fix(didcomm): tolerate base64url in signed attachment payloads (#2761)

Signed-off-by: Ariel Gentile <gentilester@gmail.com>

Author: genaris

packages/didcomm/src/decorators/attachment/DidCommAttachment.ts

@@ -1,6 +1,6 @@
 import type { JwsDetachedFormat, JwsFlattenedDetachedFormat, JwsGeneralFormat } from '@credo-ts/core'
 
-import { CredoError, JsonEncoder, type JsonValue, utils } from '@credo-ts/core'
+import { CredoError, JsonEncoder, type JsonValue, TypedArrayEncoder, utils } from '@credo-ts/core'
 import { Expose, Type } from 'class-transformer'
 import { IsDate, IsHash, IsInstance, IsInt, IsMimeType, IsOptional, IsString, ValidateNested } from 'class-validator'
 
@@ -135,12 +135,39 @@ export class DidCommAttachment {
   @IsInstance(DidCommAttachmentData)
   public data!: DidCommAttachmentData
 
+  /*
+   * Helper function returning the raw bytes of a base64 attachment payload.
+   *
+   * The DIDComm/Aries RFC 0017 spec mandates base64url for `data.base64`, so we try
+   * decoding it as base64url first. Credo itself (and other implementations) has
+   * historically emitted standard base64 with `+`/`/` and `=` padding, so we fall
+   * back to that to preserve interop with older agents.
+   */
+  public getDataAsUint8Array(): Uint8Array {
+    if (typeof this.data.base64 !== 'string') {
+      throw new CredoError('No base64 attachment data found.')
+    }
+    try {
+      // `fromBase64Url` expects the no-padding variant, strip trailing `=` so
+      // both padded and unpadded base64url inputs are accepted.
+      return TypedArrayEncoder.fromBase64Url(this.data.base64.replace(/=+$/, ''))
+    } catch (base64UrlError) {
+      try {
+        return TypedArrayEncoder.fromBase64(this.data.base64)
+      } catch {
+        throw new CredoError('Could not decode attachment data as base64url or base64 string.', {
+          cause: base64UrlError,
+        })
+      }
+    }
+  }
+
   /*
    * Helper function returning JSON representation of attachment data (if present). Tries to obtain the data from .base64 or .json, throws an error otherwise
    */
   public getDataAsJson<T>(): T {
     if (typeof this.data.base64 === 'string') {
-      return JsonEncoder.fromBase64(this.data.base64) as T
+      return JsonEncoder.fromUint8Array(this.getDataAsUint8Array()) as T
     }
     if (this.data.json) {
       return this.data.json as T

packages/didcomm/src/decorators/attachment/__tests__/Attachment.test.ts

@@ -2,6 +2,7 @@ import * as didJwsz6Mkf from '../../../../../core/src/crypto/__tests__/__fixture
 import * as didJwsz6Mkv from '../../../../../core/src/crypto/__tests__/__fixtures__/didJwsz6Mkv'
 import { JsonEncoder } from '../../../../../core/src/utils/JsonEncoder'
 import { JsonTransformer } from '../../../../../core/src/utils/JsonTransformer'
+import { TypedArrayEncoder } from '../../../../../core/src/utils/TypedArrayEncoder'
 import { DidCommAttachment, DidCommAttachmentData } from '../DidCommAttachment'
 
 const mockJson = {
@@ -96,6 +97,60 @@ describe('Decorators | DidCommAttachment', () => {
     expect(mockJson.data.json).toEqual(gotData)
   })
 
+  describe('getDataAsUint8Array', () => {
+    // Bytes chosen so their base64 encoding exercises both `+` and `/` characters
+    // (the ones that differ between the standard and url-safe alphabets) *and*
+    // requires `=` padding. This way the url-alphabet / no-padding variants
+    // below are genuinely different strings from the canonical base64, not
+    // no-ops.
+    const payload = new Uint8Array([0xff, 0xe0, 0x3f, 0xff, 0xfe])
+    const padded = TypedArrayEncoder.toBase64(payload) // has '+', '/', and '=' padding
+    const unpadded = padded.replace(/=+$/, '')
+    const urlPadded = padded.replace(/\+/g, '-').replace(/\//g, '_')
+    const urlUnpadded = unpadded.replace(/\+/g, '-').replace(/\//g, '_')
+
+    test.each([
+      ['standard base64 with padding', padded],
+      ['base64url with padding', urlPadded],
+      ['base64url without padding', urlUnpadded],
+    ])('decodes %s', (_label, encoded) => {
+      const attachment = new DidCommAttachment({
+        id: 'some-uuid',
+        data: new DidCommAttachmentData({ base64: encoded }),
+      })
+      expect(attachment.getDataAsUint8Array()).toEqual(payload)
+    })
+
+    it('throws when no base64 payload is present', () => {
+      const attachment = new DidCommAttachment({
+        id: 'some-uuid',
+        data: new DidCommAttachmentData({ json: { hello: 'world' } }),
+      })
+      expect(() => attachment.getDataAsUint8Array()).toThrow(/No base64 attachment data found/)
+    })
+
+    it('throws a clear error for genuinely invalid input', () => {
+      const attachment = new DidCommAttachment({
+        id: 'some-uuid',
+        data: new DidCommAttachmentData({ base64: 'this is definitely not base64 $$$' }),
+      })
+      expect(() => attachment.getDataAsUint8Array()).toThrow(
+        /Could not decode attachment data as base64url or base64 string/
+      )
+    })
+
+    it('getDataAsJson delegates to getDataAsUint8Array, accepting base64url-without-padding too', () => {
+      const json = { hello: 'world' }
+      const standardPadded = JsonEncoder.toBase64(json)
+      const urlNoPad = standardPadded.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
+      const attachment = new DidCommAttachment({
+        id: 'some-uuid',
+        data: new DidCommAttachmentData({ base64: urlNoPad }),
+      })
+      expect(attachment.getDataAsJson()).toEqual(json)
+    })
+  })
+
   describe('addJws', () => {
     it('correctly adds the jws to the data', async () => {
       const base64 = JsonEncoder.toBase64(didJwsz6Mkf.DATA_JSON)

packages/didcomm/src/modules/connections/DidExchangeProtocol.ts

@@ -570,7 +570,7 @@ export class DidExchangeProtocol {
         throw new CredoError('DID Rotate attachment is missing base64 property for signed did.')
       }
 
-      const payload = TypedArrayEncoder.fromBase64(didRotateAttachment.data.base64)
+      const payload = didRotateAttachment.getDataAsUint8Array()
       // JWS payload must be base64url encoded
 
       const signedDid = TypedArrayEncoder.toUtf8String(payload)
@@ -675,7 +675,7 @@ export class DidExchangeProtocol {
     const { isValid, jwsSigners } = await this.jwsService.verifyJws(agentContext, {
       jws: {
         ...jws,
-        payload: TypedArrayEncoder.toBase64Url(TypedArrayEncoder.fromBase64(didDocumentAttachment.data.base64)),
+        payload: TypedArrayEncoder.toBase64Url(didDocumentAttachment.getDataAsUint8Array()),
       },
       allowedJwsSignerMethods: ['did'],
       resolveJwsSigner: ({ jws: { header } }) => {
@@ -692,7 +692,7 @@ export class DidExchangeProtocol {
       },
     })
 
-    const json = JsonEncoder.fromBase64(didDocumentAttachment.data.base64)
+    const json = didDocumentAttachment.getDataAsJson()
     const didDocument = JsonTransformer.fromJSON(json, DidDocument)
     const didDocumentKeys = didDocument.authentication
       ?.map((authentication) => {