DirectAccessCredential
An mdoc credential, according to ISO/IEC 18013-5:2021, which can be stored in the DirectAccess applet. This credential makes use of the DirectAccess class to integrate with the applet.
Creation of a DirectAccessCredential is very similar to any other Credential with the following exceptions:
First, a slot must be reserved in the Direct Access applet for the Document this credential is associated with. This can be done using DirectAccess.allocateDocumentSlot. Once allocated, the slot must be passed into the DirectAccessCredential constructor when creating new credentials.
Secondly, certifying the credential requires the issuerProvidedAuthenticationData parameter to be CBOR conforming to the following CDDL:
    issuerProvidedAuthenticationData = {
        "issuerNameSpaces" : IssuerNameSpaces,
        "issuerAuth" : IssuerAuth,
        "readerAccess" : ReaderAccess    ; TODO: update applet for name change to "authorizedReaderRoots"
    }

    IssuerNameSpaces = {
        NameSpace => [ + IssuerSignedItemBytes ]
    }

    ReaderAccess = [ * COSE_Key ]
This data will be stored in the Secure Area and used for mdoc presentations over NFC data transfer in low-power mode.
The readerAccess field contains a list of keys used for implementing reader authentication. If this list is empty, reader authentication is not required. Otherwise the request must be signed, and the request is authenticated if, and only if, a public key from the X.509 certificate chain for the key signing the request exists in the readerAccess list.
If reader authentication fails, the returned DeviceResponse shall return error code 10 for the requested docType in the "documentErrors" field.
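As an added example (not code from the library this page documents), the following minimal CBOR encoder assembles issuerProvidedAuthenticationData exactly as the CDDL above describes it and applies the readerAccess rule just stated. The IssuerSignedItemBytes, issuerAuth bytes and key coordinates are constructed placeholders, and keys are compared by their CBOR encoding, which is an assumption of this example rather than something the page specifies.

```python
import struct

class Tag:  # CBOR tag; ISO 18013-5 wraps IssuerSignedItem in tag 24 (bstr .cbor)
    def __init__(self, number, value):
        self.number, self.value = number, value

def _head(major, n):
    """Initial byte(s) for a major type with unsigned argument n."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([(major << 5) | ai]) + struct.pack(fmt, n)
    raise ValueError("argument too large for CBOR")

def cbor(v):
    """Encode int, bytes, str, list, dict (insertion order kept) and Tag."""
    if isinstance(v, bool):
        raise TypeError("booleans are not used in this structure")
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor(x) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor(k) + cbor(x) for k, x in v.items())
    if isinstance(v, Tag):
        return _head(6, v.number) + cbor(v.value)
    raise TypeError(f"unsupported type {type(v).__name__}")

def cose_key_p256(x, y):
    """COSE_Key map for an EC2 P-256 public key (RFC 9052 labels kty, crv, x, y)."""
    return {1: 2, -1: 1, -2: x, -3: y}

def build_issuer_provided_auth_data(namespaces, issuer_auth, reader_keys):
    """namespaces: {NameSpace: [Tag(24, bstr), ...]}; issuer_auth: encoded COSE_Sign1;
    reader_keys: list of COSE_Key maps (empty list = reader auth not required)."""
    return cbor({"issuerNameSpaces": dict(namespaces),
                 "issuerAuth": issuer_auth,
                 "readerAccess": list(reader_keys)})

def reader_authenticated(reader_access, chain_keys):
    """Empty readerAccess: no reader authentication required. Otherwise some public
    key from the request signer's X.509 chain must be present in readerAccess."""
    if not reader_access:
        return True
    allowed = {cbor(k) for k in reader_access}
    return any(cbor(k) in allowed for k in chain_keys)
```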
Lastly, in order to use the credential, it must be set as the active credential in the Direct Access applet using setAsActiveCredential once the credential is certified.
Properties
The attestation for the key associated with this credential.
The docType of the credential as defined in ISO/IEC 18013-5:2021.
Functions
Constructs a Credential from serialized data, i.e. the inverse of addSerializedData.
Sets the credential as the active credential in the Direct Access applet (i.e. this credential would be the one used during presentation).