Skip to content
This repository has been archived by the owner on Dec 12, 2024. It is now read-only.

Refactor verification, integrity, parsing #404

Merged
merged 11 commits into from
Jun 1, 2023
Merged
Show file tree
Hide file tree
Changes from 4 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion credential/exchange/submission.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ import (
"strings"

"github.com/TBD54566975/ssi-sdk/credential"
"github.com/TBD54566975/ssi-sdk/credential/integrity"
"github.com/TBD54566975/ssi-sdk/crypto/jwx"
"github.com/TBD54566975/ssi-sdk/util"
"github.com/goccy/go-json"
Expand Down Expand Up @@ -165,7 +166,7 @@ func BuildPresentationSubmission(signer any, requester string, def PresentationD
if err != nil {
return nil, errors.Wrap(err, "unable to fulfill presentation definition with given credentials")
}
return credential.SignVerifiablePresentationJWT(jwtSigner, credential.JWTVVPParameters{Audience: []string{requester}}, *vpSubmission)
return integrity.SignVerifiablePresentationJWT(jwtSigner, integrity.JWTVVPParameters{Audience: []string{requester}}, *vpSubmission)
default:
return nil, fmt.Errorf("presentation submission embed target <%s> is not implemented", et)
}
Expand Down
9 changes: 5 additions & 4 deletions credential/exchange/submission_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import (
"context"
"testing"

"github.com/TBD54566975/ssi-sdk/credential/integrity"
"github.com/TBD54566975/ssi-sdk/cryptosuite/jws2020"
"github.com/goccy/go-json"
"github.com/oliveagle/jsonpath"
Expand Down Expand Up @@ -60,7 +61,7 @@ func TestBuildPresentationSubmission(t *testing.T) {

resolver, err := resolution.NewResolver([]resolution.Resolver{key.Resolver{}}...)
assert.NoError(tt, err)
_, _, _, err = credential.VerifyVerifiablePresentationJWT(context.Background(), *verifier, resolver, string(submissionBytes))
_, _, _, err = integrity.VerifyVerifiablePresentationJWT(context.Background(), *verifier, resolver, string(submissionBytes))
assert.Error(tt, err)
assert.Contains(tt, err.Error(), "credential must have a proof")
})
Expand Down Expand Up @@ -88,7 +89,7 @@ func TestBuildPresentationSubmission(t *testing.T) {
signer, verifier := getJWKSignerVerifier(tt)
testVC := getTestVerifiableCredential(signer.ID, signer.ID)

credJWT, err := credential.SignVerifiableCredentialJWT(*signer, testVC)
credJWT, err := integrity.SignVerifiableCredentialJWT(*signer, testVC)
assert.NoError(tt, err)
assert.NotEmpty(tt, credJWT)
presentationClaim := PresentationClaim{
Expand All @@ -104,7 +105,7 @@ func TestBuildPresentationSubmission(t *testing.T) {

resolver, err := resolution.NewResolver([]resolution.Resolver{key.Resolver{}}...)
assert.NoError(tt, err)
_, _, vp, err := credential.VerifyVerifiablePresentationJWT(context.Background(), *verifier, resolver, string(submissionBytes))
_, _, vp, err := integrity.VerifyVerifiablePresentationJWT(context.Background(), *verifier, resolver, string(submissionBytes))
assert.NoError(tt, err)

assert.NoError(tt, vp.IsValid())
Expand Down Expand Up @@ -339,7 +340,7 @@ func TestBuildPresentationSubmissionVP(t *testing.T) {
assert.Equal(tt, "test-verifiable-credential", asVC.ID)
assert.Equal(tt, "Block", asVC.CredentialSubject["company"])

_, vcJWTToken, asVCJWT, err := credential.ParseVerifiableCredentialFromJWT(*(vp.VerifiableCredential[1].(*string)))
_, vcJWTToken, asVCJWT, err := integrity.ParseVerifiableCredentialFromJWT(*(vp.VerifiableCredential[1].(*string)))
assert.NoError(tt, err)
assert.NotEmpty(tt, vcJWTToken)
assert.NotEmpty(tt, asVCJWT)
Expand Down
16 changes: 9 additions & 7 deletions credential/exchange/verification.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,8 @@ import (
"fmt"
"strings"

"github.com/TBD54566975/ssi-sdk/credential/integrity"
"github.com/TBD54566975/ssi-sdk/credential/parsing"
"github.com/TBD54566975/ssi-sdk/crypto/jwx"
"github.com/TBD54566975/ssi-sdk/did/resolution"
"github.com/TBD54566975/ssi-sdk/schema"
Expand All @@ -17,7 +19,7 @@ import (
"github.com/TBD54566975/ssi-sdk/util"
)

// VerifiedSubmissionData is the result of a successful verification of a presentation submission
// VerifiedSubmissionData is the result of a successful validation of a presentation submission
// corresponds to the data that was verified, and the filtered data that was used to verify it for a given
// input descriptor
type VerifiedSubmissionData struct {
Expand Down Expand Up @@ -56,9 +58,9 @@ func VerifyPresentationSubmission(ctx context.Context, verifier any, resolver re
return nil, fmt.Errorf("verifier<%T> is not a JWT verifier", verifier)
}
// verify the VP, which in turn verifies all credentials in it
_, _, vp, err := credential.VerifyVerifiablePresentationJWT(ctx, jwtVerifier, resolver, string(submission))
_, _, vp, err := integrity.VerifyVerifiablePresentationJWT(ctx, jwtVerifier, resolver, string(submission))
if err != nil {
return nil, errors.Wrap(err, "verification of the presentation submission failed")
return nil, errors.Wrap(err, "validation of the presentation submission failed")
}
return VerifyPresentationSubmissionVP(def, *vp)
default:
Expand All @@ -67,7 +69,7 @@ func VerifyPresentationSubmission(ctx context.Context, verifier any, resolver re
}

// VerifyPresentationSubmissionVP verifies whether a verifiable presentation is a valid presentation submission
// for a given presentation definition. No signature verification happens here.
// for a given presentation definition. No signature validation happens here.
func VerifyPresentationSubmissionVP(def PresentationDefinition, vp credential.VerifiablePresentation) ([]VerifiedSubmissionData, error) {
if err := vp.IsValid(); err != nil {
return nil, errors.Wrap(err, "presentation submission does not contain a valid VP")
Expand Down Expand Up @@ -134,8 +136,8 @@ func VerifyPresentationSubmissionVP(def PresentationDefinition, vp credential.Ve
submissionDescriptor.ID, submissionDescriptor.Path)
}

// TODO(gabe) add in signature verification of claims here https://github.com/TBD54566975/ssi-sdk/issues/71
_, _, cred, err := credential.ToCredential(claim)
// TODO(gabe) add in signature validation of claims here https://github.com/TBD54566975/ssi-sdk/issues/71
_, _, cred, err := parsing.ToCredential(claim)
if err != nil {
return nil, errors.Wrapf(err, "getting claim as json: <%s>", claim)
}
Expand All @@ -150,7 +152,7 @@ func VerifyPresentationSubmissionVP(def PresentationDefinition, vp credential.Ve

// TODO(gabe) consider enforcing limited disclosure if present
// for each field we need to verify at least one path matches
credJSON, err := credential.ToCredentialJSONMap(claim)
credJSON, err := parsing.ToCredentialJSONMap(claim)
if err != nil {
return nil, errors.Wrapf(err, "getting credential as json: %v", cred)
}
Expand Down
11 changes: 6 additions & 5 deletions credential/exchange/verification_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import (
"context"
"testing"

"github.com/TBD54566975/ssi-sdk/credential/integrity"
"github.com/TBD54566975/ssi-sdk/cryptosuite/jws2020"
"github.com/stretchr/testify/assert"

Expand Down Expand Up @@ -67,7 +68,7 @@ func TestVerifyPresentationSubmission(t *testing.T) {
_, verifier := getJWKSignerVerifier(tt)
_, err = VerifyPresentationSubmission(context.Background(), *verifier, resolver, JWTVPTarget, def, []byte{0, 1, 2, 3})
assert.Error(tt, err)
assert.Contains(tt, err.Error(), "verification of the presentation submission failed")
assert.Contains(tt, err.Error(), "validation of the presentation submission failed")
})

t.Run("Supported embed target, valid submission, invalid credential format", func(tt *testing.T) {
Expand Down Expand Up @@ -134,7 +135,7 @@ func TestVerifyPresentationSubmission(t *testing.T) {

signer, verifier := getJWKSignerVerifier(tt)
testVC := getTestVerifiableCredential(signer.ID, signer.ID)
credJWT, err := credential.SignVerifiableCredentialJWT(*signer, testVC)
credJWT, err := integrity.SignVerifiableCredentialJWT(*signer, testVC)
assert.NoError(tt, err)
presentationClaim := PresentationClaim{
Token: util.StringPtr(string(credJWT)),
Expand All @@ -151,7 +152,7 @@ func TestVerifyPresentationSubmission(t *testing.T) {
}

func TestVerifyPresentationSubmissionVP(t *testing.T) {
t.Run("Simple verification", func(tt *testing.T) {
t.Run("Simple validation", func(tt *testing.T) {
def := PresentationDefinition{
ID: "test-id",
InputDescriptors: []InputDescriptor{
Expand Down Expand Up @@ -182,7 +183,7 @@ func TestVerifyPresentationSubmissionVP(t *testing.T) {
assert.NoError(tt, err)
assert.NotEmpty(tt, submissionBytes)

_, _, verifiablePresentation, err := credential.ParseVerifiablePresentationFromJWT(string(submissionBytes))
_, _, verifiablePresentation, err := integrity.ParseVerifiablePresentationFromJWT(string(submissionBytes))
assert.NoError(tt, err)

_, err = VerifyPresentationSubmissionVP(def, *verifiablePresentation)
Expand Down Expand Up @@ -519,7 +520,7 @@ func TestVerifyPresentationSubmissionVP(t *testing.T) {
}
signer, _ := getJWKSignerVerifier(tt)
testVC := getTestVerifiableCredential("test-issuer", "test-subject")
vcData, err := credential.SignVerifiableCredentialJWT(*signer, testVC)
vcData, err := integrity.SignVerifiableCredentialJWT(*signer, testVC)
assert.NoError(tt, err)
b := NewPresentationSubmissionBuilder(def.ID)
assert.NoError(tt, b.SetDescriptorMap([]SubmissionDescriptor{
Expand Down
11 changes: 6 additions & 5 deletions credential/jws.go → credential/integrity/jws.go
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package credential
package integrity

import (
"github.com/TBD54566975/ssi-sdk/credential"
"github.com/TBD54566975/ssi-sdk/crypto/jwx"
"github.com/goccy/go-json"
"github.com/lestrrat-go/jwx/v2/jwa"
Expand All @@ -14,7 +15,7 @@ const (

// SignVerifiableCredentialJWS is prepared according to https://transmute-industries.github.io/vc-jws/.
// This is currently an experimental. It's unstable and subject to change. Use at your own peril.
func SignVerifiableCredentialJWS(signer jwx.Signer, cred VerifiableCredential) ([]byte, error) {
func SignVerifiableCredentialJWS(signer jwx.Signer, cred credential.VerifiableCredential) ([]byte, error) {
payload, err := json.Marshal(cred)
if err != nil {
return nil, errors.Wrap(err, "marshalling credential")
Expand All @@ -38,7 +39,7 @@ func SignVerifiableCredentialJWS(signer jwx.Signer, cred VerifiableCredential) (
// ParseVerifiableCredentialFromJWS parses a JWS. Depending on the `cty` header value, it parses as a JWT or simply
// decodes the payload.
// This is currently an experimental. It's unstable and subject to change. Use at your own peril.
func ParseVerifiableCredentialFromJWS(token string) (*jws.Message, *VerifiableCredential, error) {
func ParseVerifiableCredentialFromJWS(token string) (*jws.Message, *credential.VerifiableCredential, error) {
parsed, err := jws.Parse([]byte(token))
if err != nil {
return nil, nil, errors.Wrap(err, "parsing JWS")
Expand All @@ -55,7 +56,7 @@ func ParseVerifiableCredentialFromJWS(token string) (*jws.Message, *VerifiableCr
return parsed, cred, err
}

var cred VerifiableCredential
var cred credential.VerifiableCredential
if err = json.Unmarshal(parsed.Payload(), &cred); err != nil {
return nil, nil, errors.Wrap(err, "reconstructing Verifiable Credential")
}
Expand All @@ -66,7 +67,7 @@ func ParseVerifiableCredentialFromJWS(token string) (*jws.Message, *VerifiableCr
// VerifyVerifiableCredentialJWS verifies the signature validity on the token and parses
// the token in a verifiable credential.
// This is currently an experimental. It's unstable and subject to change. Use at your own peril.
func VerifyVerifiableCredentialJWS(verifier jwx.Verifier, token string) (*jws.Message, *VerifiableCredential, error) {
func VerifyVerifiableCredentialJWS(verifier jwx.Verifier, token string) (*jws.Message, *credential.VerifiableCredential, error) {
if err := verifier.VerifyJWS(token); err != nil {
return nil, nil, errors.Wrap(err, "verifying JWS")
}
Expand Down
5 changes: 3 additions & 2 deletions credential/jws_test.go → credential/integrity/jws_test.go
Original file line number Diff line number Diff line change
@@ -1,14 +1,15 @@
package credential
package integrity

import (
"testing"

"github.com/TBD54566975/ssi-sdk/credential"
"github.com/lestrrat-go/jwx/v2/jws"
"github.com/stretchr/testify/assert"
)

func TestVerifiableCredentialJWS(t *testing.T) {
testCredential := VerifiableCredential{
testCredential := credential.VerifiableCredential{
Context: []any{"https://www.w3.org/2018/credentials/v1", "https://w3id.org/security/suites/jws-2020/v1"},
Type: []any{"VerifiableCredential"},
Issuer: "did:example:123",
Expand Down
27 changes: 14 additions & 13 deletions credential/jwt.go → credential/integrity/jwt.go
Original file line number Diff line number Diff line change
@@ -1,10 +1,11 @@
package credential
package integrity

import (
"context"
"fmt"
"time"

"github.com/TBD54566975/ssi-sdk/credential"
"github.com/TBD54566975/ssi-sdk/crypto/jwx"
"github.com/TBD54566975/ssi-sdk/did/resolution"

Expand All @@ -24,7 +25,7 @@ const (

// SignVerifiableCredentialJWT is prepared according to https://w3c.github.io/vc-jwt/#version-1.1
// which will soon be deprecated by https://w3c.github.io/vc-jwt/ see: https://github.com/TBD54566975/ssi-sdk/issues/191
func SignVerifiableCredentialJWT(signer jwx.Signer, cred VerifiableCredential) ([]byte, error) {
func SignVerifiableCredentialJWT(signer jwx.Signer, cred credential.VerifiableCredential) ([]byte, error) {
if cred.IsEmpty() {
return nil, errors.New("credential cannot be empty")
}
Expand Down Expand Up @@ -98,9 +99,9 @@ func SignVerifiableCredentialJWT(signer jwx.Signer, cred VerifiableCredential) (

// VerifyVerifiableCredentialJWT verifies the signature validity on the token and parses
// the token in a verifiable credential.
// TODO(gabe) modify this to add additional verification steps such as credential status, expiration, etc.
// TODO(gabe) modify this to add additional validation steps such as credential status, expiration, etc.
// related to https://github.com/TBD54566975/ssi-service/issues/122
func VerifyVerifiableCredentialJWT(verifier jwx.Verifier, token string) (jws.Headers, jwt.Token, *VerifiableCredential, error) {
func VerifyVerifiableCredentialJWT(verifier jwx.Verifier, token string) (jws.Headers, jwt.Token, *credential.VerifiableCredential, error) {
if err := verifier.Verify(token); err != nil {
return nil, nil, nil, errors.Wrap(err, "verifying JWT")
}
Expand All @@ -111,7 +112,7 @@ func VerifyVerifiableCredentialJWT(verifier jwx.Verifier, token string) (jws.Hea
// https://www.w3.org/TR/vc-data-model/#jwt-decoding
// If there are any issues during decoding, an error is returned. As a result, a successfully
// decoded VerifiableCredential object is returned.
func ParseVerifiableCredentialFromJWT(token string) (jws.Headers, jwt.Token, *VerifiableCredential, error) {
func ParseVerifiableCredentialFromJWT(token string) (jws.Headers, jwt.Token, *credential.VerifiableCredential, error) {
parsed, err := jwt.Parse([]byte(token), jwt.WithValidate(false), jwt.WithVerify(false))
if err != nil {
return nil, nil, nil, errors.Wrap(err, "parsing credential token")
Expand All @@ -133,7 +134,7 @@ func ParseVerifiableCredentialFromJWT(token string) (jws.Headers, jwt.Token, *Ve
}

// ParseVerifiableCredentialFromToken takes a JWT object and parses it into a VerifiableCredential
func ParseVerifiableCredentialFromToken(token jwt.Token) (*VerifiableCredential, error) {
func ParseVerifiableCredentialFromToken(token jwt.Token) (*credential.VerifiableCredential, error) {
// parse remaining JWT properties and set in the credential
vcClaim, ok := token.Get(VCJWTProperty)
if !ok {
Expand All @@ -143,7 +144,7 @@ func ParseVerifiableCredentialFromToken(token jwt.Token) (*VerifiableCredential,
if err != nil {
return nil, errors.Wrap(err, "marshalling credential claim")
}
var cred VerifiableCredential
var cred credential.VerifiableCredential
if err = json.Unmarshal(vcBytes, &cred); err != nil {
return nil, errors.Wrap(err, "reconstructing Verifiable Credential")
}
Expand Down Expand Up @@ -179,7 +180,7 @@ func ParseVerifiableCredentialFromToken(token jwt.Token) (*VerifiableCredential,
if cred.CredentialSubject == nil {
cred.CredentialSubject = make(map[string]any)
}
cred.CredentialSubject[VerifiableCredentialIDProperty] = subStr
cred.CredentialSubject[credential.VerifiableCredentialIDProperty] = subStr
}

return &cred, nil
Expand All @@ -195,7 +196,7 @@ type JWTVVPParameters struct {

// SignVerifiablePresentationJWT transforms a VP into a VP JWT and signs it
// According to https://w3c.github.io/vc-jwt/#version-1.1
func SignVerifiablePresentationJWT(signer jwx.Signer, parameters JWTVVPParameters, presentation VerifiablePresentation) ([]byte, error) {
func SignVerifiablePresentationJWT(signer jwx.Signer, parameters JWTVVPParameters, presentation credential.VerifiablePresentation) ([]byte, error) {
if presentation.IsEmpty() {
return nil, errors.New("presentation cannot be empty")
}
Expand Down Expand Up @@ -270,7 +271,7 @@ func SignVerifiablePresentationJWT(signer jwx.Signer, parameters JWTVVPParameter
// After decoding the signature of each credential in the presentation is verified. If there are any issues during
// decoding or signature validation, an error is returned. As a result, a successfully decoded VerifiablePresentation
// object is returned.
func VerifyVerifiablePresentationJWT(ctx context.Context, verifier jwx.Verifier, r resolution.Resolver, token string) (jws.Headers, jwt.Token, *VerifiablePresentation, error) {
func VerifyVerifiablePresentationJWT(ctx context.Context, verifier jwx.Verifier, r resolution.Resolver, token string) (jws.Headers, jwt.Token, *credential.VerifiablePresentation, error) {
if r == nil {
return nil, nil, nil, errors.New("r cannot be empty")
}
Expand Down Expand Up @@ -306,7 +307,7 @@ func VerifyVerifiablePresentationJWT(ctx context.Context, verifier jwx.Verifier,
return nil, nil, nil, errors.Wrapf(err, "verifying credential %d", i)
}
if !verified {
return nil, nil, nil, errors.Errorf("credential %d failed signature verification", i)
return nil, nil, nil, errors.Errorf("credential %d failed signature validation", i)
}
}

Expand All @@ -318,7 +319,7 @@ func VerifyVerifiablePresentationJWT(ctx context.Context, verifier jwx.Verifier,
// https://www.w3.org/TR/vc-data-model/#jwt-decoding
// If there are any issues during decoding, an error is returned. As a result, a successfully
// decoded VerifiablePresentation object is returned.
func ParseVerifiablePresentationFromJWT(token string) (jws.Headers, jwt.Token, *VerifiablePresentation, error) {
func ParseVerifiablePresentationFromJWT(token string) (jws.Headers, jwt.Token, *credential.VerifiablePresentation, error) {
parsed, err := jwt.Parse([]byte(token), jwt.WithValidate(false), jwt.WithVerify(false))
if err != nil {
return nil, nil, nil, errors.Wrap(err, "parsing vp token")
Expand All @@ -331,7 +332,7 @@ func ParseVerifiablePresentationFromJWT(token string) (jws.Headers, jwt.Token, *
if err != nil {
return nil, nil, nil, errors.Wrap(err, "could not marshalling vp claim")
}
var pres VerifiablePresentation
var pres credential.VerifiablePresentation
if err = json.Unmarshal(vpBytes, &pres); err != nil {
return nil, nil, nil, errors.Wrap(err, "reconstructing Verifiable Presentation")
}
Expand Down
Loading