Merge pull request #48 from imsglc/add-http-key-support

Add support for remote key material to inspector-vc
This commit is contained in:
Xavi Aracil 2022-11-15 10:05:02 +01:00 committed by GitHub
commit 347f44e804

View File

@ -2,24 +2,30 @@ package org.oneedtech.inspect.vc.probe;
import java.io.StringReader;
import java.net.URI;
import java.util.Optional;
import org.oneedtech.inspect.core.probe.Probe;
import org.oneedtech.inspect.core.probe.RunContext;
import org.oneedtech.inspect.core.report.ReportItems;
import org.oneedtech.inspect.vc.Credential;
import com.apicatalog.ld.DocumentError;
import com.apicatalog.jsonld.StringUtils;
import com.apicatalog.jsonld.document.Document;
import com.apicatalog.jsonld.loader.DocumentLoaderOptions;
import com.apicatalog.multibase.Multibase;
import com.apicatalog.multicodec.Multicodec;
import com.apicatalog.multicodec.Multicodec.Codec;
import com.apicatalog.vc.processor.StatusVerifier;
import com.danubetech.verifiablecredentials.VerifiableCredential;
import foundation.identity.jsonld.ConfigurableDocumentLoader;
import info.weboftrust.ldsignatures.LdProof;
import info.weboftrust.ldsignatures.verifier.Ed25519Signature2020LdVerifier;
import jakarta.json.JsonObject;
import jakarta.json.JsonStructure;
/**
* A Probe that verifies a credential's embedded proof.
*
* @author mgylling
*/
public class EmbeddedProofProbe extends Probe<Credential> {
@ -28,43 +34,56 @@ public class EmbeddedProofProbe extends Probe<Credential> {
super(ID);
}
/*
* Using verifiable-credentials-java (https://github.com/danubetech/verifiable-credentials-java)
* Using verifiable-credentials-java from Danubetech
* (https://github.com/danubetech/verifiable-credentials-java)
*/
@Override
public ReportItems run(Credential crd, RunContext ctx) throws Exception {
//TODO check that proof is Ed25519 - issue error if not ("type": "Ed25519Signature2020",
//TODO check value "proofPurpose": "assertionMethod", if not error
// TODO: What there are multiple proofs?
VerifiableCredential vc = VerifiableCredential.fromJson(new StringReader(crd.getJson().toString()));
ConfigurableDocumentLoader documentLoader = new ConfigurableDocumentLoader();
documentLoader.setEnableHttp(true);
documentLoader.setEnableHttps(true);
vc.setDocumentLoader(new CachingDocumentLoader());
vc.setDocumentLoader(documentLoader);
URI method = vc.getLdProof().getVerificationMethod();
LdProof proof = vc.getLdProof();
if (proof == null) {
return error("The verifiable credential is missing a proof.", ctx);
}
if (!proof.isType("Ed25519Signature2020")) {
return error("Unknown proof type: " + proof.getType(), ctx);
}
if (!proof.getProofPurpose().equals("assertionMethod")) {
return error("Invalid proof purpose: " + proof.getProofPurpose(), ctx);
}
URI method = proof.getVerificationMethod();
// The verification method must dereference to an Ed25519VerificationKey2020.
// Danubetech's Ed25519Signature2020LdVerifier expects the decoded public key
// from the Ed25519VerificationKey2020 (32 bytes).
String publicKeyMultibase = "";
String publicKeyMultibase;
String controller = null;
// Formats accepted:
//
// [controller]#[publicKeyMultibase]
// did:key:[publicKeyMultibase]
// http/s://[location of a Ed25519VerificationKey2020 document]
// http/s://[location of a controller document with a 'verificationMethod' with a Ed25519VerificationKey2020]
// [publicKeyMultibase]
// TODO fourth format that we don't support yet: a URL that returns a Ed25519VerificationKey2020
// if starts with http and does not have hashcode, try fetch and see if returns Ed25519VerificationKey2020
// property is publicKeyMultibase
publicKeyMultibase = method.toString();
if (method.getFragment() != null) {
publicKeyMultibase = method.getFragment();
controller = method.toString().substring(0, method.toString().indexOf("#"));
} else {
if (method.getScheme().equals("did")) {
if (method.getSchemeSpecificPart().startsWith("key:")) {
@ -73,7 +92,32 @@ public class EmbeddedProofProbe extends Probe<Credential> {
return error("Unknown verification method: " + method, ctx);
}
} else if (method.getScheme().equals("http") || method.getScheme().equals("https")) {
return error("Cannot parse http verification key yet", ctx);
// TODO: Can we use proof.getDocumentLoader()?
ConfigurableDocumentLoader documentLoader = new ConfigurableDocumentLoader();
documentLoader.setEnableHttp(true);
documentLoader.setEnableHttps(true);
Document keyDocument = documentLoader.loadDocument(method, new DocumentLoaderOptions());
Optional<JsonStructure> keyStructure = keyDocument.getJsonContent();
if (keyStructure.isEmpty()) {
return error("Key document not found at " + method, ctx);
}
// First look for a Ed25519VerificationKey2020 document
controller = keyStructure.get().asJsonObject().getString("controller");
if (StringUtils.isBlank(controller)) {
// Then look for a controller document (e.g. DID Document) with a 'verificationMethod'
// that is a Ed25519VerificationKey2020 document
JsonObject keyVerificationMethod = keyStructure.get().asJsonObject()
.getJsonObject("verificationMethod");
if (keyVerificationMethod.isEmpty()) {
return error("Cannot parse key document from " + method, ctx);
}
controller = keyVerificationMethod.getString("controller");
publicKeyMultibase = keyVerificationMethod.getString("publicKeyMultibase");
} else {
publicKeyMultibase = keyStructure.get().asJsonObject().getString("publicKeyMultibase");
}
}
}
@ -86,7 +130,13 @@ public class EmbeddedProofProbe extends Probe<Credential> {
return error("Verification method does not contain an Ed25519 public key", ctx);
}
} catch (Exception e) {
return error("Verification method is invalid: " + e.getMessage(), ctx);
return fatal("Invalid public key: " + e.getMessage(), ctx);
}
if (controller != null) {
if (!controller.equals(vc.getIssuer().toString())) {
return error("Key controller does not match issuer: " + vc.getIssuer(), ctx);
}
}
// Extract the publicKey bytes from the Multicodec
@ -94,71 +144,17 @@ public class EmbeddedProofProbe extends Probe<Credential> {
Ed25519Signature2020LdVerifier verifier = new Ed25519Signature2020LdVerifier(publicKey);
//TODO find out whether we also should check that controller matches issuer ID:
// if [controller]#[publicKeyMultibase] format - check [controller] segment
// if did:key:[publicKeyMultibase] format: issuer ID must match the entire URI
// if [publicKeyMultibase] -- don't check issuer ID. Maybe we should warn about this syntax.
try {
boolean verify = verifier.verify(vc);
if (!verify) {
return error("Embedded proof verification failed.", ctx);
}
} catch (Exception e) {
return fatal("Embedded proof verification failed:" + e.getMessage(), ctx);
return fatal("Embedded proof verification failed: " + e.getMessage(), ctx);
}
return success(ctx);
}
/*
* Note: if using com.apicatalog Iron, we get a generic VC verifier that
* will test other stuff than the Proof. So sometimes it may be that
* Iron internally retests something that we're already testing out in the
* Inspector class (e.g. expiration). But use this for now -- and remember
* that this probe is only run if the given credential has internal proof
* (aka is not a jwt).
*/
// /*
// * Using iron-verifiable-credentials (https://github.com/filip26/iron-verifiable-credentials)
// */
// @Override
// public ReportItems run(Credential crd, RunContext ctx) throws Exception {
// JsonDocument jsonDoc = JsonDocument.of(new StringReader(crd.getJson().toString()));
// JsonObject json = jsonDoc.getJsonContent().get().asJsonObject();
// try {
// Vc.verify(json)
// .loader(new CachingDocumentLoader())
// .useBundledContexts(false) //we control the cache in the loader
// .statusVerifier(new IronNoopStatusVerifier())
// //.domain(...)
// //.didResolver(...)
// .isValid();
// } catch (DocumentError e) {
// return error(e.getType() + " " + e.getSubject(), ctx);
// } catch (VerificationError e) {
// //System.err.println(e.getCode() + " (ProofVerifierProbe)");
// if(e.getCode() == Code.Internal) {
// return exception(e.getMessage(), ctx.getResource());
// } else if(e.getCode().equals(Code.Expired)) {
// //handled by other probe
// } else {
// return fatal(e.getCode().name() + " " + e.getMessage(), ctx);
// }
//
// }
// return success(ctx);
// }
private static final class IronNoopStatusVerifier implements StatusVerifier {
@Override
public void verify(Status status) throws DocumentError, VerifyError {
// noop
}
}
public static final String ID = EmbeddedProofProbe.class.getSimpleName();
}