feat(credential): check authentication proof purpose for auth claim

bdeneux · bdeneux · commit acd37119b4b1 · 2024-08-20T11:39:45.000+02:00
diff --git a/credential/auth.go b/credential/auth.go
@@ -7,7 +7,10 @@ import (
 	"github.com/piprate/json-gold/ld"
 )
 
-const ClaimToService = "toService"
+const (
+	ClaimToService             = "toService"
+	ProofPurposeAuthentication = "authentication"
+)
 
 const ErrAuthClaim MessageError = "invalid auth claim"
 
@@ -63,9 +66,18 @@ func (ap *AuthParser) ParseSigned(raw []byte) (*AuthClaim, error) {
 		return nil, NewVCError(ErrMalformed, err)
 	}
 
+	proof, err := extractProof(cred)
+	if err != nil {
+		return nil, err
+	}
+	if proof.ProofPurpose != ProofPurposeAuthentication {
+		return nil, NewVCError(ErrAuthClaim,
+			fmt.Errorf("proof purpose not targeting `%s` (proof purpose: `%s`)", ProofPurposeAuthentication, proof.ProofPurpose))
+	}
+
 	if cred.Issuer.ID != authClaim.ID {
 		return nil, NewVCError(ErrAuthClaim,
-			fmt.Errorf("subject differs from issuer (subject: %s, issuer: %s)", authClaim.ID, cred.Issuer.ID))
+			fmt.Errorf("subject differs from issuer (subject: `%s`, issuer: `%s`)", authClaim.ID, cred.Issuer.ID))
 	}
 	return authClaim, nil
 }
diff --git a/credential/auth_test.go b/credential/auth_test.go
@@ -36,7 +36,7 @@ func TestAuthParser_ParseSigned(t *testing.T) {
 			file:    "testdata/valid.jsonld",
 			wantErr: nil,
 			result: &credential.AuthClaim{
-				ID:        "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr",
+				ID:        "did:key:zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj",
 				ToService: "did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz",
 			},
 		},
@@ -67,7 +67,7 @@ func TestAuthParser_ParseSigned(t *testing.T) {
 		{
 			name:    "credential with issuer different from subject",
 			file:    "testdata/invalid_issuer-differs-subject.jsonld",
-			wantErr: credential.NewVCError(credential.ErrAuthClaim, fmt.Errorf("subject differs from issuer (subject: did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr, issuer: did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz)")),
+			wantErr: credential.NewVCError(credential.ErrAuthClaim, fmt.Errorf("subject differs from issuer (subject: `did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr`, issuer: `did:key:zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj`)")),
 			result:  nil,
 		},
 		{
@@ -94,6 +94,18 @@ func TestAuthParser_ParseSigned(t *testing.T) {
 			wantErr: credential.NewVCError(credential.ErrIssued, fmt.Errorf("2200-01-01 20:30:59.627706 +0200 +0200")),
 			result:  nil,
 		},
+		{
+			name:    "credential not issued now",
+			file:    "testdata/invalid_futur-issued.jsonld",
+			wantErr: credential.NewVCError(credential.ErrIssued, fmt.Errorf("2200-01-01 20:30:59.627706 +0200 +0200")),
+			result:  nil,
+		},
+		{
+			name:    "credential with not authentication proof purpose",
+			file:    "testdata/invalid_not-authentication-proof.jsonld",
+			wantErr: credential.NewVCError(credential.ErrAuthClaim, fmt.Errorf("proof purpose not targeting `authentication` (proof purpose: `assertionMethod`)")),
+			result:  nil,
+		},
 	}
 
 	for _, test := range tests {
diff --git a/credential/parser.go b/credential/parser.go
@@ -3,11 +3,13 @@ package credential
 import (
 	"crypto/ecdsa"
 	"fmt"
-	"github.com/hyperledger/aries-framework-go/component/models/ld/proof"
 	"time"
 
+	"github.com/hyperledger/aries-framework-go/component/models/ld/proof"
+
 	"github.com/btcsuite/btcd/btcec"
 	secp "github.com/decred/dcrd/dcrec/secp256k1/v4"
+	"github.com/hyperledger/aries-framework-go/component/models/ld/proof"
 	"github.com/hyperledger/aries-framework-go/pkg/doc/did"
 	"github.com/hyperledger/aries-framework-go/pkg/doc/jose/jwk/jwksupport"
 	"github.com/hyperledger/aries-framework-go/pkg/doc/signature/suite"
diff --git a/credential/testdata/invalid_issuer-differs-subject.jsonld b/credential/testdata/invalid_issuer-differs-subject.jsonld
@@ -1,23 +1,23 @@
 {
-    "@context": [
-        "https://www.w3.org/2018/credentials/v1",
-        "https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/"
-    ],
-    "credentialSubject": {
-        "id": "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr",
-        "toService": "did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz"
-    },
-    "id": "https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/72cab400-5bd6-4eb4-8605-a5ee8c1a45c9",
-    "issuer": "did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz",
-    "proof": {
-        "created": "2024-08-12T21:11:26.371751+02:00",
-        "jws": "eyJhbGciOiJ1bmtub3duIiwiYjY0IjpmYWxzZSwiY3JpdCI6WyJiNjQiXX0..c8UxNOUbNI__NATC1LRvEqWKFER3MFS9Pmze14EF-O4z_5qeIdueWv8hfgSUUtKSITEGW50qM4mZSJM-iURKQg",
-        "proofPurpose": "assertionMethod",
-        "type": "EcdsaSecp256k1Signature2019",
-        "verificationMethod": "did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz#zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz"
-    },
-    "type": [
-        "VerifiableCredential",
-        "DigitalServiceAuthenticationCredential"
-    ]
+  "@context": [
+    "https://www.w3.org/2018/credentials/v1",
+    "https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/"
+  ],
+  "credentialSubject": {
+    "id": "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr",
+    "toService": "did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz"
+  },
+  "id": "https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/72cab400-5bd6-4eb4-8605-a5ee8c1a45c9",
+  "issuer": "did:key:zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj",
+  "proof": {
+    "created": "2024-08-20T11:05:22.520483+02:00",
+    "jws": "eyJhbGciOiJ1bmtub3duIiwiYjY0IjpmYWxzZSwiY3JpdCI6WyJiNjQiXX0..W9RrEnbPbkvYl5NgHbXqQXZgzOyjbYqkoWyq2GxBTvhywQ51A7Sjj5xTCEfBOz0bnjnuNAVevRnSQnJGIPgvIw",
+    "proofPurpose": "authentication",
+    "type": "EcdsaSecp256k1Signature2019",
+    "verificationMethod": "did:key:zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj#zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj"
+  },
+  "type": [
+    "VerifiableCredential",
+    "DigitalServiceAuthenticationCredential"
+  ]
 }
diff --git a/credential/testdata/invalid_not-authentication-proof.jsonld b/credential/testdata/invalid_not-authentication-proof.jsonld
@@ -0,0 +1,23 @@
+{
+    "@context": [
+        "https://www.w3.org/2018/credentials/v1",
+        "https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/"
+    ],
+    "credentialSubject": {
+        "id": "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr",
+        "toService": "did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz"
+    },
+    "id": "https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/72cab400-5bd6-4eb4-8605-a5ee8c1a45c9",
+    "issuer": "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr",
+    "proof": {
+        "created": "2024-08-12T20:34:59.627706+02:00",
+        "jws": "eyJhbGciOiJ1bmtub3duIiwiYjY0IjpmYWxzZSwiY3JpdCI6WyJiNjQiXX0..S24mi6JvsM_8quNQ1Out4_0uub6zwkWmzl2FT_6lrCVE9Ih5le2JcNhmAUyOjizhHiCoa0qXKldyXYXUDMMh2w",
+        "proofPurpose": "assertionMethod",
+        "type": "EcdsaSecp256k1Signature2019",
+        "verificationMethod": "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr#zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr"
+    },
+    "type": [
+        "VerifiableCredential",
+        "DigitalServiceAuthenticationCredential"
+    ]
+}
diff --git a/credential/testdata/valid.jsonld b/credential/testdata/valid.jsonld
@@ -1,23 +1,23 @@
 {
-    "@context": [
-        "https://www.w3.org/2018/credentials/v1",
-        "https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/"
-    ],
-    "credentialSubject": {
-        "id": "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr",
-        "toService": "did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz"
-    },
-    "id": "https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/72cab400-5bd6-4eb4-8605-a5ee8c1a45c9",
-    "issuer": "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr",
-    "proof": {
-        "created": "2024-08-12T20:34:59.627706+02:00",
-        "jws": "eyJhbGciOiJ1bmtub3duIiwiYjY0IjpmYWxzZSwiY3JpdCI6WyJiNjQiXX0..S24mi6JvsM_8quNQ1Out4_0uub6zwkWmzl2FT_6lrCVE9Ih5le2JcNhmAUyOjizhHiCoa0qXKldyXYXUDMMh2w",
-        "proofPurpose": "assertionMethod",
-        "type": "EcdsaSecp256k1Signature2019",
-        "verificationMethod": "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr#zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr"
-    },
-    "type": [
-        "VerifiableCredential",
-        "DigitalServiceAuthenticationCredential"
-    ]
+  "@context": [
+    "https://www.w3.org/2018/credentials/v1",
+    "https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/"
+  ],
+  "credentialSubject": {
+    "id": "did:key:zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj",
+    "toService": "did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz"
+  },
+  "id": "https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/72cab400-5bd6-4eb4-8605-a5ee8c1a45c9",
+  "issuer": "did:key:zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj",
+  "proof": {
+    "created": "2024-08-20T11:03:40.941182+02:00",
+    "jws": "eyJhbGciOiJ1bmtub3duIiwiYjY0IjpmYWxzZSwiY3JpdCI6WyJiNjQiXX0..XPcHZRhGRsV2vmaswNb5Y8Ff1e00FMbzGCvbHy6gUG55wYkWDSS0T7VI5jPVSgVMZQHZi-GJT4-g8sTLCMVV6Q",
+    "proofPurpose": "authentication",
+    "type": "EcdsaSecp256k1Signature2019",
+    "verificationMethod": "did:key:zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj#zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj"
+  },
+  "type": [
+    "VerifiableCredential",
+    "DigitalServiceAuthenticationCredential"
+  ]
 }
