Skip to content

🔐 Check authentication proof purpose #15

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Aug 20, 2024
Merged

🔐 Check authentication proof purpose #15

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f9492da
refactor(credential): add utility to extract proof
bdeneux Aug 20, 2024
28a2844
feat(credential): check authentication proof purpose for auth claim
bdeneux Aug 20, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 14 additions & 2 deletions credential/auth.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,10 @@
"github.com/piprate/json-gold/ld"
)

const ClaimToService = "toService"
const (
ClaimToService = "toService"
ProofPurposeAuthentication = "authentication"
)

const ErrAuthClaim MessageError = "invalid auth claim"

Expand Down Expand Up @@ -63,9 +66,18 @@
return nil, NewVCError(ErrMalformed, err)
}

proof, err := extractProof(cred)
if err != nil {
return nil, NewVCError(ErrInvalidProof, err)

Check warning on line 71 in credential/auth.go

View check run for this annotation

Codecov / codecov/patch

credential/auth.go#L71 

Added line #L71 was not covered by tests
}
if proof.ProofPurpose != ProofPurposeAuthentication {
return nil, NewVCError(ErrAuthClaim,
fmt.Errorf("proof purpose not targeting `%s` (proof purpose: `%s`)", ProofPurposeAuthentication, proof.ProofPurpose))
}

if cred.Issuer.ID != authClaim.ID {
return nil, NewVCError(ErrAuthClaim,
fmt.Errorf("subject differs from issuer (subject: %s, issuer: %s)", authClaim.ID, cred.Issuer.ID))
fmt.Errorf("subject differs from issuer (subject: `%s`, issuer: `%s`)", authClaim.ID, cred.Issuer.ID))
}
return authClaim, nil
}
18 changes: 15 additions & 3 deletions credential/auth_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,14 +36,14 @@ func TestAuthParser_ParseSigned(t *testing.T) {
file: "testdata/valid.jsonld",
wantErr: nil,
result: &credential.AuthClaim{
ID: "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr",
ID: "did:key:zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj",
ToService: "did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz",
},
},
{
name: "credential not signed",
file: "testdata/invalid_not-signed.jsonld",
wantErr: credential.NewVCError(credential.ErrMissingProof, nil),
wantErr: credential.NewVCError(credential.ErrInvalidProof, credential.NewVCError(credential.ErrMissingProof, nil)),
result: nil,
},
{
Expand All @@ -67,7 +67,7 @@ func TestAuthParser_ParseSigned(t *testing.T) {
{
name: "credential with issuer different from subject",
file: "testdata/invalid_issuer-differs-subject.jsonld",
wantErr: credential.NewVCError(credential.ErrAuthClaim, fmt.Errorf("subject differs from issuer (subject: did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr, issuer: did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz)")),
wantErr: credential.NewVCError(credential.ErrAuthClaim, fmt.Errorf("subject differs from issuer (subject: `did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr`, issuer: `did:key:zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj`)")),
result: nil,
},
{
Expand All @@ -94,6 +94,18 @@ func TestAuthParser_ParseSigned(t *testing.T) {
wantErr: credential.NewVCError(credential.ErrIssued, fmt.Errorf("2200-01-01 20:30:59.627706 +0200 +0200")),
result: nil,
},
{
name: "credential not issued now",
file: "testdata/invalid_futur-issued.jsonld",
wantErr: credential.NewVCError(credential.ErrIssued, fmt.Errorf("2200-01-01 20:30:59.627706 +0200 +0200")),
result: nil,
},
{
name: "credential with not authentication proof purpose",
file: "testdata/invalid_not-authentication-proof.jsonld",
wantErr: credential.NewVCError(credential.ErrAuthClaim, fmt.Errorf("proof purpose not targeting `authentication` (proof purpose: `assertionMethod`)")),
result: nil,
},
}

for _, test := range tests {
Expand Down
1 change: 1 addition & 0 deletions credential/errors.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ const (
ErrExpired MessageError = "verifiable credential expired"
ErrIssued MessageError = "verifiable credential issued in the future"
ErrMissingProof MessageError = "missing verifiable credential proof"
ErrInvalidProof MessageError = "invalid verifiable credential proof"
ErrMalformedSubject MessageError = "malformed verifiable credential subject"
ErrExpectSingleClaim MessageError = "expect a single verifiable credential claim"
ErrExtractClaim MessageError = "failed to extract claim"
Expand Down
18 changes: 16 additions & 2 deletions credential/parser.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@

"github.com/btcsuite/btcd/btcec"
secp "github.com/decred/dcrd/dcrec/secp256k1/v4"
"github.com/hyperledger/aries-framework-go/component/models/ld/proof"
"github.com/hyperledger/aries-framework-go/pkg/doc/did"
"github.com/hyperledger/aries-framework-go/pkg/doc/jose/jwk/jwksupport"
"github.com/hyperledger/aries-framework-go/pkg/doc/signature/suite"
Expand Down Expand Up @@ -75,9 +76,10 @@
return nil, NewVCError(ErrIssued, fmt.Errorf("%s", vc.Issued.Time))
}

if len(vc.Proofs) == 0 {
return nil, NewVCError(ErrMissingProof, nil)
if _, err := extractProof(vc); err != nil {
return nil, NewVCError(ErrInvalidProof, err)
}

return vc, nil
}

Expand Down Expand Up @@ -132,3 +134,15 @@
}
return strField, nil
}

func extractProof(vc *verifiable.Credential) (*proof.Proof, error) {
if len(vc.Proofs) == 0 {
return nil, NewVCError(ErrMissingProof, nil)
}

pf, err := proof.NewProof(vc.Proofs[0])
if err != nil {
return nil, err

Check warning on line 145 in credential/parser.go

View check run for this annotation

Codecov / codecov/patch

credential/parser.go#L145 

Added line #L145 was not covered by tests
}
return pf, nil
}
42 changes: 21 additions & 21 deletions credential/testdata/invalid_issuer-differs-subject.jsonld
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,23 +1,23 @@
{
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/"
],
"credentialSubject": {
"id": "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr",
"toService": "did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz"
},
"id": "https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/72cab400-5bd6-4eb4-8605-a5ee8c1a45c9",
"issuer": "did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz",
"proof": {
"created": "2024-08-12T21:11:26.371751+02:00",
"jws": "eyJhbGciOiJ1bmtub3duIiwiYjY0IjpmYWxzZSwiY3JpdCI6WyJiNjQiXX0..c8UxNOUbNI__NATC1LRvEqWKFER3MFS9Pmze14EF-O4z_5qeIdueWv8hfgSUUtKSITEGW50qM4mZSJM-iURKQg",
"proofPurpose": "assertionMethod",
"type": "EcdsaSecp256k1Signature2019",
"verificationMethod": "did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz#zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz"
},
"type": [
"VerifiableCredential",
"DigitalServiceAuthenticationCredential"
]
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/"
],
"credentialSubject": {
"id": "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr",
"toService": "did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz"
},
"id": "https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/72cab400-5bd6-4eb4-8605-a5ee8c1a45c9",
"issuer": "did:key:zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj",
"proof": {
"created": "2024-08-20T11:05:22.520483+02:00",
"jws": "eyJhbGciOiJ1bmtub3duIiwiYjY0IjpmYWxzZSwiY3JpdCI6WyJiNjQiXX0..W9RrEnbPbkvYl5NgHbXqQXZgzOyjbYqkoWyq2GxBTvhywQ51A7Sjj5xTCEfBOz0bnjnuNAVevRnSQnJGIPgvIw",
"proofPurpose": "authentication",
"type": "EcdsaSecp256k1Signature2019",
"verificationMethod": "did:key:zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj#zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj"
},
"type": [
"VerifiableCredential",
"DigitalServiceAuthenticationCredential"
]
}
23 changes: 23 additions & 0 deletions credential/testdata/invalid_not-authentication-proof.jsonld
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
{
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/"
],
"credentialSubject": {
"id": "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr",
"toService": "did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz"
},
"id": "https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/72cab400-5bd6-4eb4-8605-a5ee8c1a45c9",
"issuer": "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr",
"proof": {
"created": "2024-08-12T20:34:59.627706+02:00",
"jws": "eyJhbGciOiJ1bmtub3duIiwiYjY0IjpmYWxzZSwiY3JpdCI6WyJiNjQiXX0..S24mi6JvsM_8quNQ1Out4_0uub6zwkWmzl2FT_6lrCVE9Ih5le2JcNhmAUyOjizhHiCoa0qXKldyXYXUDMMh2w",
"proofPurpose": "assertionMethod",
"type": "EcdsaSecp256k1Signature2019",
"verificationMethod": "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr#zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr"
},
"type": [
"VerifiableCredential",
"DigitalServiceAuthenticationCredential"
]
}
42 changes: 21 additions & 21 deletions credential/testdata/valid.jsonld
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,23 +1,23 @@
{
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/"
],
"credentialSubject": {
"id": "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr",
"toService": "did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz"
},
"id": "https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/72cab400-5bd6-4eb4-8605-a5ee8c1a45c9",
"issuer": "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr",
"proof": {
"created": "2024-08-12T20:34:59.627706+02:00",
"jws": "eyJhbGciOiJ1bmtub3duIiwiYjY0IjpmYWxzZSwiY3JpdCI6WyJiNjQiXX0..S24mi6JvsM_8quNQ1Out4_0uub6zwkWmzl2FT_6lrCVE9Ih5le2JcNhmAUyOjizhHiCoa0qXKldyXYXUDMMh2w",
"proofPurpose": "assertionMethod",
"type": "EcdsaSecp256k1Signature2019",
"verificationMethod": "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr#zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr"
},
"type": [
"VerifiableCredential",
"DigitalServiceAuthenticationCredential"
]
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/"
],
"credentialSubject": {
"id": "did:key:zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj",
"toService": "did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz"
},
"id": "https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/72cab400-5bd6-4eb4-8605-a5ee8c1a45c9",
"issuer": "did:key:zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj",
"proof": {
"created": "2024-08-20T11:03:40.941182+02:00",
"jws": "eyJhbGciOiJ1bmtub3duIiwiYjY0IjpmYWxzZSwiY3JpdCI6WyJiNjQiXX0..XPcHZRhGRsV2vmaswNb5Y8Ff1e00FMbzGCvbHy6gUG55wYkWDSS0T7VI5jPVSgVMZQHZi-GJT4-g8sTLCMVV6Q",
"proofPurpose": "authentication",
"type": "EcdsaSecp256k1Signature2019",
"verificationMethod": "did:key:zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj#zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj"
},
"type": [
"VerifiableCredential",
"DigitalServiceAuthenticationCredential"
]
}
Loading