Merge pull request #727 from axone-protocol/feat/sign-purpose

bdeneux · web-flow · commit 9e4d7607fe04 · 2024-08-19T16:38:30.000+02:00
🔐 Allow choose proof purpose when signing VC
diff --git a/client/credential/sign.go b/client/credential/sign.go
@@ -36,6 +36,7 @@ const (
 	flagOverwrite = "overwrite"
 	flagDate      = "date"
 	flagSchemaMap = "schema-map"
+	flagPurpose   = "purpose"
 )
 
 const (
@@ -65,6 +66,9 @@ It will read a verifiable credential from a file (or stdin), sign it, and print
 			"Multiple mappings can be provided by repeating the flag. Example usage: "+
 			"--%[1]s originalURI1=alternativeURI1 --%[1]s originalURI2=alternativeURI2",
 		flagSchemaMap))
+	cmd.Flags().String(flagPurpose, "assertionMethod", "Proof that describes credential purpose, helps prevent it from being "+
+		"misused for some other purpose. Example of commonly used proof purpose values:  "+
+		"authentication, assertionMethod, keyAgreement, capabilityDelegation, capabilityInvocation.")
 
 	_ = cmd.MarkFlagRequired(flags.FlagFrom)
 
@@ -102,7 +106,6 @@ func runSignCmd(cmd *cobra.Command, args []string) error {
 		return err
 	}
 	documentLoader := newDocumentLoader(schemaMap)
-
 	vc, err := loadVerifiableCredential(documentLoader, bs)
 	if err != nil {
 		return errorsmod.Wrapf(sdkerr.ErrInvalidRequest, "failed to load verifiable credential: %v", err)
@@ -115,12 +118,15 @@ func runSignCmd(cmd *cobra.Command, args []string) error {
 	if overrideProofs {
 		vc.Proofs = nil
 	}
-
 	date, err := parseStringAsDate(cmd, flagDate)
 	if err != nil {
-		return err
+		return errorsmod.Wrapf(sdkerr.ErrInvalidType, "%s is not a valid date: %v", flagDate, err)
+	}
+	purpose, err := cmd.Flags().GetString(flagPurpose)
+	if err != nil {
+		return errorsmod.Wrapf(sdkerr.ErrInvalidType, "%s is not a valid string: %v", flagPurpose, err)
 	}
-	err = signVerifiableCredential(documentLoader, vc, signer, date)
+	err = signVerifiableCredential(documentLoader, vc, signer, date, purpose)
 	if err != nil {
 		return errorsmod.Wrapf(sdkerr.ErrInvalidRequest, "failed to sign: %v", err)
 	}
@@ -245,7 +251,7 @@ func loadVerifiableCredential(documentLoader ld.DocumentLoader, bs []byte) (*ver
 }
 
 func signVerifiableCredential(
-	documentLoader ld.DocumentLoader, vc *verifiable.Credential, signer KeyringSigner, date time.Time,
+	documentLoader ld.DocumentLoader, vc *verifiable.Credential, signer KeyringSigner, date time.Time, purpose string,
 ) error {
 	didKeyID, err := signer.DIDKeyID()
 	if err != nil {
@@ -265,6 +271,7 @@ func signVerifiableCredential(
 			Suite:                   ed25519signature2020.New(suite.WithSigner(signer)),
 			SignatureRepresentation: verifiable.SignatureProofValue,
 			VerificationMethod:      didKeyID,
+			Purpose:                 purpose,
 		}, jsonld.WithDocumentLoader(documentLoader))
 	case *secp256k1.PubKey:
 		return vc.AddLinkedDataProof(&verifiable.LinkedDataProofContext{
@@ -273,6 +280,7 @@ func signVerifiableCredential(
 			Suite:                   ecdsasecp256k1signature2019.New(suite.WithSigner(signer)),
 			SignatureRepresentation: verifiable.SignatureJWS,
 			VerificationMethod:      didKeyID,
+			Purpose:                 purpose,
 		}, jsonld.WithDocumentLoader(documentLoader))
 	default:
 		return fmt.Errorf("invalid pubkey type: %s; expected oneof %+q",
diff --git a/docs/command/axoned_credential_sign.md b/docs/command/axoned_credential_sign.md
@@ -21,6 +21,7 @@ axoned credential sign [file] [flags]
       --keyring-backend string   Select keyring's backend (os|file|kwallet|pass|test|memory) (default "test")
       --keyring-dir string       The client Keyring directory; if omitted, the default 'home' directory will be used
       --overwrite                Overwrite existing signatures with a new one. If disabled, new signature will be appended
+      --purpose string           Proof that describes credential purpose, helps prevent it from being misused for some other purpose. Example of commonly used proof purpose values:  authentication, assertionMethod, keyAgreement, capabilityDelegation, capabilityInvocation. (default "assertionMethod")
       --schema-map strings       Map original URIs to alternative URIs for resolving JSON-LD schemas. Useful for redirecting network-based URIs to local filesystem paths or other URIs. Each mapping should be in the format 'originalURI=alternativeURI'. Multiple mappings can be provided by repeating the flag. Example usage: --schema-map originalURI1=alternativeURI1 --schema-map originalURI2=alternativeURI2
 ```
 
