🔐 Allow choose proof purpose when signing VC

client/credential/sign.go

@@ -36,6 +36,7 @@ const (
 	flagOverwrite = "overwrite"
 	flagDate      = "date"
 	flagSchemaMap = "schema-map"
+	flagPurpose   = "purpose"
 )
 
 const (
@@ -65,6 +66,9 @@ It will read a verifiable credential from a file (or stdin), sign it, and print
 			"Multiple mappings can be provided by repeating the flag. Example usage: "+
 			"--%[1]s originalURI1=alternativeURI1 --%[1]s originalURI2=alternativeURI2",
 		flagSchemaMap))
+	cmd.Flags().String(flagPurpose, "assertionMethod", "Proof that describes credential purpose, helps prevent it from being "+
+		"misused for some other purpose. Example of commonly used proof purpose values:  "+
+		"authentication, assertionMethod, keyAgreement, capabilityDelegation, capabilityInvocation.")
 
 	_ = cmd.MarkFlagRequired(flags.FlagFrom)
 
@@ -120,7 +124,13 @@ func runSignCmd(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return err
 	}
-	err = signVerifiableCredential(documentLoader, vc, signer, date)
+
+	purpose, err := cmd.Flags().GetString(flagPurpose)
+	if err != nil {
+		return err
+	}
+
+	err = signVerifiableCredential(documentLoader, vc, signer, date, purpose)
 	if err != nil {
 		return errorsmod.Wrapf(sdkerr.ErrInvalidRequest, "failed to sign: %v", err)
 	}
@@ -245,7 +255,7 @@ func loadVerifiableCredential(documentLoader ld.DocumentLoader, bs []byte) (*ver
 }
 
 func signVerifiableCredential(
-	documentLoader ld.DocumentLoader, vc *verifiable.Credential, signer KeyringSigner, date time.Time,
+	documentLoader ld.DocumentLoader, vc *verifiable.Credential, signer KeyringSigner, date time.Time, purpose string,
 ) error {
 	didKeyID, err := signer.DIDKeyID()
 	if err != nil {
@@ -265,6 +275,7 @@ func signVerifiableCredential(
 			Suite:                   ed25519signature2020.New(suite.WithSigner(signer)),
 			SignatureRepresentation: verifiable.SignatureProofValue,
 			VerificationMethod:      didKeyID,
+			Purpose:                 purpose,
 		}, jsonld.WithDocumentLoader(documentLoader))
 	case *secp256k1.PubKey:
 		return vc.AddLinkedDataProof(&verifiable.LinkedDataProofContext{
@@ -273,6 +284,7 @@ func signVerifiableCredential(
 			Suite:                   ecdsasecp256k1signature2019.New(suite.WithSigner(signer)),
 			SignatureRepresentation: verifiable.SignatureJWS,
 			VerificationMethod:      didKeyID,
+			Purpose:                 purpose,
 		}, jsonld.WithDocumentLoader(documentLoader))
 	default:
 		return fmt.Errorf("invalid pubkey type: %s; expected oneof %+q",

docs/command/axoned_credential_sign.md

@@ -21,6 +21,7 @@ axoned credential sign [file] [flags]
       --keyring-backend string   Select keyring's backend (os|file|kwallet|pass|test|memory) (default "test")
       --keyring-dir string       The client Keyring directory; if omitted, the default 'home' directory will be used
       --overwrite                Overwrite existing signatures with a new one. If disabled, new signature will be appended
+      --purpose string           Proof that describes credential purpose, helps prevent it from being misused for some other purpose. Example of commonly used proof purpose values:  authentication, assertionMethod, keyAgreement, capabilityDelegation, capabilityInvocation. (default "assertionMethod")
       --schema-map strings       Map original URIs to alternative URIs for resolving JSON-LD schemas. Useful for redirecting network-based URIs to local filesystem paths or other URIs. Each mapping should be in the format 'originalURI=alternativeURI'. Multiple mappings can be provided by repeating the flag. Example usage: --schema-map originalURI1=alternativeURI1 --schema-map originalURI2=alternativeURI2
 ```