From 31fc540dfff1cf58e03ce6ada147fc5704da33d1 Mon Sep 17 00:00:00 2001 From: javieralvarezin2 Date: Tue, 22 Oct 2024 16:19:23 +0200 Subject: [PATCH] change check to mandatorOrganizationIdentifier instead mandatee and refactor tests --- .../service/impl/VpServiceImpl.java | 31 ++++++++++++++----- .../es/in2/vcverifier/util/Constants.java | 2 ++ .../vcverifier/service/VpServiceImplTest.java | 11 +++++-- 3 files changed, 34 insertions(+), 10 deletions(-) diff --git a/src/main/java/es/in2/vcverifier/service/impl/VpServiceImpl.java b/src/main/java/es/in2/vcverifier/service/impl/VpServiceImpl.java index 388e59d..fde7d89 100644 --- a/src/main/java/es/in2/vcverifier/service/impl/VpServiceImpl.java +++ b/src/main/java/es/in2/vcverifier/service/impl/VpServiceImpl.java @@ -25,6 +25,8 @@ import java.util.List; import java.util.Map; +import static es.in2.vcverifier.util.Constants.DID_ELSI_PREFIX; + /** * This class contains basic validation steps for the scope of validating a Verifiable Presentation (VP) * that includes a LEARCredential, following the technical guidelines described in the DOME document. @@ -66,17 +68,18 @@ public boolean validateVerifiablePresentation(String verifiablePresentation) { validateCredentialTypeWithIssuerCapabilities(issuerCapabilitiesList, credentialTypes); log.info("Issuer DID {} is a trusted participant", credentialIssuerDid); - // Step 5: Extract the mandateeId from the Verifiable Credential - String mandateeId = extractMandateeId(credentialTypes, payload); + // Step 5: Extract the mandateId from the Verifiable Credential + String mandatorOrganizationIdentifier = extractMandatorOrganizationIdentifier(credentialTypes, payload); //TODO this must be validated against the participants list, not the issuer list // Validate the mandatee ID with trusted issuer service, if is not present the trustedIssuerListService throws an exception - trustFrameworkService.getTrustedIssuerListData(mandateeId); + trustFrameworkService.getTrustedIssuerListData(DID_ELSI_PREFIX + mandatorOrganizationIdentifier); - log.info("Mandatee ID {} is valid and allowed", mandateeId); + log.info("Mandator OrganizationIdentifier {} is valid and allowed", mandatorOrganizationIdentifier); // Step 6: Validate the VP's signature with the DIDService (the DID of the holder of the VP) + String mandateeId = extractMandateeId(credentialTypes, payload); PublicKey holderPublicKey = didService.getPublicKeyFromDid(mandateeId); // Get the holder's public key in bytes jwtService.verifyJWTSignature(verifiablePresentation, holderPublicKey, KeyType.EC); // Validate the VP was signed by the holder DID @@ -124,16 +127,30 @@ private List getCredentialTypes(Payload payload) { } } - private String extractMandateeId(List credentialTypes, Payload payload) { Object vcObject = jwtService.getVCFromPayload(payload); if (credentialTypes.contains(LEARCredentialType.LEAR_CREDENTIAL_EMPLOYEE.getValue())) { LEARCredentialEmployee learCredentialEmployee = mapCredentialToLEARCredentialEmployee(vcObject); - return learCredentialEmployee.credentialSubject().mandate().id(); + return learCredentialEmployee.credentialSubject().mandate().mandatee().id(); + } else if (credentialTypes.contains(LEARCredentialType.LEAR_CREDENTIAL_MACHINE.getValue())) { + LEARCredentialMachine learCredentialMachine = mapCredentialToLEARCredentialMachine(vcObject); + return learCredentialMachine.credentialSubject().mandate().mandatee().id(); + } else { + throw new InvalidCredentialTypeException("Invalid Credential Type. LEARCredentialEmployee or LEARCredentialMachine required."); + } + } + + + private String extractMandatorOrganizationIdentifier(List credentialTypes, Payload payload) { + Object vcObject = jwtService.getVCFromPayload(payload); + + if (credentialTypes.contains(LEARCredentialType.LEAR_CREDENTIAL_EMPLOYEE.getValue())) { + LEARCredentialEmployee learCredentialEmployee = mapCredentialToLEARCredentialEmployee(vcObject); + return learCredentialEmployee.credentialSubject().mandate().mandator().organizationIdentifier(); } else if (credentialTypes.contains(LEARCredentialType.LEAR_CREDENTIAL_MACHINE.getValue())) { LEARCredentialMachine learCredentialMachine = mapCredentialToLEARCredentialMachine(vcObject); - return learCredentialMachine.credentialSubject().mandate().id(); + return learCredentialMachine.credentialSubject().mandate().mandator().organizationIdentifier(); } else { throw new InvalidCredentialTypeException("Invalid Credential Type. LEARCredentialEmployee or LEARCredentialMachine required."); } diff --git a/src/main/java/es/in2/vcverifier/util/Constants.java b/src/main/java/es/in2/vcverifier/util/Constants.java index 66fb29a..2762e0b 100644 --- a/src/main/java/es/in2/vcverifier/util/Constants.java +++ b/src/main/java/es/in2/vcverifier/util/Constants.java @@ -10,6 +10,8 @@ private Constants() { public static final String RESPONSE_TYPE= "response_type"; public static final String SCOPE = "scope"; public static final String AUTHORIZATION_RESPONSE_ENDPOINT= "/oid4vp/auth-response"; + public static final String DID_ELSI_PREFIX = "did:elsi:"; + public static final long MSB = 0x80L; public static final long MSBALL = 0xFFFFFF80L; diff --git a/src/test/java/es/in2/vcverifier/service/VpServiceImplTest.java b/src/test/java/es/in2/vcverifier/service/VpServiceImplTest.java index 2876b35..93d35f2 100644 --- a/src/test/java/es/in2/vcverifier/service/VpServiceImplTest.java +++ b/src/test/java/es/in2/vcverifier/service/VpServiceImplTest.java @@ -8,6 +8,7 @@ import com.nimbusds.jwt.SignedJWT; import es.in2.vcverifier.exception.CredentialMappingException; import es.in2.vcverifier.exception.JsonConversionException; +import es.in2.vcverifier.model.credentials.Mandator; import es.in2.vcverifier.model.credentials.employee.CredentialSubjectLCEmployee; import es.in2.vcverifier.model.credentials.employee.LEARCredentialEmployee; import es.in2.vcverifier.model.credentials.employee.MandateLCEmployee; @@ -95,7 +96,7 @@ void getCredentialFromTheVerifiablePresentationAsJsonNode_with_VC_JSONObject_suc } @Test - void getCredentialFromTheVerifiablePresentationAsJsonNode_with_VC_Map_success() throws JsonProcessingException { + void getCredentialFromTheVerifiablePresentationAsJsonNode_with_VC_Map_success() { String verifiablePresentation = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJkaWQ6a2V5OnpEbmFlblF6WEthVE5SNlYyaWZyY0VFU042VFR1WWpweWFmUGh0c1pZU3Y0VlJia3IiLCJuYmYiOjE3MTc0MzgwMDMsImlzcyI6ImRpZDprZXk6ekRuYWVuUXpYS2FUTlI2VjJpZnJjRUVTTjZUVHVZanB5YWZQaHRzWllTdjRWUmJrciIsInZwIjp7IkBjb250ZXh0IjpbImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL3YxIl0sImhvbGRlciI6ImRpZDprZXk6ekRuYWVuUXpYS2FUTlI2VjJpZnJjRUVTTjZUVHVZanB5YWZQaHRzWllTdjRWUmJrciIsImlkIjoiNDFhY2FkYTMtNjdiNC00OTRlLWE2ZTMtZTA5NjY0NDlmMjVkIiwidHlwZSI6WyJWZXJpZmlhYmxlUHJlc2VudGF0aW9uIl0sInZlcmlmaWFibGVDcmVkZW50aWFsIjpbImV5SmhiR2NpT2lKSVV6STFOaUlzSW5SNWNDSTZJa3BYVkNKOS5leUp6ZFdJaU9pSXhNak0wTlRZM09Ea3dJaXdpYm1GdFpTSTZJa3B2YUc0Z1JHOWxJaXdpYVdGMElqb3hOVEUyTWpNNU1ESXlmUS5TZmxLeHdSSlNNZUtLRjJRVDRmd3BNZUpmMzZQT2s2eUpWX2FkUXNzdzVjIl19LCJleHAiOjE3MjAwMzAwMDMsImlhdCI6MTcxNzQzODAwMywianRpIjoiNDFhY2FkYTMtNjdiNC00OTRlLWE2ZTMtZTA5NjY0NDlmMjVkIn0._tIB_9fsQjZmJV2cgGDWtYXmps9fbLbMDtu8wZhIwC9u6I7RAaR4NK5WrnRC1TIVbQa06ZeneELxc_ktTkdhfA"; Payload payload = mock(Payload.class); @@ -198,7 +199,9 @@ void validateVerifiablePresentation_vp_claim_with_verifiableCredential_claim_wit LEARCredentialMachine.builder() .credentialSubject(CredentialSubjectLCMachine .builder().mandate(MandateLCMachine - .builder().mandatee(MandateeLCMachine + .builder() + .mandator(Mandator.builder().organizationIdentifier("organizationIdentifier").build()) + .mandatee(MandateeLCMachine .builder().id("mandateeId") .build()) .build()) @@ -237,7 +240,9 @@ void validateVerifiablePresentation_vp_claim_with_verifiableCredential_claim_wit LEARCredentialEmployee.builder() .credentialSubject(CredentialSubjectLCEmployee .builder().mandate(MandateLCEmployee - .builder().mandatee(MandateeLCEmployee + .builder() + .mandator(Mandator.builder().organizationIdentifier("organizationIdentifier").build()) + .mandatee(MandateeLCEmployee .builder().id("mandateeId") .build()) .build())