feat(credential): check authentication proof purpose for auth claim
bdeneux committed Aug 20, 2024
1 parent f9492da commit 28a2844
Showing 6 changed files with 97 additions and 50 deletions.
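--- a/credential/auth.go
+++ b/credential/auth.go
@@ -7,7 +7,10 @@ import (
 "github.com/piprate/json-gold/ld"
 )
 
-const ClaimToService = "toService"
+const (
+ClaimToService = "toService"
+ProofPurposeAuthentication = "authentication"
+)
 
 const ErrAuthClaim MessageError = "invalid auth claim"
 
@@ -63,9 +66,18 @@ func (ap *AuthParser) ParseSigned(raw []byte) (*AuthClaim, error) {
 return nil, NewVCError(ErrMalformed, err)
 }
 
+proof, err := extractProof(cred)
+if err != nil {
+return nil, NewVCError(ErrInvalidProof, err)
+}
+if proof.ProofPurpose != ProofPurposeAuthentication {
+return nil, NewVCError(ErrAuthClaim,
+fmt.Errorf("proof purpose not targeting `%s` (proof purpose: `%s`)", ProofPurposeAuthentication, proof.ProofPurpose))
+}
+
 if cred.Issuer.ID != authClaim.ID {
 return nil, NewVCError(ErrAuthClaim,
-fmt.Errorf("subject differs from issuer (subject: %s, issuer: %s)", authClaim.ID, cred.Issuer.ID))
+fmt.Errorf("subject differs from issuer (subject: `%s`, issuer: `%s`)", authClaim.ID, cred.Issuer.ID))
 }
 return authClaim, nil
 }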
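Review bot: The new check at `if proof.ProofPurpose != ProofPurposeAuthentication` interpolates `proof.ProofPurpose`, a value taken straight from the incoming credential, with `%s` and hand-placed backticks; `%q` would escape control characters and newlines in the rejected value and makes the backticks unnecessary, `fmt.Errorf("proof purpose not targeting %q (proof purpose: %q)", ProofPurposeAuthentication, proof.ProofPurpose))` (the matching expectation in auth_test.go changes with it). `ProofPurposeAuthentication` is exported without a doc comment; `// ProofPurposeAuthentication is the proof purpose a credential's proof must carry to be accepted as an auth claim.` The check covers only the proof returned by extractProof, which reads `vc.Proofs[0]`; if a credential can carry several proofs (the start of extractProof is outside this commit's hunks), the purpose of the others is never examined. ParseSigned's body starts before this hunk.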
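--- a/credential/auth_test.go
+++ b/credential/auth_test.go
@@ -36,14 +36,14 @@ func TestAuthParser_ParseSigned(t *testing.T) {
 file: "testdata/valid.jsonld",
 wantErr: nil,
 result: &credential.AuthClaim{
-ID: "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr",
+ID: "did:key:zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj",
 ToService: "did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz",
 },
 },
 {
 name: "credential not signed",
 file: "testdata/invalid_not-signed.jsonld",
-wantErr: credential.NewVCError(credential.ErrMissingProof, nil),
+wantErr: credential.NewVCError(credential.ErrInvalidProof, credential.NewVCError(credential.ErrMissingProof, nil)),
 result: nil,
 },
 {
@@ -67,7 +67,7 @@ func TestAuthParser_ParseSigned(t *testing.T) {
 {
 name: "credential with issuer different from subject",
 file: "testdata/invalid_issuer-differs-subject.jsonld",
-wantErr: credential.NewVCError(credential.ErrAuthClaim, fmt.Errorf("subject differs from issuer (subject: did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr, issuer: did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz)")),
+wantErr: credential.NewVCError(credential.ErrAuthClaim, fmt.Errorf("subject differs from issuer (subject: `did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr`, issuer: `did:key:zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj`)")),
 result: nil,
 },
 {
@@ -94,6 +94,18 @@ func TestAuthParser_ParseSigned(t *testing.T) {
 wantErr: credential.NewVCError(credential.ErrIssued, fmt.Errorf("2200-01-01 20:30:59.627706 +0200 +0200")),
 result: nil,
 },
+{
+name: "credential not issued now",
+file: "testdata/invalid_futur-issued.jsonld",
+wantErr: credential.NewVCError(credential.ErrIssued, fmt.Errorf("2200-01-01 20:30:59.627706 +0200 +0200")),
+result: nil,
+},
+{
+name: "credential with not authentication proof purpose",
+file: "testdata/invalid_not-authentication-proof.jsonld",
+wantErr: credential.NewVCError(credential.ErrAuthClaim, fmt.Errorf("proof purpose not targeting `authentication` (proof purpose: `assertionMethod`)")),
+result: nil,
+},
 }
 
 for _, test := range tests {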
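Review bot: The added case `credential not issued now` at the top of the third hunk expects exactly the same `ErrIssued` error and timestamp as the case directly above it, and its fixture `invalid_futur-issued.jsonld` is not among the six files this commit touches, so it looks like a copy of an existing case rather than new coverage; confirm the duplicate is intended or drop it. The other new case is the one that actually exercises the proof-purpose check, but its name reads awkwardly, `name: "credential with non-authentication proof purpose",`. TestAuthParser_ParseSigned starts before the first hunk and continues past the last.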
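--- a/credential/parser.go
+++ b/credential/parser.go
@@ -3,11 +3,11 @@ package credential
 import (
 "crypto/ecdsa"
 "fmt"
-"github.com/hyperledger/aries-framework-go/component/models/ld/proof"
 "time"
 
 "github.com/btcsuite/btcd/btcec"
 secp "github.com/decred/dcrd/dcrec/secp256k1/v4"
+"github.com/hyperledger/aries-framework-go/component/models/ld/proof"
 "github.com/hyperledger/aries-framework-go/pkg/doc/did"
 "github.com/hyperledger/aries-framework-go/pkg/doc/jose/jwk/jwksupport"
 "github.com/hyperledger/aries-framework-go/pkg/doc/signature/suite"
@@ -77,7 +77,7 @@ func withCheck(vc *verifiable.Credential) (*verifiable.Credential, error) {
 }
 
 if _, err := extractProof(vc); err != nil {
-return nil, err
+return nil, NewVCError(ErrInvalidProof, err)
 }
 
 return vc, nil
@@ -142,7 +142,7 @@ func extractProof(vc *verifiable.Credential) (*proof.Proof, error) {
 
 pf, err := proof.NewProof(vc.Proofs[0])
 if err != nil {
-return nil, NewVCError(ErrInvalidProof, err)
+return nil, err
 }
 return pf, nil
 }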
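Review bot: The contract the commit now relies on — `extractProof` returns its error unwrapped and each caller (`withCheck` here, `ParseSigned` in auth.go) wraps it with `ErrInvalidProof` — is spread across two files and stated nowhere; add above extractProof: `// extractProof returns the first proof of vc. Errors are returned unwrapped; callers wrap them with ErrInvalidProof.` The new expectation in auth_test.go for the unsigned credential, `NewVCError(ErrInvalidProof, NewVCError(ErrMissingProof, nil))`, suggests the missing-proof branch of extractProof (above this hunk) still wraps its own error, so that path now ends up nested twice while the `proof.NewProof` failure is wrapped once; worth aligning the two. The coverage annotation on the changed `return nil, err` line also shows the `proof.NewProof` failure path has no test; a fixture with a malformed proof entry would close it. extractProof's body starts before the last hunk.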
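--- a/credential/testdata/invalid_issuer-differs-subject.jsonld
+++ b/credential/testdata/invalid_issuer-differs-subject.jsonld
@@ -1,23 +1,23 @@
 {
-"@context": [
-"https://www.w3.org/2018/credentials/v1",
-"https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/"
-],
-"credentialSubject": {
-"id": "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr",
-"toService": "did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz"
-},
-"id": "https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/72cab400-5bd6-4eb4-8605-a5ee8c1a45c9",
-"issuer": "did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz",
-"proof": {
-"created": "2024-08-12T21:11:26.371751+02:00",
-"jws": "eyJhbGciOiJ1bmtub3duIiwiYjY0IjpmYWxzZSwiY3JpdCI6WyJiNjQiXX0..c8UxNOUbNI__NATC1LRvEqWKFER3MFS9Pmze14EF-O4z_5qeIdueWv8hfgSUUtKSITEGW50qM4mZSJM-iURKQg",
-"proofPurpose": "assertionMethod",
-"type": "EcdsaSecp256k1Signature2019",
-"verificationMethod": "did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz#zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz"
-},
-"type": [
-"VerifiableCredential",
-"DigitalServiceAuthenticationCredential"
-]
+"@context": [
+"https://www.w3.org/2018/credentials/v1",
+"https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/"
+],
+"credentialSubject": {
+"id": "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr",
+"toService": "did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz"
+},
+"id": "https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/72cab400-5bd6-4eb4-8605-a5ee8c1a45c9",
+"issuer": "did:key:zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj",
+"proof": {
+"created": "2024-08-20T11:05:22.520483+02:00",
+"jws": "eyJhbGciOiJ1bmtub3duIiwiYjY0IjpmYWxzZSwiY3JpdCI6WyJiNjQiXX0..W9RrEnbPbkvYl5NgHbXqQXZgzOyjbYqkoWyq2GxBTvhywQ51A7Sjj5xTCEfBOz0bnjnuNAVevRnSQnJGIPgvIw",
+"proofPurpose": "authentication",
+"type": "EcdsaSecp256k1Signature2019",
+"verificationMethod": "did:key:zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj#zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj"
+},
+"type": [
+"VerifiableCredential",
+"DigitalServiceAuthenticationCredential"
+]
 }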
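--- /dev/null
+++ b/credential/testdata/invalid_not-authentication-proof.jsonld
@@ -0,0 +1,23 @@
+{
+"@context": [
+"https://www.w3.org/2018/credentials/v1",
+"https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/"
+],
+"credentialSubject": {
+"id": "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr",
+"toService": "did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz"
+},
+"id": "https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/72cab400-5bd6-4eb4-8605-a5ee8c1a45c9",
+"issuer": "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr",
+"proof": {
+"created": "2024-08-12T20:34:59.627706+02:00",
+"jws": "eyJhbGciOiJ1bmtub3duIiwiYjY0IjpmYWxzZSwiY3JpdCI6WyJiNjQiXX0..S24mi6JvsM_8quNQ1Out4_0uub6zwkWmzl2FT_6lrCVE9Ih5le2JcNhmAUyOjizhHiCoa0qXKldyXYXUDMMh2w",
+"proofPurpose": "assertionMethod",
+"type": "EcdsaSecp256k1Signature2019",
+"verificationMethod": "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr#zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr"
+},
+"type": [
+"VerifiableCredential",
+"DigitalServiceAuthenticationCredential"
+]
+}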
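--- a/credential/testdata/valid.jsonld
+++ b/credential/testdata/valid.jsonld
@@ -1,23 +1,23 @@
 {
-"@context": [
-"https://www.w3.org/2018/credentials/v1",
-"https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/"
-],
-"credentialSubject": {
-"id": "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr",
-"toService": "did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz"
-},
-"id": "https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/72cab400-5bd6-4eb4-8605-a5ee8c1a45c9",
-"issuer": "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr",
-"proof": {
-"created": "2024-08-12T20:34:59.627706+02:00",
-"jws": "eyJhbGciOiJ1bmtub3duIiwiYjY0IjpmYWxzZSwiY3JpdCI6WyJiNjQiXX0..S24mi6JvsM_8quNQ1Out4_0uub6zwkWmzl2FT_6lrCVE9Ih5le2JcNhmAUyOjizhHiCoa0qXKldyXYXUDMMh2w",
-"proofPurpose": "assertionMethod",
-"type": "EcdsaSecp256k1Signature2019",
-"verificationMethod": "did:key:zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr#zQ3shpoUHzwcgdt2gxjqHHnJnNkBVd4uX3ZBhmPiM7J93yqCr"
-},
-"type": [
-"VerifiableCredential",
-"DigitalServiceAuthenticationCredential"
-]
+"@context": [
+"https://www.w3.org/2018/credentials/v1",
+"https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/"
+],
+"credentialSubject": {
+"id": "did:key:zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj",
+"toService": "did:key:zQ3shZxyDoD3QorxHJrFS68EjzDgQZSqZcj3wQqc1ngbF1vgz"
+},
+"id": "https://w3id.org/axone/ontology/v4/schema/credential/digital-service/authentication/72cab400-5bd6-4eb4-8605-a5ee8c1a45c9",
+"issuer": "did:key:zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj",
+"proof": {
+"created": "2024-08-20T11:03:40.941182+02:00",
+"jws": "eyJhbGciOiJ1bmtub3duIiwiYjY0IjpmYWxzZSwiY3JpdCI6WyJiNjQiXX0..XPcHZRhGRsV2vmaswNb5Y8Ff1e00FMbzGCvbHy6gUG55wYkWDSS0T7VI5jPVSgVMZQHZi-GJT4-g8sTLCMVV6Q",
+"proofPurpose": "authentication",
+"type": "EcdsaSecp256k1Signature2019",
+"verificationMethod": "did:key:zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj#zQ3shhCAzQcroi4RqZ48eNudKWf75Fvv9ryJsxbaWCCPsfnFj"
+},
+"type": [
+"VerifiableCredential",
+"DigitalServiceAuthenticationCredential"
+]
 }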
