From ba9f404077e9df35be875a197e25e574f5c0f52a Mon Sep 17 00:00:00 2001
From: Andres Uribe Gonzalez
Date: Fri, 7 Jul 2023 15:10:53 -0400
Subject: [PATCH 1/3] Replace logic with sdk functions

Fixes https://github.com/TBD54566975/ssi-service/issues/122.

Blocked by https://github.com/TBD54566975/ssi-sdk/pull/424
---
 internal/credential/verification.go | 38 +++-------------------------
 pkg/server/server_credential_test.go | 2 +-
 2 files changed, 5 insertions(+), 35 deletions(-)

diff --git a/internal/credential/verification.go b/internal/credential/verification.go
index 1bf7e6595..dbf2f994f 100644
--- a/internal/credential/verification.go
+++ b/internal/credential/verification.go
@@ -47,47 +47,17 @@ func NewCredentialValidator(didResolver resolution.Resolver, schemaResolver sche
 }, nil
 }
 
-// TODO(gabe) consider moving this verification logic to the sdk https://github.com/TBD54566975/ssi-service/issues/122
-
 // VerifyJWTCredential first parses and checks the signature on the given JWT credential. Next, it runs
 // a set of static verification checks on the credential as per the credential service's configuration.
 func (v Validator) VerifyJWTCredential(ctx context.Context, token keyaccess.JWT) error {
- // first, parse the token to see if it contains a valid verifiable credential
- gotHeaders, _, cred, err := integrity.ParseVerifiableCredentialFromJWT(token.String())
- if err != nil {
- return sdkutil.LoggingErrorMsg(err, "could not parse credential from JWT")
- }
-
- kid, ok := gotHeaders.Get(jws.KeyIDKey)
- if !ok {
- return sdkutil.LoggingNewError("could not find key ID in JWT headers")
- }
- jwtKID, ok := kid.(string)
- if !ok {
- return sdkutil.LoggingNewErrorf("could not convert key ID to string: %v", kid)
- }
-
- // resolve the issuer's key material
- issuerDID, ok := cred.Issuer.(string)
- if !ok {
- return sdkutil.LoggingNewErrorf("could not convert issuer to string: %v", cred.Issuer)
- }
- pubKey, err := didint.ResolveKeyForDID(ctx, v.didResolver, issuerDID, jwtKID)
+ _, err := integrity.VerifyJWTCredential(ctx, token.String(), v.didResolver)
 if err != nil {
- return sdkutil.LoggingError(err)
+ return err
 }
-
- // construct a signature validator from the verification information
- verifier, err := keyaccess.NewJWKKeyAccessVerifier(issuerDID, jwtKID, pubKey)
+ _, _, cred, err := integrity.ParseVerifiableCredentialFromJWT(token.String())
 if err != nil {
- return sdkutil.LoggingErrorMsg(err, "could not create validator")
+ return err
 }
-
- // verify the signature on the credential
- if err = verifier.Verify(token); err != nil {
- return sdkutil.LoggingErrorMsg(err, "could not verify credential's signature")
- }
-
 return v.staticValidationChecks(ctx, *cred)
 }
 
diff --git a/pkg/server/server_credential_test.go b/pkg/server/server_credential_test.go
index a5dcb30d2..e38c99808 100644
--- a/pkg/server/server_credential_test.go
+++ b/pkg/server/server_credential_test.go
@@ -811,7 +811,7 @@ func TestCredentialAPI(t *testing.T) {
 assert.NoError(ttt, err)
 assert.NotEmpty(ttt, verifyResp)
 assert.False(ttt, verifyResp.Verified)
- assert.Contains(ttt, verifyResp.Reason, "could not parse credential from JWT")
+ assert.Contains(ttt, verifyResp.Reason, "parsing JWT: parsing credential token: invalid JWT")
 })
 
 tt.Run("Test Create Revocable Credential", func(ttt *testing.T) {

From 9f650cd6975d78dbd1161719d2abb3eaa5ca94f8 Mon Sep 17 00:00:00 2001
From: Andres Uribe Gonzalez
Date: Fri, 7 Jul 2023 16:34:46 -0400
Subject: [PATCH 2/3] Uptake the ssi-sdk

---
 go.mod | 6 +++---
 go.sum | 12 ++++++------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/go.mod b/go.mod
index eaa76a9d5..07279ee1f 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.20
 
 require (
 github.com/BurntSushi/toml v1.3.2
- github.com/TBD54566975/ssi-sdk v0.0.4-alpha.0.20230629211408-d0031cf86600
+ github.com/TBD54566975/ssi-sdk v0.0.4-alpha.0.20230707203029-1bbf9c13be59
 github.com/alicebob/miniredis/v2 v2.30.4
 github.com/ardanlabs/conf v1.5.0
 github.com/benbjohnson/clock v1.3.5
@@ -42,7 +42,7 @@ require (
 go.opentelemetry.io/otel/sdk v1.16.0
 go.opentelemetry.io/otel/trace v1.16.0
 golang.org/x/crypto v0.10.0
- golang.org/x/term v0.9.0
+ golang.org/x/term v0.10.0
 google.golang.org/api v0.129.0
 gopkg.in/go-playground/validator.v9 v9.31.0
 gopkg.in/h2non/gock.v1 v1.1.2
@@ -163,7 +163,7 @@ require (
 golang.org/x/mod v0.10.0 // indirect
 golang.org/x/net v0.11.0 // indirect
 golang.org/x/oauth2 v0.9.0 // indirect
- golang.org/x/sys v0.9.0 // indirect
+ golang.org/x/sys v0.10.0 // indirect
 golang.org/x/text v0.10.0 // indirect
 golang.org/x/tools v0.9.3 // indirect
 google.golang.org/appengine v1.6.7 // indirect
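Review bot: The value returned by `integrity.VerifyJWTCredential` on the first added line is discarded as `_`, and the token is then re-parsed with `integrity.ParseVerifiableCredentialFromJWT`, so `staticValidationChecks` runs on an object from a second, unverified parse instead of on the one whose signature was just checked; if that discarded first result is the parsed credential, use it and drop the second call (the same pattern is kept by the PATCH 3/3 hunk below). Both calls consume the same `token.String()`, so this is a cost and clarity issue rather than a bypass, but it doubles the parsing of untrusted input and leaves two error paths where one would do. The removed code made the issuer-to-signing-key binding explicit (key resolved from `cred.Issuer` plus the JWT `kid` header); that check is now delegated to the SDK, so a comment such as `// signature check and issuer/kid binding are enforced by integrity.VerifyJWTCredential (see ssi-sdk PR 424)` would record where the assumption now lives. The rest of the file, including the import block, is outside the hunk.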
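Review bot: The updated assertion pins the exact wording of an error produced inside the ssi-sdk dependency (`parsing JWT: parsing credential token: invalid JWT`), so any rewording upstream breaks this test without any change in service behavior; matching a shorter, service-owned fragment, or relying on `verifyResp.Verified` being false plus a non-empty `Reason`, would be more durable. The assertion also shows that the raw wrapped error chain is surfaced to API callers through `verifyResp.Reason`, which makes the amount of internal detail in those messages part of the response contract. `TestCredentialAPI` starts before the hunk.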
diff --git a/go.sum b/go.sum
index 023800042..413a8800e 100644
--- a/go.sum
+++ b/go.sum
@@ -46,8 +46,8 @@ github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbi
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/KyleBanks/depth v1.2.1 h1:5h8fQADFrWtarTdtDudMmGsC7GPbOAu6RVB3ffsVFHc=
 github.com/KyleBanks/depth v1.2.1/go.mod h1:jzSb9d0L43HxTQfT+oSA1EEp2q+ne2uh6XgeJcm8brE=
-github.com/TBD54566975/ssi-sdk v0.0.4-alpha.0.20230629211408-d0031cf86600 h1:POzVbjLxtQYQGVGaU95uQtUvhf3djJsAAWrADV6Ou4Y=
-github.com/TBD54566975/ssi-sdk v0.0.4-alpha.0.20230629211408-d0031cf86600/go.mod h1:yPkVO9MCC/kRu+lut3jllhnCV0gEqSubaaSVT7xLSOs=
+github.com/TBD54566975/ssi-sdk v0.0.4-alpha.0.20230707203029-1bbf9c13be59 h1:O7GtPvUMsbJYFGx+In7ai1Sxm7gQaF7fenwlovpYbvs=
+github.com/TBD54566975/ssi-sdk v0.0.4-alpha.0.20230707203029-1bbf9c13be59/go.mod h1:yPkVO9MCC/kRu+lut3jllhnCV0gEqSubaaSVT7xLSOs=
 github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a/go.mod h1:SGnFV6hVsYE877CKEZ6tDNTjaSXYUk6QqoIK6PrAtcc=
 github.com/alicebob/gopher-json v0.0.0-20230218143504-906a9b012302 h1:uvdUDbHQHO85qeSydJtItA4T55Pw6BtAejd0APRJOCE=
 github.com/alicebob/gopher-json v0.0.0-20230218143504-906a9b012302/go.mod h1:SGnFV6hVsYE877CKEZ6tDNTjaSXYUk6QqoIK6PrAtcc=
@@ -697,16 +697,16 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s=
-golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
-golang.org/x/term v0.9.0 h1:GRRCnKYhdQrD8kfRAdQ6Zcw1P0OcELxGLKJvtjVMZ28=
-golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo=
+golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c=
+golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

From d3c4ae957703c18956e008358ed443ec6c846064 Mon Sep 17 00:00:00 2001
From: Andres Uribe Gonzalez
Date: Fri, 7 Jul 2023 16:36:56 -0400
Subject: [PATCH 3/3] Better errors.

---
 internal/credential/verification.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/credential/verification.go b/internal/credential/verification.go
index dbf2f994f..d095324b4 100644
--- a/internal/credential/verification.go
+++ b/internal/credential/verification.go
@@ -52,11 +52,11 @@ func NewCredentialValidator(didResolver resolution.Resolver, schemaResolver sche
 func (v Validator) VerifyJWTCredential(ctx context.Context, token keyaccess.JWT) error {
 _, err := integrity.VerifyJWTCredential(ctx, token.String(), v.didResolver)
 if err != nil {
- return err
+ return errors.Wrap(err, "verifying JWT credential")
 }
 _, _, cred, err := integrity.ParseVerifiableCredentialFromJWT(token.String())
 if err != nil {
- return err
+ return errors.Wrap(err, "parsing vc from jwt")
 }
 return v.staticValidationChecks(ctx, *cred)
 }
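Review bot: The two wrap messages added here are styled differently (`verifying JWT credential` versus `parsing vc from jwt`), and because the test in this series matches on the `Reason` string that reaches API callers, this wording is effectively part of the response contract; `return errors.Wrap(err, "parsing credential from JWT")` would keep the pair consistent. `errors.Wrap` is introduced without any change to the import block (the diffstat is two insertions and two deletions), so the `errors` identifier already in scope must be a wrapping package rather than the standard library `errors`, which has no `Wrap`; worth confirming, since a mismatch would only show up at build time. The file's import block and the rest of the type are outside the hunk.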