@bedrock/vc-verifier 19.1.0 → 20.1.0

package/README.md

@@ -1,6 +1,6 @@
 # Bedrock VC Verifier API module _(@bedrock/vc-verifier)_
 
-[![Build Status](https://img.shields.io/github/workflow/status/digitalbazaar/bedrock-vc-verifier/Bedrock%20Node.js%20CI)](https://github.com/digitalbazaar/bedrock-vc-verifier/actions?query=workflow%3A%22Bedrock+Node.js+CI%22)
+[![Build Status](https://img.shields.io/github/actions/workflow/status/digitalbazaar/bedrock-vc-verifier/main.yml)](https://github.com/digitalbazaar/bedrock-vc-verifier/actions/workflows/main.yml)
 [![NPM Version](https://img.shields.io/npm/v/bedrock-vc-verifier.svg)](https://npm.im/bedrock-vc-verifier)
 
 > A VC Verifier API library for use with Bedrock applications.

package/lib/config.js

@@ -17,9 +17,11 @@ cfg.challenges = {
 // also allow any verifier instance to optionally load `http` and `https`
 // documents directly from the Web
 cfg.documentLoader = {
-  // `true` enables all verifiers to fetch `http` documents from the Web
+  // `true` enables all verifier instances that do not have document loader
+  // instance-specific constraints to fetch `http` documents from the Web
   http: false,
-  // `true` enables all verifiers to fetch `https` documents from the Web
+  // `true` enables all verifier instances that do not have document loader
+  // instance-specific constraints to fetch `https` documents from the Web
   https: true
 };
 

package/lib/di.js

@@ -0,0 +1,63 @@
+/*!
+ * Copyright (c) 2018-2024 Digital Bazaar, Inc. All rights reserved.
+ */
+import * as vc from '@digitalbazaar/vc';
+import {checkStatus} from './status.js';
+import {createDocumentLoader} from './documentLoader.js';
+import {createSuites} from './suites.js';
+
+export async function verifyCredential({config, credential, checks} = {}) {
+  const documentLoader = await createDocumentLoader({config});
+  const suite = createSuites();
+
+  const result = await vc.verifyCredential({
+    credential,
+    documentLoader,
+    suite,
+    // only check credential status when option is set
+    checkStatus: checks.includes('credentialStatus') ?
+      checkStatus : () => ({verified: true})
+  });
+  // if proof should have been checked but wasn't due to an error,
+  // try to run the check again using the VC's issuance date
+  if(checks.includes('proof') &&
+    result.error && !result.proof && result.results?.[0] &&
+    typeof credential.issuanceDate === 'string') {
+    const proofResult = await vc.verifyCredential({
+      credential,
+      documentLoader,
+      suite,
+      now: new Date(credential.issuanceDate),
+      // only check credential status when option is set
+      checkStatus: checks.includes('credentialStatus') ?
+        checkStatus : () => ({verified: true})
+    });
+    if(proofResult.verified) {
+      // overlay original (failed) results on top of proof results
+      result.results[0] = {
+        ...proofResult.results[0],
+        ...result.results[0],
+        proofVerified: true
+      };
+    }
+  }
+  // ensure all proofs are verified in order to return `verified`
+  let {verified} = result;
+  verified = !!(verified && result?.results?.every(({verified}) => verified));
+  return {...result, verified};
+}
+
+export async function verifyPresentation({
+  config, presentation, challenge, domain, checks
+} = {}) {
+  const verifyOptions = {
+    challenge,
+    domain,
+    presentation,
+    documentLoader: await createDocumentLoader({config}),
+    suite: createSuites(),
+    unsignedPresentation: !checks.includes('proof'),
+    checkStatus
+  };
+  return vc.verify(verifyOptions);
+}

package/lib/documentLoader.js

@@ -1,5 +1,5 @@
 /*!
- * Copyright (c) 2019-2022 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2019-2024 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
 import {
@@ -9,6 +9,7 @@ import {
 } from '@bedrock/jsonld-document-loader';
 import {createContextDocumentLoader} from '@bedrock/service-context-store';
 import {didIo} from '@bedrock/did-io';
+import {klona} from 'klona';
 import '@bedrock/credentials-context';
 import '@bedrock/data-integrity-context';
 import '@bedrock/did-context';
@@ -53,9 +54,17 @@ export async function createDocumentLoader({config} = {}) {
     {config, serviceType});
 
   return async function documentLoader(url) {
-    // resolve all DID URLs through did-io
+    // handle DID URLs...
     if(url.startsWith('did:')) {
-      const document = await didIo.get({url});
+      let document;
+      if(config.verifyOptions?.didResolver) {
+        // resolve via configured DID resolver
+        const {verifyOptions: {didResolver}} = config;
+        document = await _resolve({didResolver, didUrl: url});
+      } else {
+        // resolve via did-io
+        document = await didIo.get({url});
+      }
       return {
         contextUrl: null,
         documentUrl: url,
@@ -75,11 +84,74 @@ export async function createDocumentLoader({config} = {}) {
       // try to resolve URL through context doc loader
       return await contextDocumentLoader(url);
     } catch(e) {
-      // use web loader if configured
-      if(url.startsWith('http') && e.name === 'NotFoundError' && webLoader) {
+      // use web loader if configured and instance config allows it and
+      // the url starts with `http`, and the core config allows it
+      const allowRemoteContexts = !config.verifyOptions?.documentLoader ||
+        config.verifyOptions.documentLoader.allowRemoteContexts;
+      if(allowRemoteContexts &&
+        url.startsWith('http') && e.name === 'NotFoundError' && webLoader) {
         return webLoader(url);
       }
       throw e;
     }
   };
 }
+
+async function _resolve({didResolver, didUrl}) {
+  // split on `?` query or `#` fragment
+  const [did] = didUrl.split(/(?=[\?#])/);
+
+  // fetch DID document using DID resolver, assume DID param is prepended
+  const url = didResolver.url.endsWith('/') ?
+    `${didResolver.url}${encodeURIComponent(did)}` :
+    `${didResolver.url}/${encodeURIComponent(did)}`;
+  const data = await httpClientHandler.get({url});
+
+  if(data?.didDocument?.id !== did) {
+    throw new Error(`DID document for DID "${did}" not found.`);
+  }
+
+  // FIXME: perform DID document validation
+  // FIXME: handle URL query param / services
+  const {didDocument} = data;
+
+  // if a fragment was found use the fragment to dereference a subnode
+  // in the did doc
+  const [, fragment] = didUrl.split('#');
+  if(fragment) {
+    const id = `${didDocument.id}#${fragment}`;
+    return _getNode({didDocument, id});
+  }
+  // resolve the full DID Document
+  return didDocument;
+}
+
+function _getNode({didDocument, id}) {
+  // do verification method search first
+  let match = didDocument?.verificationMethod?.find(vm => vm?.id === id);
+  if(!match) {
+    // check other top-level nodes
+    for(const [key, value] of Object.entries(didDocument)) {
+      if(key === '@context' || key === 'verificationMethod') {
+        continue;
+      }
+      if(Array.isArray(value)) {
+        match = value.find(e => e?.id === id);
+      } else if(value?.id === id) {
+        match = value;
+      }
+      if(match) {
+        break;
+      }
+    }
+  }
+
+  if(!match) {
+    throw new Error(`DID document entity with id "${id}" not found.`);
+  }
+
+  return {
+    '@context': klona(didDocument['@context']),
+    ...klona(match)
+  };
+}

package/lib/envelopes.js

@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2019-2024 Digital Bazaar, Inc. All rights reserved.
+ */
+import * as bedrock from '@bedrock/core';
+import * as vcjwt from './vcjwt.js';
+
+const {util: {BedrockError}} = bedrock;
+
+export async function verifyEnvelopedCredential({envelopedCredential} = {}) {
+  try {
+    const {contents: jwt} = _parseEnvelope({
+      envelope: envelopedCredential
+    });
+    return vcjwt.verifyEnvelopedCredential({jwt});
+  } catch(error) {
+    return {verified: false, error};
+  }
+}
+
+export async function verifyEnvelopedPresentation({
+  envelopedPresentation, challenge, domain
+} = {}) {
+  try {
+    const {contents: jwt} = _parseEnvelope({
+      envelope: envelopedPresentation
+    });
+    return vcjwt.verifyEnvelopedPresentation({jwt, challenge, domain});
+  } catch(error) {
+    return {verified: false, error};
+  }
+}
+
+function _parseEnvelope({envelope}) {
+  const {id} = envelope;
+  let format;
+  const comma = id.indexOf(',');
+  if(id.startsWith('data:') && comma !== -1) {
+    format = id.slice('data:'.length, comma);
+  }
+  if(format !== 'application/jwt') {
+    throw new BedrockError(
+      `Unknown envelope format "${format}".`, {
+        name: 'DataError',
+        details: {
+          httpStatusCode: 400,
+          public: true
+        },
+      });
+  }
+  return {contents: id.slice(comma + 1), format};
+}

package/lib/http.js

@@ -1,8 +1,7 @@
 /*!
- * Copyright (c) 2018-2022 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2018-2024 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
-import * as vc from '@digitalbazaar/vc';
 import {createChallenge, verifyChallenge} from './challenges.js';
 import {
   createChallengeBody,
@@ -10,12 +9,10 @@ import {
   verifyPresentationBody
 } from '../schemas/bedrock-vc-verifier.js';
 import {metering, middleware} from '@bedrock/service-core';
+import {verifyCredential, verifyPresentation} from './verify.js';
 import {asyncHandler} from '@bedrock/express';
 import bodyParser from 'body-parser';
-import {checkStatus} from './status.js';
 import cors from 'cors';
-import {createDocumentLoader} from './documentLoader.js';
-import {createSuites} from './suites.js';
 import {serializeError} from 'serialize-error';
 import {createValidateMiddleware as validate} from '@bedrock/validation';
 
@@ -33,7 +30,6 @@ bedrock.events.on('bedrock-express.configure.bodyParser', app => {
 
 export async function addRoutes({app, service} = {}) {
   const {routePrefix} = service;
-  const suite = createSuites();
   const cfg = bedrock.config['vc-verifier'];
   const baseUrl = `${routePrefix}/:localId`;
   const routes = {
@@ -70,12 +66,11 @@ export async function addRoutes({app, service} = {}) {
   app.post(
     routes.credentialsVerify,
     cors(),
-    validate({bodySchema: verifyCredentialBody}),
+    validate({bodySchema: verifyCredentialBody()}),
     getConfigMiddleware,
     middleware.authorizeServiceObjectRequest(),
     asyncHandler(async (req, res) => {
       const {config} = req.serviceObject;
-      const documentLoader = await createDocumentLoader({config});
 
       let response;
       try {
@@ -86,37 +81,7 @@ export async function addRoutes({app, service} = {}) {
 
         const {checks} = options;
         _validateChecks({checks});
-        const result = await vc.verifyCredential({
-          credential,
-          documentLoader,
-          suite,
-          // only check credential status when option is set
-          checkStatus: checks.includes('credentialStatus') ?
-            checkStatus : () => ({verified: true})
-        });
-        // if proof should have been checked but wasn't due to an error,
-        // try to run the check again using the VC's issuance date
-        if(checks.includes('proof') &&
-          result.error && !result.proof && result.results[0] &&
-          typeof credential.issuanceDate === 'string') {
-          const proofResult = await vc.verifyCredential({
-            credential,
-            documentLoader,
-            suite,
-            now: new Date(credential.issuanceDate),
-            // only check credential status when option is set
-            checkStatus: checks.includes('credentialStatus') ?
-              checkStatus : () => ({verified: true})
-          });
-          if(proofResult.verified) {
-            // overlay original (failed) results on top of proof results
-            result.results[0] = {
-              ...proofResult.results[0],
-              ...result.results[0],
-              proofVerified: true
-            };
-          }
-        }
+        const result = await verifyCredential({config, credential, checks});
         response = _createResponse({credential, result, checks});
       } catch(e) {
         response = _createResponse({error: e});
@@ -150,17 +115,16 @@ export async function addRoutes({app, service} = {}) {
   app.post(
     routes.presentationsVerify,
     cors(),
-    validate({bodySchema: verifyPresentationBody}),
+    validate({bodySchema: verifyPresentationBody()}),
     getConfigMiddleware,
     middleware.authorizeServiceObjectRequest(),
     asyncHandler(async (req, res) => {
       const {config} = req.serviceObject;
-      const documentLoader = await createDocumentLoader({config});
 
       let response;
       try {
         const {
-          verifiablePresentation,
+          verifiablePresentation: presentation,
           options = {}
         } = req.body;
 
@@ -174,7 +138,6 @@ export async function addRoutes({app, service} = {}) {
         }
 
         _validateChecks({checks});
-        const unsignedPresentation = !checks.includes('proof');
 
         // allow for `checks` to indicate whether or not the challenge
         // should be checked
@@ -190,20 +153,12 @@ export async function addRoutes({app, service} = {}) {
           ({uses: challengeUses} = result);
         }
 
-        const verifyOptions = {
-          challenge,
-          presentation: verifiablePresentation,
-          documentLoader,
-          suite,
-          unsignedPresentation,
-          checkStatus
-        };
-        const {proof} = verifiablePresentation;
-        if(proof && proof.domain) {
-          // FIXME: do not set a default
-          verifyOptions.domain = domain || 'issuer.example.com';
-        }
-        const result = await vc.verify(verifyOptions);
+        // FIXME: do not set a default domain
+        const expectedDomain = domain ??
+          (presentation?.proof?.domain && 'issuer.example.com');
+        const result = await verifyPresentation({
+          config, presentation, challenge, domain: expectedDomain, checks
+        });
         response = _createResponse({result, challengeUses, checks});
       } catch(e) {
         response = _createResponse({error: e});

package/lib/index.js

@@ -1,13 +1,15 @@
 /*!
- * Copyright (c) 2021-2022 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2021-2024 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
+import {createService, schemas} from '@bedrock/service-core';
 import {
   addRoutes as addContextStoreRoutes
 } from '@bedrock/service-context-store';
 import {addRoutes} from './http.js';
-import {createService} from '@bedrock/service-core';
 import {initializeServiceAgent} from '@bedrock/service-agent';
+import {klona} from 'klona';
+import {verifyOptions} from '../schemas/bedrock-vc-verifier.js';
 
 // load config defaults
 import './config.js';
@@ -15,6 +17,15 @@ import './config.js';
 const serviceType = 'vc-verifier';
 
 bedrock.events.on('bedrock.init', async () => {
+  // add customizations to config validators...
+  const createConfigBody = klona(schemas.createConfigBody);
+  const updateConfigBody = klona(schemas.updateConfigBody);
+  const schemasToUpdate = [createConfigBody, updateConfigBody];
+  for(const schema of schemasToUpdate) {
+    // verify options
+    schema.properties.verifyOptions = verifyOptions;
+  }
+
   // create `vc-verifier` service
   const service = await createService({
     serviceType,
@@ -24,6 +35,8 @@ bedrock.events.on('bedrock.init', async () => {
       revocation: 1
     },
     validation: {
+      createConfigBody,
+      updateConfigBody,
       // require these zcaps (by reference ID)
       zcapReferenceIds: [{
         referenceId: 'edv',