npm - @bedrock/vc-verifier - Versions diffs - 23.0.0 → 23.2.0 - Mend

@bedrock/vc-verifier 23.0.0 → 23.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/lib/config.js +1 -0
package/lib/envelopes.js +11 -2
package/lib/http.js +2 -1
package/lib/index.js +8 -3
package/lib/mdl.js +193 -0
package/lib/vcb.js +41 -6
package/lib/verify.js +24 -4
package/package.json +2 -1
package/schemas/bedrock-vc-verifier.js +61 -1

package/lib/config.js CHANGED Viewed

@@ -42,6 +42,7 @@ cfg.supportedSuites = [
 cfg.routes = {
   challenges: '/challenges',
   credentialsVerify: '/credentials/verify',
+  mdl: '/mdl',
   presentationsVerify: '/presentations/verify'
 };

package/lib/envelopes.js CHANGED Viewed

@@ -2,6 +2,7 @@
  * Copyright (c) 2019-2025 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
+import * as mdl from './mdl.js';
 import * as vcb from './vcb.js';
 import * as vcjwt from './vcjwt.js';
@@ -33,7 +34,7 @@ export async function verifyEnvelopedCredential({
 }
 export async function verifyEnvelopedPresentation({
-  envelopedPresentation, challenge, domain
+  config, envelopedPresentation, challenge, domain, checks, options
 } = {}) {
   let format;
   try {
@@ -46,6 +47,14 @@ export async function verifyEnvelopedPresentation({
       result = await vcjwt.verifyEnvelopedPresentation({
         jwt: contents, challenge, domain
       });
+    } else if(format.typeAndSubType === 'application/vcb') {
+      result = await vcb.verifyEnvelopedPresentation({
+        config, contents, format, challenge, checks
+      });
+    } else if(format.typeAndSubType === 'application/mdl-vp-token') {
+      result = await mdl.verifyEnvelopedPresentation({
+        config, contents, format, challenge, domain, checks, options
+      });
     } else {
       _throwUnknownFormat(format);
     }
@@ -75,7 +84,7 @@ function _parseEnvelope({envelope}) {
 function _throwUnknownFormat(format) {
   throw new BedrockError(
     `Unknown envelope format "${format.mediaType}".`, {
-      name: 'DataError',
+      name: 'NotSupportedError',
       details: {
         httpStatusCode: 400,
         public: true

package/lib/http.js CHANGED Viewed

@@ -157,7 +157,8 @@ export async function addRoutes({app, service} = {}) {
         const expectedDomain = domain ??
           (presentation?.proof?.domain && 'issuer.example.com');
         const result = await verifyPresentation({
-          config, presentation, challenge, domain: expectedDomain, checks
+          config, presentation, challenge, domain: expectedDomain, checks,
+          options
         });
         response = _createResponse({result, challengeUses, checks});
       } catch(e) {

package/lib/index.js CHANGED Viewed

@@ -6,6 +6,7 @@ import {
   addCborldRoutes, addContextRoutes
 } from '@bedrock/service-context-store';
 import {createService, schemas} from '@bedrock/service-core';
+import {addCaStoreRoutes as addMdlCaStoreRoutes} from './mdl.js';
 import {addRoutes} from './http.js';
 import {initializeServiceAgent} from '@bedrock/service-agent';
 import {verifyOptions} from '../schemas/bedrock-vc-verifier.js';
@@ -53,6 +54,7 @@ bedrock.events.on('bedrock.init', async () => {
   bedrock.events.on('bedrock-express.configure.routes', async app => {
     await addCborldRoutes({app, service});
     await addContextRoutes({app, service});
+    await addMdlCaStoreRoutes({app, service});
     await addRoutes({app, service});
   });
@@ -72,10 +74,13 @@ async function validateConfigFn({config} = {}) {
     // set default `verifyOptions` if not given
     const {verifyOptions} = config;
     if(verifyOptions === undefined) {
+      config.verifyOptions = {};
+    }
+    // set default `documentLoader` options
+    if(config.verifyOptions.documentLoader === undefined) {
       config.verifyOptions = {
-        documentLoader: {
-          allowRemoteContexts: false
-        }
+        ...config.verifyOptions,
+        documentLoader: {allowRemoteContexts: false}
       };
     }
   } catch(error) {

package/lib/mdl.js ADDED Viewed

@@ -0,0 +1,193 @@
+/*
+ * Copyright (c) 2025 Digital Bazaar, Inc. All rights reserved.
+ */
+import * as bedrock from '@bedrock/core';
+import {addDocumentRoutes, documentStores} from '@bedrock/service-agent';
+import {
+  createMdlCaStoreBody, updateMdlCaStoreBody
+} from '../schemas/bedrock-vc-verifier.js';
+import {DataItem, Verifier} from '@auth0/mdl';
+const {util: {BedrockError}} = bedrock;
+const VC_CONTEXT_2 = 'https://www.w3.org/ns/credentials/v2';
+const MDL_NAMESPACE = 'org.iso.18013.5.1';
+const MDOC_TYPE_MDL = `${MDL_NAMESPACE}.mDL`;
+const MDL_CA_STORE_TYPE = 'MdlCAStore';
+const serviceType = 'vc-verifier';
+export async function addCaStoreRoutes({app, service} = {}) {
+  const cfg = bedrock.config['vc-verifier'];
+  const basePath = `${cfg.routes.mdl}/ca-stores`;
+  addDocumentRoutes({
+    app, service,
+    type: MDL_CA_STORE_TYPE,
+    typeName: 'mDL Certificate Authority Store',
+    contentProperty: 'trustedCertificates',
+    basePath,
+    pathParam: 'caStoreId',
+    createBodySchema: createMdlCaStoreBody(),
+    updateBodySchema: updateMdlCaStoreBody()
+  });
+}
+export async function verifyEnvelopedPresentation({
+  config, contents, format, challenge, domain, options
+} = {}) {
+  // base64 encoding must NOT be used; vp token is `base64url` encoded
+  if(format.parameters.has('base64')) {
+    throw new BedrockError(
+      `Unknown envelope format "${format.mediaType}".`, {
+        name: 'DataError',
+        details: {
+          httpStatusCode: 400,
+          public: true
+        },
+      });
+  }
+  // decoded `contents` is the mDL device response
+  const deviceResponse = Buffer.from(contents, 'base64url');
+  // session transcription must be provided modulo:
+  // `domain` which is used as the `responseUri`
+  // `challenge` which is used as the `verifierGeneratedNonce`
+  const sessionTranscript = {
+    ..._getSessionTranscriptFromOptions({options}),
+    responseUri: domain,
+    verifierGeneratedNonce: challenge
+  };
+  // fetch CA store(s)
+  const {documentStore} = await documentStores.get({config, serviceType});
+  const caStoreIds = config.verifyOptions?.mdl?.caStores;
+  const caStore = new Set();
+  // FIXME: implement parallel lookup w/limits, for now one CA store is
+  // expected and multiples will be slow, discouraging too many from being used
+  for(const url of caStoreIds) {
+    const doc = await _getCAStoreDocument({documentStore, url});
+    doc.content.trustedCertificates.forEach(caStore.add, caStore);
+  }
+  return verifyPresentation({
+    deviceResponse, sessionTranscript, trustedCertificates: [...caStore]
+  });
+}
+export async function verifyPresentation({
+  deviceResponse, sessionTranscript, trustedCertificates
+} = {}) {
+  try {
+    const verifier = new Verifier(trustedCertificates);
+    const encodedSessionTranscript = _encodeSessionTranscript(
+      sessionTranscript);
+    // uncomment to debug
+    /*
+    const diagnostic = await verifier.getDiagnosticInformation(
+      deviceResponse, {encodedSessionTranscript});
+    console.debug('Diagnostic information:', diagnostic);
+    */
+    // verify device response and get selectively disclosed mdoc result
+    const mdoc = await verifier.verify(deviceResponse, {
+      encodedSessionTranscript
+    });
+    // ensure `mdoc` has one document and its `type` is `MDOC_TYPE_MDL`
+    if(!(mdoc.documents?.length === 1 &&
+      mdoc.documents[0].docType === MDOC_TYPE_MDL)) {
+      throw new BedrockError(
+        `Unknown mdoc document type "${mdoc.documents[0].docType}"; ` +
+        `expecting "${MDOC_TYPE_MDL}".`, {
+          name: 'NotSupportedError',
+          details: {
+            httpStatusCode: 400,
+            public: true
+          }
+        });
+    }
+    // express CBOR-encoded mdoc as an enveloped VC in a VP
+    const cborMdoc = mdoc.encode();
+    const b64Mdl = Buffer.from(cborMdoc).toString('base64');
+    const presentation = {
+      '@context': [VC_CONTEXT_2],
+      type: 'VerifiablePresentation',
+      verifiableCredential: {
+        id: `data:application/mdl;base64,${b64Mdl}`,
+        type: 'EnvelopedVerifiableCredential'
+      }
+    };
+    return {verified: true, presentation};
+  } catch(err) {
+    // capture `err` message, name, and code
+    const cause = new Error(err.message);
+    cause.name = err.name;
+    cause.code = err.code;
+    const error = new Error('Verification error.');
+    error.name = 'VerificationError';
+    error.errors = [cause];
+    return {verified: false, error};
+  }
+}
+// returns a full or partial session transcript
+function _getSessionTranscriptFromOptions({options}) {
+  if(!options.mdl?.sessionTranscript) {
+    // no `mdl` session transcription options given
+    return {};
+  }
+  // `mdocGeneratedNonce` and `verifierGeneratedNonce` are base64url-encoded
+  // values; the others are passthrough strings
+  const sessionTranscript = {...options.mdl.sessionTranscript};
+  if(sessionTranscript.mdocGeneratedNonce) {
+    sessionTranscript.mdocGeneratedNonce = Buffer
+      .from(sessionTranscript.mdocGeneratedNonce, 'base64url')
+      // note: ISO 18013-7 requires `verifierGeneratedNonce` to be a string
+      .toString('utf8');
+  }
+  if(sessionTranscript.verifierGeneratedNonce) {
+    sessionTranscript.verifierGeneratedNonce = Buffer
+      .from(sessionTranscript.verifierGeneratedNonce, 'base64url')
+      // note: ISO 18013-7 requires `verifierGeneratedNonce` to be a string
+      .toString('utf8');
+  }
+  return sessionTranscript;
+}
+function _encodeSessionTranscript(sessionTranscript) {
+  const {
+    mdocGeneratedNonce,
+    clientId,
+    responseUri,
+    verifierGeneratedNonce
+  } = sessionTranscript;
+  const encoded = DataItem.fromData([
+    // deviceEngagementBytes
+    null,
+    // eReaderKeyBytes
+    null,
+    [mdocGeneratedNonce, clientId, responseUri, verifierGeneratedNonce],
+  ]);
+  return DataItem.fromData(encoded).buffer;
+}
+async function _getCAStoreDocument({documentStore, url}) {
+  const doc = await documentStore.get({id: url});
+  if(doc.meta.type !== MDL_CA_STORE_TYPE) {
+    // wrong meta type; treat as not found error
+    throw new BedrockError(`Document "${url}" not found.`, {
+      name: 'NotFoundError',
+      details: {
+        url,
+        httpStatusCode: 404,
+        public: true
+      }
+    });
+  }
+  return doc;
+}

package/lib/vcb.js CHANGED Viewed

@@ -29,6 +29,41 @@ const SUPPORTED_BARCODE_FORMATS = new Set([
 const TEXT_DECODER = new TextDecoder();
+export async function verifyEnvelopedPresentation({
+  config, contents, format, challenge, checks
+} = {}) {
+  // handle base64 encoding
+  let {parameters} = format;
+  if(parameters.has('base64')) {
+    contents = new Uint8Array(Buffer.from(contents, 'base64'));
+    parameters = new Map(parameters);
+    parameters.delete('base64');
+  }
+  // only parameter understood is `barcode-format` with values of:
+  // 'qr_code' (default)
+  const barcodeFormat = parameters.size === 1 ?
+    parameters.get('barcode-format') : (parameters.size === 0 && 'qr_code');
+  if(barcodeFormat !== 'qr_code') {
+    _throwUnknownFormat(format);
+  }
+  // create loaders for JSON-LD contexts and CBOR-LD type tables
+  const documentLoader = await createDocumentLoader({config});
+  const typeTableLoader = await createCborldTypeTableLoader({
+    config, serviceType: 'vc-verifier'
+  });
+  // parse credential and any verification options from contents...
+  const {jsonldDocument: presentation, options} = await _parseQrCodeEnvelope({
+    contents, documentLoader, typeTableLoader, expectedHeader: 'VP1-'
+  });
+  // checks for VCB VPs only applies if there is actually a proof to check
+  checks = presentation.proof ? checks : [];
+  // verify VP
+  const result = await di.verifyPresentation({
+    config, presentation, options, challenge, checks
+  });
+  return {...result, presentation};
+}
 export async function verifyEnvelopedCredential({
   config, contents, format, checks
 } = {}) {
@@ -58,8 +93,8 @@ export async function verifyEnvelopedCredential({
   let credential;
   let options;
   if(barcodeFormat === 'qr_code') {
-    ({credential, options} = await _parseQrCodeEnvelope({
-      contents, documentLoader, typeTableLoader
+    ({jsonldDocument: credential, options} = await _parseQrCodeEnvelope({
+      contents, documentLoader, typeTableLoader, expectedHeader: 'VC1-'
     }));
   }
   if(barcodeFormat === 'pdf417') {
@@ -76,19 +111,19 @@ export async function verifyEnvelopedCredential({
 }
 async function _parseQrCodeEnvelope({
-  contents, documentLoader, typeTableLoader
+  contents, documentLoader, typeTableLoader, expectedHeader
 }) {
   // `fromQrCode` requires text, so convert to text as needed
   if(contents instanceof Uint8Array) {
     contents = TEXT_DECODER.decode(contents);
   }
-  const {jsonldDocument: credential} = await util.fromQrCode({
+  const {jsonldDocument} = await util.fromQrCode({
     text: contents,
     documentLoader,
     typeTableLoader,
-    expectedHeader: 'VC1-'
+    expectedHeader
   });
-  return {credential};
+  return {jsonldDocument};
 }
 async function _parsePdf417Envelope({

package/lib/verify.js CHANGED Viewed

@@ -30,7 +30,7 @@ export async function verifyCredential({config, credential, checks} = {}) {
 }
 export async function verifyPresentation({
-  config, presentation, challenge, domain, checks
+  config, presentation, challenge, domain, checks, options
 } = {}) {
   if(presentation?.type !== 'EnvelopedVerifiablePresentation') {
     const result = await di.verifyPresentation({
@@ -74,20 +74,40 @@ export async function verifyPresentation({
   }
   const presentationResult = await verifyEnvelopedPresentation({
-    envelopedPresentation: presentation, challenge, domain
+    config, envelopedPresentation: presentation, challenge, domain, checks,
+    options
   });
-  // verify each `verifiableCredential` in the resulting VP
+  // verify each `verifiableCredential` in the resulting VP, unless the VP
+  // format was mDL, which means there will always be one VC (an enveloped mDL)
+  // and it will already have been verified
   let verified = presentationResult.verified;
   let credentialResults;
   if(!verified) {
     credentialResults = [];
+  } else if(
+    presentationResult.format.typeAndSubType === 'application/mdl-vp-token') {
+    let {verifiableCredential} = presentationResult.presentation;
+    if(Array.isArray(verifiableCredential)) {
+      verifiableCredential = verifiableCredential[0];
+    }
+    credentialResults = [{
+      verified: true,
+      credential: verifiableCredential,
+      format: {
+        mediaType: 'application/mdl',
+        typeAndSubType: 'application/mdl',
+        type: 'application',
+        subType: 'mdl',
+        parameters: {}
+      }
+    }];
   } else if(presentationResult.presentation?.proof &&
     presentationResult.format.typeAndSubType === 'application/jwt') {
     // presentation in the envelope has a `proof` and envelope format is JWT,
     // so recurse to check `proof` field
     const proofResult = await verifyPresentation({
       config, presentation: presentationResult.presentation,
-      challenge, domain, checks
+      challenge, domain, checks, options
     });
     verified = !!(verified && proofResult.presentationResult?.verified);
     presentationResult.proofResult = proofResult;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@bedrock/vc-verifier",
-  "version": "23.0.0",
+  "version": "23.2.0",
   "type": "module",
   "description": "Bedrock VC Verifier",
   "main": "./lib/index.js",
@@ -25,6 +25,7 @@
   },
   "homepage": "https://github.com/digitalbazaar/bedrock-vc-verifier",
   "dependencies": {
+    "@auth0/mdl": "^3.0.0",
     "@digitalbazaar/bbs-2023-cryptosuite": "^2.0.1",
     "@digitalbazaar/cborld": "^8.0.0",
     "@digitalbazaar/data-integrity": "^2.5.0",

package/schemas/bedrock-vc-verifier.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*!
- * Copyright (c) 2022-2024 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2022-2025 Digital Bazaar, Inc. All rights reserved.
  */
 import {schemas} from '@bedrock/validation';
@@ -182,6 +182,8 @@ export const verifyOptions = {
     required: ['didResolver']
   }, {
     required: ['documentLoader']
+  }, {
+    required: ['mdl']
   }],
   additionalProperties: false,
   properties: {
@@ -207,6 +209,20 @@ export const verifyOptions = {
           type: 'boolean'
         }
       }
+    },
+    mdl: {
+      title: 'mDL Verification Options',
+      type: 'object',
+      required: ['caStores'],
+      additionalProperties: false,
+      properties: {
+        caStores: {
+          title: 'mDL Certificate Authority Store IDs',
+          type: 'array',
+          minItems: 1,
+          items: {type: 'string'}
+        }
+      }
     }
   }
 };
@@ -258,3 +274,47 @@ export function verifyPresentationBody() {
     }
   };
 }
+const sequence = {
+  title: 'sequence',
+  type: 'integer',
+  minimum: 0,
+  maximum: Number.MAX_SAFE_INTEGER - 1
+};
+const mdlCaStoreBody = {
+  title: 'mDL Certificate Authority Store Record',
+  type: 'object',
+  required: ['id', 'trustedCertificates'],
+  additionalProperties: false,
+  properties: {
+    id: {
+      title: 'CA Store ID',
+      type: 'string',
+      pattern: '^urn:mdl-ca-store:'
+    },
+    trustedCertificates: {
+      type: 'array',
+      items: {type: 'string'}
+    }
+  }
+};
+export function createMdlCaStoreBody() {
+  return {
+    ...mdlCaStoreBody,
+    title: 'createMdlCaStoreBody'
+  };
+}
+export function updateMdlCaStoreBody() {
+  return {
+    ...mdlCaStoreBody,
+    required: ['id', 'trustedCertificates', 'sequence'],
+    properties: {
+      ...mdlCaStoreBody.properties,
+      sequence
+    },
+    title: 'updateMdlCaStoreBody'
+  };
+}