@bedrock/vc-verifier 23.1.0 → 23.2.0

package/lib/config.js

@@ -42,6 +42,7 @@ cfg.supportedSuites = [
 cfg.routes = {
   challenges: '/challenges',
   credentialsVerify: '/credentials/verify',
+  mdl: '/mdl',
   presentationsVerify: '/presentations/verify'
 };
 

package/lib/envelopes.js

@@ -2,6 +2,7 @@
  * Copyright (c) 2019-2025 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
+import * as mdl from './mdl.js';
 import * as vcb from './vcb.js';
 import * as vcjwt from './vcjwt.js';
 
@@ -33,7 +34,7 @@ export async function verifyEnvelopedCredential({
 }
 
 export async function verifyEnvelopedPresentation({
-  config, envelopedPresentation, challenge, domain, checks
+  config, envelopedPresentation, challenge, domain, checks, options
 } = {}) {
   let format;
   try {
@@ -50,6 +51,10 @@ export async function verifyEnvelopedPresentation({
       result = await vcb.verifyEnvelopedPresentation({
         config, contents, format, challenge, checks
       });
+    } else if(format.typeAndSubType === 'application/mdl-vp-token') {
+      result = await mdl.verifyEnvelopedPresentation({
+        config, contents, format, challenge, domain, checks, options
+      });
     } else {
       _throwUnknownFormat(format);
     }
@@ -79,7 +84,7 @@ function _parseEnvelope({envelope}) {
 function _throwUnknownFormat(format) {
   throw new BedrockError(
     `Unknown envelope format "${format.mediaType}".`, {
-      name: 'DataError',
+      name: 'NotSupportedError',
       details: {
         httpStatusCode: 400,
         public: true

package/lib/http.js

@@ -157,7 +157,8 @@ export async function addRoutes({app, service} = {}) {
         const expectedDomain = domain ??
           (presentation?.proof?.domain && 'issuer.example.com');
         const result = await verifyPresentation({
-          config, presentation, challenge, domain: expectedDomain, checks
+          config, presentation, challenge, domain: expectedDomain, checks,
+          options
         });
         response = _createResponse({result, challengeUses, checks});
       } catch(e) {

package/lib/index.js

@@ -6,6 +6,7 @@ import {
   addCborldRoutes, addContextRoutes
 } from '@bedrock/service-context-store';
 import {createService, schemas} from '@bedrock/service-core';
+import {addCaStoreRoutes as addMdlCaStoreRoutes} from './mdl.js';
 import {addRoutes} from './http.js';
 import {initializeServiceAgent} from '@bedrock/service-agent';
 import {verifyOptions} from '../schemas/bedrock-vc-verifier.js';
@@ -53,6 +54,7 @@ bedrock.events.on('bedrock.init', async () => {
   bedrock.events.on('bedrock-express.configure.routes', async app => {
     await addCborldRoutes({app, service});
     await addContextRoutes({app, service});
+    await addMdlCaStoreRoutes({app, service});
     await addRoutes({app, service});
   });
 
@@ -72,10 +74,13 @@ async function validateConfigFn({config} = {}) {
     // set default `verifyOptions` if not given
     const {verifyOptions} = config;
     if(verifyOptions === undefined) {
+      config.verifyOptions = {};
+    }
+    // set default `documentLoader` options
+    if(config.verifyOptions.documentLoader === undefined) {
       config.verifyOptions = {
-        documentLoader: {
-          allowRemoteContexts: false
-        }
+        ...config.verifyOptions,
+        documentLoader: {allowRemoteContexts: false}
       };
     }
   } catch(error) {

package/lib/mdl.js

@@ -0,0 +1,193 @@
+/*
+ * Copyright (c) 2025 Digital Bazaar, Inc. All rights reserved.
+ */
+import * as bedrock from '@bedrock/core';
+import {addDocumentRoutes, documentStores} from '@bedrock/service-agent';
+import {
+  createMdlCaStoreBody, updateMdlCaStoreBody
+} from '../schemas/bedrock-vc-verifier.js';
+import {DataItem, Verifier} from '@auth0/mdl';
+
+const {util: {BedrockError}} = bedrock;
+
+const VC_CONTEXT_2 = 'https://www.w3.org/ns/credentials/v2';
+
+const MDL_NAMESPACE = 'org.iso.18013.5.1';
+const MDOC_TYPE_MDL = `${MDL_NAMESPACE}.mDL`;
+const MDL_CA_STORE_TYPE = 'MdlCAStore';
+
+const serviceType = 'vc-verifier';
+
+export async function addCaStoreRoutes({app, service} = {}) {
+  const cfg = bedrock.config['vc-verifier'];
+  const basePath = `${cfg.routes.mdl}/ca-stores`;
+  addDocumentRoutes({
+    app, service,
+    type: MDL_CA_STORE_TYPE,
+    typeName: 'mDL Certificate Authority Store',
+    contentProperty: 'trustedCertificates',
+    basePath,
+    pathParam: 'caStoreId',
+    createBodySchema: createMdlCaStoreBody(),
+    updateBodySchema: updateMdlCaStoreBody()
+  });
+}
+
+export async function verifyEnvelopedPresentation({
+  config, contents, format, challenge, domain, options
+} = {}) {
+  // base64 encoding must NOT be used; vp token is `base64url` encoded
+  if(format.parameters.has('base64')) {
+    throw new BedrockError(
+      `Unknown envelope format "${format.mediaType}".`, {
+        name: 'DataError',
+        details: {
+          httpStatusCode: 400,
+          public: true
+        },
+      });
+  }
+
+  // decoded `contents` is the mDL device response
+  const deviceResponse = Buffer.from(contents, 'base64url');
+
+  // session transcription must be provided modulo:
+  // `domain` which is used as the `responseUri`
+  // `challenge` which is used as the `verifierGeneratedNonce`
+  const sessionTranscript = {
+    ..._getSessionTranscriptFromOptions({options}),
+    responseUri: domain,
+    verifierGeneratedNonce: challenge
+  };
+
+  // fetch CA store(s)
+  const {documentStore} = await documentStores.get({config, serviceType});
+  const caStoreIds = config.verifyOptions?.mdl?.caStores;
+  const caStore = new Set();
+  // FIXME: implement parallel lookup w/limits, for now one CA store is
+  // expected and multiples will be slow, discouraging too many from being used
+  for(const url of caStoreIds) {
+    const doc = await _getCAStoreDocument({documentStore, url});
+    doc.content.trustedCertificates.forEach(caStore.add, caStore);
+  }
+
+  return verifyPresentation({
+    deviceResponse, sessionTranscript, trustedCertificates: [...caStore]
+  });
+}
+
+export async function verifyPresentation({
+  deviceResponse, sessionTranscript, trustedCertificates
+} = {}) {
+  try {
+    const verifier = new Verifier(trustedCertificates);
+    const encodedSessionTranscript = _encodeSessionTranscript(
+      sessionTranscript);
+
+    // uncomment to debug
+    /*
+    const diagnostic = await verifier.getDiagnosticInformation(
+      deviceResponse, {encodedSessionTranscript});
+    console.debug('Diagnostic information:', diagnostic);
+    */
+
+    // verify device response and get selectively disclosed mdoc result
+    const mdoc = await verifier.verify(deviceResponse, {
+      encodedSessionTranscript
+    });
+
+    // ensure `mdoc` has one document and its `type` is `MDOC_TYPE_MDL`
+    if(!(mdoc.documents?.length === 1 &&
+      mdoc.documents[0].docType === MDOC_TYPE_MDL)) {
+      throw new BedrockError(
+        `Unknown mdoc document type "${mdoc.documents[0].docType}"; ` +
+        `expecting "${MDOC_TYPE_MDL}".`, {
+          name: 'NotSupportedError',
+          details: {
+            httpStatusCode: 400,
+            public: true
+          }
+        });
+    }
+
+    // express CBOR-encoded mdoc as an enveloped VC in a VP
+    const cborMdoc = mdoc.encode();
+    const b64Mdl = Buffer.from(cborMdoc).toString('base64');
+    const presentation = {
+      '@context': [VC_CONTEXT_2],
+      type: 'VerifiablePresentation',
+      verifiableCredential: {
+        id: `data:application/mdl;base64,${b64Mdl}`,
+        type: 'EnvelopedVerifiableCredential'
+      }
+    };
+    return {verified: true, presentation};
+  } catch(err) {
+    // capture `err` message, name, and code
+    const cause = new Error(err.message);
+    cause.name = err.name;
+    cause.code = err.code;
+    const error = new Error('Verification error.');
+    error.name = 'VerificationError';
+    error.errors = [cause];
+    return {verified: false, error};
+  }
+}
+
+// returns a full or partial session transcript
+function _getSessionTranscriptFromOptions({options}) {
+  if(!options.mdl?.sessionTranscript) {
+    // no `mdl` session transcription options given
+    return {};
+  }
+
+  // `mdocGeneratedNonce` and `verifierGeneratedNonce` are base64url-encoded
+  // values; the others are passthrough strings
+  const sessionTranscript = {...options.mdl.sessionTranscript};
+  if(sessionTranscript.mdocGeneratedNonce) {
+    sessionTranscript.mdocGeneratedNonce = Buffer
+      .from(sessionTranscript.mdocGeneratedNonce, 'base64url')
+      // note: ISO 18013-7 requires `verifierGeneratedNonce` to be a string
+      .toString('utf8');
+  }
+  if(sessionTranscript.verifierGeneratedNonce) {
+    sessionTranscript.verifierGeneratedNonce = Buffer
+      .from(sessionTranscript.verifierGeneratedNonce, 'base64url')
+      // note: ISO 18013-7 requires `verifierGeneratedNonce` to be a string
+      .toString('utf8');
+  }
+  return sessionTranscript;
+}
+
+function _encodeSessionTranscript(sessionTranscript) {
+  const {
+    mdocGeneratedNonce,
+    clientId,
+    responseUri,
+    verifierGeneratedNonce
+  } = sessionTranscript;
+  const encoded = DataItem.fromData([
+    // deviceEngagementBytes
+    null,
+    // eReaderKeyBytes
+    null,
+    [mdocGeneratedNonce, clientId, responseUri, verifierGeneratedNonce],
+  ]);
+  return DataItem.fromData(encoded).buffer;
+}
+
+async function _getCAStoreDocument({documentStore, url}) {
+  const doc = await documentStore.get({id: url});
+  if(doc.meta.type !== MDL_CA_STORE_TYPE) {
+    // wrong meta type; treat as not found error
+    throw new BedrockError(`Document "${url}" not found.`, {
+      name: 'NotFoundError',
+      details: {
+        url,
+        httpStatusCode: 404,
+        public: true
+      }
+    });
+  }
+  return doc;
+}

package/lib/verify.js

@@ -30,7 +30,7 @@ export async function verifyCredential({config, credential, checks} = {}) {
 }
 
 export async function verifyPresentation({
-  config, presentation, challenge, domain, checks
+  config, presentation, challenge, domain, checks, options
 } = {}) {
   if(presentation?.type !== 'EnvelopedVerifiablePresentation') {
     const result = await di.verifyPresentation({
@@ -74,20 +74,40 @@ export async function verifyPresentation({
   }
 
   const presentationResult = await verifyEnvelopedPresentation({
-    config, envelopedPresentation: presentation, challenge, domain, checks
+    config, envelopedPresentation: presentation, challenge, domain, checks,
+    options
   });
-  // verify each `verifiableCredential` in the resulting VP
+  // verify each `verifiableCredential` in the resulting VP, unless the VP
+  // format was mDL, which means there will always be one VC (an enveloped mDL)
+  // and it will already have been verified
   let verified = presentationResult.verified;
   let credentialResults;
   if(!verified) {
     credentialResults = [];
+  } else if(
+    presentationResult.format.typeAndSubType === 'application/mdl-vp-token') {
+    let {verifiableCredential} = presentationResult.presentation;
+    if(Array.isArray(verifiableCredential)) {
+      verifiableCredential = verifiableCredential[0];
+    }
+    credentialResults = [{
+      verified: true,
+      credential: verifiableCredential,
+      format: {
+        mediaType: 'application/mdl',
+        typeAndSubType: 'application/mdl',
+        type: 'application',
+        subType: 'mdl',
+        parameters: {}
+      }
+    }];
   } else if(presentationResult.presentation?.proof &&
     presentationResult.format.typeAndSubType === 'application/jwt') {
     // presentation in the envelope has a `proof` and envelope format is JWT,
     // so recurse to check `proof` field
     const proofResult = await verifyPresentation({
       config, presentation: presentationResult.presentation,
-      challenge, domain, checks
+      challenge, domain, checks, options
     });
     verified = !!(verified && proofResult.presentationResult?.verified);
     presentationResult.proofResult = proofResult;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bedrock/vc-verifier",
-  "version": "23.1.0",
+  "version": "23.2.0",
   "type": "module",
   "description": "Bedrock VC Verifier",
   "main": "./lib/index.js",
@@ -25,6 +25,7 @@
   },
   "homepage": "https://github.com/digitalbazaar/bedrock-vc-verifier",
   "dependencies": {
+    "@auth0/mdl": "^3.0.0",
     "@digitalbazaar/bbs-2023-cryptosuite": "^2.0.1",
     "@digitalbazaar/cborld": "^8.0.0",
     "@digitalbazaar/data-integrity": "^2.5.0",

package/schemas/bedrock-vc-verifier.js

@@ -1,5 +1,5 @@
 /*!
- * Copyright (c) 2022-2024 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2022-2025 Digital Bazaar, Inc. All rights reserved.
  */
 import {schemas} from '@bedrock/validation';
 
@@ -182,6 +182,8 @@ export const verifyOptions = {
     required: ['didResolver']
   }, {
     required: ['documentLoader']
+  }, {
+    required: ['mdl']
   }],
   additionalProperties: false,
   properties: {
@@ -207,6 +209,20 @@ export const verifyOptions = {
           type: 'boolean'
         }
       }
+    },
+    mdl: {
+      title: 'mDL Verification Options',
+      type: 'object',
+      required: ['caStores'],
+      additionalProperties: false,
+      properties: {
+        caStores: {
+          title: 'mDL Certificate Authority Store IDs',
+          type: 'array',
+          minItems: 1,
+          items: {type: 'string'}
+        }
+      }
     }
   }
 };
@@ -258,3 +274,47 @@ export function verifyPresentationBody() {
     }
   };
 }
+
+const sequence = {
+  title: 'sequence',
+  type: 'integer',
+  minimum: 0,
+  maximum: Number.MAX_SAFE_INTEGER - 1
+};
+
+const mdlCaStoreBody = {
+  title: 'mDL Certificate Authority Store Record',
+  type: 'object',
+  required: ['id', 'trustedCertificates'],
+  additionalProperties: false,
+  properties: {
+    id: {
+      title: 'CA Store ID',
+      type: 'string',
+      pattern: '^urn:mdl-ca-store:'
+    },
+    trustedCertificates: {
+      type: 'array',
+      items: {type: 'string'}
+    }
+  }
+};
+
+export function createMdlCaStoreBody() {
+  return {
+    ...mdlCaStoreBody,
+    title: 'createMdlCaStoreBody'
+  };
+}
+
+export function updateMdlCaStoreBody() {
+  return {
+    ...mdlCaStoreBody,
+    required: ['id', 'trustedCertificates', 'sequence'],
+    properties: {
+      ...mdlCaStoreBody.properties,
+      sequence
+    },
+    title: 'updateMdlCaStoreBody'
+  };
+}