@bedrock/vc-verifier 6.0.0

package/lib/documentLoader.js

@@ -0,0 +1,83 @@
+/*!
+ * Copyright (c) 2019-2022 Digital Bazaar, Inc. All rights reserved.
+ */
+import * as bedrock from '@bedrock/core';
+import '@bedrock/credentials-context';
+import '@bedrock/did-context';
+import '@bedrock/did-io';
+import '@bedrock/security-context';
+import '@bedrock/vc-status-list-context';
+import '@bedrock/vc-revocation-list-context';
+import '@bedrock/veres-one-context';
+import {createContextDocumentLoader} from '@bedrock/service-context-store';
+import {didIo} from '@bedrock/did-io';
+import {
+  documentLoader as brDocLoader,
+  httpClientHandler,
+  JsonLdDocumentLoader
+} from '@bedrock/jsonld-document-loader';
+
+const serviceType = 'vc-verifier';
+let webLoader;
+
+bedrock.events.on('bedrock.init', () => {
+  // build web loader if configuration calls for it
+  const cfg = bedrock.config['vc-verifier'];
+  if(cfg.documentLoader.http || cfg.documentLoader.https) {
+    const jdl = new JsonLdDocumentLoader();
+
+    if(cfg.documentLoader.http) {
+      jdl.setProtocolHandler({protocol: 'http', handler: httpClientHandler});
+    }
+    if(cfg.documentLoader.https) {
+      jdl.setProtocolHandler({protocol: 'https', handler: httpClientHandler});
+    }
+
+    webLoader = jdl.build();
+  }
+});
+
+/**
+ * Creates a document loader for the verifier instance identified via the
+ * given config.
+ *
+ * @param {object} options - The options to use.
+ * @param {object} options.config - The verifier instance config.
+ *
+ * @returns {Promise<Function>} The document loader.
+ */
+export async function createDocumentLoader({config} = {}) {
+  const contextDocumentLoader = await createContextDocumentLoader(
+    {config, serviceType});
+
+  return async function documentLoader(url) {
+    // resolve all DID URLs through did-io
+    if(url.startsWith('did:')) {
+      const document = await didIo.get({url});
+      return {
+        contextUrl: null,
+        documentUrl: url,
+        document
+      };
+    }
+
+    try {
+      // try to resolve URL through built-in doc loader
+      return await brDocLoader(url);
+    } catch(e) {
+      // FIXME: improve to check for `NotFoundError` once `e.name`
+      // supports it
+    }
+
+    try {
+      // try to resolve URL through context doc loader
+      return await contextDocumentLoader(url);
+    } catch(e) {
+      // use web loader if configured
+      if(url.startsWith('http') && e.name === 'NotFoundError' && webLoader) {
+        return webLoader(url);
+      }
+      throw e;
+    }
+  };
+}

package/lib/http.js

@@ -0,0 +1,284 @@
+/*!
+ * Copyright (c) 2018-2022 Digital Bazaar, Inc. All rights reserved.
+ */
+import * as bedrock from '@bedrock/core';
+import {createChallenge, verifyChallenge} from './challenges.js';
+import {asyncHandler} from '@bedrock/express';
+import bodyParser from 'body-parser';
+import {checkStatus} from './status.js';
+import cors from 'cors';
+import {
+  createChallengeBody,
+  verifyCredentialBody,
+  verifyPresentationBody
+} from '../schemas/bedrock-vc-verifier.js';
+import {createDocumentLoader} from './documentLoader.js';
+import {createRequire} from 'module';
+import {createValidateMiddleware as validate} from '@bedrock/validation';
+import {metering, middleware} from '@bedrock/service-core';
+const require = createRequire(import.meta.url);
+const {Ed25519Signature2020} =
+  require('@digitalbazaar/ed25519-signature-2020');
+const {Ed25519Signature2018} =
+  require('@digitalbazaar/ed25519-signature-2018');
+const vc = require('@digitalbazaar/vc');
+
+const {util: {BedrockError}} = bedrock;
+
+// FIXME: remove and apply at top-level application
+bedrock.events.on('bedrock-express.configure.bodyParser', app => {
+  app.use(bodyParser.json({limit: '10MB', type: ['json', '+json']}));
+});
+
+export async function addRoutes({app, service} = {}) {
+  const {routePrefix} = service;
+
+  const cfg = bedrock.config['vc-verifier'];
+  const baseUrl = `${routePrefix}/:localId`;
+  const routes = {
+    challenges: `${baseUrl}${cfg.routes.challenges}`,
+    credentialsVerify: `${baseUrl}${cfg.routes.credentialsVerify}`,
+    presentationsVerify: `${baseUrl}${cfg.routes.presentationsVerify}`
+  };
+
+  const {supportedSuites} = cfg;
+  const suite = [];
+  if(supportedSuites.includes('Ed25519Signature2018')) {
+    suite.push(new Ed25519Signature2018());
+  }
+  if(supportedSuites.includes('Ed25519Signature2020')) {
+    suite.push(new Ed25519Signature2020());
+  }
+
+  const getConfigMiddleware = middleware.createGetConfigMiddleware({service});
+
+  /* Note: CORS is used on all endpoints. This is safe because authorization
+  uses HTTP signatures + capabilities or OAuth2, not cookies; CSRF is not
+  possible. */
+
+  // create a challenge
+  app.options(routes.challenges, cors());
+  app.post(
+    routes.challenges,
+    cors(),
+    validate({bodySchema: createChallengeBody}),
+    getConfigMiddleware,
+    // FIXME: add middleware to switch between oauth2 / zcap based on headers
+    middleware.authorizeConfigZcapInvocation(),
+    asyncHandler(async (req, res) => {
+      const {config} = req.serviceObject;
+      const challenge = await createChallenge({verifierId: config.id});
+      res.json({challenge});
+
+      // meter operation usage
+      metering.reportOperationUsage({req});
+    }));
+
+  // verify a credential
+  app.options(routes.credentialsVerify, cors());
+  app.post(
+    routes.credentialsVerify,
+    cors(),
+    validate({bodySchema: verifyCredentialBody}),
+    getConfigMiddleware,
+    // FIXME: add middleware to switch between oauth2 / zcap based on headers
+    middleware.authorizeConfigZcapInvocation(),
+    asyncHandler(async (req, res) => {
+      const {config} = req.serviceObject;
+      const documentLoader = await createDocumentLoader({config});
+
+      let response;
+      try {
+        const {
+          options = {},
+          verifiableCredential: credential,
+        } = req.body;
+
+        const {checks} = options;
+        _validateChecks({checks});
+        const result = await vc.verifyCredential({
+          credential,
+          documentLoader,
+          suite,
+          // only check credential status when option is set
+          checkStatus: checks.includes('credentialStatus') ?
+            checkStatus : () => ({verified: true})
+        });
+        response = _createResponse({credential, result, checks});
+      } catch(e) {
+        response = _createResponse({error: e});
+      }
+
+      if(response.verified) {
+        res.status(200).json(response);
+      } else {
+        res.status(400).json(response).end();
+      }
+
+      // meter operation usage
+      metering.reportOperationUsage({req});
+    }));
+
+  // verify a presentation
+  app.options(routes.presentationsVerify, cors());
+  /**
+   * Verifies a Verifiable Presentation.
+   *
+   * POST /verifiers/z1234/presentations/verify
+   * {
+   *   "verifiablePresentation": {...},
+   *   "options": {
+   *     "challenge": "...",
+   *     "checks": ["proof", "credentialStatus"],
+   *     "domain": "issuer.example.com"
+   *   }
+   * }.
+   */
+  app.post(
+    routes.presentationsVerify,
+    cors(),
+    validate({bodySchema: verifyPresentationBody}),
+    getConfigMiddleware,
+    // FIXME: add middleware to switch between oauth2 / zcap based on headers
+    middleware.authorizeConfigZcapInvocation(),
+    asyncHandler(async (req, res) => {
+      const {config} = req.serviceObject;
+      const documentLoader = await createDocumentLoader({config});
+
+      let response;
+      try {
+        const {
+          verifiablePresentation,
+          options = {}
+        } = req.body;
+
+        const {challenge, checks, domain} = options;
+        if(!challenge) {
+          throw new BedrockError(
+            '"options.challenge" is required.', 'TypeError', {
+              httpStatusCode: 400,
+              public: true
+            });
+        }
+
+        _validateChecks({checks});
+        const unsignedPresentation = !checks.includes('proof');
+
+        // FIXME: allow for `checks` to request whether or not the challenge
+        // should be checked; for now, default to checking it
+
+        // first, check the challenge
+        const {verified, uses: challengeUses, error} = await verifyChallenge(
+          {challenge, verifierId: config.id});
+        if(!verified) {
+          throw error;
+        }
+
+        const verifyOptions = {
+          challenge,
+          presentation: verifiablePresentation,
+          documentLoader,
+          suite,
+          unsignedPresentation,
+          checkStatus
+        };
+        const {proof} = verifiablePresentation;
+        if(proof && proof.domain) {
+          // FIXME: do not set a default
+          verifyOptions.domain = domain || 'issuer.example.com';
+        }
+        const result = await vc.verify(verifyOptions);
+        response = _createResponse({result, challengeUses, checks});
+      } catch(e) {
+        response = _createResponse({error: e});
+      }
+
+      if(response.verified) {
+        res.status(200).json(response);
+      } else {
+        res.status(400).json(response);
+      }
+
+      // meter operation usage
+      metering.reportOperationUsage({req});
+    }));
+}
+
+function _validateChecks({checks}) {
+  if(!Array.isArray(checks)) {
+    throw new BedrockError(
+      '"options.checks" must be an array.', 'TypeError', {
+        httpStatusCode: 400,
+        public: true
+      });
+  }
+}
+
+function _createResponse({credential, result, challengeUses, error, checks}) {
+  result = result || {verified: false, error};
+
+  let response;
+  if(result.verified) {
+    result.checks = checks;
+    response = {...result, challengeUses, checks};
+  } else {
+    // debugging purposes
+    // console.log('RESULT:', JSON.stringify(result, null, 2));
+
+    // get verification method for presentation/credential
+    let verificationMethod;
+    const results = result.results ||
+      (result.presentationResult && result.presentationResult.results);
+    if(results && results.length > 0) {
+      const [{proof}] = results;
+      ({verificationMethod} = proof);
+    }
+
+    if(!result.error) {
+      // try to get error from credential results
+      const firstCredentialResult = (result.presentationResult &&
+        result.credentialResults && result.credentialResults[0]) ||
+        result;
+      if(!firstCredentialResult.error &&
+        firstCredentialResult.statusResult &&
+        !firstCredentialResult.statusResult.verified) {
+        if(firstCredentialResult.statusResult.error) {
+          error = {
+            message: 'The credential status could not be checked.',
+            cause: firstCredentialResult.statusResult.error.message
+          };
+        } else {
+          // FIXME: surface status type information so it can be included here
+          error = {
+            message: 'The credential failed a status check.'
+          };
+        }
+      } else {
+        error = firstCredentialResult.error;
+      }
+      error = error || {message: 'Verification error.'};
+    } else {
+      error = result.error;
+      if(!error.message) {
+        error.message = 'Verification error.';
+      }
+    }
+
+    let message = error.message;
+    if(error.errors && error.errors.length > 0) {
+      message = error.errors[0].message;
+    }
+    response = {
+      ...result,
+      verified: false,
+      error,
+      checks: [{
+        check: checks,
+        id: credential && credential.id,
+        error: message,
+        verificationMethod
+      }]
+    };
+  }
+  return response;
+}

package/lib/index.js

@@ -0,0 +1,55 @@
+/*!
+ * Copyright (c) 2021-2022 Digital Bazaar, Inc. All rights reserved.
+ */
+import * as bedrock from '@bedrock/core';
+import {addRoutes} from './http.js';
+import {
+  addRoutes as addContextStoreRoutes
+} from '@bedrock/service-context-store';
+import {createService} from '@bedrock/service-core';
+import {initializeServiceAgent} from '@bedrock/service-agent';
+
+// load config defaults
+import './config.js';
+
+const serviceType = 'vc-verifier';
+
+bedrock.events.on('bedrock.init', async () => {
+  // create `vc-verifier` service
+  const service = await createService({
+    serviceType,
+    routePrefix: '/verifiers',
+    storageCost: {
+      config: 1,
+      revocation: 1
+    },
+    validation: {
+      // require these zcaps (by reference ID)
+      zcapReferenceIds: [{
+        referenceId: 'edv',
+        required: true
+      }, {
+        referenceId: 'hmac',
+        required: true
+      }, {
+        referenceId: 'keyAgreementKey',
+        required: true
+      }]
+    }
+  });
+
+  bedrock.events.on('bedrock-express.configure.routes', async app => {
+    await addContextStoreRoutes({app, service});
+    await addRoutes({app, service});
+  });
+
+  // initialize vc-verifier service agent early (after database is ready) if
+  // KMS system is externalized; otherwise we must wait until KMS system
+  // is ready
+  const externalKms = !bedrock.config['service-agent'].kms.baseUrl.startsWith(
+    bedrock.config.server.baseUri);
+  const event = externalKms ? 'bedrock-mongodb.ready' : 'bedrock.ready';
+  bedrock.events.on(event, async () => {
+    await initializeServiceAgent({serviceType});
+  });
+});

package/lib/status.js

@@ -0,0 +1,52 @@
+/*!
+ * Copyright (c) 2019-2022 Digital Bazaar, Inc. All rights reserved.
+ */
+import assert from 'assert-plus';
+import {createRequire} from 'module';
+const require = createRequire(import.meta.url);
+const {
+  checkStatus: statusListCheckStatus,
+  statusTypeMatches: statusListStatusTypeMatches
+} = require('@digitalbazaar/vc-status-list');
+const {
+  checkStatus: revocationListCheckStatus,
+  statusTypeMatches: revocationListStatusTypeMatches
+} = require('vc-revocation-list');
+
+const handlerMap = new Map();
+handlerMap.set('RevocationList2020Status', {
+  checkStatus: revocationListCheckStatus,
+  statusTypeMatches: revocationListStatusTypeMatches
+});
+handlerMap.set('RevocationList2021Status', {
+  checkStatus: statusListCheckStatus,
+  statusTypeMatches: statusListStatusTypeMatches
+});
+handlerMap.set('SuspensionList2021Status', {
+  checkStatus: statusListCheckStatus,
+  statusTypeMatches: statusListStatusTypeMatches
+});
+
+export async function checkStatus(options = {}) {
+  assert.object(options, 'options');
+  assert.object(options.credential, 'options.credential');
+
+  try {
+    const {credential} = options;
+    const {credentialStatus} = credential;
+    if(!credentialStatus) {
+      // no status to check
+      return {verified: true};
+    }
+
+    const handlers = handlerMap.get(credentialStatus.type);
+    if(!(handlers && handlers.statusTypeMatches({credential}))) {
+      throw new Error(
+        `Unsupported credentialStatus type "${credentialStatus.type}".`);
+    }
+
+    return await handlers.checkStatus(options);
+  } catch(error) {
+    return {verified: false, error};
+  }
+}

package/package.json

@@ -0,0 +1,62 @@
+{
+  "name": "@bedrock/vc-verifier",
+  "version": "6.0.0",
+  "type": "module",
+  "description": "Bedrock VC Verifier",
+  "main": "./lib/index.js",
+  "scripts": {
+    "lint": "eslint ."
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/digitalbazaar/bedrock-vc-verifier.git"
+  },
+  "author": {
+    "name": "Digital Bazaar, Inc.",
+    "email": "support@digitalbazaar.com",
+    "url": "https://digitalbazaar.com"
+  },
+  "bugs": {
+    "url": "https://github.com/digitalbazaar/bedrock-vc-verifier/issues"
+  },
+  "homepage": "https://github.com/digitalbazaar/bedrock-vc-verifier",
+  "dependencies": {
+    "@digitalbazaar/ed25519-signature-2018": "^2.1.0",
+    "@digitalbazaar/ed25519-signature-2020": "^3.0.0",
+    "@digitalbazaar/vc": "^2.1.0",
+    "@digitalbazaar/vc-status-list": "^2.1.0",
+    "assert-plus": "^1.0.0",
+    "bnid": "^2.1.0",
+    "body-parser": "^1.19.0",
+    "cors": "^2.8.5",
+    "vc-revocation-list": "^3.0.0"
+  },
+  "peerDependencies": {
+    "@bedrock/core": "^5.0.0",
+    "@bedrock/credentials-context": "^2.0.0",
+    "@bedrock/did-context": "^3.0.0",
+    "@bedrock/did-io": "^7.0.0",
+    "@bedrock/express": "^7.0.0",
+    "@bedrock/https-agent": "^3.0.0",
+    "@bedrock/jsonld-document-loader": "^2.0.0",
+    "@bedrock/mongodb": "^9.0.0",
+    "@bedrock/security-context": "^6.0.0",
+    "@bedrock/service-agent": "^3.0.0",
+    "@bedrock/service-context-store": "^4.0.0",
+    "@bedrock/service-core": "^4.0.0",
+    "@bedrock/vc-status-list-context": "^2.0.0",
+    "@bedrock/vc-revocation-list-context": "^2.0.0",
+    "@bedrock/veres-one-context": "^13.0.0",
+    "@bedrock/validation": "^6.0.0"
+  },
+  "devDependencies": {
+    "eslint": "^7.32.0",
+    "eslint-config-digitalbazaar": "^2.8.0",
+    "eslint-plugin-jsdoc": "^28.6.1",
+    "jsdoc": "^3.6.4",
+    "jsdoc-to-markdown": "^7.1.1"
+  },
+  "engines": {
+    "node": ">=14"
+  }
+}

package/schemas/bedrock-vc-verifier.js

@@ -0,0 +1,59 @@
+/*!
+ * Copyright (c) 2022 Digital Bazaar, Inc. All rights reserved.
+ */
+const context = {
+  title: '@context',
+  type: 'array',
+  minItems: 1,
+  items: {
+    type: ['string', 'object']
+  }
+};
+
+export const createChallengeBody = {
+  title: 'Create Challenge Body',
+  type: 'object',
+  additionalProperties: false,
+  // body must be empty
+  properties: {}
+};
+
+export const verifyCredentialBody = {
+  title: 'Verify Credential Body',
+  type: 'object',
+  required: ['verifiableCredential'],
+  additionalProperties: false,
+  properties: {
+    options: {
+      type: 'object'
+    },
+    verifiableCredential: {
+      type: 'object',
+      additionalProperties: true,
+      required: ['@context'],
+      properties: {
+        '@context': context
+      }
+    }
+  }
+};
+
+export const verifyPresentationBody = {
+  title: 'Verify Presentation Body',
+  type: 'object',
+  required: ['verifiablePresentation'],
+  additionalProperties: false,
+  properties: {
+    options: {
+      type: 'object'
+    },
+    verifiablePresentation: {
+      type: 'object',
+      additionalProperties: true,
+      required: ['@context'],
+      properties: {
+        '@context': context
+      }
+    }
+  }
+};

package/test/mocha/.eslintrc.cjs

@@ -0,0 +1,9 @@
+module.exports = {
+  env: {
+    mocha: true
+  },
+  globals: {
+    assertNoError: true,
+    should: true
+  }
+};