@bedrock/vc-verifier 8.0.0 → 11.0.0

package/CHANGELOG.md

@@ -1,5 +1,30 @@
 # bedrock-vc-verifier ChangeLog
 
+## 11.0.0 - 2022-06-05
+
+### Changed
+- **BREAKING** Use `@digitalbazaar/vc-status-list` v4.0.  If `statusPurpose`
+  in credential does not match the `statusPurpose` of status list credential,
+  an error will be thrown.
+
+## 10.0.0 - 2022-05-17
+
+### Changed
+- **BREAKING**: Use `@bedrock-service-context-store@7` to cause migration of
+  old EDV context documents to the new EDV attribute version.
+
+## 9.0.0 - 2022-05-05
+
+### Changed
+- **BREAKING**: Update peer deps:
+  - `@bedrock/service-agent@5`
+  - `@bedrock/service-context-store@6`.
+- **BREAKING**: The updated peer dependencies use a new EDV client with a
+  new blind attribute version. This version is incompatible with previous
+  versions and a manual migration must be performed to update all
+  EDV documents to use the new blind attribute version -- or a new
+  deployment is required.
+
 ## 8.0.0 - 2022-04-29
 
 ### Changed

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bedrock/vc-verifier",
-  "version": "8.0.0",
+  "version": "11.0.0",
   "type": "module",
   "description": "Bedrock VC Verifier",
   "main": "./lib/index.js",
@@ -24,7 +24,7 @@
     "@digitalbazaar/ed25519-signature-2018": "^2.1.0",
     "@digitalbazaar/ed25519-signature-2020": "^3.0.0",
     "@digitalbazaar/vc": "^2.1.0",
-    "@digitalbazaar/vc-status-list": "^3.0.0",
+    "@digitalbazaar/vc-status-list": "^4.0.0",
     "assert-plus": "^1.0.0",
     "bnid": "^2.1.0",
     "body-parser": "^1.19.0",
@@ -41,8 +41,8 @@
     "@bedrock/jsonld-document-loader": "^3.0.0",
     "@bedrock/mongodb": "^10.0.0",
     "@bedrock/security-context": "^7.0.0",
-    "@bedrock/service-agent": "^4.0.0",
-    "@bedrock/service-context-store": "^5.0.0",
+    "@bedrock/service-agent": "^5.0.0",
+    "@bedrock/service-context-store": "^7.0.0",
     "@bedrock/service-core": "^5.0.0",
     "@bedrock/vc-status-list-context": "^4.0.0",
     "@bedrock/vc-revocation-list-context": "^3.0.0",

package/test/mocha/30-credential-status.js

@@ -39,8 +39,11 @@ const encodedList100KWith50KthRevoked =
 const key = fs.readFileSync(__dirname + '/key.pem');
 const cert = fs.readFileSync(__dirname + '/cert.pem');
 
-let slCredential;
-let unsignedCredentialSl2021Type;
+let slCredentialRevocation;
+let unsignedCredentialSl2021TypeRevocation;
+let slCredentialSuspension;
+let unsignedCredentialSl2021TypeSuspension;
+let unsignedCredentialSl2021WithUnmatchingStatusPurpose;
 let revokedSlCredential;
 let revokedUnsignedCredential;
 let rlCredential;
@@ -71,8 +74,8 @@ function _startServer({app}) {
       testServerBaseUrl = BASE_URL;
       console.log(`Test server listening at ${BASE_URL}`);
 
-      // Status List 2021 Credential
-      slCredential = {
+      // Status List 2021 Credential with statusPurpose `revocation`
+      slCredentialRevocation = {
         '@context': [
           'https://www.w3.org/2018/credentials/v1',
           VC_SL_CONTEXT_URL
@@ -84,12 +87,14 @@ function _startServer({app}) {
         credentialSubject: {
           id: `${BASE_URL}/status/748a7d8e-9111-11ec-a934-10bf48838a41#list`,
           type: 'StatusList2021',
+          statusPurpose: 'revocation',
           encodedList: encodedList100k
         }
       };
 
-      // Unsigned 2021 Credential
-      unsignedCredentialSl2021Type = {
+      // Unsigned 2021 Credential with "credentialStatus.statusPurpose"
+      // `revocation`
+      unsignedCredentialSl2021TypeRevocation = {
         '@context': [
           'https://www.w3.org/2018/credentials/v1',
           VC_SL_CONTEXT_URL,
@@ -106,13 +111,82 @@ function _startServer({app}) {
           type: 'StatusList2021Entry',
           statusPurpose: 'revocation',
           statusListIndex: '67342',
-          statusListCredential: slCredential.id
+          statusListCredential: slCredentialRevocation.id
         },
-        issuer: slCredential.issuer,
+        issuer: slCredentialRevocation.issuer,
+      };
+
+      // Status List 2021 Credential with statusPurpose `suspension`
+      slCredentialSuspension = {
+        '@context': [
+          'https://www.w3.org/2018/credentials/v1',
+          VC_SL_CONTEXT_URL
+        ],
+        id: `${BASE_URL}/status/5d3e7a97-1121-11ec-9b38-10bf48838a41`,
+        issuer: 'did:key:z6Mktpn6cXks1PBKLMgZH2VaahvCtBMF6K8eCa7HzrnuYLZv',
+        issuanceDate: '2022-01-10T04:24:12.164Z',
+        type: ['VerifiableCredential', 'StatusList2021Credential'],
+        credentialSubject: {
+          id: `${BASE_URL}/status/5d3e7a97-1121-11ec-9b38-10bf48838a41#list`,
+          type: 'StatusList2021',
+          statusPurpose: 'suspension',
+          encodedList: encodedList100k
+        }
+      };
+
+      // Unsigned 2021 Credential with "credentialStatus.statusPurpose"
+      // `suspension`
+      unsignedCredentialSl2021TypeSuspension = {
+        '@context': [
+          'https://www.w3.org/2018/credentials/v1',
+          VC_SL_CONTEXT_URL,
+          'https://w3id.org/security/suites/ed25519-2020/v1'
+        ],
+        id: 'urn:uuid:a0418a78-7924-11ea-8a23-10bf48838a41',
+        type: ['VerifiableCredential', 'example:TestCredential'],
+        credentialSubject: {
+          id: 'urn:uuid:4886029a-7925-11ea-9274-10bf48838a41',
+          'example:test': 'foo'
+        },
+        credentialStatus: {
+          id: `${BASE_URL}/status/5d3e7a97-1121-11ec-9b38-10bf48838a41#67342`,
+          type: 'StatusList2021Entry',
+          statusPurpose: 'suspension',
+          statusListIndex: '67342',
+          statusListCredential: slCredentialSuspension.id
+        },
+        issuer: slCredentialSuspension.issuer,
+      };
+
+      // Unsigned 2021 Credential with unmatching status purpose
+      unsignedCredentialSl2021WithUnmatchingStatusPurpose = {
+        '@context': [
+          'https://www.w3.org/2018/credentials/v1',
+          VC_SL_CONTEXT_URL,
+          'https://w3id.org/security/suites/ed25519-2020/v1'
+        ],
+        id: 'urn:uuid:a0418a78-7924-11ea-8a23-10bf48838a41',
+        type: ['VerifiableCredential', 'example:TestCredential'],
+        credentialSubject: {
+          id: 'urn:uuid:4886029a-7925-11ea-9274-10bf48838a41',
+          'example:test': 'foo'
+        },
+        credentialStatus: {
+          id: `${BASE_URL}/status/748a7d8e-9111-11ec-a934-10bf48838a41#67342`,
+          type: 'StatusList2021Entry',
+          // intentionally set status purpose that does not match status purpose
+          // of sl credential that it fetches.
+          statusPurpose: 'suspension',
+          statusListIndex: '67342',
+          // intentionally point `statusListCredential` to a sl credential
+          // with status purpose `revocation`.
+          statusListCredential: slCredentialRevocation.id
+        },
+        issuer: slCredentialRevocation.issuer,
       };
 
       // Revoked Status List 2021 Credential
-      revokedSlCredential = klona(slCredential);
+      revokedSlCredential = klona(slCredentialRevocation);
 
       revokedSlCredential.id =
         `${BASE_URL}/status/8ec30054-9111-11ec-9ab5-10bf48838a41`,
@@ -122,7 +196,7 @@ function _startServer({app}) {
         `${BASE_URL}/status/8ec30054-9111-11ec-9ab5-10bf48838a41#list`;
 
       // Revoked Unsigned 2021 Credential
-      revokedUnsignedCredential = klona(unsignedCredentialSl2021Type);
+      revokedUnsignedCredential = klona(unsignedCredentialSl2021TypeRevocation);
       revokedUnsignedCredential.credentialStatus.id =
         `${revokedSlCredential.id}#50000`;
       revokedUnsignedCredential.credentialStatus.statusListIndex = 50000;
@@ -202,7 +276,13 @@ app.get('/status/748a7d8e-9111-11ec-a934-10bf48838a41',
   // eslint-disable-next-line no-unused-vars
   (req, res, next) => {
     // responds with a valid status list 2021 type credential
-    res.json(slCredential);
+    res.json(slCredentialRevocation);
+  });
+app.get('/status/5d3e7a97-1121-11ec-9b38-10bf48838a41',
+  // eslint-disable-next-line no-unused-vars
+  (req, res, next) => {
+    // responds with a valid status list 2021 type credential
+    res.json(slCredentialSuspension);
   });
 app.get('/status/8ec30054-9111-11ec-9ab5-10bf48838a41',
   // eslint-disable-next-line no-unused-vars
@@ -301,14 +381,60 @@ describe('verify credential status', () => {
     verifierId = verifierConfig.id;
     rootZcap = `urn:zcap:root:${encodeURIComponent(verifierId)}`;
   });
-  it('should verify "StatusList2021Credential" type', async () => {
-    slCredential = await vc.issue({
-      credential: slCredential,
+  it('should verify "StatusList2021Credential" type with "statusPurpose" ' +
+    'revocation', async () => {
+    slCredentialRevocation = await vc.issue({
+      credential: slCredentialRevocation,
+      documentLoader: _documentLoader,
+      suite
+    });
+    const verifiableCredential = await vc.issue({
+      credential: unsignedCredentialSl2021TypeRevocation,
+      documentLoader: _documentLoader,
+      suite
+    });
+    let error;
+    let result;
+    try {
+      const zcapClient = helpers.createZcapClient({capabilityAgent});
+      result = await zcapClient.write({
+        url: `${verifierId}/credentials/verify`,
+        capability: rootZcap,
+        json: {
+          options: {
+            checks: ['proof', 'credentialStatus'],
+          },
+          verifiableCredential
+        }
+      });
+    } catch(e) {
+      error = e;
+    }
+    assertNoError(error);
+    should.exist(result.data.verified);
+    result.data.verified.should.be.a('boolean');
+    result.data.verified.should.equal(true);
+    const {checks} = result.data;
+    checks.should.be.an('array');
+    checks.should.have.length(2);
+    checks.should.be.an('array');
+    checks.should.eql(['proof', 'credentialStatus']);
+    should.exist(result.data.results);
+    result.data.results.should.be.an('array');
+    result.data.results.should.have.length(1);
+    const [r] = result.data.results;
+    r.verified.should.be.a('boolean');
+    r.verified.should.equal(true);
+  });
+  it('should verify "StatusList2021Credential" type with "statusPurpose" ' +
+    'suspension', async () => {
+    slCredentialSuspension = await vc.issue({
+      credential: slCredentialSuspension,
       documentLoader: _documentLoader,
       suite
     });
     const verifiableCredential = await vc.issue({
-      credential: unsignedCredentialSl2021Type,
+      credential: unsignedCredentialSl2021TypeSuspension,
       documentLoader: _documentLoader,
       suite
     });
@@ -345,6 +471,43 @@ describe('verify credential status', () => {
     r.verified.should.be.a('boolean');
     r.verified.should.equal(true);
   });
+  it('should throw error if "statusPurpose" of the slCredential does not ' +
+    'match the "statusPurpose" of the credentialStatus', async () => {
+    slCredentialRevocation = await vc.issue({
+      credential: slCredentialRevocation,
+      documentLoader: _documentLoader,
+      suite
+    });
+    const verifiableCredential = await vc.issue({
+      credential: unsignedCredentialSl2021WithUnmatchingStatusPurpose,
+      documentLoader: _documentLoader,
+      suite
+    });
+    let error;
+    let result;
+    try {
+      const zcapClient = helpers.createZcapClient({capabilityAgent});
+      result = await zcapClient.write({
+        url: `${verifierId}/credentials/verify`,
+        capability: rootZcap,
+        json: {
+          options: {
+            checks: ['proof', 'credentialStatus'],
+          },
+          verifiableCredential
+        }
+      });
+    } catch(e) {
+      error = e;
+    }
+    should.exist(error);
+    should.not.exist(result);
+    error.data.verified.should.equal(false);
+    const {error: {cause: errorCause}} = error.data;
+    errorCause.should.equal(
+      'The status purpose "revocation" of the status list credential ' +
+      'does not match the status purpose "suspension" in the credential.');
+  });
   it('should fail to verify a revoked "StatusList2021Credential" type',
     async () => {
       revokedSlCredential = await vc.issue({

package/test/mocha/helpers.js

@@ -7,16 +7,18 @@ import {createRequire} from 'module';
 import {didIo} from '@bedrock/did-io';
 import {getAppIdentity} from '@bedrock/app-identity';
 import {mockData} from './mock.data.js';
+import {httpClient} from '@digitalbazaar/http-client';
 const require = createRequire(import.meta.url);
 const {Ed25519Signature2020} = require('@digitalbazaar/ed25519-signature-2020');
 const {EdvClient} = require('@digitalbazaar/edv-client');
-const {httpClient} = require('@digitalbazaar/http-client');
 const {KeystoreAgent, KmsClient} = require('@digitalbazaar/webkms-client');
 const {ZcapClient} = require('@digitalbazaar/ezcap');
 
 const edvBaseUrl = `${mockData.baseUrl}/edvs`;
 const kmsBaseUrl = `${mockData.baseUrl}/kms`;
 
+const FIVE_MINUTES = 1000 * 60 * 5;
+
 export async function createMeter({capabilityAgent, serviceType} = {}) {
   // create signer using the application's capability invocation key
   const {keys: {capabilityInvocationKey}} = getAppIdentity();
@@ -204,7 +206,7 @@ export async function delegate({
 }) {
   const zcapClient = createZcapClient({capabilityAgent: delegator});
   expires = expires || (capability && capability.expires) ||
-    new Date(Date.now() + 5000).toISOString().slice(0, -5) + 'Z';
+    new Date(Date.now() + FIVE_MINUTES).toISOString().slice(0, -5) + 'Z';
   return zcapClient.delegate({
     capability, controller, expires, invocationTarget, allowedActions
   });

package/test/package.json

@@ -35,8 +35,8 @@
     "@bedrock/package-manager": "^3.0.0",
     "@bedrock/security-context": "^7.0.0",
     "@bedrock/server": "^5.0.0",
-    "@bedrock/service-agent": "^4.0.0",
-    "@bedrock/service-context-store": "^5.0.0",
+    "@bedrock/service-agent": "^5.0.0",
+    "@bedrock/service-context-store": "^7.0.0",
     "@bedrock/service-core": "5.0.0",
     "@bedrock/ssm-mongodb": "^9.0.0",
     "@bedrock/test": "^8.0.0",
@@ -49,7 +49,7 @@
     "@digitalbazaar/did-method-key": "^2.0.0",
     "@digitalbazaar/ed25519-signature-2020": "^3.0.0",
     "@digitalbazaar/ed25519-verification-key-2020": "^3.2.0",
-    "@digitalbazaar/edv-client": "^13.0.0",
+    "@digitalbazaar/edv-client": "^14.0.0",
     "@digitalbazaar/ezcap": "^2.0.2",
     "@digitalbazaar/http-client": "^3.0.1",
     "@digitalbazaar/vc": "^2.1.0",