@sphereon/ssi-sdk.credential-vcdm 0.33.1-feature.jose.vcdm.55

package/src/action-handler.ts

@@ -0,0 +1,209 @@
+import type { IAgentPlugin, IIdentifier, IVerifyResult, VerifiableCredential, VerifiablePresentation } from '@veramo/core'
+import { schema } from '@veramo/core'
+
+import type {
+  ICreateVerifiableCredentialLDArgs,
+  ICreateVerifiablePresentationLDArgs,
+  IVcdmCredentialPlugin,
+  IVcdmCredentialProvider,
+  IVcdmIssuerAgentContext,
+  IVcdmVerifierAgentContext,
+  IVerifyCredentialLDArgs,
+  IVerifyPresentationLDArgs,
+} from './types'
+
+import { isDefined, MANDATORY_CREDENTIAL_CONTEXT, processEntryToArray } from '@veramo/utils'
+import Debug from 'debug'
+import { extractIssuer, isRevoked } from './functions'
+import type { W3CVerifiableCredential, W3CVerifiablePresentation } from '@sphereon/ssi-types'
+import type { VerifiableCredentialSP, VerifiablePresentationSP } from '@sphereon/ssi-sdk.core'
+
+const debug = Debug('sphereon:ssi-sdk:vcdm')
+
+/**
+ * A plugin that implements the {@link @sphereon/ssi-sdk.credential-vcdm#IVcdmCredentialPlugin} methods.
+ *
+ * @public
+ */
+export class VcdmCredentialPlugin implements IAgentPlugin {
+  readonly methods: IVcdmCredentialPlugin
+  readonly schema = {
+    components: {
+      schemas: {
+        ...schema.ICredentialIssuer.components.schemas,
+        ...schema.ICredentialVerifier.components.schemas,
+      },
+      methods: {
+        ...schema.ICredentialIssuer.components.methods,
+        ...schema.ICredentialVerifier.components.methods,
+      },
+    },
+  }
+  private issuers: IVcdmCredentialProvider[]
+
+  constructor(options: { issuers: IVcdmCredentialProvider[] }) {
+    this.issuers = options.issuers
+    this.methods = {
+      listUsableProofFormats: this.listUsableProofFormats.bind(this),
+      createVerifiableCredential: this.createVerifiableCredential.bind(this),
+      verifyCredential: this.verifyCredential.bind(this),
+      createVerifiablePresentation: this.createVerifiablePresentation.bind(this),
+      verifyPresentation: this.verifyPresentation.bind(this),
+    }
+  }
+
+  async listUsableProofFormats(did: IIdentifier, context: IVcdmIssuerAgentContext): Promise<string[]> {
+    const signingOptions: string[] = []
+    const keys = did.keys
+    for (const key of keys) {
+      for (const issuer of this.issuers) {
+        if (issuer.matchKeyForType(key)) {
+          signingOptions.push(issuer.getTypeProofFormat())
+        }
+      }
+    }
+    return signingOptions
+  }
+
+  /** {@inheritdoc @veramo/core#ICredentialIssuer.createVerifiableCredential} */
+  async createVerifiableCredential(args: ICreateVerifiableCredentialLDArgs, context: IVcdmIssuerAgentContext): Promise<VerifiableCredentialSP> {
+    let { credential, proofFormat, /* keyRef, removeOriginalFields,*/ now /*, ...otherOptions */ } = args
+    const credentialContext = processEntryToArray(credential['@context'], MANDATORY_CREDENTIAL_CONTEXT)
+    const credentialType = processEntryToArray(credential.type, 'VerifiableCredential')
+
+    // only add issuanceDate for JWT
+    now = typeof now === 'number' ? new Date(now * 1000) : now
+    if (!Object.getOwnPropertyNames(credential).includes('issuanceDate')) {
+      credential.issuanceDate = (now instanceof Date ? now : new Date()).toISOString()
+    }
+
+    credential = {
+      ...credential,
+      '@context': credentialContext,
+      type: credentialType,
+    }
+
+    //FIXME: if the identifier is not found, the error message should reflect that.
+    const issuer = extractIssuer(credential, { removeParameters: true })
+    if (!issuer || typeof issuer === 'undefined') {
+      throw new Error('invalid_argument: credential.issuer must not be empty')
+    }
+
+    try {
+      await context.agent.didManagerGet({ did: issuer })
+    } catch (e) {
+      throw new Error(`invalid_argument: credential.issuer must be a DID managed by this agent. ${e}`)
+    }
+    try {
+      async function findAndIssueCredential(issuers: IVcdmCredentialProvider[]) {
+        for (const issuer of issuers) {
+          if (issuer.canIssueCredentialType({ proofFormat })) {
+            return await issuer.createVerifiableCredential(args, context)
+          }
+        }
+        throw new Error('invalid_setup: No issuer found for the requested proof format')
+      }
+      const verifiableCredential = await findAndIssueCredential(this.issuers)
+      return verifiableCredential
+    } catch (error) {
+      debug(error)
+      return Promise.reject(error)
+    }
+  }
+
+  /** {@inheritdoc @veramo/core#ICredentialVerifier.verifyCredential} */
+  async verifyCredential(args: IVerifyCredentialLDArgs, context: IVcdmVerifierAgentContext): Promise<IVerifyResult> {
+    let { credential, policies /*, ...otherOptions*/ } = args
+    let verifiedCredential: VerifiableCredential
+    let verificationResult: IVerifyResult | undefined = { verified: false }
+
+    async function findAndVerifyCredential(issuers: IVcdmCredentialProvider[]): Promise<IVerifyResult> {
+      for (const issuer of issuers) {
+        if (issuer.canVerifyDocumentType({ document: credential as W3CVerifiableCredential })) {
+          return issuer.verifyCredential(args, context)
+        }
+      }
+      return Promise.reject(Error('invalid_setup: No issuer found for the provided credential'))
+    }
+    verificationResult = await findAndVerifyCredential(this.issuers)
+    verifiedCredential = <VerifiableCredential>credential
+
+    if (policies?.credentialStatus !== false && (await isRevoked(verifiedCredential, context as any))) {
+      verificationResult = {
+        verified: false,
+        error: {
+          message: 'revoked: The credential was revoked by the issuer',
+          errorCode: 'revoked',
+        },
+      }
+    }
+
+    return verificationResult
+  }
+
+  /** {@inheritdoc @veramo/core#ICredentialIssuer.createVerifiablePresentation} */
+  async createVerifiablePresentation(args: ICreateVerifiablePresentationLDArgs, context: IVcdmIssuerAgentContext): Promise<VerifiablePresentationSP> {
+    let {
+      presentation,
+      proofFormat,
+      /*      domain,
+      challenge,
+      removeOriginalFields,
+      keyRef,*/
+      // save,
+      /*now,*/
+      /*...otherOptions*/
+    } = args
+    const presentationContext: string[] = processEntryToArray(args?.presentation?.['@context'], MANDATORY_CREDENTIAL_CONTEXT)
+    const presentationType = processEntryToArray(args?.presentation?.type, 'VerifiablePresentation')
+    presentation = {
+      ...presentation,
+      '@context': presentationContext,
+      type: presentationType,
+    }
+
+    if (!isDefined(presentation.holder)) {
+      throw new Error('invalid_argument: presentation.holder must not be empty')
+    }
+
+    if (presentation.verifiableCredential) {
+      presentation.verifiableCredential = presentation.verifiableCredential.map((cred) => {
+        // map JWT credentials to their canonical form
+        if (typeof cred !== 'string' && cred.proof.jwt) {
+          return cred.proof.jwt
+        } else {
+          return cred
+        }
+      })
+    }
+
+    let verifiablePresentation: VerifiablePresentation | undefined
+
+    async function findAndCreatePresentation(issuers: IVcdmCredentialProvider[]) {
+      for (const issuer of issuers) {
+        if (issuer.canIssueCredentialType({ proofFormat })) {
+          return await issuer.createVerifiablePresentation(args, context)
+        }
+      }
+      throw new Error('invalid_setup: No issuer found for the requested proof format')
+    }
+
+    verifiablePresentation = await findAndCreatePresentation(this.issuers)
+    return verifiablePresentation as VerifiablePresentationSP // fixme: this is a hack to get around the fact that the return type is not correct.
+  }
+
+  /** {@inheritdoc @veramo/core#ICredentialVerifier.verifyPresentation} */
+  async verifyPresentation(args: IVerifyPresentationLDArgs, context: IVcdmVerifierAgentContext): Promise<IVerifyResult> {
+    let { presentation /*domain, challenge, fetchRemoteContexts, policies, ...otherOptions*/ } = args
+    async function findAndVerifyPresentation(issuers: IVcdmCredentialProvider[]): Promise<IVerifyResult> {
+      for (const issuer of issuers) {
+        if (issuer.canVerifyDocumentType({ document: presentation as W3CVerifiablePresentation })) {
+          return issuer.verifyPresentation(args, context)
+        }
+      }
+      throw new Error('invalid_setup: No verifier found for the provided presentation')
+    }
+    const result = await findAndVerifyPresentation(this.issuers)
+    return result
+  }
+}

package/src/functions.ts

@@ -0,0 +1,96 @@
+import {
+  CredentialPayload,
+  IAgentContext, ICredentialStatusVerifier,
+  IIdentifier,
+  IKey,
+  IssuerType,
+  PresentationPayload,
+  VerifiableCredential,
+  W3CVerifiableCredential,
+  W3CVerifiablePresentation
+} from '@veramo/core'
+import { isDefined } from '@veramo/utils'
+import { decodeJWT } from 'did-jwt'
+
+/**
+ * Decodes a credential or presentation and returns the issuer ID
+ * `iss` from a JWT or `issuer`/`issuer.id` from a VC or `holder` from a VP
+ *
+ * @param input - the credential or presentation whose issuer/holder needs to be extracted.
+ * @param options - options for the extraction
+ *   removeParameters - Remove all DID parameters from the issuer ID
+ *
+ * @beta This API may change without a BREAKING CHANGE notice.
+ */
+export function extractIssuer(
+  input?:
+    | W3CVerifiableCredential
+    | W3CVerifiablePresentation
+    | CredentialPayload
+    | PresentationPayload
+    | null,
+  options: { removeParameters?: boolean } = {}
+): string {
+  if (!isDefined(input)) {
+    return ''
+  } else if (typeof input === 'string') {
+    // JWT
+    try {
+      const { payload } = decodeJWT(input.split(`~`)[0])
+      const iss = payload.iss ?? ''
+      return !!options.removeParameters ? removeDIDParameters(iss) : iss
+    } catch (e: any) {
+      return ''
+    }
+  } else {
+    // JSON
+    let iss: IssuerType
+    if (input.issuer) {
+      iss = input.issuer
+    } else if (input.holder) {
+      iss = input.holder
+    } else {
+      iss = ''
+    }
+    if (typeof iss !== 'string') iss = iss.id ?? ''
+    return !!options.removeParameters ? removeDIDParameters(iss) : iss
+  }
+}
+
+
+/**
+ * Remove all DID parameters from a DID url after the query part (?)
+ *
+ * @param did - the DID URL
+ *
+ * @beta This API may change without a BREAKING CHANGE notice.
+ */
+export function removeDIDParameters(did: string): string {
+  return did.replace(/\?.*$/, '')
+}
+
+
+export function pickSigningKey(identifier: IIdentifier, keyRef?: string): IKey {
+  let key: IKey | undefined
+
+  if (!keyRef) {
+    key = identifier.keys.find((k) => k.type === 'Secp256k1' || k.type === 'Ed25519' || k.type === 'Secp256r1')
+    if (!key) throw Error('key_not_found: No signing key for ' + identifier.did)
+  } else {
+    key = identifier.keys.find((k) => k.kid === keyRef)
+    if (!key) throw Error('key_not_found: No signing key for ' + identifier.did + ' with kid ' + keyRef)
+  }
+
+  return key as IKey
+}
+
+export async function isRevoked(credential: VerifiableCredential, context: IAgentContext<ICredentialStatusVerifier>): Promise<boolean> {
+  if (!credential.credentialStatus) return false
+
+  if (typeof context.agent.checkCredentialStatus === 'function') {
+    const status = await context.agent.checkCredentialStatus({ credential })
+    return status?.revoked == true || status?.verified === false
+  }
+
+  throw new Error(`invalid_setup: The credential status can't be verified because there is no ICredentialStatusVerifier plugin installed.`)
+}

package/src/index.ts

@@ -0,0 +1,25 @@
+/**
+ * Provides a {@link @veramo/credential-w3c#CredentialPlugin | plugin} for the {@link @veramo/core#Agent} that
+ * implements
+ * {@link @veramo/core#ICredentialIssuer} interface.
+ *
+ * Provides a {@link @veramo/credential-w3c#W3cMessageHandler | plugin} for the
+ * {@link @veramo/message-handler#MessageHandler} that verifies Credentials and Presentations in a message.
+ *
+ * @packageDocumentation
+ */
+export type * from './types'
+export { W3cMessageHandler, MessageTypes } from './message-handler'
+import { VcdmCredentialPlugin } from './action-handler'
+
+/**
+ * @deprecated please use {@link VcdmCredentialPlugin} instead
+ * @public
+ */
+const CredentialIssuer = VcdmCredentialPlugin
+export { CredentialIssuer, VcdmCredentialPlugin }
+
+// For backward compatibility, re-export the plugin types that were moved to core in v4
+export type { ICredentialIssuer, ICredentialVerifier } from '@veramo/core'
+
+export * from './functions'

package/src/message-handler.ts

@@ -0,0 +1,167 @@
+import type {
+  IAgentContext,
+  ICredentialVerifier,
+  IResolver,
+  VerifiableCredential,
+  VerifiablePresentation,
+} from '@veramo/core'
+import { AbstractMessageHandler, Message } from '@veramo/message-handler'
+import { asArray, computeEntryHash, decodeCredentialToObject, extractIssuer } from '@veramo/utils'
+
+import {
+  normalizeCredential,
+  normalizePresentation,
+  validateJwtCredentialPayload,
+  validateJwtPresentationPayload,
+}// @ts-ignore
+from 'did-jwt-vc'
+
+import { v4 as uuidv4 } from 'uuid'
+import Debug from 'debug'
+
+const debug = Debug('sphereon:vcdm:message-handler')
+
+/**
+ * These types are used by `@veramo/data-store` when storing Verifiable Credentials and Presentations
+ *
+ * @internal
+ */
+export const MessageTypes = {
+  /** Represents a Verifiable Credential */
+  vc: 'w3c.vc',
+  /** Represents a Verifiable Presentation */
+  vp: 'w3c.vp',
+}
+
+/**
+ * Represents the requirements that this plugin has.
+ * The agent that is using this plugin is expected to provide these methods.
+ *
+ * This interface can be used for static type checks, to make sure your application is properly initialized.
+ */
+export type IContext = IAgentContext<IResolver & ICredentialVerifier>
+
+/**
+ * An implementation of the {@link @veramo/message-handler#AbstractMessageHandler}.
+ *
+ * This plugin can handle incoming W3C Verifiable Credentials and Presentations and prepare them
+ * for internal storage as {@link @veramo/message-handler#Message} types.
+ *
+ * The current version can only handle `JWT` encoded
+ *
+ * @remarks {@link @veramo/core#IDataStore | IDataStore }
+ *
+ * @public
+ */
+export class W3cMessageHandler extends AbstractMessageHandler {
+  async handle(message: Message, context: IContext): Promise<Message> {
+    const meta = message.getLastMetaData()
+
+    // console.log(JSON.stringify(message, null,  2))
+
+    //FIXME: messages should not be expected to be only JWT
+    if (meta?.type === 'JWT' && message.raw) {
+      const { data } = message
+
+      try {
+        validateJwtPresentationPayload(data)
+
+        //FIXME: flagging this for potential privacy leaks
+        debug('JWT is', MessageTypes.vp)
+        const presentation = normalizePresentation(message.raw)
+        const credentials = presentation.verifiableCredential
+
+        message.id = computeEntryHash(message.raw)
+        message.type = MessageTypes.vp
+        message.from = presentation.holder
+        message.to = presentation.verifier?.[0]
+
+        if (presentation.tag) {
+          message.threadId = presentation.tag
+        }
+
+        message.createdAt = presentation.issuanceDate
+        message.presentations = [presentation]
+        message.credentials = credentials
+
+        return message
+      } catch (e) {}
+
+      try {
+        validateJwtCredentialPayload(data)
+        //FIXME: flagging this for potential privacy leaks
+        debug('JWT is', MessageTypes.vc)
+        const credential = normalizeCredential(message.raw)
+
+        message.id = computeEntryHash(message.raw)
+        message.type = MessageTypes.vc
+        message.from = credential.issuer.id
+        message.to = credential.credentialSubject.id
+
+        if (credential.tag) {
+          message.threadId = credential.tag
+        }
+
+        message.createdAt = credential.issuanceDate
+        message.credentials = [credential]
+        return message
+      } catch (e) {}
+    }
+
+    // LDS Verification and Handling
+    if (message.type === MessageTypes.vc && message.data) {
+      // verify credential
+      const credential = message.data as VerifiableCredential
+
+      const result = await context.agent.verifyCredential({ credential })
+      if (result.verified) {
+        message.id = computeEntryHash(message.raw || message.id || uuidv4())
+        message.type = MessageTypes.vc
+        message.from = extractIssuer(credential)
+        message.to = credential.credentialSubject.id
+
+        if (credential.tag) {
+          message.threadId = credential.tag
+        }
+
+        message.createdAt = credential.issuanceDate
+        message.credentials = [credential]
+        return message
+      } else {
+        throw new Error(result.error?.message)
+      }
+    }
+
+    if (message.type === MessageTypes.vp && message.data) {
+      // verify presentation
+      const presentation = message.data as VerifiablePresentation
+
+      // throws on error.
+      const result = await context.agent.verifyPresentation({
+        presentation,
+        // FIXME: HARDCODED CHALLENGE VERIFICATION FOR NOW
+        challenge: 'VERAMO',
+        domain: 'VERAMO',
+      })
+      if (result.verified) {
+        message.id = computeEntryHash(message.raw || message.id || uuidv4())
+        message.type = MessageTypes.vp
+        message.from = presentation.holder
+        // message.to = presentation.verifier?.[0]
+
+        if (presentation.tag) {
+          message.threadId = presentation.tag
+        }
+
+        // message.createdAt = presentation.issuanceDate
+        message.presentations = [presentation]
+        message.credentials = asArray(presentation.verifiableCredential).map(decodeCredentialToObject)
+        return message
+      } else {
+        throw new Error(result.error?.message)
+      }
+    }
+
+    return super.handle(message, context)
+  }
+}