Merge pull request #887 from fqutishat/nq1

chore: add WithStrictValidation for jsonld not jwt
trustbloc · Oct 18, 2022 · f958990 · f958990
2 parents 283a5bc + 7a0c740
commit f958990
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 15 deletions.
diff --git a/pkg/service/verifycredential/verifycredential_service.go b/pkg/service/verifycredential/verifycredential_service.go
@@ -81,7 +81,7 @@ func (s *Service) VerifyCredential(credential *verifiable.Credential, opts *Opti
 			return nil, fmt.Errorf("unexpected error on credential marshal: %w", err)
 		}
 
-		err = s.ValidateCredentialProof(vcBytes, opts.Challenge, opts.Domain, false)
+		err = s.ValidateCredentialProof(vcBytes, opts.Challenge, opts.Domain, false, credential.JWT != "")
 		if err != nil {
 			result = append(result, CredentialsVerificationCheckResult{
 				Check: "proof",
@@ -102,20 +102,29 @@ func (s *Service) VerifyCredential(credential *verifiable.Credential, opts *Opti
 	return result, nil
 }
 
-func (s *Service) parseAndVerifyVCStrictMode(vcBytes []byte) (*verifiable.Credential, error) {
+func (s *Service) parseAndVerifyVC(vcBytes []byte, isJWT bool) (*verifiable.Credential, error) {
+	opts := make([]verifiable.CredentialOpt, 0)
+
+	opts = append(opts, verifiable.WithPublicKeyFetcher(
+		verifiable.NewVDRKeyResolver(s.vdr).PublicKeyFetcher(),
+	),
+		verifiable.WithJSONLDDocumentLoader(s.documentLoader))
+
+	if !isJWT {
+		opts = append(opts, verifiable.WithStrictValidation())
+	}
+
 	cred, err := verifiable.ParseCredential(
 		vcBytes,
-		verifiable.WithPublicKeyFetcher(
-			verifiable.NewVDRKeyResolver(s.vdr).PublicKeyFetcher(),
-		),
-		verifiable.WithStrictValidation(),
-		verifiable.WithJSONLDDocumentLoader(s.documentLoader),
+		opts...,
 	)
 	return cred, err
 }
 
-func (s *Service) ValidateCredentialProof(vcByte []byte, proofChallenge, proofDomain string, vcInVPValidation bool) error { // nolint: lll,gocyclo
-	credential, err := s.parseAndVerifyVCStrictMode(vcByte)
+// ValidateCredentialProof validate credential proof.
+func (s *Service) ValidateCredentialProof(vcByte []byte, proofChallenge, proofDomain string, vcInVPValidation,
+	isJWT bool) error { // nolint: lll,gocyclo
+	credential, err := s.parseAndVerifyVC(vcByte, isJWT)
 	if err != nil {
 		return fmt.Errorf("verifiable credential proof validation error : %w", err)
 	}

diff --git a/pkg/service/verifycredential/verifycredential_service_test.go b/pkg/service/verifycredential/verifycredential_service_test.go
@@ -641,7 +641,8 @@ func TestService_ValidateCredentialProof(t *testing.T) {
 				tt.args.getVcByte(),
 				tt.args.proofChallenge,
 				tt.args.proofDomain,
-				tt.args.vcInVPValidation); (err != nil) != tt.wantErr {
+				tt.args.vcInVPValidation,
+				true); (err != nil) != tt.wantErr {
 				t.Errorf("ValidateCredentialProof() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})

diff --git a/pkg/service/verifypresentation/verifypresentation_service.go b/pkg/service/verifypresentation/verifypresentation_service.go
@@ -23,7 +23,7 @@ import (
 )
 
 type vcVerifier interface {
-	ValidateCredentialProof(vcByte []byte, proofChallenge, proofDomain string, vcInVPValidation bool) error
+	ValidateCredentialProof(vcByte []byte, proofChallenge, proofDomain string, vcInVPValidation, isJWT bool) error
 	ValidateVCStatus(vcStatus *verifiable.TypedID, issuer string) error
 }
 
@@ -178,7 +178,7 @@ func (s *Service) validateCredentialsProof(vp *verifiable.Presentation) error {
 			return err
 		}
 
-		err = s.vcVerifier.ValidateCredentialProof(vcBytes, "", "", true)
+		err = s.vcVerifier.ValidateCredentialProof(vcBytes, "", "", true, vp.JWT != "")
 		if err != nil {
 			return err
 		}

diff --git a/pkg/service/verifypresentation/verifypresentation_service_test.go b/pkg/service/verifypresentation/verifypresentation_service_test.go
@@ -94,6 +94,7 @@ func TestService_VerifyPresentation(t *testing.T) {
 						gomock.Any(),
 						gomock.Any(),
 						gomock.Any(),
+						gomock.Any(),
 						gomock.Any()).Times(1).Return(nil)
 					mockVerifier.EXPECT().ValidateVCStatus(
 						gomock.Any(),
@@ -249,6 +250,7 @@ func TestService_VerifyPresentation(t *testing.T) {
 						gomock.Any(),
 						gomock.Any(),
 						gomock.Any(),
+						gomock.Any(),
 						gomock.Any()).Times(1).Return(errors.New("some error"))
 					mockVerifier.EXPECT().ValidateVCStatus(
 						gomock.Any(),
@@ -654,6 +656,7 @@ func TestService_validateCredentialsProof(t *testing.T) {
 						gomock.Any(),
 						gomock.Any(),
 						gomock.Any(),
+						gomock.Any(),
 						gomock.Any()).Times(1).Return(nil)
 					return mockVerifier
 				},
@@ -677,6 +680,7 @@ func TestService_validateCredentialsProof(t *testing.T) {
 						gomock.Any(),
 						gomock.Any(),
 						gomock.Any(),
+						gomock.Any(),
 						gomock.Any()).Times(1).Return(errors.New("some error"))
 					return mockVerifier
 				},

diff --git a/test/bdd/pkg/v1/oidc4vp/oidc4vp.go b/test/bdd/pkg/v1/oidc4vp/oidc4vp.go
@@ -219,12 +219,12 @@ func (e *Steps) sendAuthorizedResponse() error {
 		Iss:   e.walletDidID,
 	}
 
-	idTokenJWS, err := singToken(idToken, e.walletDidKeyID, e.ariesServices.crypto, e.ariesServices.kms)
+	idTokenJWS, err := signToken(idToken, e.walletDidKeyID, e.ariesServices.crypto, e.ariesServices.kms)
 	if err != nil {
 		return fmt.Errorf("sign id_token: %w", err)
 	}
 
-	vpTokenJWS, err := singToken(vpToken, e.walletDidKeyID, e.ariesServices.crypto, e.ariesServices.kms)
+	vpTokenJWS, err := signToken(vpToken, e.walletDidKeyID, e.ariesServices.crypto, e.ariesServices.kms)
 	if err != nil {
 		return fmt.Errorf("sign vp_token: %w", err)
 	}
@@ -338,7 +338,7 @@ func verifyTokenSignature(rawJwt string, claims interface{}, verifier jose.Signa
 	return nil
 }
 
-func singToken(claims interface{}, didKeyID string, crpt crypto.Crypto,
+func signToken(claims interface{}, didKeyID string, crpt crypto.Crypto,
 	km kms.KeyManager) (string, error) {
 
 	signr, err := signer.NewKMSSigner(km, crpt, didKeyID, "ES384")