Feature/vc20 trust integration #240
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…r W3C spec This commit fixes ECDSA-SD-2023 BASE proof verification for real-world credentials (such as Singapore Academy of Law eApostille) by implementing W3C VC-DI-ECDSA spec Section 3.4.11 createInitialSelection correctly. The Problem: - SAL eApostille credentials failed verification despite W3C test vectors (59/59) passing - Root cause: mandatory hash mismatch between Go and reference implementation (Digital Bazaar di-sd-primitives) The Fix: Per W3C spec Section 3.4.11: 'The selection MUST include all types in the path of any JSON Pointer, including any root document type.' Changes: - sd_helpers.go: Updated selectMandatoryNQuads to track container paths and include root document rdf:type quads when any pointer touches the root - sd_helpers.go: Added helper functions parseJSONPointer, getValueAtPointer, parseEphemeralPublicKey, ellipticMarshalCompressed, applyHMACLabelReplacement - sd_suite.go: Updated verifyBaseProof to use the fixed mandatory selection logic and properly validate BASE proofs Test Results: - All 24 ECDSA tests pass (go test -tags vc20 ./pkg/vc20/crypto/ecdsa/) - SAL eApostille verification now succeeds - W3C test vectors continue to pass (59/59)
ADR-10: Mandatory N-Quad selection must include type quads per W3C spec 3.4.11 ADR-11: Real-world test vectors required beyond W3C conformance tests ADR-12: Support both BASE and DERIVED proof verification ADR-13: Align with Digital Bazaar reference implementation for interop
Add real-world test vectors from Singapore issuers: - Accredify corporate and citizen ID credentials (eddsa-rdfc-2022) - Singapore Academy of Law eApostille credentials (ecdsa-sd-2023) Add integration tests: - singapore_testvectors_test.go: Tests for verifying Singapore credentials using DID resolution against live issuer endpoints - gotrust_testserver_test.go: Tests using go-trust test server for controlled integration testing Update dependencies: - Bump go-trust for test server support - Add transitive dependencies for SAML/XML signing support Fix sd_suite_coverage_test.go: - Improve proof tampering test to modify signature region rather than just the trailing character, ensuring proper tampering detection These test vectors validate the ECDSA-SD-2023 BASE proof verification fix from the previous commit against real-world credentials.
Add verify-sal.mjs - a Node.js script using Digital Bazaar's ecdsa-sd-2023-cryptosuite reference implementation for verifying Singapore credentials. Useful for debugging and comparing behavior against the Go implementation.
Fix RDF credential normalization and serialization for proper Data Integrity proof generation and verification.
This ADR documents the plan for integrating W3C Verifiable Credentials Data Integrity into the issuer and verifier with: - OpenID4VCI compliance for ldp_vc format issuance - OpenID4VP compliance for presentation verification - Feature parity with existing SD-JWT and mDoc formats - DID-based key resolution (did:key, did:web) - DCQL query support for W3C VC format - BitstringStatusList revocation support Includes detailed implementation specification (14a) with: - VC20Handler interface design following existing patterns - DIDKeyResolver implementation - Code examples for all major components - Feature parity matrix - Testing requirements
Add new pkg/trust package providing a protocol-agnostic trust evaluation interface that integrates with go-trust's policy-based routing via action.name. Core components: - trust.go: Core types (TrustEvaluator, KeyResolver, EvaluationRequest, TrustDecision) - gotrust.go: GoTrustEvaluator using go-trust AuthZEN client (build tag: vc20) - local.go: LocalTrustEvaluator for offline x5c certificate chain validation - composite.go: CompositeEvaluator combining multiple evaluators with strategies - helpers.go: JWK/x509/crypto conversion utilities (build tag: vc20) Key features: - GetEffectiveAction() maps Role+CredentialType to action.name for policy routing (e.g., PID+Issuer -> 'pid-provider', Verifier -> 'credential-verifier') - TrustOptions for controlling trust chain inclusion, caching, certificates - X5CCertChain helper for certificate chain operations - CompositeStrategy supports FirstSuccess, AllMustSucceed, Fallback patterns This enables using go-trust's PolicyManager for different credential types with appropriate trust policies (OIDF trust marks, ETSI service types, etc.).
Document the architecture decision for the unified trust management package that provides a common interface for trust evaluation across different credential formats (SD-JWT, mdoc, W3C VC 2.0). Covers the TrustEvaluator interface, integration with go-trust, and composite evaluation strategies.
Add VC20TrustAdapter that wraps the TrustEvaluator interface for use with W3C VC 2.0 Data Integrity credentials. - vc20_adapter.go: Adapter implementation (build tag: vc20) - vc20_adapter_test.go: Unit tests for the adapter - local_resolver_test.go: Tests for local key resolution
Add VC20Handler for processing W3C VC 2.0 Data Integrity credentials in OpenID4VP presentations. - vc20_handler.go: Handler implementation supporting ecdsa-sd-2023 and eddsa-rdfc-2022 cryptographic suites - vc20_handler_test.go: Unit tests - vc20_handler_integration_test.go: Integration tests with full flow The handler implements selective disclosure verification, credential status checking, and trust evaluation via the TrustEvaluator interface.
Add VC20VPBuilder for constructing Verifiable Presentations from W3C VC 2.0 credentials with selective disclosure. - vc20_vp_builder.go: Builder implementation supporting derived proof creation with claim selection - vc20_vp_builder_test.go: Unit tests for the builder Supports ecdsa-sd-2023 derived proofs with selective disclosure of mandatory and optional claims based on DCQL queries.
Add comprehensive tests for DCQL queries with W3C VC 2.0 credentials, covering claim selection, selective disclosure, and credential matching.
Add handlers for issuing W3C VC 2.0 Data Integrity credentials: - internal/issuer/apiv1/handlers_vc20.go: HTTP API handlers - internal/issuer/apiv1/handlers_vc20_test.go: Handler tests - internal/issuer/grpcserver/api_vc20.go: gRPC API implementation - internal/issuer/grpcserver/endpoints_vc20.go: gRPC endpoint registration Supports issuing credentials with ecdsa-sd-2023 selective disclosure proofs for PID and other credential types.
Update ADR-14 and ADR-14a with implementation details and refinements based on the actual VC20Handler implementation.
Update key resolver to support the new trust package: - resolver.go: Add TrustEvaluator integration points - gotrust_testserver_test.go: Update test server for trust evaluation
Extend DCQL processor to handle W3C VC 2.0 Data Integrity credentials alongside existing SD-JWT and mdoc formats.
Update mdoc verifier and SD-JWT verification to prepare for integration with the unified trust package.
Extend OpenID4VCI to support W3C VC 2.0 Data Integrity credentials: - credential.go: Add vc20 format handling - issuer_metadata.go: Add vc20 format metadata - proof_jwt.go: Support proof creation for vc20
Add configuration fields for W3C VC 2.0 credential issuance, including cryptographic suite selection and proof options.
Add routing for VC20 credential issuance in the API gateway handlers.
Add protobuf definitions and generated code for VC20 credential issuance gRPC service.
- ADR-14: Mark Phase 3.4 (unified trust package) complete, update effort - ADR-14a: Update feature parity matrix - all features now complete except BitstringStatusList (planned) - ADR-15: Change status from 'Accepted' to 'Implemented' - GO_TRUST_INTEGRATION_PLAN: Mark as implemented with summary All phases through 4.1 are now complete. Only Phase 5.1 (BitstringStatusList) remains planned for future work.
Update SD-JWT and mDoc verifiers to pass credential context to TrustEvaluator for policy-based trust decisions: SD-JWT verifier: - Add CredentialType field to VerificationOptions - Extract vct claim as credential type if not explicitly set - Pass CredentialType in trust evaluation request - Use RoleCredentialIssuer instead of generic RoleIssuer mDoc verifier: - Pass DocType to certificate chain verification - Include DocType in trust evaluation request - Use RoleCredentialIssuer for clarity Trust package: - Update GetEffectiveAction() to handle DocType - Add mDL-specific policy routing (mdl-issuer, mdl-verifier) - Handle RoleCredentialIssuer in addition to RoleIssuer - Add test cases for DocType-based routing This enables go-trust to apply different policies based on the credential type (e.g., PID, mDL) for fine-grained trust control.
Implements trust decision caching using ttlcache (per ADR-04): - TrustCache: wraps ttlcache for trust decisions - CachedDecision: stores decision with metadata (cached time) - CachingTrustEvaluator: decorator that adds caching to any TrustEvaluator - buildCacheKey: deterministic key from SubjectID, KeyType, Action, DocType - computeKeyFingerprint: SHA256 hash of key material (cert.Raw or JWK JSON) Cache behavior: - Only caches positive (Trusted=true) decisions - Honors Options.BypassCache to skip cache - Default TTL: 5 minutes, Max TTL: 1 hour - Cache key includes key fingerprint to distinguish different keys for same subject Tests cover: basic operations, key type distinction, role distinction, certificate fingerprints, JWK fingerprints, bypass cache, negative result handling
Refactor vc/pkg/trust to use github.com/sirosfoundation/go-trust/pkg/trustapi for shared type definitions. This provides type compatibility across the ecosystem (vc, go-wallet-backend) while keeping vc-specific logic local. Changes: - Import trustapi and use type aliases for TrustDecision, KeyType, Role, etc. - EvaluationRequest now embeds trustapi.EvaluationRequest - Keep GetEffectiveAction() as vc-specific policy routing logic - Add NewEvaluationRequest() convenience constructor - Update tests to use embedded struct syntax Benefits: - Type compatibility with go-wallet-backend and other consumers - Shared interface definition (TrustEvaluator, KeyResolver) - Common vocabulary for trust evaluation across the ecosystem
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
denna beror på #239 och innehåller integration av W3c 2.0 i issuern och verifiern. Den innehåller också en full integration av go-trust. Samtidigt har go-trust fått en del ansiktslyftning så att man tex kan styra val av backend via action.name