verifier



Constants

// Identifiers and tuning values shared across the verifier package. The
// exported names are part of the package API and are kept unchanged, including
// the ALL_CAPS spelling of CACHE_EXPIRY and WILDCARD_TIL.
const (
	// CACHE_EXPIRY is the expiry value applied to the verifier's caches. The
	// unit is not visible here (presumably seconds — confirm at the call site).
	CACHE_EXPIRY = 60

	// DidElsiPrefix is the method prefix of did:elsi identifiers, the DID
	// method handled by ElsiProofChecker.
	DidElsiPrefix = "did:elsi:"
	// DidPartsSeparator separates the parts of a DID string.
	DidPartsSeparator = ":"

	// Ed25519VerificationKey2018 and RsaVerificationKey2018 name the two
	// verification-method types referred to by this package.
	Ed25519VerificationKey2018 = "Ed25519VerificationKey2018"
	RsaVerificationKey2018     = "RsaVerificationKey2018"

	// WILDCARD_TIL is the wildcard entry accepted in a TIL (trusted issuers
	// list) configuration; see ErrorInvalidTil. A wildcard matches every
	// issuer, so it should only be configured deliberately.
	WILDCARD_TIL = "*"
)

Variables

// Sentinel errors returned by the verifier. The messages are snake_case codes
// rather than prose, so callers can compare them with errors.Is or surface the
// code directly. Every message is reproduced exactly as before, including the
// historical misspellings in "isser_validation_failed" and
// "not_a_valid_verfication_method", because clients may already match on them.
var (
	// Configuration problems, reported while setting up the verifier.
	ErrorNoDID                     = errors.New("no_did_configured")
	ErrorNoTIR                     = errors.New("no_tir_configured")
	ErrorNoValidationEndpoint      = errors.New("no_validation_endpoint_configured")
	ErrorNoValidationHost          = errors.New("no_validation_host_configured")
	ErrorInvalidTil                = errors.New("invalid_til_configured")
	ErrorUnsupportedValidationMode = errors.New("unsupported_validation_mode")
	ErrorVerficationContextSetup   = errors.New("no_valid_verification_context")
	ErrorCannotConverContext       = errors.New("cannot_convert_context")

	// Problems with a presented token, its header or the key material it refers to.
	ErrorTokenUnparsable            = errors.New("unable_to_parse_token")
	ErrorCertHeaderEmpty            = errors.New("cert_header_is_empty")
	ErrorNoCertInHeader             = errors.New("no_certificate_found_in_jwt_header")
	ErrorPemDecodeFailed            = errors.New("failed_to_decode_pem_from_header")
	ErrorNoKID                      = errors.New("no_kid_provided")
	ErrorNoVerificationKey          = errors.New("no_verification_key")
	ErrorNotAValidVerficationMethod = errors.New("not_a_valid_verfication_method")
	ErrorUnsupportedKeyAlgorithm    = errors.New("unsupported_key_algorithm")
	ErrorUnresolvableDid            = errors.New("unresolvable_did")
	ErrorInvalidJAdESSignature      = errors.New("invalid_jades_signature")

	// Credential content and trust validation failures.
	ErrorInvalidVC                     = errors.New("invalid_vc")
	ErrorIssuerValidationFailed        = errors.New("isser_validation_failed")
	ErrorRequiredCredentialNotProvided = errors.New("required_credential_not_provided")

	// Authorization-flow failures (code exchange and session handling).
	ErrorNoSuchCode          = errors.New("no_such_code")
	ErrorNoSuchSession       = errors.New("no_such_session")
	ErrorRedirectUriMismatch = errors.New("redirect_uri_does_not_match")
	ErrorWrongGrantType      = errors.New("wrong_grant_type")

	// SupportedModes lists the accepted validation modes; any other configured
	// value is expected to end in ErrorUnsupportedValidationMode.
	SupportedModes = []string{"none", "combined", "jsonLd", "baseContext"}
)

Functions

func InitPresentationParser

func InitPresentationParser(config *configModel.Configuration, healthCheck *health.Health) error

Initializes the presentation parser according to the configuration, either with or without did:elsi support.

func InitVerifier

func InitVerifier(config *configModel.Configuration) (err error)

Initializes the verifier and all its components from the configuration.

func NewCachingDocumentLoader

func NewCachingDocumentLoader(defaultLoader ld.DocumentLoader) ld.DocumentLoader

Types

type CachingDocumentLoader

// CachingDocumentLoader is an ld.DocumentLoader (see LoadDocument) that is
// created by NewCachingDocumentLoader around a default loader.
// NOTE(review): the name suggests loaded documents are cached — confirm the
// cache policy (keying, expiry) in LoadDocument, since JSON-LD context loading
// is the network-facing step of linked-data signature verification.
type CachingDocumentLoader struct {
	// contains filtered or unexported fields
}

func (CachingDocumentLoader) LoadDocument

func (cdl CachingDocumentLoader) LoadDocument(u string) (document *ld.RemoteDocument, err error)

type ConfigurablePresentationParser

// ConfigurablePresentationParser implements PresentationParser.
// NOTE(review): PresentationOpts is exported and mutable; if these options
// select the proof checkers applied in ParsePresentation (not visible here),
// confirm that only InitPresentationParser writes them.
type ConfigurablePresentationParser struct {
	// PresentationOpts are the parsing options applied by ParsePresentation.
	PresentationOpts []verifiable.PresentationOpt
}

func (*ConfigurablePresentationParser) ParsePresentation

func (cpp *ConfigurablePresentationParser) ParsePresentation(tokenBytes []byte) (*verifiable.Presentation, error)

type CredentialVerifier

// CredentialVerifier is the implementation of the Verifier interface, using
// TrustBloc and the Gaia-X compliance issuers registry as validation backends.
// Instances are obtained through GetVerifier after InitVerifier has run.
type CredentialVerifier struct {
	// contains filtered or unexported fields
}

Implementation of the verifier, using TrustBloc and the Gaia-X compliance issuers registry as validation backends.

func (*CredentialVerifier) AuthenticationResponse

func (v *CredentialVerifier) AuthenticationResponse(state string, verifiablePresentation *verifiable.Presentation) (sameDevice SameDeviceResponse, err error)

Receives credentials and verifies them in the context of an already existing login session. Returns an error on failure; on success it returns a same-device response to be used for redirection, or notifies the original initiator in the case of a cross-device flow.

func (*CredentialVerifier) GenerateToken

func (v *CredentialVerifier) GenerateToken(clientId, subject, audience string, scopes []string, verifiablePresentation *verifiable.Presentation) (int64, string, error)

func (*CredentialVerifier) GetJWKS

func (v *CredentialVerifier) GetJWKS() jwk.Set

Returns the JWKS used by the verifier, so that the JWTs it issues can be verified.

func (*CredentialVerifier) GetOpenIDConfiguration

func (v *CredentialVerifier) GetOpenIDConfiguration(serviceIdentifier string) (metadata common.OpenIDProviderMetadata, err error)

func (*CredentialVerifier) GetToken

func (v *CredentialVerifier) GetToken(authorizationCode string, redirectUri string) (jwtString string, expiration int64, err error)

Returns an already generated JWT from the cache to properly authorized requests. Every token is returned only once.

func (*CredentialVerifier) ReturnLoginQR

func (v *CredentialVerifier) ReturnLoginQR(host string, protocol string, callback string, sessionId string, clientId string) (qr string, err error)

Initializes the cross-device login flow and returns all necessary information as a QR code.

func (*CredentialVerifier) StartSameDeviceFlow

func (v *CredentialVerifier) StartSameDeviceFlow(host string, protocol string, sessionId string, redirectPath string, clientId string) (authenticationRequest string, err error)

Starts a same-device SIOP flow and returns the required redirection information.

func (*CredentialVerifier) StartSiopFlow

func (v *CredentialVerifier) StartSiopFlow(host string, protocol string, callback string, sessionId string, clientId string) (connectionString string, err error)

Starts a SIOP flow and returns the required connection information.

type CredentialsConfig

// CredentialsConfig provides information about the credential types associated
// with services and their trust anchors. It is the source of truth for which
// credentials a service requires and which registries may vouch for them.
type CredentialsConfig interface {
	// GetScope returns the list of credential types to be requested via the scope parameter.
	GetScope(serviceIdentifier string) (credentialTypes []string, err error)
	// GetTrustedParticipantLists returns the (EBSI TrustedIssuersRegistry compliant) endpoints for the
	// given service/credential combination, used to check that a credential was issued by a trusted participant.
	GetTrustedParticipantLists(serviceIdentifier string, scope string, credentialType string) (trustedIssuersRegistryUrl []string, err error)
	// GetTrustedIssuersLists returns the (EBSI TrustedIssuersRegistry compliant) endpoints for the given
	// service/credential combination, used to check that credentials are issued by trusted issuers
	// and that the issuer has permission to issue such claims.
	GetTrustedIssuersLists(serviceIdentifier string, scope string, credentialType string) (trustedIssuersRegistryUrl []string, err error)
	// RequiredCredentialTypes returns the credential types that are required for the given service and scope.
	RequiredCredentialTypes(serviceIdentifier string, scope string) (credentialTypes []string, err error)
	// GetHolderVerification reports whether holder verification is enabled for the given
	// service/scope/credential combination and, if so, which claim identifies the holder.
	GetHolderVerification(serviceIdentifier string, scope string, credentialType string) (isEnabled bool, holderClaim string, err error)
}

Provides information about the credential types associated with services and their trust anchors.

func InitServiceBackedCredentialsConfig

func InitServiceBackedCredentialsConfig(repoConfig *config.ConfigRepo) (credentialsConfig CredentialsConfig, err error)

type ElsiProofChecker

// ElsiProofChecker is a proof-checker implementation supporting the did:elsi
// method (https://alastria.github.io/did-method-elsi/); see CheckJWTProof and
// CheckLDProof. Note that CheckJWTProof uses a value receiver while
// CheckLDProof uses a pointer receiver, so only *ElsiProofChecker satisfies
// an interface that requires both.
type ElsiProofChecker struct {
	// contains filtered or unexported fields
}

ProofChecker implementation supporting the did:elsi method (see https://alastria.github.io/did-method-elsi/).

func (ElsiProofChecker) CheckJWTProof

func (epc ElsiProofChecker) CheckJWTProof(headers jose.Headers, expectedProofIssuer string, msg, signature []byte) error

func (*ElsiProofChecker) CheckLDProof

func (epc *ElsiProofChecker) CheckLDProof(proof *proof.Proof, expectedProofIssuer string, msg, signature []byte) error

func (ElsiProofChecker) GetLDPCanonicalDocument

func (epc ElsiProofChecker) GetLDPCanonicalDocument(proof *proof.Proof, doc map[string]interface{}, opts ...processor.Opts) ([]byte, error)

func (ElsiProofChecker) GetLDPDigest

func (epc ElsiProofChecker) GetLDPDigest(proof *proof.Proof, doc []byte) ([]byte, error)

type GaiaXRegistryValidationService

// GaiaXRegistryValidationService is a ValidationService (see ValidateVC) built
// from the verifier configuration by InitGaiaXRegistryValidationService.
// NOTE(review): the validation presumably calls out to the Gaia-X registry —
// confirm how network errors map onto the (result, err) pair, so an unreachable
// registry is never reported as a positive result.
type GaiaXRegistryValidationService struct {
	// contains filtered or unexported fields
}

func InitGaiaXRegistryValidationService

func InitGaiaXRegistryValidationService(verifierConfig *configModel.Verifier) GaiaXRegistryValidationService

func (*GaiaXRegistryValidationService) ValidateVC

func (v *GaiaXRegistryValidationService) ValidateVC(verifiableCredential *verifiable.Credential, validationContext ValidationContext) (result bool, err error)

type HolderValidationContext

// HolderValidationContext is the ValidationContext consumed by
// HolderValidationService; it exposes the expected holder and the claim that
// identifies the holder via GetHolder and GetClaim.
type HolderValidationContext struct {
	// contains filtered or unexported fields
}

func (HolderValidationContext) GetClaim

func (hvc HolderValidationContext) GetClaim() string

func (HolderValidationContext) GetHolder

func (hvc HolderValidationContext) GetHolder() string

type HolderValidationService

// HolderValidationService is a stateless ValidationService (see ValidateVC);
// presumably it checks that the holder claim of a credential matches the
// holder recorded in a HolderValidationContext — confirm in ValidateVC.
type HolderValidationService struct{}

func (*HolderValidationService) ValidateVC

func (hvs *HolderValidationService) ValidateVC(verifiableCredential *verifiable.Credential, validationContext ValidationContext) (result bool, err error)

type JWTVerfificationMethodResolver

// JWTVerfificationMethodResolver resolves a verification method reference to a
// vermethod.VerificationMethod for JWT proof checking; see
// ResolveVerificationMethod. The misspelling in the name is part of the
// exported API.
type JWTVerfificationMethodResolver struct{}

func (JWTVerfificationMethodResolver) ResolveVerificationMethod

func (jwtVMR JWTVerfificationMethodResolver) ResolveVerificationMethod(verificationMethod string, expectedProofIssuer string) (*vermethod.VerificationMethod, error)

type NonceGenerator

// NonceGenerator supplies the nonces used in the authentication flows.
// NOTE(review): a nonce binds a presentation to one request, so implementations
// must draw from a cryptographically secure source and never repeat values —
// confirm against the implementation.
type NonceGenerator interface {
	// GenerateNonce returns a fresh nonce.
	GenerateNonce() string
}

type PresentationParser

// PresentationParser turns the raw bytes of a presented token into a
// verifiable.Presentation. ConfigurablePresentationParser is the implementation
// in this package; the package-wide instance is reached via GetPresentationParser.
type PresentationParser interface {
	// ParsePresentation parses tokenBytes into a presentation.
	ParsePresentation(tokenBytes []byte) (*verifiable.Presentation, error)
}

Interface of the presentation parser.

func GetPresentationParser

func GetPresentationParser() PresentationParser

Global singleton access to the parser.

type SameDeviceResponse

// SameDeviceResponse is the response structure for successful same-device
// authentications, returned by AuthenticationResponse.
type SameDeviceResponse struct {
	// RedirectTarget is the redirect target to be informed.
	RedirectTarget string
	// Code is the code of the SIOP flow (later exchanged through GetToken).
	Code string
	// SessionId is the session id provided by the client.
	SessionId string
}

Response structure for successful same-device authentications

type ServiceBackedCredentialsConfig

// ServiceBackedCredentialsConfig is the CredentialsConfig implementation
// created by InitServiceBackedCredentialsConfig from a config.ConfigRepo.
type ServiceBackedCredentialsConfig struct {
	// contains filtered or unexported fields
}

func (ServiceBackedCredentialsConfig) GetHolderVerification

func (cc ServiceBackedCredentialsConfig) GetHolderVerification(serviceIdentifier string, scope string, credentialType string) (isEnabled bool, holderClaim string, err error)

func (ServiceBackedCredentialsConfig) GetScope

func (cc ServiceBackedCredentialsConfig) GetScope(serviceIdentifier string) (credentialTypes []string, err error)

FIXME: shall we return all scopes or just the default one?

func (ServiceBackedCredentialsConfig) GetTrustedIssuersLists

func (cc ServiceBackedCredentialsConfig) GetTrustedIssuersLists(serviceIdentifier string, scope string, credentialType string) (trustedIssuersRegistryUrl []string, err error)

func (ServiceBackedCredentialsConfig) GetTrustedParticipantLists

func (cc ServiceBackedCredentialsConfig) GetTrustedParticipantLists(serviceIdentifier string, scope string, credentialType string) (trustedIssuersRegistryUrl []string, err error)

func (ServiceBackedCredentialsConfig) RequiredCredentialTypes

func (cc ServiceBackedCredentialsConfig) RequiredCredentialTypes(serviceIdentifier string, scope string) (credentialTypes []string, err error)

type TrustBlocValidator

// TrustBlocValidator is a ValidationService backed by TrustBloc. Its ValidateVC
// performs content validation only: the credential is already verified when it
// is parsed out of the presentation.
type TrustBlocValidator struct {
	// contains filtered or unexported fields
}

func (TrustBlocValidator) ValidateVC

func (tbv TrustBlocValidator) ValidateVC(verifiableCredential *verifiable.Credential, verificationContext ValidationContext) (result bool, err error)

The credential is already verified when it is parsed from the VP; only content validation should happen here.

type TrustRegistriesValidationContext

// TrustRegistriesValidationContext is the ValidationContext for the registry
// based services (TrustedIssuerValidationService and
// TrustedParticipantValidationService). It carries the required credential
// types and, keyed by credential type (presumably — confirm), the trusted
// issuers and trusted participant list endpoints.
type TrustRegistriesValidationContext struct {
	// contains filtered or unexported fields
}

func (TrustRegistriesValidationContext) GetRequiredCredentialTypes

func (trvc TrustRegistriesValidationContext) GetRequiredCredentialTypes() []string

func (TrustRegistriesValidationContext) GetTrustedIssuersLists

func (trvc TrustRegistriesValidationContext) GetTrustedIssuersLists() map[string][]string

func (TrustRegistriesValidationContext) GetTrustedParticipantLists

func (trvc TrustRegistriesValidationContext) GetTrustedParticipantLists() map[string][]string

type TrustedIssuerValidationService

// TrustedIssuerValidationService is a ValidationService that validates the
// entry of a participant within the trusted list (see ValidateVC). Its name
// indicates it works against the trusted issuers lists, while the sibling
// TrustedParticipantValidationService covers the trusted participant lists —
// confirm in ValidateVC, as the two carry near-identical documentation.
type TrustedIssuerValidationService struct {
	// contains filtered or unexported fields
}

The trusted participant verification service validates that a participant has an entry in the trusted list.

func (*TrustedIssuerValidationService) ValidateVC

func (tpvs *TrustedIssuerValidationService) ValidateVC(verifiableCredential *verifiable.Credential, validationContext ValidationContext) (result bool, err error)

type TrustedParticipantValidationService

// TrustedParticipantValidationService is a ValidationService that validates the
// entry of a participant within the trusted list (see ValidateVC); it is the
// counterpart of TrustedIssuerValidationService for the trusted participant lists.
type TrustedParticipantValidationService struct {
	// contains filtered or unexported fields
}

The trusted participant validation service validates that a participant has an entry in the trusted list.

func (*TrustedParticipantValidationService) ValidateVC

func (tpvs *TrustedParticipantValidationService) ValidateVC(verifiableCredential *verifiable.Credential, validationContext ValidationContext) (result bool, err error)

type ValidationContext

// ValidationContext is an untyped marker: any value satisfies it, and each
// ValidationService selects the concrete context it understands
// (HolderValidationContext, TrustRegistriesValidationContext) — presumably via
// a type assertion inside ValidateVC, so a mismatched context must surface as
// an error rather than a skipped check (confirm).
type ValidationContext interface{}

type ValidationService

// ValidationService checks one policy against a verifiable credential. The
// implementations in this package are TrustBlocValidator,
// GaiaXRegistryValidationService, HolderValidationService,
// TrustedIssuerValidationService and TrustedParticipantValidationService.
type ValidationService interface {
	// ValidateVC validates the given VC against the verificationContext.
	// FIXME: currently a positive result is returned even when no policy was
	// checked; callers should not treat result == true as proof that a policy ran.
	ValidateVC(verifiableCredential *verifiable.Credential, verificationContext ValidationContext) (result bool, err error)
}

type Verifier

// Verifier is the interface of the verifier; CredentialVerifier implements it
// and the package-wide instance is reached through GetVerifier.
type Verifier interface {
	// ReturnLoginQR initializes the cross-device login flow and returns the information as a QR code.
	ReturnLoginQR(host string, protocol string, callback string, sessionId string, clientId string) (qr string, err error)
	// StartSiopFlow starts a SIOP flow and returns the required connection information.
	StartSiopFlow(host string, protocol string, callback string, sessionId string, clientId string) (connectionString string, err error)
	// StartSameDeviceFlow starts a same-device SIOP flow and returns the redirection information.
	StartSameDeviceFlow(host string, protocol string, sessionId string, redirectPath string, clientId string) (authenticationRequest string, err error)
	// GetToken exchanges an authorization code for a cached JWT; each token is returned only once,
	// and redirectUri must match the one the code was issued for (see ErrorRedirectUriMismatch).
	GetToken(authorizationCode string, redirectUri string) (jwtString string, expiration int64, err error)
	// GetJWKS returns the key set used to verify the JWTs issued by the verifier.
	GetJWKS() jwk.Set
	// AuthenticationResponse receives credentials for an existing login session, verifies them and
	// either returns the same-device response or notifies the cross-device initiator.
	AuthenticationResponse(state string, verifiablePresentation *verifiable.Presentation) (sameDevice SameDeviceResponse, err error)
	// GenerateToken builds a JWT for the given client, subject, audience and scope from a verified
	// presentation, returning the expiration, the token string and an error (order as declared).
	GenerateToken(clientId, subject, audience string, scope []string, verifiablePresentation *verifiable.Presentation) (int64, string, error)
	// GetOpenIDConfiguration returns the OpenID provider metadata for the given service.
	GetOpenIDConfiguration(serviceIdentifier string) (metadata common.OpenIDProviderMetadata, err error)
}

Interface of the verifier.

func GetVerifier

func GetVerifier() Verifier

Global singleton access to the verifier.
