Update go-did (#2473)

nuts-foundation · Sep 8, 2023 · e3304a1 · e3304a1
1 parent 302b0e0
commit e3304a1
Show file tree

Hide file tree

Showing 7 changed files with 19 additions and 49 deletions.
diff --git a/auth/services/oauth/authz_server.go b/auth/services/oauth/authz_server.go
@@ -473,15 +473,12 @@ func (s *authzServer) validateAuthorizationCredentials(context *validationContex
 		}
 
 		// The credential credentialSubject.id equals the iss field of the JWT.
-		authCredSubjects := make([]credential.NutsAuthorizationCredentialSubject, 0)
-		if err := authCred.UnmarshalCredentialSubject(&authCredSubjects); err != nil {
+		subjectDID, err := authCred.SubjectDID()
+		if err != nil {
 			return fmt.Errorf(errInvalidVCClaim, err)
 		}
-		// should be only 1 credentialSubject, but we do the range just to make sure and to avoid [0] specific code.
-		for _, authCredSubject := range authCredSubjects {
-			if authCredSubject.ID != iss {
-				return fmt.Errorf("credentialSubject.ID %s of authorization credential with ID: %s does not match jwt.iss: %s", authCredSubject.ID, authCred.ID.String(), iss)
-			}
+		if subjectDID.String() != iss {
+			return fmt.Errorf("credentialSubject.ID %s of authorization credential with ID: %s does not match jwt.iss: %s", subjectDID, authCred.ID.String(), iss)
 		}
 	}
 

diff --git a/go.mod b/go.mod
@@ -21,7 +21,7 @@ require (
 	github.com/nats-io/nats-server/v2 v2.9.21
 	github.com/nats-io/nats.go v1.28.0
 	github.com/nuts-foundation/crypto-ecies v0.0.0-20211207143025-5b84f9efce2b
-	github.com/nuts-foundation/go-did v0.6.3
+	github.com/nuts-foundation/go-did v0.6.5
 	github.com/nuts-foundation/go-leia/v4 v4.0.0
 	github.com/nuts-foundation/go-stoabs v1.9.0
 	// check the oapi-codegen tool version in the makefile when upgrading the runtime

diff --git a/go.sum b/go.sum
@@ -437,6 +437,8 @@ github.com/nuts-foundation/crypto-ecies v0.0.0-20211207143025-5b84f9efce2b h1:80
 github.com/nuts-foundation/crypto-ecies v0.0.0-20211207143025-5b84f9efce2b/go.mod h1:6YUioYirD6/8IahZkoS4Ypc8xbeJW76Xdk1QKcziNTM=
 github.com/nuts-foundation/go-did v0.6.3 h1:jN6Y8TWieyHjIetxvO4W467fwjJ5JQo50HpAKgaU9ig=
 github.com/nuts-foundation/go-did v0.6.3/go.mod h1:Jb3IgnO2Zeed970JMIlfjr4g1kvikmgWUJA0EfeDEFE=
+github.com/nuts-foundation/go-did v0.6.5 h1:y2gPygRN1gBeMI9y8OIWwARp8NpHHheqnbpLwCxajFw=
+github.com/nuts-foundation/go-did v0.6.5/go.mod h1:Jb3IgnO2Zeed970JMIlfjr4g1kvikmgWUJA0EfeDEFE=
 github.com/nuts-foundation/go-leia/v4 v4.0.0 h1:/unYCk18qGG2HWcJK4ld4CaM6k7Tdr0bR1vQd1Jwfcg=
 github.com/nuts-foundation/go-leia/v4 v4.0.0/go.mod h1:A246dA4nhY99OPCQpG/XbQ/iPyyfSaJchanivuPWpao=
 github.com/nuts-foundation/go-stoabs v1.9.0 h1:zK+ugfolaJYyBvGwsRuavLVdycXk4Yw/1gI+tz17lWQ=

diff --git a/vcr/holder/wallet.go b/vcr/holder/wallet.go
@@ -121,21 +121,16 @@ func (h wallet) BuildPresentation(ctx context.Context, credentials []vc.Verifiab
 }
 
 func (h wallet) resolveSubjectDID(credentials []vc.VerifiableCredential) (*did.DID, error) {
-	type credentialSubject struct {
-		ID did.DID `json:"id"`
-	}
 	var subjectID did.DID
 	for _, credential := range credentials {
-		var subjects []credentialSubject
-		err := credential.UnmarshalCredentialSubject(&subjects)
-		if err != nil || len(subjects) != 1 {
-			return nil, errors.New("not all VCs contain credentialSubject.id")
+		sid, err := credential.SubjectDID()
+		if err != nil {
+			return nil, err
 		}
-		subject := subjects[0]
-		if !subjectID.Empty() && !subjectID.Equals(subject.ID) {
+		if !subjectID.Empty() && !subjectID.Equals(*sid) {
 			return nil, errors.New("not all VCs have the same credentialSubject.id")
 		}
-		subjectID = subject.ID
+		subjectID = *sid
 	}
 
 	if subjectID.Empty() {

diff --git a/vcr/holder/wallet_test.go b/vcr/holder/wallet_test.go
@@ -220,7 +220,7 @@ func TestWallet_Present(t *testing.T) {
 
 			resultingPresentation, err := w.BuildPresentation(ctx, []vc.VerifiableCredential{testCredential, secondCredential}, options, nil, false)
 
-			assert.EqualError(t, err, "unable to resolve signer DID from VCs for creating VP: not all VCs contain credentialSubject.id")
+			assert.EqualError(t, err, "unable to resolve signer DID from VCs for creating VP: unable to get subject DID from VC: there must be at least 1 credentialSubject")
 			assert.Nil(t, resultingPresentation)
 		})
 	})

diff --git a/vcr/issuer/issuer.go b/vcr/issuer/issuer.go
@@ -156,19 +156,11 @@ func (i issuer) Issue(ctx context.Context, credentialOptions vc.VerifiableCreden
 // issueUsingOpenID4VCI tries to issue the credential over OpenID4VCI. It returns whether the credential was offered successfully.
 // If no error is returned and bool is false, it means the wallet does not support OpenID4VCI.
 func (i issuer) issueUsingOpenID4VCI(ctx context.Context, credential vc.VerifiableCredential) (bool, error) {
-	type credentialSubject struct {
-		ID did.DID `json:"id"`
-	}
-	var subjects []credentialSubject
-	err := credential.UnmarshalCredentialSubject(&subjects)
+	subjectID, err := credential.SubjectDID()
 	if err != nil {
-		return false, fmt.Errorf("unable to unmarshal credential subject: %w", err)
-	}
-	if len(subjects) != 1 {
-		return false, fmt.Errorf("expected exactly 1 credential subject, got %d", len(subjects))
+		return false, err
 	}
-
-	walletIdentifier, err := i.walletResolver.Resolve(subjects[0].ID)
+	walletIdentifier, err := i.walletResolver.Resolve(*subjectID)
 	if err != nil {
 		return false, fmt.Errorf("unable to discover wallet identifier: %w", err)
 	}

diff --git a/vcr/issuer/openid.go b/vcr/issuer/openid.go
@@ -250,7 +250,7 @@ func (i *openidHandler) HandleCredentialRequest(ctx context.Context, request ope
 	}
 
 	credential := flow.Credentials[0] // there's always just one (at least for now)
-	subjectDID, _ := getSubjectDID(credential)
+	subjectDID, _ := credential.SubjectDID()
 
 	// check credential.Issuer against given issuer
 	if credential.Issuer.String() != i.issuerDID.String() {
@@ -290,7 +290,7 @@ func (i *openidHandler) HandleCredentialRequest(ctx context.Context, request ope
 // See https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-proof-types
 func (i *openidHandler) validateProof(ctx context.Context, flow *Flow, request openid4vci.CredentialRequest) error {
 	credential := flow.Credentials[0] // there's always just one (at least for now)
-	wallet, _ := getSubjectDID(credential)
+	wallet, _ := credential.SubjectDID()
 
 	// augment invalid_proof errors according to §7.3.2 of openid4vci spec
 	generateProofError := func(err openid4vci.Error) error {
@@ -433,7 +433,7 @@ func (i *openidHandler) createOffer(ctx context.Context, credential vc.Verifiabl
 			openid4vci.PreAuthorizedCodeGrant: grantParams,
 		},
 	}
-	subjectDID, _ := getSubjectDID(credential) // succeeded in previous step, can't fail
+	subjectDID, _ := credential.SubjectDID() // succeeded in previous step, can't fail
 
 	flow := Flow{
 		ID:          uuid.NewString(),
@@ -501,22 +501,6 @@ func (i *openidHandler) loadCredentialDefinitions() error {
 	}
 
 	return err
-
-}
-
-func getSubjectDID(verifiableCredential vc.VerifiableCredential) (did.DID, error) {
-	type subjectType struct {
-		ID did.DID `json:"id"`
-	}
-	var subject []subjectType
-	err := verifiableCredential.UnmarshalCredentialSubject(&subject)
-	if err != nil {
-		return did.DID{}, fmt.Errorf("unable to unmarshal credential subject: %w", err)
-	}
-	if len(subject) == 0 {
-		return did.DID{}, errors.New("missing subject ID")
-	}
-	return subject[0].ID, err
 }
 
 func generateCode() string {