From e3304a146928b44063b18c9425985d710865cbc4 Mon Sep 17 00:00:00 2001
From: reinkrul
Date: Fri, 8 Sep 2023 11:06:08 +0200
Subject: [PATCH] Update go-did (#2473)

---
 auth/services/oauth/authz_server.go | 11 ++++-------
 go.mod | 2 +-
 go.sum | 2 ++
 vcr/holder/wallet.go | 15 +++++----------
 vcr/holder/wallet_test.go | 2 +-
 vcr/issuer/issuer.go | 14 +++-----------
 vcr/issuer/openid.go | 22 +++------------------
 7 files changed, 19 insertions(+), 49 deletions(-)

diff --git a/auth/services/oauth/authz_server.go b/auth/services/oauth/authz_server.go
index f10e15efab..f818247849 100644
--- a/auth/services/oauth/authz_server.go
+++ b/auth/services/oauth/authz_server.go
@@ -473,15 +473,12 @@ func (s *authzServer) validateAuthorizationCredentials(context *validationContex
 }
 
 // The credential credentialSubject.id equals the iss field of the JWT.
- authCredSubjects := make([]credential.NutsAuthorizationCredentialSubject, 0)
- if err := authCred.UnmarshalCredentialSubject(&authCredSubjects); err != nil {
+ subjectDID, err := authCred.SubjectDID()
+ if err != nil {
 return fmt.Errorf(errInvalidVCClaim, err)
 }
- // should be only 1 credentialSubject, but we do the range just to make sure and to avoid [0] specific code.
- for _, authCredSubject := range authCredSubjects {
- if authCredSubject.ID != iss {
- return fmt.Errorf("credentialSubject.ID %s of authorization credential with ID: %s does not match jwt.iss: %s", authCredSubject.ID, authCred.ID.String(), iss)
- }
+ if subjectDID.String() != iss {
+ return fmt.Errorf("credentialSubject.ID %s of authorization credential with ID: %s does not match jwt.iss: %s", subjectDID, authCred.ID.String(), iss)
 }
 }
 
diff --git a/go.mod b/go.mod
index 119522d840..ca3f0a45cc 100644
--- a/go.mod
+++ b/go.mod
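Review bot: The comparison on the new `if subjectDID.String() != iss` line binds only the single DID that `SubjectDID()` returns to the JWT issuer, whereas the removed loop compared every credentialSubject entry against `iss`; if go-did's `SubjectDID()` just takes the first subject (as the `getSubjectDID` helper removed from vcr/issuer/openid.go in this same patch did), an authorization credential carrying a second subject with a different id would no longer be rejected here. I cannot see the go-did v0.6.5 implementation from this patch, so this may already be handled there, but since this line is the iss binding of the bearer JWT it deserves a comment recording the assumption, e.g. `// relies on SubjectDID() rejecting (or reconciling) credentials with several credentialSubject entries; only one DID is bound to iss`, plus a test with two credentialSubject entries. On the positive side, a credential with zero subjects, which the removed range loop silently let through, now fails via the error path. validateAuthorizationCredentials begins before this hunk.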
@@ -21,7 +21,7 @@ require (
 github.com/nats-io/nats-server/v2 v2.9.21
 github.com/nats-io/nats.go v1.28.0
 github.com/nuts-foundation/crypto-ecies v0.0.0-20211207143025-5b84f9efce2b
- github.com/nuts-foundation/go-did v0.6.3
+ github.com/nuts-foundation/go-did v0.6.5
 github.com/nuts-foundation/go-leia/v4 v4.0.0
 github.com/nuts-foundation/go-stoabs v1.9.0
 // check the oapi-codegen tool version in the makefile when upgrading the runtime
diff --git a/go.sum b/go.sum
index 08336c3a6e..242223e8d4 100644
--- a/go.sum
+++ b/go.sum
@@ -437,6 +437,8 @@ github.com/nuts-foundation/crypto-ecies v0.0.0-20211207143025-5b84f9efce2b h1:80
 github.com/nuts-foundation/crypto-ecies v0.0.0-20211207143025-5b84f9efce2b/go.mod h1:6YUioYirD6/8IahZkoS4Ypc8xbeJW76Xdk1QKcziNTM=
 github.com/nuts-foundation/go-did v0.6.3 h1:jN6Y8TWieyHjIetxvO4W467fwjJ5JQo50HpAKgaU9ig=
 github.com/nuts-foundation/go-did v0.6.3/go.mod h1:Jb3IgnO2Zeed970JMIlfjr4g1kvikmgWUJA0EfeDEFE=
+github.com/nuts-foundation/go-did v0.6.5 h1:y2gPygRN1gBeMI9y8OIWwARp8NpHHheqnbpLwCxajFw=
+github.com/nuts-foundation/go-did v0.6.5/go.mod h1:Jb3IgnO2Zeed970JMIlfjr4g1kvikmgWUJA0EfeDEFE=
 github.com/nuts-foundation/go-leia/v4 v4.0.0 h1:/unYCk18qGG2HWcJK4ld4CaM6k7Tdr0bR1vQd1Jwfcg=
 github.com/nuts-foundation/go-leia/v4 v4.0.0/go.mod h1:A246dA4nhY99OPCQpG/XbQ/iPyyfSaJchanivuPWpao=
 github.com/nuts-foundation/go-stoabs v1.9.0 h1:zK+ugfolaJYyBvGwsRuavLVdycXk4Yw/1gI+tz17lWQ=
diff --git a/vcr/holder/wallet.go b/vcr/holder/wallet.go
index fc520b1d1b..273c65e992 100644
--- a/vcr/holder/wallet.go
+++ b/vcr/holder/wallet.go
@@ -121,21 +121,16 @@ func (h wallet) BuildPresentation(ctx context.Context, credentials []vc.Verifiab
 }
 
 func (h wallet) resolveSubjectDID(credentials []vc.VerifiableCredential) (*did.DID, error) {
- type credentialSubject struct {
- ID did.DID `json:"id"`
- }
 var subjectID did.DID
 for _, credential := range credentials {
- var subjects []credentialSubject
- err := credential.UnmarshalCredentialSubject(&subjects)
- if err != nil || len(subjects) != 1 {
- return nil, errors.New("not all VCs contain credentialSubject.id")
+ sid, err := credential.SubjectDID()
+ if err != nil {
+ return nil, err
 }
- subject := subjects[0]
- if !subjectID.Empty() && !subjectID.Equals(subject.ID) {
+ if !subjectID.Empty() && !subjectID.Equals(*sid) {
 return nil, errors.New("not all VCs have the same credentialSubject.id")
 }
- subjectID = subject.ID
+ subjectID = *sid
 }
 
 if subjectID.Empty() {
diff --git a/vcr/holder/wallet_test.go b/vcr/holder/wallet_test.go
index cbba4170be..80955c2f7e 100644
--- a/vcr/holder/wallet_test.go
+++ b/vcr/holder/wallet_test.go
@@ -220,7 +220,7 @@ func TestWallet_Present(t *testing.T) {
 
 resultingPresentation, err := w.BuildPresentation(ctx, []vc.VerifiableCredential{testCredential, secondCredential}, options, nil, false)
 
- assert.EqualError(t, err, "unable to resolve signer DID from VCs for creating VP: not all VCs contain credentialSubject.id")
+ assert.EqualError(t, err, "unable to resolve signer DID from VCs for creating VP: unable to get subject DID from VC: there must be at least 1 credentialSubject")
 assert.Nil(t, resultingPresentation)
 })
 })
diff --git a/vcr/issuer/issuer.go b/vcr/issuer/issuer.go
index 226c67085a..3e5f0f796e 100644
--- a/vcr/issuer/issuer.go
+++ b/vcr/issuer/issuer.go
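Review bot: The error returned on the new `return nil, err` line inside the loop no longer identifies which credential lacked a usable credentialSubject.id; with several credentials passed to BuildPresentation the caller only sees go-did's generic text, as the updated wallet_test.go assertion on this page shows. Wrapping it with the credential's ID, e.g. `return nil, fmt.Errorf("credential %s: %w", credential.ID, err)`, keeps the cause while making the failing VC identifiable; the test expectation would need the same update, and I cannot see from this hunk whether wallet.go already imports fmt. Dropping the removed `len(subjects) != 1` guard also means that multi-subject credentials are now accepted or rejected by go-did's rule rather than this file's, which is worth a one-line comment at the `SubjectDID()` call so the next reader does not assume the stricter check is still here. resolveSubjectDID continues past the last line of this hunk.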
@@ -156,19 +156,11 @@ func (i issuer) Issue(ctx context.Context, credentialOptions vc.VerifiableCreden // issueUsingOpenID4VCI tries to issue the credential over OpenID4VCI. It returns whether the credential was offered successfully. // If no error is returned and bool is false, it means the wallet does not support OpenID4VCI. func (i issuer) issueUsingOpenID4VCI(ctx context.Context, credential vc.VerifiableCredential) (bool, error) { - type credentialSubject struct { - ID did.DID `json:"id"` - } - var subjects []credentialSubject - err := credential.UnmarshalCredentialSubject(&subjects) + subjectID, err := credential.SubjectDID() if err != nil { - return false, fmt.Errorf("unable to unmarshal credential subject: %w", err) - } - if len(subjects) != 1 { - return false, fmt.Errorf("expected exactly 1 credential subject, got %d", len(subjects)) + return false, err } - - walletIdentifier, err := i.walletResolver.Resolve(subjects[0].ID) + walletIdentifier, err := i.walletResolver.Resolve(*subjectID) if err != nil { return false, fmt.Errorf("unable to discover wallet identifier: %w", err) } diff --git a/vcr/issuer/openid.go b/vcr/issuer/openid.go index d40ae134f6..073cb6b170 100644 --- a/vcr/issuer/openid.go +++ b/vcr/issuer/openid.go @@ -250,7 +250,7 @@ func (i *openidHandler) HandleCredentialRequest(ctx context.Context, request ope } credential := flow.Credentials[0] // there's always just one (at least for now) - subjectDID, _ := getSubjectDID(credential) + subjectDID, _ := credential.SubjectDID() // check credential.Issuer against given issuer if credential.Issuer.String() != i.issuerDID.String() { 
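Review bot: The new `return false, err` in issueUsingOpenID4VCI passes go-did's error up bare, while the neighbouring failure two lines below wraps with `fmt.Errorf("unable to discover wallet identifier: %w", err)` and the removed code wrapped its subject error too; callers of Issue thereby lose the hint that the failure was in reading the credential subject rather than in wallet discovery. Keeping the function's error style consistent is a one-liner: `return false, fmt.Errorf("unable to determine credential subject: %w", err)`. The body of issueUsingOpenID4VCI continues beyond the end of this hunk.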
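Review bot: `subjectDID, _ := credential.SubjectDID()` discards the error, and because `SubjectDID()` returns a pointer (the wallet.go and issuer.go hunks on this page dereference its result as `*sid` and `*subjectID`), a failure now leaves `subjectDID` nil where the replaced `getSubjectDID` returned a zero `did.DID` value; any later use of `subjectDID` in HandleCredentialRequest, which lies outside this hunk, would then panic inside a request handler instead of surfacing an error. The credential comes from a stored flow that createOffer presumably validated earlier, so as far as I can tell this is a robustness gap rather than a reachable bug, but the guard is cheap: `subjectDID, err := credential.SubjectDID()` followed by `if err != nil { return nil, err }` (or the openid4vci error type the function uses elsewhere). HandleCredentialRequest starts before this hunk.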
@@ -290,7 +290,7 @@ func (i *openidHandler) HandleCredentialRequest(ctx context.Context, request ope // See https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-proof-types func (i *openidHandler) validateProof(ctx context.Context, flow *Flow, request openid4vci.CredentialRequest) error { credential := flow.Credentials[0] // there's always just one (at least for now) - wallet, _ := getSubjectDID(credential) + wallet, _ := credential.SubjectDID() // augment invalid_proof errors according to ยง7.3.2 of openid4vci spec generateProofError := func(err openid4vci.Error) error { @@ -433,7 +433,7 @@ func (i *openidHandler) createOffer(ctx context.Context, credential vc.Verifiabl openid4vci.PreAuthorizedCodeGrant: grantParams, }, } - subjectDID, _ := getSubjectDID(credential) // succeeded in previous step, can't fail + subjectDID, _ := credential.SubjectDID() // succeeded in previous step, can't fail flow := Flow{ ID: uuid.NewString(), @@ -501,22 +501,6 @@ func (i *openidHandler) loadCredentialDefinitions() error { } return err - -} - -func getSubjectDID(verifiableCredential vc.VerifiableCredential) (did.DID, error) { - type subjectType struct { - ID did.DID `json:"id"` - } - var subject []subjectType - err := verifiableCredential.UnmarshalCredentialSubject(&subject) - if err != nil { - return did.DID{}, fmt.Errorf("unable to unmarshal credential subject: %w", err) - } - if len(subject) == 0 { - return did.DID{}, errors.New("missing subject ID") - } - return subject[0].ID, err } func generateCode() string {
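Review bot: `wallet, _ := credential.SubjectDID()` in validateProof swallows the error, and since `SubjectDID()` returns a `*did.DID` (see the `*sid` dereference in the wallet.go hunk on this page), `wallet` is nil on failure rather than the zero value the removed `getSubjectDID` produced; wherever validateProof later reads `wallet`, outside this hunk, that becomes a nil-pointer panic while processing an OpenID4VCI proof. Handling it in place, `wallet, err := credential.SubjectDID()` and `if err != nil { return err }`, keeps the failure on the error path; if the credential is guaranteed to have been validated by createOffer, a comment like the `// succeeded in previous step, can't fail` remark the createOffer hunk carries would at least document why the error is ignored. validateProof's body continues past the end of this hunk.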