iotaledger · eike-hass · May 15, 2024 · May 15, 2024 · May 16, 2024 · May 16, 2024
@@ -20,6 +20,7 @@ path = "src/main.rs"
 anyhow = "1.0.75"
 futures = { version = "0.3" }
 identity_eddsa_verifier = { path = "../../identity_eddsa_verifier" }
+identity_ecdsa_verifier = { path = "../../identity_ecdsa_verifier" }
 identity_iota = { path = "../../identity_iota", features = ["resolver", "sd-jwt", "domain-linkage", "domain-linkage-fetch", "status-list-2021"] }
 identity_stronghold = { path = "../../identity_stronghold", features = ["send-sync-storage"] }
 iota-sdk = { version = "1.1.5", features = ["stronghold"] }

@@ -21,6 +21,7 @@ Make sure to provide a valid stronghold snapshot at the provided `SNAPSHOT_PATH`
 | SD-JWT Validation                                                              | `sd_jwt/Verification.verify`                                             | [sd_jwt.proto](https://github.com/iotaledger/identity.rs/blob/main/bindings/grpc/proto/sd_jwt.proto)                     |
 | Credential JWT creation                                                        | `credentials/Jwt.create`                                                 | [credentials.proto](https://github.com/iotaledger/identity.rs/blob/main/bindings/grpc/proto/credentials.proto)           |
 | Credential JWT validation                                                      | `credentials/VcValidation.validate`                                      | [credentials.proto](https://github.com/iotaledger/identity.rs/blob/main/bindings/grpc/proto/credentials.proto)           |
+| Presentation JWT validation                                                    | `presentation/JwtPresentation.validate`                                  | [presentation.proto](https://github.com/iotaledger/identity.rs/blob/main/bindings/grpc/proto/presentation.proto)         |
 | DID Document Creation                                                          | `document/DocumentService.create`                                        | [document.proto](https://github.com/iotaledger/identity.rs/blob/main/bindings/grpc/proto/document.proto)                 |
 | Domain Linkage - validate domain, let server fetch did-configuration           | `domain_linkage/DomainLinkage.validate_domain`                           | [domain_linkage.proto](https://github.com/iotaledger/identity.rs/blob/main/bindings/grpc/proto/domain_linkage.proto)     |
 | Domain Linkage - validate domain, pass did-configuration to service            | `domain_linkage/DomainLinkage.validate_domain_against_did_configuration` | [domain_linkage.proto](https://github.com/iotaledger/identity.rs/blob/main/bindings/grpc/proto/domain_linkage.proto)     |

@@ -0,0 +1,25 @@
+// Copyright 2020-2024 IOTA Stiftung
+// SPDX-License-Identifier: Apache-2.0
+
+syntax = "proto3";
+package presentation;
+
+message JwtPresentationRequest {
+    // Presentation's compact JWT serialization.
+    string jwt = 1;
+}
+
+message CredentialValidationResult {
+    oneof result {
+        string credential = 1;
+        string error = 2;
+    }
+}
+
+message JwtPresentationResponse {
+    repeated CredentialValidationResult credentials = 1;
+}
+
+service CredentialPresentation {
+    rpc validate(JwtPresentationRequest) returns (JwtPresentationResponse);
+}
@@ -9,6 +9,8 @@ message DataSigningRequest {
     bytes data = 1;
     // Signing key's ID.
     string key_id = 2;
+    // Key type of the key with id `key_id`. Valid values are: Ed25519, ES256, ES256K.
+    string key_type = 3;
 }
 
 message DataSigningResponse {
@@ -21,3 +23,29 @@ service Signing {
     rpc sign(DataSigningRequest) returns (DataSigningResponse);
 }
 
+message DidJwkResolutionRequest {
+    // did:jwk string
+    string did = 1;
+}
+
+message DidJwkResolutionResponse {
+    // JSON DID Document
+    string doc = 1;
+}
+
+service DidJwk {
+    rpc resolve(DidJwkResolutionRequest) returns (DidJwkResolutionResponse);
+}
+
+message IotaDidToAliasAddressRequest {
+    string did = 1;
+}
+
+message IotaDidToAliasAddressResponse {
+    string alias_address = 1;
+    string network = 2;
+}
+
+service IotaUtils {
+    rpc did_iota_to_alias_address(IotaDidToAliasAddressRequest) returns (IotaDidToAliasAddressResponse);
+}
@@ -5,3 +5,5 @@
 
 pub mod server;
 pub mod services;
+pub mod verifier;
+
@@ -1,7 +1,6 @@
 // Copyright 2020-2024 IOTA Stiftung
 // SPDX-License-Identifier: Apache-2.0
 
-use identity_eddsa_verifier::EdDSAJwsVerifier;
 use identity_iota::core::FromJson;
 use identity_iota::core::Object;
 use identity_iota::core::ToJson;
@@ -27,6 +26,8 @@ use tonic::Request;
 use tonic::Response;
 use tonic::Status;
 
+use crate::verifier::Verifier;
+
 mod _credentials {
   tonic::include_proto!("credentials");
 }
@@ -98,7 +99,7 @@ impl VcValidation for VcValidator {
       validation_option = validation_option.status_check(StatusCheck::SkipAll);
     }
 
-    let validator = JwtCredentialValidator::with_signature_verifier(EdDSAJwsVerifier::default());
+    let validator = JwtCredentialValidator::with_signature_verifier(Verifier::default());
     let decoded_credential = validator
       .validate::<_, Object>(&jwt, &issuer_doc, &validation_option, FailFast::FirstError)
       .map_err(|mut e| match e.validation_errors.swap_remove(0) {

@@ -18,7 +18,6 @@ use _domain_linkage::ValidateDidResponse;
 use _domain_linkage::ValidateDomainAgainstDidConfigurationRequest;
 use _domain_linkage::ValidateDomainRequest;
 use _domain_linkage::ValidateDomainResponse;
-use identity_eddsa_verifier::EdDSAJwsVerifier;
 use identity_iota::core::FromJson;
 use identity_iota::core::Url;
 use identity_iota::credential::DomainLinkageConfiguration;
@@ -38,6 +37,8 @@ use tonic::Response;
 use tonic::Status;
 use url::Origin;
 
+use crate::verifier::Verifier;
+
 mod _domain_linkage {
   tonic::include_proto!("domain_linkage");
 }
@@ -276,7 +277,7 @@ impl DomainLinkageService {
       .for_each(|(credential, issuer_did_doc)| {
         let id = issuer_did_doc.id().to_string();
 
-        if let Err(err) = JwtDomainLinkageValidator::with_signature_verifier(EdDSAJwsVerifier::default())
+        if let Err(err) = JwtDomainLinkageValidator::with_signature_verifier(Verifier::default())
           .validate_linkage(
             &issuer_did_doc,
             &domain_linkage_configuration,

@@ -5,6 +5,7 @@ pub mod credential;
 pub mod document;
 pub mod domain_linkage;
 pub mod health_check;
+pub mod presentation;
 pub mod sd_jwt;
 pub mod status_list_2021;
 pub mod utils;
@@ -22,7 +23,8 @@ pub fn routes(client: &Client, stronghold: &StrongholdStorage) -> Routes {
   routes.add_service(domain_linkage::service(client));
   routes.add_service(document::service(client, stronghold));
   routes.add_service(status_list_2021::service());
-  routes.add_service(utils::service(stronghold));
+  utils::init_services(&mut routes, stronghold);
+  routes.add_service(presentation::service(client));
 
   routes.routes()
 }
@@ -0,0 +1,164 @@
+// Copyright 2020-2024 IOTA Stiftung
+// SPDX-License-Identifier: Apache-2.0
+
+use _presentation::credential_presentation_server::CredentialPresentation as PresentationService;
+use _presentation::credential_presentation_server::CredentialPresentationServer;
+use _presentation::credential_validation_result::Result as ValidationResult;
+use _presentation::CredentialValidationResult;
+use _presentation::JwtPresentationRequest;
+use _presentation::JwtPresentationResponse;
+use crate::verifier::Verifier;
+use identity_iota::core::Object;
+use identity_iota::core::ToJson;
+use identity_iota::credential::CompoundJwtPresentationValidationError;
+use identity_iota::credential::FailFast;
+use identity_iota::credential::Jwt;
+use identity_iota::credential::JwtCredentialValidationOptions;
+use identity_iota::credential::JwtCredentialValidator;
+use identity_iota::credential::JwtCredentialValidatorUtils;
+use identity_iota::credential::JwtPresentationValidationOptions;
+use identity_iota::credential::JwtPresentationValidator;
+use identity_iota::credential::JwtPresentationValidatorUtils;
+use identity_iota::credential::JwtValidationError;
+use identity_iota::did::CoreDID;
+use identity_iota::iota::IotaDocument;
+use identity_iota::resolver::Error as ResolverError;
+use identity_iota::resolver::Resolver;
+use iota_sdk::client::Client;
+use tonic::async_trait;
+use tonic::Code;
+use tonic::Request;
+use tonic::Response;
+use tonic::Status;
+
+mod _presentation {
+  tonic::include_proto!("presentation");
+}
+
+#[derive(thiserror::Error, Debug)]
+pub enum Error {
+  #[error("Invalid JWT presentation: {0}")]
+  InvalidJwtPresentation(#[source] JwtValidationError),
+  #[error("Resolution error: {0}")]
+  ResolutionError(#[source] ResolverError),
+  #[error("Presentation validation error: {0}")]
+  PresentationValidationError(#[source] CompoundJwtPresentationValidationError),
+  #[error("Failed to validate jwt credential: {0}")]
+  CredentialValidationError(#[source] anyhow::Error),
+}
+
+impl From<Error> for Status {
+  fn from(value: Error) -> Self {
+    let code = match &value {
+      Error::InvalidJwtPresentation(_) => Code::InvalidArgument,
+      Error::ResolutionError(_) | Error::PresentationValidationError(_) | Error::CredentialValidationError(_) => {
+        Code::Internal
+      }
+    };
+
+    Status::new(code, value.to_string())
+  }
+}
+
+pub struct PresentationSvc {
+  resolver: Resolver<IotaDocument>,
+}
+
+impl PresentationSvc {
+  pub fn new(client: Client) -> Self {
+    let mut resolver = Resolver::<IotaDocument>::new_with_did_key_handler();
+    resolver.attach_did_jwk_handler();
+    resolver.attach_iota_handler(client);
+
+    Self { resolver }
+  }
+}
+
+#[async_trait]
+impl PresentationService for PresentationSvc {
+  async fn validate(&self, req: Request<JwtPresentationRequest>) -> Result<Response<JwtPresentationResponse>, Status> {
+    let jwt_presentation = {
+      let JwtPresentationRequest { jwt } = req.into_inner();
+      Jwt::new(jwt)
+    };
+
+    let holder_did = JwtPresentationValidatorUtils::extract_holder::<CoreDID>(&jwt_presentation)
+      .map_err(Error::InvalidJwtPresentation)?;
+    let holder_doc = self
+      .resolver
+      .resolve(&holder_did)
+      .await
+      .map_err(Error::ResolutionError)?;
+
+    let presentation_validator = JwtPresentationValidator::with_signature_verifier(Verifier::default());
+    let mut decoded_presentation = presentation_validator
+      .validate::<IotaDocument, Jwt, Object>(
+        &jwt_presentation,
+        &holder_doc,
+        &JwtPresentationValidationOptions::default(),
+      )
+      .map_err(Error::PresentationValidationError)?;
+
+    let credentials = std::mem::take(&mut decoded_presentation.presentation.verifiable_credential);
+    let mut decoded_credentials = Vec::with_capacity(credentials.len());
+    let credential_validator = JwtCredentialValidator::with_signature_verifier(Verifier::default());
+    for credential_jwt in credentials {
+      let issuer_did = JwtCredentialValidatorUtils::extract_issuer_from_jwt::<CoreDID>(&credential_jwt)
+        .map_err(|e| Error::CredentialValidationError(e.into()));
+
+      if let Err(e) = issuer_did {
+        let validation_result = CredentialValidationResult {
+          result: Some(ValidationResult::Error(e.to_string())),
+        };
+        decoded_credentials.push(validation_result);
+        continue;
+      }
+      let issuer_did = issuer_did.unwrap();
+
+      let issuer_doc = self
+        .resolver
+        .resolve(&issuer_did)
+        .await
+        .map_err(|e| Error::CredentialValidationError(e.into()));
+
+      if let Err(e) = issuer_doc {
+        let validation_result = CredentialValidationResult {
+          result: Some(ValidationResult::Error(e.to_string())),
+        };
+        decoded_credentials.push(validation_result);
+        continue;
+      }
+      let issuer_doc = issuer_doc.unwrap();
+
+      let validation_result = match credential_validator
+        .validate::<IotaDocument, Object>(
+          &credential_jwt,
+          &issuer_doc,
+          &JwtCredentialValidationOptions::default(),
+          FailFast::FirstError,
+        )
+        .map_err(|e| Error::CredentialValidationError(e.into()))
+      {
+        Ok(decoded_credential) => ValidationResult::Credential(
+          decoded_credential
+            .credential
+            .to_json()
+            .map_err(|e| Status::internal(e.to_string()))?,
+        ),
+        Err(e) => ValidationResult::Error(e.to_string()),
+      };
+
+      decoded_credentials.push(CredentialValidationResult {
+        result: Some(validation_result),
+      })
+    }
+
+    Ok(Response::new(JwtPresentationResponse {
+      credentials: decoded_credentials,
+    }))
+  }
+}
+
+pub fn service(client: &Client) -> CredentialPresentationServer<PresentationSvc> {
+  CredentialPresentationServer::new(PresentationSvc::new(client.clone()))
+}
@@ -5,7 +5,6 @@ use _sd_jwt::verification_server::Verification;
 use _sd_jwt::verification_server::VerificationServer;
 use _sd_jwt::VerificationRequest;
 use _sd_jwt::VerificationResponse;
-use identity_eddsa_verifier::EdDSAJwsVerifier;
 use identity_iota::core::Object;
 use identity_iota::core::Timestamp;
 use identity_iota::core::ToJson;
@@ -25,6 +24,8 @@ use serde::Deserialize;
 use serde::Serialize;
 use thiserror::Error;
 
+use crate::verifier::Verifier;
+
 use self::_sd_jwt::KeyBindingOptions;
 
 mod _sd_jwt {
@@ -125,7 +126,7 @@ impl Verification for SdJwtService {
     sd_jwt.jwt = jwt.into();
 
     let decoder = SdObjectDecoder::new_with_sha256();
-    let validator = SdJwtCredentialValidator::with_signature_verifier(EdDSAJwsVerifier::default(), decoder);
+    let validator = SdJwtCredentialValidator::with_signature_verifier(Verifier::default(), decoder);
     let credential = validator
       .validate_credential::<_, Object>(
         &sd_jwt,