feat(grpc): grpc rebased extended with did:key #1426

wants to merge 15 commits into
base: feat/identity-rebased
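--- a/bindings/grpc/.dockerignore
+++ b/bindings/grpc/.dockerignore
@@ -0,0 +1,2 @@
+target
+tests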
3 changes: 2 additions & 1 deletion bindings/grpc/Cargo.toml
Expand Up @@ -20,6 +20,7 @@ path = "src/main.rs"
anyhow = "1.0"
futures = { version = "0.3" }
identity_eddsa_verifier = { path = "../../identity_eddsa_verifier" }
identity_ecdsa_verifier = { path = "../../identity_ecdsa_verifier" }
identity_iota = { path = "../../identity_iota", features = [
"resolver",
"sd-jwt",
Expand All @@ -33,7 +34,7 @@ identity_stronghold = { path = "../../identity_stronghold", features = [
"send-sync-storage",
] }
identity_sui_name_tbd = { path = "../../identity_sui_name_tbd" }
iota-sdk = { version = "1.1.2", features = ["stronghold"] }
iota-sdk = { version = "1.1.5", features = ["stronghold"] }
iota-sdk-move = { git = "https://github.com/iotaledger/iota.git", package = "iota-sdk" }
openssl = { version = "0.10", features = ["vendored"] }
prost = "0.13"
4 changes: 2 additions & 2 deletions bindings/grpc/Dockerfile
@@ -1,4 +1,4 @@
FROM rust:bookworm as builder
FROM rust:bookworm AS builder

# install protobuf
RUN apt-get update && apt-get install -y protobuf-compiler libprotobuf-dev musl-tools
Expand All @@ -8,7 +8,7 @@ WORKDIR /usr/src/app/bindings/grpc
RUN rustup target add x86_64-unknown-linux-musl
RUN cargo build --target x86_64-unknown-linux-musl --release --bin identity-grpc

FROM gcr.io/distroless/static-debian11 as runner
FROM gcr.io/distroless/static-debian11 AS runner

# get binary
COPY --from=builder /usr/src/app/bindings/grpc/target/x86_64-unknown-linux-musl/release/identity-grpc /
1 change: 1 addition & 0 deletions bindings/grpc/README.md
Expand Up @@ -21,6 +21,7 @@ Make sure to provide a valid stronghold snapshot at the provided `SNAPSHOT_PATH`
| SD-JWT Validation | `sd_jwt/Verification.verify` | [sd_jwt.proto](https://github.com/iotaledger/identity.rs/blob/main/bindings/grpc/proto/sd_jwt.proto) |
| Credential JWT creation | `credentials/Jwt.create` | [credentials.proto](https://github.com/iotaledger/identity.rs/blob/main/bindings/grpc/proto/credentials.proto) |
| Credential JWT validation | `credentials/VcValidation.validate` | [credentials.proto](https://github.com/iotaledger/identity.rs/blob/main/bindings/grpc/proto/credentials.proto) |
| Presentation JWT validation | `presentation/JwtPresentation.validate` | [presentation.proto](https://github.com/iotaledger/identity.rs/blob/main/bindings/grpc/proto/presentation.proto) |
| DID Document Creation | `document/DocumentService.create` | [document.proto](https://github.com/iotaledger/identity.rs/blob/main/bindings/grpc/proto/document.proto) |
| Domain Linkage - validate domain, let server fetch did-configuration | `domain_linkage/DomainLinkage.validate_domain` | [domain_linkage.proto](https://github.com/iotaledger/identity.rs/blob/main/bindings/grpc/proto/domain_linkage.proto) |
| Domain Linkage - validate domain, pass did-configuration to service | `domain_linkage/DomainLinkage.validate_domain_against_did_configuration` | [domain_linkage.proto](https://github.com/iotaledger/identity.rs/blob/main/bindings/grpc/proto/domain_linkage.proto) |
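--- a/bindings/grpc/proto/presentation.proto
+++ b/bindings/grpc/proto/presentation.proto
@@ -0,0 +1,25 @@
+// Copyright 2020-2024 IOTA Stiftung
+// SPDX-License-Identifier: Apache-2.0
+
+syntax = "proto3";
+package presentation;
+
+message JwtPresentationRequest {
+// Presentation's compact JWT serialization.
+string jwt = 1;
+}
+
+message CredentialValidationResult {
+oneof result {
+string credential = 1;
+string error = 2;
+}
+}
+
+message JwtPresentationResponse {
+repeated CredentialValidationResult credentials = 1;
+}
+
+service CredentialPresentation {
+rpc validate(JwtPresentationRequest) returns (JwtPresentationResponse);
+}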
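Review bot: The service is declared as `CredentialPresentation`, while the README row added in this PR documents the endpoint as `presentation/JwtPresentation.validate`; one of the two should be renamed so the table matches the generated `CredentialPresentationServer`. The `oneof result` fields carry no comments, unlike `jwt` above; `// Validated credential, serialized as JSON.` on `credential` and `// Reason this credential failed validation.` on `error` would make the response self-describing. The `error` string is sent verbatim to the client, so whatever the server puts there (resolver or validation error text) becomes part of the public contract — worth stating in the comment.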
28 changes: 28 additions & 0 deletions bindings/grpc/proto/utils.proto
Expand Up @@ -9,6 +9,8 @@ message DataSigningRequest {
bytes data = 1;
// Signing key's ID.
string key_id = 2;
// Key type of the key with id `key_id`. Valid values are: Ed25519, ES256, ES256K.
string key_type = 3;
}

message DataSigningResponse {
Expand All @@ -21,3 +23,29 @@ service Signing {
rpc sign(DataSigningRequest) returns (DataSigningResponse);
}

message DidJwkResolutionRequest {
// did:jwk string
string did = 1;
}

message DidJwkResolutionResponse {
// JSON DID Document
string doc = 1;
}

service DidJwk {
rpc resolve(DidJwkResolutionRequest) returns (DidJwkResolutionResponse);
}

message IotaDidToAliasAddressRequest {
string did = 1;
}

message IotaDidToAliasAddressResponse {
string alias_address = 1;
string network = 2;
}

service IotaUtils {
rpc did_iota_to_alias_address(IotaDidToAliasAddressRequest) returns (IotaDidToAliasAddressResponse);
}
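Review bot: `key_type` is a free-form `string` whose valid values are only listed in a comment (`Ed25519, ES256, ES256K`); a proto `enum KeyType { ... }` would make the set enforceable at the schema level and would not need the server to string-match and reject unknown values on every call. The new `IotaDidToAliasAddressRequest`/`IotaDidToAliasAddressResponse` messages have no field comments, unlike the `DidJwk` messages just above; `// did:iota string` on `did`, `// Bech32 alias address derived from the DID` and `// Network name the DID belongs to` would bring them in line. The exact derivation of `alias_address` and `network` is not visible here, so those comments should be confirmed against the service implementation.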
2 changes: 2 additions & 0 deletions bindings/grpc/src/lib.rs
Expand Up @@ -5,3 +5,5 @@

pub mod server;
pub mod services;
pub mod verifier;

5 changes: 3 additions & 2 deletions bindings/grpc/src/services/credential/validation.rs
@@ -1,7 +1,6 @@
// Copyright 2020-2024 IOTA Stiftung
// SPDX-License-Identifier: Apache-2.0

use identity_eddsa_verifier::EdDSAJwsVerifier;
use identity_iota::core::FromJson;
use identity_iota::core::Object;
use identity_iota::core::ToJson;
Expand All @@ -27,6 +26,8 @@ use tonic::Request;
use tonic::Response;
use tonic::Status;

use crate::verifier::Verifier;

mod _credentials {
tonic::include_proto!("credentials");
}
Expand Down Expand Up @@ -98,7 +99,7 @@ impl VcValidation for VcValidator {
validation_option = validation_option.status_check(StatusCheck::SkipAll);
}

let validator = JwtCredentialValidator::with_signature_verifier(EdDSAJwsVerifier::default());
let validator = JwtCredentialValidator::with_signature_verifier(Verifier::default());
let decoded_credential = validator
.validate::<_, Object>(&jwt, &issuer_doc, &validation_option, FailFast::FirstError)
.map_err(|mut e| match e.validation_errors.swap_remove(0) {
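Review bot: `Verifier::default()` replaces the EdDSA-only `EdDSAJwsVerifier` in `VcValidator::validate` (the same swap is made in domain_linkage.rs, sd_jwt.rs and the new presentation.rs), but `crate::verifier::Verifier` is not part of this view, so the set of algorithms it accepts cannot be reviewed here. Since `identity_ecdsa_verifier` is added in Cargo.toml alongside it, the verifier presumably dispatches on the JWS `alg` header; it should return `SignatureVerificationErrorKind::UnsupportedAlg` for anything outside the intended set rather than falling through to a default, and the `alg` should be checked against the JWK's key type so a key of one type cannot be used to verify a signature tagged with another algorithm. A `///` doc comment on `Verifier` listing the accepted algorithms and the rejection behaviour would make this reviewable from the call sites. The enclosing `validate` body starts and ends outside the hunk.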
2 changes: 1 addition & 1 deletion bindings/grpc/src/services/document.rs
Expand Up @@ -78,7 +78,7 @@ impl DocumentService for DocumentSvc {
let pub_key = self
.storage
.key_id_storage()
.get_public_key(&key_id)
.get_public_key_with_type(&key_id, identity_stronghold::StrongholdKeyType::Ed25519)
.await
.map_err(Error::StrongholdError)?;

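Review bot: `get_public_key_with_type` hard-codes `identity_stronghold::StrongholdKeyType::Ed25519`, while this PR adds a `key_type` field to `DataSigningRequest` with ES256/ES256K listed as valid values; if the key under `key_id` was created with one of those types, this lookup will fail or yield a mismatched key for the document being created. If document creation is intentionally Ed25519-only for now, a comment stating it, `// Document creation currently supports only Ed25519 keys; see the Signing service for other key types.`, records the constraint; otherwise the type should come from the request as the signing endpoint does. The enclosing method begins and ends outside the hunk.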
17 changes: 8 additions & 9 deletions bindings/grpc/src/services/domain_linkage.rs
Expand Up @@ -18,7 +18,6 @@ use _domain_linkage::ValidateDidResponse;
use _domain_linkage::ValidateDomainAgainstDidConfigurationRequest;
use _domain_linkage::ValidateDomainRequest;
use _domain_linkage::ValidateDomainResponse;
use identity_eddsa_verifier::EdDSAJwsVerifier;
use identity_iota::core::FromJson;
use identity_iota::core::Url;
use identity_iota::credential::DomainLinkageConfiguration;
Expand All @@ -38,6 +37,8 @@ use tonic::Response;
use tonic::Status;
use url::Origin;

use crate::verifier::Verifier;

mod _domain_linkage {
tonic::include_proto!("domain_linkage");
}
Expand Down Expand Up @@ -276,14 +277,12 @@ impl DomainLinkageService {
.for_each(|(credential, issuer_did_doc)| {
let id = issuer_did_doc.id().to_string();

if let Err(err) = JwtDomainLinkageValidator::with_signature_verifier(EdDSAJwsVerifier::default())
.validate_linkage(
&issuer_did_doc,
&domain_linkage_configuration,
&domain,
&JwtCredentialValidationOptions::default(),
)
{
if let Err(err) = JwtDomainLinkageValidator::with_signature_verifier(Verifier::default()).validate_linkage(
&issuer_did_doc,
&domain_linkage_configuration,
domain,
&JwtCredentialValidationOptions::default(),
) {
invalid_dids.push(InvalidDid {
service_id: Some(id),
credential: Some(credential.as_str().to_string()),
4 changes: 3 additions & 1 deletion bindings/grpc/src/services/mod.rs
Expand Up @@ -5,6 +5,7 @@ pub mod credential;
pub mod document;
pub mod domain_linkage;
pub mod health_check;
pub mod presentation;
pub mod sd_jwt;
pub mod status_list_2021;
pub mod utils;
Expand All @@ -22,7 +23,8 @@ pub fn routes(client: &IdentityClientReadOnly, stronghold: &StrongholdStorage) -
routes.add_service(domain_linkage::service(client));
routes.add_service(document::service(client, stronghold));
routes.add_service(status_list_2021::service());
routes.add_service(utils::service(stronghold));
utils::init_services(&mut routes, stronghold);
routes.add_service(presentation::service(client));

routes.routes()
}
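Review bot: `utils::init_services(&mut routes, stronghold)` registers the utils services by mutating the builder, while every other module (`domain_linkage`, `document`, `status_list_2021`, `presentation`) exposes a `service(...)` constructor that is passed to `routes.add_service(...)`; the asymmetry means a reader of `routes` can no longer see from this function which services the server exposes. If utils now contributes several servers, a `utils::services(stronghold)` returning them and a `for svc in ... { routes.add_service(svc); }` keeps the registration visible in one place; otherwise a one-line comment, `// utils registers several services (Signing, DidJwk, IotaUtils) itself.`, at least names them. `init_services` is not part of this view, so the exact set registered there is inferred from utils.proto.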
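--- a/bindings/grpc/src/services/presentation.rs
+++ b/bindings/grpc/src/services/presentation.rs
@@ -0,0 +1,164 @@
+// Copyright 2020-2024 IOTA Stiftung
+// SPDX-License-Identifier: Apache-2.0
+
+use crate::verifier::Verifier;
+use _presentation::credential_presentation_server::CredentialPresentation as PresentationService;
+use _presentation::credential_presentation_server::CredentialPresentationServer;
+use _presentation::credential_validation_result::Result as ValidationResult;
+use _presentation::CredentialValidationResult;
+use _presentation::JwtPresentationRequest;
+use _presentation::JwtPresentationResponse;
+use identity_iota::core::Object;
+use identity_iota::core::ToJson;
+use identity_iota::credential::CompoundJwtPresentationValidationError;
+use identity_iota::credential::FailFast;
+use identity_iota::credential::Jwt;
+use identity_iota::credential::JwtCredentialValidationOptions;
+use identity_iota::credential::JwtCredentialValidator;
+use identity_iota::credential::JwtCredentialValidatorUtils;
+use identity_iota::credential::JwtPresentationValidationOptions;
+use identity_iota::credential::JwtPresentationValidator;
+use identity_iota::credential::JwtPresentationValidatorUtils;
+use identity_iota::credential::JwtValidationError;
+use identity_iota::did::CoreDID;
+use identity_iota::iota::IotaDocument;
+use identity_iota::resolver::Error as ResolverError;
+use identity_iota::resolver::Resolver;
+use identity_sui_name_tbd::client::IdentityClientReadOnly;
+use tonic::async_trait;
+use tonic::Code;
+use tonic::Request;
+use tonic::Response;
+use tonic::Status;
+
+mod _presentation {
+tonic::include_proto!("presentation");
+}
+
+#[derive(thiserror::Error, Debug)]
+pub enum Error {
+#[error("Invalid JWT presentation: {0}")]
+InvalidJwtPresentation(#[source] JwtValidationError),
+#[error("Resolution error: {0}")]
+ResolutionError(#[source] ResolverError),
+#[error("Presentation validation error: {0}")]
+PresentationValidationError(#[source] CompoundJwtPresentationValidationError),
+#[error("Failed to validate jwt credential: {0}")]
+CredentialValidationError(#[source] anyhow::Error),
+}
+
+impl From<Error> for Status {
+fn from(value: Error) -> Self {
+let code = match &value {
+Error::InvalidJwtPresentation(_) => Code::InvalidArgument,
+Error::ResolutionError(_) | Error::PresentationValidationError(_) | Error::CredentialValidationError(_) => {
+Code::Internal
+}
+};
+
+Status::new(code, value.to_string())
+}
+}
+
+pub struct PresentationSvc {
+resolver: Resolver<IotaDocument>,
+}
+
+impl PresentationSvc {
+pub fn new(client: IdentityClientReadOnly) -> Self {
+let mut resolver = Resolver::<IotaDocument>::new_with_did_key_handler();
+resolver.attach_did_jwk_handler();
+resolver.attach_kinesis_iota_handler(client);
+
+Self { resolver }
+}
+}
+
+#[async_trait]
+impl PresentationService for PresentationSvc {
+async fn validate(&self, req: Request<JwtPresentationRequest>) -> Result<Response<JwtPresentationResponse>, Status> {
+let jwt_presentation = {
+let JwtPresentationRequest { jwt } = req.into_inner();
+Jwt::new(jwt)
+};
+
+let holder_did = JwtPresentationValidatorUtils::extract_holder::<CoreDID>(&jwt_presentation)
+.map_err(Error::InvalidJwtPresentation)?;
+let holder_doc = self
+.resolver
+.resolve(&holder_did)
+.await
+.map_err(Error::ResolutionError)?;
+
+let presentation_validator = JwtPresentationValidator::with_signature_verifier(Verifier::default());
+let mut decoded_presentation = presentation_validator
+.validate::<IotaDocument, Jwt, Object>(
+&jwt_presentation,
+&holder_doc,
+&JwtPresentationValidationOptions::default(),
+)
+.map_err(Error::PresentationValidationError)?;
+
+let credentials = std::mem::take(&mut decoded_presentation.presentation.verifiable_credential);
+let mut decoded_credentials = Vec::with_capacity(credentials.len());
+let credential_validator = JwtCredentialValidator::with_signature_verifier(Verifier::default());
+for credential_jwt in credentials {
+let issuer_did = JwtCredentialValidatorUtils::extract_issuer_from_jwt::<CoreDID>(&credential_jwt)
+.map_err(|e| Error::CredentialValidationError(e.into()));
+
+if let Err(e) = issuer_did {
+let validation_result = CredentialValidationResult {
+result: Some(ValidationResult::Error(e.to_string())),
+};
+decoded_credentials.push(validation_result);
+continue;
+}
+let issuer_did = issuer_did.unwrap();
+
+let issuer_doc = self
+.resolver
+.resolve(&issuer_did)
+.await
+.map_err(|e| Error::CredentialValidationError(e.into()));
+
+if let Err(e) = issuer_doc {
+let validation_result = CredentialValidationResult {
+result: Some(ValidationResult::Error(e.to_string())),
+};
+decoded_credentials.push(validation_result);
+continue;
+}
+let issuer_doc = issuer_doc.unwrap();
+
+let validation_result = match credential_validator
+.validate::<IotaDocument, Object>(
+&credential_jwt,
+&issuer_doc,
+&JwtCredentialValidationOptions::default(),
+FailFast::FirstError,
+)
+.map_err(|e| Error::CredentialValidationError(e.into()))
+{
+Ok(decoded_credential) => ValidationResult::Credential(
+decoded_credential
+.credential
+.to_json()
+.map_err(|e| Status::internal(e.to_string()))?,
+),
+Err(e) => ValidationResult::Error(e.to_string()),
+};
+
+decoded_credentials.push(CredentialValidationResult {
+result: Some(validation_result),
+})
+}
+
+Ok(Response::new(JwtPresentationResponse {
+credentials: decoded_credentials,
+}))
+}
+}
+
+pub fn service(client: &IdentityClientReadOnly) -> CredentialPresentationServer<PresentationSvc> {
+CredentialPresentationServer::new(PresentationSvc::new(client.clone()))
+}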
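Review bot: `validate` checks the presentation with `JwtPresentationValidationOptions::default()` and `JwtPresentationRequest` carries only the JWT, so no nonce or audience is verified and a caller has no way to bind the presentation to its own challenge; a previously captured presentation JWT would validate identically, which a verifier-side service should not leave to the caller silently. Consider an optional `nonce` on the request, forwarded through `JwtPresentationValidationOptions::presentation_verifier_options` (`JwsVerificationOptions::nonce`), and a doc comment on `PresentationSvc` stating that subject-holder relationship is not checked here (or apply `JwtCredentialValidatorUtils::check_subject_holder_relationship` per credential). Inside the per-credential loop the `to_json()` failure escapes with `?` as `Status::internal` and fails the whole request, while every other per-credential failure is pushed as `ValidationResult::Error`; mapping it the same way keeps the response shape consistent. The `if let Err(e) = issuer_did { ...; continue; } let issuer_did = issuer_did.unwrap();` pairs read more naturally as `let issuer_did = match ... { Ok(d) => d, Err(e) => { decoded_credentials.push(...); continue; } };`, which also removes the two `unwrap` calls. `Error::ResolutionError` for the holder DID maps to `Code::Internal`, although an unresolvable holder is a property of the submitted JWT rather than a server fault; `Code::InvalidArgument` or `Code::NotFound` would be more accurate.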
5 changes: 3 additions & 2 deletions bindings/grpc/src/services/sd_jwt.rs
Expand Up @@ -5,7 +5,6 @@ use _sd_jwt::verification_server::Verification;
use _sd_jwt::verification_server::VerificationServer;
use _sd_jwt::VerificationRequest;
use _sd_jwt::VerificationResponse;
use identity_eddsa_verifier::EdDSAJwsVerifier;
use identity_iota::core::Object;
use identity_iota::core::Timestamp;
use identity_iota::core::ToJson;
Expand All @@ -25,6 +24,8 @@ use serde::Deserialize;
use serde::Serialize;
use thiserror::Error;

use crate::verifier::Verifier;

use self::_sd_jwt::KeyBindingOptions;

mod _sd_jwt {
Expand Down Expand Up @@ -125,7 +126,7 @@ impl Verification for SdJwtService {
sd_jwt.jwt = jwt.into();

let decoder = SdObjectDecoder::new_with_sha256();
let validator = SdJwtCredentialValidator::with_signature_verifier(EdDSAJwsVerifier::default(), decoder);
let validator = SdJwtCredentialValidator::with_signature_verifier(Verifier::default(), decoder);
let credential = validator
.validate_credential::<_, Object>(
&sd_jwt,