support verification with gaia-x registry

GAIA_X.md

@@ -0,0 +1,6 @@
+# Check trust anchor
+
+allow to configure for a credential the registry to be used
+
+-> check linked certificate chain at <registry>/api/trustAnchor/chain/file
+

config/configClient.go

@@ -49,13 +49,20 @@ type Credential struct {
 	// Type of the credential
 	Type string `json:"type" mapstructure:"type"`
 	// A list of (EBSI Trusted Issuers Registry compatible) endpoints to  retrieve the trusted participants from.
-	TrustedParticipantsLists []string `json:"trustedParticipantsLists,omitempty" mapstructure:"trustedParticipantsLists,omitempty"`
+	TrustedParticipantsLists []TrustedParticipantsList `json:"trustedParticipantsLists,omitempty" mapstructure:"trustedParticipantsLists,omitempty"`
 	// A list of (EBSI Trusted Issuers Registry compatible) endpoints to  retrieve the trusted issuers from. The attributes need to be formated to comply with the verifiers requirements.
 	TrustedIssuersLists []string `json:"trustedIssuersLists,omitempty" mapstructure:"trustedIssuersLists,omitempty"`
 	// Configuration of Holder Verfification
 	HolderVerification HolderVerification `json:"holderVerification" mapstructure:"holderVerification"`
 }
 
+type TrustedParticipantsList struct {
+	// Type of praticipants list to be used - either gaia-x or ebsi
+	Type string `json:"type" mapstructure:"type"`
+	// url of the list
+	Url string `json:"url" mapstructure:"url"`
+}
+
 type HolderVerification struct {
 	// should holder verification be enabled
 	Enabled bool `json:"enabled" mapstructure:"enabled"`

config/configClient_test.go

@@ -43,7 +43,7 @@ func Test_getServices(t *testing.T) {
 				"did_write": {
 					{
 						Type:                     "VerifiableCredential",
-						TrustedParticipantsLists: []string{"https://tir-pdc.gaia-x.fiware.dev"},
+						TrustedParticipantsLists: []TrustedParticipantsList{{Type: "ebsi", Url: "https://tir-pdc.gaia-x.fiware.dev"}},
 						TrustedIssuersLists:      []string{"https://til-pdc.gaia-x.fiware.dev"},
 						HolderVerification:       HolderVerification{Enabled: false, Claim: "subject"},
 					},

config/data/ccs_full.json

@@ -11,7 +11,10 @@
             {
               "type": "VerifiableCredential",
               "trustedParticipantsLists": [
-                "https://tir-pdc.gaia-x.fiware.dev"
+                {
+                  "type": "ebsi",
+                  "url": "https://tir-pdc.gaia-x.fiware.dev"
+                }
               ],
               "trustedIssuersLists": [
                 "https://til-pdc.gaia-x.fiware.dev"

config/data/config_test.yaml

@@ -35,7 +35,8 @@ configRepo:
         someScope:
           - type: VerifiableCredential
             trustedParticipantsLists:
-              - https://tir-pdc.gaia-x.fiware.dev
+              - type: ebsi
+                url: https://tir-pdc.gaia-x.fiware.dev
             trustedIssuersLists:
               - https://til-pdc.gaia-x.fiware.dev
 

config/provider_test.go

@@ -64,7 +64,7 @@ func Test_ReadConfig(t *testing.T) {
 								"someScope": {
 									{
 										Type:                     "VerifiableCredential",
-										TrustedParticipantsLists: []string{"https://tir-pdc.gaia-x.fiware.dev"},
+										TrustedParticipantsLists: []TrustedParticipantsList{{Type: "ebsi", Url: "https://tir-pdc.gaia-x.fiware.dev"}},
 										TrustedIssuersLists:      []string{"https://til-pdc.gaia-x.fiware.dev"},
 									},
 								},

gaiax/gaiaXClient.go

@@ -0,0 +1,107 @@
+package gaiax
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"net/http"
+	"strings"
+
+	"github.com/fiware/VCVerifier/common"
+	"github.com/fiware/VCVerifier/logging"
+	"github.com/trustbloc/did-go/doc/did"
+	"github.com/trustbloc/did-go/vdr"
+)
+
+const GAIAX_REGISTRY_TRUSTANCHOR_FILE = "/v2/api/trustAnchor/chain/file"
+
+var ErrorUnresolvableDid = errors.New("unresolvable_did")
+
+/**
+* A client to retrieve infromation from EBSI-compatible TrustedIssuerRegistry APIs.
+ */
+type GaiaXHttpClient struct {
+	client common.HttpClient
+	// TODO: check if needed
+	didCache    common.Cache
+	didRegistry *vdr.Registry
+}
+
+func (ghc GaiaXHttpClient) IsTrustedParticipant(registryEndpoint string, did string) (trusted bool) {
+
+	// 1. get jwk from did
+	didDocument, err := ghc.resolveIssuer(did)
+
+	if err != nil {
+		return false
+	}
+
+	// 2. verify at the registry
+	for _, verficationMethod := range didDocument.DIDDocument.VerificationMethod {
+		if verficationMethod.ID == did {
+			return ghc.verifiyIssuer(registryEndpoint, verficationMethod)
+		}
+	}
+
+	return false
+}
+
+func (ghc GaiaXHttpClient) verifiyIssuer(registryEndpoint string, verificationMethod did.VerificationMethod) (trusted bool) {
+	jwk := verificationMethod.JSONWebKey()
+
+	if jwk.CertificatesURL != nil {
+		return ghc.verifyFileChain(registryEndpoint, jwk.CertificatesURL.String())
+	}
+	// gaia-x did-json need to provide an x5u, thus x5c checks should not be required.
+	return false
+}
+
+func (ghc GaiaXHttpClient) verifyFileChain(registryEndpoint string, x5u string) (trusted bool) {
+	requestBody := FileChainRequest{Uri: x5u}
+
+	encodedRequest, err := json.Marshal(requestBody)
+	if err != nil {
+		logging.Log().Warnf("Was not able to build a valid certificate check bode. E: %v", err)
+		return false
+	}
+
+	request, err := http.NewRequest("POST", buildURL(registryEndpoint, GAIAX_REGISTRY_TRUSTANCHOR_FILE), bytes.NewBuffer(encodedRequest))
+
+	response, err := ghc.client.Do(request)
+	if err != nil {
+		logging.Log().Infof("Was not able to check cert chain %s at %s. E: %v", x5u, registryEndpoint, err)
+		return false
+	}
+	defer response.Body.Close()
+	if response.StatusCode != 200 {
+		logging.Log().Infof("x5u %s was not verified to be a trust anchor at %s.", x5u, registryEndpoint)
+		return false
+	}
+	// according to the doc, all 200s are valid chains, thus no need to parse the body
+	return true
+}
+
+func (ghc GaiaXHttpClient) resolveIssuer(did string) (didDocument *did.DocResolution, err error) {
+	didDocument, err = ghc.didRegistry.Resolve(did)
+	if err != nil {
+		logging.Log().Warnf("Was not able to resolve the issuer %s.", did)
+		return nil, ErrorUnresolvableDid
+	}
+	return didDocument, err
+}
+
+func buildURL(host, path string) string {
+	return strings.TrimSuffix(host, "/") + "/" + strings.TrimPrefix(path, "/")
+}
+
+type FileChainRequest struct {
+	Uri string `json:"uri"`
+}
+
+type CertChainRequest struct {
+	Certs string `json:"certs"`
+}
+
+type VerificationResult struct {
+	Result bool `json:"result"`
+}

gaiax/registry.go

@@ -23,6 +23,10 @@ func InitGaiaXRegistryVerificationService(url string) RegistryClient {
 	return &GaiaXRegistryClient{url}
 }
 
+func (rc *GaiaXRegistryClient) CheckTrustAnchor(trustAnchorAddress string) (bool, error) {
+	return true, nil
+}
+
 // TODO Could propably cache the response very generously as new issuers are not added often
 func (rc *GaiaXRegistryClient) GetComplianceIssuers() ([]string, error) {
 	response, err := http.Get(rc.endpoint)

go.mod

@@ -8,16 +8,16 @@ require (
 	github.com/gin-contrib/cors v1.4.0
 	github.com/gin-gonic/gin v1.9.1
 	github.com/google/go-cmp v0.6.0
-	github.com/google/uuid v1.3.0
+	github.com/google/uuid v1.6.0
 	github.com/gookit/config/v2 v2.2.1
 	github.com/hellofresh/health-go/v5 v5.0.0
 	github.com/lestrrat-go/jwx v1.2.25
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/piprate/json-gold v0.5.1-0.20230111113000-6ddbe6e6f19f
-	github.com/stretchr/testify v1.8.4
-	github.com/trustbloc/did-go v1.1.0
-	github.com/trustbloc/kms-go v1.1.0
+	github.com/stretchr/testify v1.10.0
+	github.com/trustbloc/did-go v1.3.3
+	github.com/trustbloc/kms-go v1.2.1
 	github.com/trustbloc/vc-go v1.1.0
 	golang.org/x/exp v0.0.0-20231006140011-7918f672742d
 )
@@ -27,19 +27,19 @@ require (
 	github.com/VictoriaMetrics/fastcache v1.5.7 // indirect
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bits-and-blooms/bitset v1.7.0 // indirect
-	github.com/btcsuite/btcd/btcec/v2 v2.1.3 // indirect
+	github.com/bits-and-blooms/bitset v1.17.0 // indirect
+	github.com/btcsuite/btcd/btcec/v2 v2.3.4 // indirect
 	github.com/btcsuite/btcutil v1.0.3-0.20201208143702-a53e38424cce // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
-	github.com/consensys/bavard v0.1.13 // indirect
-	github.com/consensys/gnark-crypto v0.12.1 // indirect
+	github.com/consensys/bavard v0.1.22 // indirect
+	github.com/consensys/gnark-crypto v0.14.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect
 	github.com/fatih/color v1.14.1 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.2 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.1-0.20221117193127-916db76e8214 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
 	github.com/goccy/go-yaml v1.10.0 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/tink/go v1.7.0 // indirect
 	github.com/gookit/color v1.5.2 // indirect
@@ -57,11 +57,11 @@ require (
 	github.com/mmcloughlin/addchain v0.4.0 // indirect
 	github.com/mr-tron/base58 v1.2.0 // indirect
 	github.com/multiformats/go-base32 v0.1.0 // indirect
-	github.com/multiformats/go-base36 v0.1.0 // indirect
+	github.com/multiformats/go-base36 v0.2.0 // indirect
 	github.com/multiformats/go-multibase v0.2.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/pquerna/cachecontrol v0.1.0 // indirect
+	github.com/pquerna/cachecontrol v0.2.0 // indirect
 	github.com/prometheus/client_golang v1.14.0 // indirect
 	github.com/prometheus/client_model v0.3.0 // indirect
 	github.com/prometheus/common v0.37.0 // indirect
@@ -71,7 +71,7 @@ require (
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.0 // indirect
 	github.com/tidwall/sjson v1.1.4 // indirect
-	github.com/trustbloc/bbs-signature-go v1.0.1 // indirect
+	github.com/trustbloc/bbs-signature-go v1.0.2 // indirect
 	github.com/trustbloc/sidetree-go v1.0.0 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
@@ -80,8 +80,8 @@ require (
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.opentelemetry.io/otel v1.10.0 // indirect
 	go.opentelemetry.io/otel/trace v1.10.0 // indirect
-	golang.org/x/sync v0.1.0 // indirect
-	golang.org/x/term v0.15.0 // indirect
+	golang.org/x/sync v0.9.0 // indirect
+	golang.org/x/term v0.26.0 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 	rsc.io/tmplfunc v0.0.3 // indirect
 )
@@ -111,10 +111,10 @@ require (
 	github.com/ugorji/go/codec v1.2.11 // indirect
 	github.com/valyala/fasttemplate v1.2.2
 	golang.org/x/arch v0.5.0 // indirect
-	golang.org/x/crypto v0.16.0 // indirect
-	golang.org/x/net v0.10.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
-	google.golang.org/protobuf v1.30.0 // indirect
+	golang.org/x/crypto v0.29.0 // indirect
+	golang.org/x/net v0.21.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/text v0.20.0 // indirect
+	google.golang.org/protobuf v1.35.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )