diff --git a/reference/verifier-service/server/README.md b/reference/verifier-service/server/README.md index 3f92349..b07dbaf 100644 --- a/reference/verifier-service/server/README.md +++ b/reference/verifier-service/server/README.md @@ -81,6 +81,9 @@ There are a few command line flags: Listening port (default ":8888") ``` +> [!NOTE] +> We included a setup that is useful for US-based RPs with AAMVA VICAL which includes IACA certs from several US issuers. If you'd like to integrate with other VICALs, a similar setup can be followed. + ## Running There must be a `circuits` directory that contains all of the circuits used by the system. This directory is part of the main Longfellow ZK repository, so the server should run out of the box. diff --git a/reference/verifier-service/server/main.go b/reference/verifier-service/server/main.go index f560bc2..b743cc2 100644 --- a/reference/verifier-service/server/main.go +++ b/reference/verifier-service/server/main.go @@ -39,6 +39,7 @@ import ( var ( port = flag.String("port", ":8888", "Listening port") certs = flag.String("cacerts", "certs.pem", "File containing issuer CA certs") + vicalUrl = flag.String("vical_url", "https://vical.dts.aamva.org/vical/vc", "URL to fetch AAMVA VICAL from") circuitDir = flag.String("circuit_dir", "circuits", "Directory from which to load circuits") ) @@ -76,6 +77,11 @@ func main() { os.Exit(1) } + if err := zk.LoadVICAL(*vicalUrl); err != nil { + logger.Error("could not load VICAL", "url", *vicalUrl, "err", err) + // We decide not to exit here, as the server might still be useful with just local certs + } + server := NewServer(*port, logger) mux := http.NewServeMux() diff --git a/reference/verifier-service/server/vical.cbor b/reference/verifier-service/server/vical.cbor new file mode 100644 index 0000000..96f9cb7 Binary files /dev/null and b/reference/verifier-service/server/vical.cbor differ diff --git a/reference/verifier-service/server/zk/cbor.go b/reference/verifier-service/server/zk/cbor.go index 9968245..b4a928b 100644 --- a/reference/verifier-service/server/zk/cbor.go +++ b/reference/verifier-service/server/zk/cbor.go @@ -66,11 +66,6 @@ import ( "github.com/fxamacker/cbor/v2" ) -var ( - // IssuerRoots is a pool of trusted root certificate authorities. - IssuerRoots = x509.NewCertPool() -) - // X5ChainIndex is the index of the x509 chain in the COSE_Sign1 unprotected header. const X5ChainIndex = 33 diff --git a/reference/verifier-service/server/zk/roots.go b/reference/verifier-service/server/zk/roots.go new file mode 100644 index 0000000..4b7d359 --- /dev/null +++ b/reference/verifier-service/server/zk/roots.go @@ -0,0 +1,8 @@ +package zk + +import "crypto/x509" + +var ( + // IssuerRoots is a pool of trusted root certificate authorities. + IssuerRoots = x509.NewCertPool() +) diff --git a/reference/verifier-service/server/zk/vical.go b/reference/verifier-service/server/zk/vical.go new file mode 100644 index 0000000..1928305 --- /dev/null +++ b/reference/verifier-service/server/zk/vical.go @@ -0,0 +1,75 @@ +package zk + +import ( + "crypto/x509" + "fmt" + "io" + "log" + "net/http" + + "github.com/fxamacker/cbor/v2" +) + +// LoadVICAL fetches the VICAL from the given URL and adds the certificates to the IssuerRoots pool. +func LoadVICAL(url string) error { + log.Printf("Fetching VICAL from %s", url) + resp, err := http.Get(url) + if err != nil { + return fmt.Errorf("failed to fetch VICAL: %w", err) + } + defer resp.Body.Close() + + if resp.StatusCode != http.StatusOK { + return fmt.Errorf("failed to fetch VICAL: status %s", resp.Status) + } + + data, err := io.ReadAll(resp.Body) + if err != nil { + return fmt.Errorf("failed to read VICAL body: %w", err) + } + + var rawItems []interface{} + if err := cbor.Unmarshal(data, &rawItems); err != nil { + return fmt.Errorf("failed to unmarshal VICAL CBOR: %w", err) + } + + count := 0 + var findCerts func(item interface{}, depth int) + findCerts = func(item interface{}, depth int) { + if depth > 10 { + return // Avoid infinite recursion + } + switch v := item.(type) { + case []byte: + // Try to parse as certificate first + if len(v) > 0 && v[0] == 0x30 { + cert, err := x509.ParseCertificate(v) + if err == nil { + IssuerRoots.AddCert(cert) + count++ + return // Found a cert, stop digging in this branch + } + } + // If not a cert or cert parse failed, try treating as CBOR + var child interface{} + if err := cbor.Unmarshal(v, &child); err == nil { + findCerts(child, depth+1) + } + case []interface{}: + for _, child := range v { + findCerts(child, depth+1) + } + case map[interface{}]interface{}: + for _, val := range v { + findCerts(val, depth+1) + } + } + } + + for _, item := range rawItems { + findCerts(item, 0) + } + + log.Printf("Loaded %d certificates from VICAL", count) + return nil +} diff --git a/reference/verifier-service/server/zk/vical_test.go b/reference/verifier-service/server/zk/vical_test.go new file mode 100644 index 0000000..2a45f3f --- /dev/null +++ b/reference/verifier-service/server/zk/vical_test.go @@ -0,0 +1,36 @@ +package zk + +import ( + "net/http" + "net/http/httptest" + "os" + "testing" +) + +func TestLoadVICAL(t *testing.T) { + // Load real test data + cborData, err := os.ReadFile("../vical.cbor") + if err != nil { + t.Fatalf("Failed to read vical.cbor: %v", err) + } + + ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("Content-Type", "application/cbor") + w.Write(cborData) + })) + defer ts.Close() + + // Check initial count + initialCount := len(IssuerRoots.Subjects()) + + err = LoadVICAL(ts.URL) + if err != nil { + t.Fatalf("LoadVICAL failed: %v", err) + } + + // Check final count + finalCount := len(IssuerRoots.Subjects()) + if finalCount <= initialCount { + t.Errorf("Expected to load certificates, but count did not increase. Initial: %d, Final: %d", initialCount, finalCount) + } +}