feat: add sdk jwt revocation verification (#231)

Signed-off-by: Javier Ribó <elribonazo@gmail.com>

Author: elribonazo

package-lock.json

@@ -39,7 +39,9 @@
     "coverage": "npm run test -- --coverage",
     "lint": "npx eslint .",
     "docs": "npx typedoc --options typedoc.js",
-    "prepare": "npx husky"
+    "prepare": "npx husky",
+    "preinstall": "sh preinstall.sh",
+    "postinstall": "sh postinstall.sh"
   },
   "author": "IOHK",
   "repository": {
@@ -81,7 +83,9 @@
     "@types/elliptic": "^6.4.16",
     "@types/google-protobuf": "^3.15.6",
     "@types/jest": "^29.5.5",
+    "@types/jsonld": "^1.5.14",
     "@types/node": "^18.14.2",
+    "@types/pako": "^2.0.3",
     "@types/sinon": "^10.0.13",
     "@types/sinon-chai": "^3.2.9",
     "@types/uuid": "^9.0.1",
@@ -119,7 +123,7 @@
     "rollup-plugin-polyfill-node": "^0.12.0",
     "rollup-plugin-strip-code": "^0.2.7",
     "rollup-plugin-typescript2": "^0.34.1",
-    "semantic-release": "^21.1.1",
+    "semantic-release": "^24.0.0",
     "semantic-release-slack-bot": "^4.0.2",
     "sinon": "^15.0.1",
     "sinon-chai": "^3.7.0",
@@ -205,8 +209,12 @@
     "hash.js": "1.1.7",
     "isows": "^1.0.3",
     "jose": "^4.15.5",
+    "jsonld": "^8.3.2",
     "jsonwebtoken": "^9.0.0",
     "multiformats": "^9.9.0",
+    "pako": "^2.1.0",
+    "patch-package": "^8.0.0",
+    "postinstall-postinstall": "^2.1.0",
     "rxdb": "^14.17.1",
     "text-encoding": "^0.7.0",
     "util": "^0.12.5",

package.json

@@ -0,0 +1,14 @@
+#!/bin/bash
+FILE="./node_modules/rxdb"
+set -e
+# Patching RXDB package for 2 main reasons
+# 1. Its using crypto-js which is an insecure dependency we don't want to even
+# include in our package-locks, its 100% not used as we have created as we have
+# created our own package
+# 2. The second one is around a replication package that rxdb uses
+# firebase which includes a medium severity vuleranility which we also don't
+# want to be including in our package locks, despite 100% not being used.
+# Workaround: We install 
+rm -rf ./package-lock.json
+rm -rf ./node_modules/.package-lock.json
+npm i --ignore-scripts

patches/rxdb+14.17.1.patch

@@ -0,0 +1,21 @@
+#!/bin/bash
+FILE="./node_modules/rxdb"
+set -e
+
+
+
+
+if [ -z "./node_modules/rxdb/patched/done" ]; then
+    echo "preinstall completed"
+else 
+    npm i rxdb@14.17.1 --ignore-scripts
+    npx patch-package
+    touch ./node_modules/rxdb/patched/done
+fi
+
+
+
+
+
+
+

postinstall.sh

@@ -13,7 +13,6 @@ import {
 } from "../../domain/models/keyManagement";
 
 import ApolloPKG from "@atala/apollo";
-import { rawToDER } from "../../domain/utils/DER";
 const ApolloSDK = ApolloPKG.org.hyperledger.identus.apollo;
 
 /**
@@ -188,9 +187,8 @@ export class Secp256k1PublicKey extends PublicKey implements StorableKey, Export
   }
 
   verify(message: Buffer, signature: Buffer) {
-    const normalised = rawToDER(signature)
     return this.native.verify(
-      Int8Array.from(normalised),
+      Int8Array.from(signature),
       Int8Array.from(message)
     );
   }

preinstall.sh

@@ -53,6 +53,8 @@ export interface Pollux {
     [name: string]: any
   }>;
 
+  isCredentialRevoked: (credential: Credential) => Promise<boolean>;
+
   parseCredential: (
     credentialBuffer: Uint8Array,
     options?: { type: CredentialType;[name: string]: any; }

src/apollo/utils/Secp256k1PublicKey.ts

@@ -21,12 +21,14 @@ export enum DescriptorItemFormat {
 }
 
 export enum W3CVerifiableCredentialContext {
-  credential = "https://www.w3.org/2018/credentials/v1"
+  credential = "https://www.w3.org/2018/credentials/v1",
+  revocation = "https://w3id.org/vc/status-list/2021/v1"
 }
 
 export enum W3CVerifiableCredentialType {
   presentation = "VerifiablePresentation",
-  credential = "VerifiableCredential"
+  credential = "VerifiableCredential",
+  revocation = "StatusList2021Credential"
 }
 
 export enum SDJWTVerifiableCredentialProperties {
@@ -259,9 +261,73 @@ export type W3CVerifiableCredential = {
     id: string,
     type: string
   },
-  credentialStatus?: {
+  credentialStatus?: JWTRevocationStatus | unknown
+}
+
+export interface W3CVerifiableCredentialData {
+  id: string,
+  type: string
+}
+
+
+export enum JWTRevocationStatusPurpose {
+  Revocation = "Revocation",
+  Suspension = 'Suspension'
+}
+
+export enum CredentialStatusType {
+  StatusList2021Entry = 'StatusList2021Entry'
+}
+
+
+export enum RevocationType {
+  StatusList2021 = 'StatusList2021'
+}
+
+export interface JWTRevocationStatus extends W3CVerifiableCredentialData {
+  statusPurpose: JWTRevocationStatusPurpose,
+  statusListIndex: number,
+  id: string,
+  type: RevocationType,
+  statusListCredential: string
+}
+
+export enum JWTProofType {
+  EcdsaSecp256k1Signature2019 = "EcdsaSecp256k1Signature2019",
+  DataIntegrityProof = "DataIntegrityProof",
+  Unknown = "Unknown"
+}
+
+export enum JWTProofPurpose {
+  ProofPurpose = 'assertionMethod'
+}
+
+export interface JWTStatusListResponse {
+  "@context": [
+    W3CVerifiableCredentialContext.credential,
+    W3CVerifiableCredentialContext.revocation
+  ],
+  type: [
+    W3CVerifiableCredentialType.credential,
+    W3CVerifiableCredentialType.revocation
+  ],
+  issuer: string,
+  id: string,
+  issuanceDate: string,
+  credentialSubject: {
     id: string,
-    type: string
+    type: string,
+    statusPurpose: string,
+    encodedList: string
+  },
+  proof: {
+    type: JWTProofType,
+    jws: string,
+    proofPurpose: JWTProofPurpose,
+    verificationMethod: string,
+    created: string,
+    proofValue: string,
+    cryptoSuite: string
   }
 }
 

src/domain/buildingBlocks/Pollux.ts

@@ -16,6 +16,30 @@ export class InvalidPresentationProofArgs extends Error {
     }
 }
 
+export class CredentialRevocationTypeInvalid extends Error {
+    constructor(message?: string) {
+        super(message || "CredentialStatus revocation type not supported");
+    }
+}
+
+export class InvalidCredentialStatus extends Error {
+    constructor(message?: string) {
+        super(message || "CredentialStatus status is invalid");
+    }
+}
+
+export class InvalidRevocationStatusResponse extends Error {
+    constructor(message?: string) {
+        super(message || "CredentialStatus response is invalid");
+    }
+}
+
+export class InvalidRevocationStatusResponseSignature extends Error {
+    constructor(message?: string) {
+        super(message || "CredentialStatus response proof signatue mismatch or invalid.");
+    }
+}
+
 export class CredentialTypeNotSupported extends Error {
     constructor(message?: string) {
         super(message || "Credential type not supported");