proof

package
v0.0.0-...-55a0270 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 15, 2022 License: Apache-2.0 Imports: 19 Imported by: 3

Documentation

Index

Constants

View Source 
const (
	// The only key type that should be used for Ed25519 keys
	Ed25519KeyType KeyType = "Ed25519VerificationKey2018"

	JCSEdSignatureType   SignatureType = "JcsEd25519Signature2020"
	Ed25519SignatureType SignatureType = "Ed25519Signature2018"

	EcdsaSecp256k1KeyType       KeyType       = "EcdsaSecp256k1VerificationKey2019"
	EcdsaSecp256k1SignatureType SignatureType = "EcdsaSecp256k1Signature2019"

	// Deprecated: do not use this signature type
	Ed25519KeySignatureType SignatureType = "Ed25519VerificationKey2018"

	// Deprecated: Do not create more keys of this type. The system can still use these keys
	// for support of existing DID Documents.
	WorkEdKeyType KeyType = "WorkEd25519VerificationKey2020"

	// Deprecated: Do not create more signatures of this type. The system can still verify these
	// signatures in existing signed documents.
	WorkEdSignatureType SignatureType = "WorkEd25519Signature2020"

	V1 ModelVersion = 1
	V2 ModelVersion = 2

	AuthenticationPurpose  ProofPurpose = "authentication"
	AssertionMethodPurpose ProofPurpose = "assertionMethod"
)

Variables

View Source 
var (
	EmptyProof = Proof{}
)

Functions

func VerifySecp256k1Signature 

func VerifySecp256k1Signature(publicKeyDerBase58, messageBase64, signatureBase58 string) (bool, error)

TODO This method should be deprecated in place of signature suite validation VerifySecp256k1Signature decodes the base64 message and verifies that the Secp256k1 digital signature was generated by the private key associated with publicKeyDerBase58.

Types

type AppendOptions 

type AppendOptions struct {
	Nonce  string
	Header string
}

type Base64Encoder 

type Base64Encoder struct{}

TODO(gabe) consider moving the Base64 encoding into the Canonicalizer instead of as a Digest. Base64Encoder base64 encodes the payload. This is only included to be compatible with the existing proof signatures on verifiable credentials. There's no benefit to base64 encoding a byte array that represents utf-8 characters, since little- and big-endianness does not apply.

func (*Base64Encoder) Digest 

func (e *Base64Encoder) Digest(data []byte) ([]byte, error)

type Canonicalizer 

type Canonicalizer interface {
	Canonicalize(jsonBytes []byte) ([]byte, error)
}

Canonicalizer transforms a JSON byte array into its canonical form.

type Ed25519Signer 

type Ed25519Signer struct {
	// The fully qualified key id (e.g. did:work:abcd#key-1)
	KeyID      string
	PrivateKey ed25519.PrivateKey
}

Unification type for all ed25519 based signers Intended to be constructed via the `NewEd25519Signer` method

func (*Ed25519Signer) ID 

func (s *Ed25519Signer) ID() string

func (*Ed25519Signer) Sign 

func (s *Ed25519Signer) Sign(toSign []byte) ([]byte, error)

func (*Ed25519Signer) Type 

func (s *Ed25519Signer) Type() KeyType

type Ed25519Verifier 

type Ed25519Verifier struct {
	PubKey ed25519.PublicKey
}

func (*Ed25519Verifier) Type 

func (v *Ed25519Verifier) Type() KeyType

func (*Ed25519Verifier) Verify 

func (v *Ed25519Verifier) Verify(data, signature []byte) (bool, error)

type EmbeddedProofMarshaler 

type EmbeddedProofMarshaler struct{}

EmbeddedProofMarshaler transforms the Provable into JSON, and leaves an embedded Proof sans the signature value. This will effectively pass the Proof Options (metadata) into the signing algorithm as part of the canonicalized JSON payload.

func (*EmbeddedProofMarshaler) Marshal 

func (m *EmbeddedProofMarshaler) Marshal(provable Provable) ([]byte, error)

type EncodeOptions 

type EncodeOptions struct {
	JWSHeader string
}

type Encoder 

type Encoder interface {
	Encode(provable Provable) ([]byte, error)
	SetSignatureValue(provable Provable, signature []byte) error
	DecodeSignature(provable Provable) ([]byte, error)
}

type GenericProvable 

type GenericProvable struct {
	JSONData string
	*Proof   `json:"proof"`
}

A generic holder for an object with an embedded proof. The JSON cannot be assumed to be canonical and it is recommended that it is run through the appropriate canonicalizer before signing.

func (*GenericProvable) GetProof 

func (g *GenericProvable) GetProof() *Proof

func (*GenericProvable) SetProof 

func (g *GenericProvable) SetProof(p *Proof)

type HeaderPrepender 

type HeaderPrepender struct{}

HeaderPrepender prepends a header to the data for a JWS

func (*HeaderPrepender) Append 

func (h *HeaderPrepender) Append(data []byte, options *AppendOptions) []byte

type JCSCanonicalizer 

type JCSCanonicalizer struct{}

JCSCanonicalizer transforms a JSON byte array using the JSON Canonicalization Scheme algorithm.

func (*JCSCanonicalizer) Canonicalize 

func (c *JCSCanonicalizer) Canonicalize(jsonBytes []byte) ([]byte, error)

type JWSEncoder 

type JWSEncoder struct {
	// contains filtered or unexported fields
}

func (*JWSEncoder) DecodeSignature 

func (e *JWSEncoder) DecodeSignature(provable Provable) ([]byte, error)

func (*JWSEncoder) Encode 

func (e *JWSEncoder) Encode(provable Provable) ([]byte, error)

Prepare a provable for JWSification https://w3c-ccg.github.io/ld-proofs/#create-verify-hash-algorithm

func (*JWSEncoder) SetSignatureValue 

func (e *JWSEncoder) SetSignatureValue(provable Provable, signature []byte) error

type JWSProofMarshaler 

type JWSProofMarshaler struct{}

type KeyType 

type KeyType string

Type is the type of cryptographic key that is listed in a DID Document.

type LDSignatureEncoder 

type LDSignatureEncoder struct {
	// contains filtered or unexported fields
}

func (*LDSignatureEncoder) DecodeSignature 

func (e *LDSignatureEncoder) DecodeSignature(provable Provable) ([]byte, error)

func (*LDSignatureEncoder) Encode 

func (e *LDSignatureEncoder) Encode(provable Provable) ([]byte, error)

func (*LDSignatureEncoder) SetSignatureValue 

func (e *LDSignatureEncoder) SetSignatureValue(provable Provable, signature []byte) error

type LDSignatureSuite 

type LDSignatureSuite struct {
	SignatureType SignatureType
	KeyType       KeyType
	ProofFactory  ProofFactory
	Encoder       Encoder
}

LDSignatureSuite is a SignatureSuite based on the Linked-Data Signatures specification. See https://w3c-ccg.github.io/ld-proofs/#linked-data-signatures.

func (LDSignatureSuite) Sign 

func (s LDSignatureSuite) Sign(provable Provable, signer Signer, opts *ProofOptions) error

Sign adds a digital signature to the provable object in the form of a Proof. The type of Proof is determined by the ProofFactory used to construct this suite. Returns an error if the provable object already contains a Proof or if any error is encountered when generating the digital signature.

func (LDSignatureSuite) Type 

func (s LDSignatureSuite) Type() SignatureType

Type returns the SignatureType that this suite is capable of generating and verifying.

func (LDSignatureSuite) Verify 

func (s LDSignatureSuite) Verify(provable Provable, verifier Verifier) error

Verify checks that the provable's Proof is valid. Returns an error if the Proof is missing or invalid.

type Marshaler 

type Marshaler interface {
	Marshal(provable Provable) ([]byte, error)
}

Marshaler turns a Provable object into a JSON byte array. The JSON is not expected to be in canonical form; we have a separate Canonicalizer for that. Instead, this method gives the flexibility to add custom marshaling over the standard json.Marshal(). For example, some suites expect an embedded Proof object, while others do not. This type of manipulation should be handled here (or in OptionAppender if after canonicalization).

type MessageDigest 

type MessageDigest interface {
	Digest(data []byte) ([]byte, error)
}

MessageDigest transforms a byte array into a more compact byte array using a hashing digest algorithm, such as sha256. This creates a smaller payload for the digital signature.

It should be noted that some ProofAlgorithms natively use a digest, such as the Ed25519 Ecdsa, which uses SHA512 under the hood. Therefore, we don't need to use a separate MessageDigest when signing with Ed25519 keys.

type ModelVersion 

type ModelVersion int

type NonceAppender 

type NonceAppender struct{}

NonceAppender appends ".<nonce>" to the payload before signing or verifying. The nonce adds randomness in order to prevent a replay attack. Workday's earlier signature algorithms only included this field and did not sign over the other proof metadata fields.

func (*NonceAppender) Append 

func (n *NonceAppender) Append(data []byte, options *AppendOptions) []byte

type OptionsAppender 

type OptionsAppender interface {
	Append(data []byte, options *AppendOptions) []byte
}

OptionsAppender appends the proof options (metadata) to the payload before signing or verifying.

type Proof 

type Proof struct {
	// Created is the datetime (RFC3339) when the signature was generated.
	Created string `json:"created,omitempty"` // required

	// ProofPurpose is the specific intent for the proof, the reason why an entity created it.
	// Acts as a safeguard to prevent the proof from being misused for a purpose other than the one it was intended for.
	ProofPurpose ProofPurpose `json:"proofPurpose,omitempty"` // required

	// Deprecated: Creator is a reference to the public key used to verify this signature.
	Creator string `json:"creator,omitempty"`

	// VerificationMethod is a reference to the public key used to verify this signature.
	VerificationMethod string `json:"verificationMethod,omitempty"` // required

	// Deprecated (use challenge): Nonce is a random value (e.g. uuid) used to prevent replay attacks.
	Nonce string `json:"nonce,omitempty"`

	// SignatureValue is the digital signature.
	SignatureValue string `json:"signatureValue,omitempty"`

	// Type is the algorithm used to generate and verify the signature.
	Type SignatureType `json:"type"`

	// JWS represents an optional field for an encoded JSON Web Signature
	JWS string `json:"jws,omitempty"`

	// Domain is a string value specifying the restricted domain of the proof.
	Domain string `json:"domain,omitempty"`

	// Challenge is a random or pseudo-random value used by some authentication protocols to mitigate replay attacks.
	Challenge string `json:"challenge,omitempty"`
}

Proof represents a verifiable digital signature conforming to https://www.w3.org/TR/vc-data-model/#proofs-signatures

func (*Proof) GetProof 

func (p *Proof) GetProof() *Proof

func (*Proof) GetVerificationMethod 

func (p *Proof) GetVerificationMethod() string

Utility for backwards compatibility of the "creator" property, which has been replaced by "verificationMethod" in later drafts of the Verifiable Credentials specification.

func (*Proof) IsEmpty 

func (p *Proof) IsEmpty() bool

IsEmpty returns true if the proof is nil or contains no data.

func (*Proof) ModelVersion 

func (p *Proof) ModelVersion() ModelVersion

func (*Proof) SetProof 

func (p *Proof) SetProof(pr *Proof)

type ProofFactory 

type ProofFactory interface {
	Create(signer Signer, signatureType SignatureType, opts *ProofOptions) *Proof
}

ProofFactory creates proofs given a signer and signature type

type ProofOptions 

type ProofOptions struct {
	ProofPurpose ProofPurpose
	Domain       string
	Challenge    string
}

type ProofPurpose 

type ProofPurpose string

type Provable 

type Provable interface {
	GetProof() *Proof
	SetProof(p *Proof)
}

Provable is an interface that allows in-place retrieval and modification of proof objects.

type RDFCanonicalizer 

type RDFCanonicalizer struct{}

func (*RDFCanonicalizer) Canonicalize 

func (c *RDFCanonicalizer) Canonicalize(jsonBytes []byte) ([]byte, error)

type SHA256Encoder 

type SHA256Encoder struct{}

SHA256Encoder creates a SHA-256 hash of the payload.

func (*SHA256Encoder) Digest 

func (e *SHA256Encoder) Digest(data []byte) ([]byte, error)

type SecP256K1KMSSigner 

type SecP256K1KMSSigner struct {
	KeyID *string
	Svc   *kms.KMS
	Ctx   context.Context
}

func (SecP256K1KMSSigner) ID 

func (s SecP256K1KMSSigner) ID() string

func (SecP256K1KMSSigner) Sign 

func (s SecP256K1KMSSigner) Sign(toSign []byte) ([]byte, error)

func (SecP256K1KMSSigner) Type 

func (s SecP256K1KMSSigner) Type() KeyType

type Secp256K1Verifier 

type Secp256K1Verifier struct {
	PublicKey []byte
}

func (*Secp256K1Verifier) Type 

func (v *Secp256K1Verifier) Type() KeyType

func (*Secp256K1Verifier) Verify 

func (v *Secp256K1Verifier) Verify(data, signature []byte) (bool, error)

type SignatureSuite 

type SignatureSuite interface {
	Type() SignatureType
	Sign(provable Provable, signer Signer, opts *ProofOptions) error
	Verify(provable Provable, verifier Verifier) error
}

SignatureSuite is a set of algorithms that specify how to sign and verify provable objects. This model is based on the W3C Linked-Data Proofs, see https://w3c-ccg.github.io/ld-proofs.

type SignatureSuiteFactory 

type SignatureSuiteFactory interface {
	// GetSuiteForProof returns the corresponding signature suite the proof was created using
	GetSuiteForProof(proof *Proof) (SignatureSuite, error)

	// GetSuiteForCredentialsProof returns the corresponding signature suite the credential proof was created using
	GetSuiteForCredentialsProof(proof *Proof) (SignatureSuite, error)

	// GetSuite returns the signature suite corresponding to the provided type and version of the suite
	GetSuite(signatureType SignatureType, version ModelVersion) (SignatureSuite, error)

	// GetSuiteForCredentials returns the signature suite corresponding to the provided
	// type and version of the suite for credential signing
	GetSuiteForCredentials(signatureType SignatureType, version ModelVersion) (SignatureSuite, error)
}

func SignatureSuites 

func SignatureSuites() SignatureSuiteFactory

type SignatureType 

type SignatureType string

SignatureType is the signature suite that was used to generate a digital signature, and therefore the algorithm that must be used to verify a signature.

func (SignatureType) UsesNonce 

func (s SignatureType) UsesNonce() bool

Provides which signature types use a nonce in their proofs

type Signer 

type Signer interface {
	ID() string
	Sign(toSign []byte) ([]byte, error)
	Type() KeyType
}

Signer can generate digital signatures using a particular signing algorithm. This is basically a wrapper around a private key.

Note: some signature suites require more sophisticated introspection (into json/structs), which can be used in conjunction with what this interface provides.

func NewEd25519Signer 

func NewEd25519Signer(key ed25519.PrivateKey, keyID string) (Signer, error)

NewEd25519Signer is used to build a signer with validations

type Verifier 

type Verifier interface {
	Verify(data, signature []byte) (bool, error)
	Type() KeyType
}

Verifier can verify a digital signature of a particular signing algorithm. This is basically a wrapper around a public key.

type WithoutProofMarshaler 

type WithoutProofMarshaler struct{}

WithoutProofMarshaler transforms the Provable into JSON, and strips the proof.

func (*WithoutProofMarshaler) Marshal 

func (m *WithoutProofMarshaler) Marshal(provable Provable) ([]byte, error)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.