feat(pollux): add sdjwt verifier flow

Now the SDK can as a verifier request presentation of a sdjwt and verify all the claims.

Fixes ATL-6865

Signed-off-by: goncalo-frade-iohk <[email protected]>

Author: goncalo-frade-iohk

EdgeAgentSDK/Domain/Sources/Models/Errors.swift

@@ -793,6 +793,12 @@ public enum PolluxError: KnownPrismError {
         internalErrors: [Error]
     )
 
+    /// An error case indicating that a credential cannot be verified..
+    case cannotVerifyCredential(
+        credential: String? = nil,
+        internalErrors: [Error]
+    )
+
     /// An error case indicating that a specified input path was not found.
     case inputPathNotFound(path: String)
 
@@ -874,6 +880,8 @@ public enum PolluxError: KnownPrismError {
             return 78
         case .credentialIsSuspended:
             return 79
+        case .cannotVerifyCredential:
+            return 80
         }
     }
 
@@ -960,6 +968,12 @@ Cannot verify input descriptor field \(name.map { "with name: \($0)"} ?? ""), wi
 
         case .credentialIsSuspended(let jwtString):
             return "Credential (\(jwtString)) is suspended"
+        case .cannotVerifyCredential(let credential, let fieldErrors):
+            let errors = fieldErrors.map { " - \(errorMessage($0))" }.joined(separator: "\n")
+            return
+"""
+Cannot verify credential: \(credential.map { "with name: \($0)"} ?? ""), with errors: \n \(errors)
+"""
         }
     }
 }

EdgeAgentSDK/EdgeAgent/Sources/EdgeAgent+Proof.swift

@@ -71,7 +71,8 @@ public extension EdgeAgent {
                 request: request.makeMessage(),
                 options: [
                     .exportableKey(exporting),
-                    .subjectDID(subjectDID)
+                    .subjectDID(subjectDID),
+                    .disclosingClaims(claims: credential.claims.map(\.key))
                 ]
             )
         default:

EdgeAgentSDK/EdgeAgent/Tests/PresentationExchangeTests.swift

@@ -1,6 +1,7 @@
 import Builders
 import Core
 import Domain
+import eudi_lib_sdjwt_swift
 import Logging
 import JSONWebSignature
 import JSONWebToken
@@ -99,6 +100,44 @@ final class PresentationExchangeFlowTests: XCTestCase {
         }
     }
 
+    func testSDJWTPresentationRequest() async throws {
+        let prismDID = try await edgeAgent.createNewPrismDID()
+        let subjectDID = try await edgeAgent.createNewPrismDID()
+
+        let sdjwt = try await makeCredentialSDJWT(issuerDID: prismDID, subjectDID: subjectDID)
+        let credential = try SDJWTCredential(sdjwtString: sdjwt)
+
+        logger.info("Creating presentation request")
+        let message = try await edgeAgent.initiatePresentationRequest(
+            type: .jwt,
+            fromDID: DID(method: "test", methodId: "alice"),
+            toDID: DID(method: "test", methodId: "bob"),
+            claimFilters: [
+                .init(
+                    paths: ["$.vc.credentialSubject.test"],
+                    type: "string",
+                    required: true,
+                    pattern: "aliceTest"
+                )
+            ]
+        )
+
+        try await edgeAgent.pluto.storeMessage(message: message.makeMessage(), direction: .sent).first().await()
+
+        let presentation = try await edgeAgent.createPresentationForRequestProof(
+            request: message,
+            credential: credential
+        )
+
+        let verification = try await edgeAgent.pollux.verifyPresentation(
+            message: presentation.makeMessage(),
+            options: []
+        )
+
+        logger.info(verification ? "Verification was successful" : "Verification failed")
+        XCTAssertTrue(verification)
+    }
+
     private func makeCredentialJWT(issuerDID: DID, subjectDID: DID) async throws -> String {
         let payload = MockCredentialClaim(
             iss: issuerDID.string,
@@ -121,6 +160,31 @@ final class PresentationExchangeFlowTests: XCTestCase {
         }
         return try JWT.signed(payload: payload, protectedHeader: jwsHeader, key: jwkD.toJoseJWK()).jwtString
     }
+
+    private func makeCredentialSDJWT(issuerDID: DID, subjectDID: DID) async throws -> String {
+        guard
+            let key = try await edgeAgent.pluto.getDIDPrivateKeys(did: issuerDID).first().await()?.first,
+            let jwkD = try await edgeAgent.apollo.restorePrivateKey(key).exporting?.jwk
+        else {
+            XCTFail()
+            fatalError()
+        }
+
+        let sdjwt = try SDJWTIssuer.issue(
+            issuersPrivateKey: try jwkD.toJoseJWK(),
+            header: DefaultJWSHeaderImpl(algorithm: .ES256K)
+        ) {
+            ConstantClaims.iss(domain: issuerDID.string)
+            ConstantClaims.sub(subject: subjectDID.string)
+            ObjectClaim("vc") {
+                ObjectClaim("credentialSubject") {
+                    FlatDisclosedClaim("test", "aliceTest")
+                }
+            }
+        }
+
+        return CompactSerialiser(signedSDJWT: sdjwt).serialised
+    }
 }
 
 private struct MockCredentialClaim: JWTRegisteredFieldsClaims, Codable {

EdgeAgentSDK/Pollux/Sources/Models/JWT/JWTCredential+ProofableCredential.swift

@@ -33,7 +33,7 @@ extension JWTCredential: ProvableCredential {
             let requestData = try JSONDecoder.didComm().decode(PresentationExchangeRequest.self, from: jsonData)
             let payload: Data = try JWT.getPayload(jwtString: jwtString)
             do {
-                try VerifyPresentationSubmission.verifyPresentationSubmissionClaims(
+                try VerifyPresentationSubmissionJWT.verifyPresentationSubmissionClaims(
                     request: requestData.presentationDefinition, credentials: [payload]
                 )
                 return true

EdgeAgentSDK/Pollux/Sources/Models/JWT/JWTPresentation.swift

@@ -127,11 +127,11 @@ struct JWTPresentation {
             PresentationSubmission.Descriptor(
                 id: $0.id,
                 path: "$.verifiable_credential[0]",
-                format: "jwt_vp",
+                format: "jwt",
                 pathNested: .init(
                     id: $0.id,
                     path: "$.vp.verifiableCredential[0]",
-                    format: "jwt_vc"
+                    format: "jwt"
                 )
             )
         }

EdgeAgentSDK/Pollux/Sources/Models/PresentationExchage/PresentationDefinition.swift

@@ -88,6 +88,8 @@ public struct PresentationDefinition: Codable {
         public var ldpVp: LDPFormat?
         /// Generic LDP format.
         public var ldp: LDPFormat?
+        /// Generic SDJWT format..
+        public var sdJwt: JWTFormat?
     }
 
     /// Unique identifier for the presentation definition.

EdgeAgentSDK/Pollux/Sources/Models/PresentationExchage/PresentationExchangeClaimVerifier.swift

@@ -0,0 +1,5 @@
+import Foundation
+
+public protocol PresentationExchangeClaimVerifier {
+    func verifyClaim(inputDescriptor: InputDescriptor) throws
+}

EdgeAgentSDK/Pollux/Sources/Models/PresentationExchage/SubmissionDescriptorFormatParser.swift

@@ -0,0 +1,8 @@
+import Foundation
+
+public protocol SubmissionDescriptorFormatParser {
+    var format: String { get }
+    func parse(path: String, presentationData: Data) async throws -> String
+    func parsePayload(path: String, presentationData: Data) async throws -> Data
+    func parseClaimVerifier(descriptor: PresentationSubmission.Descriptor, presentationData: Data) async throws -> PresentationExchangeClaimVerifier
+}

EdgeAgentSDK/Pollux/Sources/Models/SDJWT/SDJWT.swift

@@ -54,3 +54,9 @@ extension SDJWTCredential: Credential {
         return "sd-jwt"
     }
 }
+
+extension SDJWTCredential {
+    func getAlg() throws -> String? {
+        return sdjwt.jwt.protectedHeader.algorithm?.rawValue
+    }
+}

EdgeAgentSDK/Pollux/Sources/Models/SDJWT/SDJWTPresentation.swift

@@ -1,3 +1,4 @@
+import Core
 import Domain
 import eudi_lib_sdjwt_swift
 import Foundation
@@ -50,6 +51,13 @@ struct SDJWTPresentation {
         }
 
         switch attachment.format {
+        case "dif/presentation-exchange/[email protected]":
+            return try presentation(
+                credential: credential,
+                request: requestData,
+                disclosingClaims: disclosingClaims,
+                key: exportableKey
+            )
         default:
             return try vcPresentation(
                 credential: credential,
@@ -60,6 +68,58 @@ struct SDJWTPresentation {
         }
     }
 
+    private func presentation(
+        credential: SDJWTCredential,
+        request: Data,
+        disclosingClaims: [String],
+        key: ExportableKey
+    ) throws -> String {
+        let presentationRequest = try JSONDecoder.didComm().decode(PresentationExchangeRequest.self, from: request)
+
+        guard
+            let jwtFormat = presentationRequest.presentationDefinition.format?.sdJwt,
+            try jwtFormat.supportedTypes.contains(where: { try $0 == credential.getAlg() })
+        else {
+            throw PolluxError.credentialIsNotOfPresentationDefinitionRequiredAlgorithm
+        }
+
+        let credentialSubject = try credential.sdjwt.recreateClaims().recreatedClaims.rawData()
+
+        try presentationRequest.presentationDefinition.inputDescriptors.forEach {
+            try $0.constraints.fields.forEach {
+                guard credentialSubject.query(values: $0.path) != nil else {
+                    throw PolluxError.credentialDoesntProvideOneOrMoreInputDescriptors(path: $0.path)
+                }
+            }
+        }
+        let presentationDefinitions = presentationRequest.presentationDefinition.inputDescriptors.map {
+            PresentationSubmission.Descriptor(
+                id: $0.id,
+                path: "$.verifiable_credential[0]",
+                format: "sd_jwt"
+            )
+        }
+
+        let presentationSubmission = PresentationSubmission(
+            definitionId: presentationRequest.presentationDefinition.id,
+            descriptorMap: presentationDefinitions
+        )
+
+        let payload = try vcPresentation(
+            credential: credential,
+            request: request,
+            disclosingClaims: disclosingClaims,
+            key: key
+        )
+
+        let container = PresentationContainer(
+            presentationSubmission: presentationSubmission,
+            verifiableCredential: [AnyCodable(stringLiteral: payload)]
+        )
+
+        return try JSONEncoder.didComm().encode(container).tryToString()
+    }
+
     private func vcPresentation(
         credential: SDJWTCredential,
         request: Data,

EdgeAgentSDK/Pollux/Sources/Operation/JWT/JWTPresentationExchangeParser.swift

@@ -0,0 +1,37 @@
+import Domain
+import Foundation
+import JSONSchema
+import JSONWebToken
+
+struct JWTPresentationExchangeParser: SubmissionDescriptorFormatParser {
+    let format = "jwt"
+    let verifier: VerifyJWT
+
+    func parse(path: String, presentationData: Data) async throws -> String {
+        guard
+            let jwt = presentationData.query(string: path)
+        else {
+            throw PolluxError.credentialPathInvalid(path: path)
+        }
+
+        guard try await verifier.verifyJWT(jwtString: jwt) else {
+            throw PolluxError.cannotVerifyCredential(credential: jwt, internalErrors: [])
+        }
+
+        return jwt
+    }
+
+    func parsePayload(path: String, presentationData: Data) async throws -> Data {
+        let jwt = try await parse(path: path, presentationData: presentationData)
+        return try JWT.getPayload(jwtString: jwt)
+    }
+
+    func parseClaimVerifier(descriptor: PresentationSubmission.Descriptor, presentationData: Data) async throws -> PresentationExchangeClaimVerifier {
+        let jwt = try await parse(path: descriptor.path, presentationData: presentationData)
+        return JWTVerifierPresentationExchange(
+            castor: verifier.castor,
+            jwtString: jwt,
+            submissionDescriptor: descriptor
+        )
+    }
+}

EdgeAgentSDK/Pollux/Sources/Operation/JWT/JWTVCPresentationExchangeParser.swift

@@ -0,0 +1,37 @@
+import Domain
+import Foundation
+import JSONSchema
+import JSONWebToken
+
+struct JWTVCPresentationExchangeParser: SubmissionDescriptorFormatParser {
+    let format = "jwt_vc"
+    let verifier: VerifyJWT
+
+    func parse(path: String, presentationData: Data) async throws -> String {
+        guard
+            let jwt = presentationData.query(string: path)
+        else {
+            throw PolluxError.credentialPathInvalid(path: path)
+        }
+
+        guard try await verifier.verifyJWT(jwtString: jwt) else {
+            throw PolluxError.cannotVerifyCredential(credential: jwt, internalErrors: [])
+        }
+
+        return jwt
+    }
+
+    func parsePayload(path: String, presentationData: Data) async throws -> Data {
+        let jwt = try await parse(path: path, presentationData: presentationData)
+        return try JWT.getPayload(jwtString: jwt)
+    }
+
+    func parseClaimVerifier(descriptor: PresentationSubmission.Descriptor, presentationData: Data) async throws -> PresentationExchangeClaimVerifier {
+        let jwt = try await parse(path: descriptor.path, presentationData: presentationData)
+        return JWTVerifierPresentationExchange(
+            castor: verifier.castor,
+            jwtString: jwt,
+            submissionDescriptor: descriptor
+        )
+    }
+}

EdgeAgentSDK/Pollux/Sources/Operation/JWT/JWTVPPresentationExchangeParser.swift

@@ -0,0 +1,37 @@
+import Domain
+import Foundation
+import JSONSchema
+import JSONWebToken
+
+struct JWTVPPresentationExchangeParser: SubmissionDescriptorFormatParser {
+    let format = "jwt_vp"
+    let verifier: VerifyJWT
+
+    func parse(path: String, presentationData: Data) async throws -> String {
+        guard
+            let jwt = presentationData.query(string: path)
+        else {
+            throw PolluxError.credentialPathInvalid(path: path)
+        }
+
+        guard try await verifier.verifyJWT(jwtString: jwt) else {
+            throw PolluxError.cannotVerifyCredential(credential: jwt, internalErrors: [])
+        }
+
+        return jwt
+    }
+
+    func parsePayload(path: String, presentationData: Data) async throws -> Data {
+        let jwt = try await parse(path: path, presentationData: presentationData)
+        return try JWT.getPayload(jwtString: jwt)
+    }
+
+    func parseClaimVerifier(descriptor: PresentationSubmission.Descriptor, presentationData: Data) async throws -> PresentationExchangeClaimVerifier {
+        let jwt = try await parse(path: descriptor.path, presentationData: presentationData)
+        return JWTVerifierPresentationExchange(
+            castor: verifier.castor,
+            jwtString: jwt,
+            submissionDescriptor: descriptor
+        )
+    }
+}

EdgeAgentSDK/Pollux/Sources/Operation/JWT/PresentationExchangeJWTClaimVerifier.swift

@@ -0,0 +1,14 @@
+import Domain
+import Foundation
+import JSONWebToken
+
+struct JWTVerifierPresentationExchange: PresentationExchangeClaimVerifier {
+    let castor: Castor
+    let jwtString: String
+    let submissionDescriptor: PresentationSubmission.Descriptor
+
+    func verifyClaim(inputDescriptor: InputDescriptor) throws {
+        let payload = try JWT.getPayload(jwtString: jwtString)
+        try VerifyJsonClaim.verify(inputDescriptor: inputDescriptor, jsonData: payload)
+    }
+}