UNPKG

@ew-did-registry/claims

Version:

The package exposes functionality needed to create, inspect, approve, and verify Private and Public claims

148 lines (140 loc) 4.63 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
import { IDIDDocumentFull } from '@ew-did-registry/did-document'; import { IJWT, JWT, JwtPayload } from '@ew-did-registry/jwt'; import { IDidStore } from '@ew-did-registry/did-store-interface'; import { IDIDDocument, IServiceEndpoint, } from '@ew-did-registry/did-resolver-interface'; import { EwSigner } from '@ew-did-registry/did-ethr-resolver'; import { IClaims, IPublicClaim, IPrivateClaim, VerificationPurpose, } from '../models'; import { hashes } from '../utils'; import { ProofVerifier } from '../claimsVerifier/proofVerifier'; /** * @class * Base class for extending by other claims classes */ export class Claims implements IClaims { public jwt: IJWT; public keys: { privateKey?: string; publicKey: string; }; public did: string; /** * @constructor * * @param { IKeys } keys * @param document * @param store */ constructor( owner: EwSigner, protected document: IDIDDocumentFull, protected store: IDidStore ) { this.keys = { publicKey: owner.publicKey, privateKey: owner.privateKey }; this.jwt = new JWT(owner); this.did = document.did; } /** * Verifies issuance and publishing of claim at `claimUrl`. * On success returns claim. * Verification takes into account purpose on which claim was issued. * * @param claimUrl: Url of claim to be verified. This method will retrieve * the claim using the didStore configured for the class * @param params.hashFns: The function used to determine the of hash of the claim * token used in the DID document. Used to verify that the DID document service endpoint * matches the retrieved claim. * @param params.issuerDoc: Document with verification methods to verify claim issuance with * @param params.holderDoc: Document with service endpoints to verify claim publishing with * @param params.verificationPurpose: Specifies which verification methods to use. * `VerificationPurpose.Authenticate` is used to verify claim issued to authenticate identity * `VerificationPurpose.Assertion` is used to assert issuer approval. * By default verification asserts claim approval. * */ async verify( claimUrl: string, { hashFns, issuerDoc, holderDoc, verificationPurpose = VerificationPurpose.Assertion, }: { hashFns?: { [alg: string]: (data: string) => string }; issuerDoc?: IDIDDocument; holderDoc?: IDIDDocument; verificationPurpose?: VerificationPurpose; } = {} ): Promise<IPublicClaim | IPrivateClaim> { const token = await this.store.get(claimUrl); const claim = this.jwt.decode(token) as (IPublicClaim | IPrivateClaim) & JwtPayload; if (!issuerDoc) { issuerDoc = await this.document.read(claim.iss); } if (!holderDoc) { holderDoc = await this.document.read(claim.sub); } await this.validateServiceEndpointToken(claimUrl, { hashFns, holderDoc, }); const proofVerifier = new ProofVerifier(issuerDoc); switch (verificationPurpose) { case VerificationPurpose.Authentication: if (await proofVerifier.verifyAuthenticationProof(token)) { return claim; } break; case VerificationPurpose.Assertion: if (await proofVerifier.verifyAssertionProof(token)) { return claim; } break; default: break; } throw new Error('Token is not verified'); } /** * @description Verifies that token stored at `claimUrl` is one of the services of `holderDoc`. * * @param claimUrl: url of the published claim * @param params.hashFns: The function used to determine the of hash of the claim * token used in the DID document. Used to verify that the DID document service endpoint * matches the retrieved claim. * @param params.holderDoc: Document in which to search for service endpoint. */ async validateServiceEndpointToken( claimUrl: string, { hashFns, holderDoc, }: { hashFns?: { [alg: string]: (data: string) => string }; holderDoc: IDIDDocument; } ) { const token = await this.store.get(claimUrl); const service = holderDoc.service.find( (s) => s.serviceEndpoint === claimUrl ) as IServiceEndpoint; if (!service) { throw new Error( `No service endpoint found for ${claimUrl} in holder DID document` ); } const { hash, hashAlg } = service; const createHash = { ...hashes, ...hashFns }[hashAlg as string]; if (hash !== createHash(token)) { throw new Error(`Claim at ${claimUrl} was changed`); } } }