adapt X509Credential validation, use nested JSON structure

vcr/credential/validator.go

@@ -339,21 +339,28 @@ func validatePolicyAssertions(issuer did.DID, credential vc.VerifiableCredential
 
 		// for each assertion create a string as "%s:%s" with key/value
 		// check if the resulting string is present in the policyString
-		for key, value := range credentialSubject {
-			split := strings.Split(key, ":")
-			if len(split) != 2 {
-				return fmt.Errorf("invalid credentialSubject assertion name '%s'", key)
-			}
-			policyValueMap, ok := policyMap[split[0]]
+		for policyName, values := range credentialSubject {
+			valueMap, ok := values.(map[string]interface{})
 			if !ok {
-				return fmt.Errorf("policy '%s' not found in did:x509 policy", split[0])
+				return fmt.Errorf("invalid assertion value type for 'credentialSubject.%s'", policyName)
 			}
-			policyValue, ok := policyValueMap[split[1]]
+			policyValueMap, ok := policyMap[policyName]
 			if !ok {
-				return fmt.Errorf("assertion '%s' not found in did:x509 policy", key)
+				return fmt.Errorf("policy '%s' not found in did:x509 policy", policyName)
 			}
-			if value != policyValue {
-				return fmt.Errorf("invalid assertion value '%s' for '%s' did:x509 policy", value, key)
+
+			for key, value := range valueMap {
+				valueString, ok := value.(string)
+				if !ok {
+					return fmt.Errorf("invalid assertion value type for 'credentialSubject.%s.%s'", policyName, key)
+				}
+				policyValue, ok := policyValueMap[key]
+				if !ok {
+					return fmt.Errorf("assertion 'credentialSubject.%s.%s' not found in did:x509 policy", policyName, key)
+				}
+				if valueString != policyValue {
+					return fmt.Errorf("invalid assertion value '%s' for '%s:%s' did:x509 policy", valueString, policyName, key)
+				}
 			}
 		}
 	}

vcr/credential/validator_test.go

@@ -559,28 +559,28 @@ func TestX509CredentialValidator_Validate(t *testing.T) {
 			{
 				name: "invalid assertion value",
 				claim: map[string]interface{}{
-					"san:otherName": "A_BIG_STRIN",
+					"san": map[string]interface{}{"otherName": "A_BIG_STRIN"},
 				},
 				expectedError: "invalid assertion value 'A_BIG_STRIN' for 'san:otherName' did:x509 policy",
 			},
 			{
-				name: "invalid assertion name",
+				name: "invalid assertion type",
 				claim: map[string]interface{}{
 					"san": "A_BIG_STRING",
 				},
-				expectedError: "invalid credentialSubject assertion name 'san'",
+				expectedError: "invalid assertion value type for 'credentialSubject.san'",
 			},
 			{
 				name: "unknown assertion",
 				claim: map[string]interface{}{
-					"san:ip": "10.0.0.1",
+					"san": map[string]interface{}{"ip": "10.0.0.1"},
 				},
-				expectedError: "assertion 'san:ip' not found in did:x509 policy",
+				expectedError: "assertion 'credentialSubject.san.ip' not found in did:x509 policy",
 			},
 			{
 				name: "unknown policy",
 				claim: map[string]interface{}{
-					"stan:ip": "10.0.0.1",
+					"stan": map[string]interface{}{"ip": "10.0.0.1"},
 				},
 				expectedError: "policy 'stan' not found in did:x509 policy",
 			},

vcr/test/credentials.go

@@ -162,12 +162,16 @@ func ValidX509Credential(t *testing.T, options ...credentialOption) vc.Verifiabl
 			"@context": []string{"https://www.w3.org/2018/credentials/v1"},
 			"type":     []string{vc.VerifiableCredentialType, "X509Credential"},
 			"credentialSubject": map[string]interface{}{
-				"id":            rootDID.String(),
-				"subject:C":     "NL",
-				"subject:O":     "NUTS Foundation",
-				"subject:L":     "Amsterdam",
-				"subject:CN":    "www.example.com",
-				"san:otherName": otherNameValue,
+				"id": rootDID.String(),
+				"subject": map[string]interface{}{
+					"C":  "NL",
+					"O":  "NUTS Foundation",
+					"L":  "Amsterdam",
+					"CN": "www.example.com",
+				},
+				"san": map[string]interface{}{
+					"otherName": otherNameValue,
+				},
 			},
 		})
 	for _, option := range options {