feat: Added MultiSignaturePolicy to validate JWT credentials with mul…

…tiple embedded signatures based on JWS JSON Serialization
walt-id · Sep 22, 2023 · f3deccf · f3deccf
1 parent 7aa0054
commit f3deccf
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 0 deletions.
diff --git a/src/main/kotlin/id/walt/auditor/PolicyRegistryService.kt b/src/main/kotlin/id/walt/auditor/PolicyRegistryService.kt
@@ -165,6 +165,7 @@ open class PolicyRegistryService : WaltIdService() {
         )
         register(CredentialStatusPolicy::class, "Verify by credential status")
         register(DynamicPolicy::class, DynamicPolicyArg::class, "Verify credential by rego policy")
+        register(MultiSignaturePolicy::class, "Verify embedded multiple signatures")
 
         // predefined, hardcoded rego policy specializations
         // VerifiableMandate policy as specialized rego policy

diff --git a/src/main/kotlin/id/walt/auditor/policies/MultiSignaturePolicy.kt b/src/main/kotlin/id/walt/auditor/policies/MultiSignaturePolicy.kt
@@ -0,0 +1,37 @@
+package id.walt.auditor.policies
+
+import id.walt.auditor.SimpleVerificationPolicy
+import id.walt.auditor.VerificationPolicyResult
+import id.walt.credentials.w3c.VerifiableCredential
+
+class JwtHelper(val credential: String) {
+    val header get() = credential.substringBefore(".")
+    val payload get() = credential.substringAfter(".").substringBefore(".")
+    val signature get() = credential.substringAfterLast(".")
+    val jwsSignaturePart get() = mapOf(
+        "protected" to header,
+        "signature" to signature
+    )
+
+    companion object {
+        fun fromJWS(payload: String, sig: Map<String, String>): JwtHelper {
+            val h = sig["protected"] ?: throw Exception("No header found")
+            val s = sig["signature"] ?: throw Exception("No sig found")
+            return JwtHelper("$h.$payload.$s")
+        }
+    }
+}
+
+class MultiSignaturePolicy: SimpleVerificationPolicy() {
+    override val description: String
+        get() = "JWS Multi Signature Verification Policy"
+
+    override fun doVerify(vc: VerifiableCredential): VerificationPolicyResult {
+        val payload = (vc.credentialSubject?.properties?.get("payload") as? String) ?: return VerificationPolicyResult.failure()
+        val signatures = (vc.credentialSubject?.properties?.get("signatures") as? List<Map<String, String>>) ?: return VerificationPolicyResult.failure()
+        val credentials = signatures.map { JwtHelper.fromJWS(payload, it).credential }
+        return if(credentials.all { SignaturePolicy().verify(VerifiableCredential.fromString(it)).isSuccess }) {
+            VerificationPolicyResult.success()
+        } else VerificationPolicyResult.failure()
+    }
+}