fix: check signature of fetched credential, w3cjwt support

GHkrishna · GHkrishna · commit 9786c847b6be · 2025-02-27T19:59:42.000+05:30
Signed-off-by: Krishna Waske &lt;krishna.waske@ayanworks.com&gt;
diff --git a/packages/core/src/modules/vc/data-integrity/W3cJsonLdCredentialService.ts b/packages/core/src/modules/vc/data-integrity/W3cJsonLdCredentialService.ts
@@ -9,7 +9,7 @@ import type {
   W3cJsonLdVerifyCredentialOptions,
   W3cJsonLdVerifyPresentationOptions,
 } from '../W3cCredentialServiceOptions'
-import type { W3cVerifyCredentialResult, W3cVerifyPresentationResult } from '../models'
+import { ClaimFormat, type W3cVerifyCredentialResult, type W3cVerifyPresentationResult } from '../models'
 import type { W3cJsonCredential } from '../models/credential/W3cJsonCredential'
 
 import { createWalletKeyPairClass } from '../../../crypto/WalletKeyPair'
@@ -116,7 +116,7 @@ export class W3cJsonLdCredentialService {
             // await verifyBitStringCredentialStatus(credential, agentContext)
             // Add a verification function that then checks which type of credentailStatus we have
             // If the type is supported, we validate it and return the result
-            await validateStatus(credential.credentialStatus, agentContext)
+            await validateStatus(credential.credentialStatus, agentContext, ClaimFormat.LdpVc)
           }
           return {
             verified: true,
@@ -275,7 +275,7 @@ export class W3cJsonLdCredentialService {
             // await verifyBitStringCredentialStatus(credential, agentContext)
             // Add a verification function that then checks which type of credentailStatus we have
             // If the type is supported, we validate it and return the result
-            await validateStatus(credential.credentialStatus, agentContext)
+            await validateStatus(credential.credentialStatus, agentContext, ClaimFormat.LdpVc)
           }
           return {
             verified: true,
diff --git a/packages/core/src/modules/vc/data-integrity/libraries/credentialStatus.ts b/packages/core/src/modules/vc/data-integrity/libraries/credentialStatus.ts
@@ -9,11 +9,13 @@ import {
 } from '../../models/credential/w3c-credential-status'
 import { W3cCredentialStatusSupportedTypes } from '../../models/credential/w3c-credential-status/W3cCredentialStatus'
 import { SingleOrArray } from '../../../../utils'
+import { ClaimFormat } from '../../models'
 
 // Function to validate the status using the updated method
 export const validateStatus = async (
   credentialStatus: SingleOrArray<W3cCredentialStatus>,
-  agentContext: AgentContext
+  agentContext: AgentContext,
+  credentialFormat: ClaimFormat.JwtVc | ClaimFormat.LdpVc
 ): Promise<boolean> => {
 
   if (Array.isArray(credentialStatus)) {
@@ -27,7 +29,11 @@ export const validateStatus = async (
     case W3cCredentialStatusSupportedTypes.BitstringStatusListEntry:
       agentContext.config.logger.debug('Credential status type is BitstringStatusListEntry')
       try {
-        await verifyBitStringCredentialStatus(credentialStatus as unknown as BitStringStatusListEntry, agentContext)
+        await verifyBitStringCredentialStatus(
+          credentialStatus as unknown as BitStringStatusListEntry,
+          agentContext,
+          credentialFormat
+        )
       } catch (errors) {
         throw new CredoError(`Error while validating credential status`, errors)
       }
diff --git a/packages/core/src/modules/vc/jwt-vc/W3cJwtCredentialService.ts b/packages/core/src/modules/vc/jwt-vc/W3cJwtCredentialService.ts
@@ -8,7 +8,7 @@ import type {
   W3cJwtVerifyCredentialOptions,
   W3cJwtVerifyPresentationOptions,
 } from '../W3cCredentialServiceOptions'
-import type { SingleValidationResult, W3cVerifyCredentialResult, W3cVerifyPresentationResult } from '../models'
+import { ClaimFormat, type SingleValidationResult, type W3cVerifyCredentialResult, type W3cVerifyPresentationResult } from '../models'
 
 import { JwsService } from '../../../crypto'
 import { getJwkFromKey, getJwkClassFromJwaSignatureAlgorithm } from '../../../crypto/jose/jwk'
@@ -23,6 +23,7 @@ import { W3cJwtVerifiableCredential } from './W3cJwtVerifiableCredential'
 import { W3cJwtVerifiablePresentation } from './W3cJwtVerifiablePresentation'
 import { getJwtPayloadFromCredential } from './credentialTransformer'
 import { getJwtPayloadFromPresentation } from './presentationTransformer'
+import { validateStatus } from '../data-integrity/libraries/credentialStatus'
 
 /**
  * Supports signing and verification of credentials according to the [Verifiable Credential Data Model](https://www.w3.org/TR/vc-data-model)
@@ -193,9 +194,13 @@ export class W3cJwtCredentialService {
           isValid: true,
         }
       } else if (verifyCredentialStatus && credential.credentialStatus) {
+        // TODO: Add similar verification for JWT VCs
+        // validationResults.validations.credentialStatus = {
+        //   isValid: false,
+        //   error: new CredoError('Verifying credential status is not supported for JWT VCs'),
+        // }
         validationResults.validations.credentialStatus = {
-          isValid: false,
-          error: new CredoError('Verifying credential status is not supported for JWT VCs'),
+          isValid: await validateStatus(credential.credentialStatus, agentContext, ClaimFormat.JwtVc)
         }
       }
 
@@ -376,6 +381,7 @@ export class W3cJwtCredentialService {
             }
           }
 
+          // Already verifying credentialStatus, so might not need to have to check credential status explicitly here
           const credentialResult = await this.verifyCredential(agentContext, {
             credential,
             verifyCredentialStatus: options.verifyCredentialStatus,
diff --git a/packages/core/src/modules/vc/models/credential/w3c-credential-status/bitstring-status-list/VerifyBitStringCredentialStatus.ts b/packages/core/src/modules/vc/models/credential/w3c-credential-status/bitstring-status-list/VerifyBitStringCredentialStatus.ts
@@ -5,6 +5,9 @@ import type { AgentContext } from '../../../../../../agent/context'
 import { inflate } from 'pako'
 
 import { CredoError } from '../../../../../../error'
+import { W3cCredentialService } from '../../../../W3cCredentialService'
+import { W3cJsonLdVerifyCredentialOptions, W3cJwtVerifyCredentialOptions } from '../../../../W3cCredentialServiceOptions'
+import { ClaimFormat } from '../../../ClaimFormat'
 
 // Function to fetch and parse the bit string status list credential
 const fetchBitStringStatusListCredential = async (
@@ -30,7 +33,8 @@ const fetchBitStringStatusListCredential = async (
 
 export const verifyBitStringCredentialStatus = async (
   credentialStatus: BitStringStatusListEntry,
-  agentContext: AgentContext
+  agentContext: AgentContext,
+  credentialFormat: ClaimFormat.JwtVc | ClaimFormat.LdpVc
 ) => {
   try {
     if (Array.isArray(credentialStatus)) {
@@ -62,7 +66,18 @@ export const verifyBitStringCredentialStatus = async (
       `This is the fetched BSLC ${JSON.stringify(bitStringStatusListCredential, null, 2)}`
     )
 
-    // TODO: Add logic to validate Credential signature
+    // verify signatures of the credential
+    const w3cCredentialService = agentContext.dependencyManager.resolve(W3cCredentialService)
+
+    let result
+    if (credentialFormat === ClaimFormat.JwtVc){
+      result = await w3cCredentialService.verifyCredential(agentContext, bitStringStatusListCredential as unknown as W3cJwtVerifyCredentialOptions)
+    } else if (credentialFormat === ClaimFormat.LdpVc){
+      result = await w3cCredentialService.verifyCredential(agentContext, bitStringStatusListCredential as unknown as W3cJsonLdVerifyCredentialOptions)
+    }
+    if (result && !result.isValid) {
+      throw new CredoError(`Failed to validate credential, error = ${result.error}`)
+    }
 
     // Decode the encoded bit string
     let decodedBitStringArray;
@@ -74,30 +89,6 @@ export const verifyBitStringCredentialStatus = async (
     } catch(err) {
       throw new CredoError('Error decoding Bitstring of fetched Bitstring StatusList Credential')
     }
-    
-    // 1st approach
-    // agentContext.config.logger.debug(`This is encodedBitString: ${encodedBitString}`)
-    // const compressedBuffer = Uint8Array.from(atob(encodedBitString), (char) => char.charCodeAt(0))
-    // agentContext.config.logger.debug('Decoding the encoded bit string for fetched BitString StatusList Credential')
-
-    // // Decompress the bit string using pako
-    // const decodedBitString = ungzip(compressedBuffer, { to: 'string' })
-
-    // 2nd approach - worked
-    // const base64ToUint8Array = (base64: string): Uint8Array => {
-    //   const binaryString = atob(base64.replace(/-/g, '+').replace(/_/g, '/')) // Handle URL-safe Base64
-    //   return new Uint8Array([...binaryString].map((char) => char.charCodeAt(0)))
-    // }
-
-    // const compressedBuffer = base64ToUint8Array(encodedBitString)
-
-    // console.debug(`compressedBuffer: ${compressedBuffer}`)
-    // console.debug('Decoding the encoded bit string for fetched BitString StatusList Credential')
-
-    // // Decompress the bit string using pako
-    // const decodedBitString = new TextDecoder().decode(ungzip(compressedBuffer))
-
-    // console.debug(`Decoded BitString: ${decodedBitString}`)
 
     const statusListIndex = Number(credentialStatus.statusListIndex)
 
