some javadoc

extensions/common/iam/identity-trust/identity-trust-core/src/main/java/org/eclipse/edc/iam/identitytrust/core/IdentityAndTrustExtension.java

@@ -16,9 +16,9 @@
 
 import org.eclipse.edc.iam.did.spi.resolution.DidResolverRegistry;
 import org.eclipse.edc.iam.identitytrust.IdentityAndTrustService;
-import org.eclipse.edc.iam.identitytrust.validation.JwtValidatorImpl;
-import org.eclipse.edc.iam.identitytrust.verification.JwtVerifierImpl;
+import org.eclipse.edc.iam.identitytrust.validation.SelfIssuedIdTokenValidator;
 import org.eclipse.edc.iam.identitytrust.verification.MultiFormatPresentationVerifier;
+import org.eclipse.edc.iam.identitytrust.verification.SelfIssuedIdTokenVerifier;
 import org.eclipse.edc.identitytrust.CredentialServiceClient;
 import org.eclipse.edc.identitytrust.SecureTokenService;
 import org.eclipse.edc.identitytrust.validation.JwtValidator;
@@ -62,7 +62,7 @@ public IdentityService createIdentityService(ServiceExtensionContext context) {
     @Provider
     public JwtValidator getJwtValidator() {
         if (jwtValidator == null) {
-            jwtValidator = new JwtValidatorImpl();
+            jwtValidator = new SelfIssuedIdTokenValidator();
         }
         return jwtValidator;
     }
@@ -75,7 +75,7 @@ public PresentationVerifier createPresentationVerifier() {
     @Provider
     private JwtVerifier getJwtVerifier() {
         if (jwtVerifier == null) {
-            jwtVerifier = new JwtVerifierImpl(resolverRegistry);
+            jwtVerifier = new SelfIssuedIdTokenVerifier(resolverRegistry);
         }
         return jwtVerifier;
     }

extensions/common/iam/identity-trust/identity-trust-service/src/main/java/org/eclipse/edc/iam/identitytrust/IdentityAndTrustService.java

@@ -20,8 +20,8 @@
 import org.eclipse.edc.identitytrust.CredentialServiceClient;
 import org.eclipse.edc.identitytrust.SecureTokenService;
 import org.eclipse.edc.identitytrust.model.VerifiableCredential;
+import org.eclipse.edc.identitytrust.validation.CredentialValidationRule;
 import org.eclipse.edc.identitytrust.validation.JwtValidator;
-import org.eclipse.edc.identitytrust.validation.VcValidationRule;
 import org.eclipse.edc.identitytrust.verification.JwtVerifier;
 import org.eclipse.edc.identitytrust.verification.PresentationVerifier;
 import org.eclipse.edc.spi.iam.ClaimToken;
@@ -123,7 +123,7 @@ public Result<ClaimToken> verifyJwtToken(TokenRepresentation tokenRepresentation
                             new HasValidIssuer(getAllowedIssuers())));
 
                     filters.addAll(getAdditionalValidations());
-                    var results = credentials.stream().map(c -> filters.stream().reduce(t -> Result.success(), VcValidationRule::and).apply(c)).reduce(Result::merge);
+                    var results = credentials.stream().map(c -> filters.stream().reduce(t -> Result.success(), CredentialValidationRule::and).apply(c)).reduce(Result::merge);
 
                     return results.orElseGet(() -> failure("Could not determine the status of the VC validation"));
                 });
@@ -135,7 +135,7 @@ private ClaimToken extractClaimToken(List<VerifiableCredential> credentials) {
         return null;
     }
 
-    private Collection<? extends VcValidationRule> getAdditionalValidations() {
+    private Collection<? extends CredentialValidationRule> getAdditionalValidations() {
         return List.of();
     }
 

extensions/common/iam/identity-trust/identity-trust-service/src/main/java/org/eclipse/edc/iam/identitytrust/validation/HasValidIssuer.java

@@ -15,7 +15,7 @@
 package org.eclipse.edc.iam.identitytrust.validation;
 
 import org.eclipse.edc.identitytrust.model.VerifiableCredential;
-import org.eclipse.edc.identitytrust.validation.VcValidationRule;
+import org.eclipse.edc.identitytrust.validation.CredentialValidationRule;
 import org.eclipse.edc.spi.result.Result;
 
 import java.util.List;
@@ -24,7 +24,13 @@
 import static org.eclipse.edc.spi.result.Result.failure;
 import static org.eclipse.edc.spi.result.Result.success;
 
-public class HasValidIssuer implements VcValidationRule {
+/**
+ * A class that implements the {@link CredentialValidationRule} interface and checks if a {@link VerifiableCredential} has a valid issuer.
+ * Valid issuers are stored in a global list.
+ * <p>
+ * If the issuer object is neither a string nor an object containing an "id" field, a failure is returned.
+ */
+public class HasValidIssuer implements CredentialValidationRule {
     private final List<String> allowedIssuers;
 
     public HasValidIssuer(List<String> allowedIssuers) {
@@ -41,6 +47,9 @@ public Result<Void> apply(VerifiableCredential credential) {
             issuer = issuerObject.toString();
         } else if (issuerObject instanceof Map) {
             issuer = ((Map) issuerObject).get("id").toString();
+            if (issuer == null) {
+                return failure("Issuer was an object, but did not contain an 'id' field");
+            }
         } else {
             return failure("VC Issuer must either be a String or an Object but was %s.".formatted(issuerObject.getClass()));
         }

extensions/common/iam/identity-trust/identity-trust-service/src/main/java/org/eclipse/edc/iam/identitytrust/validation/HasValidSubjectIds.java

@@ -15,13 +15,17 @@
 package org.eclipse.edc.iam.identitytrust.validation;
 
 import org.eclipse.edc.identitytrust.model.VerifiableCredential;
-import org.eclipse.edc.identitytrust.validation.VcValidationRule;
+import org.eclipse.edc.identitytrust.validation.CredentialValidationRule;
 import org.eclipse.edc.spi.result.Result;
 
 import static org.eclipse.edc.spi.result.Result.failure;
 import static org.eclipse.edc.spi.result.Result.success;
 
-public class HasValidSubjectIds implements VcValidationRule {
+/**
+ * This class implements the CredentialValidationRule interface and checks if all subject IDs in a
+ * VerifiableCredential match an expected subject ID, which in practice is the DID of the holder of a VP.
+ */
+public class HasValidSubjectIds implements CredentialValidationRule {
 
     private final String expectedSubjectId;
 

extensions/common/iam/identity-trust/identity-trust-service/src/main/java/org/eclipse/edc/iam/identitytrust/validation/IsRevoked.java

@@ -15,12 +15,15 @@
 package org.eclipse.edc.iam.identitytrust.validation;
 
 import org.eclipse.edc.identitytrust.model.VerifiableCredential;
-import org.eclipse.edc.identitytrust.validation.VcValidationRule;
+import org.eclipse.edc.identitytrust.validation.CredentialValidationRule;
 import org.eclipse.edc.spi.result.Result;
 
 import static org.eclipse.edc.spi.result.Result.success;
 
-public class IsRevoked implements VcValidationRule {
+/**
+ * This class represents a rule that checks if a given VerifiableCredential is revoked based on a StatusList2021 credential.
+ */
+public class IsRevoked implements CredentialValidationRule {
     private final VerifiableCredential statusList2021;
 
     public IsRevoked(VerifiableCredential statusList2021) {

extensions/common/iam/identity-trust/identity-trust-service/src/main/java/org/eclipse/edc/iam/identitytrust/validation/JwtValidatorImpl.java → extensions/common/iam/identity-trust/identity-trust-service/src/main/java/org/eclipse/edc/iam/identitytrust/validation/SelfIssuedIdTokenValidator.java

@@ -28,9 +28,22 @@
 import static org.eclipse.edc.spi.result.Result.success;
 
 /**
- * Default implementation for JWT validation in the context of IATP.
+ * Performs structural validation a Self-Issued ID Token. It asserts that:
+ * <ul>
+ *     <li>{@code iss == sub}</li>
+ *     <li>{@code sub_jwk == null}</li>
+ *     <li>{@code aud == audience} (method argument)</li>
+ *     <li>{@code client_id == iss}</li>
+ *     <li>{@code jti != null} only verifies that a jti claim is there, no further validation</li>
+ *     <li>{@code exp !=null}</li>
+ *     <li>{@code exp < now()} token not expired, epsilon = 60s</li>
+ * </ul>
+ * <p>
+ * Please note that the signature of the JWT is <strong>not</strong> verified, that is done by the {@link org.eclipse.edc.iam.identitytrust.verification.SelfIssuedIdTokenVerifier}.
+ *
+ * @see org.eclipse.edc.iam.identitytrust.verification.SelfIssuedIdTokenVerifier SI Token signature verification
  */
-public class JwtValidatorImpl implements JwtValidator {
+public class SelfIssuedIdTokenValidator implements JwtValidator {
 
     private static final long EPSILON = 60;
 

extensions/common/iam/identity-trust/identity-trust-service/src/main/java/org/eclipse/edc/iam/identitytrust/verification/JsonLdPresentationVerifier.java

@@ -16,11 +16,16 @@
 
 import org.eclipse.edc.spi.result.Result;
 
+/**
+ * Verifies the cryptographic integrity of a VerifiablePresentation that is presented as a JSON-LD.
+ */
 class JsonLdPresentationVerifier {
 
-    JsonLdPresentationVerifier() {
-    }
-
+    /**
+     * Computes the cryptographic integrity of a VerifiablePresentation
+     *
+     * @param rawVp The unaltered JSON-LD string, as it was received from the holder.
+     */
     public Result<Void> verifyPresentation(String rawVp) {
         throw new UnsupportedOperationException("not yet implemented!");
     }

extensions/common/iam/identity-trust/identity-trust-service/src/main/java/org/eclipse/edc/iam/identitytrust/verification/JwtPresentationVerifier.java

@@ -16,8 +16,16 @@
 
 import org.eclipse.edc.spi.result.Result;
 
+/**
+ * Verifies VerifiablePresentations, which are present in JWT format. Only the cryptographic integrity is asserted
+ */
 class JwtPresentationVerifier {
+    /**
+     * Computes the cryptographic integrity of a VerifiablePresentation
+     *
+     * @param rawVp The base64-encoded JWT string
+     */
     public Result<Void> verifyPresentation(String rawVp) {
-        return null;
+        throw new UnsupportedOperationException("not yet implemented!");
     }
 }

extensions/common/iam/identity-trust/identity-trust-service/src/main/java/org/eclipse/edc/iam/identitytrust/verification/JwtVerifierImpl.java → extensions/common/iam/identity-trust/identity-trust-service/src/main/java/org/eclipse/edc/iam/identitytrust/verification/SelfIssuedIdTokenVerifier.java

@@ -30,12 +30,24 @@
 import java.util.Optional;
 
 /**
- * This implementation
+ * Performs cryptographic (and some structural) verification of a self-issued ID token. To that end, the issuer of the token
+ * ({@code iss} claim) is presumed to be a Decentralized Identifier (<a href="https://www.w3.org/TR/did-core/">DID</a>).
+ * <p>
+ * If the JWT contains in its header a {@code kid} field identifying the public key that was used for signing, the DID is
+ * <strong>expected</strong> to have a <a href="https://www.w3.org/TR/did-core/#verification-methods">verificationMethod</a>
+ * with that same ID. If no such verification method is found, {@link Result#failure(String)} is returned.
+ * <p>
+ * If no such {@code kid} header is present, then the <em>first</em> verification method is used.
+ * <p>
+ * Please note that <strong>no structural</strong> validation is done beyond the very basics (must have iss and aud claim).
+ * This is done by the {@link org.eclipse.edc.iam.identitytrust.validation.SelfIssuedIdTokenValidator}.
+ *
+ * @see org.eclipse.edc.iam.identitytrust.validation.SelfIssuedIdTokenValidator For SI Token validation.
  */
-public class JwtVerifierImpl implements JwtVerifier {
+public class SelfIssuedIdTokenVerifier implements JwtVerifier {
     private final DidResolverRegistry resolverRegistry;
 
-    public JwtVerifierImpl(DidResolverRegistry resolverRegistry) {
+    public SelfIssuedIdTokenVerifier(DidResolverRegistry resolverRegistry) {
         this.resolverRegistry = resolverRegistry;
     }
 

extensions/common/iam/identity-trust/identity-trust-service/src/test/java/org/eclipse/edc/iam/identitytrust/validation/JwtValidatorImplTest.java → extensions/common/iam/identity-trust/identity-trust-service/src/test/java/org/eclipse/edc/iam/identitytrust/validation/SelfIssuedIdTokenValidatorTest.java

@@ -26,11 +26,11 @@
 import static org.eclipse.edc.identitytrust.TestFunctions.createJwt;
 import static org.eclipse.edc.junit.assertions.AbstractResultAssert.assertThat;
 
-class JwtValidatorImplTest {
+class SelfIssuedIdTokenValidatorTest {
 
     private static final String EXPECTED_OWN_DID = "did:web:provider";
     private static final String CONSUMER_DID = "did:web:consumer";
-    private final JwtValidatorImpl validator = new JwtValidatorImpl();
+    private final SelfIssuedIdTokenValidator validator = new SelfIssuedIdTokenValidator();
 
     @BeforeEach
     void setUp() {

extensions/common/iam/identity-trust/identity-trust-service/src/test/java/org/eclipse/edc/iam/identitytrust/verification/JwtVerifierImplTest.java → extensions/common/iam/identity-trust/identity-trust-service/src/test/java/org/eclipse/edc/iam/identitytrust/verification/SelfIssuedIdTokenVerifierTest.java

@@ -38,10 +38,10 @@
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
-class JwtVerifierImplTest {
+class SelfIssuedIdTokenVerifierTest {
 
     private final DidResolverRegistry didResolverRegistry = mock();
-    private final JwtVerifierImpl verifier = new JwtVerifierImpl(didResolverRegistry);
+    private final SelfIssuedIdTokenVerifier verifier = new SelfIssuedIdTokenVerifier(didResolverRegistry);
     private ECKey didVerificationMethod;
 
     @BeforeEach

spi/common/identity-trust-spi/src/main/java/org/eclipse/edc/identitytrust/validation/VcValidationRule.java → spi/common/identity-trust-spi/src/main/java/org/eclipse/edc/identitytrust/validation/CredentialValidationRule.java

@@ -21,8 +21,11 @@
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
-public interface VcValidationRule extends Function<VerifiableCredential, Result<Void>> {
-    default VcValidationRule and(VcValidationRule other) {
+/**
+ * Interface for a rule that is being applied to a {@link VerifiableCredential}, and returns {@link Result#success()} or {@link Result#failure(String)}.
+ */
+public interface CredentialValidationRule extends Function<VerifiableCredential, Result<Void>> {
+    default CredentialValidationRule and(CredentialValidationRule other) {
         return t -> {
             var thisResult = this.apply(t);
             var otherResult = other.apply(t);