refactor: remove usage of secp256r1 and demos (#1043)

Signed-off-by: Shota Jolbordi <shota.jolbordi@iohk.io>
hyperledger · May 15, 2024 · 998a13a · 998a13a
1 parent 975730a
commit 998a13a
Show file tree

Hide file tree

Showing 14 changed files with 33 additions and 1,409 deletions.
diff --git a/build.sbt b/build.sbt
@@ -85,8 +85,6 @@ lazy val V = new {
   val zioPreludeVersion = "1.0.0-RC24"
 
   val apollo = "1.2.14"
-  val bouncyCastle = "1.78.1"
-
   val jsonSchemaValidator = "1.3.2" // scala-steward:off //TODO 1.3.2 need to fix:
   // [error] 	org.hyperledger.identus.pollux.core.model.schema.AnoncredSchemaTypeSpec
   // [error] 	org.hyperledger.identus.pollux.core.model.schema.CredentialSchemaSpec

diff --git a/...est/scala/org/hyperledger/identus/pollux/core/service/PresentationServiceSpecHelper.scala b/...est/scala/org/hyperledger/identus/pollux/core/service/PresentationServiceSpecHelper.scala
@@ -11,9 +11,8 @@ import org.hyperledger.identus.pollux.core.repository.*
 import org.hyperledger.identus.pollux.core.service.serdes.*
 import org.hyperledger.identus.pollux.vc.jwt.*
 import org.hyperledger.identus.shared.models.{WalletAccessContext, WalletId}
+import org.hyperledger.identus.shared.crypto.KmpSecp256k1KeyOps
 import zio.*
-
-import java.security.*
 import java.time.Instant
 import java.util.UUID
 
@@ -42,16 +41,16 @@ trait PresentationServiceSpecHelper {
     CredentialRepositoryInMemory.layer
   ) ++ defaultWalletLayer
 
-  def createIssuer(did: DID) = {
-    val keyGen = KeyPairGenerator.getInstance("EC")
-    keyGen.initialize(Curve.P_256.toECParameterSpec)
-    val keyPair = keyGen.generateKeyPair()
-    val privateKey = keyPair.getPrivate
-    val publicKey = keyPair.getPublic
+  def createIssuer(did: DID): Issuer = {
+
+    val keyPair = KmpSecp256k1KeyOps.generateKeyPair
+    val javaSKey = keyPair.privateKey.toJavaPrivateKey
+    val javaPKey = keyPair.publicKey.toJavaPublicKey
+
     Issuer(
       did = did,
-      signer = ES256Signer(privateKey),
-      publicKey = publicKey
+      signer = ES256KSigner(javaSKey),
+      publicKey = javaPKey
     )
   }
 

diff --git a/pollux/vc-jwt/src/main/scala/io/iohk/atala/pollux/vc/jwt/DidJWT.scala b/pollux/vc-jwt/src/main/scala/io/iohk/atala/pollux/vc/jwt/DidJWT.scala
@@ -29,19 +29,6 @@ trait Signer {
 
 }
 
-class ES256Signer(privateKey: PrivateKey) extends Signer {
-  val algorithm: JwtECDSAAlgorithm = JwtAlgorithm.ES256
-  private val provider = BouncyCastleProviderSingleton.getInstance
-  Security.addProvider(provider)
-
-  override def encode(claim: Json): JWT = JWT(JwtCirce.encode(claim, privateKey, algorithm))
-
-  override def generateProofForJson(payload: Json, pk: PublicKey): Task[Proof] = {
-    EddsaJcs2022ProofGenerator.generateProof(payload, privateKey, pk)
-  }
-
-}
-
 // works with java 7, 8, 11 & bouncycastle provider
 // https://connect2id.com/products/nimbus-jose-jwt/jca-algorithm-support#alg-support-table
 class ES256KSigner(privateKey: PrivateKey) extends Signer {

diff --git a/pollux/vc-jwt/src/main/scala/io/iohk/atala/pollux/vc/jwt/JWTVerification.scala b/pollux/vc-jwt/src/main/scala/io/iohk/atala/pollux/vc/jwt/JWTVerification.scala
@@ -22,7 +22,7 @@ object JWTVerification {
   // https://github.com/decentralized-identity/did-jwt/blob/8b3655097a1382934cabdf774d580e6731a636b1/src/JWT.ts#L146
   val SUPPORT_PUBLIC_KEY_TYPES: Map[String, Set[String]] = Map(
     "ES256K" -> Set("EcdsaSecp256k1VerificationKey2019", "JsonWebKey2020"),
-    "ES256" -> Set("ES256") // TODO: Only use valid type (added just for compatibility in the Demo code)
+    // Add support for other key types here
   )
 
   def validateAlgorithm(jwt: JWT): Validation[String, Unit] = {

diff --git a/pollux/vc-jwt/src/main/scala/io/iohk/atala/pollux/vc/jwt/VerifiableCredentialPayload.scala b/pollux/vc-jwt/src/main/scala/io/iohk/atala/pollux/vc/jwt/VerifiableCredentialPayload.scala
@@ -17,6 +17,8 @@ import java.security.PublicKey
 import java.time.temporal.TemporalAmount
 import java.time.{Clock, Instant, OffsetDateTime, ZoneId}
 import scala.util.Try
+import com.nimbusds.jwt.SignedJWT
+import scala.util.Failure
 
 opaque type DID = String
 object DID {
@@ -711,9 +713,15 @@ object JwtCredential {
   def encodeJwt(payload: JwtCredentialPayload, issuer: Issuer): JWT = issuer.signer.encode(payload.asJson)
 
   def decodeJwt(jwt: JWT, publicKey: PublicKey): Try[JwtCredentialPayload] = {
-    JwtCirce
-      .decodeRaw(jwt.value, publicKey, options = JwtOptions(expiration = false, notBefore = false))
-      .flatMap(decode[JwtCredentialPayload](_).toTry)
+    val signedJWT = SignedJWT.parse(jwt.value)
+    val verifier = JWTVerification.toECDSAVerifier(publicKey)
+
+    val isSignatureValid = signedJWT.verify(verifier)
+
+    if isSignatureValid then
+      val claimsSet = signedJWT.getJWTClaimsSet.toString
+      decode[JwtCredentialPayload](claimsSet).toTry
+    else Failure(Exception(s"Invalid JWT signature for: ${JWT.value}"))
   }
 
   def decodeJwt(jwt: JWT): IO[String, JwtCredentialPayload] = {
@@ -731,7 +739,9 @@ object JwtCredential {
   }
 
   def validateEncodedJwt(jwt: JWT, publicKey: PublicKey): Boolean =
-    JwtCirce.isValid(jwt.value, publicKey, JwtOptions(expiration = false, notBefore = false))
+    val signedJWT = SignedJWT.parse(jwt.value)
+    val verifier = JWTVerification.toECDSAVerifier(publicKey)
+    signedJWT.verify(verifier)
 
   def validateEncodedJWT(
       jwt: JWT,

diff --git a/pollux/vc-jwt/src/main/scala/io/iohk/atala/pollux/vc/jwt/demos/CredentialDemo.scala b/pollux/vc-jwt/src/main/scala/io/iohk/atala/pollux/vc/jwt/demos/CredentialDemo.scala