-
Notifications
You must be signed in to change notification settings - Fork 14
/
v2.yaml
778 lines (757 loc) · 28.1 KB
/
v2.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
openapi: "3.0.0"
info:
title: Nuts Verifiable Credential API spec
description: |
API specification for common operations on Verifiable credentials.
It allows the three roles, issuer, holer and verifier to issue, revoke, search, present and verify credentials.
version: 2.0.0
license:
name: GPLv3
servers:
- url: http://localhost:1323
paths:
/internal/vcr/v2/vc/{id}:
parameters:
- name: id
in: path
description: URL encoded ID.
required: true
example: "did:nuts:B8PUHs2AUHbFF1xLLK4eZjgErEcMXHxs68FteY7NDtCY#c4199b74-0c0a-4e09-a463-6927553e65f5"
schema:
type: string
get:
summary: "Resolves a verifiable credential"
description: >
Returns the resolved credential, whether its revocation/trust state.
error returns:
* 404 - Corresponding credential could not be found
* 500 - An error occurred while processing the request
operationId: "resolveVC"
tags:
- credential
responses:
"200":
description: Credential has been found and is returned.
content:
application/json:
schema:
$ref: '#/components/schemas/VerifiableCredential'
default:
$ref: '../common/error_response.yaml'
/internal/vcr/v2/search:
post:
summary: "Searches for verifiable credentials that could be used for different use-cases."
description: >
The result contains a list of matching credentials. Only verified credentials are returned.
The search parameters define how the raw results are filtered.
error returns:
* 400 - Incorrect search query
* 500 - An error occurred while processing the request
operationId: "searchVCs"
requestBody:
required: true
description: >
Searching for VCs is done by passing a JSON-LD document as query.
Each field in the request body must be present in the VC in order for it to be passed as result.
Different JSON-LD contexts can be used allowing for different JSON formats. Consult the node documentation on the supported contexts.
The type of the credential must contain "VerifiableCredential" and the additional Nuts credential type that matches the credentialSubject context.
content:
application/json:
schema:
$ref: '#/components/schemas/SearchVCRequest'
examples:
NutsOrganizationCredential:
value: >
{
"query": {
"@context": ["https://www.w3.org/2018/credentials/v1","https://nuts.nl/credentials/v1"],
"type": ["VerifiableCredential", "NutsOrganizationCredential"],
"credentialSubject":{
"organization": {
"name": "Zorggroep de Nootjes",
"city": "Amandelmere"
}
}
}
}
NutsAuthorizationCredential:
value: >
{
"query": {
"@context": ["https://www.w3.org/2018/credentials/v1","https://nuts.nl/credentials/v1"],
"type": ["VerifiableCredential", "NutsAuthorizationCredential"],
"credentialSubject":{
"id": "did:nuts:123",
"purposeOfUse": "eOverdracht-receiver",
"resources": {
"path":"/Task/123"
},
"subject": "urn:oid:2.16.840.1.113883.2.4.6.3:123456782"
}
},
"searchOptions": {
"allowUntrustedIssuer": true
}
}
tags:
- credential
responses:
"200":
description: A list of matching credentials
content:
application/json:
schema:
$ref: '#/components/schemas/SearchVCResults'
default:
$ref: '../common/error_response.yaml'
/internal/vcr/v2/issuer/vc:
post:
summary: Issues a new Verifiable Credential
description: |
Issues a new Verifiable Credential for provided type in the context.
error returns:
* 400 - One or more of the given parameters are invalid
* 412 - A private transaction is issued for a subject that does not have a NutsComm address
* 500 - An error occurred while processing the request
operationId: "issueVC"
tags:
- credential
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/IssueVCRequest'
responses:
"200":
description: "New VC has been created successfully. Returns the Verifiable Credential."
content:
application/json:
schema:
$ref: '#/components/schemas/VerifiableCredential'
default:
$ref: '../common/error_response.yaml'
/internal/vcr/v2/issuer/vc/search:
get:
summary: "Searches for verifiable credentials issued by this node which matches the search params"
description: >
The SearchVCResult contains a list of matching credentials regardless of the validity.
The entry may contain a revocation which means the credential has been revoked.
error returns:
* 400 - Invalid search parameters
* 500 - An error occurred while processing the request
operationId: "searchIssuedVCs"
parameters:
- name: credentialType
in: query
description: The type of the credential
example: NutsOrganizationCredential
required: true
schema:
type: string
- name: issuer
in: query
description: the DID of the issuer
example: did:nuts:123
required: true
schema:
type: string
- name: subject
in: query
description: the URI which indicates the subject (usually a DID)
example: did:nuts:456
required: false
schema:
type: string
tags:
- credential
responses:
"200":
description: A list of matching credentials
content:
application/json:
schema:
$ref: '#/components/schemas/SearchVCResults'
default:
$ref: '../common/error_response.yaml'
/internal/vcr/v2/issuer/vc/{id}:
parameters:
- name: id
in: path
description: URL encoded ID.
required: true
example: "did:nuts:B8PUHs2AUHbFF1xLLK4eZjgErEcMXHxs68FteY7NDtCY#c4199b74-0c0a-4e09-a463-6927553e65f5"
schema:
type: string
delete:
summary: "Revoke an issued credential"
description: |
Revoke a credential.
error returns:
* 400 - Credential can't be revoked. Most likely due to a missing private key.
* 404 - Credential is not found
* 409 - Credential has already been revoked
* 500 - An error occurred while processing the request
operationId: "revokeVC"
tags:
- credential
responses:
"200":
description: Revocation has been processed locally. It has also been published to the network.
content:
application/json:
schema:
$ref: '#/components/schemas/Revocation'
default:
$ref: '../common/error_response.yaml'
/internal/vcr/v2/verifier/vc:
post:
summary: Verifies a Verifiable Credential
description: |
Verifies a Verifiable Credential. It checks:
* The signature
* Expiration
* Rrevocation status
* If the issuer is trusted
* If the issuer was not deactivated at time of issuing
error returns:
* 400 - One or more of the given parameters are invalid
* 500 - An error occurred while processing the request
operationId: "verifyVC"
tags:
- credential
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/VCVerificationRequest'
responses:
"200":
description: "The verification result"
content:
application/json:
schema:
$ref: '#/components/schemas/VCVerificationResult'
default:
$ref: '../common/error_response.yaml'
/internal/vcr/v2/verifier/vp:
post:
summary: Verifies a Verifiable Presentation
description: |
Verifies a Verifiable Presentation. It checks:
* Signature of the verifiable presentation and the verifiable credentials
* Expiration
* Revocation status
* If the issuers of the verifiable credentials are trusted
* If the issuers of the verifiable credentials were not deactivated at time of issuing
If the verification can be performed successfully (regardless whether checks failed), HTTP status 200 is returned.
Callers MUST observe the "validity" field of the verification result to check whether the VP is valid.
error returns:
* 400 - A parameter or the format of the verifiable presentation is invalid
* 500 - An error occurred while processing the request
operationId: "verifyVP"
tags:
- credential
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/VPVerificationRequest'
responses:
"200":
description: "The verification result"
content:
application/json:
schema:
$ref: '#/components/schemas/VPVerificationResult'
default:
$ref: '../common/error_response.yaml'
/internal/vcr/v2/verifier/trust:
post:
summary: Mark all the VCs of given type and issuer as 'trusted'.
description: |
The added trust is persisted and may be removed with a delete operation.
error returns:
* 400 - Invalid paramters
* 500 - An error occurred while processing the request
operationId: "trustIssuer"
tags:
- credential
requestBody:
required: true
description: a issuer/credentialType combination
content:
application/json:
schema:
$ref: "#/components/schemas/CredentialIssuer"
responses:
"204":
description: The change was accepted.
default:
$ref: '../common/error_response.yaml'
delete:
summary: Remove trust in an issuer/credentialType combination
description: |
The removed trust is persisted.
error returns:
* 400 - Invalid paramters
* 500 - An error occurred while processing the request
operationId: "untrustIssuer"
tags:
- credential
requestBody:
required: true
description: a issuer/credentialType combination
content:
application/json:
schema:
$ref: "#/components/schemas/CredentialIssuer"
responses:
"204":
description: The change was accepted.
default:
$ref: '../common/error_response.yaml'
/internal/vcr/v2/verifier/{credentialType}/trusted:
get:
summary: "List all trusted issuers for a given credential type"
description: |
List all trusted issuers for a given credential type.
error returns:
* 400 - Malformed credential type
* 404 - Unkown credential type
operationId: "listTrusted"
tags:
- credential
parameters:
- name: credentialType
in: path
description: URL encoded Verifiable Credential Type.
required: true
example: "NutsOrganizationCredential"
schema:
type: string
responses:
"200":
description: List of trusted issuers is returned.
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/DID'
default:
$ref: '../common/error_response.yaml'
/internal/vcr/v2/verifier/{credentialType}/untrusted:
get:
summary: "List all untrusted issuers for a given credential type"
description: |
List all untrusted issuers for a given credential type.
error returns:
* 400 - Malformed credential type
* 404 - Unkown credential type
operationId: "listUntrusted"
tags:
- credential
parameters:
- name: credentialType
in: path
description: URL encoded Verifiable Credential Type.
required: true
example: "NutsOrganizationCredential"
schema:
type: string
responses:
"200":
description: List of untrusted issuers is returned.
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/DID'
default:
$ref: '../common/error_response.yaml'
/internal/vcr/v2/holder/vp:
post:
summary: Create a new Verifiable Presentation for a set of Verifiable Credentials.
description: |
Given a list of VCs, create a new presentation.
error returns:
* 400 - Invalid paramters
* 500 - An error occurred while processing the request
operationId: createVP
tags:
- credential
requestBody:
required: true
content:
application/json:
schema:
$ref: "#/components/schemas/CreateVPRequest"
responses:
"200":
description: The verifiable presentation.
content:
application/json:
schema:
$ref: "#/components/schemas/VerifiablePresentation"
components:
schemas:
IssueVCRequest:
type: object
description: A request for issuing a new Verifiable Credential.
required:
- type
- issuer
- credentialSubject
properties:
"@context":
description: |
The resolvable context of the credentialSubject as URI. If omitted, the "https://nuts.nl/credentials/v1" context is used.
Note: it is not needed to provide the "https://www.w3.org/2018/credentials/v1" context here.
type: string
example: "http://schema.org"
default: "https://nuts.nl/credentials/v1"
type:
description: Type definition for the credential.
type: string
example: "NutsOrganizationCredential"
issuer:
description: DID according to Nuts specification.
type: string
example: "did:nuts:B8PUHs2AUHbFF1xLLK4eZjgErEcMXHxs68FteY7NDtCY"
expirationDate:
description: rfc3339 time string until when the credential is valid.
type: string
example: "2012-01-02T12:00:00Z"
publishToNetwork:
description: |
If set, the node publishes this credential to the network. This is the default behaviour.
When set to false, the caller is responsible for distributing the VC to a holder. When the issuer is
also the holder, it then can be used to directly create a presentation (self issued).
Note: a not published credential can still be publicaly revoked.
type: boolean
default: true
visibility:
description: |
When publishToNetwork is true, the credential can be published publicly or privately to the holder.
This field is mandatory if publishToNetwork is true to prevent accidents. It defaults to "private".
type: string
enum: [ public, private ]
default: private
credentialSubject:
$ref: '#/components/schemas/CredentialSubject'
VerifiableCredential:
type: object
description: A credential according to the W3C and Nuts specs.
required:
- "@context"
- type
- issuer
- issuanceDate
- credentialSubject
- proof
properties:
"@context":
description: "List of URIs of JSON-LD contexts of the VC."
type: array
items:
type: string
id:
description: Credential ID. An URI wich uniquely identifies the credential e.g. the issuers DID concatenated with an uuid.
example: "did:nuts:123#B8PUHs2AUHbFF1xLLK4eZjgErEcMXHxs68FteY7NDtCY"
type: string
type:
description: A single string or array of strings. The value(s) indicate the type of credential. It should contain `VerifiableCredential`. Each type should be defined in the @context.
type: object
issuer:
$ref: '#/components/schemas/DID'
issuanceDate:
description: rfc3339 time string when the credential was issued.
type: string
example: "2012-01-02T12:00:00Z"
expirationDate:
description: rfc3339 time string untill when the credential is valid.
type: string
example: "2012-01-02T12:00:00Z"
credentialSubject:
$ref: '#/components/schemas/CredentialSubject'
proof:
description: one or multiple cryptographic proofs
type: object
SearchVCRequest:
type: object
description: request body for searching VCs
required:
- query
properties:
searchOptions:
$ref: "#/components/schemas/SearchOptions"
query:
type: object
description: A partial VerifiableCredential in JSON-LD format. Each field will be used to match credentials against. All fields MUST be present.
SearchVCResults:
type: object
description: result of a Search operation.
required:
- verifiableCredentials
properties:
verifiableCredentials:
type: array
items:
$ref: "#/components/schemas/SearchVCResult"
SearchVCResult:
type: object
description: result of a Search operation.
required:
- verifiableCredential
properties:
revocation:
$ref: "#/components/schemas/Revocation"
verifiableCredential:
$ref: "#/components/schemas/VerifiableCredential"
SearchOptions:
type: object
properties:
allowUntrustedIssuer:
description: If set to true, VCs from an untrusted issuer are returned.
type: boolean
default: false
Revocation:
type: object
description: Credential revocation record
required:
- issuer
- subject
- date
properties:
issuer:
$ref: '#/components/schemas/DID'
subject:
type: string
description: subject refers to the credential identifier that is revoked (not the credential subject)
reason:
type: string
description: reason describes why the VC has been revoked
date:
type: string
description: date is a rfc3339 formatted datetime.
proof:
type: object
description: Proof contains the cryptographic proof(s).
DID:
type: string
description: DID according to Nuts specification
example: "did:nuts:B8PUHs2AUHbFF1xLLK4eZjgErEcMXHxs68FteY7NDtCY"
CredentialSubject:
type: object
description: Subject of a Verifiable Credential identifying the holder and expressing claims.
VCVerificationRequest:
required:
- verifiableCredential
properties:
verifiableCredential:
$ref: "#/components/schemas/VerifiableCredential"
verificationOptions:
$ref: "#/components/schemas/VCVerificationOptions"
VCVerificationOptions:
type: object
properties:
allowUntrustedIssuer:
description: If set to true, an untrusted credential issuer is alowed.
type: boolean
default: false
VCVerificationResult:
description: Contains the verifiable credential verification result.
type: object
required:
- validity
properties:
validity:
type: boolean
description: Indicates the validity of the signature, issuer and revocation state.
message:
type: string
description: Indicates what went wrong
CreateVPRequest:
type: object
description: A request for creating a new Verifiable Presentation for a set of Verifiable Credentials.
required:
- verifiableCredentials
properties:
verifiableCredentials:
type: array
items:
$ref: "#/components/schemas/VerifiableCredential"
signerDID:
description: |
Specifies the DID of the signing party that must be used to create the digital signature.
If not specified, it is derived from the given Verifiable Credentials' subjectCredential ID.
It can only be derived if all given Verifiable Credentials have the same, single subjectCredential.
type: string
format: uri
proofPurpose:
type: string
description: |
The specific intent for the proof, the reason why an entity created it. Acts as a safeguard to prevent the
proof from being misused for a purpose other than the one it was intended for.
challenge:
type: string
description: |
A random or pseudo-random value used by some authentication protocols to mitigate replay attacks.
domain:
type: string
description: |
A string value that specifies the operational domain of a digital proof. This could be an Internet domain
name like example.com, an ad-hoc value such as mycorp-level3-access, or a very specific transaction value
like 8zF6T$mqP. A signer could include a domain in its digital proof to restrict its use to particular
target, identified by the specified domain.
expires:
type: string
description: Date and time at which proof will expire. If omitted, the proof does not have an end date.
example: '2021-12-20T09:00:00Z'
VPVerificationRequest:
required:
- verifiablePresentation
properties:
verifiablePresentation:
$ref: "#/components/schemas/VerifiablePresentation"
validAt:
type: string
description: Date and time at which the VP should be valid. If not supplied, the current date/time is used.
example: '2021-12-20T09:00:00Z'
verifyCredentials:
type: boolean
description: Indicates whether the Verifiable Credentials within the VP must be verified, default true.
default: true
VPVerificationResult:
description: Contains the verifiable presentation verification result.
type: object
required:
- validity
properties:
validity:
type: boolean
description: Indicates the validity of the signature, issuer and revocation state.
message:
type: string
description: Indicates what went wrong
credentials:
description: If the VP is valid, it will contain the credentials inside the VP.
type: array
items:
$ref: '#/components/schemas/VerifiableCredential'
VerifiablePresentation:
type: object
description: Verifiable Presentation
title: Verifiable Presentation Model
required:
- "@context"
- type
properties:
"@context":
description: |
An ordered set where the first item is a URI https://www.w3.org/2018/credentials/v1. It is used to define
terms and help to express specific identifiers in a compact manner.
uniqueItems: true
example: [
"https://www.w3.org/2018/credentials/v1"
]
type: array
items:
type: string
id:
type: string
description: URI that is used to unambiguously refer to an object, such as a person, product, or organization.
example: https://example.edu/credentials/1872,
format: uri
type:
description: A single string or array of strings. Values indicate the type of object. It should contain `VerifiablePresentation`. Each type must be defined in the @context.
example: "VerifiablePresentation"
type: object
verifiableCredential:
description: |
VerifiableCredential is composed of a list containing one or more verifiable credentials, in a
cryptographically verifiable format.
type: array
items:
$ref: '#/components/schemas/VerifiableCredential'
holder:
type: string
description: "URI of the entity that is generating the presentation."
format: uri
example: "did:nuts:123"
proof:
$ref: "#/components/schemas/EmbeddedProof"
EmbeddedProof:
title: Embedded Proof
type: object
description: |
Cryptographic proofs that can be used to detect tampering and verify the authorship of a
credential or presentation. An embedded proof is a mechanism where the proof is included in
the data, such as a Linked Data Signature.
required:
- type
- created
- proofPurpose
- verificationMethod
- jws
properties:
type:
type: string
description: Type of the object or the datatype of the typed value. Currently only supported value is "JsonWebSignature2020".
example: JsonWebSignature2020.
created:
type: string
description: Date and time at which proof has been created.
example: '2021-12-20T09:00:00Z'
proofPurpose:
type: string
description: |
It expresses the purpose of the proof and ensures the information is protected by the
signature.
example: assertionMethod
challenge:
type: string
description: |
A random or pseudo-random value, provided by the verifier, used by some authentication protocols to
mitigate replay attacks.
domain:
type: string
description: |
A string value that specifies the operational domain of a digital proof. This could be an Internet domain
name like example.com, an ad-hoc value such as mycorp-level3-access, or a very specific transaction value
like 8zF6T$mqP. A signer could include a domain in its digital proof to restrict its use to particular
target, identified by the specified domain.
nonce:
type: string
description: |
A unique string value generated by the holder, MUST only be used once for a particular domain
and window of time. This value can be used to mitigate replay attacks.
verificationMethod:
type: string
description: |
Specifies the public key that can be used to verify the digital signature.
Dereferencing a public key URL reveals information about the controller of the key,
which can be checked against the issuer of the credential.
example: did:nuts:123#key-5
jws:
type: string
description: JSON Web Signature
example: eyJhbGciOiJFUzI1NksifQ.eyJzdWIiOiJFQlNJIDIwMTkifQ.oggE3ft3kJYPGGa9eBibpbjgeJXw4fLbVMouVoM2NfcDxsl_UUUIarsS1VpBoYEs7s9cBlc4uC0EbnJCHfVJIw
CredentialIssuer:
type: object
required:
- issuer
- credentialType
properties:
issuer:
description: the DID of an issuer
example: "did:nuts:B8PUHs2AUHbFF1xLLK4eZjgErEcMXHxs68FteY7NDtCY"
type: string
credentialType:
description: a credential type
example: NutsOrganizationCredential
type: string