trustbloc · fqutishat · Oct 23, 2023 · Oct 23, 2023 · Oct 23, 2023 · Oct 23, 2023
diff --git a/go.mod b/go.mod
@@ -18,15 +18,13 @@ require (
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/multiformats/go-multibase v0.1.1
 	github.com/piprate/json-gold v0.5.1-0.20230111113000-6ddbe6e6f19f
-	github.com/pkg/errors v0.9.1
 	github.com/stretchr/testify v1.8.2
 	github.com/tidwall/gjson v1.14.3
 	github.com/tidwall/sjson v1.1.4
 	github.com/trustbloc/bbs-signature-go v1.0.0
 	github.com/trustbloc/did-go v1.0.2-0.20230928194341-39d5462574c0
 	github.com/trustbloc/kms-go v1.0.1-0.20230928143453-638bd66bb721
 	github.com/xeipuuv/gojsonschema v1.2.0
-	golang.org/x/crypto v0.1.0
 	golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63
 )
 
@@ -46,13 +44,15 @@ require (
 	github.com/mr-tron/base58 v1.2.0 // indirect
 	github.com/multiformats/go-base32 v0.1.0 // indirect
 	github.com/multiformats/go-base36 v0.1.0 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/pquerna/cachecontrol v0.1.0 // indirect
 	github.com/teserakt-io/golang-ed25519 v0.0.0-20210104091850-3888c087a4c8 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.0 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	golang.org/x/crypto v0.1.0 // indirect
 	golang.org/x/sys v0.11.0 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

diff --git a/presexch/definition_test.go b/presexch/definition_test.go
@@ -1185,9 +1185,8 @@ func TestPresentationDefinition_CreateVP(t *testing.T) {
 
 		vp, err := pd.CreateVP([]*verifiable.Credential{vc}, lddl,
 			WithSDBBSProofCreator(&verifiable.BBSProofCreator{
-				ProofDerivation: bbs12381g2pub.New(),
-				VerificationMethodResolver: testsupport.NewSingleKeyResolver(
-					"did:example:123456#key1", srcPublicKey, "Bls12381G2Key2020"),
+				ProofDerivation:            bbs12381g2pub.New(),
+				VerificationMethodResolver: testsupport.NewSingleKeyResolver("did:example:123456#key1", srcPublicKey, "Bls12381G2Key2020", ""),
 			}),
 			WithSDCredentialOptions(
 				verifiable.WithJSONLDDocumentLoader(createTestJSONLDDocumentLoader(t)),
@@ -1310,8 +1309,7 @@ func TestPresentationDefinition_CreateVP(t *testing.T) {
 		vp, err := pd.CreateVP([]*verifiable.Credential{vc}, lddl,
 			WithSDCredentialOptions(
 				verifiable.WithJSONLDDocumentLoader(createTestJSONLDDocumentLoader(t)),
-				verifiable.WithProofChecker(defaults.NewDefaultProofChecker(testsupport.NewSingleKeyResolver(
-					"did:example:123456#key1", srcPublicKey, "Bls12381G2Key2020"))),
+				verifiable.WithProofChecker(defaults.NewDefaultProofChecker(testsupport.NewSingleKeyResolver("did:example:123456#key1", srcPublicKey, "Bls12381G2Key2020", ""))),
 			),
 		)
 		require.NoError(t, err)

diff --git a/presexch/example_v2_test.go b/presexch/example_v2_test.go
@@ -721,9 +721,8 @@ func ExamplePresentationDefinition_CreateVP_withFrame() {
 	signVCWithBBS(privKey, vc, loader)
 
 	bbsProofCreator := &verifiable.BBSProofCreator{
-		ProofDerivation: bbs12381g2pub.New(),
-		VerificationMethodResolver: testsupport.NewSingleKeyResolver(
-			"did:example:123456#key1", pubKeyBytes, "Bls12381G2Key2020"),
+		ProofDerivation:            bbs12381g2pub.New(),
+		VerificationMethodResolver: testsupport.NewSingleKeyResolver("did:example:123456#key1", pubKeyBytes, "Bls12381G2Key2020", ""),
 	}
 
 	vp, err := pd.CreateVP([]*verifiable.Credential{vc}, loader,

diff --git a/presexch/match_submission_requirements_test.go b/presexch/match_submission_requirements_test.go
@@ -240,9 +240,8 @@ func TestInstance_GetSubmissionRequirements(t *testing.T) {
 		matched, err := pd.MatchSubmissionRequirement([]*verifiable.Credential{vc}, lddl,
 			presexch.WithSelectiveDisclosureApply(),
 			presexch.WithSDBBSProofCreator(&verifiable.BBSProofCreator{
-				ProofDerivation: bbs12381g2pub.New(),
-				VerificationMethodResolver: testsupport.NewSingleKeyResolver(
-					"did:example:123456#key1", srcPublicKey, "Bls12381G2Key2020"),
+				ProofDerivation:            bbs12381g2pub.New(),
+				VerificationMethodResolver: testsupport.NewSingleKeyResolver("did:example:123456#key1", srcPublicKey, "Bls12381G2Key2020", ""),
 			}),
 			presexch.WithSDCredentialOptions(verifiable.WithJSONLDDocumentLoader(lddl)))
 		require.NoError(t, err)

diff --git a/proof/checker/checker.go b/proof/checker/checker.go
@@ -8,7 +8,9 @@ package checker
 
 import (
 	"fmt"
+	"strings"
 
+	"github.com/tidwall/gjson"
 	"github.com/trustbloc/did-go/doc/ld/processor"
 	"github.com/trustbloc/did-go/doc/ld/proof"
 	"github.com/trustbloc/kms-go/doc/jose"
@@ -21,7 +23,7 @@ import (
 )
 
 type verificationMethodResolver interface {
-	ResolveVerificationMethod(verificationMethod string) (*vermethod.VerificationMethod, error)
+	ResolveVerificationMethod(verificationMethod string, issuer string) (*vermethod.VerificationMethod, error)
 }
 
 type signatureVerifier interface {
@@ -45,6 +47,15 @@ type jwtCheckDescriptor struct {
 	proofDescriptor proofdesc.JWTProofDescriptor
 }
 
+// nolint: gochecknoglobals
+var possibleIssuerPath = []string{
+	"vc.issuer.id",
+	"vc.issuer",
+	"issuer.id",
+	"issuer",
+	"iss",
+}
+
 // ProofCheckerBase basic implementation of proof checker.
 type ProofCheckerBase struct {
 	supportedLDProofs  []ldCheckDescriptor
@@ -121,7 +132,8 @@ func (c *ProofChecker) CheckLDProof(proof *proof.Proof, msg, signature []byte) e
 		return fmt.Errorf("proof missing public key id: %w", err)
 	}
 
-	vm, err := c.verificationMethodResolver.ResolveVerificationMethod(publicKeyID)
+	vm, err := c.verificationMethodResolver.ResolveVerificationMethod(publicKeyID,
+		strings.Split(publicKeyID, "#")[0])
 	if err != nil {
 		return fmt.Errorf("proof invalid public key id: %w", err)
 	}
@@ -170,7 +182,7 @@ func (c *ProofCheckerBase) GetLDPDigest(proof *proof.Proof, doc []byte) ([]byte,
 }
 
 // CheckJWTProof check jwt proof.
-func (c *ProofChecker) CheckJWTProof(headers jose.Headers, _, msg, signature []byte) error {
+func (c *ProofChecker) CheckJWTProof(headers jose.Headers, payload, msg, signature []byte) error {
 	keyID, ok := headers.KeyID()
 	if !ok {
 		return fmt.Errorf("missed kid in jwt header")
@@ -181,7 +193,7 @@ func (c *ProofChecker) CheckJWTProof(headers jose.Headers, _, msg, signature []b
 		return fmt.Errorf("missed alg in jwt header")
 	}
 
-	vm, err := c.verificationMethodResolver.ResolveVerificationMethod(keyID)
+	vm, err := c.verificationMethodResolver.ResolveVerificationMethod(keyID, c.FindIssuer(payload))
 	if err != nil {
 		return fmt.Errorf("invalid public key id: %w", err)
 	}
@@ -204,6 +216,19 @@ func (c *ProofChecker) CheckJWTProof(headers jose.Headers, _, msg, signature []b
 	return verifier.Verify(signature, msg, pubKey)
 }
 
+// FindIssuer finds issuer in payload.
+func (c *ProofChecker) FindIssuer(payload []byte) string {
+	parsed := gjson.ParseBytes(payload)
+
+	for _, p := range possibleIssuerPath {
+		if str := parsed.Get(p).Str; str != "" {
+			return str
+		}
+	}
+
+	return ""
+}
+
 func convertToPublicKey(
 	supportedMethods []proofdesc.SupportedVerificationMethod,
 	vm *vermethod.VerificationMethod) (*pubkey.PublicKey, error) {

diff --git a/proof/checker/checker_test.go b/proof/checker/checker_test.go
@@ -37,7 +37,7 @@ func TestProofChecker_AllLD(t *testing.T) {
 
 func TestProofChecker_CheckLDProof(t *testing.T) {
 	testable := checker.New(
-		testsupport.NewSingleKeyResolver("lookupId", []byte{}, "test"),
+		testsupport.NewSingleKeyResolver("lookupId", []byte{}, "test", ""),
 		checker.WithLDProofTypes(ed25519signature2018.New()))
 
 	err := testable.CheckLDProof(&proof.Proof{}, nil, nil)
@@ -62,7 +62,7 @@ func TestProofChecker_CheckLDProof(t *testing.T) {
 
 func TestProofChecker_CheckJWTProof(t *testing.T) {
 	testable := checker.New(
-		testsupport.NewSingleKeyResolver("lookupId", []byte{}, "test"),
+		testsupport.NewSingleKeyResolver("lookupId", []byte{}, "test", ""),
 		checker.WithJWTAlg(eddsa.New()))
 
 	err := testable.CheckJWTProof(jose.Headers{jose.HeaderAlgorithm: "talg"}, nil, nil, nil)
@@ -84,6 +84,17 @@ func TestProofChecker_CheckJWTProof(t *testing.T) {
 	require.ErrorContains(t, err, "can't verifiy with \"test\" verification method")
 }
 
+func TestProofCheckerIssuer(t *testing.T) {
+	testable := checker.New(
+		testsupport.NewSingleKeyResolver("lookupId", []byte{}, "test", "awesome"),
+		checker.WithJWTAlg(eddsa.New()))
+
+	err := testable.CheckJWTProof(jose.Headers{jose.HeaderKeyID: "tid", jose.HeaderAlgorithm: "EdDSA"},
+		[]byte(`{"vc":{"issuer" : "abcd"}}`),
+		nil, nil)
+	require.ErrorContains(t, err, "invalid public key id: invalid issuer. expected awesome got abcd")
+}
+
 func TestEmbeddedVMProofChecker_CheckJWTProof(t *testing.T) {
 	testable := checker.NewEmbeddedVMProofChecker(
 		&vermethod.VerificationMethod{Type: "test"},
@@ -98,3 +109,37 @@ func TestEmbeddedVMProofChecker_CheckJWTProof(t *testing.T) {
 	err = testable.CheckJWTProof(jose.Headers{jose.HeaderAlgorithm: "EdDSA"}, nil, nil, nil)
 	require.ErrorContains(t, err, "can't verifiy with \"test\" verification method")
 }
+
+func TestFindIssuerInPayload(t *testing.T) {
+	c := checker.ProofChecker{}
+
+	t.Run("$.vc.issuer.id", func(t *testing.T) {
+		result := c.FindIssuer([]byte(`{"iss": "123", "issuer": "abcd", "vc":{"issuer":{"id":"did:example:123"}}}`))
+		require.Equal(t, "did:example:123", result)
+	})
+
+	t.Run("$.vc.issuer", func(t *testing.T) {
+		result := c.FindIssuer([]byte(`{"iss": "123", "issuer": "abcd", "vc":{"issuer":"did:example:123"}}`))
+		require.Equal(t, "did:example:123", result)
+	})
+
+	t.Run("$.issuer.id", func(t *testing.T) {
+		result := c.FindIssuer([]byte(`{"iss": "123", "issuer": {"id" : "abcd"}}`))
+		require.Equal(t, "abcd", result)
+	})
+
+	t.Run("$.issuer", func(t *testing.T) {
+		result := c.FindIssuer([]byte(`{"iss": "123", "issuer": "abcd"}`))
+		require.Equal(t, "abcd", result)
+	})
+
+	t.Run("$.iss", func(t *testing.T) {
+		result := c.FindIssuer([]byte(`{"iss": "123"}`))
+		require.Equal(t, "123", result)
+	})
+
+	t.Run("none", func(t *testing.T) {
+		result := c.FindIssuer([]byte(`{"a": "123"}`))
+		require.Equal(t, "", result)
+	})
+}
diff --git a/proof/defaults/all.go b/proof/defaults/all.go
@@ -29,7 +29,7 @@ import (
 )
 
 type verificationMethodResolver interface {
-	ResolveVerificationMethod(verificationMethod string) (*vermethod.VerificationMethod, error)
+	ResolveVerificationMethod(verificationMethod string, issuer string) (*vermethod.VerificationMethod, error)
 }
 
 // NewDefaultProofChecker creates proof checker with all available validation algorithms.

diff --git a/proof/testsupport/sigver_pair.go b/proof/testsupport/sigver_pair.go
@@ -55,6 +55,7 @@ const (
 // VMResolver mock verification method resolver.
 type VMResolver struct {
 	mockedVerificationMethods []mockedVerificationMethod
+	expectedIssuer            string
 }
 
 type mockedVerificationMethod struct {
@@ -68,8 +69,9 @@ type cryptographicSigner interface {
 }
 
 // NewSingleKeyResolver creates vm resolver with single key embedded.
-func NewSingleKeyResolver(lookupID string, keyBytes []byte, keyType string) *VMResolver {
+func NewSingleKeyResolver(lookupID string, keyBytes []byte, keyType string, issuer string) *VMResolver {
 	return &VMResolver{
+		expectedIssuer: issuer,
 		mockedVerificationMethods: []mockedVerificationMethod{{
 			lookupID:                lookupID,
 			verificationMethodValue: &vermethod.VerificationMethod{Type: keyType, Value: keyBytes},
@@ -78,8 +80,9 @@ func NewSingleKeyResolver(lookupID string, keyBytes []byte, keyType string) *VMR
 }
 
 // NewSingleJWKResolver creates vm resolver with single jwk embedded.
-func NewSingleJWKResolver(lookupID string, j *jwk.JWK, keyType string) *VMResolver {
+func NewSingleJWKResolver(lookupID string, j *jwk.JWK, keyType string, issuer string) *VMResolver {
 	return &VMResolver{
+		expectedIssuer: issuer,
 		mockedVerificationMethods: []mockedVerificationMethod{{
 			lookupID:                lookupID,
 			verificationMethodValue: &vermethod.VerificationMethod{Type: keyType, JWK: j},
@@ -88,7 +91,14 @@ func NewSingleJWKResolver(lookupID string, j *jwk.JWK, keyType string) *VMResolv
 }
 
 // ResolveVerificationMethod resolves verification method.
-func (r *VMResolver) ResolveVerificationMethod(verificationMethod string) (*vermethod.VerificationMethod, error) {
+func (r *VMResolver) ResolveVerificationMethod(
+	verificationMethod string,
+	issuer string,
+) (*vermethod.VerificationMethod, error) {
+	if r.expectedIssuer != "" && r.expectedIssuer != issuer {
+		return nil, fmt.Errorf("invalid issuer. expected %v got %v",
+			r.expectedIssuer, issuer)
+	}
 	for _, mocked := range r.mockedVerificationMethods {
 		if mocked.lookupID == AnyPubKeyID || mocked.lookupID == verificationMethod {
 			return mocked.verificationMethodValue, nil

diff --git a/verifiable/bbs_selective_disclosure.go b/verifiable/bbs_selective_disclosure.go
@@ -30,7 +30,10 @@ type bbsProofDerivation interface {
 }
 
 type verificationMethodResolver interface {
-	ResolveVerificationMethod(verificationMethod string) (*vermethod.VerificationMethod, error)
+	ResolveVerificationMethod(
+		verificationMethod string,
+		issuer string,
+	) (*vermethod.VerificationMethod, error)
 }
 
 // BBSProofCreator used to create bbs proof during selective disclosure.
@@ -138,7 +141,7 @@ func getPublicKeyAndSignature(blsSignatureMap map[string]interface{},
 		return nil, nil, fmt.Errorf("get public KID from BBS+ signature: %w", err)
 	}
 
-	vm, err := resolver.ResolveVerificationMethod(publicKeyID)
+	vm, err := resolver.ResolveVerificationMethod(publicKeyID, "")
 	if err != nil {
 		return nil, nil, fmt.Errorf("resolve public key of BBS+ signature: %w", err)
 	}

diff --git a/verifiable/credential_bbs_test.go b/verifiable/credential_bbs_test.go
@@ -143,8 +143,7 @@ func TestCredential_GenerateBBSSelectiveDisclosure(t *testing.T) {
 		anotherPubKeyBytes, err = anotherPubKey.Marshal()
 		require.NoError(t, err)
 
-		bbsAnotherKeyFetcher := testsupport.NewSingleKeyResolver(
-			"did:example:123456#key1", anotherPubKeyBytes, "Bls12381G2Key2020")
+		bbsAnotherKeyFetcher := testsupport.NewSingleKeyResolver("did:example:123456#key1", anotherPubKeyBytes, "Bls12381G2Key2020", "")
 
 		vcWithSelectiveDisclosure, err = vc.GenerateBBSSelectiveDisclosure(revealDoc, nonce,
 			&BBSProofCreator{
@@ -239,8 +238,7 @@ func signVCWithBBS(t *testing.T, privKey *bbs12381g2pub.PrivateKey, pubKeyBytes
 	require.NoError(t, err)
 	require.NotEmpty(t, vcSignedBytes)
 
-	bbsKeyFetcher := testsupport.NewSingleKeyResolver(
-		"did:example:123456#key1", pubKeyBytes, "Bls12381G2Key2020")
+	bbsKeyFetcher := testsupport.NewSingleKeyResolver("did:example:123456#key1", pubKeyBytes, "Bls12381G2Key2020", "")
 
 	vcVerified, err := parseTestCredential(t, vcSignedBytes,
 		WithProofChecker(defaults.NewDefaultProofChecker(bbsKeyFetcher)),