Implement semantic VC verification rules

KendallWeihe commented 2 months ago

This work should hold off until the ticket here is closed https://github.com/TBD54566975/web5-rs/issues/150

Currently we verify VC's only on the cryptographic signature, but we have a set of semantic verifications which must be true for verification to pass. For inspiration, see all the set of if conditions in web5-js linked here.

nitro-neal commented 1 month ago

for reference:

Verifies the integrity and authenticity of a Verifiable Credential (VC) encoded as a JSON Web Token (JWT).
This function performs several crucial validation steps to ensure the trustworthiness of the provided VC:
- Parses and validates the structure of the JWT.
- Ensures the presence of critical header elements alg and kid in the JWT header.
- Resolves the Decentralized Identifier (DID) and retrieves the associated DID Document.
- Validates the DID and establishes a set of valid verification method IDs.
- Identifies the correct Verification Method from the DID Document based on the kid parameter.
- Verifies the JWT's signature using the public key associated with the Verification Method.
If any of these steps fail, the function will throw a [Error] with a message indicating the nature of the failure:
- exp MUST represent the expirationDate property, encoded as a UNIX timestamp (NumericDate).
- iss MUST represent the issuer property of a verifiable credential or the holder property of a verifiable presentation.
- nbf MUST represent issuanceDate, encoded as a UNIX timestamp (NumericDate).
- jti MUST represent the id property of the verifiable credential or verifiable presentation.
- sub MUST represent the id property contained in the credentialSubject.
Once the verifications are successful, when recreating the VC data model object, this function will:
- If exp is present, the UNIX timestamp MUST be converted to an [XMLSCHEMA11-2] date-time, and MUST be used to set the value of the expirationDate property of credentialSubject of the new JSON object.
- If iss is present, the value MUST be used to set the issuer property of the new credential JSON object or the holder property of the new presentation JSON object.
- If nbf is present, the UNIX timestamp MUST be converted to an [XMLSCHEMA11-2] date-time, and MUST be used to set the value of the issuanceDate property of the new JSON object.
- If sub is present, the value MUST be used to set the value of the id property of credentialSubject of the new credential JSON object.
- If jti is present, the value MUST be used to set the value of the id property of the new JSON object.

KendallWeihe commented 1 month ago

Completed in #182

TBD54566975 / web5-rs

Implement semantic VC verification rules #151