Bring up to v2 verification standards, most significantly, adding authenticity checks to verify the issuer address from the transaction checks out with those on the issuer id page. We want to ensure that the tx was issued when the issuing key was valid.
Exceptional cases handled:

- tx signing key not on issuer id page
- tx signing key was revoked, expired, or not yet created
Added more test cases to: cert-walletTests/CertificateValidationRequestTests.swift

- tampered v2 certificate: changed existing field should break hash and fail
- authenticity failure: certificate issued after issuer revoked key should fail
- valid v2 certificate with legacy (v1) issuer format should pass
There is a lot of code duplication in that test class, but I'm having issues getting the test expectations cleanly refactored. I did some cleanup to make this easier in the future.
Opened issue #32 to track detection of unmapped JSON-LD fields. This will be doable; just need to find the right way to pass the fallback context to swift ld libraries during normalization.
Note I changed assertion id (uid) to extract just the guid to allow for the following cases:

- it's a url, like we had in v1
- it has a `urn:uuid` prefix, which v2 allows (but also allows urls). The prefix is used for unhosted assertions.
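As an added illustration of the two checks this PR describes (not code from the cert-wallet project), the following Python sketch shows the issuer-authenticity decision in isolation: the transaction's signing address must appear on the issuer id page, and the transaction timestamp must fall inside that key's validity window (after `created`, before `revoked` / `expires`). It also shows the uid normalisation that accepts both a v1-style URL and a v2 `urn:uuid:` prefix. The issuer key list, field names and timestamps are constructed for the example and are not the project's data model.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlparse
import uuid


@dataclass
class IssuerKey:
    """One entry from the issuer id page (constructed shape, not the project's schema)."""
    address: str
    created: datetime
    expires: Optional[datetime] = None
    revoked: Optional[datetime] = None


def ts(s: str) -> datetime:
    """Parse an ISO-8601 date/time as UTC for the sample timeline."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def check_issuer_authenticity(issuer_keys, tx_address: str, tx_time: datetime) -> str:
    """Decide whether a transaction signed by tx_address at tx_time is authentic.

    Returns "ok" when some key with that address was valid at tx_time, otherwise a
    reason string naming the exceptional case that was hit.
    """
    matching = [k for k in issuer_keys if k.address == tx_address]
    if not matching:
        return "key_not_on_issuer_page"
    reason = None
    for key in matching:
        if tx_time < key.created:
            reason = reason or "key_not_yet_created"
            continue
        if key.revoked is not None and tx_time >= key.revoked:
            reason = reason or "key_revoked"
            continue
        if key.expires is not None and tx_time >= key.expires:
            reason = reason or "key_expired"
            continue
        return "ok"  # this key covered the transaction time
    return reason


def extract_assertion_guid(uid: str) -> str:
    """Reduce a v1 URL or a v2 'urn:uuid:<guid>' assertion id to the bare guid.

    Raises ValueError when the trailing component is not a well-formed UUID, so a
    malformed id fails verification instead of being silently accepted.
    """
    prefix = "urn:uuid:"
    if uid.lower().startswith(prefix):
        candidate = uid[len(prefix):]
    else:
        candidate = urlparse(uid).path.rstrip("/").rsplit("/", 1)[-1]
    return str(uuid.UUID(candidate))


# Constructed sample timeline: one key rotated out by revocation, one still live.
SAMPLE_KEYS = [
    IssuerKey(address="1OldKeyAddrExample", created=ts("2016-01-01"), revoked=ts("2017-06-01")),
    IssuerKey(address="1NewKeyAddrExample", created=ts("2017-05-01"), expires=ts("2020-01-01")),
]


def sample_checks() -> dict:
    """Run the exceptional cases from the PR against the sample keys."""
    return {
        "old_key_while_valid": check_issuer_authenticity(SAMPLE_KEYS, "1OldKeyAddrExample", ts("2017-01-15")),
        "old_key_after_revoke": check_issuer_authenticity(SAMPLE_KEYS, "1OldKeyAddrExample", ts("2017-07-01")),
        "new_key_before_created": check_issuer_authenticity(SAMPLE_KEYS, "1NewKeyAddrExample", ts("2017-02-01")),
        "new_key_after_expiry": check_issuer_authenticity(SAMPLE_KEYS, "1NewKeyAddrExample", ts("2021-01-01")),
        "unknown_key": check_issuer_authenticity(SAMPLE_KEYS, "1NotOnPageExample", ts("2017-01-15")),
    }


if __name__ == "__main__":
    for name, result in sample_checks().items():
        print(f"{name}: {result}")
    print(extract_assertion_guid("urn:uuid:4F8B0C2E-1A1B-4C2D-9E3F-0A1B2C3D4E5F"))
    print(extract_assertion_guid("https://example.invalid/certs/4f8b0c2e-1a1b-4c2d-9e3f-0a1b2c3d4e5f"))
```

The window checks are deliberately half-open (`created <= tx_time < revoked`), so a transaction confirmed in the same instant a key is revoked is treated as unauthentic; a real implementation would also need to decide how to handle block-time skew on the timestamp it compares against.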