Introduce x509 DID method with PKI validation.

auth/client/iam/client_test.go

@@ -460,7 +460,7 @@ type testKeyResolver struct {
 	key *ecdsa.PrivateKey
 }
 
-func (t testKeyResolver) ResolveKeyByID(keyID string, validAt *time.Time, relationType resolver.RelationType) (crypto.PublicKey, error) {
+func (t testKeyResolver) ResolveKeyByID(keyID string, metadata *resolver.ResolveMetadata, relationType resolver.RelationType) (crypto.PublicKey, error) {
 	return t.key.Public(), nil
 }
 

auth/services/oauth/authz_server.go

@@ -351,7 +351,10 @@ func (s *authzServer) validateIssuer(vContext *validationContext) error {
 	}
 
 	validationTime := vContext.jwtBearerToken.IssuedAt()
-	if _, err := s.keyResolver.ResolveKeyByID(vContext.kid, &validationTime, resolver.NutsSigningKeyType); err != nil {
+	metadata := &resolver.ResolveMetadata{
+		ResolveTime: &validationTime,
+	}
+	if _, err := s.keyResolver.ResolveKeyByID(vContext.kid, metadata, resolver.NutsSigningKeyType); err != nil {
 		return fmt.Errorf(errInvalidIssuerKeyFmt, err)
 	}
 

cmd/root.go

@@ -195,7 +195,7 @@ func CreateSystem(shutdownCallback context.CancelFunc) *core.System {
 	didStore := didstore.New(storageInstance.GetProvider(vdr.ModuleName))
 	eventManager := events.NewManager()
 	networkInstance := network.NewNetworkInstance(network.DefaultConfig(), didStore, cryptoInstance, eventManager, storageInstance.GetProvider(network.ModuleName), pkiInstance)
-	vdrInstance := vdr.NewVDR(cryptoInstance, networkInstance, didStore, eventManager, storageInstance)
+	vdrInstance := vdr.NewVDR(cryptoInstance, networkInstance, didStore, eventManager, storageInstance, pkiInstance)
 	credentialInstance := vcr.NewVCRInstance(cryptoInstance, vdrInstance, networkInstance, jsonld, eventManager, storageInstance, pkiInstance)
 	didmanInstance := didman.NewDidmanInstance(vdrInstance, credentialInstance, jsonld)
 	discoveryInstance := discovery.New(storageInstance, credentialInstance, vdrInstance, vdrInstance)

crypto/api/v1/api.go

@@ -194,7 +194,10 @@ func (w *Wrapper) resolvePublicKey(id *did.DIDURL) (key crypt.PublicKey, keyID s
 	if id.Fragment != "" {
 		// Assume it is a keyId
 		now := time.Now()
-		key, err = w.K.ResolveKeyByID(id.String(), &now, resolver.KeyAgreement)
+		metadata := &resolver.ResolveMetadata{
+			ResolveTime: &now,
+		}
+		key, err = w.K.ResolveKeyByID(id.String(), metadata, resolver.KeyAgreement)
 		if err != nil {
 			return nil, "", err
 		}

vcr/test.go

@@ -63,7 +63,9 @@ func NewTestVCRContext(t *testing.T, keyStore crypto.KeyStore) TestVCRContext {
 	storageEngine := storage.NewTestStorageEngine(t)
 	networkInstance := network.NewTestNetworkInstance(t)
 	eventManager := events.NewTestManager(t)
-	vdrInstance := vdr.NewVDR(keyStore, networkInstance, didStore, eventManager, storageEngine)
+	ctrl := gomock.NewController(t)
+	pkiMock := pki.NewMockValidator(ctrl)
+	vdrInstance := vdr.NewVDR(keyStore, networkInstance, didStore, eventManager, storageEngine, pkiMock)
 	err := vdrInstance.Configure(core.TestServerConfig())
 	require.NoError(t, err)
 	newInstance := NewVCRInstance(
@@ -103,7 +105,9 @@ func NewTestVCRInstance(t *testing.T) *vcr {
 		config.Datadir = testDirectory
 	})
 	_ = networkInstance.Configure(serverCfg)
-	vdrInstance := vdr.NewVDR(keyStore, networkInstance, didStore, eventManager, storageEngine)
+	ctrl := gomock.NewController(t)
+	pkiMock := pki.NewMockValidator(ctrl)
+	vdrInstance := vdr.NewVDR(keyStore, networkInstance, didStore, eventManager, storageEngine, pkiMock)
 	err := vdrInstance.Configure(serverCfg)
 	if err != nil {
 		t.Fatal(err)
@@ -132,7 +136,9 @@ func NewTestVCRInstanceInDir(t *testing.T, testDirectory string) *vcr {
 	storageEngine := storage.NewTestStorageEngineInDir(t, testDirectory)
 	networkInstance := network.NewTestNetworkInstance(t)
 	eventManager := events.NewTestManager(t)
-	vdrInstance := vdr.NewVDR(nil, networkInstance, didStore, eventManager, storageEngine)
+	ctrl := gomock.NewController(t)
+	pkiMock := pki.NewMockValidator(ctrl)
+	vdrInstance := vdr.NewVDR(nil, networkInstance, didStore, eventManager, storageEngine, pkiMock)
 	err := vdrInstance.Configure(core.TestServerConfig())
 	if err != nil {
 		t.Fatal(err)

vcr/verifier/signature_verifier.go

@@ -22,6 +22,7 @@ import (
 	crypt "crypto"
 	"errors"
 	"fmt"
+	"github.com/nuts-foundation/nuts-node/vdr/didx509"
 	"strings"
 	"time"
 
@@ -41,6 +42,8 @@ type signatureVerifier struct {
 	jsonldManager jsonld.JSONLD
 }
 
+var ExtractProtectedHeaders = didx509.ExtractProtectedHeaders
+
 // VerifySignature checks if the signature on a VP is valid at a given time
 func (sv *signatureVerifier) VerifySignature(credentialToVerify vc.VerifiableCredential, validateAt *time.Time) error {
 	switch credentialToVerify.Format() {
@@ -102,7 +105,10 @@ func (sv *signatureVerifier) jsonldProof(documentToVerify any, issuer string, at
 	}
 
 	// find key
-	signingKey, err := sv.keyResolver.ResolveKeyByID(ldProof.VerificationMethod.String(), at, resolver.NutsSigningKeyType)
+	metadata := &resolver.ResolveMetadata{
+		ResolveTime: at,
+	}
+	signingKey, err := sv.keyResolver.ResolveKeyByID(ldProof.VerificationMethod.String(), metadata, resolver.NutsSigningKeyType)
 	if err != nil {
 		return fmt.Errorf("unable to resolve valid signing key: %w", err)
 	}
@@ -119,7 +125,15 @@ func (sv *signatureVerifier) jwtSignature(jwtDocumentToVerify string, issuer str
 	var keyID string
 	_, err := crypto.ParseJWT(jwtDocumentToVerify, func(kid string) (crypt.PublicKey, error) {
 		keyID = kid
-		return sv.resolveSigningKey(kid, issuer, at)
+		metadata := &resolver.ResolveMetadata{
+			ResolveTime: at,
+		}
+		headers, err := ExtractProtectedHeaders(jwtDocumentToVerify)
+		if err != nil {
+			return nil, err
+		}
+		metadata.JwtProtectedHeaders = headers
+		return sv.resolveSigningKey(kid, issuer, metadata)
 	}, jwt.WithClock(jwt.ClockFunc(func() time.Time {
 		if at == nil {
 			return time.Now()
@@ -135,7 +149,7 @@ func (sv *signatureVerifier) jwtSignature(jwtDocumentToVerify string, issuer str
 	return nil
 }
 
-func (sv *signatureVerifier) resolveSigningKey(kid string, issuer string, at *time.Time) (crypt.PublicKey, error) {
+func (sv *signatureVerifier) resolveSigningKey(kid string, issuer string, metadata *resolver.ResolveMetadata) (crypt.PublicKey, error) {
 	// Compatibility: VC data model v1 puts key discovery out of scope and does not require the `kid` header.
 	// When `kid` isn't present use the JWT issuer as `kid`, then it is at least compatible with DID methods that contain a single verification method (did:jwk).
 	if kid == "" {
@@ -144,5 +158,5 @@ func (sv *signatureVerifier) resolveSigningKey(kid string, issuer string, at *ti
 	if strings.HasPrefix(kid, "did:jwk:") && !strings.Contains(kid, "#") {
 		kid += "#0"
 	}
-	return sv.keyResolver.ResolveKeyByID(kid, at, resolver.NutsSigningKeyType)
+	return sv.keyResolver.ResolveKeyByID(kid, metadata, resolver.NutsSigningKeyType)
 }