baseid_did/methods/

peer.rs

//! `did:peer` method implementation.
//!
//! Supports numalgo 0 (inception key), 2 (multiple keys + services),
//! 3 (short form hash), and 4 (long form + short form).
//!
//! Reference: <https://identity.foundation/peer-did-method-spec/>

use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine as _};
use sha2::{Digest, Sha256};

use baseid_core::error::DidError;
use baseid_crypto::PublicKey;

use crate::document::{
    DidDocument, Service, ServiceEndpoint, VerificationMethod, VerificationRelationship,
};
use crate::resolution::{DidResolver, ResolutionMetadata, ResolutionResult};

const DID_CONTEXT: &str = "https://www.w3.org/ns/did/v1";
const MULTIKEY_CONTEXT: &str = "https://w3id.org/security/multikey/v1";

/// Resolver for `did:peer` method.
pub struct DidPeerResolver;

impl DidResolver for DidPeerResolver {
    fn method(&self) -> &str {
        "peer"
    }

    async fn resolve(&self, did: &str) -> baseid_core::Result<ResolutionResult> {
        if !did.starts_with("did:peer:") {
            return Err(DidError::UnsupportedMethod.into());
        }

        let method_id = &did["did:peer:".len()..];
        if method_id.is_empty() {
            return Err(DidError::InvalidDid.into());
        }

        let numalgo = method_id.chars().next().unwrap();
        let document = match numalgo {
            '0' => resolve_numalgo_0(did, &method_id[1..])?,
            '2' => resolve_numalgo_2(did, &method_id[1..])?,
            '3' => {
                // Numalgo 3 requires prior exchange — return minimal doc
                return Err(DidError::NotFound.into());
            }
            '4' => resolve_numalgo_4(did, &method_id[1..])?,
            _ => return Err(DidError::InvalidDid.into()),
        };

        Ok(ResolutionResult {
            document: Some(document),
            metadata: ResolutionMetadata {
                content_type: Some("application/did+ld+json".to_string()),
                error: None,
            },
        })
    }
}

impl DidPeerResolver {
    /// Create a did:peer:0 from a single public key (like did:key).
    pub fn create_peer_0(public_key: &PublicKey) -> baseid_core::Result<DidDocument> {
        let multibase = public_key.to_multibase();
        let did = format!("did:peer:0{multibase}");
        resolve_numalgo_0(&did, &multibase)
    }

    /// Create a did:peer:2 from keys and optional services.
    ///
    /// Each key entry is (purpose_char, public_key). Purpose chars:
    /// - 'V' = authentication
    /// - 'E' = keyAgreement
    /// - 'A' = assertionMethod
    ///
    /// Services are JSON values with abbreviated keys.
    pub fn create_peer_2(
        keys: &[(char, &PublicKey)],
        services: &[serde_json::Value],
    ) -> baseid_core::Result<(String, DidDocument)> {
        let mut did = "did:peer:2".to_string();

        for (purpose, key) in keys {
            let multibase = key.to_multibase();
            did.push('.');
            did.push(*purpose);
            did.push_str(&multibase);
        }

        for svc in services {
            let json_str = serde_json::to_string(&abbreviate_service(svc))
                .map_err(|_| DidError::InvalidDid)?;
            let encoded = URL_SAFE_NO_PAD.encode(json_str.as_bytes());
            did.push_str(".S");
            did.push_str(&encoded);
        }

        let method_id = &did["did:peer:2".len()..];
        let doc = resolve_numalgo_2(&did, method_id)?;
        Ok((did, doc))
    }

    /// Create a did:peer:3 from a did:peer:2 (short hash form).
    pub fn create_peer_3(peer2_did: &str) -> baseid_core::Result<String> {
        if !peer2_did.starts_with("did:peer:2") {
            return Err(DidError::InvalidDid.into());
        }
        let method_id = &peer2_did["did:peer:2".len()..];
        let hash = Sha256::digest(method_id.as_bytes());
        // Multihash: SHA-256 = 0x12, length = 0x20
        let mut multihash = vec![0x12, 0x20];
        multihash.extend_from_slice(&hash);
        let multibase = format!("z{}", bs58::encode(&multihash).into_string());
        Ok(format!("did:peer:3{multibase}"))
    }

    /// Create a did:peer:4 from a DID document (long form + short form).
    pub fn create_peer_4(doc: &DidDocument) -> baseid_core::Result<(String, String)> {
        // Serialize doc without id
        let mut doc_json = serde_json::to_value(doc).map_err(|_| DidError::InvalidDid)?;
        if let Some(obj) = doc_json.as_object_mut() {
            obj.remove("id");
        }
        let doc_bytes = serde_json::to_vec(&doc_json).map_err(|_| DidError::InvalidDid)?;

        // Multicodec for JSON: 0x0200
        let mut encoded = vec![0x02, 0x00];
        encoded.extend_from_slice(&doc_bytes);
        let encoded_multibase = format!("z{}", bs58::encode(&encoded).into_string());

        // Hash for short form
        let hash = Sha256::digest(&encoded);
        let mut multihash = vec![0x12, 0x20];
        multihash.extend_from_slice(&hash);
        let hash_multibase = format!("z{}", bs58::encode(&multihash).into_string());

        let long_form = format!("did:peer:4{hash_multibase}:{encoded_multibase}");
        let short_form = format!("did:peer:4{hash_multibase}");

        Ok((long_form, short_form))
    }
}

// ── Numalgo 0: Inception Key ─────────────────────────────────

fn resolve_numalgo_0(did: &str, multibase_key: &str) -> baseid_core::Result<DidDocument> {
    let _public_key =
        PublicKey::from_multibase(multibase_key).map_err(|_| DidError::ResolutionFailed)?;

    let vm_id = format!("{did}#{multibase_key}");
    let vm = VerificationMethod {
        id: vm_id.clone(),
        r#type: "Multikey".to_string(),
        controller: did.to_string(),
        public_key_jwk: None,
        public_key_multibase: Some(multibase_key.to_string()),
    };

    Ok(DidDocument {
        id: did.to_string(),
        context: vec![DID_CONTEXT.to_string(), MULTIKEY_CONTEXT.to_string()],
        verification_method: vec![vm],
        authentication: vec![VerificationRelationship::Reference(vm_id.clone())],
        assertion_method: vec![VerificationRelationship::Reference(vm_id)],
        key_agreement: vec![],
        service: vec![],
    })
}

// ── Numalgo 2: Multiple Keys + Services ──────────────────────

fn resolve_numalgo_2(did: &str, elements_str: &str) -> baseid_core::Result<DidDocument> {
    let mut verification_methods = Vec::new();
    let mut authentication = Vec::new();
    let mut assertion_method = Vec::new();
    let mut key_agreement = Vec::new();
    let mut services = Vec::new();
    let mut key_index = 1u32;
    let mut svc_index = 0u32;

    // Split on '.' (skip empty elements from leading '.')
    let elements: Vec<&str> = elements_str.split('.').filter(|s| !s.is_empty()).collect();

    for element in &elements {
        if element.is_empty() {
            continue;
        }

        let purpose = element.chars().next().unwrap();
        let value = &element[1..];

        if purpose == 'S' {
            // Service: base64url-decoded JSON
            let decoded = URL_SAFE_NO_PAD
                .decode(value.as_bytes())
                .map_err(|_| DidError::ResolutionFailed)?;
            let svc_json: serde_json::Value =
                serde_json::from_slice(&decoded).map_err(|_| DidError::ResolutionFailed)?;
            let expanded = expand_service(&svc_json);

            let svc_id = if svc_index == 0 {
                format!("{did}#service")
            } else {
                format!("{did}#service-{svc_index}")
            };
            svc_index += 1;

            let svc_type = expanded
                .get("type")
                .and_then(|v| v.as_str())
                .unwrap_or("DIDCommMessaging")
                .to_string();
            let endpoint = expanded
                .get("serviceEndpoint")
                .and_then(|v| v.as_str())
                .unwrap_or("")
                .to_string();

            services.push(Service {
                id: svc_id,
                r#type: svc_type,
                service_endpoint: ServiceEndpoint::Uri(endpoint),
            });
        } else {
            // Key: purpose char + multibase-encoded key
            let vm_id = format!("{did}#key-{key_index}");
            key_index += 1;

            let vm = VerificationMethod {
                id: vm_id.clone(),
                r#type: "Multikey".to_string(),
                controller: did.to_string(),
                public_key_jwk: None,
                public_key_multibase: Some(value.to_string()),
            };
            verification_methods.push(vm);

            let rel = VerificationRelationship::Reference(vm_id);
            match purpose {
                'V' => authentication.push(rel),
                'E' => key_agreement.push(rel),
                'A' => assertion_method.push(rel),
                'I' | 'D' => { /* capabilityInvocation / capabilityDelegation */ }
                _ => {}
            }
        }
    }

    Ok(DidDocument {
        id: did.to_string(),
        context: vec![DID_CONTEXT.to_string(), MULTIKEY_CONTEXT.to_string()],
        verification_method: verification_methods,
        authentication,
        assertion_method,
        key_agreement,
        service: services,
    })
}

// ── Numalgo 4: Long Form + Short Form ────────────────────────

fn resolve_numalgo_4(did: &str, rest: &str) -> baseid_core::Result<DidDocument> {
    // Split on ':' — first part is hash, second is encoded document
    let parts: Vec<&str> = rest.splitn(2, ':').collect();
    if parts.len() != 2 {
        // Short form — requires stored long form
        return Err(DidError::NotFound.into());
    }

    let hash_multibase = parts[0];
    let encoded_multibase = parts[1];

    // Decode the encoded document
    if !encoded_multibase.starts_with('z') {
        return Err(DidError::InvalidDid.into());
    }
    let encoded_bytes = bs58::decode(&encoded_multibase[1..])
        .into_vec()
        .map_err(|_| DidError::InvalidDid)?;

    // Strip multicodec JSON prefix (0x02, 0x00)
    if encoded_bytes.len() < 2 || encoded_bytes[0] != 0x02 || encoded_bytes[1] != 0x00 {
        return Err(DidError::InvalidDid.into());
    }
    let doc_bytes = &encoded_bytes[2..];

    // Verify hash
    let computed_hash = Sha256::digest(&encoded_bytes);
    let mut expected_multihash = vec![0x12, 0x20];
    expected_multihash.extend_from_slice(&computed_hash);
    let expected_multibase = format!("z{}", bs58::encode(&expected_multihash).into_string());

    if hash_multibase != expected_multibase {
        return Err(DidError::ResolutionFailed.into());
    }

    // Parse as JSON value first (the stored doc has `id` removed), inject `id`,
    // then deserialize to DidDocument.
    let mut doc_json: serde_json::Value =
        serde_json::from_slice(doc_bytes).map_err(|_| DidError::ResolutionFailed)?;

    if let Some(obj) = doc_json.as_object_mut() {
        obj.insert("id".to_string(), serde_json::Value::String(did.to_string()));
    }

    let doc: DidDocument =
        serde_json::from_value(doc_json).map_err(|_| DidError::ResolutionFailed)?;

    Ok(doc)
}

// ── Service Abbreviation ─────────────────────────────────────

fn abbreviate_service(svc: &serde_json::Value) -> serde_json::Value {
    let mut result = serde_json::Map::new();
    if let Some(obj) = svc.as_object() {
        for (k, v) in obj {
            let key = match k.as_str() {
                "type" => "t",
                "serviceEndpoint" => "s",
                "routingKeys" => "r",
                "accept" => "a",
                other => other,
            };
            let val = if k == "type" {
                match v.as_str() {
                    Some("DIDCommMessaging") => serde_json::Value::String("dm".to_string()),
                    _ => v.clone(),
                }
            } else {
                v.clone()
            };
            result.insert(key.to_string(), val);
        }
    }
    serde_json::Value::Object(result)
}

fn expand_service(svc: &serde_json::Value) -> serde_json::Value {
    let mut result = serde_json::Map::new();
    if let Some(obj) = svc.as_object() {
        for (k, v) in obj {
            let key = match k.as_str() {
                "t" => "type",
                "s" => "serviceEndpoint",
                "r" => "routingKeys",
                "a" => "accept",
                other => other,
            };
            let val = if key == "type" {
                match v.as_str() {
                    Some("dm") => serde_json::Value::String("DIDCommMessaging".to_string()),
                    _ => v.clone(),
                }
            } else {
                v.clone()
            };
            result.insert(key.to_string(), val);
        }
    }
    serde_json::Value::Object(result)
}

// ── bs58 encoding (inline, no external dep) ──────────────────

mod bs58 {
    const ALPHABET: &[u8; 58] = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";

    pub struct Encoder(Vec<u8>);

    pub fn encode(data: &[u8]) -> Encoder {
        Encoder(data.to_vec())
    }

    impl Encoder {
        pub fn into_string(self) -> String {
            let mut result = Vec::new();
            let mut data = self.0;

            // Count leading zeros
            let leading_zeros = data.iter().take_while(|&&b| b == 0).count();

            // Convert to base58
            while !data.is_empty() {
                let mut remainder = 0u32;
                let mut new_data = Vec::new();
                for &byte in &data {
                    let acc = (remainder << 8) | byte as u32;
                    let digit = acc / 58;
                    remainder = acc % 58;
                    if !new_data.is_empty() || digit > 0 {
                        new_data.push(digit as u8);
                    }
                }
                result.push(ALPHABET[remainder as usize]);
                data = new_data;
            }

            // Add leading '1's for leading zeros
            result.extend(std::iter::repeat_n(b'1', leading_zeros));

            result.reverse();
            String::from_utf8(result).unwrap_or_default()
        }
    }

    pub struct Decoder(String);

    pub fn decode(s: &str) -> Decoder {
        Decoder(s.to_string())
    }

    impl Decoder {
        pub fn into_vec(self) -> Result<Vec<u8>, String> {
            let mut result: Vec<u8> = Vec::new();
            let leading_ones = self.0.bytes().take_while(|&b| b == b'1').count();

            for ch in self.0.bytes() {
                let pos = ALPHABET
                    .iter()
                    .position(|&a| a == ch)
                    .ok_or_else(|| format!("invalid base58 char: {}", ch as char))?;
                let mut carry = pos as u32;
                for byte in result.iter_mut().rev() {
                    carry += *byte as u32 * 58;
                    *byte = (carry & 0xff) as u8;
                    carry >>= 8;
                }
                while carry > 0 {
                    result.insert(0, (carry & 0xff) as u8);
                    carry >>= 8;
                }
            }

            // Prepend zeros for leading '1's
            let mut final_result = vec![0u8; leading_ones];
            final_result.extend(result);
            Ok(final_result)
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use baseid_core::types::KeyType;
    use baseid_crypto::KeyPair;
    use serde_json::json;

    #[test]
    fn peer_0_create_and_resolve() {
        let kp = KeyPair::generate(KeyType::Ed25519).unwrap();
        let doc = DidPeerResolver::create_peer_0(&kp.public).unwrap();
        assert!(doc.id.starts_with("did:peer:0z6Mk"));
        assert_eq!(doc.verification_method.len(), 1);
        assert_eq!(doc.authentication.len(), 1);
    }

    #[tokio::test]
    async fn peer_0_resolve_roundtrip() {
        let kp = KeyPair::generate(KeyType::Ed25519).unwrap();
        let doc = DidPeerResolver::create_peer_0(&kp.public).unwrap();
        let resolver = DidPeerResolver;
        let result = resolver.resolve(&doc.id).await.unwrap();
        let resolved = result.document.unwrap();
        assert_eq!(resolved.id, doc.id);
        assert_eq!(resolved.verification_method.len(), 1);
    }

    #[test]
    fn peer_2_create_with_keys_and_service() {
        let auth_kp = KeyPair::generate(KeyType::Ed25519).unwrap();
        let enc_kp = KeyPair::generate(KeyType::P256).unwrap();

        let service = json!({
            "type": "DIDCommMessaging",
            "serviceEndpoint": "https://example.com/didcomm",
            "routingKeys": [],
            "accept": ["didcomm/v2"]
        });

        let (did, doc) = DidPeerResolver::create_peer_2(
            &[('V', &auth_kp.public), ('E', &enc_kp.public)],
            &[service],
        )
        .unwrap();

        assert!(did.starts_with("did:peer:2.V"));
        assert!(did.contains(".E"));
        assert!(did.contains(".S"));
        assert_eq!(doc.verification_method.len(), 2);
        assert_eq!(doc.authentication.len(), 1);
        assert_eq!(doc.key_agreement.len(), 1);
        assert_eq!(doc.service.len(), 1);
        assert_eq!(doc.service[0].r#type, "DIDCommMessaging");
    }

    #[tokio::test]
    async fn peer_2_resolve_roundtrip() {
        let kp = KeyPair::generate(KeyType::Ed25519).unwrap();
        let svc = json!({"type": "DIDCommMessaging", "serviceEndpoint": "https://example.com"});
        let (did, _) = DidPeerResolver::create_peer_2(&[('V', &kp.public)], &[svc]).unwrap();

        let resolver = DidPeerResolver;
        let result = resolver.resolve(&did).await.unwrap();
        let doc = result.document.unwrap();
        assert_eq!(doc.verification_method.len(), 1);
        assert_eq!(doc.service.len(), 1);
    }

    #[test]
    fn peer_2_service_abbreviation() {
        let svc = json!({"type": "DIDCommMessaging", "serviceEndpoint": "https://x.com", "accept": ["didcomm/v2"]});
        let abbreviated = abbreviate_service(&svc);
        assert_eq!(abbreviated["t"], "dm");
        assert_eq!(abbreviated["s"], "https://x.com");
        assert_eq!(abbreviated["a"], json!(["didcomm/v2"]));

        let expanded = expand_service(&abbreviated);
        assert_eq!(expanded["type"], "DIDCommMessaging");
        assert_eq!(expanded["serviceEndpoint"], "https://x.com");
    }

    #[test]
    fn peer_3_from_peer_2() {
        let kp = KeyPair::generate(KeyType::Ed25519).unwrap();
        let (peer2, _) = DidPeerResolver::create_peer_2(&[('V', &kp.public)], &[]).unwrap();
        let peer3 = DidPeerResolver::create_peer_3(&peer2).unwrap();
        assert!(peer3.starts_with("did:peer:3z"));
        // Different peer:2 should produce different peer:3
        let kp2 = KeyPair::generate(KeyType::Ed25519).unwrap();
        let (peer2b, _) = DidPeerResolver::create_peer_2(&[('V', &kp2.public)], &[]).unwrap();
        let peer3b = DidPeerResolver::create_peer_3(&peer2b).unwrap();
        assert_ne!(peer3, peer3b);
    }

    #[test]
    fn peer_4_create_and_resolve() {
        let kp = KeyPair::generate(KeyType::Ed25519).unwrap();
        let multibase = kp.public.to_multibase();
        let doc = DidDocument {
            id: String::new(),
            context: vec![DID_CONTEXT.to_string()],
            verification_method: vec![VerificationMethod {
                id: "#key-1".to_string(),
                r#type: "Multikey".to_string(),
                controller: String::new(),
                public_key_jwk: None,
                public_key_multibase: Some(multibase),
            }],
            authentication: vec![VerificationRelationship::Reference("#key-1".to_string())],
            assertion_method: vec![],
            key_agreement: vec![],
            service: vec![],
        };

        let (long_form, short_form) = DidPeerResolver::create_peer_4(&doc).unwrap();
        assert!(long_form.starts_with("did:peer:4z"));
        assert!(long_form.contains(':'));
        assert!(short_form.starts_with("did:peer:4z"));
        // Short form has no colon after 4z...
        assert!(!short_form[10..].contains(':'));
    }

    #[tokio::test]
    async fn peer_4_resolve_long_form() {
        let kp = KeyPair::generate(KeyType::Ed25519).unwrap();
        let multibase = kp.public.to_multibase();
        let doc = DidDocument {
            id: String::new(),
            context: vec![DID_CONTEXT.to_string()],
            verification_method: vec![VerificationMethod {
                id: "#key-1".to_string(),
                r#type: "Multikey".to_string(),
                controller: String::new(),
                public_key_jwk: None,
                public_key_multibase: Some(multibase),
            }],
            authentication: vec![],
            assertion_method: vec![],
            key_agreement: vec![],
            service: vec![],
        };

        let (long_form, _) = DidPeerResolver::create_peer_4(&doc).unwrap();
        let resolver = DidPeerResolver;
        let result = resolver.resolve(&long_form).await.unwrap();
        let resolved = result.document.unwrap();
        assert_eq!(resolved.verification_method.len(), 1);
    }

    #[tokio::test]
    async fn peer_4_short_form_requires_stored() {
        let resolver = DidPeerResolver;
        let result = resolver.resolve("did:peer:4zQmSomeShortFormHash").await;
        // Short form without stored long form should return NotFound
        assert!(result.is_err());
    }

    #[tokio::test]
    async fn reject_invalid_peer_did() {
        let resolver = DidPeerResolver;
        assert!(resolver.resolve("did:peer:9invalid").await.is_err());
        assert!(resolver.resolve("did:peer:").await.is_err());
        assert!(resolver.resolve("did:key:z6Mk123").await.is_err());
    }

    #[test]
    fn peer_2_multiple_services() {
        let kp = KeyPair::generate(KeyType::Ed25519).unwrap();
        let svc1 = json!({"type": "DIDCommMessaging", "serviceEndpoint": "https://a.com"});
        let svc2 = json!({"type": "LinkedDomains", "serviceEndpoint": "https://b.com"});
        let (_, doc) = DidPeerResolver::create_peer_2(&[('V', &kp.public)], &[svc1, svc2]).unwrap();
        assert_eq!(doc.service.len(), 2);
        assert_eq!(doc.service[0].id, format!("{}#service", doc.id));
        assert_eq!(doc.service[1].id, format!("{}#service-1", doc.id));
    }
}