baseid_vc/

data_integrity.rs

//! Data Integrity proof creation and verification.
//!
//! Implements the eddsa-rdfc-2022 cryptosuite for signing and verifying
//! W3C Verifiable Credentials with Data Integrity proofs.
//!
//! # Canonicalization
//!
//! This implementation uses RDFC-1.0 (RDF Dataset Canonicalization) via
//! the `baseid-jsonld` crate. The document and proof options are expanded
//! from JSON-LD into N-Quads and then canonicalized per the W3C RDFC-1.0
//! specification, producing deterministic output for hashing and signing.
//!
//! # References
//!
//! - [W3C Data Integrity](https://www.w3.org/TR/vc-data-integrity/)
//! - [eddsa-rdfc-2022](https://www.w3.org/TR/vc-di-eddsa/)
//! - [RDFC-1.0](https://www.w3.org/TR/rdf-canon/)

use baseid_core::error::CryptoError;
use baseid_core::types::SignatureAlgorithm;
use baseid_crypto::signer::{Signer, Verifier};
use serde_json::Value;
use sha2::{Digest, Sha256};

use crate::credential::VerifiableCredential;
use crate::proof::{Cryptosuite, DataIntegrityProof};

/// Sign a Verifiable Credential with a Data Integrity proof (eddsa-rdfc-2022).
///
/// Returns a new VerifiableCredential with the proof attached.
pub fn sign_credential_di(
    vc: &VerifiableCredential,
    signer: &dyn Signer,
    verification_method: &str,
) -> baseid_core::Result<VerifiableCredential> {
    // Verify signer uses Ed25519 (eddsa-rdfc-2022 is Ed25519-only)
    if signer.algorithm() != SignatureAlgorithm::EdDsa {
        return Err(CryptoError::UnsupportedAlgorithm.into());
    }

    // 1. Serialize VC without proof
    let mut vc_value = serde_json::to_value(vc).map_err(|_| CryptoError::SigningFailed)?;
    if let Some(obj) = vc_value.as_object_mut() {
        obj.remove("proof");
    }

    // 2. Create proof options (without proofValue)
    let created = current_timestamp();
    let proof_options = serde_json::json!({
        "type": "DataIntegrityProof",
        "cryptosuite": Cryptosuite::EddsaRdfc2022.as_str(),
        "created": created,
        "verificationMethod": verification_method,
        "proofPurpose": "assertionMethod",
    });

    // 3. Canonicalize document and proof options using RDFC-1.0
    let canonical_doc = canonicalize_document(&vc_value);
    let canonical_opts = canonicalize_document(&proof_options);

    // 4. Hash both: SHA-256(proof_options) || SHA-256(document)
    let opts_hash = Sha256::digest(canonical_opts.as_bytes());
    let doc_hash = Sha256::digest(canonical_doc.as_bytes());
    let mut to_sign = Vec::with_capacity(64);
    to_sign.extend_from_slice(&opts_hash);
    to_sign.extend_from_slice(&doc_hash);

    // 5. Sign the concatenated hashes
    let signature = signer
        .sign(&to_sign)
        .map_err(|_| CryptoError::SigningFailed)?;

    // 6. Encode signature as multibase base58btc
    let proof_value = multibase::encode(multibase::Base::Base58Btc, &signature);

    // 7. Build the signed VC with proof
    let proof = DataIntegrityProof {
        r#type: "DataIntegrityProof".to_string(),
        cryptosuite: Cryptosuite::EddsaRdfc2022.as_str().to_string(),
        created,
        verification_method: verification_method.to_string(),
        proof_purpose: "assertionMethod".to_string(),
        proof_value,
    };

    let mut signed_vc = vc.clone();
    signed_vc.proof = Some(serde_json::to_value(&proof).map_err(|_| CryptoError::SigningFailed)?);

    Ok(signed_vc)
}

/// Verify a Data Integrity proof on a Verifiable Credential.
///
/// Returns Ok(()) if the proof is valid, Err otherwise.
pub fn verify_credential_di(
    vc: &VerifiableCredential,
    verifier: &dyn Verifier,
) -> baseid_core::Result<()> {
    // 1. Extract and parse the proof
    let proof_value = vc.proof.as_ref().ok_or(CryptoError::VerificationFailed)?;
    let proof: DataIntegrityProof =
        serde_json::from_value(proof_value.clone()).map_err(|_| CryptoError::VerificationFailed)?;

    // 2. Verify cryptosuite
    if Cryptosuite::parse_str(&proof.cryptosuite).is_none() {
        return Err(CryptoError::UnsupportedAlgorithm.into());
    }

    // 3. Decode the multibase proof value
    let (_, signature_bytes) =
        multibase::decode(&proof.proof_value).map_err(|_| CryptoError::VerificationFailed)?;

    // 4. Reconstruct the proof options (without proofValue)
    let proof_options = serde_json::json!({
        "type": proof.r#type,
        "cryptosuite": proof.cryptosuite,
        "created": proof.created,
        "verificationMethod": proof.verification_method,
        "proofPurpose": proof.proof_purpose,
    });

    // 5. Serialize VC without proof
    let mut vc_value = serde_json::to_value(vc).map_err(|_| CryptoError::VerificationFailed)?;
    if let Some(obj) = vc_value.as_object_mut() {
        obj.remove("proof");
    }

    // 6. Canonicalize and hash using RDFC-1.0
    let canonical_doc = canonicalize_document(&vc_value);
    let canonical_opts = canonicalize_document(&proof_options);
    let opts_hash = Sha256::digest(canonical_opts.as_bytes());
    let doc_hash = Sha256::digest(canonical_doc.as_bytes());
    let mut to_verify = Vec::with_capacity(64);
    to_verify.extend_from_slice(&opts_hash);
    to_verify.extend_from_slice(&doc_hash);

    // 7. Verify the signature
    let valid = verifier
        .verify(&to_verify, &signature_bytes)
        .map_err(|_| CryptoError::VerificationFailed)?;
    if !valid {
        return Err(CryptoError::VerificationFailed.into());
    }

    Ok(())
}

/// Canonicalize a JSON value using RDFC-1.0 (via baseid-jsonld).
///
/// Expands the JSON-LD document and applies W3C RDFC-1.0 canonicalization,
/// producing deterministic canonical N-Quads that are then SHA-256 hashed.
fn canonicalize_document(value: &Value) -> String {
    baseid_jsonld::canonicalize_vc(value)
}

/// JCS (JSON Canonicalization Scheme, RFC 8785) canonicalization.
///
/// Produces a deterministic JSON string with:
/// - Object keys sorted lexicographically
/// - No whitespace
/// - Numbers in shortest representation
/// - Strings escaped per JSON spec
#[cfg(test)]
fn canonicalize_jcs(value: &Value) -> String {
    match value {
        Value::Object(map) => {
            let mut entries: Vec<(&String, &Value)> = map.iter().collect();
            entries.sort_by_key(|(k, _)| *k);
            let parts: Vec<String> = entries
                .iter()
                .map(|(k, v)| {
                    format!(
                        "{}:{}",
                        canonicalize_jcs(&Value::String((*k).clone())),
                        canonicalize_jcs(v)
                    )
                })
                .collect();
            format!("{{{}}}", parts.join(","))
        }
        Value::Array(arr) => {
            let parts: Vec<String> = arr.iter().map(canonicalize_jcs).collect();
            format!("[{}]", parts.join(","))
        }
        Value::String(_) | Value::Number(_) | Value::Bool(_) | Value::Null => {
            serde_json::to_string(value).unwrap_or_else(|_| "null".to_string())
        }
    }
}

/// Generate an RFC 3339 timestamp for the current time.
fn current_timestamp() -> String {
    let secs = std::time::SystemTime::now()
        .duration_since(std::time::UNIX_EPOCH)
        .unwrap_or_default()
        .as_secs();
    // Simple UTC timestamp (matching signing.rs pattern)
    let days = secs / 86400;
    let rem = secs % 86400;
    let hours = rem / 3600;
    let minutes = (rem % 3600) / 60;
    let seconds = rem % 60;
    // Approximate date calculation
    let (year, month, day) = epoch_days_to_ymd(days);
    format!(
        "{:04}-{:02}-{:02}T{:02}:{:02}:{:02}Z",
        year, month, day, hours, minutes, seconds
    )
}

fn epoch_days_to_ymd(days: u64) -> (u64, u64, u64) {
    // Simplified - matches the pattern used in signing.rs
    let y = 1970 + days / 365;
    let remaining = days - (y - 1970) * 365 - ((y - 1969) / 4);
    let m = remaining / 30 + 1;
    let d = remaining % 30 + 1;
    (y, m.min(12), d.min(28))
}

#[cfg(test)]
mod tests {
    use super::*;
    use baseid_core::types::KeyType;
    use baseid_crypto::KeyPair;

    use crate::credential::{Issuer, VerifiableCredential};

    fn sample_vc() -> VerifiableCredential {
        VerifiableCredential {
            context: vec!["https://www.w3.org/ns/credentials/v2".to_string()],
            id: Some("urn:uuid:test-123".to_string()),
            r#type: vec![
                "VerifiableCredential".to_string(),
                "TestCredential".to_string(),
            ],
            issuer: Issuer::Uri("did:key:z6MkIssuer".to_string()),
            valid_from: Some("2024-01-01T00:00:00Z".to_string()),
            valid_until: None,
            credential_subject: serde_json::json!({"id": "did:key:z6MkHolder", "name": "Alice", "score": 95}),
            credential_status: None,
            proof: None,
        }
    }

    fn test_keypair() -> KeyPair {
        KeyPair::generate(KeyType::Ed25519).unwrap()
    }

    #[test]
    fn sign_verify_roundtrip_ed25519() {
        let kp = test_keypair();
        let vc = sample_vc();
        let signed = sign_credential_di(&vc, &kp, "did:key:z6MkIssuer#key-1").unwrap();
        assert!(signed.proof.is_some());
        verify_credential_di(&signed, &kp.public).unwrap();
    }

    #[test]
    fn proof_structure() {
        let kp = test_keypair();
        let vc = sample_vc();
        let signed = sign_credential_di(&vc, &kp, "did:key:z6MkIssuer#key-1").unwrap();
        let proof: DataIntegrityProof = serde_json::from_value(signed.proof.unwrap()).unwrap();
        assert_eq!(proof.r#type, "DataIntegrityProof");
        assert_eq!(proof.cryptosuite, "eddsa-rdfc-2022");
        assert_eq!(proof.proof_purpose, "assertionMethod");
        assert_eq!(proof.verification_method, "did:key:z6MkIssuer#key-1");
    }

    #[test]
    fn proof_value_is_multibase() {
        let kp = test_keypair();
        let vc = sample_vc();
        let signed = sign_credential_di(&vc, &kp, "did:key:z6MkIssuer#key-1").unwrap();
        let proof: DataIntegrityProof = serde_json::from_value(signed.proof.unwrap()).unwrap();
        assert!(
            proof.proof_value.starts_with('z'),
            "Should be base58btc multibase (z prefix)"
        );
        // Decode should succeed
        let (base, _) = multibase::decode(&proof.proof_value).unwrap();
        assert_eq!(base, multibase::Base::Base58Btc);
    }

    #[test]
    fn wrong_key_rejected() {
        let signer = test_keypair();
        let wrong_verifier = test_keypair(); // Different key
        let vc = sample_vc();
        let signed = sign_credential_di(&vc, &signer, "did:key:z6MkIssuer#key-1").unwrap();
        let result = verify_credential_di(&signed, &wrong_verifier.public);
        assert!(result.is_err());
    }

    #[test]
    fn tampered_credential_rejected() {
        let kp = test_keypair();
        let vc = sample_vc();
        let mut signed = sign_credential_di(&vc, &kp, "did:key:z6MkIssuer#key-1").unwrap();
        // Tamper with a claim
        signed.credential_subject = serde_json::json!({"id": "did:key:z6MkEvil", "name": "Eve"});
        let result = verify_credential_di(&signed, &kp.public);
        assert!(result.is_err());
    }

    #[test]
    fn tampered_proof_rejected() {
        let kp = test_keypair();
        let vc = sample_vc();
        let mut signed = sign_credential_di(&vc, &kp, "did:key:z6MkIssuer#key-1").unwrap();
        // Tamper with proof value
        if let Some(proof) = signed.proof.as_mut() {
            proof["proofValue"] = serde_json::Value::String("zINVALID".to_string());
        }
        let result = verify_credential_di(&signed, &kp.public);
        assert!(result.is_err());
    }

    #[test]
    fn canonicalization_determinism() {
        let a = serde_json::json!({"z": 1, "a": 2, "m": 3});
        let b = serde_json::json!({"a": 2, "m": 3, "z": 1});
        assert_eq!(canonicalize_jcs(&a), canonicalize_jcs(&b));
    }

    #[test]
    fn canonicalization_nested() {
        let val = serde_json::json!({"b": {"z": 1, "a": 2}, "a": [3, 1, 2]});
        let canonical = canonicalize_jcs(&val);
        assert_eq!(canonical, "{\"a\":[3,1,2],\"b\":{\"a\":2,\"z\":1}}");
    }

    #[test]
    fn proof_created_timestamp() {
        let kp = test_keypair();
        let vc = sample_vc();
        let signed = sign_credential_di(&vc, &kp, "did:key:z6MkIssuer#key-1").unwrap();
        let proof: DataIntegrityProof = serde_json::from_value(signed.proof.unwrap()).unwrap();
        // Should be a reasonable ISO 8601 timestamp
        assert!(proof.created.contains('T'));
        assert!(proof.created.ends_with('Z'));
        assert!(proof.created.starts_with("20"));
    }

    #[test]
    fn no_proof_verification_fails() {
        let kp = test_keypair();
        let vc = sample_vc(); // No proof
        let result = verify_credential_di(&vc, &kp.public);
        assert!(result.is_err());
    }

    #[test]
    fn credential_unchanged_after_signing() {
        let kp = test_keypair();
        let vc = sample_vc();
        let signed = sign_credential_di(&vc, &kp, "did:key:z6MkIssuer#key-1").unwrap();
        // Core fields should be preserved
        assert_eq!(signed.context, vc.context);
        assert_eq!(signed.r#type, vc.r#type);
        assert_eq!(signed.credential_subject, vc.credential_subject);
        assert_eq!(signed.valid_from, vc.valid_from);
    }
}