New Error Handling

Author: vitorpamplona

lib/shc.js

@@ -5,6 +5,18 @@ import { resolveKey, addCachedKeys } from './resolver';
 
 const URI_SCHEMA = 'shc';
 
+const NOT_SUPPORTED = "not_supported";                  // QR Standard not supported by this algorithm
+const INVALID_ENCODING = "invalid_encoding";            // could not decode Base45 for DCC, Base10 for SHC
+const INVALID_COMPRESSION = "invalid_compression";      // could not decompress the byte array
+const INVALID_SIGNING_FORMAT = "invalid_signing_format";// invalid COSE, JOSE, W3C VC Payload
+const KID_NOT_INCLUDED = "kid_not_included";            // unable to resolve the issuer ID
+const ISSUER_NOT_TRUSTED = "issuer_not_trusted";        // issuer is not found in the registry
+const TERMINATED_KEYS = "terminated_keys";              // issuer was terminated by the registry
+const EXPIRED_KEYS = "expired_keys";                    // keys expired
+const REVOKED_KEYS = "revoked_keys";                    // keys were revoked by the issuer
+const INVALID_SIGNATURE = "invalid_signature";          // signature doesn't match
+const VERIFIED = "verified";                            // Verified content.
+
 /*
  * I am not sure if I should build this by hand. 
  */
@@ -34,60 +46,71 @@ export async function sign(payload, privateKey) {
   const fields = { zip: 'DEF' };
   const body = pako.deflateRaw(bodyString);
 
-  const signed = await JWS.createSign({ format: 'compact', fields }, signingKey)
+  return await JWS.createSign({ format: 'compact', fields }, signingKey)
     .update(Buffer.from(body))
     .final();
-
-  return signed;
 }
 
-async function jwsParts(token) {
+function jwsParse(token) {
     let [headerEnc, bodyEnc, signatureEnc] = token.split(".");
-    const header = JSON.parse(base64url.decode(headerEnc));
+    const headerRaw = base64url.decode(headerEnc);
     const signature = base64url.decode(signatureEnc);
-    let bodyRaw = base64url.toBuffer(bodyEnc);
-    if (header.zip == 'DEF') {
-        bodyRaw = Buffer.from(pako.inflateRaw(bodyRaw));
-    }
-    let body = JSON.parse(bodyRaw.toString());
-    return { header, body, signature };
+    const bodyRaw = base64url.toBuffer(bodyEnc);
+    return { headerRaw, bodyRaw, signature };
 }
 
-async function getVerificationKeyForJws(jws) {
-    let parsedJwsUnsafe = await jwsParts(jws);
-    let kid = parsedJwsUnsafe.header.kid;
-    let iss = parsedJwsUnsafe.body.iss;
-    return await resolveKey(iss, kid);
+function jwsInflate(jwsRaw) {
+    jwsRaw.header = JSON.parse(jwsRaw.headerRaw)
+    if (jwsRaw.header.zip == 'DEF') {
+        jwsRaw.body = JSON.parse(Buffer.from(pako.inflateRaw(jwsRaw.bodyRaw)).toString());
+    }
+    return jwsRaw;
 }
 
-async function verifyAndReturnPayload(jws, publicKeyArray) {
+export async function verify(jws, publicKeyArray) {
   if (publicKeyArray) {
     addCachedKeys(publicKeyArray);
   }
+  
+  let rawPayload;
+  try {
+    rawPayload = jwsParse(jws);
+  } catch (err) {
+    console.log(err);
+    return { status: INVALID_SIGNING_FORMAT}
+  }
 
-  let issuer = await getVerificationKeyForJws(jws); 
+  try {
+    rawPayload = jwsInflate(rawPayload);
+  } catch (err) {
+    console.log(err);
+    return { status: INVALID_COMPRESSION, raw: rawPayload }
+  }
 
-  const verified = await JWS.createVerify(await JWK.asKey(issuer.didDocument)).verify(jws)
+  if (!rawPayload.body.iss || !rawPayload.header.kid) return { status: KID_NOT_INCLUDED, contents: rawPayload.body, raw: rawPayload }
 
-  let body = verified.payload;
-  if ((verified.header).zip === 'DEF') {
-      body = Buffer.from(pako.inflateRaw(body));
-  }
+  let issuer = await resolveKey(rawPayload.body.iss, rawPayload.header.kid);
 
-  return {
-    credential: JSON.parse(body.toString()),
-    issuer: issuer, 
-    raw: await jwsParts(jws)
-  };
-}
+  if (!issuer) return { status: ISSUER_NOT_TRUSTED, contents: rawPayload.body, raw: rawPayload }
+
+  switch (issuer.status) {
+    case "revoked": return    { status: REVOKED_KEYS, contents: rawPayload.body, issuer: issuer, raw: rawPayload }
+    case "terminated": return { status: TERMINATED_KEYS, contents: rawPayload.body, issuer: issuer, raw: rawPayload }
+    case "expired": return    { status: EXPIRED_KEYS, contents: rawPayload.body, issuer: issuer, raw: rawPayload }
+  }
 
-export async function verify(jws, pubkeyKey) {
   try {
-    await verifyAndReturnPayload(jws, pubkeyKey);
-    return true;
+    const verified = await JWS.createVerify(await JWK.asKey(issuer.didDocument)).verify(jws)
+
+    let body = verified.payload;
+    if ((verified.header).zip === 'DEF') {
+        body = Buffer.from(pako.inflateRaw(body));
+    }
+
+    return { status: VERIFIED, contents: JSON.parse(body.toString()), issuer: issuer,  raw: rawPayload };
   } catch (err) {
     console.log(err);
-    return false;
+    return { status: INVALID_SIGNATURE, contents: rawPayload.body, issuer: issuer, raw: rawPayload }
   }
 }
 
@@ -122,24 +145,31 @@ export async function unpack(uri) {
     } 
   } 
 
-  return await fromBase10(data);
+  try {
+    return await fromBase10(data);
+  } catch (err) {
+    console.log(err);
+    return undefined
+  }
 }
 
 export async function pack(payload) {
   return URI_SCHEMA + ':/' + await toBase10(payload);
 }
 
 export async function debug(uri) {
-  return await jwsParts(await unpack(uri));
+  return jwsInflate(jwsParse(await unpack(uri)));
 }
 
 export async function unpackAndVerify(uri, publicKeyArray) {
-  try {
-    return await verifyAndReturnPayload(await unpack(uri), publicKeyArray);
-  } catch (err) {
-    console.log(err);
-    return undefined;
+  const jws = await unpack(uri);
+
+  if (!jws) { 
+    return { status: INVALID_ENCODING, qr: uri };
   }
+
+  const verified = await verify(jws, publicKeyArray);
+  return {...verified, qr: uri};
 }
 export async function signAndPack(payload, publicKeyPem, privateKeyP8) {
   return await pack(await sign(payload, publicKeyPem, privateKeyP8));

test/sign-verify.spec.js

@@ -110,13 +110,13 @@ describe('JWS Crypto', function() {
 
   it('should verify the package', async function() {
     const result = await verify(SIGNED_TEST_PAYLOAD);
-    expect(result).to.be.true;
+    expect(result.status).to.be.eq("verified");
   });
 
   it('should sign and verify the package', async function() {
     const signed = await sign(await makeJWT(TEST_PAYLOAD, "https://pcf.pw"), PRIVATE_KEY);
     const result = await verify(signed);
-    expect(result).to.be.true;
+    expect(result.status).to.be.eq("verified");
   });
 });
 
@@ -132,21 +132,23 @@ describe('Sign And Pack, UnpackAndverify', function() {
   it('should pack And unpack', async function() {
     const packed = await signAndPack(await makeJWT(TEST_PAYLOAD, "https://pcf.pw"), GENERATED_PRIVATE_KEY);
     const result = await unpackAndVerify(packed, CACHED_KEYS);
-    expect(result.credential.vc).to.eql(TEST_PAYLOAD);
-    expect(result.credential.iss).to.eql("https://pcf.pw");
-    expect(result.credential.nbf).to.be.undefined;
-    expect(result.credential.exp).to.be.undefined;
+    expect(result.status).to.be.eq("verified");
+    expect(result.contents.vc).to.eql(TEST_PAYLOAD);
+    expect(result.contents.iss).to.eql("https://pcf.pw");
+    expect(result.contents.nbf).to.be.undefined;
+    expect(result.contents.exp).to.be.undefined;
   });
 
   it('should pack And unpack with dates', async function() {
     let nbf = new Date(2021, 11, 02);
     let exp = new Date(2022, 11, 02);
     const packed = await signAndPack(await makeJWT(TEST_PAYLOAD, "https://pcf.pw", nbf, exp), GENERATED_PRIVATE_KEY);
     const result = await unpackAndVerify(packed, CACHED_KEYS);
-    expect(result.credential.vc).to.eql(TEST_PAYLOAD);
-    expect(result.credential.iss).to.eql("https://pcf.pw");
-    expect(new Date(result.credential.nbf*1000)).to.eql(nbf);
-    expect(new Date(result.credential.exp*1000)).to.eql(exp);
+    expect(result.status).to.be.eq("verified");
+    expect(result.contents.vc).to.eql(TEST_PAYLOAD);
+    expect(result.contents.iss).to.eql("https://pcf.pw");
+    expect(new Date(result.contents.nbf*1000)).to.eql(nbf);
+    expect(new Date(result.contents.exp*1000)).to.eql(exp);
   });
 });
 
@@ -248,7 +250,7 @@ const EXAMPLE2_OBJECT = {
 describe('Testing SmartCard Examples', function() {
   it('should verify example 1', async function() {
     const result = await verify(EXAMPLE1_SIGNED);
-    expect(result).to.be.true;
+    expect(result.status).to.be.eq("verified");
   });
   it('should pack example 1', async function() {
     const packed = await pack(EXAMPLE1_SIGNED);
@@ -260,7 +262,7 @@ describe('Testing SmartCard Examples', function() {
   });
   it('should unpack and verify example 2', async function() {
     const json = await unpackAndVerify(EXAMPLE2_PACKED);
-    expect(json.credential).to.eql(EXAMPLE2_OBJECT);
+    expect(json.contents).to.eql(EXAMPLE2_OBJECT);
     expect(json.issuer).to.eql({ 
       displayName: { en: 'Untrusted Issuer: spec.smarthealth.cards/examples/issuer' },
       entityType: 'issuer',
@@ -309,23 +311,19 @@ const GENERATED_PUBLIC_KEY = {
     } 
 
 const CACHED_KEYS = {
-  "https://pcf.pw": {
-    keys: [GENERATED_PUBLIC_KEY]
-  }
+  "https://pcf.pw": { keys: [GENERATED_PUBLIC_KEY] }
 }
 
 describe('JWS Crypto w/ New Keys', function() {
   it('should sign and verify the package', async function() {
     const signed = await sign(await makeJWT(TEST_PAYLOAD, "https://pcf.pw"), GENERATED_PRIVATE_KEY);
     const result = await verify(signed, CACHED_KEYS);
-    expect(result).to.be.true;
+    expect(result.status).to.be.eq("verified");
   });
-});
 
-describe('JWS Crypto w/ New Keys', function() {
   it('should sign and verify the package w/ Not Before Date', async function() {
     const signed = await sign(await makeJWT(TEST_PAYLOAD, "https://pcf.pw", new Date()), GENERATED_PRIVATE_KEY);
     const result = await verify(signed, CACHED_KEYS);
-    expect(result).to.be.true;
+    expect(result.status).to.be.eq("verified");
   });
 });