signer
Signer service exposes HTTP API to create Verifiable Credentials, Verifiable Presentations, or add proofs to given VC or VP. It exposes additional endpoints for retrieving public keys necessary for proofs verification.
It is developed using the Goa v3 framework.
Proofs
The signer Services supports currently the following proofs for credentials:
1. Linked Data Proofs
can be created by using credential proof route:
{
"namespace" :"xyz",
"group" : "xyz",
"key":"test",
"format":"ldp_vc",
"credential":{
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://w3id.org/security/suites/jws-2020/v1",
"https://schema.org"
],
"credentialSubject": {
"id":"did:jwk:eyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2Iiwia3R5IjoiRUMiLCJ4IjoibE01NDNya2xwUUV3T2oyMFowRmdnMUhjMHlkZlhJRU05ckEzRzNSNXdFVSIsInkiOiJvVERYTVNuOWxlMGhrMC1pemFHRUF5OFBxT2pncWUtNWpVMldzbEZBcUw0In0",
"testdata": {"hello":"world", "testXY":"1234"}
},
"issuanceDate": "2022-06-02T17:24:05.032533+03:00",
"issuer": "https://example.com",
"type": "VerifiableCredential"
}
}
2. SD-JWT Proof
can be created by the following structure. !disclosure: can be used to control which date are disclosed.
{
"namespace" :"xyz",
"group" : "xyz",
"key":"test",
"format":"vc+sd-jwt",
"credential":{
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://w3id.org/security/suites/jws-2020/v1",
"https://schema.org"
],
"credentialSubject": {
"id":"did:jwk:eyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2Iiwia3R5IjoiRUMiLCJ4IjoibE01NDNya2xwUUV3T2oyMFowRmdnMUhjMHlkZlhJRU05ckEzRzNSNXdFVSIsInkiOiJvVERYTVNuOWxlMGhrMC1pemFHRUF5OFBxT2pncWUtNWpVMldzbEZBcUw0In0",
"!disclose:testdata": {"!disclose:hello":"world", "testXY":"1234"}
},
"issuanceDate": "2022-06-02T17:24:05.032533+03:00",
"issuer": "https://example.com",
"type": "VerifiableCredential"
}
}Swagger Docs
In the local docker-compose environment a live Swagger UI is exposed at http://localhost:8085/swagger-ui/.
High-level Overview
flowchart LR
A([client]) -- HTTP --> B[Signer API]
subgraph signer
B --HTTP--> C[Vault\nTransit API]
C --> D[(Vault)]
endFormats
The signer supports linked data proofs and optionally sd-jwt(experimental). Sd-JWT is not yet finally standardized, so the implementation is just an experimental demonstration how to do it. It support also just did:jwk as proof signature.
Crypto Engines
The current signer supports multiple crypto engines, which can be loaded from the internal image by setting the var ENGINE_PATH to the availble engine.
Public Keys
The service exposes two endpoints for getting public keys - one for getting a single key by name and the other for getting all possible public keys of the signer service.
The keys are returned in JWK format and are wrapped in a DID Verification Method envelope, so that the response can be used more easily during DID proofs verification process. Example key response:
{
"id": "key1",
"publicKeyJwk": {
"crv": "P-256",
"kid": "key1",
"kty": "EC",
"x": "RTx_2cyYcGVSIRP_826S32BiZxSgnzyXgRYmKP8N2l0",
"y": "unnPzMAnbByBMq2l9WWKsDFE-MDvX6hYhrESsjAaT50"
},
"type": "JsonWebKey2020"
}Dependencies and Vendor
The project uses Go modules for managing dependencies and we commit the vendor directory. When you add/change dependencies, be sure to clean and update the vendor directory before submitting your Merge Request for review.
go mod tidy
go mod vendorTests and Linters
To execute the units tests for the service go to the root project directory and run:
go test -race $(go list ./... | grep -v /integration)To run the linters go to the root project directory and run:
golangci-lint runIntegration Tests
Integration tests are inside the integration directory.
The only configuration option they need is the base URL of the signer service.
It must be specified in the SIGNER_ADDR environment variable.
The tests can be executed against different environments by setting the
value for SIGNER_ADDR.
SIGNER_ADDR=https://{{SIGNER_ADDRESS}} go testNote: these tests are not executed in the CI pipeline currently.