Merge pull request #135 from GLEIF-IT/feature/signed_headers_verification_in_presentations

Signed headers verification logic to the /presentations endpoint

Author: aydarng

.github/workflows/python-app-ci.yml

@@ -16,18 +16,28 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ macos-13, ubuntu-latest ]
+        os: [ macOS-15, ubuntu-latest ]
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Set up Python 3.12.2
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v5
         with:
           python-version: 3.12.2
       - name: Install libsodium
         run: |
           if [ "${{ runner.os }}" == "macOS" ]; then
-            brew install libsodium
+            brew install libsodium pkg-config
+            SODIUM_PREFIX="$(brew --prefix libsodium)"
+            echo "SODIUM_PREFIX=$SODIUM_PREFIX" >> $GITHUB_ENV
+      
+            # Runtime discovery (this is the important part for pysodium import)
+            echo "DYLD_FALLBACK_LIBRARY_PATH=$SODIUM_PREFIX/lib:/usr/local/lib:/usr/lib" >> $GITHUB_ENV
+      
+            # Build-time helpers (safe to set; useful if anything compiles/links)
+            echo "PKG_CONFIG_PATH=$SODIUM_PREFIX/lib/pkgconfig:$PKG_CONFIG_PATH" >> $GITHUB_ENV
+            echo "LDFLAGS=-L$SODIUM_PREFIX/lib $LDFLAGS" >> $GITHUB_ENV
+            echo "CPPFLAGS=-I$SODIUM_PREFIX/include $CPPFLAGS" >> $GITHUB_ENV
           else
             sudo apt-get install -y libsodium-dev
           fi

docker-compose.yml

@@ -1,5 +1,5 @@
 services:
-  # witnesses:
+  #  witnesses:
   #   # container_name: witnesshost
   #   # hostname: witnesshost
   #   image: weboftrust/keri:latest
@@ -31,13 +31,11 @@ services:
     image: gleif/vlei-verifier:latest
     container_name: vlei-verifier
     hostname: vlei-verifier
-    # depends_on:
-    #   - vlei
-    #   - witnesses
     ports:
       - 7676:7676
     environment:
       - VERIFIER_CONFIG_FILE=verifier-config-public.json
+      - VERIFY_ROOT_OF_TRUST=True
     healthcheck:
       test:
           - CMD

scripts/keri/cf/verifier-config-public.json

@@ -1,26 +1,13 @@
 {
   "dt": "2022-01-20T12:57:59.823350+00:00",
   "iurls": [
-    "https://witness-dev01.rootsid.cloud/oobi/BHI7yViNOGWd1X0aKMgxLm4dUgbQDYoCFSJM2U8Hb3cx/controller",
-    "https://witness-dev02.rootsid.cloud/oobi/BOUZ4v-vPMP5KyZQP-d_8B30UHI4KWgXczBgWcRJnnYd/controller",
-    "https://witness-dev03.rootsid.cloud/oobi/BNY3LWk2BzX8wXmkXuvpYRVSdfynanwKQwD80KOG00VH/controller",
-    "http://wit1.rootsid.cloud:5501/oobi/BNZBr3xjR0Vtat_HxFJnfBwQcpDj3LGl4h_MCQdmyN-r/controller",
-    "http://wit2.rootsid.cloud:5503/oobi/BH_XYb3mBmRB1nBVl8XrKjtuQkcIWYKALY4ZWLVOZjKg/controller",
-    "http://wit3.rootsid.cloud:5505/oobi/BAPWdGXGfiFsi3sMvSCPDnoPnEhPp-ZWxK9RYrqCQTa_/controller",
     "https://william.witness.vlei.tech/oobi",
     "https://wesley.witness.vlei.tech/oobi",
     "https://whitney.witness.vlei.tech/oobi",
     "https://wilma.witness.vlei.tech/oobi",
     "https://wilbur.witness.vlei.tech/oobi"
   ],
   "durls": [
-    "http://schemas.rootsid.cloud/oobi/EBNaNu-M9P5cgrnfl2Fvymy4E_jvxxyjb70PRtiANlJy",
-    "http://schemas.rootsid.cloud/oobi/EMhvwOlyEJ9kN4PrwCpr9Jsv7TxPhiYveZ0oP3lJzdEi",
-    "http://schemas.rootsid.cloud/oobi/EKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-E",
-    "http://schemas.rootsid.cloud/oobi/EEy9PkikFcANV1l7EHukCeXqrzT1hNZjGlUk7wuMO5jw",
-    "http://schemas.rootsid.cloud/oobi/ENPXp1vQzRF6JwIuS-mp2U8Uf1MoADoP_GqQ62VsDZWY",
-    "http://schemas.rootsid.cloud/oobi/EH6ekLjSr8V32WyFbGe1zXjTzFs9PkTYmupJ9H65O14g",
-    "http://schemas.rootsid.cloud/oobi/EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao",
     "https://gleif-it.github.io/oobi/EBNaNu-M9P5cgrnfl2Fvymy4E_jvxxyjb70PRtiANlJy",
     "https://gleif-it.github.io/oobi/EMhvwOlyEJ9kN4PrwCpr9Jsv7TxPhiYveZ0oP3lJzdEi",
     "https://gleif-it.github.io/oobi/EKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-E",

scripts/keri/cf/verifier-config-test.json

@@ -1,33 +1,18 @@
 {
   "dt": "2022-01-20T12:57:59.823350+00:00",
   "iurls": [
-    "https://witness-dev01.rootsid.cloud/oobi/BHI7yViNOGWd1X0aKMgxLm4dUgbQDYoCFSJM2U8Hb3cx/controller",
-    "https://witness-dev02.rootsid.cloud/oobi/BOUZ4v-vPMP5KyZQP-d_8B30UHI4KWgXczBgWcRJnnYd/controller",
-    "https://witness-dev03.rootsid.cloud/oobi/BNY3LWk2BzX8wXmkXuvpYRVSdfynanwKQwD80KOG00VH/controller",
-    "http://wit1.rootsid.cloud:5501/oobi/BNZBr3xjR0Vtat_HxFJnfBwQcpDj3LGl4h_MCQdmyN-r/controller",
-    "http://wit2.rootsid.cloud:5503/oobi/BH_XYb3mBmRB1nBVl8XrKjtuQkcIWYKALY4ZWLVOZjKg/controller",
-    "http://wit3.rootsid.cloud:5505/oobi/BAPWdGXGfiFsi3sMvSCPDnoPnEhPp-ZWxK9RYrqCQTa_/controller",
-    "https://william.witness.vlei.tech/oobi",
-    "https://wesley.witness.vlei.tech/oobi",
-    "https://whitney.witness.vlei.tech/oobi",
-    "https://wilma.witness.vlei.tech/oobi",
-    "https://wilbur.witness.vlei.tech/oobi"
+    "http://127.0.0.1:5642/oobi/BBilc4-L3tFUnfM_wJr4S4OJanAv_VmF_dJNN6vkf2Ha/controller",
+    "http://127.0.0.1:5643/oobi/BLskRTInXnMxWaGqcpSyMgo0nYbalW99cGZESrz3zapM/controller",
+    "http://127.0.0.1:5644/oobi/BIKKuvBwpmDVA4Ds-EpL5bt9OqPzWPja2LigFYZN2YfX/controller"
   ],
   "durls": [
-    "http://schemas.rootsid.cloud/oobi/EBNaNu-M9P5cgrnfl2Fvymy4E_jvxxyjb70PRtiANlJy",
-    "http://schemas.rootsid.cloud/oobi/EMhvwOlyEJ9kN4PrwCpr9Jsv7TxPhiYveZ0oP3lJzdEi",
-    "http://schemas.rootsid.cloud/oobi/EKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-E",
-    "http://schemas.rootsid.cloud/oobi/EEy9PkikFcANV1l7EHukCeXqrzT1hNZjGlUk7wuMO5jw",
-    "http://schemas.rootsid.cloud/oobi/ENPXp1vQzRF6JwIuS-mp2U8Uf1MoADoP_GqQ62VsDZWY",
-    "http://schemas.rootsid.cloud/oobi/EH6ekLjSr8V32WyFbGe1zXjTzFs9PkTYmupJ9H65O14g",
-    "http://schemas.rootsid.cloud/oobi/EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao",
-    "https://gleif-it.github.io/oobi/EBNaNu-M9P5cgrnfl2Fvymy4E_jvxxyjb70PRtiANlJy",
-    "https://gleif-it.github.io/oobi/EMhvwOlyEJ9kN4PrwCpr9Jsv7TxPhiYveZ0oP3lJzdEi",
-    "https://gleif-it.github.io/oobi/EKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-E",
-    "https://gleif-it.github.io/oobi/EEy9PkikFcANV1l7EHukCeXqrzT1hNZjGlUk7wuMO5jw",
-    "https://gleif-it.github.io/oobi/ENPXp1vQzRF6JwIuS-mp2U8Uf1MoADoP_GqQ62VsDZWY",
-    "https://gleif-it.github.io/oobi/EH6ekLjSr8V32WyFbGe1zXjTzFs9PkTYmupJ9H65O14g",
-    "https://gleif-it.github.io/oobi/EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao"
+    "http://127.0.0.1:7723/oobi/EBNaNu-M9P5cgrnfl2Fvymy4E_jvxxyjb70PRtiANlJy",
+    "http://127.0.0.1:7723/oobi/EMhvwOlyEJ9kN4PrwCpr9Jsv7TxPhiYveZ0oP3lJzdEi",
+    "http://127.0.0.1:7723/oobi/EKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-E",
+    "http://127.0.0.1:7723/oobi/EEy9PkikFcANV1l7EHukCeXqrzT1hNZjGlUk7wuMO5jw",
+    "http://127.0.0.1:7723/oobi/ENPXp1vQzRF6JwIuS-mp2U8Uf1MoADoP_GqQ62VsDZWY",
+    "http://127.0.0.1:7723/oobi/EH6ekLjSr8V32WyFbGe1zXjTzFs9PkTYmupJ9H65O14g",
+    "http://127.0.0.1:7723/oobi/EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao"
   ],
   "trustedLeis": [],
   "allowedSchemas": [

setup.py

@@ -33,7 +33,7 @@
 
 setup(
     name='verifier',
-    version='0.1.3',  # also change in src/verifier/__init__.py
+    version='0.1.4',  # also change in src/verifier/__init__.py
     license='Apache Software License 2.0',
     description='Verifier: Proof of Concept vLEI Verifier',
     long_description="Verifier: Proof of Concept vLEI Verifier.",
@@ -74,8 +74,9 @@
     ],
     python_requires='>=3.12.2',
     install_requires=[
-        'keri==1.2.0-dev12',
+        'keri==1.2.6',
         'mnemonic>=0.20',
+        'pysodium>=0.7.17',
         'multicommand>=1.0.0',
         'falcon>=3.1.0',
         'http_sfv>=0.9.8',

src/verifier/__init__.py

@@ -1 +1 @@
-__version__ = '0.1.2'
+__version__ = '0.1.4'

src/verifier/core/observing.py

@@ -59,7 +59,7 @@ def _check_revocations(self):
                             if env.mode == "production":
                                 self.vdb.iss.rem(keys=(aid,))  
                                 self.vdb.iss.rem(keys=(state.said,))  
-                                self.vdb.acct.rem(keys=(aid,))  
+                                self.vdb.accts.rem(keys=(aid,))
                     continue
                 except Exception as e:
                     print(f"Error checking witness for credential {state.said}: {e}")
@@ -70,7 +70,7 @@ def _check_revocations(self):
                 if env.mode == "production":
                     self.vdb.iss.rem(keys=(aid,))
                     self.vdb.iss.rem(keys=(state.said,))
-                    self.vdb.acct.rem(keys=(aid,))
+                    self.vdb.accts.rem(keys=(aid,))
 
 
 

src/verifier/core/utils.py

@@ -270,7 +270,7 @@ def process_signature_headers(headers, req):
             or "SIGNIFY-TIMESTAMP" not in headers
     ):
         raise SignatureHeaderError(
-            json.dumps({"msg": "Incorrect Headers"}), 401
+            "Incorrect Signature Headers"
         )
 
     siginput = headers["SIGNATURE-INPUT"]
@@ -282,7 +282,7 @@ def process_signature_headers(headers, req):
 
     if not inputs:
         raise SignatureHeaderError(
-            json.dumps({"msg": "Incorrect Headers"}), 401
+            "Incorrect Signature Headers"
         )
 
     for inputage in inputs:
@@ -325,6 +325,7 @@ def process_signature_headers(headers, req):
 
         sig = cig.qb64
         return sig, ser
+    return None
 
 
 def verify_signed_headers(hby, aid, signature, encoded_data) -> tuple[SignatureVerificationStatus, str]:

src/verifier/core/verifying.py

@@ -358,7 +358,7 @@ def on_put(self, req, rep, said):
         found = False
         presentation_type: PresentationType = "CREDENTIAL"
         saids = []
-
+        aid = None
         if not self.vry.cues:
             while self.hby.kvy.cues:
                 msg = self.hby.kvy.cues.popleft()
@@ -374,6 +374,11 @@ def on_put(self, req, rep, said):
             if "creder" in msg:
                 creder = msg["creder"]
                 if creder.said == said:
+                    creder_attrs = creder.sad['a']
+                    if 'i' in creder_attrs:
+                        aid = creder_attrs['i']
+                    else:
+                        aid = creder.sad['i']
                     found = True
                     break
 
@@ -401,7 +406,26 @@ def on_put(self, req, rep, said):
                 ).encode("utf-8")
                 return
 
-
+            # Signed headers verification
+            env = VerifierEnvironment.resolve_env()
+            if env.mode == "production":
+                headers = req.headers
+                try:
+                    sign, data = process_signature_headers(headers, req)
+                except SignatureHeaderError as e:
+                    rep.status = falcon.HTTP_BAD_REQUEST
+                    rep.data = json.dumps(dict(msg=str(e))).encode("utf-8")
+                    return
+                encoded_data = data.encode("utf-8")
+                verification_status, verification_message = verify_signed_headers(self.hby, aid, sign, encoded_data)
+                if verification_status == SignatureVerificationStatus.UNAUTHORIZED:
+                    rep.status = falcon.HTTP_UNAUTHORIZED
+                    rep.data = json.dumps(dict(msg=verification_message)).encode("utf-8")
+                    return
+                if verification_status == SignatureVerificationStatus.BAD_SIGNATURE:
+                    rep.status = falcon.HTTP_BAD_REQUEST
+                    rep.data = json.dumps(dict(msg=verification_message)).encode("utf-8")
+                    return
 
             saider = coring.Saider(qb64=said)
             cred_attrs = creder.sad["a"]
@@ -453,7 +477,7 @@ def on_put(self, req, rep, said):
                     dict(
                         creds=json.dumps(creds),
                         aid=aid,
-                        msg=f"{said} for {aid} as {type} is {cred_state.state}",
+                        msg=info,
                     )
                 ).encode("utf-8")
             else:

tests/core/test_verifying.py

@@ -557,4 +557,4 @@ def test_ecr_newschema(seeder):
         # ecr auth cred is verified to be a valid credential
         assert result.status == falcon.HTTP_202
 
-        assert result.json.get('msg') == f"{cred_value} for {hab.pre} as issuee is Credential cryptographically valid"
+        assert result.json.get('msg') == f"Credential {cred_value} presented for {hab.pre} is cryptographically valid"