fix: harden go credential proofs

Author: ramtamilselvan

sdk/go/credential/proof.go

@@ -0,0 +1,113 @@
+package credential
+
+import (
+	"crypto/hmac"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"sort"
+	"time"
+
+	"golang.org/x/crypto/sha3"
+)
+
+// ComputeCredentialSubjectMerkleRoot returns the deterministic root covered by
+// a credential proof. The subject ID and each attribute are committed as
+// independent leaves so claim tampering changes the root.
+func ComputeCredentialSubjectMerkleRoot(subject CredentialSubject) (string, error) {
+	leaves := make([][]byte, 0, len(subject.Attributes)+1)
+
+	idLeaf, err := hashSubjectLeaf("id", subject.ID)
+	if err != nil {
+		return "", err
+	}
+	leaves = append(leaves, idLeaf)
+
+	keys := make([]string, 0, len(subject.Attributes))
+	for key := range subject.Attributes {
+		keys = append(keys, key)
+	}
+	sort.Strings(keys)
+
+	for _, key := range keys {
+		leaf, err := hashSubjectLeaf(key, subject.Attributes[key])
+		if err != nil {
+			return "", err
+		}
+		leaves = append(leaves, leaf)
+	}
+
+	root := computeMerkleRoot(leaves)
+	return hex.EncodeToString(root), nil
+}
+
+// BuildCredentialProofPayload builds the canonical bytes signed by issuer
+// proof keys.
+func BuildCredentialProofPayload(cred *VerifiableCredential, subjectMerkleRoot string) ([]byte, error) {
+	if cred == nil {
+		return nil, fmt.Errorf("credential: nil credential")
+	}
+	payload := map[string]interface{}{
+		"credentialSchema":  cred.SchemaID,
+		"expirationDate":    formatProofTime(cred.ExpirationDate),
+		"id":                cred.ID,
+		"issuanceDate":      formatProofTime(cred.IssuanceDate),
+		"issuer":            cred.Issuer,
+		"subjectMerkleRoot": subjectMerkleRoot,
+		"type":              cred.Type,
+	}
+	return json.Marshal(payload)
+}
+
+// ComputeCredentialProofValue computes the issuer-key MAC over a proof payload.
+func ComputeCredentialProofValue(signingKey string, payload []byte) string {
+	mac := hmac.New(sha3.New256, []byte(signingKey))
+	mac.Write(payload)
+	return hex.EncodeToString(mac.Sum(nil))
+}
+
+func hashSubjectLeaf(key string, value interface{}) ([]byte, error) {
+	payload, err := json.Marshal(map[string]interface{}{key: value})
+	if err != nil {
+		return nil, fmt.Errorf("credential: subject leaf %q is not serializable: %w", key, err)
+	}
+	return sha3256(payload), nil
+}
+
+func computeMerkleRoot(leaves [][]byte) []byte {
+	layer := make([][]byte, len(leaves))
+	copy(layer, leaves)
+
+	for len(layer) > 1 {
+		next := make([][]byte, 0, (len(layer)+1)/2)
+		for i := 0; i < len(layer); i += 2 {
+			if i+1 >= len(layer) {
+				next = append(next, layer[i])
+				continue
+			}
+			next = append(next, hashMerklePair(layer[i], layer[i+1]))
+		}
+		layer = next
+	}
+	return layer[0]
+}
+
+func hashMerklePair(left, right []byte) []byte {
+	if string(left) <= string(right) {
+		return sha3256(append(append([]byte{}, left...), right...))
+	}
+	return sha3256(append(append([]byte{}, right...), left...))
+}
+
+func sha3256(data []byte) []byte {
+	h := sha3.New256()
+	h.Write(data)
+	return h.Sum(nil)
+}
+
+func formatProofTime(t time.Time) string {
+	if t.IsZero() {
+		return ""
+	}
+	return t.UTC().Format(time.RFC3339Nano)
+}

sdk/go/credential/types.go

@@ -86,6 +86,8 @@ type Proof struct {
 	ProofPurpose string `json:"proofPurpose"`
 	// ProofValue is the encoded proof value.
 	ProofValue string `json:"proofValue"`
+	// MerkleRoot commits to the credential subject covered by the proof.
+	MerkleRoot string `json:"merkleRoot,omitempty"`
 }
 
 // VerifiablePresentation represents a W3C Verifiable Presentation.

sdk/go/credential/types_test.go

@@ -47,11 +47,12 @@ func TestVerifiableCredentialJSON(t *testing.T) {
 			},
 		},
 		Proof: &Proof{
-			Type:               "BbsBlsSignature2020",
+			Type:               "ZeroIDCredentialProof2026",
 			Created:            now,
-			VerificationMethod: "did:zero:0x1111#key-1",
+			VerificationMethod: "did:zero:0x1111111111111111111111111111111111111111#key-1",
 			ProofPurpose:       "assertionMethod",
 			ProofValue:         "z3abc123",
+			MerkleRoot:         "abc123",
 		},
 		Status:   StatusActive,
 		SchemaID: "https://schema.zeroid.io/identity/v1",
@@ -79,8 +80,11 @@ func TestVerifiableCredentialJSON(t *testing.T) {
 	if decoded.Proof == nil {
 		t.Fatal("Proof should not be nil")
 	}
-	if decoded.Proof.Type != "BbsBlsSignature2020" {
-		t.Errorf("Proof.Type = %q, want %q", decoded.Proof.Type, "BbsBlsSignature2020")
+	if decoded.Proof.Type != "ZeroIDCredentialProof2026" {
+		t.Errorf("Proof.Type = %q, want %q", decoded.Proof.Type, "ZeroIDCredentialProof2026")
+	}
+	if decoded.Proof.MerkleRoot != cred.Proof.MerkleRoot {
+		t.Errorf("Proof.MerkleRoot = %q, want %q", decoded.Proof.MerkleRoot, cred.Proof.MerkleRoot)
 	}
 	if decoded.SchemaID != cred.SchemaID {
 		t.Errorf("SchemaID = %q, want %q", decoded.SchemaID, cred.SchemaID)
@@ -200,11 +204,12 @@ func TestCredentialSubjectJSON(t *testing.T) {
 func TestProofJSON(t *testing.T) {
 	now := time.Now().Truncate(time.Second)
 	p := Proof{
-		Type:               "BbsBlsSignature2020",
+		Type:               "ZeroIDCredentialProof2026",
 		Created:            now,
 		VerificationMethod: "did:zero:0xabc#key-1",
 		ProofPurpose:       "assertionMethod",
 		ProofValue:         "z3signature",
+		MerkleRoot:         "abc123",
 	}
 
 	data, err := json.Marshal(p)
@@ -226,4 +231,7 @@ func TestProofJSON(t *testing.T) {
 	if decoded.ProofPurpose != p.ProofPurpose {
 		t.Errorf("ProofPurpose = %q, want %q", decoded.ProofPurpose, p.ProofPurpose)
 	}
+	if decoded.MerkleRoot != p.MerkleRoot {
+		t.Errorf("MerkleRoot = %q, want %q", decoded.MerkleRoot, p.MerkleRoot)
+	}
 }

sdk/go/credential/verifier.go

@@ -1,8 +1,10 @@
 package credential
 
 import (
+	"crypto/subtle"
 	"errors"
 	"fmt"
+	"strings"
 	"time"
 )
 
@@ -20,6 +22,10 @@ var (
 	ErrIssuerNotApproved = errors.New("credential: issuer not approved")
 	// ErrNoProof is returned when a credential has no proof.
 	ErrNoProof = errors.New("credential: no proof")
+	// ErrInvalidProof is returned when a credential proof is malformed or invalid.
+	ErrInvalidProof = errors.New("credential: invalid proof")
+	// ErrIssuerKeyNotTrusted is returned when no trusted proof key is configured for the issuer.
+	ErrIssuerKeyNotTrusted = errors.New("credential: issuer proof key not trusted")
 	// ErrSchemaNotFound is returned when the credential schema is not found.
 	ErrSchemaNotFound = errors.New("credential: schema not found")
 )
@@ -49,17 +55,36 @@ type VerificationResult struct {
 // Verifier verifies verifiable credentials against on-chain status,
 // expiry, and issuer authorization.
 type Verifier struct {
-	schemas SchemaRegistry
-	issuers IssuerRegistry
-	now     func() time.Time
+	schemas           SchemaRegistry
+	issuers           IssuerRegistry
+	trustedIssuerKeys map[string]string
+	now               func() time.Time
 }
 
 // NewVerifier creates a new credential verifier with the given registries.
 func NewVerifier(schemas SchemaRegistry, issuers IssuerRegistry) *Verifier {
 	return &Verifier{
-		schemas: schemas,
-		issuers: issuers,
-		now:     time.Now,
+		schemas:           schemas,
+		issuers:           issuers,
+		trustedIssuerKeys: make(map[string]string),
+		now:               time.Now,
+	}
+}
+
+// NewVerifierWithTrustedIssuerKeys creates a verifier with issuer-scoped proof keys.
+func NewVerifierWithTrustedIssuerKeys(schemas SchemaRegistry, issuers IssuerRegistry, keys map[string]string) *Verifier {
+	v := NewVerifier(schemas, issuers)
+	v.SetTrustedIssuerKeys(keys)
+	return v
+}
+
+// SetTrustedIssuerKeys replaces the issuer DID to proof-key mapping used to
+// authenticate credential proofs. Keys are copied so callers can safely mutate
+// their input map after configuration.
+func (v *Verifier) SetTrustedIssuerKeys(keys map[string]string) {
+	v.trustedIssuerKeys = make(map[string]string, len(keys))
+	for issuer, key := range keys {
+		v.trustedIssuerKeys[issuer] = key
 	}
 }
 
@@ -145,9 +170,63 @@ func (v *Verifier) checkProof(cred *VerifiableCredential, result *VerificationRe
 		result.Valid = false
 		result.Checks["proof"] = false
 		result.Errors = append(result.Errors, ErrNoProof.Error())
-	} else {
-		result.Checks["proof"] = true
+		return
+	}
+
+	proofErrors := make([]string, 0)
+	proof := cred.Proof
+
+	if proof.Type != "ZeroIDCredentialProof2026" {
+		proofErrors = append(proofErrors, "credential: unsupported proof type")
+	}
+	if proof.ProofPurpose != "assertionMethod" {
+		proofErrors = append(proofErrors, "credential: unsupported proof purpose")
+	}
+	if proof.Created.IsZero() {
+		proofErrors = append(proofErrors, "credential: missing proof creation time")
+	}
+	if proof.VerificationMethod == "" {
+		proofErrors = append(proofErrors, "credential: missing verification method")
+	} else if !strings.HasPrefix(proof.VerificationMethod, cred.Issuer+"#") {
+		proofErrors = append(proofErrors, "credential: verification method is not controlled by issuer")
+	}
+	if proof.ProofValue == "" {
+		proofErrors = append(proofErrors, "credential: missing proof value")
 	}
+	if proof.MerkleRoot == "" {
+		proofErrors = append(proofErrors, "credential: missing subject Merkle root")
+	}
+
+	subjectRoot, err := ComputeCredentialSubjectMerkleRoot(cred.CredentialSubject)
+	if err != nil {
+		proofErrors = append(proofErrors, err.Error())
+	} else if proof.MerkleRoot != "" && proof.MerkleRoot != subjectRoot {
+		proofErrors = append(proofErrors, "credential: subject does not match proof root")
+	}
+
+	issuerKey := v.trustedIssuerKeys[cred.Issuer]
+	if issuerKey == "" {
+		proofErrors = append(proofErrors, ErrIssuerKeyNotTrusted.Error())
+	} else if proof.ProofValue != "" && proof.MerkleRoot != "" {
+		payload, err := BuildCredentialProofPayload(cred, proof.MerkleRoot)
+		if err != nil {
+			proofErrors = append(proofErrors, err.Error())
+		} else {
+			expected := ComputeCredentialProofValue(issuerKey, payload)
+			if subtle.ConstantTimeCompare([]byte(proof.ProofValue), []byte(expected)) != 1 {
+				proofErrors = append(proofErrors, "credential: proof signature is invalid")
+			}
+		}
+	}
+
+	if len(proofErrors) > 0 {
+		result.Valid = false
+		result.Checks["proof"] = false
+		result.Errors = append(result.Errors, proofErrors...)
+		return
+	}
+
+	result.Checks["proof"] = true
 }
 
 func (v *Verifier) checkIssuer(cred *VerifiableCredential, result *VerificationResult) error {