• Home
• org.eclipse.edc
• verifiable-credentials-spi
• 0.9.0
• source code
• VerifiableCredentialValidationService.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.eclipse.edc.iam.verifiablecredentials.spi.VerifiableCredentialValidationService Maven / Gradle / Ivy

/*
 *  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
 *
 *  This program and the accompanying materials are made available under the
 *  terms of the Apache License, Version 2.0 which is available at
 *  https://www.apache.org/licenses/LICENSE-2.0
 *
 *  SPDX-License-Identifier: Apache-2.0
 *
 *  Contributors:
 *       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
 *
 */

package org.eclipse.edc.iam.verifiablecredentials.spi;

import org.eclipse.edc.iam.verifiablecredentials.spi.model.VerifiablePresentation;
import org.eclipse.edc.iam.verifiablecredentials.spi.model.VerifiablePresentationContainer;
import org.eclipse.edc.iam.verifiablecredentials.spi.validation.CredentialValidationRule;
import org.eclipse.edc.iam.verifiablecredentials.spi.validation.TrustedIssuerRegistry;
import org.eclipse.edc.spi.result.Result;

import java.util.Collection;
import java.util.List;

/**
 * Aggregate service to perform all necessary validation of a list of {@link VerifiablePresentation} objects (typically,
 * when performing any sort of presentation request, the response contains an array of presentations).
 * 

 * This should include cryptographic verification of the presentations and all {@link org.eclipse.edc.iam.verifiablecredentials.spi.model.VerifiableCredential} objects contained
 * therein, as well as basic rule validation of the credentials, such as checking the validity period, revocation status, etc.
 * 

 * Implementations may choose to only support one format (LDP or JWT).
 */
public interface VerifiableCredentialValidationService {

    /**
     * Performs the validation of a list of {@link VerifiablePresentation} objects. Note that the result is only successful, if all presentations
     * are validated successfully.
     * 

     * Implementors must check at least the following:
     * 

     *     
Cryptographic integrity of the presentation and all credentials. Note that this may involve remote calls, e.g. when resolving DIDs
     *     
Dtructural integrity, e.g. JWT VPs must contain a {@code vp} claim
     *     
Validity: the credentials must already be valid (e.g. {@code nbf} claim of a JWT-VC) and may not be expired
     *     
Subject-IDs: the subject ID of every credential must match the {@code holder} field of the presentation
     *     
Revocation: if a credential contains a {@code credentialStatus} object, the revocation status is checked. See {@link RevocationListService} for details.
     *     
Valid issuer: the issuer of every credential is checked against a list of trusted issuers ({@link TrustedIssuerRegistry}).
     * 
     *
     * @param presentations         A list of {@link VerifiablePresentation} objects. Empty lists are interpreted as valid
     * @param additionalValidations An optional list of additional validation rules that are applied on the credentials. May be empty, never null.
     * @return {@link Result#success()} if (and only if) every presentation and every credential are determined to be valid.
     */
    default Result validate(List presentations, CredentialValidationRule... additionalValidations) {
        return validate(presentations, List.of(additionalValidations));
    }

    /**
     * Performs the validation of a list of {@link VerifiablePresentation} objects. Note that the result is only successful, if all presentations
     * are validated successfully.
     * 

     * Implementors must check at least the following:
     * 

     *     
Cryptographic integrity of the presentation and all credentials. Note that this may involve remote calls, e.g. when resolving DIDs
     *     
Dtructural integrity, e.g. JWT VPs must contain a {@code vp} claim
     *     
Validity: the credentials must already be valid (e.g. {@code nbf} claim of a JWT-VC) and may not be expired
     *     
Subject-IDs: the subject ID of every credential must match the {@code holder} field of the presentation
     *     
Revocation: if a credential contains a {@code credentialStatus} object, the revocation status is checked. See {@link RevocationListService} for details.
     *     
Valid issuer: the issuer of every credential is checked against a list of trusted issuers ({@link TrustedIssuerRegistry}).
     * 
     *
     * @param presentations         A list of {@link VerifiablePresentation} objects. Empty lists are interpreted as valid
     * @param additionalValidations An optional list of additional validation rules that are applied on the credentials. May be empty, never null.
     * @return {@link Result#success()} if (and only if) every presentation and every credential are determined to be valid.
     */
    Result validate(List presentations, Collection additionalValidations);
}