Merge pull request SUNET#263 from sirosfoundation/feature/vc20-keymgmt

Feature/vc20 keymgmt

Author: masv3971

cmd/vc20-test-server/main.go

@@ -161,7 +161,7 @@ func handleIssue(w http.ResponseWriter, r *http.Request) {
 			ProofPurpose:       "assertionMethod",
 			Created:            time.Now().UTC(),
 		}
-		signedCred, err = suite.Sign(cred, key, opts)
+		signedCred, err = suite.Sign(r.Context(), cred, key, opts)
 	case "ecdsa-sd-2023":
 		suite := vc_ecdsa.NewSdSuite()
 		opts := &vc_ecdsa.SdSignOptions{

internal/issuer/apiv1/handlers_vc20.go

@@ -127,7 +127,7 @@ func (c *Client) MakeVC20(ctx context.Context, req *CreateVC20Request) (*CreateV
 	}
 
 	// Sign the credential
-	signedCred, err := c.signVC20Credential(cred, cryptosuite, req.MandatoryPointers)
+	signedCred, err := c.signVC20Credential(ctx, cred, cryptosuite, req.MandatoryPointers)
 	if err != nil {
 		return nil, fmt.Errorf("failed to sign credential: %w", err)
 	}
@@ -190,7 +190,7 @@ func (c *Client) buildVC20CredentialJSON(
 }
 
 // signVC20Credential signs a credential using the specified cryptosuite
-func (c *Client) signVC20Credential(cred *credential.RDFCredential, cryptosuite string, mandatoryPointers []string) (*credential.RDFCredential, error) {
+func (c *Client) signVC20Credential(ctx context.Context, cred *credential.RDFCredential, cryptosuite string, mandatoryPointers []string) (*credential.RDFCredential, error) {
 	// Get the verification method from config
 	verificationMethod := c.cfg.Issuer.JWTAttribute.Issuer + "#key-1"
 	if c.kid != "" {
@@ -204,7 +204,7 @@ func (c *Client) signVC20Credential(cred *credential.RDFCredential, cryptosuite
 			return nil, fmt.Errorf("ecdsa-rdfc-2019 requires ECDSA private key, got %T", c.privateKey)
 		}
 		suite := ecdsaSuite.NewSuite()
-		return suite.Sign(cred, key, &ecdsaSuite.SignOptions{
+		return suite.Sign(ctx, cred, key, &ecdsaSuite.SignOptions{
 			VerificationMethod: verificationMethod,
 			ProofPurpose:       "assertionMethod",
 			Created:            time.Now().UTC(),

pkg/didcomm/crypto/ecdh1pu.go

@@ -109,6 +109,15 @@ func (e *ECDH1PUKeyAgreement) GenerateEphemeralKey() error {
 // Returns the derived key and the ephemeral public key (for inclusion in JWE header).
 // Note: This method does NOT include the cc_tag. Use DeriveKeyWithTag for ECDH-1PU key commitment.
 func (e *ECDH1PUKeyAgreement) DeriveKey() ([]byte, jwk.Key, error) {
+	return e.DeriveKeyWithTag(nil)
+}
+
+// DeriveKeyWithTag derives the key using ECDH-1PU with optional key commitment (cc_tag).
+// If ccTag is nil or empty, uses standard Concat KDF.
+// If ccTag is provided, includes the content ciphertext authentication tag in the KDF
+// per draft-madden-jose-ecdh-1pu for key commitment.
+// Returns the derived key and the ephemeral public key.
+func (e *ECDH1PUKeyAgreement) DeriveKeyWithTag(ccTag []byte) ([]byte, jwk.Key, error) {
 	if e.SenderPrivateKey == nil {
 		return nil, nil, fmt.Errorf("%w: sender private key is required for ECDH-1PU encryption", ErrInvalidKey)
 	}
@@ -119,48 +128,22 @@ func (e *ECDH1PUKeyAgreement) DeriveKey() ([]byte, jwk.Key, error) {
 		}
 	}
 
-	// Extract raw keys for ECDH operations
-	ephemeralPriv, err := extractECDHPrivateKey(e.EphemeralPrivateKey)
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to extract ephemeral private key: %w", err)
-	}
-
-	senderPriv, err := extractECDHPrivateKey(e.SenderPrivateKey)
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to extract sender private key: %w", err)
-	}
-
-	recipientPub, err := extractECDHPublicKey(e.RecipientPublicKey)
+	// Compute the shared secret Z = Z_es || Z_ss
+	z, err := e.computeSharedSecret()
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to extract recipient public key: %w", err)
-	}
-
-	// Compute Z_es = ECDH(ephemeral_private, recipient_public)
-	zES, err := ephemeralPriv.ECDH(recipientPub)
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to compute Z_es: %w", err)
-	}
-
-	// Compute Z_ss = ECDH(sender_private, recipient_public)
-	zSS, err := senderPriv.ECDH(recipientPub)
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to compute Z_ss: %w", err)
+		return nil, nil, err
 	}
 
-	// Concatenate: Z = Z_es || Z_ss
-	z := append(zES, zSS...)
-
 	// Get the required key size for the content encryption algorithm
 	keySize, err := getKeyWrapKeySize(e.Algorithm)
 	if err != nil {
 		return nil, nil, err
 	}
 
-	// Derive the key wrapping key using Concat KDF
-	// For ECDH-1PU+A256KW, we use the same KDF as ECDH-ES
-	derivedKey, err := concatKDF(z, e.Algorithm, e.APU, e.APV, keySize)
+	// Derive the key wrapping key using the appropriate KDF
+	derivedKey, err := e.deriveKeyFromZ(z, ccTag, keySize)
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to derive key: %w", err)
+		return nil, nil, err
 	}
 
 	// Get ephemeral public key for inclusion in JWE header
@@ -172,70 +155,56 @@ func (e *ECDH1PUKeyAgreement) DeriveKey() ([]byte, jwk.Key, error) {
 	return derivedKey, ephemeralPubKey, nil
 }
 
-// DeriveKeyWithTag derives the key using ECDH-1PU with key commitment (cc_tag).
-// This includes the content ciphertext authentication tag in the KDF per draft-madden-jose-ecdh-1pu.
-// Returns the derived key and the ephemeral public key.
-func (e *ECDH1PUKeyAgreement) DeriveKeyWithTag(ccTag []byte) ([]byte, jwk.Key, error) {
-	if e.SenderPrivateKey == nil {
-		return nil, nil, fmt.Errorf("%w: sender private key is required for ECDH-1PU encryption", ErrInvalidKey)
-	}
-
-	if e.EphemeralPrivateKey == nil {
-		if err := e.GenerateEphemeralKey(); err != nil {
-			return nil, nil, err
-		}
-	}
-
+// computeSharedSecret computes Z = Z_es || Z_ss for ECDH-1PU encryption.
+func (e *ECDH1PUKeyAgreement) computeSharedSecret() ([]byte, error) {
 	// Extract raw keys for ECDH operations
 	ephemeralPriv, err := extractECDHPrivateKey(e.EphemeralPrivateKey)
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to extract ephemeral private key: %w", err)
+		return nil, fmt.Errorf("failed to extract ephemeral private key: %w", err)
 	}
 
 	senderPriv, err := extractECDHPrivateKey(e.SenderPrivateKey)
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to extract sender private key: %w", err)
+		return nil, fmt.Errorf("failed to extract sender private key: %w", err)
 	}
 
 	recipientPub, err := extractECDHPublicKey(e.RecipientPublicKey)
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to extract recipient public key: %w", err)
+		return nil, fmt.Errorf("failed to extract recipient public key: %w", err)
 	}
 
 	// Compute Z_es = ECDH(ephemeral_private, recipient_public)
 	zES, err := ephemeralPriv.ECDH(recipientPub)
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to compute Z_es: %w", err)
+		return nil, fmt.Errorf("failed to compute Z_es: %w", err)
 	}
 
 	// Compute Z_ss = ECDH(sender_private, recipient_public)
 	zSS, err := senderPriv.ECDH(recipientPub)
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to compute Z_ss: %w", err)
+		return nil, fmt.Errorf("failed to compute Z_ss: %w", err)
 	}
 
 	// Concatenate: Z = Z_es || Z_ss
-	z := append(zES, zSS...)
-
-	// Get the required key size for the content encryption algorithm
-	keySize, err := getKeyWrapKeySize(e.Algorithm)
-	if err != nil {
-		return nil, nil, err
-	}
+	return append(zES, zSS...), nil
+}
 
-	// Derive the key wrapping key using Concat KDF with cc_tag (key commitment)
-	derivedKey, err := concatKDF1PU(z, e.Algorithm, e.APU, e.APV, ccTag, keySize)
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to derive key with tag: %w", err)
+// deriveKeyFromZ derives the key wrapping key from shared secret Z.
+// Uses concatKDF1PU if ccTag is provided, otherwise uses standard concatKDF.
+func (e *ECDH1PUKeyAgreement) deriveKeyFromZ(z, ccTag []byte, keySize int) ([]byte, error) {
+	if len(ccTag) > 0 {
+		derivedKey, err := concatKDF1PU(z, e.Algorithm, e.APU, e.APV, ccTag, keySize)
+		if err != nil {
+			return nil, fmt.Errorf("failed to derive key with tag: %w", err)
+		}
+		return derivedKey, nil
 	}
 
-	// Get ephemeral public key for inclusion in JWE header
-	ephemeralPubKey, err := e.EphemeralPrivateKey.PublicKey()
+	derivedKey, err := concatKDF(z, e.Algorithm, e.APU, e.APV, keySize)
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to get ephemeral public key: %w", err)
+		return nil, fmt.Errorf("failed to derive key: %w", err)
 	}
-
-	return derivedKey, ephemeralPubKey, nil
+	return derivedKey, nil
 }
 
 // DeriveKeyForDecryption derives the key for decryption given the ephemeral public key.
@@ -281,19 +250,8 @@ func (e *ECDH1PUKeyAgreement) DeriveKeyForDecryption(ephemeralPubKey jwk.Key, se
 		return nil, err
 	}
 
-	// Derive the key wrapping key
-	// Use concatKDF1PU if CCTag is set (for ECDH-1PU key commitment)
-	var derivedKey []byte
-	if len(e.CCTag) > 0 {
-		derivedKey, err = concatKDF1PU(z, e.Algorithm, e.APU, e.APV, e.CCTag, keySize)
-	} else {
-		derivedKey, err = concatKDF(z, e.Algorithm, e.APU, e.APV, keySize)
-	}
-	if err != nil {
-		return nil, fmt.Errorf("failed to derive key: %w", err)
-	}
-
-	return derivedKey, nil
+	// Derive the key wrapping key (uses CCTag if set for key commitment)
+	return e.deriveKeyFromZ(z, e.CCTag, keySize)
 }
 
 // generateECDHKey generates an ECDH key pair for the specified curve.

pkg/didcomm/crypto/jwe.go

@@ -491,7 +491,7 @@ func encryptA256CBCHS512(plaintext, cek, aad []byte) (ciphertext, tag, iv []byte
 
 	ciphertext = make([]byte, len(padded))
 	//nolint:gosec // RFC 7518 A256CBC-HS512 requires CBC mode - this is authenticated encryption with HMAC-SHA-512
-	mode := cipher.NewCBCEncrypter(block, iv) //NOSONAR go:S5542
+	mode := cipher.NewCBCEncrypter(block, iv) //NOSONAR
 	mode.CryptBlocks(ciphertext, padded)
 
 	// Compute HMAC-SHA-512 tag
@@ -634,7 +634,7 @@ func wrapKeyAES(cek, wrappingKey []byte) ([]byte, error) {
 			copy(b[:8], a)
 			copy(b[8:], r[i])
 			//nolint:gosec // RFC 3394 AES Key Wrap - this is a key-wrapping primitive with integrity check
-			block.Encrypt(b, b) //NOSONAR go:S5542
+			block.Encrypt(b, b) //NOSONAR
 
 			// A = MSB(64, B) ^ t where t = (n*j)+i
 			t := uint64(n*j + i)
@@ -945,7 +945,7 @@ func decryptA256CBCHS512(ctx context.Context, msg *EncryptedMessage, header *JWE
 	}
 
 	//nolint:gosec // RFC 7518 A256CBC-HS512 - HMAC authentication verified above before decryption
-	mode := cipher.NewCBCDecrypter(block, iv) //NOSONAR go:S5542
+	mode := cipher.NewCBCDecrypter(block, iv) //NOSONAR
 	plaintext := make([]byte, len(ciphertext))
 	mode.CryptBlocks(plaintext, ciphertext)
 
@@ -1125,7 +1125,7 @@ func unwrapKeyAES(wrappedKey, wrappingKey []byte) ([]byte, error) {
 			copy(b[:8], a)
 			copy(b[8:], r[i])
 			//nolint:gosec // RFC 3394 AES Key Unwrap - integrity check validates after unwrap
-			block.Decrypt(b, b) //NOSONAR go:S5542
+			block.Decrypt(b, b) //NOSONAR
 
 			// A = MSB(64, B)
 			copy(a, b[:8])

pkg/didcomm/crypto/jws.go

@@ -156,10 +156,10 @@ func determineSigningAlgorithm(key jwk.Key, hint string) (jwa.SignatureAlgorithm
 			if crv.String() == "secp256k1" {
 				return jwa.ES256K(), nil
 			}
-			return jwa.ES256(), fmt.Errorf("%w: unsupported curve %s", ErrUnsupportedAlgorithm, crv)
+			return jwa.ES256(), fmt.Errorf("%w: unsupported curve %v", ErrUnsupportedAlgorithm, crv)
 		}
 	default:
-		return jwa.EdDSA(), fmt.Errorf("%w: unsupported key type %s", ErrUnsupportedAlgorithm, kty)
+		return jwa.EdDSA(), fmt.Errorf("%w: unsupported key type %v", ErrUnsupportedAlgorithm, kty)
 	}
 }
 

pkg/didcomm/mediator_integration_test.go

@@ -9,10 +9,12 @@
 // - Trust ping through a mediator
 //
 // To run integration tests:
-//   go test -tags "didcomm vc20 integration" ./pkg/didcomm/...
+//
+//	go test -tags "didcomm vc20 integration" ./pkg/didcomm/...
 //
 // For live mediator tests (when available):
-//   go test -tags "didcomm vc20 integration live" ./pkg/didcomm/...
+//
+//	go test -tags "didcomm vc20 integration live" ./pkg/didcomm/...
 package didcomm_test
 
 import (
@@ -49,9 +51,9 @@ const (
 	testRoutingKeySfx = "#routing-key-1"
 
 	// Test error format strings
-	errBuildRoute   = "Failed to build route: %v"
-	errCreatePing   = "Failed to create ping: %v"
-	errHandlePing   = "Failed to handle ping: %v"
+	errBuildRoute = "Failed to build route: %v"
+	errCreatePing = "Failed to create ping: %v"
+	errHandlePing = "Failed to handle ping: %v"
 )
 
 // =============================================================================
@@ -266,8 +268,14 @@ func TestTrustPingThroughMockMediator(t *testing.T) {
 	defer mediator.Close()
 
 	// Generate key pairs for sender and recipient
-	senderPub, senderPriv, _ := ed25519.GenerateKey(rand.Reader)
-	recipientPub, recipientPriv, _ := ed25519.GenerateKey(rand.Reader)
+	senderPub, senderPriv, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		t.Fatalf("Failed to generate sender Ed25519 key: %v", err)
+	}
+	recipientPub, recipientPriv, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		t.Fatalf("Failed to generate recipient Ed25519 key: %v", err)
+	}
 	_ = senderPub
 	_ = senderPriv
 	_ = recipientPub

pkg/didcomm/message/attachment.go

@@ -39,7 +39,9 @@ type Attachment struct {
 }
 
 // AttachmentData represents the actual attachment content.
-// Exactly one of JWS, Hash, Links, Base64, or JSON should be set.
+// At least one of JWS, Links, Base64, or JSON should be set.
+// Multiple formats are allowed per DIDComm spec.
+// Additional validation rules are enforced by AttachmentData.Validate.
 type AttachmentData struct {
 	// JWS is a JSON Web Signature wrapping the content.
 	// Provides integrity and optional authentication.
@@ -71,7 +73,8 @@ func (a *Attachment) Validate() error {
 // Works for Base64 and JSON encoded content.
 func (a *Attachment) GetBytes() ([]byte, error) {
 	if a.Data.Base64 != "" {
-		return base64.URLEncoding.DecodeString(a.Data.Base64)
+		// Use tolerant decoder to support both padded and unpadded encodings
+		return a.DecodeBase64()
 	}
 	if a.Data.JSON != nil {
 		return json.Marshal(a.Data.JSON)
@@ -111,7 +114,8 @@ func (a *Attachment) GetJSON(v any) error {
 		return json.Unmarshal(data, v)
 	}
 	if a.Data.Base64 != "" {
-		data, err := base64.URLEncoding.DecodeString(a.Data.Base64)
+		// Use tolerant decoder for better interop
+		data, err := a.DecodeBase64()
 		if err != nil {
 			return err
 		}
@@ -120,7 +124,8 @@ func (a *Attachment) GetJSON(v any) error {
 	return fmt.Errorf("no JSON data available")
 }
 
-// Validate checks that exactly one data format is specified.
+// Validate checks that at least one data format is specified.
+// DIDComm allows multiple formats, so we only check for minimum presence.
 func (d *AttachmentData) Validate() error {
 	count := 0
 	if d.JWS != nil {
@@ -144,13 +149,13 @@ func (d *AttachmentData) Validate() error {
 	return nil
 }
 
-// NewBase64Attachment creates an attachment with base64-encoded data.
+// NewBase64Attachment creates an attachment with base64url-encoded data (no padding).
 func NewBase64Attachment(id string, mediaType string, data []byte) Attachment {
 	return Attachment{
 		ID:        id,
 		MediaType: mediaType,
 		Data: AttachmentData{
-			Base64: base64.URLEncoding.EncodeToString(data),
+			Base64: base64.RawURLEncoding.EncodeToString(data),
 		},
 	}
 }

pkg/didcomm/message/doc.go

@@ -20,7 +20,7 @@
 //
 //	msg := message.New(
 //	    message.WithType("https://example.com/protocols/1.0/hello"),
-//	    message.WithTo([]string{"did:example:bob"}),
+//	    message.WithTo("did:example:bob"),
 //	    message.WithFrom("did:example:alice"),
 //	    message.WithBody(map[string]any{"greeting": "Hello, Bob!"}),
 //	)

pkg/didcomm/packer.go

@@ -75,7 +75,10 @@ func Pack(ctx context.Context, msg *message.Message, opts PackOptions) (*PackRes
 	}
 
 	// Step 1: Sign if requested
-	if opts.SignBeforeEncrypt && opts.SignerKey != nil {
+	if opts.SignBeforeEncrypt {
+		if opts.SignerKey == nil {
+			return nil, fmt.Errorf("SignBeforeEncrypt requires SignerKey to be set")
+		}
 		signedMsg, err := crypto.Sign(ctx, plaintext, opts.SignerKey, crypto.SignOptions{})
 		if err != nil {
 			return nil, fmt.Errorf("failed to sign message: %w", err)