fix: address Copilot review comments

leifj · leifj · commit bf685f03821d · 2026-02-24T12:03:29.000+01:00
PR SUNET#263 Code Quality Fixes: - jws.go: Use %v instead of %s for non-string types in error messages - attachment.go: Use RawURLEncoding for base64url (no padding per DIDComm spec) - attachment.go: Fix AttachmentData comment to match implementation (multiple formats allowed) - packer.go: Return error when SignBeforeEncrypt=true but SignerKey=nil (was silent no-op) - route.go: Document BuildRoute fallback behavior and RoutingKey usage - ecdsa/suite.go: Add context parameter for HSM signer support - transport/doc.go: Update example to use SendRequest struct - message/doc.go: Fix WithTo example (variadic, not slice) - signer_test.go: Check rand.Read errors properly
diff --git a/pkg/didcomm/crypto/jws.go b/pkg/didcomm/crypto/jws.go
@@ -156,10 +156,10 @@ func determineSigningAlgorithm(key jwk.Key, hint string) (jwa.SignatureAlgorithm
 			if crv.String() == "secp256k1" {
 				return jwa.ES256K(), nil
 			}
-			return jwa.ES256(), fmt.Errorf("%w: unsupported curve %s", ErrUnsupportedAlgorithm, crv)
+			return jwa.ES256(), fmt.Errorf("%w: unsupported curve %v", ErrUnsupportedAlgorithm, crv)
 		}
 	default:
-		return jwa.EdDSA(), fmt.Errorf("%w: unsupported key type %s", ErrUnsupportedAlgorithm, kty)
+		return jwa.EdDSA(), fmt.Errorf("%w: unsupported key type %v", ErrUnsupportedAlgorithm, kty)
 	}
 }
 
diff --git a/pkg/didcomm/message/attachment.go b/pkg/didcomm/message/attachment.go
@@ -39,7 +39,8 @@ type Attachment struct {
 }
 
 // AttachmentData represents the actual attachment content.
-// Exactly one of JWS, Hash, Links, Base64, or JSON should be set.
+// At least one of JWS, Links, Base64, or JSON should be set.
+// Multiple formats are allowed per DIDComm spec.
 type AttachmentData struct {
 	// JWS is a JSON Web Signature wrapping the content.
 	// Provides integrity and optional authentication.
@@ -71,7 +72,7 @@ func (a *Attachment) Validate() error {
 // Works for Base64 and JSON encoded content.
 func (a *Attachment) GetBytes() ([]byte, error) {
 	if a.Data.Base64 != "" {
-		return base64.URLEncoding.DecodeString(a.Data.Base64)
+		return base64.RawURLEncoding.DecodeString(a.Data.Base64)
 	}
 	if a.Data.JSON != nil {
 		return json.Marshal(a.Data.JSON)
@@ -111,7 +112,7 @@ func (a *Attachment) GetJSON(v any) error {
 		return json.Unmarshal(data, v)
 	}
 	if a.Data.Base64 != "" {
-		data, err := base64.URLEncoding.DecodeString(a.Data.Base64)
+		data, err := base64.RawURLEncoding.DecodeString(a.Data.Base64)
 		if err != nil {
 			return err
 		}
@@ -144,13 +145,13 @@ func (d *AttachmentData) Validate() error {
 	return nil
 }
 
-// NewBase64Attachment creates an attachment with base64-encoded data.
+// NewBase64Attachment creates an attachment with base64url-encoded data (no padding).
 func NewBase64Attachment(id string, mediaType string, data []byte) Attachment {
 	return Attachment{
 		ID:        id,
 		MediaType: mediaType,
 		Data: AttachmentData{
-			Base64: base64.URLEncoding.EncodeToString(data),
+			Base64: base64.RawURLEncoding.EncodeToString(data),
 		},
 	}
 }
diff --git a/pkg/didcomm/message/doc.go b/pkg/didcomm/message/doc.go
@@ -20,7 +20,7 @@
 //
 //	msg := message.New(
 //	    message.WithType("https://example.com/protocols/1.0/hello"),
-//	    message.WithTo([]string{"did:example:bob"}),
+//	    message.WithTo("did:example:bob"),
 //	    message.WithFrom("did:example:alice"),
 //	    message.WithBody(map[string]any{"greeting": "Hello, Bob!"}),
 //	)
diff --git a/pkg/didcomm/packer.go b/pkg/didcomm/packer.go
@@ -75,7 +75,10 @@ func Pack(ctx context.Context, msg *message.Message, opts PackOptions) (*PackRes
 	}
 
 	// Step 1: Sign if requested
-	if opts.SignBeforeEncrypt && opts.SignerKey != nil {
+	if opts.SignBeforeEncrypt {
+		if opts.SignerKey == nil {
+			return nil, fmt.Errorf("SignBeforeEncrypt requires SignerKey to be set")
+		}
 		signedMsg, err := crypto.Sign(ctx, plaintext, opts.SignerKey, crypto.SignOptions{})
 		if err != nil {
 			return nil, fmt.Errorf("failed to sign message: %w", err)
diff --git a/pkg/didcomm/routing/route.go b/pkg/didcomm/routing/route.go
@@ -13,10 +13,13 @@ const DefaultMaxHops = 10
 // Hop represents a single hop in a routing path.
 type Hop struct {
 	// RecipientDID is the DID that should receive the message at this hop.
+	// This is used for encryption (Encrypter interface requires DIDs).
 	RecipientDID string
 
-	// RoutingKey is the key ID to use for encryption at this hop.
-	// If empty, the recipient's default key agreement key is used.
+	// RoutingKey is the original key ID from the service endpoint.
+	// May be a DID URL (e.g., did:example:mediator#key-1) or a DID.
+	// The Encrypter uses RecipientDID (extracted from RoutingKey if needed)
+	// since the encryption interface operates on DIDs, not key IDs.
 	RoutingKey string
 
 	// ServiceEndpoint is the endpoint URL for this hop (if known).
@@ -107,7 +110,10 @@ func (rb *RouteBuilder) buildRouteRecursive(ctx context.Context, did string, dep
 	// Resolve the DID's service endpoint
 	service, err := rb.resolver.ResolveDIDCommService(ctx, did)
 	if err != nil {
-		// If we can't resolve, assume direct delivery
+		// Fallback to direct delivery when service resolution fails.
+		// This allows sending to DIDs that don't publish DIDComm services,
+		// treating them as direct recipients. Callers should handle this
+		// by attempting direct delivery or reporting the missing endpoint.
 		return &Route{
 			FinalRecipient: did,
 			Hops: []Hop{
diff --git a/pkg/didcomm/transport/doc.go b/pkg/didcomm/transport/doc.go
@@ -14,7 +14,11 @@
 // Messages are sent as POST requests with appropriate content types.
 //
 //	client := transport.NewHTTPClient()
-//	response, err := client.Send(ctx, "https://example.com/didcomm", message)
+//	response, err := client.Send(ctx, transport.SendRequest{
+//		Endpoint:  "https://example.com/didcomm",
+//		Message:   packedMessage,
+//		MediaType: "application/didcomm-encrypted+json",
+//	})
 //
 // # Server Handler
 //
diff --git a/pkg/openid4vp/vc20_handler.go b/pkg/openid4vp/vc20_handler.go
@@ -921,7 +921,7 @@ func (h *VC20Handler) signECDSA2019(cred *credential.RDFCredential) (*credential
 	}
 
 	suite := ecdsaSuite.NewSuite()
-	return suite.Sign(cred, key, &ecdsaSuite.SignOptions{
+	return suite.Sign(context.Background(), cred, key, &ecdsaSuite.SignOptions{
 		VerificationMethod: h.signerConfig.VerificationMethod,
 		ProofPurpose:       "assertionMethod",
 		Created:            time.Now().UTC(),
diff --git a/pkg/openid4vp/vc20_handler_integration_test.go b/pkg/openid4vp/vc20_handler_integration_test.go
@@ -50,7 +50,7 @@ func TestVC20Handler_VerifyECDSA2019_Integration(t *testing.T) {
 	cred, err := credential.NewRDFCredentialFromJSON(credBytes, nil)
 	require.NoError(t, err)
 
-	signedCred, err := suite.Sign(cred, key, &ecdsaSuite.SignOptions{
+	signedCred, err := suite.Sign(t.Context(), cred, key, &ecdsaSuite.SignOptions{
 		VerificationMethod: "did:example:issuer#key-1",
 		Created:            time.Now(),
 		ProofPurpose:       "assertionMethod",
@@ -218,7 +218,7 @@ func TestVC20Handler_VP_Extraction(t *testing.T) {
 	cred, err := credential.NewRDFCredentialFromJSON(credBytes, nil)
 	require.NoError(t, err)
 
-	signedCred, err := suite.Sign(cred, key, &ecdsaSuite.SignOptions{
+	signedCred, err := suite.Sign(t.Context(), cred, key, &ecdsaSuite.SignOptions{
 		VerificationMethod: "did:example:issuer#key-1",
 		Created:            time.Now(),
 		ProofPurpose:       "assertionMethod",
@@ -283,7 +283,7 @@ func TestVC20Handler_TimeValidation(t *testing.T) {
 		cred, err := credential.NewRDFCredentialFromJSON(credBytes, nil)
 		require.NoError(t, err)
 
-		signedCred, err := suite.Sign(cred, key, &ecdsaSuite.SignOptions{
+		signedCred, err := suite.Sign(t.Context(), cred, key, &ecdsaSuite.SignOptions{
 			VerificationMethod: "did:example:issuer#key-1",
 			Created:            time.Now(),
 			ProofPurpose:       "assertionMethod",
@@ -323,7 +323,7 @@ func TestVC20Handler_TimeValidation(t *testing.T) {
 		cred, err := credential.NewRDFCredentialFromJSON(credBytes, nil)
 		require.NoError(t, err)
 
-		signedCred, err := suite.Sign(cred, key, &ecdsaSuite.SignOptions{
+		signedCred, err := suite.Sign(t.Context(), cred, key, &ecdsaSuite.SignOptions{
 			VerificationMethod: "did:example:issuer#key-1",
 			Created:            time.Now().Add(-time.Hour * 24 * 30),
 			ProofPurpose:       "assertionMethod",
diff --git a/pkg/openid4vp/vc20_vp_builder.go b/pkg/openid4vp/vc20_vp_builder.go
@@ -3,6 +3,7 @@
 package openid4vp
 
 import (
+	"context"
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/ed25519"
@@ -223,7 +224,7 @@ func (b *VPBuilder) signWithECDSA(vpBytes []byte, privateKey crypto.PrivateKey,
 
 	// Sign
 	suite := ecdsaSuite.NewSuite()
-	signedVP, err := suite.Sign(vpCred, ecKey, signOpts)
+	signedVP, err := suite.Sign(context.Background(), vpCred, ecKey, signOpts)
 	if err != nil {
 		return nil, fmt.Errorf("ECDSA signing failed: %w", err)
 	}
diff --git a/pkg/vc20/crypto/ecdsa/suite.go b/pkg/vc20/crypto/ecdsa/suite.go
@@ -41,18 +41,18 @@ type SignOptions struct {
 }
 
 // Sign signs a credential using ecdsa-rdfc-2019
-func (s *Suite) Sign(cred *credential.RDFCredential, key *ecdsa.PrivateKey, opts *SignOptions) (*credential.RDFCredential, error) {
+func (s *Suite) Sign(ctx context.Context, cred *credential.RDFCredential, key *ecdsa.PrivateKey, opts *SignOptions) (*credential.RDFCredential, error) {
 	if key == nil {
 		return nil, fmt.Errorf("private key is nil")
 	}
 	// Wrap the raw key and delegate to SignWithSigner
 	wrapper := vccrypto.NewECDSAKeyWrapper(key)
-	return s.SignWithSigner(cred, wrapper, opts)
+	return s.SignWithSigner(ctx, cred, wrapper, opts)
 }
 
 // SignWithSigner signs a credential using ecdsa-rdfc-2019 with a VCSigner.
-// This method supports both raw keys (via wrappers) and HSM-based keys (via pki.RawSigner).
-func (s *Suite) SignWithSigner(cred *credential.RDFCredential, signer vccrypto.VCSigner, opts *SignOptions) (*credential.RDFCredential, error) {
+// This method supports both raw keys (via wrappers) and HSM-backed keys (via pki.RawSigner).
+func (s *Suite) SignWithSigner(ctx context.Context, cred *credential.RDFCredential, signer vccrypto.VCSigner, opts *SignOptions) (*credential.RDFCredential, error) {
 	if cred == nil {
 		return nil, fmt.Errorf("credential is nil")
 	}
@@ -130,7 +130,7 @@ func (s *Suite) SignWithSigner(cred *credential.RDFCredential, signer vccrypto.V
 	combined := append(proofHashBytes[:], docHashBytes[:]...)
 
 	// 5. Sign using the VCSigner
-	signature, err := signer.SignDigest(context.Background(), combined)
+	signature, err := signer.SignDigest(ctx, combined)
 	if err != nil {
 		return nil, fmt.Errorf("failed to sign: %w", err)
 	}
diff --git a/pkg/vc20/crypto/ecdsa/suite_test.go b/pkg/vc20/crypto/ecdsa/suite_test.go
@@ -4,6 +4,7 @@
 package ecdsa
 
 import (
+	"context"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
@@ -52,7 +53,7 @@ func TestSignAndVerify(t *testing.T) {
 		Created:            time.Now().UTC(),
 	}
 
-	signedCred, err := suite.Sign(cred, key, opts)
+	signedCred, err := suite.Sign(context.Background(), cred, key, opts)
 	if err != nil {
 		t.Fatalf("Failed to sign credential: %v", err)
 	}
diff --git a/pkg/vc20/crypto/signer_test.go b/pkg/vc20/crypto/signer_test.go
@@ -39,7 +39,9 @@ func TestECDSAKeyWrapper_SignDigest(t *testing.T) {
 
 	// Test SignDigest
 	digest := make([]byte, 32) // SHA-256 digest size
-	rand.Read(digest)
+	if _, err := rand.Read(digest); err != nil {
+		t.Fatalf("rand.Read() error = %v", err)
+	}
 
 	signature, err := wrapper.SignDigest(context.Background(), digest)
 	if err != nil {
@@ -89,7 +91,9 @@ func TestECDSAKeyWrapper_DifferentCurves(t *testing.T) {
 			}
 
 			digest := make([]byte, 64) // Large enough for any curve
-			rand.Read(digest)
+			if _, err := rand.Read(digest); err != nil {
+				t.Fatalf("rand.Read() error = %v", err)
+			}
 
 			signature, err := wrapper.SignDigest(context.Background(), digest)
 			if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -156,10 +156,10 @@ func determineSigningAlgorithm(key jwk.Key, hint string) (jwa.SignatureAlgorithm`
`156`	`156`	`if crv.String() == "secp256k1" {`
`157`	`157`	`return jwa.ES256K(), nil`
`158`	`158`	`}`
`159`		`- return jwa.ES256(), fmt.Errorf("%w: unsupported curve %s", ErrUnsupportedAlgorithm, crv)`
	`159`	`+ return jwa.ES256(), fmt.Errorf("%w: unsupported curve %v", ErrUnsupportedAlgorithm, crv)`
`160`	`160`	`}`
`161`	`161`	`default:`
`162`		`- return jwa.EdDSA(), fmt.Errorf("%w: unsupported key type %s", ErrUnsupportedAlgorithm, kty)`
	`162`	`+ return jwa.EdDSA(), fmt.Errorf("%w: unsupported key type %v", ErrUnsupportedAlgorithm, kty)`
`163`	`163`	`}`
`164`	`164`	`}`
`165`	`165`
Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,8 @@ type Attachment struct {`
`39`	`39`	`}`
`40`	`40`
`41`	`41`	`// AttachmentData represents the actual attachment content.`
`42`		`-// Exactly one of JWS, Hash, Links, Base64, or JSON should be set.`
	`42`	`+// At least one of JWS, Links, Base64, or JSON should be set.`
	`43`	`+// Multiple formats are allowed per DIDComm spec.`
`43`	`44`	`type AttachmentData struct {`
`44`	`45`	`// JWS is a JSON Web Signature wrapping the content.`
`45`	`46`	`// Provides integrity and optional authentication.`
`@@ -71,7 +72,7 @@ func (a *Attachment) Validate() error {`
`71`	`72`	`// Works for Base64 and JSON encoded content.`
`72`	`73`	`func (a *Attachment) GetBytes() ([]byte, error) {`
`73`	`74`	`if a.Data.Base64 != "" {`
`74`		`- return base64.URLEncoding.DecodeString(a.Data.Base64)`
	`75`	`+ return base64.RawURLEncoding.DecodeString(a.Data.Base64)`
`75`	`76`	`}`
`76`	`77`	`if a.Data.JSON != nil {`
`77`	`78`	`return json.Marshal(a.Data.JSON)`
`@@ -111,7 +112,7 @@ func (a *Attachment) GetJSON(v any) error {`
`111`	`112`	`return json.Unmarshal(data, v)`
`112`	`113`	`}`
`113`	`114`	`if a.Data.Base64 != "" {`
`114`		`- data, err := base64.URLEncoding.DecodeString(a.Data.Base64)`
	`115`	`+ data, err := base64.RawURLEncoding.DecodeString(a.Data.Base64)`
`115`	`116`	`if err != nil {`
`116`	`117`	`return err`
`117`	`118`	`}`
`@@ -144,13 +145,13 @@ func (d *AttachmentData) Validate() error {`
`144`	`145`	`return nil`
`145`	`146`	`}`
`146`	`147`
`147`		`-// NewBase64Attachment creates an attachment with base64-encoded data.`
	`148`	`+// NewBase64Attachment creates an attachment with base64url-encoded data (no padding).`
`148`	`149`	`func NewBase64Attachment(id string, mediaType string, data []byte) Attachment {`
`149`	`150`	`return Attachment{`
`150`	`151`	`ID: id,`
`151`	`152`	`MediaType: mediaType,`
`152`	`153`	`Data: AttachmentData{`
`153`		`- Base64: base64.URLEncoding.EncodeToString(data),`
	`154`	`+ Base64: base64.RawURLEncoding.EncodeToString(data),`
`154`	`155`	`},`
`155`	`156`	`}`
`156`	`157`	`}`
Original file line number	Diff line number	Diff line change
`@@ -921,7 +921,7 @@ func (h VC20Handler) signECDSA2019(cred credential.RDFCredential) (*credential`
`921`	`921`	`}`
`922`	`922`
`923`	`923`	`suite := ecdsaSuite.NewSuite()`
`924`		`- return suite.Sign(cred, key, &ecdsaSuite.SignOptions{`
	`924`	`+ return suite.Sign(context.Background(), cred, key, &ecdsaSuite.SignOptions{`
`925`	`925`	`VerificationMethod: h.signerConfig.VerificationMethod,`
`926`	`926`	`ProofPurpose: "assertionMethod",`
`927`	`927`	`Created: time.Now().UTC(),`
Original file line number	Diff line number	Diff line change
`@@ -41,18 +41,18 @@ type SignOptions struct {`
`41`	`41`	`}`
`42`	`42`
`43`	`43`	`// Sign signs a credential using ecdsa-rdfc-2019`
`44`		`-func (s Suite) Sign(cred credential.RDFCredential, key ecdsa.PrivateKey, opts SignOptions) (*credential.RDFCredential, error) {`
	`44`	`+func (s Suite) Sign(ctx context.Context, cred credential.RDFCredential, key ecdsa.PrivateKey, opts SignOptions) (*credential.RDFCredential, error) {`
`45`	`45`	`if key == nil {`
`46`	`46`	`return nil, fmt.Errorf("private key is nil")`
`47`	`47`	`}`
`48`	`48`	`// Wrap the raw key and delegate to SignWithSigner`
`49`	`49`	`wrapper := vccrypto.NewECDSAKeyWrapper(key)`
`50`		`- return s.SignWithSigner(cred, wrapper, opts)`
	`50`	`+ return s.SignWithSigner(ctx, cred, wrapper, opts)`
`51`	`51`	`}`
`52`	`52`
`53`	`53`	`// SignWithSigner signs a credential using ecdsa-rdfc-2019 with a VCSigner.`
`54`		`-// This method supports both raw keys (via wrappers) and HSM-based keys (via pki.RawSigner).`
`55`		`-func (s Suite) SignWithSigner(cred credential.RDFCredential, signer vccrypto.VCSigner, opts SignOptions) (credential.RDFCredential, error) {`
	`54`	`+// This method supports both raw keys (via wrappers) and HSM-backed keys (via pki.RawSigner).`
	`55`	`+func (s Suite) SignWithSigner(ctx context.Context, cred credential.RDFCredential, signer vccrypto.VCSigner, opts SignOptions) (credential.RDFCredential, error) {`
`56`	`56`	`if cred == nil {`
`57`	`57`	`return nil, fmt.Errorf("credential is nil")`
`58`	`58`	`}`
`@@ -130,7 +130,7 @@ func (s Suite) SignWithSigner(cred credential.RDFCredential, signer vccrypto.V`
`130`	`130`	`combined := append(proofHashBytes[:], docHashBytes[:]...)`
`131`	`131`
`132`	`132`	`// 5. Sign using the VCSigner`
`133`		`- signature, err := signer.SignDigest(context.Background(), combined)`
	`133`	`+ signature, err := signer.SignDigest(ctx, combined)`
`134`	`134`	`if err != nil {`
`135`	`135`	`return nil, fmt.Errorf("failed to sign: %w", err)`
`136`	`136`	`}`