Merge pull request #66 from talwinder50/issue-48

Validate peer DID identifier
hyperledger-archives · Aug 12, 2019 · 6be39fe · 6be39fe
2 parents 4406b2c + 4608b6a
commit 6be39fe
Show file tree

Hide file tree

Showing 2 changed files with 118 additions and 14 deletions.
diff --git a/pkg/didmethod/peer/did.go b/pkg/didmethod/peer/did.go
@@ -7,8 +7,9 @@ package peer
 
 import (
 	"crypto"
-	"encoding/base64"
+	"encoding/hex"
 	"encoding/json"
+	"regexp"
 	"strings"
 
 	"github.com/hyperledger/aries-framework-go/pkg/doc/did"
@@ -30,7 +31,61 @@ func newDid(doc *did.Doc) (string, error) {
 	if doc.PublicKey == nil || doc.Authentication == nil {
 		return "", errors.New("the genesis version must include public keys and authentication")
 	}
+	numBasis, err := numBasis(doc)
+	if err != nil {
+		return "", err
+	}
+	messageIdentifier := []string{peerPrefix, numAlgo, encAlgo, "-", numBasis}
+	peerDID := strings.Join(messageIdentifier, "")
+
+	return peerDID, nil
+}
+
+/*
+ validateDID checks the format of the doc's DID and checks that the DID's 'namestring' matches against its numeric basis as per the
+ Namestring Generation Method: https://openssi.github.io/peer-did-method-spec/index.html#namestring-generation-method
+ Note: this check should be done only on the resolved variant of the genesis version of Peer DID documents.
+*/
+func validateDID(doc *did.Doc) error {
+
+	peerDid := doc.ID
+
+	matched, _ := regexp.MatchString(`did:peer:11-([a-fA-F0-9]){64}`, peerDid)
+	if !matched {
+		return errors.Errorf("did doesnt follow matching regex")
+	}
+
+	//extracting numbasis from the validated did
+	splitDid := strings.FieldsFunc(peerDid, func(r rune) bool { return r == '-' })
+	extractedNumBasis := splitDid[1]
+
+	// genesis version(no did) of the peer DID doc
+	genesisDoc := &did.Doc{
+		Context:        doc.Context,
+		ID:             "",
+		PublicKey:      doc.PublicKey,
+		Service:        doc.Service,
+		Authentication: doc.Authentication,
+		Created:        doc.Created,
+		Updated:        doc.Updated,
+		Proof:          doc.Proof,
+	}
+
+	//calculate the numbasis of the genesis version of the peer DID doc
+	numBas, err := numBasis(genesisDoc)
+	if err != nil {
+		return err
+	}
 
+	if !(numBas == extractedNumBasis) {
+		return errors.New("hash of the doc doesnt match the computed hash")
+	}
+	return nil
+}
+
+/* numBasis is numeric basis. The spec requires a 256-bit (encoded using 64 hexadecimal digits) numBasis generated from a hash of the initial content of a DID doc i.e genesis doc.
+   Reference : https://dhh1128.github.io/peer-did-method-spec/#matching-regex */
+func numBasis(doc *did.Doc) (string, error) {
 	docBytes, err := json.Marshal(doc)
 	if err != nil {
 		return "", err
@@ -40,11 +95,9 @@ func newDid(doc *did.Doc) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	numBasis := base64.URLEncoding.EncodeToString(hash)
-	messageIdentifier := []string{peerPrefix, numAlgo, encAlgo, "-", numBasis}
-	peerDID := strings.Join(messageIdentifier, "")
+	numBasis := hex.EncodeToString(hash)
 
-	return peerDID, nil
+	return numBasis, nil
 }
 
 // computeHash will compute the hash for the supplied bytes

diff --git a/pkg/didmethod/peer/did_test.go b/pkg/didmethod/peer/did_test.go
@@ -15,18 +15,16 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestNewDid(t *testing.T) {
-	storedDoc, err := GenerateGenesisDoc()
-	require.NoError(t, err)
+func TestNewDID(t *testing.T) {
+	storedDoc := genesisDoc()
 	require.NotNil(t, storedDoc)
-
 	peerDID, err := newDid(storedDoc)
 	require.NoError(t, err)
 	require.NotNil(t, peerDID)
 	assert.Contains(t, peerDID, "did:peer:11")
 }
 
-func TestNewDidError(t *testing.T) {
+func TestNewDIDError(t *testing.T) {
 	storedDoc := &did.Doc{ID: "did:peer:11"}
 	_, err := newDid(storedDoc)
 	require.Error(t, err)
@@ -38,16 +36,52 @@ func TestComputeHash(t *testing.T) {
 	assert.Nil(t, err)
 	assert.NotNil(t, hash)
 }
-
 func TestComputeHashError(t *testing.T) {
 	hash, err := computeHash([]byte(""))
 	assert.NotNil(t, err)
 	assert.Contains(t, err.Error(), "empty bytes")
 	assert.Nil(t, hash)
 }
+func TestValidateDid(t *testing.T) {
+	peerDoc, err := peerDidDoc()
+	require.NoError(t, err)
+	require.NotNil(t, peerDoc)
+	err = validateDID(peerDoc)
+	require.NoError(t, err)
+}
+func TestValidateDIDError(t *testing.T) {
+	peerDoc := invalidPeerDIDDoc()
+	require.NotNil(t, peerDoc)
+	err := validateDID(peerDoc)
+	require.Error(t, err)
+	require.Equal(t, "did doesnt follow matching regex", err.Error())
+}
+func TestValidateErrorHashString(t *testing.T) {
+	peerDoc := &did.Doc{ID: "did:peer:11-479cbc07c3f991725836a3aa2a581ca2029198aa420b9d99bc0e131d9f3e2cbe"}
+	err := validateDID(peerDoc)
+	require.Error(t, err)
+	require.Equal(t, "hash of the doc doesnt match the computed hash", err.Error())
+}
 
-// GenerateGenesisDoc creates the doc without an id
-func GenerateGenesisDoc() (*did.Doc, error) {
+func TestValidateDIDRegex(t *testing.T) {
+	did1 := &did.Doc{ID: "did:peer:22"}
+	err := validateDID(did1)
+	require.Error(t, err)
+	require.Equal(t, err.Error(), "did doesnt follow matching regex")
+
+	did2 := &did.Doc{ID: "did:sidetree:22"}
+	err = validateDID(did2)
+	require.Error(t, err)
+	require.Equal(t, err.Error(), "did doesnt follow matching regex")
+
+	did3 := &did.Doc{ID: "did:peer:1-*&$*|||"}
+	err = validateDID(did3)
+	require.Error(t, err)
+	require.Equal(t, err.Error(), "did doesnt follow matching regex")
+}
+
+// genesisDoc creates the doc without an id
+func genesisDoc() *did.Doc {
 
 	pk := []did.PublicKey{
 		{
@@ -81,5 +115,22 @@ func GenerateGenesisDoc() (*did.Doc, error) {
 		Created:        &time.Time{},
 	}
 	return &did.Doc{Context: doc.Context, PublicKey: doc.PublicKey, Authentication: doc.Authentication,
-		Created: doc.Created}, nil
+		Created: doc.Created}
+}
+
+func peerDidDoc() (*did.Doc, error) {
+	doc := genesisDoc()
+	did, err := newDid(doc)
+	if err != nil {
+		return nil, err
+	}
+	doc.ID = did
+	return doc, nil
+}
+
+func invalidPeerDIDDoc() *did.Doc {
+	doc := genesisDoc()
+	doc.ID = "did:peer:11-"
+
+	return doc
 }