feat: Add did import api [DEV-3487] (#457)

* feat: Add key/import api * Update routes * Update description * Update auth middleware * Add salt and fix issues * feat: Add did import api * Update auth for routes * fix: Fix decryption bug * feat: Add import did and key validators * Make type as const
cheqd · Jan 4, 2024 · 75232f0 · 75232f0
1 parent d7256f4
commit 75232f0
Show file tree

Hide file tree

Showing 15 changed files with 354 additions and 72 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -64,6 +64,7 @@
 		"@veramo/did-resolver": "^5.5.3",
 		"@veramo/key-manager": "^5.5.3",
 		"@veramo/kms-local": "^5.5.3",
+		"@veramo/utils": "^5.5.3",
 		"@verida/account-node": "^2.3.9",
 		"@verida/client-ts": "^2.3.9",
 		"@verida/encryption-utils": "^2.2.3",

diff --git a/src/app.ts b/src/app.ts
@@ -161,12 +161,13 @@ class App {
 
 		// Keys API
 		app.post('/key/create', new KeyController().createKey);
-		app.post('/key/import', new KeyController().importKey);
+		app.post('/key/import', KeyController.importKeyValidator, new KeyController().importKey);
 		app.get('/key/read/:kid', new KeyController().getKey);
 
 		// DIDs API
 		app.post('/did/create', DIDController.createDIDValidator, new DIDController().createDid);
 		app.post('/did/update', DIDController.updateDIDValidator, new DIDController().updateDid);
+		app.post('/did/import', DIDController.importDIDValidator, new DIDController().importDid);
 		app.post('/did/deactivate/:did', DIDController.deactivateDIDValidator, new DIDController().deactivateDid);
 		app.get('/did/list', new DIDController().getDids);
 		app.get('/did/search/:did', new DIDController().resolveDidUrl);

diff --git a/src/controllers/did.ts b/src/controllers/did.ts
@@ -11,12 +11,13 @@ import {
 } from '@cheqd/sdk';
 import { StatusCodes } from 'http-status-codes';
 import { IdentityServiceStrategySetup } from '../services/identity/index.js';
-import { generateDidDoc, getQueryParams } from '../helpers/helpers.js';
+import { decryptPrivateKey, generateDidDoc, getQueryParams } from '../helpers/helpers.js';
 import { bases } from 'multiformats/basics';
 import { base64ToBytes } from 'did-jwt';
-import type { CreateDidRequestBody } from '../types/shared.js';
-
+import type { CreateDidRequestBody, KeyImportRequest } from '../types/shared.js';
 import { check, validationResult, param } from './validator/index.js';
+import type { IKey, RequireOnly } from '@veramo/core';
+import { extractPublicKeyHex } from '@veramo/utils';
 
 export class DIDController {
 	// ToDo: improve validation in a "bail" fashion
@@ -78,6 +79,26 @@ export class DIDController {
 
 	public static deactivateDIDValidator = [param('did').exists().isString().isDID().bail()];
 
+	public static importDIDValidator = [
+		check('did').isDID().bail(),
+		check('controllerKeyId').optional().isString().withMessage('controllerKeyId should be a string').bail(),
+		check('keys')
+			.isArray()
+			.withMessage('Keys should be an array of KeyImportRequest objects used in the DID-VerificationMethod')
+			.custom((value) => {
+				return value.every(
+					(item: KeyImportRequest) =>
+						item.privateKeyHex &&
+						typeof item.encrypted === 'boolean' &&
+						(item.encrypted === true ? item.ivHex && item.salt : true)
+				);
+			})
+			.withMessage(
+				'KeyImportRequest object is invalid, privateKeyHex is required, Property ivHex, salt is required when encrypted is set to true'
+			)
+			.bail(),
+	];
+
 	/**
 	 * @openapi
 	 *
@@ -324,6 +345,116 @@ export class DIDController {
 		}
 	}
 
+	/**
+	 * @openapi
+	 *
+	 * /did/import:
+	 *   post:
+	 *     tags: [ DID ]
+	 *     summary: Import a DID Document.
+	 *     description: This endpoint imports a decentralized identifier associated with the user's account for custodian-mode clients.
+	 *     requestBody:
+	 *       content:
+	 *         application/x-www-form-urlencoded:
+	 *           schema:
+	 *             $ref: '#/components/schemas/DidImportRequest'
+	 *         application/json:
+	 *           schema:
+	 *             $ref: '#/components/schemas/DidImportRequest'
+	 *     responses:
+	 *       200:
+	 *         description: The request was successful.
+	 *         content:
+	 *           application/json:
+	 *             schema:
+	 *               $ref: '#/components/schemas/DidResult'
+	 *       400:
+	 *         description: A problem with the input fields has occurred. Additional state information plus metadata may be available in the response body.
+	 *         content:
+	 *           application/json:
+	 *             schema:
+	 *               $ref: '#/components/schemas/InvalidRequest'
+	 *             example:
+	 *               error: InvalidRequest
+	 *       401:
+	 *         $ref: '#/components/schemas/UnauthorizedError'
+	 *       500:
+	 *         description: An internal error has occurred. Additional state information plus metadata may be available in the response body.
+	 *         content:
+	 *           application/json:
+	 *             schema:
+	 *               $ref: '#/components/schemas/InvalidRequest'
+	 *             example:
+	 *               error: Internal Error
+	 */
+	public async importDid(request: Request, response: Response) {
+		// validate request
+		const result = validationResult(request);
+
+		// handle error
+		if (!result.isEmpty()) {
+			return response.status(StatusCodes.BAD_REQUEST).json({ error: result.array().pop()?.msg });
+		}
+
+		try {
+			const { did, controllerKeyId, keys } = request.body;
+			const { didDocument } = await new IdentityServiceStrategySetup().agent.resolveDid(did);
+			if (!didDocument || !didDocument.verificationMethod || didDocument.verificationMethod.length === 0) {
+				return response.status(StatusCodes.BAD_REQUEST).json({
+					error: `Invalid request: Invalid did document for ${did}`,
+				});
+			}
+			const publicKeyHexs: string[] = [
+				...new Set(
+					didDocument.verificationMethod.map((vm) => extractPublicKeyHex(vm)).filter((pk) => pk) || []
+				),
+			];
+
+			const keysToImport: RequireOnly<IKey, 'privateKeyHex' | 'type'>[] = [];
+			if (keys && keys.length === publicKeyHexs.length) {
+				// import keys
+				keysToImport.push(
+					...(await Promise.all(
+						keys.map(async (key: any) => {
+							const { type, encrypted, ivHex, salt } = key;
+							let { privateKeyHex } = key;
+							if (encrypted) {
+								if (ivHex && salt) {
+									privateKeyHex = toString(
+										await decryptPrivateKey(privateKeyHex, ivHex, salt),
+										'hex'
+									);
+								} else {
+									throw new Error(
+										`Invalid request: Property ivHex, salt is required when encrypted is set to true`
+									);
+								}
+							}
+
+							return {
+								type: type || 'Ed25519',
+								privateKeyHex,
+							};
+						})
+					))
+				);
+			} else if (keys) {
+				return response.status(StatusCodes.BAD_REQUEST).json({
+					error: `Invalid request: Provide all the required keys`,
+				});
+			}
+
+			const identifier = await new IdentityServiceStrategySetup(
+				response.locals.customer.customerId
+			).agent.importDid(did, keys, controllerKeyId, response.locals.customer);
+			return response.status(StatusCodes.OK).json(identifier);
+		} catch (error) {
+			return response.status(StatusCodes.INTERNAL_SERVER_ERROR).json({
+				error: `Internal error: ${(error as Error)?.message || error}`,
+			});
+		}
+	}
+
 	/**
 	 * @openapi
 	 *

diff --git a/src/controllers/key.ts b/src/controllers/key.ts
@@ -3,8 +3,19 @@ import { StatusCodes } from 'http-status-codes';
 import { IdentityServiceStrategySetup } from '../services/identity/index.js';
 import { decryptPrivateKey } from '../helpers/helpers.js';
 import { toString } from 'uint8arrays';
+import { check } from 'express-validator';
 
 export class KeyController {
+	public static importKeyValidator = [
+		check('privateKeyHex').isString().withMessage('privateKeyHex is required').bail(),
+		check('encrypted')
+			.isBoolean()
+			.withMessage('encrypted is required')
+			.custom((value, { req }) => (value === true ? req.ivHex && req.salt : true))
+			.withMessage('Property ivHex, salt is required when encrypted is set to true')
+			.bail(),
+	];
+
 	/**
 	 * @openapi
 	 *

diff --git a/src/helpers/helpers.ts b/src/helpers/helpers.ts
@@ -217,7 +217,7 @@ export async function decryptPrivateKey(encryptedPrivateKeyHex: string, ivHex: s
 		throw new Error('Missing encryption secret');
 	}
 	// derive key from passphrase
-	const derivedKey = await deriveSymmetricKeyFromSecret(salt, process.env.ENCRYPTION_SECRET);
+	const derivedKey = await deriveSymmetricKeyFromSecret(process.env.ENCRYPTION_SECRET, salt);
 
 	// unwrap encrypted key with iv
 	const encryptedKey = Buffer.from(encryptedPrivateKeyHex, 'hex');

diff --git a/src/middleware/auth/routes/did-auth.ts b/src/middleware/auth/routes/did-auth.ts
@@ -13,6 +13,8 @@ export class DidAuthHandler extends BaseAuthHandler {
 		this.registerRoute('/did/update', 'POST', 'update:did:mainnet');
 		this.registerRoute('/did/deactivate', 'POST', 'deactivate:did:testnet');
 		this.registerRoute('/did/deactivate', 'POST', 'deactivate:did:mainnet');
+		this.registerRoute('/did/import', 'POST', 'import:did:testnet');
+		this.registerRoute('/did/import', 'POST', 'import:did:mainnet');
 		// Unauthorized routes
 		this.registerRoute('/did/search/(.*)', 'GET', '', { allowUnauthorized: true, skipNamespace: true });
 	}

diff --git a/src/services/identity/abstract.ts b/src/services/identity/abstract.ts
@@ -5,6 +5,7 @@ import type {
 	DIDDocument,
 	DIDResolutionResult,
 	IIdentifier,
+	IKey,
 	IVerifyResult,
 	ManagedKeyInfo,
 	PresentationPayload,
@@ -78,8 +79,8 @@ export abstract class AbstractIdentityService implements IIdentityService {
 
 	importDid(
 		did: string,
-		privateKeyHex: string,
-		publicKeyHex: string,
+		keys: Pick<IKey, 'privateKeyHex' | 'type'>[],
+		controllerKeyId: string,
 		customer: CustomerEntity
 	): Promise<IIdentifier> {
 		throw new Error(`Not supported`);

diff --git a/src/services/identity/agent.ts b/src/services/identity/agent.ts
@@ -7,11 +7,11 @@ import {
 	ICreateVerifiablePresentationArgs,
 	IDIDManager,
 	IIdentifier,
+	IKey,
 	IKeyManager,
 	IResolver,
 	IVerifyResult,
 	MinimalImportableIdentifier,
-	MinimalImportableKey,
 	PresentationPayload,
 	TAgent,
 	VerifiableCredential,
@@ -244,21 +244,24 @@ export class Veramo {
 	async importDid(
 		agent: TAgent<IDIDManager>,
 		did: string,
-		privateKeyHex: string,
-		publicKeyHex: string
+		keys: Pick<IKey, 'privateKeyHex' | 'type'>[],
+		controllerKeyId: string | undefined
 	): Promise<IIdentifier> {
 		const [kms] = await agent.keyManagerGetKeyManagementSystems();
 
 		if (!did.match(DefaultDidUrlPattern)) {
 			throw new Error('Invalid DID');
 		}
 
-		const key: MinimalImportableKey = { kms: kms, kid: publicKeyHex, type: 'Ed25519', privateKeyHex, publicKeyHex };
-
 		const identifier: IIdentifier = await agent.didManagerImport({
-			keys: [key],
+			keys: keys.map((key) => {
+				return {
+					...key,
+					kms,
+				};
+			}),
 			did,
-			controllerKeyId: key.kid,
+			controllerKeyId,
 		} as MinimalImportableIdentifier);
 
 		return identifier;

diff --git a/src/services/identity/index.ts b/src/services/identity/index.ts
@@ -9,6 +9,7 @@ import type {
 	DIDDocument,
 	DIDResolutionResult,
 	IIdentifier,
+	IKey,
 	IVerifyResult,
 	ManagedKeyInfo,
 	PresentationPayload,
@@ -74,7 +75,12 @@ export interface IIdentityService {
 	resolveDid(did: string): Promise<DIDResolutionResult>;
 	resolve(didUrl: string): Promise<Response>;
 	getDid(did: string, customer: CustomerEntity): Promise<any>;
-	importDid(did: string, privateKeyHex: string, publicKeyHex: string, customer: CustomerEntity): Promise<IIdentifier>;
+	importDid(
+		did: string,
+		keys: Pick<IKey, 'privateKeyHex' | 'type'>[],
+		controllerKeyId: string | undefined,
+		customer: CustomerEntity
+	): Promise<IIdentifier>;
 	createResource(network: string, payload: ResourcePayload, customer: CustomerEntity): Promise<any>;
 	createCredential(
 		credential: CredentialPayload,

diff --git a/src/services/identity/local.ts b/src/services/identity/local.ts
@@ -1,5 +1,5 @@
 import * as dotenv from 'dotenv';
-import type { IIdentifier, CredentialPayload, VerifiableCredential, IVerifyResult } from '@veramo/core';
+import type { IIdentifier, CredentialPayload, VerifiableCredential, IVerifyResult, TKeyType } from '@veramo/core';
 import { MemoryPrivateKeyStore } from '@veramo/key-manager';
 import { KeyManagementSystem } from '@veramo/kms-local';
 import {
@@ -122,11 +122,17 @@ export class LocalIdentityService extends DefaultIdentityService {
 		try {
 			return await this.getDid(ISSUER_DID);
 		} catch {
+			const key = {
+				kid: ISSUER_PUBLIC_KEY_HEX,
+				type: 'Ed25519' as const,
+				privateKeyHex: ISSUER_PRIVATE_KEY_HEX,
+				publicKeyHex: ISSUER_PUBLIC_KEY_HEX,
+			};
 			const identifier: IIdentifier = await Veramo.instance.importDid(
 				this.initAgent(),
 				ISSUER_DID,
-				ISSUER_PRIVATE_KEY_HEX,
-				ISSUER_PUBLIC_KEY_HEX
+				[key],
+				key.kid
 			);
 			return identifier;
 		}

diff --git a/src/services/identity/postgres.ts b/src/services/identity/postgres.ts
@@ -2,6 +2,7 @@ import type {
 	CredentialPayload,
 	DIDDocument,
 	IIdentifier,
+	IKey,
 	IVerifyResult,
 	PresentationPayload,
 	VerifiableCredential,
@@ -289,16 +290,15 @@ export class PostgresIdentityService extends DefaultIdentityService {
 
 	async importDid(
 		did: string,
-		privateKeyHex: string,
-		publicKeyHex: string,
+		keys: Pick<IKey, 'privateKeyHex' | 'type'>[],
+		controllerKeyId: string | undefined,
 		customer: CustomerEntity
 	): Promise<IIdentifier> {
 		if (!did.match(DefaultDidUrlPattern)) {
 			throw new Error('Invalid DID');
 		}
-
 		// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-		const identifier: IIdentifier = await Veramo.instance.importDid(this.agent!, did, privateKeyHex, publicKeyHex);
+		const identifier: IIdentifier = await Veramo.instance.importDid(this.agent!, did, keys, controllerKeyId);
 		await IdentifierService.instance.update(identifier.did, customer);
 		return identifier;
 	}