Skip to content

Latest commit

 

History

History
310 lines (232 loc) · 13.3 KB

README.md

File metadata and controls

310 lines (232 loc) · 13.3 KB

Procivis Procivis

The Procivis One Open Core library is a subset of our Procivis One Core including specific services and protocols.

Table of contents

Background

Decentralized digital identities and credentials is an approach to identity that relocates digital credentials from the possession and control of centralized authorities to the digital wallet of the credentials holder. This architecture eliminates the need for the user to "phone home" to use their credentials as well as the verifier to communicate to the issuer via back-channels, keeping the wallet holder's interactions private between only those parties directly involved in each interaction.

Project affiliation

The Procivis One Open Core was developed with funding from the U.S. Department of Homeland Security's (DHS) Silicon Valley Innovation Program (SVIP) and provides cryptographic and metadata management tools for issuers, holders, and verifiers:

See the section on repository structure for a description of how these functions are divided and the different ways in which this library can be used.

Description of the providers

Credential formatter provider

Format and parse digital credentials according to W3C Verifiable Credentials Data Model v2.0, for issuing, presenting, and verifying.

The following proofs are supported:

Securing mechanism Supported representations Supported proof/signature types
W3C Data Integrity Proofs (embedded) JSON-LD in Compacted Document Form
W3C VC-JOSE-COSE (enveloping)

* CRYSTALS-DILITHIUM is a post-quantum resistant signature scheme, selected by NIST for Post-Quantum Cryptography Standardization. Support for the recently published FIPS-204 is planned for the near future.

When provided with the necessary ingredients (e.g. public keys, authentication function for signing, cryptographic operations for calculating hash comparisons, etc.), this module can sign and verify proofs. These ingredients can be delivered by the other providers, or they can be provided independently.

Additionally, the provider can be used for other data models. For the technologies supported by the complete Procivis One solution, see our docs.

Crypto provider

  • Sign and verify raw bytes, including necessary hashing, using the curves listed above

Key algorithm provider

  • Generate cryptographic key pairs for use with the following algorithms
    • EdDSA
    • ECDSA
    • BBS+
    • ML-DSA
  • Serialize keys, converting to and from different structures (multibase, jwk, bytes, DER)

Key storage provider

Store and safely use keys via:

  • Azure Key Vault hardware security module (HSM)
  • Internal encrypted database

Revocation provider

Manage credential status with the following revocation methods:

For issuers: suspend, reactivate and revoke credentials.

For holders and verifiers: check the status of credentials.

DID method provider

Uses W3C Decentralized Identifiers (DIDs) v1.0-based architecture and data model to manage identifiers

  • Create DIDs and publish metadata
  • Resolve DIDs directly or with the supported Universal DID resolver
    • Retrieve metadata, returning DID Documents and associated public keys
  • Update DIDs (if supported by the method)

Exchange protocol provider

Exchange credentials and presentations:

Additional features

  • Selective disclosure: holders control information using
    • JSON-LD credentials signed with BBS+
    • SD-JWT credentials
  • Caching for mobile devices: In-memory caching for mobile devices with intermittent internet connectivity
    • DID documents for metadata retrieval (DID method provider)
    • Status lists for credentials issued with W3C Bitstring Status List v1.0 (Revocation method provider)
    • JSON-LD contexts for credential structures and calculation of proofs (Credential format provider)
  • Schemas
    • Structure credentials for issuance with customizable credential schemas
    • Structure verification requests with customizable credential and proof schemas
  • Interoperability
    • We actively support standards-based interoperability
    • We are participating in interop testing soon, and will update this section as results come in

Getting started

Prerequisites

A stable version of Rust ≥ 1.75 is recommended.

Install

cargo install --git https://github.com/procivis/one-open-core

Usage

Repository structure

The library consists of three crates:

  • Providers
    • Credential formatter provider
    • Key algorithm provider
    • Key storage provider
    • Revocation provider
    • DID method provider
    • Exchange protocol provider
  • Crypto: This provider is delimited in its own directory to enable future certification of the cryptographic components of this library, e.g. in the NIST Cryptographic Module Validation Program (CMVP).
    • Crypto provider
  • Core
    • Services

The Providers (including Crypto provider) are modular implementations of the complete range of functionality. Developers can use providers — or implementations of individual technologies from within a provider — for modular functionality.

The Core is a service layer that offers developer APIs for orchestrating the whole suite of providers for simplified workflows in issuing, holding, or verifying. Services return provider implementations.

Providers and Crypto

The Providers and Crypto crates contain the actual implementations of technologies, in a modular format. Implementations or providers can be used modularly. The library can be extended (e.g. with a new DID method or key signing algorithm) by adding additional implementations in the relevant provider.

See the docs for details on each provider and related implementations.

See the examples for a few iterations of using the providers.

Provider structure

Each provider is structured in a similar pattern, each containing some subset of:

  • imp: Implements the functionality. Within this directory, each technology (e.g. each credential format, each key algorithm, each DID method) is implemented within its own directory.
  • error: Enumerates errors of the provider.
  • mod: Provides the traits used in the implementation.
  • model: structs and enums of the provider.
  • provider: The provider implementation.

Some providers may include additional elements of implementation.

There are additional modules in the Providers crate containing, for example, shared resources such as DTOs as well as utilities such as bitstring list handling and key verification of DIDs.

Core

The Core provides developer APIs for simple and easy-to-use functionalities of the library and its supported technologies. As an orchestration layer, it provides the simplest access to related functions with the least amount of effort. Services currently available:

To get started, initialize the core:

/// `None` initializes the Core with the default configuration
let core = OneOpenCore::new(None).unwrap();

Then start using the services, e.g.:

let key_pair = core
    .signature_service
    .get_key_pair(&KeyAlgorithmType::Es256)
    .expect("Key pair creation failed");

Examples

Some examples of using the Core are provided in the /examples directory of the repository. More examples will be added in the future. Examples include:

Documentation

See the library documentation for details on this repository. The library documentation provides further descriptions of crates, modules, and traits.

See the Procivis One documentation for:

Acknowledgement

This work is funded in part by the U.S Department of Homeland Security Science and Technology Directorate (DHS S&T) Silicon Valley Innovation Program (SVIP) under contract 70RSAT24T00000012. Any opinions contained herein are those of the performer and do not necessarily reflect those of DHS.

License

Some rights reserved. This library is published under the Apache License Version 2.0.

Procivis AG Procivis AG

© Procivis AG, https://www.procivis.ch.