-
Notifications
You must be signed in to change notification settings - Fork 0
fix(notary): validate claim response formats #405
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -155,7 +155,6 @@ impl SubjectAccessConfig { | |
| profile, | ||
| &claim_ids, | ||
| &allowed_claim_ids, | ||
| &allowed_formats, | ||
| self.token_policy.max_credential_validity_seconds, | ||
| )?; | ||
| } | ||
|
|
@@ -771,7 +770,6 @@ pub(super) fn validate_subject_access_profile( | |
| profile: &CredentialProfileConfig, | ||
| claim_ids: &HashSet<&str>, | ||
| allowed_claim_ids: &HashSet<&str>, | ||
| allowed_formats: &HashSet<&str>, | ||
| max_credential_validity_seconds: u64, | ||
| ) -> Result<(), EvidenceConfigError> { | ||
| if profile.validity_seconds <= 0 { | ||
|
|
@@ -791,12 +789,6 @@ pub(super) fn validate_subject_access_profile( | |
| "credential profile '{profile_id}' validity_seconds must not exceed the subject-access ceiling" | ||
| )); | ||
| } | ||
| if !allowed_formats.contains(profile.format.as_str()) { | ||
| return invalid_subject_access(format!( | ||
| "credential profile '{profile_id}' uses unallowed format '{}'", | ||
| profile.format | ||
| )); | ||
| } | ||
| if profile.holder_binding.mode != "did" { | ||
| return invalid_subject_access(format!( | ||
| "credential profile '{profile_id}' holder_binding.mode must be did" | ||
|
|
@@ -867,12 +859,9 @@ pub(super) fn validate_subject_access_allow_lists_are_supported( | |
| let supported_by_claim = allowed_claims | ||
| .iter() | ||
| .any(|claim| claim.formats.iter().any(|candidate| candidate == format)); | ||
| let supported_by_profile = allowed_profiles | ||
| .iter() | ||
| .any(|profile| profile.format == *format); | ||
| if !supported_by_claim && !supported_by_profile { | ||
| if !supported_by_claim { | ||
|
Comment on lines
859
to
+862
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
When Useful? React with 👍 / 👎. |
||
| return invalid_subject_access(format!( | ||
| "allowed_formats entry '{format}' is not supported by any allowed claim or profile" | ||
| "allowed_formats entry '{format}' is not supported by any allowed claim" | ||
| )); | ||
| } | ||
| } | ||
|
|
@@ -1046,12 +1035,9 @@ pub(super) fn validate_delegated_attestation_allow_lists_are_supported( | |
| let supported_by_claim = allowed_claims | ||
| .iter() | ||
| .any(|claim| claim.formats.iter().any(|candidate| candidate == format)); | ||
| let supported_by_profile = allowed_profiles | ||
| .iter() | ||
| .any(|profile| profile.format == *format); | ||
| if !supported_by_claim && !supported_by_profile { | ||
| if !supported_by_claim { | ||
|
Comment on lines
1035
to
+1038
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
For delegated relationships that list Useful? React with 👍 / 👎. |
||
| return invalid_subject_access(format!( | ||
| "subject_access.delegation allowed_formats entry '{format}' is not supported by any allowed claim or profile" | ||
| "subject_access.delegation allowed_formats entry '{format}' is not supported by any allowed claim" | ||
| )); | ||
| } | ||
| } | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After this loop rejects
application/dc+sd-jwtfor every claim, credential-enabled deployments still expose it as an enabled format becauseruntime/catalog.rsinsertsFORMAT_SD_JWT_VCwhenever credential profiles exist, andapi/request.rsfeeds all enabled ids into evaluation content negotiation. A caller sendingAccept: application/dc+sd-jwt, application/vnd.registry-notary.claim-result+json;q=0.5will have negotiation select SD-JWT and then fail withFormatUnsupported, even though the canonical evaluation response is acceptable; the catalog/negotiation path needs to exclude credential-only formats for evaluation responses.Useful? React with 👍 / 👎.