feat: Add support for multiple-status entries in VC (#95)

Multiple credentialStatus entries may be added to the VC so that both revocation and suspension may be supported for the VC.

Signed-off-by: Bob Stasyszyn <bob.stasyszyn@gendigital.com>

Author: bstasyszyn

presexch/definition_test.go

@@ -3569,7 +3569,7 @@ type credentialProto struct {
 	Issuer         *verifiable.Issuer
 	Issued         *utiltime.TimeWrapper
 	Expired        *utiltime.TimeWrapper
-	Status         *verifiable.TypedID
+	Status         []*verifiable.TypedID
 	Schemas        []verifiable.TypedID
 	Evidence       verifiable.Evidence
 	TermsOfUse     []verifiable.TypedID

status/api/api.go

@@ -16,6 +16,7 @@ type Validator interface {
 	ValidateStatus(vcStatus *verifiable.TypedID) error
 	GetStatusVCURI(vcStatus *verifiable.TypedID) (string, error)
 	GetStatusListIndex(vcStatus *verifiable.TypedID) (int, error)
+	GetStatusPurpose(vcStatus *verifiable.TypedID) (string, error)
 }
 
 // ValidatorGetter provides the matching Validator for a given credential status type.

status/status.go

@@ -18,8 +18,17 @@ import (
 )
 
 const (
-	// RevokedMessage is the Client.VerifyStatus error message when the given verifiable.Credential is revoked.
-	RevokedMessage = "revoked"
+	// StatusPurposeRevocation is the purpose of the status list entry for revocation.
+	StatusPurposeRevocation = "revocation"
+	// StatusPurposeSuspension is the purpose of the status list entry for suspension.
+	StatusPurposeSuspension = "suspension"
+)
+
+var (
+	// ErrRevoked is the Client.VerifyStatus error when the given verifiable.Credential is revoked.
+	ErrRevoked = errors.New("revoked")
+	// ErrSuspended is the Client.VerifyStatus error when the given verifiable.Credential is suspended.
+	ErrSuspended = errors.New("suspended")
 )
 
 // Client verifies revocation status for Verifiable Credentials.
@@ -28,31 +37,45 @@ type Client struct {
 	Resolver        api.StatusListVCURIResolver
 }
 
-// VerifyStatus verifies the revocation status on the given Verifiable Credential, returning the errorstring "revoked"
-// if the given credential's status is revoked, nil if the credential is not revoked, and a different error if
-// verification fails.
+// VerifyStatus verifies the revocation status on the given Verifiable Credential, returning the errorstring:
+// - "revoked" if the given credential's status is revoked
+// - "suspended" if the given credential's status is suspended
+// - nil if the credential is not revoked or suspended, and a different error if verification fails.
 func (c *Client) VerifyStatus(credential *verifiable.Credential) error { //nolint:gocyclo
 	contents := credential.Contents()
-	if contents.Status == nil {
+	if len(contents.Status) == 0 {
 		return errors.New("vc missing status list field")
 	}
 
-	validator, err := c.ValidatorGetter(contents.Status.Type)
+	for _, status := range contents.Status {
+		if err := c.verifyStatus(credential, status); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (c *Client) verifyStatus( //nolint:gocyclo,funlen
+	credential *verifiable.Credential,
+	status *verifiable.TypedID,
+) error {
+	validator, err := c.ValidatorGetter(status.Type)
 	if err != nil {
 		return err
 	}
 
-	err = validator.ValidateStatus(contents.Status)
+	err = validator.ValidateStatus(status)
 	if err != nil {
 		return err
 	}
 
-	statusListIndex, err := validator.GetStatusListIndex(contents.Status)
+	statusListIndex, err := validator.GetStatusListIndex(status)
 	if err != nil {
 		return err
 	}
 
-	statusVCURL, err := validator.GetStatusVCURI(contents.Status)
+	statusVCURL, err := validator.GetStatusVCURI(status)
 	if err != nil {
 		return err
 	}
@@ -63,7 +86,8 @@ func (c *Client) VerifyStatus(credential *verifiable.Credential) error { //nolin
 	}
 
 	statusListVCC := statusListVC.Contents()
-	if statusListVCC.Issuer == nil || contents.Issuer == nil || statusListVCC.Issuer.ID != contents.Issuer.ID {
+	if statusListVCC.Issuer == nil || credential.Contents().Issuer == nil ||
+		statusListVCC.Issuer.ID != credential.Contents().Issuer.ID {
 		return errors.New("issuer of the credential does not match status list vc issuer")
 	}
 
@@ -85,7 +109,19 @@ func (c *Client) VerifyStatus(credential *verifiable.Credential) error { //nolin
 	}
 
 	if bitSet {
-		return errors.New(RevokedMessage)
+		purpose, err := validator.GetStatusPurpose(status)
+		if err != nil {
+			return err
+		}
+
+		switch purpose {
+		case StatusPurposeRevocation:
+			return ErrRevoked
+		case StatusPurposeSuspension:
+			return ErrSuspended
+		default:
+			return fmt.Errorf("unsupported status purpose: %s", purpose)
+		}
 	}
 
 	return nil

status/status_test.go

@@ -30,7 +30,7 @@ import (
 const issuerID = "issuer-id"
 
 func TestClient_VerifyStatus(t *testing.T) {
-	t.Run("success", func(t *testing.T) {
+	t.Run("single status -> success", func(t *testing.T) {
 		client := Client{
 			ValidatorGetter: validator.GetValidator,
 			Resolver:        resolver.NewResolver(http.DefaultClient, &vdr.VDRegistry{}, ""),
@@ -47,7 +47,7 @@ func TestClient_VerifyStatus(t *testing.T) {
 			Issuer: &verifiable.Issuer{
 				ID: issuerID,
 			},
-			Status: &verifiable.TypedID{
+			Status: []*verifiable.TypedID{{
 				ID:   "foo-bar",
 				Type: statuslist2021.StatusList2021Type,
 				CustomFields: map[string]interface{}{
@@ -56,7 +56,7 @@ func TestClient_VerifyStatus(t *testing.T) {
 					statuslist2021.StatusListIndex:      "0",
 				},
 			},
-		}))
+			}}))
 		require.NoError(t, err)
 
 		// status: revoked
@@ -65,18 +65,114 @@ func TestClient_VerifyStatus(t *testing.T) {
 				ID: issuerID,
 			},
 
-			Status: &verifiable.TypedID{
+			Status: []*verifiable.TypedID{{
 				ID:   "foo-bar",
 				Type: statuslist2021.StatusList2021Type,
 				CustomFields: map[string]interface{}{
-					statuslist2021.StatusPurpose:        "foo",
+					statuslist2021.StatusPurpose:        StatusPurposeRevocation,
 					statuslist2021.StatusListCredential: statusServer.URL,
 					statuslist2021.StatusListIndex:      "1",
 				},
 			},
-		}))
-		require.Error(t, err)
-		require.Contains(t, err.Error(), RevokedMessage)
+			}}))
+		require.ErrorIs(t, err, ErrRevoked)
+	})
+
+	t.Run("multi status -> success", func(t *testing.T) {
+		client := Client{
+			ValidatorGetter: validator.GetValidator,
+			Resolver:        resolver.NewResolver(http.DefaultClient, &vdr.VDRegistry{}, ""),
+		}
+
+		statusServer := httptest.NewServer(mockStatusResponseHandler(t, mockStatusVC(t, issuerID, isRevoked{false, true})))
+
+		defer func() {
+			statusServer.Close()
+		}()
+
+		err := client.VerifyStatus(createTestCredential(t, verifiable.CredentialContents{
+			Issuer: &verifiable.Issuer{
+				ID: issuerID,
+			},
+			Status: []*verifiable.TypedID{
+				{
+					ID:   "id1",
+					Type: statuslist2021.StatusList2021Type,
+					CustomFields: map[string]interface{}{
+						statuslist2021.StatusPurpose:        StatusPurposeRevocation,
+						statuslist2021.StatusListCredential: statusServer.URL + "/revoked",
+						statuslist2021.StatusListIndex:      "0",
+					},
+				},
+				{
+					ID:   "id2",
+					Type: statuslist2021.StatusList2021Type,
+					CustomFields: map[string]interface{}{
+						statuslist2021.StatusPurpose:        StatusPurposeSuspension,
+						statuslist2021.StatusListCredential: statusServer.URL + "/suspended",
+						statuslist2021.StatusListIndex:      "0",
+					},
+				},
+			}}))
+		require.NoError(t, err)
+
+		t.Run("revoked", func(t *testing.T) {
+			err = client.VerifyStatus(createTestCredential(t, verifiable.CredentialContents{
+				Issuer: &verifiable.Issuer{
+					ID: issuerID,
+				},
+
+				Status: []*verifiable.TypedID{
+					{
+						ID:   "id1",
+						Type: statuslist2021.StatusList2021Type,
+						CustomFields: map[string]interface{}{
+							statuslist2021.StatusPurpose:        StatusPurposeRevocation,
+							statuslist2021.StatusListCredential: statusServer.URL + "/revoked",
+							statuslist2021.StatusListIndex:      "1",
+						},
+					},
+					{
+						ID:   "id2",
+						Type: statuslist2021.StatusList2021Type,
+						CustomFields: map[string]interface{}{
+							statuslist2021.StatusPurpose:        StatusPurposeSuspension,
+							statuslist2021.StatusListCredential: statusServer.URL + "/suspended",
+							statuslist2021.StatusListIndex:      "0",
+						},
+					},
+				}}))
+			require.ErrorIs(t, err, ErrRevoked)
+		})
+
+		t.Run("suspended", func(t *testing.T) {
+			err = client.VerifyStatus(createTestCredential(t, verifiable.CredentialContents{
+				Issuer: &verifiable.Issuer{
+					ID: issuerID,
+				},
+
+				Status: []*verifiable.TypedID{
+					{
+						ID:   "id1",
+						Type: statuslist2021.StatusList2021Type,
+						CustomFields: map[string]interface{}{
+							statuslist2021.StatusPurpose:        StatusPurposeRevocation,
+							statuslist2021.StatusListCredential: statusServer.URL + "/revoked",
+							statuslist2021.StatusListIndex:      "0",
+						},
+					},
+					{
+						ID:   "id2",
+						Type: statuslist2021.StatusList2021Type,
+						CustomFields: map[string]interface{}{
+							statuslist2021.StatusPurpose:        StatusPurposeSuspension,
+							statuslist2021.StatusListCredential: statusServer.URL + "/suspended",
+							statuslist2021.StatusListIndex:      "1",
+						},
+					},
+				}}))
+			require.ErrorIs(t, err, ErrSuspended)
+		})
 	})
 
 	t.Run("fail", func(t *testing.T) {
@@ -96,7 +192,7 @@ func TestClient_VerifyStatus(t *testing.T) {
 				},
 			}
 			err := client.VerifyStatus(createTestCredential(t, verifiable.CredentialContents{
-				Status: &verifiable.TypedID{},
+				Status: []*verifiable.TypedID{{}},
 			}))
 			require.Error(t, err)
 			require.ErrorIs(t, err, expectErr)
@@ -113,7 +209,7 @@ func TestClient_VerifyStatus(t *testing.T) {
 				},
 			}
 			err := client.VerifyStatus(createTestCredential(t, verifiable.CredentialContents{
-				Status: &verifiable.TypedID{},
+				Status: []*verifiable.TypedID{{}},
 			}))
 			require.Error(t, err)
 			require.ErrorIs(t, err, expectErr)
@@ -130,7 +226,7 @@ func TestClient_VerifyStatus(t *testing.T) {
 				},
 			}
 			err := client.VerifyStatus(createTestCredential(t, verifiable.CredentialContents{
-				Status: &verifiable.TypedID{},
+				Status: []*verifiable.TypedID{{}},
 			}))
 			require.Error(t, err)
 			require.ErrorIs(t, err, expectErr)
@@ -147,7 +243,7 @@ func TestClient_VerifyStatus(t *testing.T) {
 				},
 			}
 			err := client.VerifyStatus(createTestCredential(t, verifiable.CredentialContents{
-				Status: &verifiable.TypedID{},
+				Status: []*verifiable.TypedID{{}},
 			}))
 			require.Error(t, err)
 			require.ErrorIs(t, err, expectErr)
@@ -165,7 +261,7 @@ func TestClient_VerifyStatus(t *testing.T) {
 				},
 			}
 			err := client.VerifyStatus(createTestCredential(t, verifiable.CredentialContents{
-				Status: &verifiable.TypedID{},
+				Status: []*verifiable.TypedID{{}},
 			}))
 			require.Error(t, err)
 			require.ErrorIs(t, err, expectErr)
@@ -188,7 +284,7 @@ func TestClient_VerifyStatus(t *testing.T) {
 				Issuer: &verifiable.Issuer{
 					ID: "foo",
 				},
-				Status: &verifiable.TypedID{},
+				Status: []*verifiable.TypedID{{}},
 			}))
 			require.Error(t, err)
 			require.Contains(t, err.Error(), "issuer of the credential does not match status list vc issuer")
@@ -216,7 +312,7 @@ func TestClient_VerifyStatus(t *testing.T) {
 				},
 			}
 			err := client.VerifyStatus(createTestCredential(t, verifiable.CredentialContents{
-				Status: &verifiable.TypedID{},
+				Status: []*verifiable.TypedID{{}},
 				Issuer: &verifiable.Issuer{
 					ID: issuerID,
 				},
@@ -233,6 +329,8 @@ type mockValidator struct {
 	GetStatusVCURIErr     error
 	GetStatusListIndexVal int
 	GetStatusListIndexErr error
+	GetStatusPurposeVal   string
+	GetStatusPurposeErr   error
 }
 
 func (m *mockValidator) ValidateStatus(*verifiable.TypedID) error {
@@ -247,6 +345,10 @@ func (m *mockValidator) GetStatusListIndex(*verifiable.TypedID) (int, error) {
 	return m.GetStatusListIndexVal, m.GetStatusListIndexErr
 }
 
+func (m *mockValidator) GetStatusPurpose(vcStatus *verifiable.TypedID) (string, error) {
+	return m.GetStatusPurposeVal, m.GetStatusPurposeErr
+}
+
 type mockResolver struct {
 	Cred *verifiable.Credential
 	Err  error

status/validator/statuslist2021/statuslist2021.go

@@ -92,3 +92,13 @@ func (v *Validator) GetStatusListIndex(vcStatus *verifiable.TypedID) (int, error
 
 	return idx, nil
 }
+
+// GetStatusPurpose returns the purpose of the status list. For example, "revocation", "suspension".
+func (v *Validator) GetStatusPurpose(vcStatus *verifiable.TypedID) (string, error) {
+	statusPurpose, ok := vcStatus.CustomFields[StatusPurpose].(string)
+	if !ok {
+		return "", fmt.Errorf("%s must be a string", StatusPurpose)
+	}
+
+	return statusPurpose, nil
+}