Extract from didkit repo

.github/dependabot.yml

@@ -0,0 +1,16 @@
+version: 2
+updates:
+  - package-ecosystem: "cargo"
+    directory: "/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/cd.yml

@@ -0,0 +1,40 @@
+name: CD
+
+on:
+  push:
+    branches: [ main ]
+  release:
+      types: [published, created, edited]
+  workflow_dispatch:
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+    - uses: docker/setup-buildx-action@v3
+    - uses: docker/metadata-action@v5
+      id: meta
+      with:
+        images: |
+          ghcr.io/spruceid/didkit-http
+        tags: |
+          type=ref,event=branch
+          type=sha,prefix={{date 'YYYYMMDDHHmmss'}}
+          type=raw,value=latest,enable={{is_default_branch}}
+    - uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    - uses: docker/build-push-action@v5
+      with:
+        push: true
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+        cache-from: type=gha
+        cache-to: type=gha,mode=max

.github/workflows/ci.yml

@@ -0,0 +1,95 @@
+name: ci
+
+on:
+  pull_request:
+    branches: [ main ]
+  push:
+    branches: [ main ]
+
+env:
+  CARGO_TERM_COLOR: always
+  SSI_REF: main
+  RUSTFLAGS: "-Dwarnings"
+
+defaults:
+  run:
+    working-directory: didkit-http
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        path: didkit-http
+        submodules: true
+
+    - name: Checkout SSI library
+      uses: actions/checkout@v4
+      with:
+        repository: spruceid/ssi
+        path: ssi
+        ref: ${{env.SSI_REF}}
+        submodules: true
+
+    - name: Rust Cache
+      uses: Swatinem/rust-cache@v2
+      with:
+        workspaces: |
+          didkit-http
+
+    - name: Build
+      run: cargo build
+    - name: Test
+      run: cargo test
+    - name: Clippy
+      run: cargo clippy
+
+  # vc_api_test_suites:
+  #   runs-on: ubuntu-latest
+  #   strategy:
+  #     matrix:
+  #       suite:
+  #         # - "vc-api-issuer-test-suite" # not updated to latest test suites config
+  #         # - "vc-api-verifier-test-suite" # not updated to latest test suites config
+  #         # - "vc-di-ecdsa-test-suite" # ssi lost support for ecdsa and they updated the ids
+  #         # - "vc-di-eddsa-test-suite" # ssi doesn't have support for eddsa-rdfc-2022 just yet
+  #         # - "vc-di-ed25519signature2020-test-suite" # ssi needs support for editing VC context
+  #         # - "did-key-test-suite" # not updated to latest test suites config
+  #         # - "vc-data-model-2.0-test-suite" # ssi doesn't yet have full support for VCDM 2
+  #         # - "vc-di-bbs-test-suite" # ssi doesn't yet have support for BBS
+  #   steps:
+  #   - uses: actions/checkout@v4
+  #     with:
+  #       path: didkit-http
+  #       submodules: true
+  #   - name: Checkout SSI library
+  #     uses: actions/checkout@v4
+  #     with:
+  #       repository: spruceid/ssi
+  #       path: ssi
+  #       ref: ${{env.SSI_REF}}
+  #   - name: Rust Cache
+  #     uses: Swatinem/rust-cache@v2
+  #     with:
+  #       workspaces: |
+  #         didkit-http
+  #       shared-key: "vc-api"
+  #   - uses: actions/setup-node@v4
+  #     with:
+  #       node-version: 18
+  #   - name: Start VC API
+  #     run: |
+  #       cargo build
+  #       DIDKIT_HTTP_ISSUER_KEYS='[{"kty":"OKP","crv":"Ed25519","x":"HvjBEw94RHAh9KkiD385aYZNxGkxIkwBcrLBY5Z7Koo","d":"1onWu34oC29Y09qCRl0aD2FOp5y5obTqHZxQQRT3-bs"}]' cargo run &
+  #   - name: Start HTTPS Proxy
+  #     run: npx local-ssl-proxy --source 9000 --target 3000 --hostname 127.0.0.1 &
+  #   - name: Setup Test Suite
+  #     run: |
+  #       cd tests/${{ matrix.suite }}
+  #       npm i
+  #       ln ../localConfig.cjs localConfig.cjs
+  #   - name: Run Test Suite
+  #     run: |
+  #       cd tests/${{ matrix.suite }}
+  #       npm test

.gitignore

@@ -0,0 +1,4 @@
+/target
+Cargo.lock
+__pycache__/
+*~

.gitmodules

@@ -0,0 +1,24 @@
+[submodule "tests/vc-di-ecdsa-test-suite"]
+	path = tests/vc-di-ecdsa-test-suite
+	url = https://github.com/w3c/vc-di-ecdsa-test-suite.git
+[submodule "tests/vc-di-eddsa-test-suite"]
+	path = tests/vc-di-eddsa-test-suite
+	url = https://github.com/w3c/vc-di-eddsa-test-suite.git
+[submodule "tests/vc-di-ed25519signature2020-test-suite"]
+	path = tests/vc-di-ed25519signature2020-test-suite
+	url = https://github.com/w3c/vc-di-ed25519signature2020-test-suite.git
+[submodule "tests/vc-api-issuer-test-suite"]
+	path = tests/vc-api-issuer-test-suite
+	url = https://github.com/w3c-ccg/vc-api-issuer-test-suite.git
+[submodule "tests/vc-api-verifier-test-suite"]
+	path = tests/vc-api-verifier-test-suite
+	url = https://github.com/w3c-ccg/vc-api-verifier-test-suite.git
+[submodule "tests/did-key-test-suite"]
+	path = tests/did-key-test-suite
+	url = https://github.com/w3c-ccg/did-key-test-suite.git
+[submodule "tests/vc-data-model-2.0-test-suite"]
+	path = tests/vc-data-model-2.0-test-suite
+	url = https://github.com/w3c/vc-data-model-2.0-test-suite.git
+[submodule "tests/vc-di-bbs-test-suite"]
+	path = tests/vc-di-bbs-test-suite
+	url = https://github.com/w3c/vc-di-bbs-test-suite.git

Cargo.toml

@@ -0,0 +1,34 @@
+[package]
+name = "didkit-http"
+version = "0.4.0"
+authors = ["Spruce Systems, Inc."]
+edition = "2021"
+description = "HTTP server for Verifiable Credentials and Decentralized Identifiers."
+keywords = ["ssi", "did", "vc", "http", "api"]
+license = "MIT OR Apache-2.0"
+homepage = "https://github.com/spruceid/didkit-http"
+repository = "https://github.com/spruceid/didkit-http"
+
+exclude = ["/tests"]
+
+[dependencies]
+ssi = { version = "0.8.0", path = "../ssi" }
+
+anyhow = "1.0.70"
+axum = { version = "0.7.5", features = ["macros"] }
+axum-extra = { version = "0.9.3", features = ["typed-header"] }
+figment = { version = "0.10.8", features = ["env", "toml"] }
+tokio = { version = "1.0", features = ["macros", "rt-multi-thread"] }
+tower = "0.4.13"
+tower-http = { version = "0.5.2", features = ["trace", "limit"] }
+tracing = "0.1.37"
+tracing-subscriber = "0.3.16"
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
+serde_with = { version = "2.1.0", features = ["json"] }
+serde_urlencoded = "0.7"
+url = { version = "2.3.1", features = ["serde"] }
+percent-encoding = "2.2.0"
+
+[dev-dependencies]
+test-log = "0.2.16"

Dockerfile

@@ -0,0 +1,28 @@
+FROM clux/muslrust:stable AS chef
+USER root
+RUN cargo install cargo-chef
+WORKDIR /app
+
+FROM chef AS planner
+COPY ./defaults.toml ./
+COPY ./Cargo.toml ./
+COPY ./src/ ./src/
+RUN sed -i -e 's/path .*,//g' ./Cargo.toml
+RUN cargo chef prepare --recipe-path recipe.json
+
+FROM chef AS builder
+COPY --from=planner /app/recipe.json recipe.json
+RUN cargo chef cook --release --target x86_64-unknown-linux-musl --recipe-path recipe.json
+COPY --from=planner /app/ ./
+RUN cargo build --release --target x86_64-unknown-linux-musl --bin didkit-http
+
+FROM alpine AS runtime
+RUN addgroup -S didkit-http && adduser -S didkit-http -G didkit-http
+COPY --from=builder /app/target/x86_64-unknown-linux-musl/release/didkit-http /usr/local/bin/didkit-http
+USER didkit-http
+EXPOSE 3000
+ENV DIDKIT_HTTP_HTTP_ADDRESS=[0,0,0,0]
+CMD ["didkit-http"]
+HEALTHCHECK --interval=5s --timeout=3s \
+  CMD wget --no-verbose --tries=1 --spider http://localhost:3000/healthz || exit 1
+LABEL org.opencontainers.image.source https://github.com/spruceid/didkit-http

README.md

@@ -0,0 +1,36 @@
+# DIDKit HTTP
+
+Implementation of the [Verifiable Credentials API](https://w3c-ccg.github.io/vc-api/)
+using DIDKit.
+
+## Usage
+
+The Docker image is available at
+https://github.com/spruceid/didkit/pkgs/container/didkit-http.
+
+### Configuration
+
+Refer to the [defaults configuration file](./defaults.toml).
+
+To provide overrides you can either:
+- use a configuration file named `didkit-http.toml` which follows the structure
+  as the defaults files; or
+- use environment variables, which are prefixed with `DIDKIT_HTTP_` and follow
+  the same names, with a separating `_` between sections.
+
+## Security Considerations
+
+Spruce does not use DIDKit HTTP in any production environments except with a reverse proxy, and does not recommend them for production use-cases without a holistic review of security levels.  The following is not an exhaustive list, but should be considered in any such review.
+
+### Authorization
+
+DIDKit HTTP does not implement any endpoint authorization or access control. Any client can request a signature/proof creation from the server's key(s) using the issue credential/presentation endpoints. To limit access to some or all of DIDKit HTTP's endpoints, a deployment should place DIDKit HTTP behind a reverse proxy with appropriate settings.
+
+### Denial of Service
+
+DIDKit HTTP does not implement complete protection against resource exhaustion. Clients may be able to overwhelm the server with excessively slow and/or concurrent requests. To protect against resource exhaustion, deployments should use a reverse proxy with rate limiting, load balancing across multiple DIDKit HTTP instances, and/or other protections.
+
+[did-http]: https://w3c-ccg.github.io/did-resolution/#bindings-https
+[vc-api]: https://w3c-ccg.github.io/vc-api/
+[vc-http-api-0.0.1]: https://github.com/w3c-ccg/vc-api/pull/72
+[did-resolution-https-binding]: https://w3c-ccg.github.io/did-resolution/#bindings-https

defaults.toml

@@ -0,0 +1,11 @@
+[default.http]
+# DIDKIT_HTTP_HTTP_PORT
+port = 3000
+# DIDKIT_HTTP_HTTP_ADDRESS
+address = [127, 0, 0, 1]
+# DIDKIT_HTTP_HTTP_BODYSIZELIMIT
+bodysizelimit = 2097152 # 2MiB
+
+[default.issuer]
+# DIDKIT_HTTP_ISSUER_KEYS
+# keys = '[<JWK>, <JWK>]'

src/config.rs

@@ -0,0 +1,29 @@
+use serde::Deserialize;
+use serde_with::{json::JsonString, serde_as};
+use ssi::JWK;
+
+#[derive(Deserialize, Debug, Clone, Hash, PartialEq, Eq)]
+pub struct Config {
+    pub http: Http,
+    pub issuer: Issuer,
+}
+
+#[derive(Deserialize, Debug, Clone, Hash, PartialEq, Eq)]
+pub struct Http {
+    pub port: u16,
+    pub address: [u8; 4],
+    #[serde(rename = "bodysizelimit")]
+    pub body_size_limit: usize,
+}
+
+// #[derive(Deserialize, Debug, Clone, Hash, PartialEq, Eq)]
+// pub struct Resolver {
+//     pub fallback: Option<Url>,
+// }
+
+#[serde_as]
+#[derive(Deserialize, Debug, Clone, Hash, PartialEq, Eq)]
+pub struct Issuer {
+    #[serde_as(as = "Option<JsonString>")]
+    pub keys: Option<Vec<JWK>>,
+}