feat: Add StatusTracker to IdentityAssertion parsing and validation APIs (#943)

Author: scouten-adobe

cawg_identity/src/claim_aggregation/ica_signature_verifier.rs

@@ -12,6 +12,7 @@
 // each license.
 
 use async_trait::async_trait;
+use c2pa_status_tracker::{log_item, StatusTracker};
 use coset::{CoseSign1, RegisteredLabelWithPrivate, TaggedCborSerializable};
 
 use crate::{
@@ -45,13 +46,34 @@ impl SignatureVerifier for IcaSignatureVerifier {
 
     async fn check_signature(
         &self,
-        _signer_payload: &SignerPayload,
+        signer_payload: &SignerPayload,
         signature: &[u8],
+        status_tracker: &mut StatusTracker,
     ) -> Result<Self::Output, ValidationError<Self::Error>> {
+        if signer_payload.sig_type != super::CAWG_ICA_SIG_TYPE {
+            // TO DO: Where would we get assertion label?
+            log_item!(
+                "NEED TO FIND LABEL".to_owned(),
+                "unsupported signature type",
+                "X509SignatureVerifier::check_signature"
+            )
+            .validation_status("cawg.identity.sig_type.unknown")
+            .failure_no_throw(
+                status_tracker,
+                ValidationError::<IcaValidationError>::UnknownSignatureType(
+                    signer_payload.sig_type.clone(),
+                ),
+            );
+
+            return Err(ValidationError::UnknownSignatureType(
+                signer_payload.sig_type.clone(),
+            ));
+        }
+
         // The signature should be a `CoseSign1` object.
         let sign1 = CoseSign1::from_tagged_slice(signature)?;
 
-        // Identify the signature
+        // Identify the signature.
         let _ssi_alg = if let Some(ref alg) = sign1.protected.header.alg {
             match alg {
                 // TEMPORARY: Require EdDSA algorithm.

cawg_identity/src/claim_aggregation/mod.rs

@@ -29,3 +29,5 @@ mod ica_validation_error;
 pub use ica_validation_error::IcaValidationError;
 
 pub(crate) mod w3c_vc;
+
+const CAWG_ICA_SIG_TYPE: &str = "cawg.identity_claims_aggregation";

cawg_identity/src/identity_assertion/assertion.rs

@@ -17,6 +17,7 @@ use std::{
 };
 
 use c2pa::{Manifest, Reader};
+use c2pa_status_tracker::{log_item, StatusTracker};
 use serde::{Deserialize, Serialize};
 use serde_bytes::ByteBuf;
 
@@ -63,14 +64,31 @@ impl IdentityAssertion {
     /// Iterator returns a [`Result`] because each assertion may fail to parse.
     ///
     /// Aside from CBOR parsing, no further validation is performed.
-    pub fn from_manifest(
-        manifest: &Manifest,
-    ) -> impl Iterator<Item = Result<Self, c2pa::Error>> + use<'_> {
+    pub fn from_manifest<'a>(
+        manifest: &'a Manifest,
+        status_tracker: &'a mut StatusTracker,
+    ) -> impl Iterator<Item = Result<Self, c2pa::Error>> + use<'a> {
         manifest
             .assertions()
             .iter()
             .filter(|a| a.label().starts_with("cawg.identity"))
-            .map(|a| a.to_assertion())
+            .map(|a| (a.label().to_owned(), a.to_assertion()))
+            .inspect(|(label, r)| {
+                if let Err(err) = r {
+                    // TO DO: a.label() is probably wrong (not a full JUMBF URI)
+                    log_item!(
+                        label.clone(),
+                        "invalid CBOR",
+                        "IdentityAssertion::from_manifest"
+                    )
+                    .validation_status("cawg.identity.cbor.invalid")
+                    .failure_no_throw(
+                        status_tracker,
+                        c2pa::Error::AssertionSpecificError(err.to_string()),
+                    );
+                }
+            })
+            .map(move |(_label, r)| r)
     }
 
     /// Create a summary report from this `IdentityAssertion`.
@@ -83,25 +101,28 @@ impl IdentityAssertion {
     pub async fn to_summary<SV: SignatureVerifier>(
         &self,
         manifest: &Manifest,
+        status_tracker: &mut StatusTracker,
         verifier: &SV,
     ) -> impl Serialize
     where
         <SV as SignatureVerifier>::Output: 'static,
     {
-        self.to_summary_impl(manifest, verifier).await
+        self.to_summary_impl(manifest, status_tracker, verifier)
+            .await
     }
 
     pub(crate) async fn to_summary_impl<SV: SignatureVerifier>(
         &self,
         manifest: &Manifest,
+        status_tracker: &mut StatusTracker,
         verifier: &SV,
     ) -> IdentityAssertionReport<
         <<SV as SignatureVerifier>::Output as ToCredentialSummary>::CredentialSummary,
     >
     where
         <SV as SignatureVerifier>::Output: 'static,
     {
-        match self.validate(manifest, verifier).await {
+        match self.validate(manifest, status_tracker, verifier).await {
             Ok(named_actor) => {
                 let summary = named_actor.to_summary();
 
@@ -120,13 +141,15 @@ impl IdentityAssertion {
     /// Summarize all of the identity assertions found for a [`Manifest`].
     pub async fn summarize_all<SV: SignatureVerifier>(
         manifest: &Manifest,
+        status_tracker: &mut StatusTracker,
         verifier: &SV,
     ) -> impl Serialize {
-        Self::summarize_all_impl(manifest, verifier).await
+        Self::summarize_all_impl(manifest, status_tracker, verifier).await
     }
 
     pub(crate) async fn summarize_all_impl<SV: SignatureVerifier>(
         manifest: &Manifest,
+        status_tracker: &mut StatusTracker,
         verifier: &SV,
     ) -> IdentityAssertionsForManifest<
         <<SV as SignatureVerifier>::Output as ToCredentialSummary>::CredentialSummary,
@@ -139,9 +162,16 @@ impl IdentityAssertion {
             >,
         > = vec![];
 
-        for assertion in Self::from_manifest(manifest) {
+        let assertion_results: Vec<Result<IdentityAssertion, c2pa::Error>> =
+            Self::from_manifest(manifest, status_tracker).collect();
+
+        for assertion in assertion_results {
             let report = match assertion {
-                Ok(assertion) => assertion.to_summary_impl(manifest, verifier).await,
+                Ok(assertion) => {
+                    assertion
+                        .to_summary_impl(manifest, status_tracker, verifier)
+                        .await
+                }
                 Err(_) => {
                     todo!("Handle assertion failed to parse case");
                 }
@@ -163,6 +193,7 @@ impl IdentityAssertion {
     #[cfg(feature = "v1_api")]
     pub async fn summarize_manifest_store<SV: SignatureVerifier>(
         store: &c2pa::ManifestStore,
+        status_tracker: &mut StatusTracker,
         verifier: &SV,
     ) -> impl Serialize {
         // NOTE: We can't write this using .map(...).collect() because there are async
@@ -175,7 +206,7 @@ impl IdentityAssertion {
         > = BTreeMap::new();
 
         for (id, manifest) in store.manifests() {
-            let report = Self::summarize_all_impl(manifest, verifier).await;
+            let report = Self::summarize_all_impl(manifest, status_tracker, verifier).await;
             reports.insert(id.clone(), report);
         }
 
@@ -189,6 +220,7 @@ impl IdentityAssertion {
     /// Summarize all of the identity assertions found for a [`Reader`].
     pub async fn summarize_from_reader<SV: SignatureVerifier>(
         reader: &Reader,
+        status_tracker: &mut StatusTracker,
         verifier: &SV,
     ) -> impl Serialize {
         // NOTE: We can't write this using .map(...).collect() because there are async
@@ -201,7 +233,7 @@ impl IdentityAssertion {
         > = BTreeMap::new();
 
         for (id, manifest) in reader.manifests() {
-            let report = Self::summarize_all_impl(manifest, verifier).await;
+            let report = Self::summarize_all_impl(manifest, status_tracker, verifier).await;
             reports.insert(id.clone(), report);
         }
 
@@ -222,25 +254,55 @@ impl IdentityAssertion {
     pub async fn validate<SV: SignatureVerifier>(
         &self,
         manifest: &Manifest,
+        status_tracker: &mut StatusTracker,
         verifier: &SV,
     ) -> Result<SV::Output, ValidationError<SV::Error>> {
-        self.check_padding()?;
+        // TO DO: Create new status tracker here and pass it through
+        // the rest of this code. Then we can rewrite the log with
+        // assertion label at the end of this process.
+
+        // UPDATED TO DO: Hold off until Gavin lands the post-validate branch.
+        // Then we'll get the assertion label handed to us nicely.
+        self.check_padding(status_tracker)?;
 
-        self.signer_payload.check_against_manifest(manifest)?;
+        self.signer_payload
+            .check_against_manifest(manifest, status_tracker)?;
 
         verifier
-            .check_signature(&self.signer_payload, &self.signature)
+            .check_signature(&self.signer_payload, &self.signature, status_tracker)
             .await
     }
 
-    fn check_padding<E>(&self) -> Result<(), ValidationError<E>> {
+    fn check_padding<E: Debug>(
+        &self,
+        status_tracker: &mut StatusTracker,
+    ) -> Result<(), ValidationError<E>> {
         if !self.pad1.iter().all(|b| *b == 0) {
-            return Err(ValidationError::InvalidPadding);
+            // TO DO: Where would we get assertion label?
+            log_item!(
+                "NEED TO FIND LABEL".to_owned(),
+                "invalid value in pad fields",
+                "SignerPayload::check_padding"
+            )
+            .validation_status("cawg.identity.pad.invalid")
+            .failure(status_tracker, ValidationError::<E>::InvalidPadding)?;
+
+            // We'll only get to this line if `pad1` is invalid and the status tracker is
+            // configured to continue through recoverable errors. In that case, we want to
+            // avoid logging a second "invalid padding" warning if `pad2` is also invalid.
+            return Ok(());
         }
 
         if let Some(pad2) = self.pad2.as_ref() {
             if !pad2.iter().all(|b| *b == 0) {
-                return Err(ValidationError::InvalidPadding);
+                // TO DO: Where would we get assertion label?
+                log_item!(
+                    "NEED TO FIND LABEL".to_owned(),
+                    "invalid value in pad fields",
+                    "SignerPayload::check_padding"
+                )
+                .validation_status("cawg.identity.pad.invalid")
+                .failure(status_tracker, ValidationError::<E>::InvalidPadding)?;
             }
         }
 

cawg_identity/src/identity_assertion/signature_verifier.rs

@@ -11,7 +11,10 @@
 // specific language governing permissions and limitations under
 // each license.
 
+use std::fmt::Debug;
+
 use async_trait::async_trait;
+use c2pa_status_tracker::StatusTracker;
 use serde::Serialize;
 
 use crate::{SignerPayload, ValidationError};
@@ -36,7 +39,7 @@ pub trait SignatureVerifier: Sync {
     /// included in the `SignatureError` variant of [`ValidationError`].
     ///
     /// [`ValidationError`]: crate::ValidationError
-    type Error;
+    type Error: Debug;
 
     /// Verify the signature, returning an instance of [`Output`] if the
     /// signature is valid.
@@ -46,6 +49,7 @@ pub trait SignatureVerifier: Sync {
         &self,
         signer_payload: &SignerPayload,
         signature: &[u8],
+        status_tracker: &mut StatusTracker,
     ) -> Result<Self::Output, ValidationError<Self::Error>>;
 }
 
@@ -69,7 +73,7 @@ pub trait SignatureVerifier {
     /// included in the `SignatureError` variant of [`ValidationError`].
     ///
     /// [`ValidationError`]: crate::ValidationError
-    type Error;
+    type Error: Debug;
 
     /// Verify the signature, returning an instance of [`Output`] if the
     /// signature is valid.
@@ -79,6 +83,7 @@ pub trait SignatureVerifier {
         &self,
         signer_payload: &SignerPayload,
         signature: &[u8],
+        status_tracker: &mut StatusTracker,
     ) -> Result<Self::Output, ValidationError<Self::Error>>;
 }
 

cawg_identity/src/identity_assertion/signer_payload.rs

@@ -14,6 +14,7 @@
 use std::{collections::HashSet, fmt::Debug, sync::LazyLock};
 
 use c2pa::{HashedUri, Manifest};
+use c2pa_status_tracker::{log_item, StatusTracker};
 use regex::Regex;
 use serde::{Deserialize, Serialize};
 
@@ -41,9 +42,10 @@ pub struct SignerPayload {
 }
 
 impl SignerPayload {
-    pub(super) fn check_against_manifest<E>(
+    pub(super) fn check_against_manifest<E: Debug>(
         &self,
         manifest: &Manifest,
+        status_tracker: &mut StatusTracker,
     ) -> Result<(), ValidationError<E>> {
         // All assertions mentioned in referenced_assertions also need to be referenced
         // in the claim.
@@ -81,9 +83,17 @@ impl SignerPayload {
                 //     ));
                 // }
             } else {
-                return Err(ValidationError::AssertionNotInClaim(
-                    ref_assertion.url().to_owned(),
-                ));
+                // TO DO: Where would we get assertion label?
+                log_item!(
+                    "NEED TO FIND LABEL".to_owned(),
+                    "referenced assertion not in claim",
+                    "SignerPayload::check_against_manifest"
+                )
+                .validation_status("cawg.identity.assertion.mismatch")
+                .failure(
+                    status_tracker,
+                    ValidationError::<E>::AssertionNotInClaim(ref_assertion.url().to_owned()),
+                )?;
             }
         }
 
@@ -101,7 +111,14 @@ impl SignerPayload {
                 false
             }
         }) {
-            return Err(ValidationError::NoHardBindingAssertion);
+            // TO DO: Where would we get assertion label?
+            log_item!(
+                "NEED TO FIND LABEL".to_owned(),
+                "no hard binding assertion",
+                "SignerPayload::check_against_manifest"
+            )
+            .validation_status("cawg.identity.hard_binding_missing")
+            .failure(status_tracker, ValidationError::<E>::NoHardBindingAssertion)?;
         }
 
         // Make sure no assertion references are duplicated.
@@ -110,8 +127,19 @@ impl SignerPayload {
         for label in &ref_assertion_labels {
             let label = label.clone();
             if labels.contains(&label) {
-                return Err(ValidationError::DuplicateAssertionReference(label));
+                // TO DO: Where would we get assertion label?
+                log_item!(
+                    "NEED TO FIND LABEL".to_owned(),
+                    "multiple references to same assertion",
+                    "SignerPayload::check_against_manifest"
+                )
+                .validation_status("cawg.identity.assertion.duplicate")
+                .failure(
+                    status_tracker,
+                    ValidationError::<E>::DuplicateAssertionReference(label.clone()),
+                )?;
             }
+
             labels.insert(label);
         }