Added public and private key claims verification. Added iam-identity extension. Deleted iam-claims extension.

Author: ortegi

commons/src/main/java/org/eclipse/edc/heleade/commons/verify/claims/Claims.java

@@ -26,6 +26,12 @@
 import java.util.Objects;
 
 
+/**
+ * The Claims class provides methods for verifying participant claims and signatures.
+ * These methods are intended for use cases where participants' submitted claims
+ * need validation against trusted claims (FC) or their authenticity needs to be proven
+ * via digital signatures.
+ */
 public class Claims {
 
     /**
@@ -37,24 +43,19 @@ public class Claims {
      * @param participantClaims       the map containing the claims provided by the participant
      * @return true if the signature is valid
      */
-    public static boolean verifySignature(ObjectMapper mapper,  String pem, String participantSignedClaims, Map<String, Object> participantClaims) {
+    public static boolean verifySignature(ObjectMapper mapper,  String pem, String participantSignedClaims, String participantClaims) {
         try {
-            pem = pem.replaceAll("-+[A-Z ]+-+", "")
-                    .replaceAll("\\s", "");
-
-            byte[] decoded = Base64.getDecoder().decode(pem);
-
-
+            byte[] decoded = Base64.getMimeDecoder().decode(pem);
             X509EncodedKeySpec keySpec = new X509EncodedKeySpec(decoded);
             KeyFactory keyFactory = KeyFactory.getInstance("Ed25519");
 
             PublicKey publicKey = keyFactory.generatePublic(keySpec);
 
-            String claimsString = mapper.writeValueAsString(participantClaims);
+
 
             Signature signature = Signature.getInstance("Ed25519");
             signature.initVerify(publicKey);
-            signature.update(claimsString.getBytes(StandardCharsets.UTF_8));
+            signature.update(participantClaims.getBytes(StandardCharsets.UTF_8));
 
             byte[] signedBytes = Base64.getDecoder().decode(participantSignedClaims);
 

consumers/consumer-base/resources/configuration/consumer-base-configuration.properties

@@ -29,7 +29,7 @@ web.http.public.path=/public
 
 # claims
 edc.participant.claims=deployment/assets/consumer/creds.json
-
+edc.participant.private.key=deployment/assets/consumer/ed25519_private.pem
 # identity hub
 #edc.participant.id=did:web:localhost%3A7083
 #edc.management.context.enabled=true

consumers/consumer/build.gradle.kts

@@ -30,7 +30,6 @@ dependencies {
     implementation(libs.edc.dsp)
     implementation(libs.edc.http)
     implementation(libs.edc.configuration.filesystem)
-    //implementation(libs.edc.iam.mock)
     implementation(libs.edc.management.api)
     implementation(libs.edc.transfer.data.plane.signaling)
     implementation(libs.edc.validator.data.address.http.data)
@@ -55,6 +54,6 @@ dependencies {
     implementation(libs.edc.auth.configuration)
 
     implementation(project(":providers:content-based-catalog-dispatcher"))
-    implementation(project(":providers:iam-claims"));
+    implementation(project(":iam-identity"));
     implementation(project(":commons"))
 }

deployment/assets/consumer/creds.json

@@ -1,12 +1,4 @@
 {
   "location": "eu",
-   "entity_type": "public",
-   "legal_name": "Official Consumer",
-   "ip_connector": "219.208.53.217",
-   "lei_code": "0202",
-  "num_employees": "4000",
-  "membership": {
-    "level": "SILVER",
-    "branch": "operator"
-  }
+   "entity_type": "public"
 }

deployment/assets/provider/creds.json

@@ -1,11 +1,4 @@
 {
   "location": "eu",
-  "entity_type": "private",
-  "legal_name": "Official Provider",
-  "ip_connector": "219.208.53.217",
-  "lei_code": "0202",
-  "membership": {
-    "level": "SILVER",
-    "branch": "operator"
-  }
+  "entity_type": "public"
 }

federated-catalog/resources/configuration/fc-configuration.properties

@@ -38,4 +38,5 @@ edc.dataplane.api.public.baseurl=http://localhost:39291/public
 # Configuración de la base de datos MongoDB
 org.eclipse.edc.heleade.federated.catalog.extension.store.mongodb.uri = mongodb://localhost:27017/
 org.eclipse.edc.heleade.federated.catalog.extension.store.mongodb.db = federatedcatalogdb
-#edc.participant.claims=deployment/assets/consumer/creds.json
+edc.participant.claims=deployment/assets/consumer/creds.json
+edc.participant.private.key=deployment/assets/consumer/ed25519_private.pem

federated-catalog/src/main/java/org/eclipse/edc/heleade/federated/catalog/extension/api/verification/VerificationApiController.java

@@ -98,11 +98,13 @@ public JsonObject verify(String body) {
         String id = compactedBody.getString("participantId");
         String participantSignedClaims = compactedBody.getString("signedClaims");
         Map<String, Object> participantClaims = getMapFromJsonObject(compactedBody.getJsonObject("claims"));
+        JsonObject participantClaimsJson = compactedBody.getJsonObject("claims");
+        String claimsString = participantClaimsJson.toString();
 
         // check the signature
         ParticipantNode participantNode = targetNodeDirectory.getParticipantNode(id);
-        String pem = participantNode.security().get("pem");
-        boolean verifySignatureSuccess = verifySignature(typeManager.getMapper(), pem, participantSignedClaims, participantClaims);
+        String pem = participantNode.security().get("https://w3id.org/edc/v0.0.1/ns/pem");
+        boolean verifySignatureSuccess = verifySignature(typeManager.getMapper(), pem, participantSignedClaims, claimsString);
         JsonObjectBuilder builder = Json.createObjectBuilder();
         builder.add("verifySignatureSuccess", verifySignatureSuccess);
 

providers/iam-claims/README.md iam-identity/README.mdproviders/iam-claims/README.md renamed to iam-identity/README.md

@@ -1,11 +1,40 @@
-## IAM CLAIMS
+## I AM - IDENTITY
 
 
-This extension generates and verifies the participant token and includes the participant claims inside it.
+This extension generates and verifies the participant token and includes the participant claims && participant 
+signed claims, these claims are signed with the participant private key. 
+----------------
+## In participant onboarding, participant needs:
 
-When the extension is initialized, it loads participant claims.
+- One private key → used only to sign
+- One public key → shared with participant registry to verify signatures
 
-By default, the claims are read from a local file, but this behavior can be replaced with other sources in the future.
+This works in the following way:
+
+Participant(Consumer) 1:
+
+- Signs data with their private key
+Sends (claims + signature) to provider
+
+Participant (Provider) 2:
+- Looks up participant 1’s public key in participant registry.
+- Verifies the signature
+- Verifies the claims were created by participant 1
+- Verifies that claims were not modified
+-----
+
+How to generate key pair
+
+
+
+
+``
+openssl genpkey -algorithm Ed25519 -out ed25519_private.pem
+``
+
+``
+openssl pkey -in ed25519_private.pem -pubout -out ed25519_public.pem
+``
 
 #### Configuration
 
@@ -30,13 +59,14 @@ Here’s an example structure:
 {
   "location": "eu",
   "entityType": "public",
-  "membership": {
-    "level": "SILVER",
-    "branch": "operator"
-  }
 }
 ```
 
+To specify the path containing the private key.
+
+``
+edc.participant.private.key=<path-to-pem-file>
+``
 ### Reminder
 When creating a participant—especially a consumer:
 
@@ -55,15 +85,11 @@ Example:
     "id": "search-service",
     "supportedProtocols": [],
     "claims": {
-    "membership": {
-    "level": "SILVER",
-    "branch": "operator"
-    },
-    "location": "eu"
+    "location": "eu",
+    "entityType": "public"
     },
-    "attributes": {
-    "role": "consumer with claims",
-    "description": "consumer node"
+     "security": {
+        "pem": "MCowBQYDK2VwAyEA/UfM1mYj4c3y7P7AXigfjl08PXISX/0ixait4gflOQU="
     },
     "@context": {
     "@vocab": "https://w3id.org/edc/v0.0.1/ns/"
@@ -74,13 +100,13 @@ Example:
 
 #### Important:
 
-Since the Identity Hub was overly complex and not functioning correctly, 
-we decided not to use it. Instead, 
-this extension implements the IdentityService interface, 
-with a small modification to include claims in the generated token so 
+Since the Identity Hub was overly complex and not functioning correctly,
+we decided not to use it. Instead,
+this extension implements the IdentityService interface,
+with a small modification to include claims in the generated token so
 they are available to the participant agent.
 Because the Identity Service component in EDC is not well documented,
-much of this understanding 
-comes from community issues and discussions on Discord. 
-In the future, we can—and should—expand this implementation to 
+much of this understanding
+comes from community issues and discussions on Discord.
+In the future, we can—and should—expand this implementation to
 further improve identity handling.

providers/iam-claims/build.gradle.kts iam-identity/build.gradle.ktsproviders/iam-claims/build.gradle.kts renamed to iam-identity/build.gradle.kts

@@ -1,5 +1,5 @@
 /*
- *  Copyright (c) 2023 Fraunhofer Institute for Software and Systems Engineering
+ *  Copyright (c) 2025 Universidad de Alicante
  *
  *  This program and the accompanying materials are made available under the
  *  terms of the Apache License, Version 2.0 which is available at
@@ -8,10 +8,9 @@
  *  SPDX-License-Identifier: Apache-2.0
  *
  *  Contributors:
- *       Fraunhofer Institute for Software and Systems Engineering - initial API and implementation
+ *       MO - Universidad de Alicante - initial implementation
  *
  */
-
 plugins {
     `java-library`
     id("application")

iam-identity/src/main/java/org/eclipse/edc/identity/extension/FileParticipantIdentityLoader.java

@@ -0,0 +1,145 @@
+/*
+ *  Copyright (c) 2025 Universidad de Alicante
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       MO - Universidad de Alicante - initial implementation
+ *
+ */
+
+package org.eclipse.edc.identity.extension;
+
+import com.fasterxml.jackson.core.type.TypeReference;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.eclipse.edc.spi.monitor.Monitor;
+
+import java.io.File;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.security.KeyFactory;
+import java.security.PrivateKey;
+import java.security.Signature;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.Base64;
+import java.util.Map;
+
+/**
+ * Implementation of the {@link ParticipantIdentityLoader} interface that provides
+ * mechanisms for loading claims and private keys from files, as well as signing
+ * claims using a private key.
+ * This implementation primarily works with JSON-encoded claims files and PEM-encoded
+ * private keys in PKCS #8 format. It also provides logging for diagnostics and error handling.
+ */
+public class FileParticipantIdentityLoader implements  ParticipantIdentityLoader {
+    /**
+     * An instance of {@link ObjectMapper} used for serializing and deserializing JSON data.
+     * It is a core dependency for converting objects to JSON and vice versa during
+     * various operations like loading claims, signing claims, or processing file contents
+     * related to participant identity.
+     */
+    private final ObjectMapper mapper;
+    /**
+     * Provides a logging mechanism for the {@link FileParticipantIdentityLoader} class.
+     * This monitor is used to log warnings, errors, and other relevant information
+     * during operations such as file loading, private key parsing, and claims signing.
+     * It ensures proper observability and aids in debugging any issues that arise
+     * in the identity loader process.
+     */
+    private final Monitor monitor;
+
+
+    /**
+     * Constructs a new instance of FileParticipantIdentityLoader.
+     *
+     * @param monitor the monitor instance used for logging and diagnostics
+     * @param mapper  the object mapper used for JSON serialization and deserialization
+     */
+    public FileParticipantIdentityLoader(Monitor monitor, ObjectMapper mapper) {
+        this.monitor = monitor;
+        this.mapper = mapper;
+    }
+
+    /**
+     * Loads a set of claims from a file located at the specified path.
+     * The file is expected to contain a JSON representation of the claims.
+     * If an error occurs while reading or parsing the file, a warning is logged,
+     * and an empty map is returned.
+     *
+     * @param path the file system path to the claims file
+     * @return a map representing the loaded claims, or an empty map if an error occurs
+     */
+    @Override
+    public Map<String, Object> loadClaims(String path) {
+        var file = new File(path);
+        try {
+            monitor.debug("Trying to load claims from: " + file.getAbsolutePath());
+            return mapper.readValue(file, new TypeReference<Map<String, Object>>() {});
+        } catch (Exception e) {
+            monitor.warning("Error reading claims file: " + file.getAbsolutePath(), e);
+            return Map.of();
+        }
+    }
+
+    /**
+     * Loads a private key from a PEM-encoded file located at the specified path.
+     * The key is expected to be in PKCS #8 format and encoded for the Ed25519 algorithm.
+     * If an error occurs (e.g., the file is not found, the content is invalid, or an unsupported
+     * algorithm is specified), the method logs the error and returns {@code null}.
+     *
+     * @param path the file system path to the PEM-encoded private key
+     * @return the {@link PrivateKey} instance if the key is successfully loaded, or {@code null} if an error occurs
+     */
+    @Override
+    public PrivateKey loadPrivateKey(String path) {
+        Path filePath = Paths.get(path);
+        try {
+
+            String content = new String(Files.readAllBytes(filePath));
+            String pem = content
+                    .replaceAll("-+[A-Z ]+-+", "")
+                    .replaceAll("\\s", "");
+
+            byte[] keyBytes = Base64.getDecoder().decode(pem);
+            PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(keyBytes);
+
+            KeyFactory keyFactory = KeyFactory.getInstance("Ed25519");
+            return keyFactory.generatePrivate(spec);
+        } catch (Exception e) {
+            monitor.severe(String.format("Error loading private key from %s", filePath));
+            return null;
+        }
+    }
+
+    /**
+     * Signs the provided claims using the provided private key and returns the signed claims as a Base64-encoded string.
+     * If an error occurs during the signing process, a warning is logged, and the method returns {@code null}.
+     *
+     * @param claims     the claims to be signed, represented as a map of key-value pairs
+     * @param privateKey the private key used to sign the claims
+     * @param monitor    the monitor used for logging warnings or errors
+     * @return the signed claims as a Base64-encoded string, or {@code null} if an error occurs during signing
+     */
+    public String signClaims(Map<String, Object> claims, PrivateKey privateKey, Monitor monitor) {
+        try {
+            String claimsString = mapper.writeValueAsString(claims);
+
+            Signature signature = Signature.getInstance("Ed25519");
+            signature.initSign(privateKey);
+            signature.update(claimsString.getBytes(StandardCharsets.UTF_8));
+
+            byte[] signedBytes = signature.sign();
+            return Base64.getEncoder().encodeToString(signedBytes);
+        } catch (Exception e) {
+            monitor.warning("Claims could not be signed: " + e.getMessage(), e);
+            return null;
+        }
+    }
+
+}