feat(rust/signed-doc): Comment and Proposal Document Validation (#207)

* wip(rust/signed_doc): add comment document type

* wip(rust/signed_doc): add comment document validation

* chore(docs): fix spelling

* fix(rust/signed-doc): signed docs implement Clone

* add proposal document validation

* refactor

* wip

* add full template validation

* wip

* replace trait with Fn

* wip

* wip

* wip

* make signed doc signature validation async

* make a separate trait

* make all validation async

* fix

* refactor

* add more rules

* add section rule

* cleanup

* refactor

* added new Section struct

* wip

* add utils mod

* wip

* fix signature test

* refactor

* finilize validation logic

* fix spelling

* fix clippy lints

* fix

---------

Co-authored-by: Mr-Leshiy <[email protected]>

Author: saibatizoku

rust/signed_doc/Cargo.toml

@@ -11,24 +11,26 @@ license.workspace = true
 workspace = true
 
 [dependencies]
-rbac-registration = { version = "0.0.4", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250220-00" }
 catalyst-types = { version = "0.0.3", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250220-00" }
 anyhow = "1.0.95"
 serde = { version = "1.0.217", features = ["derive"] }
 serde_json = "1.0.134"
 coset = "0.3.8"
 minicbor = { version = "0.25.1", features = ["half"] }
 brotli = "7.0.0"
-ed25519-dalek = { version = "2.1.1", features = ["pem", "rand_core"] }
+ed25519-dalek = { version = "2.1.1" }
 hex = "0.4.3"
 strum = { version = "0.26.3", features = ["derive"] }
-clap = { version = "4.5.23", features = ["derive", "env"] }
-
+clap = { version = "4.5.23",  features = ["derive", "env"] }
+jsonschema = "0.28.3"
+jsonpath-rust = "0.7.5"
+futures = "0.3.31"
 
 [dev-dependencies]
 base64-url = "3.0.0"
 rand = "0.8.5"
-
+tokio = { version = "1.42.0", features = [ "macros" ] }
+ed25519-dalek = { version = "2.1.1", features = ["rand_core"] }
 
 [[bin]]
 name = "signed-docs"

rust/signed_doc/examples/mk_signed_doc.rs

@@ -8,9 +8,10 @@ use std::{
     path::PathBuf,
 };
 
-use catalyst_signed_doc::{Builder, CatalystSignedDocument, IdUri, Metadata, SimplePublicKeyType};
+use anyhow::Context;
+use catalyst_signed_doc::{Builder, CatalystSignedDocument, IdUri, Metadata};
 use clap::Parser;
-use ed25519_dalek::pkcs8::{DecodePrivateKey, DecodePublicKey};
+use ed25519_dalek::pkcs8::DecodePrivateKey;
 
 fn main() {
     if let Err(err) = Cli::parse().exec() {
@@ -51,16 +52,6 @@ enum Cli {
         /// Hex-formatted COSE SIGN Bytes
         cose_sign_hex: String,
     },
-    /// Validates a signature by Key ID and verifying key
-    Verify {
-        /// Path to the formed (could be empty, without any signatures) COSE document
-        /// This exact file would be modified and new signature would be added
-        path: PathBuf,
-        /// Path to the verifying key in PEM format
-        pk: PathBuf,
-        /// Signer kid
-        kid: IdUri,
-    },
 }
 
 impl Cli {
@@ -87,7 +78,7 @@ impl Cli {
                     .map_err(|e| anyhow::anyhow!("Failed to load SK FILE: {e}"))?;
                 let cose_bytes = read_bytes_from_file(&doc)?;
                 let signed_doc = signed_doc_from_bytes(cose_bytes.as_slice())?;
-                let builder = signed_doc.into_builder();
+                let builder = signed_doc.into_builder()?;
                 let new_signed_doc = builder.add_signature(sk.to_bytes(), kid)?.build()?;
                 save_signed_doc(new_signed_doc, &doc)?;
             },
@@ -99,22 +90,6 @@ impl Cli {
                 let cose_bytes = hex::decode(&cose_sign_hex)?;
                 inspect_signed_doc(&cose_bytes)?;
             },
-            Self::Verify { path, pk, kid } => {
-                let pk = load_public_key_from_file(&pk)
-                    .map_err(|e| anyhow::anyhow!("Failed to load PK FILE {pk:?}: {e}"))?;
-                let cose_bytes = read_bytes_from_file(&path)?;
-                let signed_doc = signed_doc_from_bytes(cose_bytes.as_slice())?;
-                signed_doc
-                    .verify(|k| {
-                        if k.to_string() == kid.to_string() {
-                            SimplePublicKeyType::Ed25519(pk)
-                        } else {
-                            SimplePublicKeyType::Undefined
-                        }
-                    })
-                    .map_err(|e| anyhow::anyhow!("Catalyst Document Verification failed: {e}"))?;
-                println!("Catalyst Signed Document is Verified.");
-            },
         }
         println!("Done");
         Ok(())
@@ -142,15 +117,13 @@ fn inspect_signed_doc(cose_bytes: &[u8]) -> anyhow::Result<()> {
 
 fn save_signed_doc(signed_doc: CatalystSignedDocument, path: &PathBuf) -> anyhow::Result<()> {
     let mut bytes: Vec<u8> = Vec::new();
-    minicbor::encode(signed_doc, &mut bytes)
-        .map_err(|e| anyhow::anyhow!("Failed to encode document: {e}"))?;
+    minicbor::encode(signed_doc, &mut bytes).context("Failed to encode document")?;
 
     write_bytes_to_file(&bytes, path)
 }
 
 fn signed_doc_from_bytes(cose_bytes: &[u8]) -> anyhow::Result<CatalystSignedDocument> {
-    CatalystSignedDocument::try_from(cose_bytes)
-        .map_err(|e| anyhow::anyhow!("Invalid Catalyst Document: {e}"))
+    minicbor::decode(cose_bytes).context("Invalid Catalyst Document")
 }
 
 fn load_json_from_file<T>(path: &PathBuf) -> anyhow::Result<T>
@@ -163,17 +136,11 @@ where T: for<'de> serde::Deserialize<'de> {
 fn write_bytes_to_file(bytes: &[u8], output: &PathBuf) -> anyhow::Result<()> {
     File::create(output)?
         .write_all(bytes)
-        .map_err(|e| anyhow::anyhow!("Failed to write to file {output:?}: {e}"))
+        .context(format!("Failed to write to file {output:?}"))
 }
 
 fn load_secret_key_from_file(sk_path: &PathBuf) -> anyhow::Result<ed25519_dalek::SigningKey> {
     let sk_str = read_to_string(sk_path)?;
     let sk = ed25519_dalek::SigningKey::from_pkcs8_pem(&sk_str)?;
     Ok(sk)
 }
-
-fn load_public_key_from_file(pk_path: &PathBuf) -> anyhow::Result<ed25519_dalek::VerifyingKey> {
-    let pk_str = read_to_string(pk_path)?;
-    let pk = ed25519_dalek::VerifyingKey::from_public_key_pem(&pk_str)?;
-    Ok(pk)
-}

rust/signed_doc/src/builder.rs

@@ -1,8 +1,11 @@
 //! Catalyst Signed Document Builder.
-use catalyst_types::id_uri::IdUri;
+use catalyst_types::{id_uri::IdUri, problem_report::ProblemReport};
 use ed25519_dalek::{ed25519::signature::Signer, SecretKey};
 
-use crate::{CatalystSignedDocument, Content, InnerCatalystSignedDocument, Metadata, Signatures};
+use crate::{
+    CatalystSignedDocument, Content, InnerCatalystSignedDocument, Metadata, Signatures,
+    PROBLEM_REPORT_CTX,
+};
 
 /// Catalyst Signed Document Builder.
 #[derive(Debug, Default, Clone)]
@@ -29,6 +32,15 @@ impl Builder {
         self
     }
 
+    /// Set document metadata in JSON format
+    ///
+    /// # Errors
+    /// - Fails if it is invalid metadata JSON object.
+    pub fn with_json_metadata(mut self, json: serde_json::Value) -> anyhow::Result<Self> {
+        self.metadata = Some(serde_json::from_value(json)?);
+        Ok(self)
+    }
+
     /// Set decoded (original) document content bytes
     #[must_use]
     pub fn with_decoded_content(mut self, content: Vec<u8>) -> Self {
@@ -68,7 +80,7 @@ impl Builder {
         let sk = ed25519_dalek::SigningKey::from_bytes(&sk);
         let protected_header = coset::HeaderBuilder::new()
             .key_id(kid.to_string().into_bytes())
-            .algorithm(metadata.algorithm().into());
+            .algorithm(metadata.algorithm()?.into());
         let mut signature = coset::CoseSignatureBuilder::new()
             .protected(protected_header.build())
             .build();
@@ -94,17 +106,14 @@ impl Builder {
             anyhow::bail!("Failed to build Catalyst Signed Document, missing document's content");
         };
         let signatures = self.signatures;
+        let content = Content::from_decoded(content, metadata.content_type()?)?;
 
-        let content = Content::from_decoded(
-            content,
-            metadata.content_type(),
-            metadata.content_encoding(),
-        )?;
-
+        let empty_report = ProblemReport::new(PROBLEM_REPORT_CTX);
         Ok(InnerCatalystSignedDocument {
             metadata,
             content,
             signatures,
+            report: empty_report,
         }
         .into())
     }

rust/signed_doc/src/content.rs

@@ -1,93 +1,92 @@
 //! Catalyst Signed Document Content Payload
 
+use catalyst_types::problem_report::ProblemReport;
+
 use crate::metadata::{ContentEncoding, ContentType};
 
 /// Decompressed Document Content type bytes.
-#[derive(Debug, Clone, PartialEq)]
+#[derive(Debug, Clone, PartialEq, Default)]
 pub struct Content {
-    /// Content data bytes
-    data: Vec<u8>,
-    /// Content type
-    content_type: ContentType,
-    /// Content encoding
-    content_encoding: Option<ContentEncoding>,
+    /// Original Decompressed Document's data bytes
+    data: Option<Vec<u8>>,
 }
 
 impl Content {
     /// Creates a new `Content` value, from the encoded data.
     /// verifies a Document's content, that it is correctly encoded and it corresponds and
     /// parsed to the specified type
-    ///
-    /// # Errors
-    /// Returns an error if content is not correctly encoded
     pub(crate) fn from_encoded(
-        mut data: Vec<u8>, content_type: ContentType, content_encoding: Option<ContentEncoding>,
-    ) -> anyhow::Result<Self> {
-        if let Some(encoding) = content_encoding {
-            data = encoding
-                .decode(&data)
-                .map_err(|e| anyhow::anyhow!("Failed to decode {encoding} content: {e}"))?;
+        mut data: Vec<u8>, content_type: Option<ContentType>,
+        content_encoding: Option<ContentEncoding>, report: &ProblemReport,
+    ) -> Self {
+        if let Some(content_encoding) = content_encoding {
+            if let Ok(decoded_data) = content_encoding.decode(&data) {
+                data = decoded_data;
+            } else {
+                report.invalid_value(
+                    "payload",
+                    &hex::encode(&data),
+                    &format!("Invalid Document content, should {content_encoding} encodable"),
+                    "Invalid Document content type.",
+                );
+                return Self::default();
+            }
+        }
+        if let Some(content_type) = content_type {
+            if content_type.validate(&data).is_err() {
+                report.invalid_value(
+                    "payload",
+                    &hex::encode(&data),
+                    &format!("Invalid Document content type, should {content_type} encodable"),
+                    "Invalid Document content type.",
+                );
+                return Self::default();
+            }
         }
-        content_type.validate(&data)?;
 
-        Ok(Self {
-            data,
-            content_type,
-            content_encoding,
-        })
+        Self { data: Some(data) }
     }
 
     /// Creates a new `Content` value, from the decoded (original) data.
     /// verifies that it corresponds and parsed to the specified type.
     ///
     /// # Errors
     /// Returns an error if content is not correctly encoded
-    pub(crate) fn from_decoded(
-        data: Vec<u8>, content_type: ContentType, content_encoding: Option<ContentEncoding>,
-    ) -> anyhow::Result<Self> {
+    pub(crate) fn from_decoded(data: Vec<u8>, content_type: ContentType) -> anyhow::Result<Self> {
         content_type.validate(&data)?;
-        Ok(Self {
-            data,
-            content_type,
-            content_encoding,
-        })
-    }
-
-    /// Return `true` if Document's content type is Json
-    #[must_use]
-    pub fn is_json(&self) -> bool {
-        matches!(self.content_type, ContentType::Json)
+        Ok(Self { data: Some(data) })
     }
 
-    /// Return `true` if Document's content type is Json
-    #[must_use]
-    pub fn is_cbor(&self) -> bool {
-        matches!(self.content_type, ContentType::Cbor)
-    }
-
-    /// Return an decoded (original) content bytes,
-    /// by the corresponding `content_encoding` provided field.
-    #[must_use]
-    pub fn decoded_bytes(&self) -> &[u8] {
-        &self.data
+    /// Return an decoded (original) content bytes.
+    ///
+    /// # Errors
+    ///  - Missing Document content
+    pub fn decoded_bytes(&self) -> anyhow::Result<&[u8]> {
+        self.data
+            .as_deref()
+            .ok_or(anyhow::anyhow!("Missing Document content"))
     }
 
     /// Return an encoded content bytes,
-    /// by the corresponding `content_encoding` provided field
-    pub(crate) fn encoded_bytes(&self) -> anyhow::Result<Vec<u8>> {
-        if let Some(encoding) = self.content_encoding {
-            let data = encoding
-                .encode(&self.data)
-                .map_err(|e| anyhow::anyhow!("Failed to encode {encoding} content: {e}"))?;
-            Ok(data)
-        } else {
-            Ok(self.data.clone())
-        }
+    /// by the provided `content_encoding` provided field.
+    ///
+    /// # Errors
+    ///  - Missing Document content
+    ///  - Failed to encode content.
+    pub(crate) fn encoded_bytes(
+        &self, content_encoding: ContentEncoding,
+    ) -> anyhow::Result<Vec<u8>> {
+        let content = self.decoded_bytes()?;
+        let data = content_encoding
+            .encode(content)
+            .map_err(|e| anyhow::anyhow!("Failed to encode {content_encoding} content: {e}"))?;
+        Ok(data)
     }
 
-    /// Return content byte size
+    /// Return content byte size.
+    /// If content is empty returns `0`.
     #[must_use]
     pub fn size(&self) -> usize {
-        self.data.len()
+        self.data.as_ref().map(Vec::len).unwrap_or_default()
     }
 }