;;;; Copyright (C) 2020 Julien Lepiller <julien@lepiller.eu>
;;;;
;;;; This library is free software; you can redistribute it and/or
;;;; modify it under the terms of the GNU Lesser General Public
;;;; License as published by the Free Software Foundation; either
;;;; version 3 of the License, or (at your option) any later version.
;;;;
;;;; This library is distributed in the hope that it will be useful,
;;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
;;;; Lesser General Public License for more details.
;;;;
;;;; You should have received a copy of the GNU Lesser General Public
;;;; License along with this library; if not, write to the Free Software
;;;; Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
;;;;

;; Declares the W3C security vocabulary terms (https://w3id.org/security#)
;; on top of the ActivityStreams ontology machinery, for use by the HTTP
;; signature code.  The only export is security-ontology, the flat list of
;; every class and property defined in this file.
;;
;; (ice-9 match), (jsonld json) and (web uri) are not referenced anywhere in
;; this file; they are left as found rather than removed here.
(define-module (http-signature ontology)
  #:use-module (activitystreams activitystreams)
  #:use-module (ice-9 match)
  #:use-module (jsonld json)
  #:use-module (web uri)
  #:export (security-ontology))

;; Namespace IRI of the security vocabulary.  Every term IRI in this file is
;; built by appending the term label to this string (see make-sec-type and
;; make-sec-property), so e.g. "Key" becomes https://w3id.org/security#Key.
(define sec:vocab "https://w3id.org/security#")

;; Declare a class of the security vocabulary.
;;
;; LABEL is the term name.  Its IRI defaults to sec:vocab followed by LABEL
;; and can be overridden with #:uri.  COMMENT is the human-readable
;; description stored on the type; SUBCLASS-OF is the list of parent types.
;; The returned value is whatever make-as-type (from (activitystreams
;; activitystreams)) builds -- this wrapper only supplies the defaults.
(define* (make-sec-type label
                        #:key
                        (uri (string-append sec:vocab label))
                        (comment "")
                        (subclass-of '()))
  (make-as-type label
                #:subclass-of subclass-of
                #:comment comment
                #:uri uri))

;; Declare a property of the security vocabulary.
;;
;; LABEL is the term name (IRI defaults to sec:vocab + LABEL, override with
;; #:uri).  DOMAIN is the label of the type the property belongs to; the
;; definitions below pass "" where the vocabulary leaves the domain open.
;; RANGE is handed through untouched: this file uses a predicate, a list of
;; predicates, or a type label string.  FUNCTIONAL? marks single-valued
;; properties and SUBPROPERTY-OF lists parent properties.  How DOMAIN and
;; RANGE are interpreted is entirely up to make-as-property.
(define* (make-sec-property label domain range
                            #:key
                            (uri (string-append sec:vocab label))
                            (functional? #f)
                            (subproperty-of '())
                            (comment ""))
  (make-as-property label domain range
                    #:comment comment
                    #:subproperty-of subproperty-of
                    #:functional? functional?
                    #:uri uri))

;; Predicates borrowed from (activitystreams ontology).  They are not
;; exported there, so @@ reaches into that module's private bindings: a
;; rename upstream breaks this file even though nothing here changed.
(define date? (@@ (activitystreams ontology) date?))
;; iri? is the range check for the properties that must hold a reference
;; (sec:creator, sec:owner, sec:publicKey) rather than free text.
(define iri? (@@ (activitystreams ontology) iri?))

;; Classes

;; sec:Digest -- a hash of some data, described by sec:digestAlgorithm and
;; carrying its value in sec:digestValue.  As the comment says, the
;; algorithm decides the cryptographic properties: the vocabulary pins none,
;; so consumers must decide which algorithms they accept rather than trust
;; whatever a document names.
(define sec:Digest
  (make-sec-type
    "Digest"
    #:comment
    "This class represents a message digest that may be used for data integrity
verification.  The digest algorithm used will determine the cryptographic
properties of the digest."))

;; sec:EncryptedMessage -- ciphertext plus the parameters needed to decrypt
;; it (sec:cipherAlgorithm, sec:cipherData, sec:initializationVector, ...).
;; The vocabulary wording ("obfuscated", "incredibly difficult to decrypt")
;; is informal; the real strength depends entirely on the cipher named in
;; sec:cipherAlgorithm and on how the key was handled.
(define sec:EncryptedMessage
  (make-sec-type
    "EncryptedMessage"
    #:comment
    "A class of messages that are obfuscated in some cryptographic manner.
These messages are incredibly difficult to decrypt without the proper
decryption key."))

;; sec:Signature -- abstract base class; the concrete suites below
;; (GraphSignature2012, LinkedDataSignature2015/2016) subclass it.  Code that
;; verifies signatures should dispatch on the concrete subclass, which fixes
;; the canonicalization/digest/signature steps, not merely on "is a
;; Signature".
(define sec:Signature
  (make-sec-type
    "Signature"
    #:comment
    "This class represents a digital signature on serialized data.  It is an
abstract class and should not be used other than for Semantic Web reasoning
purposes, such as by a reasoning agent."))

;; sec:GraphSignature2012 -- the oldest concrete suite: canonicalize the RDF
;; graph, SHA-256 digest, RSA signature (per the vocabulary text).  Only the
;; term is declared here; this module does not implement the suite, and the
;; text fixes neither RSA key size nor padding -- a verifier must take those
;; from the suite's specification, never from the signed document.
(define sec:GraphSignature2012
  (make-sec-type "GraphSignature2012"
                 #:comment "A graph signature is used for digital signatures on RDF graphs.  The
default canonicalization mechanism is specified in the RDF Graph normalization
specification, which effectively deterministically names all unnamed nodes.
The default signature mechanism uses a SHA-256 digest and RSA to perform the
digital signature."
                 #:subclass-of (list sec:Signature)))

;; sec:LinkedDataSignature2015 -- signature over an RDF *dataset* (not a
;; single graph), SHA-256 + RSA by default.  The vocabulary notes that the
;; bytes this suite signs are built differently from the other suites, so a
;; verifier must not reuse 2012/2016 signing-input code for it.  The text
;; below is vocabulary text and is kept verbatim, typo included.
(define sec:LinkedDataSignature2015
  (make-sec-type "LinkedDataSignature2015"
                 #:comment "A Linked Data signature is used for digital signatures on RDF Datasets.
The default canonicalization mechanism is specified in the RDF Dataset
Normalization specification, which effectively deterministically names all
unnamed nodes.  The default signature mechanism uses a SHA-256 digest and RSA
to perform the digital signature.  This signature uses a algorithm for
producing the data that it signs and verifies that is different from other
Linked Data signatures."
                 #:subclass-of (list sec:Signature)))

;; sec:LinkedDataSignature2016 -- dataset signature suite, SHA-256 + RSA by
;; default.  Same caveat as the other suites: the vocabulary describes the
;; defaults only; key size, padding and the exact signing input come from
;; the suite specification, not from anything in the document being checked.
(define sec:LinkedDataSignature2016
  (make-sec-type "LinkedDataSignature2016"
                 #:comment "A Linked Data signature is used for digital signatures on RDF Datasets.
The default canonicalization mechanism is specified in the RDF Dataset
Normalization specification, which effectively deterministically names all
unnamed nodes. The default signature mechanism uses a SHA-256 digest and RSA
to perform the digital signature."
                 #:subclass-of (list sec:Signature)))

;; sec:Key -- a key pair or symmetric key.  Note that a Key node may carry
;; sec:privateKeyPem as well as sec:publicKeyPem: anything that serializes a
;; Key for another party must emit only the public half (plus sec:owner);
;; see the notes on sec:privateKeyPem below.
(define sec:Key
  (make-sec-type
    "Key"
    #:comment
    "This class represents a cryptographic key that may be used for encryption,
decryption, or digitally signing data."))

;; Every class declared above, in declaration order; exported through
;; security-ontology.
(define sec-types
  (list sec:Digest
        sec:EncryptedMessage
        sec:Signature
        sec:GraphSignature2012
        sec:LinkedDataSignature2015
        sec:LinkedDataSignature2016
        sec:Key))

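;; sec:authenticationTag -- the tag emitted by an authenticated-encryption
;; cipher mode.  The vocabulary supplies no prose for this term (the previous
;; comment was literally "Not specified"); the description below is this
;; file's own wording, not vocabulary text.  Domain and range are unchanged.
(define sec:authenticationTag
  (make-sec-property
    "authenticationTag" "EncryptedMessage" string?
    #:comment
    "The authentication tag is the integrity check value produced by an
authenticated-encryption cipher mode.  A receiver verifies it against the
cipher data before trusting or using the decrypted message.  The security
vocabulary does not specify an encoding for this value."))
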
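;; sec:creator -- IRI of whatever produced the signature; in Linked Data
;; signatures this is typically the signing key's IRI, which the verifier
;; dereferences to obtain the public key.  The vocabulary supplies no prose
;; (the previous comment was "Not specified"); the text below is this file's.
;; Security: the value comes from the signed document, i.e. from the peer.
;; Fetch it only over https and check that the fetched key's sec:owner names
;; the actor the signature is supposed to come from before accepting it.
(define sec:creator
  (make-sec-property
    "creator" "Signature" iri?
    #:comment
    "The creator of a signature is the IRI of the entity, typically the public
key, that produced it.  Verifiers dereference this IRI to obtain the key and
should confirm that the key's owner matches the expected signer."))
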
;; sec:cipherAlgorithm -- name of the cipher suite/mode, as a free string.
;; The value arrives inside the document, i.e. it is chosen by the sender.
;; Decrypting code should match it against a fixed allowlist of acceptable
;; suites rather than pass it straight to the crypto library, so a sender
;; cannot steer the receiver into a weak or unauthenticated mode.
(define sec:cipherAlgorithm
  (make-sec-property
    "cipherAlgorithm" "EncryptedMessage" string?
    #:comment
    "The cipher algorithm describes the mechanism used to encrypt a message.
It is typically a string expressing the cipher suite, the strength of the
cipher, and a block cipher mode."))

;; sec:cipherData -- the ciphertext itself, as an opaque string.  The
;; vocabulary text states no encoding for it (compare sec:initializationVector,
;; where base-64 is called typical); consumers must agree on one out of band.
(define sec:cipherData
  (make-sec-property
    "cipherData" "EncryptedMessage" string?
    #:comment
    "Cipher data an opaque blob of information that is used to specify an
encrypted message."))

;; sec:digestAlgorithm -- which hash to use for step 2 of
;; canonicalize -> digest -> sign.  Like the other *Algorithm properties the
;; string is sender-controlled: a verifier should use the digest fixed by the
;; signature suite (or an explicit allowlist) and reject anything else,
;; instead of letting the document pick a weak hash.
(define sec:digestAlgorithm
  (make-sec-property
    "digestAlgorithm" "Digest" string?
    #:comment
    "The digest algorithm is used to specify the cryptographic function to use
when generating the data to be digitally signed.  Typically, data that is to be
signed goes through three steps: 1) canonicalization, 2) digest, and
3) signature.  This property is used to specify the algorithm that should be
used for step #2.  A signature class typically specifies a default digest
method, so this property is typically used to specify information for a
signature algorithm."))

;; sec:digestValue -- the hash output, hex-encoded per the vocabulary.  The
;; range here is only string?, so hex validity is not enforced by the
;; ontology; decoders should reject odd-length or non-hex input rather than
;; silently truncating.  Whether upper- or lower-case digits are expected is
;; not stated.
(define sec:digestValue
  (make-sec-property
    "digestValue" "Digest" string?
    #:comment
    "The digest value is used to express the output of the digest algorithm
expressed in Base-16 (hexadecimal) format."))

;; sec:cipherKey -- symmetric key material.  The vocabulary allows it to be
;; carried in clear text, so a document containing this property is itself
;; secret: never log it and never include it in anything served to a remote
;; party unless the key is the encrypted form.
(define sec:cipherKey
  (make-sec-property
    "cipherKey" "EncryptedMessage" string?
    #:comment
    "A cipher key is a symmetric key that is used to encrypt or decrypt a
piece of information.  The key itself may be expressed in clear text or
encrypted."))

;; sec:expires -- when the key stops being valid.  Per the vocabulary text a
;; signature made with an expired key MUST be rejected, so a verifier has to
;; compare this value against the current time.
;; NOTE(review): the range is string? although sec:revoked, the same kind of
;; timestamp, uses date?; a bare string cannot be compared to "now" without
;; parsing.  Confirm whether this should be date? as well.  Domain is "" as
;; the vocabulary only says it is "typically" on a Key.
(define sec:expires
  (make-sec-property
    "expires" "" string?
    #:comment
    "The expiration time is typically associated with a Key and specifies when
the validity of the key will expire.  It is considered a best practice to only
create keys that have very definite expiration periods.  This period is
typically set to between six months and two years.  An digital signature
created using an expired key MUST be marked as invalid by any software
attempting to verify the signature."))

;; sec:initializationVector -- IV for the block cipher mode, typically
;; base-64.  An IV is not secret, but it must not be reused with the same key
;; for modes that require unique IVs; that is the sender's responsibility and
;; nothing in this ontology can check it.
(define sec:initializationVector
  (make-sec-property
    "initializationVector" "EncryptedMessage" string?
    #:comment
    "The initialization vector (IV) is a byte stream that is typically used to
initialize certain block cipher encryption schemes.  For a receiving
application to be able to decrypt a message, it must know the decryption key
and the initialization vector.  The value is typically base-64 encoded."))

;; sec:nonce -- replay protection.  Declaring the term does nothing by
;; itself: the protection only exists if the receiver keeps the set of nonces
;; it has seen (as the comment says) for at least as long as a signature
;; would otherwise be accepted.  Pairing the nonce with a timestamp/expiry
;; bounds that window; without one the seen-nonce store grows without limit.
;; Range is string?, so no format or minimum length is imposed here.
(define sec:nonce
  (make-sec-property
    "nonce" "" string?
    #:comment
    "This property is used in conjunction with the input to the signature
hashing function in order to protect against replay attacks.  Typically,
receivers need to track all nonce values used within a certain time period
in order to ensure that an attacker cannot merely re-send a compromised
packet in order to execute a privileged request."))

;; sec:canonicalizationAlgorithm -- step 1 of canonicalize -> digest -> sign.
;; The range accepts either an IRI or a plain string, so code matching the
;; algorithm name must handle both forms.  As with the other algorithm
;; properties, use the one the signature suite fixes (or an allowlist) and
;; reject unknown values; the name is supplied by the peer.
(define sec:canonicalizationAlgorithm
  (make-sec-property
    "canonicalizationAlgorithm" "" (list iri? string?)
    #:comment
    "The canonicalization algorithm is used to transform the input data into a
form that can be passed to a cryptographic digest method.  The digest is then
digitally signed using a digital signature algorithm.  Canonicalization ensures
that a piece of software that is generating a digital signature is able to do
so on the same set of information in a deterministic manner."))

;; sec:owner -- the IRI of who controls a Key.  For signature verification
;; this is the link back from a fetched key to its actor, and the two-way
;; check the comment describes is the one that matters: the key fetched from
;; the signature's key reference must name the expected actor as owner, and
;; that actor must in turn list the key.  Checking only one direction lets
;; anyone publish a key that claims an arbitrary owner.
(define sec:owner
  (make-sec-property
    "owner" "Key" iri?
    #:comment
    "An owner is an entity that claims control over a particular resource.
Note that ownership is best validated as a two-way relationship where the
owner claims ownership over a particular resource, and the resource clearly
identifies its owner."))

;; sec:password -- a secret used to derive a key.  Same handling as
;; sec:cipherKey and sec:privateKeyPem: a document carrying this property is
;; sensitive and must not be published, logged or served to other parties.
;; No domain is given by the vocabulary, hence "".
(define sec:password
  (make-sec-property
    "password" "" string?
    #:comment
    "A secret that is used to generate a key that can be used to encrypt or
decrypt message.  It is typically a string value."))

;; sec:privateKeyPem -- the PEM-encoded private half of a Key.  This is the
;; signing secret.  A Key serialized for anyone else (for instance a key
;; document fetched by remote servers) must carry sec:publicKeyPem and
;; sec:owner only; emitting this property there hands the signing key to
;; every peer.  Treat any document containing it as confidential.
(define sec:privateKeyPem
  (make-sec-property
    "privateKeyPem" "Key" string?
    #:comment
    "A private key PEM property is used to specify the PEM-encoded version of
the private key.  This encoding is compatible with almost every Secure Sockets
Layer library implementation and typically plugs directly into functions
intializing private keys."))

;; sec:publicKey -- IRI of a Key document (range iri?, so not an inline PEM).
;; The domain here is "EncryptedMessage".  In fediverse actor documents the
;; same property hangs off the actor to point at its signing key, which is
;; the case HTTP signature verification cares about.
;; NOTE(review): if make-as-property enforces the domain, actor documents
;; would fail that check; confirm how the domain is applied before relying on
;; it.
(define sec:publicKey
  (make-sec-property
    "publicKey" "EncryptedMessage" iri?
    #:comment
    "A public key property is used to specify a URL that contains information
about a public key."))

;; sec:publicKeyPem -- the PEM-encoded public key.  When verifying a remote
;; signature this string is whatever the remote server returned, so it is
;; untrusted input to the PEM/ASN.1 parser: bound its size and require a
;; single public-key block before handing it to the crypto library.  The
;; ontology only checks string?.
(define sec:publicKeyPem
  (make-sec-property
    "publicKeyPem" "Key" string?
    #:comment
    "A public key PEM property is used to specify the PEM-encoded version of
the public key.  This encoding is compatible with almost every Secure Sockets
Layer library implementation and typically plugs directly into functions
intializing public keys."))

;; sec:publicKeyService -- URL of a key-management endpoint.  Declared with
;; range string? even though the comment calls it a URL (sec:publicKey uses
;; iri? for the same kind of value); no domain is given by the vocabulary.
;; Anything that follows this URL should apply the same scheme/host checks
;; as for sec:creator and sec:publicKey, since it too comes from the peer.
(define sec:publicKeyService
  (make-sec-property
    "publicKeyService" "" string?
    #:comment
    "The publicKeyService property is used to express the REST URL that provides
public key management services as defined by the Web Key specification."))

;; sec:revoked -- timestamp (range date?) from which a Key is invalid.  A
;; Key carrying this property must not be used to verify new signatures.
;; Whether signatures made before the revocation date stay valid is not
;; stated by the vocabulary; a cautious verifier treats a revoked key as
;; unusable outright.  Domain is "" because the text only says "typically"
;; a Key.
(define sec:revoked
  (make-sec-property
    "revoked" "" date?
    #:comment
    "The revocation time is typically associated with a Key that has been
marked as invalid as of the date and time associated with the property.  Key
revocations are often used when a key is compromised, such as the theft of the
private key, or during the course of best-practice key rotation schedules."))

;; sec:signature -- attaches a Signature node to the signed graph.
;; XXX: the vocabulary defines no domain for this property.  "Object" (the
;; ActivityStreams base type) is used here, while the other undefined
;; domains in this file are written as "" (see sec:expires); which of the
;; two make-as-property treats as "any subject" has not been confirmed.  The
;; range is also given as the type label "Signature" rather than a predicate.
;; Security: as the comment says, the signature property is removed before
;; canonicalization and digesting; a verifier must strip it in exactly the
;; same way, otherwise the digest never matches and every signature fails.
(define sec:signature
  (make-sec-property
    ;; XXX: not correct, there is no defined domain
    "signature" "Object" "Signature"
    #:comment
    "The signature property is used to associate a signature with a graph of
information.  The signature property is typically not included in the
canonicalized graph that is then digested, and digitally signed."))

;; sec:signatureValue -- the signature bytes, base-64 per the vocabulary.
;; The ontology only checks string?; the verifier's base-64 decoder should
;; be strict (reject bad characters and bad padding) and the decoded length
;; should be checked against what the key/algorithm produces before the
;; signature is handed to the crypto library.
(define sec:signatureValue
  (make-sec-property
    "signatureValue" "Signature" string?
    #:comment
    "The signature value is used to express the output of the signature
algorithm expressed in base-64 format."))

;; sec:signatureAlgorithm -- step 3 of canonicalize -> digest -> sign.  The
;; vocabulary itself says this is rarely needed because the Signature
;; subclass fixes a default.  Security: a verifier must NOT dispatch on this
;; document-supplied string; it should use the algorithm fixed by the
;; signature type (or an explicit allowlist) and reject a mismatch.  Letting
;; the document choose the algorithm is the classic algorithm-confusion bug.
(define sec:signatureAlgorithm
  (make-sec-property
    "signatureAlgorithm" "Signature" string?
    #:comment
    "The signature algorithm is used to specify the cryptographic signature
function to use when digitally signing the digest data.  Typically, text to be
signed goes through three steps: 1) canonicalization, 2) digest, and
3) signature.  This property is used to specify the algorithm that should be
used for step #3.  A signature class typically specifies a default signature
algorithm, so this property rarely needs to be used in practice when
specifying digital signatures."))

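;; Every property declared above, exported through security-ontology.
;; sec:authenticationTag and sec:creator are defined in this file but were
;; missing from this list, so they never reached the exported ontology; they
;; are now included so that every declared property is reachable.  Consumers
;; that iterate security-ontology will see two more entries than before.
(define sec-properties
  (list sec:authenticationTag sec:creator
        sec:cipherAlgorithm sec:cipherData sec:digestAlgorithm sec:digestValue
        sec:cipherKey sec:expires sec:initializationVector sec:nonce
        sec:canonicalizationAlgorithm sec:owner sec:password
        sec:privateKeyPem sec:publicKey sec:publicKeyPem sec:publicKeyService
        sec:revoked sec:signature sec:signatureValue sec:signatureAlgorithm))
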
;; The exported vocabulary: all classes followed by all properties.  This is
;; the module's only export.
(define security-ontology (append sec-types sec-properties))