guile-fediverse

guile-fediverse/http-signature/ontology.scm

ontology.scm

;;;; Copyright (C) 2020 Julien Lepiller <julien@lepiller.eu>
;;;; 
;;;; This library is free software; you can redistribute it and/or
;;;; modify it under the terms of the GNU Lesser General Public
;;;; License as published by the Free Software Foundation; either
;;;; version 3 of the License, or (at your option) any later version.
;;;; 
;;;; This library is distributed in the hope that it will be useful,
;;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
;;;; Lesser General Public License for more details.
;;;; 
;;;; You should have received a copy of the GNU Lesser General Public
;;;; License along with this library; if not, write to the Free Software
;;;; Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
;;;; 

(define-module (http-signatures ontology)
  #:use-module (activitystreams activitystreams)
  #:use-module (ice-9 match)
  #:use-module (jsonld json)
  #:use-module (web uri)
  #:export (security-ontology))

(define sec:vocab "https://w3id.org/security#")

(define* (make-sec-type label #:key (uri (string-append sec:vocab label))
                        (comment "") (subclass-of '()))
  (make-as-type label #:uri uri #:comment comment #:subclass-of subclass-of))

(define* (make-as-property label domain range
                           #:key (uri (string-append as:vocab label))
                           (functional? #f) (subproperty-of '()) (comment ""))
  (make-as-property label domain range #:uri uri #:functional? functional?
                    #:subproperty-of subproperty-of #:comment comment))

;; Classes

(define sec:Digest
  (make-sec-type
    "Digest"
    #:comment
    "This class represents a message digest that may be used for data integrity
verification.  The digest algorithm used will determine the cryptographic
properties of the digest."))

(define sec:EncryptedMessage
  (make-sec-type
    "EncryptedMessage"
    #:comment
    "A class of messages that are obfuscated in some cryptographic manner.
These messages are incredibly difficult to decrypt without the proper
decryption key."))

(define sec:Signature
  (make-sec-type
    "Signature"
    #:comment
    "This class represents a digital signature on serialized data.  It is an
abstract class and should not be used other than for Semantic Web reasoning
purposes, such as by a reasoning agent."))

(define sec:GraphSignature2012
  (make-sec-type
    "GraphSignature2012"
    #:subclass-of (list sec:Signature)
    #:comment
    "A graph signature is used for digital signatures on RDF graphs.  The
default canonicalization mechanism is specified in the RDF Graph normalization
specification, which effectively deterministically names all unnamed nodes.
The default signature mechanism uses a SHA-256 digest and RSA to perform the
digital signature."))

(define sec:LinkedDataSignature2015
  (make-sec-type
    "LinkedDataSignature2015"
    #:subclass-of (list sec:Signature)
    #:comment
    "A Linked Data signature is used for digital signatures on RDF Datasets.
The default canonicalization mechanism is specified in the RDF Dataset
Normalization specification, which effectively deterministically names all
unnamed nodes.  The default signature mechanism uses a SHA-256 digest and RSA
to perform the digital signature.  This signature uses a algorithm for
producing the data that it signs and verifies that is different from other
Linked Data signatures."))

(define sec:LinkedDataSignature2016
  (make-sec-type
    "LinkedDataSignature2016"
    #:subclass-of (list sec:Signature)
    #:comment
    "A Linked Data signature is used for digital signatures on RDF Datasets.
The default canonicalization mechanism is specified in the RDF Dataset
Normalization specification, which effectively deterministically names all
unnamed nodes. The default signature mechanism uses a SHA-256 digest and RSA
to perform the digital signature."))

(define sec:Key
  (make-sec-type
    "Key"
    #:comment
    "This class represents a cryptographic key that may be used for encryption,
decryption, or digitally signing data."))

(define sec-types (list sec:Digest sec:EncryptedMessage sec:Signature
                        sec:GraphSignature2012 sec:LinkedDataSignature2015
                        sec:LinkedDataSignature2016 sec:Key))

(define sec:authenticationTag
  (make-sec-property
    "authenticationTag" "EncryptedMessage" string?
    #:coment
    "Not specified"))

(define sec:creator
  (make-sec-property
    "creator" "Signature" iri?
    #:coment
    "Not specified"))

(define sec:cipherAlgorithm
  (make-sec-property
    "cipherAlgorithm" "EncryptedMessage" string?
    #:comment
    "The cipher algorithm describes the mechanism used to encrypt a message.
It is typically a string expressing the cipher suite, the strength of the
cipher, and a block cipher mode."))

(define sec:cipherData
  (make-sec-property
    "cipherData" "EncryptedMessage" string?
    #:comment
    "Cipher data an opaque blob of information that is used to specify an
encrypted message."))

(define sec:digestAlgorithm
  (make-sec-property
    "digestAlgorithm" "Digest" string?
    #:comment
    "The digest algorithm is used to specify the cryptographic function to use
when generating the data to be digitally signed.  Typically, data that is to be
signed goes through three steps: 1) canonicalization, 2) digest, and
3) signature.  This property is used to specify the algorithm that should be
used for step #2.  A signature class typically specifies a default digest
method, so this property is typically used to specify information for a
signature algorithm."))

(define sec:digestValue
  (make-sec-property
    "digestValue" "Digest" string?
    #:comment
    "The digest value is used to express the output of the digest algorithm
expressed in Base-16 (hexadecimal) format."))

(define sec:cipherKey
  (make-sec-property
    "cipherKey" "EncryptedMessage" string?
    #:comment
    "A cipher key is a symmetric key that is used to encrypt or decrypt a
piece of information.  The key itself may be expressed in clear text or
encrypted."))

(define sec:expires
  (make-sec-property
    "expires" "" string?
    #:comment
    "The expiration time is typically associated with a Key and specifies when
the validity of the key will expire.  It is considered a best practice to only
create keys that have very definite expiration periods.  This period is
typically set to between six months and two years.  An digital signature
created using an expired key MUST be marked as invalid by any software
attempting to verify the signature."))

(define sec:initializationVector
  (make-sec-property
    "initializationVector" "EncryptedMessage" string?
    #:comment
    "The initialization vector (IV) is a byte stream that is typically used to
initialize certain block cipher encryption schemes.  For a receiving
application to be able to decrypt a message, it must know the decryption key
and the initialization vector.  The value is typically base-64 encoded."))

(define sec:nonce
  (make-sec-property
    "nonce" "" string?
    #:comment
    "This property is used in conjunction with the input to the signature
hashing function in order to protect against replay attacks.  Typically,
receivers need to track all nonce values used within a certain time period
in order to ensure that an attacker cannot merely re-send a compromised
packet in order to execute a privileged request."))

(define sec:canonicalizationAlgorithm
  (make-sec-property
    "canonicalizationAlgorithm" "" (list iri? string?)
    #:comment
    "The canonicalization algorithm is used to transform the input data into a
form that can be passed to a cryptographic digest method.  The digest is then
digitally signed using a digital signature algorithm.  Canonicalization ensures
that a piece of software that is generating a digital signature is able to do
so on the same set of information in a deterministic manner."))

(define sec:owner
  (make-sec-property
    "owner" "Key" iri?
    #:comment
    "An owner is an entity that claims control over a particular resource.
Note that ownership is best validated as a two-way relationship where the
owner claims ownership over a particular resource, and the resource clearly
identifies its owner."))

(define sec:password
  (make-sec-property
    "password" "" string?
    #:comment
    "A secret that is used to generate a key that can be used to encrypt or
decrypt message.  It is typically a string value."))

(define sec:privateKeyPem
  (make-sec-property
    "privateKeyPem" "Key" string?
    #:comment
    "A private key PEM property is used to specify the PEM-encoded version of
the private key.  This encoding is compatible with almost every Secure Sockets
Layer library implementation and typically plugs directly into functions
intializing private keys."))

(define sec:publicKey
  (make-sec-property
    "publicKey" "EncryptedMessage" iri?
    #:comment
    "A public key property is used to specify a URL that contains information
about a public key."))

(define sec:publicKeyPem
  (make-sec-property
    "publicKeyPem" "Key" string?
    #:comment
    "A public key PEM property is used to specify the PEM-encoded version of
the public key.  This encoding is compatible with almost every Secure Sockets
Layer library implementation and typically plugs directly into functions
intializing public keys."))

(define sec:publicKeyService
  (make-sec-property
    "publicKeyService" "" string?
    #:comment
    "The publicKeyService property is used to express the REST URL that provides
public key management services as defined by the Web Key specification."))

(define sec:revoked
  (make-sec-property
    "revoked" "" date?
    #:comment
    "The revocation time is typically associated with a Key that has been
marked as invalid as of the date and time associated with the property.  Key
revocations are often used when a key is compromised, such as the theft of the
private key, or during the course of best-practice key rotation schedules."))

(define sec:signature
  (make-sec-property
    ;; XXX: not correct, there is no defined domain
    "signature" "Object" "Signature"
    #:comment
    "The signature property is used to associate a signature with a graph of
information.  The signature property is typically not included in the
canonicalized graph that is then digested, and digitally signed."))

(define sec:signatureValue
  (make-sec-property
    "signatureValue" "Signature" string?
    #:comment
    "The signature value is used to express the output of the signature
algorithm expressed in base-64 format."))

(define sec:signatureAlgorithm
  (make-sec-property
    "signatureAlgorithm" "Signature" string?
    #:comment
    "The signature algorithm is used to specify the cryptographic signature
function to use when digitally signing the digest data.  Typically, text to be
signed goes through three steps: 1) canonicalization, 2) digest, and
3) signature.  This property is used to specify the algorithm that should be
used for step #3.  A signature class typically specifies a default signature
algorithm, so this property rarely needs to be used in practice when
specifying digital signatures."))

(define sec-properties
  (list sec:cipherAlgorithm sec:cipherData sec:digestAlgorithm sec:digestValue
        sec:cipherKey sec:expires sec:initializationVector sec:nonce
        sec:canonicalizationAlgorithm sec:owner sec:password
        sec:privateKeyPem sec:publicKey sec:publicKeyPem sec:publicKeyService
        sec:revoked sec:signature sec:signatureValue sec:signatureAlgorithm))

(define (security-ontology (append sec-types sec-properties)))


1	;;;; Copyright (C) 2020 Julien Lepiller <julien@lepiller.eu>
2	;;;;
3	;;;; This library is free software; you can redistribute it and/or
4	;;;; modify it under the terms of the GNU Lesser General Public
5	;;;; License as published by the Free Software Foundation; either
6	;;;; version 3 of the License, or (at your option) any later version.
7	;;;;
8	;;;; This library is distributed in the hope that it will be useful,
9	;;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
10	;;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
11	;;;; Lesser General Public License for more details.
12	;;;;
13	;;;; You should have received a copy of the GNU Lesser General Public
14	;;;; License along with this library; if not, write to the Free Software
15	;;;; Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
16	;;;;
17
18	(define-module (http-signatures ontology)
19	#:use-module (activitystreams activitystreams)
20	#:use-module (ice-9 match)
21	#:use-module (jsonld json)
22	#:use-module (web uri)
23	#:export (security-ontology))
24
25	(define sec:vocab "https://w3id.org/security#")
26
27	(define* (make-sec-type label #:key (uri (string-append sec:vocab label))
28	(comment "") (subclass-of '()))
29	(make-as-type label #:uri uri #:comment comment #:subclass-of subclass-of))
30
31	(define* (make-as-property label domain range
32	#:key (uri (string-append as:vocab label))
33	(functional? #f) (subproperty-of '()) (comment ""))
34	(make-as-property label domain range #:uri uri #:functional? functional?
35	#:subproperty-of subproperty-of #:comment comment))
36
37	;; Classes
38
39	(define sec:Digest
40	(make-sec-type
41	"Digest"
42	#:comment
43	"This class represents a message digest that may be used for data integrity
44	verification. The digest algorithm used will determine the cryptographic
45	properties of the digest."))
46
47	(define sec:EncryptedMessage
48	(make-sec-type
49	"EncryptedMessage"
50	#:comment
51	"A class of messages that are obfuscated in some cryptographic manner.
52	These messages are incredibly difficult to decrypt without the proper
53	decryption key."))
54
55	(define sec:Signature
56	(make-sec-type
57	"Signature"
58	#:comment
59	"This class represents a digital signature on serialized data. It is an
60	abstract class and should not be used other than for Semantic Web reasoning
61	purposes, such as by a reasoning agent."))
62
63	(define sec:GraphSignature2012
64	(make-sec-type
65	"GraphSignature2012"
66	#:subclass-of (list sec:Signature)
67	#:comment
68	"A graph signature is used for digital signatures on RDF graphs. The
69	default canonicalization mechanism is specified in the RDF Graph normalization
70	specification, which effectively deterministically names all unnamed nodes.
71	The default signature mechanism uses a SHA-256 digest and RSA to perform the
72	digital signature."))
73
74	(define sec:LinkedDataSignature2015
75	(make-sec-type
76	"LinkedDataSignature2015"
77	#:subclass-of (list sec:Signature)
78	#:comment
79	"A Linked Data signature is used for digital signatures on RDF Datasets.
80	The default canonicalization mechanism is specified in the RDF Dataset
81	Normalization specification, which effectively deterministically names all
82	unnamed nodes. The default signature mechanism uses a SHA-256 digest and RSA
83	to perform the digital signature. This signature uses a algorithm for
84	producing the data that it signs and verifies that is different from other
85	Linked Data signatures."))
86
87	(define sec:LinkedDataSignature2016
88	(make-sec-type
89	"LinkedDataSignature2016"
90	#:subclass-of (list sec:Signature)
91	#:comment
92	"A Linked Data signature is used for digital signatures on RDF Datasets.
93	The default canonicalization mechanism is specified in the RDF Dataset
94	Normalization specification, which effectively deterministically names all
95	unnamed nodes. The default signature mechanism uses a SHA-256 digest and RSA
96	to perform the digital signature."))
97
98	(define sec:Key
99	(make-sec-type
100	"Key"
101	#:comment
102	"This class represents a cryptographic key that may be used for encryption,
103	decryption, or digitally signing data."))
104
105	(define sec-types (list sec:Digest sec:EncryptedMessage sec:Signature
106	sec:GraphSignature2012 sec:LinkedDataSignature2015
107	sec:LinkedDataSignature2016 sec:Key))
108
109	(define sec:authenticationTag
110	(make-sec-property
111	"authenticationTag" "EncryptedMessage" string?
112	#:coment
113	"Not specified"))
114
115	(define sec:creator
116	(make-sec-property
117	"creator" "Signature" iri?
118	#:coment
119	"Not specified"))
120
121	(define sec:cipherAlgorithm
122	(make-sec-property
123	"cipherAlgorithm" "EncryptedMessage" string?
124	#:comment
125	"The cipher algorithm describes the mechanism used to encrypt a message.
126	It is typically a string expressing the cipher suite, the strength of the
127	cipher, and a block cipher mode."))
128
129	(define sec:cipherData
130	(make-sec-property
131	"cipherData" "EncryptedMessage" string?
132	#:comment
133	"Cipher data an opaque blob of information that is used to specify an
134	encrypted message."))
135
136	(define sec:digestAlgorithm
137	(make-sec-property
138	"digestAlgorithm" "Digest" string?
139	#:comment
140	"The digest algorithm is used to specify the cryptographic function to use
141	when generating the data to be digitally signed. Typically, data that is to be
142	signed goes through three steps: 1) canonicalization, 2) digest, and
143	3) signature. This property is used to specify the algorithm that should be
144	used for step #2. A signature class typically specifies a default digest
145	method, so this property is typically used to specify information for a
146	signature algorithm."))
147
148	(define sec:digestValue
149	(make-sec-property
150	"digestValue" "Digest" string?
151	#:comment
152	"The digest value is used to express the output of the digest algorithm
153	expressed in Base-16 (hexadecimal) format."))
154
155	(define sec:cipherKey
156	(make-sec-property
157	"cipherKey" "EncryptedMessage" string?
158	#:comment
159	"A cipher key is a symmetric key that is used to encrypt or decrypt a
160	piece of information. The key itself may be expressed in clear text or
161	encrypted."))
162
163	(define sec:expires
164	(make-sec-property
165	"expires" "" string?
166	#:comment
167	"The expiration time is typically associated with a Key and specifies when
168	the validity of the key will expire. It is considered a best practice to only
169	create keys that have very definite expiration periods. This period is
170	typically set to between six months and two years. An digital signature
171	created using an expired key MUST be marked as invalid by any software
172	attempting to verify the signature."))
173
174	(define sec:initializationVector
175	(make-sec-property
176	"initializationVector" "EncryptedMessage" string?
177	#:comment
178	"The initialization vector (IV) is a byte stream that is typically used to
179	initialize certain block cipher encryption schemes. For a receiving
180	application to be able to decrypt a message, it must know the decryption key
181	and the initialization vector. The value is typically base-64 encoded."))
182
183	(define sec:nonce
184	(make-sec-property
185	"nonce" "" string?
186	#:comment
187	"This property is used in conjunction with the input to the signature
188	hashing function in order to protect against replay attacks. Typically,
189	receivers need to track all nonce values used within a certain time period
190	in order to ensure that an attacker cannot merely re-send a compromised
191	packet in order to execute a privileged request."))
192
193	(define sec:canonicalizationAlgorithm
194	(make-sec-property
195	"canonicalizationAlgorithm" "" (list iri? string?)
196	#:comment
197	"The canonicalization algorithm is used to transform the input data into a
198	form that can be passed to a cryptographic digest method. The digest is then
199	digitally signed using a digital signature algorithm. Canonicalization ensures
200	that a piece of software that is generating a digital signature is able to do
201	so on the same set of information in a deterministic manner."))
202
203	(define sec:owner
204	(make-sec-property
205	"owner" "Key" iri?
206	#:comment
207	"An owner is an entity that claims control over a particular resource.
208	Note that ownership is best validated as a two-way relationship where the
209	owner claims ownership over a particular resource, and the resource clearly
210	identifies its owner."))
211
212	(define sec:password
213	(make-sec-property
214	"password" "" string?
215	#:comment
216	"A secret that is used to generate a key that can be used to encrypt or
217	decrypt message. It is typically a string value."))
218
219	(define sec:privateKeyPem
220	(make-sec-property
221	"privateKeyPem" "Key" string?
222	#:comment
223	"A private key PEM property is used to specify the PEM-encoded version of
224	the private key. This encoding is compatible with almost every Secure Sockets
225	Layer library implementation and typically plugs directly into functions
226	intializing private keys."))
227
228	(define sec:publicKey
229	(make-sec-property
230	"publicKey" "EncryptedMessage" iri?
231	#:comment
232	"A public key property is used to specify a URL that contains information
233	about a public key."))
234
235	(define sec:publicKeyPem
236	(make-sec-property
237	"publicKeyPem" "Key" string?
238	#:comment
239	"A public key PEM property is used to specify the PEM-encoded version of
240	the public key. This encoding is compatible with almost every Secure Sockets
241	Layer library implementation and typically plugs directly into functions
242	intializing public keys."))
243
244	(define sec:publicKeyService
245	(make-sec-property
246	"publicKeyService" "" string?
247	#:comment
248	"The publicKeyService property is used to express the REST URL that provides
249	public key management services as defined by the Web Key specification."))
250
251	(define sec:revoked
252	(make-sec-property
253	"revoked" "" date?
254	#:comment
255	"The revocation time is typically associated with a Key that has been
256	marked as invalid as of the date and time associated with the property. Key
257	revocations are often used when a key is compromised, such as the theft of the
258	private key, or during the course of best-practice key rotation schedules."))
259
260	(define sec:signature
261	(make-sec-property
262	;; XXX: not correct, there is no defined domain
263	"signature" "Object" "Signature"
264	#:comment
265	"The signature property is used to associate a signature with a graph of
266	information. The signature property is typically not included in the
267	canonicalized graph that is then digested, and digitally signed."))
268
269	(define sec:signatureValue
270	(make-sec-property
271	"signatureValue" "Signature" string?
272	#:comment
273	"The signature value is used to express the output of the signature
274	algorithm expressed in base-64 format."))
275
276	(define sec:signatureAlgorithm
277	(make-sec-property
278	"signatureAlgorithm" "Signature" string?
279	#:comment
280	"The signature algorithm is used to specify the cryptographic signature
281	function to use when digitally signing the digest data. Typically, text to be
282	signed goes through three steps: 1) canonicalization, 2) digest, and
283	3) signature. This property is used to specify the algorithm that should be
284	used for step #3. A signature class typically specifies a default signature
285	algorithm, so this property rarely needs to be used in practice when
286	specifying digital signatures."))
287
288	(define sec-properties
289	(list sec:cipherAlgorithm sec:cipherData sec:digestAlgorithm sec:digestValue
290	sec:cipherKey sec:expires sec:initializationVector sec:nonce
291	sec:canonicalizationAlgorithm sec:owner sec:password
292	sec:privateKeyPem sec:publicKey sec:publicKeyPem sec:publicKeyService
293	sec:revoked sec:signature sec:signatureValue sec:signatureAlgorithm))
294
295	(define (security-ontology (append sec-types sec-properties)))
296