guile-fediverse

guile-fediverse/http-signature/vocabulary.scm

vocabulary.scm

;;;; Copyright (C) 2020 Julien Lepiller <julien@lepiller.eu>
;;;; 
;;;; This library is free software; you can redistribute it and/or
;;;; modify it under the terms of the GNU Lesser General Public
;;;; License as published by the Free Software Foundation; either
;;;; version 3 of the License, or (at your option) any later version.
;;;; 
;;;; This library is distributed in the hope that it will be useful,
;;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
;;;; Lesser General Public License for more details.
;;;; 
;;;; You should have received a copy of the GNU Lesser General Public
;;;; License along with this library; if not, write to the Free Software
;;;; Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
;;;; 

(define-module (http-signature vocabulary)
  #:use-module (activitystreams ontology)
  #:use-module (activitystreams predicates)
  #:use-module (ice-9 match)
  #:use-module (jsonld json)
  #:use-module (web uri)
  #:export (security-ontology))

(define-public vocab "https://w3id.org/security#")

(define* (make-sec-type label #:key (uri (string-append vocab label))
                        (comment "") (subclass-of '()))
  (build-as-type label #:uri uri #:comment comment #:subclass-of subclass-of))

(define* (make-sec-property label domain range
                           #:key (uri (string-append vocab label))
                           (functional? #f) (subproperty-of '()) (comment ""))
  (build-as-property label domain range #:uri uri #:functional? functional?
                    #:subproperty-of subproperty-of #:comment comment))

;; Classes

(define-public Digest
  (make-sec-type
    "Digest"
    #:comment
    "This class represents a message digest that may be used for data integrity
verification.  The digest algorithm used will determine the cryptographic
properties of the digest."))

(define-public EncryptedMessage
  (make-sec-type
    "EncryptedMessage"
    #:comment
    "A class of messages that are obfuscated in some cryptographic manner.
These messages are incredibly difficult to decrypt without the proper
decryption key."))

(define-public Signature
  (make-sec-type
    "Signature"
    #:comment
    "This class represents a digital signature on serialized data.  It is an
abstract class and should not be used other than for Semantic Web reasoning
purposes, such as by a reasoning agent."))

(define-public GraphSignature2012
  (make-sec-type
    "GraphSignature2012"
    #:subclass-of (list Signature)
    #:comment
    "A graph signature is used for digital signatures on RDF graphs.  The
default canonicalization mechanism is specified in the RDF Graph normalization
specification, which effectively deterministically names all unnamed nodes.
The default signature mechanism uses a SHA-256 digest and RSA to perform the
digital signature."))

(define-public LinkedDataSignature2015
  (make-sec-type
    "LinkedDataSignature2015"
    #:subclass-of (list Signature)
    #:comment
    "A Linked Data signature is used for digital signatures on RDF Datasets.
The default canonicalization mechanism is specified in the RDF Dataset
Normalization specification, which effectively deterministically names all
unnamed nodes.  The default signature mechanism uses a SHA-256 digest and RSA
to perform the digital signature.  This signature uses a algorithm for
producing the data that it signs and verifies that is different from other
Linked Data signatures."))

(define-public LinkedDataSignature2016
  (make-sec-type
    "LinkedDataSignature2016"
    #:subclass-of (list Signature)
    #:comment
    "A Linked Data signature is used for digital signatures on RDF Datasets.
The default canonicalization mechanism is specified in the RDF Dataset
Normalization specification, which effectively deterministically names all
unnamed nodes. The default signature mechanism uses a SHA-256 digest and RSA
to perform the digital signature."))

(define-public Key
  (make-sec-type
    "Key"
    #:comment
    "This class represents a cryptographic key that may be used for encryption,
decryption, or digitally signing data."))

(define-public sec-types (list Digest EncryptedMessage Signature
                        GraphSignature2012 LinkedDataSignature2015
                        LinkedDataSignature2016 Key))

(define-public authenticationTag
  (make-sec-property
    "authenticationTag" "EncryptedMessage" string?
    #:comment
    "Not specified"))

(define-public creator
  (make-sec-property
    "creator" "Signature" uri?
    #:comment
    "Not specified"))

(define-public cipherAlgorithm
  (make-sec-property
    "cipherAlgorithm" "EncryptedMessage" string?
    #:comment
    "The cipher algorithm describes the mechanism used to encrypt a message.
It is typically a string expressing the cipher suite, the strength of the
cipher, and a block cipher mode."))

(define-public cipherData
  (make-sec-property
    "cipherData" "EncryptedMessage" string?
    #:comment
    "Cipher data an opaque blob of information that is used to specify an
encrypted message."))

(define-public digestAlgorithm
  (make-sec-property
    "digestAlgorithm" "Digest" string?
    #:comment
    "The digest algorithm is used to specify the cryptographic function to use
when generating the data to be digitally signed.  Typically, data that is to be
signed goes through three steps: 1) canonicalization, 2) digest, and
3) signature.  This property is used to specify the algorithm that should be
used for step #2.  A signature class typically specifies a default digest
method, so this property is typically used to specify information for a
signature algorithm."))

(define-public digestValue
  (make-sec-property
    "digestValue" "Digest" string?
    #:comment
    "The digest value is used to express the output of the digest algorithm
expressed in Base-16 (hexadecimal) format."))

(define-public cipherKey
  (make-sec-property
    "cipherKey" "EncryptedMessage" string?
    #:comment
    "A cipher key is a symmetric key that is used to encrypt or decrypt a
piece of information.  The key itself may be expressed in clear text or
encrypted."))

(define-public expires
  (make-sec-property
    "expires" "" string?
    #:comment
    "The expiration time is typically associated with a Key and specifies when
the validity of the key will expire.  It is considered a best practice to only
create keys that have very definite expiration periods.  This period is
typically set to between six months and two years.  An digital signature
created using an expired key MUST be marked as invalid by any software
attempting to verify the signature."))

(define-public initializationVector
  (make-sec-property
    "initializationVector" "EncryptedMessage" string?
    #:comment
    "The initialization vector (IV) is a byte stream that is typically used to
initialize certain block cipher encryption schemes.  For a receiving
application to be able to decrypt a message, it must know the decryption key
and the initialization vector.  The value is typically base-64 encoded."))

(define-public nonce
  (make-sec-property
    "nonce" "" string?
    #:comment
    "This property is used in conjunction with the input to the signature
hashing function in order to protect against replay attacks.  Typically,
receivers need to track all nonce values used within a certain time period
in order to ensure that an attacker cannot merely re-send a compromised
packet in order to execute a privileged request."))

(define-public canonicalizationAlgorithm
  (make-sec-property
    "canonicalizationAlgorithm" "" (list uri? string?)
    #:comment
    "The canonicalization algorithm is used to transform the input data into a
form that can be passed to a cryptographic digest method.  The digest is then
digitally signed using a digital signature algorithm.  Canonicalization ensures
that a piece of software that is generating a digital signature is able to do
so on the same set of information in a deterministic manner."))

(define-public owner
  (make-sec-property
    "owner" "Key" uri?
    #:comment
    "An owner is an entity that claims control over a particular resource.
Note that ownership is best validated as a two-way relationship where the
owner claims ownership over a particular resource, and the resource clearly
identifies its owner."))

(define-public password
  (make-sec-property
    "password" "" string?
    #:comment
    "A secret that is used to generate a key that can be used to encrypt or
decrypt message.  It is typically a string value."))

(define-public privateKeyPem
  (make-sec-property
    "privateKeyPem" "Key" string?
    #:comment
    "A private key PEM property is used to specify the PEM-encoded version of
the private key.  This encoding is compatible with almost every Secure Sockets
Layer library implementation and typically plugs directly into functions
intializing private keys."))

(define-public publicKey
  (make-sec-property
    "publicKey" "EncryptedMessage" uri?
    #:comment
    "A public key property is used to specify a URL that contains information
about a public key."))

(define-public publicKeyPem
  (make-sec-property
    "publicKeyPem" "Key" string?
    #:comment
    "A public key PEM property is used to specify the PEM-encoded version of
the public key.  This encoding is compatible with almost every Secure Sockets
Layer library implementation and typically plugs directly into functions
intializing public keys."))

(define-public publicKeyService
  (make-sec-property
    "publicKeyService" "" string?
    #:comment
    "The publicKeyService property is used to express the REST URL that provides
public key management services as defined by the Web Key specification."))

(define-public revoked
  (make-sec-property
    "revoked" "" date?
    #:comment
    "The revocation time is typically associated with a Key that has been
marked as invalid as of the date and time associated with the property.  Key
revocations are often used when a key is compromised, such as the theft of the
private key, or during the course of best-practice key rotation schedules."))

(define-public signature
  (make-sec-property
    ;; XXX: not correct, there is no defined domain
    "signature" "Object" "Signature"
    #:comment
    "The signature property is used to associate a signature with a graph of
information.  The signature property is typically not included in the
canonicalized graph that is then digested, and digitally signed."))

(define-public signatureValue
  (make-sec-property
    "signatureValue" "Signature" string?
    #:comment
    "The signature value is used to express the output of the signature
algorithm expressed in base-64 format."))

(define-public signatureAlgorithm
  (make-sec-property
    "signatureAlgorithm" "Signature" string?
    #:comment
    "The signature algorithm is used to specify the cryptographic signature
function to use when digitally signing the digest data.  Typically, text to be
signed goes through three steps: 1) canonicalization, 2) digest, and
3) signature.  This property is used to specify the algorithm that should be
used for step #3.  A signature class typically specifies a default signature
algorithm, so this property rarely needs to be used in practice when
specifying digital signatures."))

(define sec-properties
  (list cipherAlgorithm cipherData digestAlgorithm digestValue
        cipherKey expires initializationVector nonce
        canonicalizationAlgorithm owner password
        privateKeyPem publicKey publicKeyPem publicKeyService
        revoked signature signatureValue signatureAlgorithm))

(define security-ontology
  (make-ontology '("https://w3id.org/security/v1") sec-types sec-properties))


1	;;;; Copyright (C) 2020 Julien Lepiller <julien@lepiller.eu>
2	;;;;
3	;;;; This library is free software; you can redistribute it and/or
4	;;;; modify it under the terms of the GNU Lesser General Public
5	;;;; License as published by the Free Software Foundation; either
6	;;;; version 3 of the License, or (at your option) any later version.
7	;;;;
8	;;;; This library is distributed in the hope that it will be useful,
9	;;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
10	;;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
11	;;;; Lesser General Public License for more details.
12	;;;;
13	;;;; You should have received a copy of the GNU Lesser General Public
14	;;;; License along with this library; if not, write to the Free Software
15	;;;; Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
16	;;;;
17
18	(define-module (http-signature vocabulary)
19	#:use-module (activitystreams ontology)
20	#:use-module (activitystreams predicates)
21	#:use-module (ice-9 match)
22	#:use-module (jsonld json)
23	#:use-module (web uri)
24	#:export (security-ontology))
25
26	(define-public vocab "https://w3id.org/security#")
27
28	(define* (make-sec-type label #:key (uri (string-append vocab label))
29	(comment "") (subclass-of '()))
30	(build-as-type label #:uri uri #:comment comment #:subclass-of subclass-of))
31
32	(define* (make-sec-property label domain range
33	#:key (uri (string-append vocab label))
34	(functional? #f) (subproperty-of '()) (comment ""))
35	(build-as-property label domain range #:uri uri #:functional? functional?
36	#:subproperty-of subproperty-of #:comment comment))
37
38	;; Classes
39
40	(define-public Digest
41	(make-sec-type
42	"Digest"
43	#:comment
44	"This class represents a message digest that may be used for data integrity
45	verification. The digest algorithm used will determine the cryptographic
46	properties of the digest."))
47
48	(define-public EncryptedMessage
49	(make-sec-type
50	"EncryptedMessage"
51	#:comment
52	"A class of messages that are obfuscated in some cryptographic manner.
53	These messages are incredibly difficult to decrypt without the proper
54	decryption key."))
55
56	(define-public Signature
57	(make-sec-type
58	"Signature"
59	#:comment
60	"This class represents a digital signature on serialized data. It is an
61	abstract class and should not be used other than for Semantic Web reasoning
62	purposes, such as by a reasoning agent."))
63
64	(define-public GraphSignature2012
65	(make-sec-type
66	"GraphSignature2012"
67	#:subclass-of (list Signature)
68	#:comment
69	"A graph signature is used for digital signatures on RDF graphs. The
70	default canonicalization mechanism is specified in the RDF Graph normalization
71	specification, which effectively deterministically names all unnamed nodes.
72	The default signature mechanism uses a SHA-256 digest and RSA to perform the
73	digital signature."))
74
75	(define-public LinkedDataSignature2015
76	(make-sec-type
77	"LinkedDataSignature2015"
78	#:subclass-of (list Signature)
79	#:comment
80	"A Linked Data signature is used for digital signatures on RDF Datasets.
81	The default canonicalization mechanism is specified in the RDF Dataset
82	Normalization specification, which effectively deterministically names all
83	unnamed nodes. The default signature mechanism uses a SHA-256 digest and RSA
84	to perform the digital signature. This signature uses a algorithm for
85	producing the data that it signs and verifies that is different from other
86	Linked Data signatures."))
87
88	(define-public LinkedDataSignature2016
89	(make-sec-type
90	"LinkedDataSignature2016"
91	#:subclass-of (list Signature)
92	#:comment
93	"A Linked Data signature is used for digital signatures on RDF Datasets.
94	The default canonicalization mechanism is specified in the RDF Dataset
95	Normalization specification, which effectively deterministically names all
96	unnamed nodes. The default signature mechanism uses a SHA-256 digest and RSA
97	to perform the digital signature."))
98
99	(define-public Key
100	(make-sec-type
101	"Key"
102	#:comment
103	"This class represents a cryptographic key that may be used for encryption,
104	decryption, or digitally signing data."))
105
106	(define-public sec-types (list Digest EncryptedMessage Signature
107	GraphSignature2012 LinkedDataSignature2015
108	LinkedDataSignature2016 Key))
109
110	(define-public authenticationTag
111	(make-sec-property
112	"authenticationTag" "EncryptedMessage" string?
113	#:comment
114	"Not specified"))
115
116	(define-public creator
117	(make-sec-property
118	"creator" "Signature" uri?
119	#:comment
120	"Not specified"))
121
122	(define-public cipherAlgorithm
123	(make-sec-property
124	"cipherAlgorithm" "EncryptedMessage" string?
125	#:comment
126	"The cipher algorithm describes the mechanism used to encrypt a message.
127	It is typically a string expressing the cipher suite, the strength of the
128	cipher, and a block cipher mode."))
129
130	(define-public cipherData
131	(make-sec-property
132	"cipherData" "EncryptedMessage" string?
133	#:comment
134	"Cipher data an opaque blob of information that is used to specify an
135	encrypted message."))
136
137	(define-public digestAlgorithm
138	(make-sec-property
139	"digestAlgorithm" "Digest" string?
140	#:comment
141	"The digest algorithm is used to specify the cryptographic function to use
142	when generating the data to be digitally signed. Typically, data that is to be
143	signed goes through three steps: 1) canonicalization, 2) digest, and
144	3) signature. This property is used to specify the algorithm that should be
145	used for step #2. A signature class typically specifies a default digest
146	method, so this property is typically used to specify information for a
147	signature algorithm."))
148
149	(define-public digestValue
150	(make-sec-property
151	"digestValue" "Digest" string?
152	#:comment
153	"The digest value is used to express the output of the digest algorithm
154	expressed in Base-16 (hexadecimal) format."))
155
156	(define-public cipherKey
157	(make-sec-property
158	"cipherKey" "EncryptedMessage" string?
159	#:comment
160	"A cipher key is a symmetric key that is used to encrypt or decrypt a
161	piece of information. The key itself may be expressed in clear text or
162	encrypted."))
163
164	(define-public expires
165	(make-sec-property
166	"expires" "" string?
167	#:comment
168	"The expiration time is typically associated with a Key and specifies when
169	the validity of the key will expire. It is considered a best practice to only
170	create keys that have very definite expiration periods. This period is
171	typically set to between six months and two years. An digital signature
172	created using an expired key MUST be marked as invalid by any software
173	attempting to verify the signature."))
174
175	(define-public initializationVector
176	(make-sec-property
177	"initializationVector" "EncryptedMessage" string?
178	#:comment
179	"The initialization vector (IV) is a byte stream that is typically used to
180	initialize certain block cipher encryption schemes. For a receiving
181	application to be able to decrypt a message, it must know the decryption key
182	and the initialization vector. The value is typically base-64 encoded."))
183
184	(define-public nonce
185	(make-sec-property
186	"nonce" "" string?
187	#:comment
188	"This property is used in conjunction with the input to the signature
189	hashing function in order to protect against replay attacks. Typically,
190	receivers need to track all nonce values used within a certain time period
191	in order to ensure that an attacker cannot merely re-send a compromised
192	packet in order to execute a privileged request."))
193
194	(define-public canonicalizationAlgorithm
195	(make-sec-property
196	"canonicalizationAlgorithm" "" (list uri? string?)
197	#:comment
198	"The canonicalization algorithm is used to transform the input data into a
199	form that can be passed to a cryptographic digest method. The digest is then
200	digitally signed using a digital signature algorithm. Canonicalization ensures
201	that a piece of software that is generating a digital signature is able to do
202	so on the same set of information in a deterministic manner."))
203
204	(define-public owner
205	(make-sec-property
206	"owner" "Key" uri?
207	#:comment
208	"An owner is an entity that claims control over a particular resource.
209	Note that ownership is best validated as a two-way relationship where the
210	owner claims ownership over a particular resource, and the resource clearly
211	identifies its owner."))
212
213	(define-public password
214	(make-sec-property
215	"password" "" string?
216	#:comment
217	"A secret that is used to generate a key that can be used to encrypt or
218	decrypt message. It is typically a string value."))
219
220	(define-public privateKeyPem
221	(make-sec-property
222	"privateKeyPem" "Key" string?
223	#:comment
224	"A private key PEM property is used to specify the PEM-encoded version of
225	the private key. This encoding is compatible with almost every Secure Sockets
226	Layer library implementation and typically plugs directly into functions
227	intializing private keys."))
228
229	(define-public publicKey
230	(make-sec-property
231	"publicKey" "EncryptedMessage" uri?
232	#:comment
233	"A public key property is used to specify a URL that contains information
234	about a public key."))
235
236	(define-public publicKeyPem
237	(make-sec-property
238	"publicKeyPem" "Key" string?
239	#:comment
240	"A public key PEM property is used to specify the PEM-encoded version of
241	the public key. This encoding is compatible with almost every Secure Sockets
242	Layer library implementation and typically plugs directly into functions
243	intializing public keys."))
244
245	(define-public publicKeyService
246	(make-sec-property
247	"publicKeyService" "" string?
248	#:comment
249	"The publicKeyService property is used to express the REST URL that provides
250	public key management services as defined by the Web Key specification."))
251
252	(define-public revoked
253	(make-sec-property
254	"revoked" "" date?
255	#:comment
256	"The revocation time is typically associated with a Key that has been
257	marked as invalid as of the date and time associated with the property. Key
258	revocations are often used when a key is compromised, such as the theft of the
259	private key, or during the course of best-practice key rotation schedules."))
260
261	(define-public signature
262	(make-sec-property
263	;; XXX: not correct, there is no defined domain
264	"signature" "Object" "Signature"
265	#:comment
266	"The signature property is used to associate a signature with a graph of
267	information. The signature property is typically not included in the
268	canonicalized graph that is then digested, and digitally signed."))
269
270	(define-public signatureValue
271	(make-sec-property
272	"signatureValue" "Signature" string?
273	#:comment
274	"The signature value is used to express the output of the signature
275	algorithm expressed in base-64 format."))
276
277	(define-public signatureAlgorithm
278	(make-sec-property
279	"signatureAlgorithm" "Signature" string?
280	#:comment
281	"The signature algorithm is used to specify the cryptographic signature
282	function to use when digitally signing the digest data. Typically, text to be
283	signed goes through three steps: 1) canonicalization, 2) digest, and
284	3) signature. This property is used to specify the algorithm that should be
285	used for step #3. A signature class typically specifies a default signature
286	algorithm, so this property rarely needs to be used in practice when
287	specifying digital signatures."))
288
289	(define sec-properties
290	(list cipherAlgorithm cipherData digestAlgorithm digestValue
291	cipherKey expires initializationVector nonce
292	canonicalizationAlgorithm owner password
293	privateKeyPem publicKey publicKeyPem publicKeyService
294	revoked signature signatureValue signatureAlgorithm))
295
296	(define security-ontology
297	(make-ontology '("https://w3id.org/security/v1") sec-types sec-properties))
298