inherence-verifier 0.1.0

Reference verifier for Inherence receipts (verification protocol v1).
# inherence-verifier

Reference verifier for Inherence receipts — implements verification protocol v1 (see [`spec/receipts/v1/SPEC.md`](https://github.com/Inherencelabs/inherence-verifier-rs/blob/main/spec/SPEC.md) — published alongside this crate).

This is the Rust core. The same logic is also distributed as:

- **[`@inherencelabs/verifier`](https://github.com/Inherencelabs/inherence-verifier-js)** — WASM bindings for JavaScript/TypeScript (Node + browser)
- **[`inherence-verifier`](https://github.com/Inherencelabs/inherence-verifier-py)** — PyO3 bindings for Python

All three pass the same 22-vector conformance suite. A bug in one is a bug in all three.

## What this crate is

A standalone library that verifies Inherence receipts offline. Given:
- a receipt (a signed JWT)
- a pinned authority public key
- a pinned set of acceptable Groth16 verifying keys

…it returns `VALID` or `INVALID:{failure_code}` with no network I/O.

## What this crate is NOT

This crate contains **no** policy-compilation logic, **no** proving logic, and **no** circuit-construction logic. Those run behind the hosted gate that issues receipts; they are not necessary to verify a receipt and they're not in this dependency tree.

## Install

```toml
[dependencies]
inherence-verifier = "0.1"
```

## Usage

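```rust
use inherence_verifier::{verify_receipt, VerifyConfig};

// Pin the trust anchors up front: the authority key and each acceptable VK.
// `authority_jwk_json`, `vk_hash_hex`, `vk_bytes` and `jwt` are supplied by the caller;
// the `?` requires an enclosing function that returns a `Result`.
let cfg = VerifyConfig::new()
    .pin_authority_jwk(&authority_jwk_json)?
    .pin_vk(&vk_hash_hex, vk_bytes);

// Verification is offline; a failure carries one code from the controlled vocabulary.
match verify_receipt(&jwt, &cfg) {
    Ok(()) => println!("VALID"),
    Err(e) => println!("INVALID: {} ({})", e.code(), e),
}
```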

The failure codes come from a fixed [controlled vocabulary](https://github.com/Inherencelabs/inherence-verifier-rs/blob/main/src/error.rs):
`schema_violation`, `signature_invalid`, `wrong_signer`, `expired`, `not_yet_valid`, `wrong_issuer`, `wrong_audience`, `principal_signature_invalid:principal`, `principal_signature_invalid:agent`, `state_invalid`, `decision_bit_mismatch`, `unknown_vk`, `internal_inconsistency`, `proof_invalid`.

## Verifying keys

VKs are content-addressed. Fetch them from `https://vk.inherencelabs.com/v1/keys/{vk_hash}` — the URL contains no customer identifier. The verifier's `pin_vk(vk_hash, bytes)` re-hashes the bytes and refuses to use them if the hash doesn't match.
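
The re-hash-and-refuse check described above, as an added example (not this crate's code). It assumes `vk_hash` is the lowercase hex SHA-256 of the raw key bytes, which this README does not specify; `sha256_hex`, `pin_checked` and `select_vk` are hypothetical names, the sample bytes are constructed, and SHA-256 is written out with std only so the block runs without dependencies.

```rust
use std::collections::HashMap;
// SHA-256 (FIPS 180-4), std only. Assumed hash: the page does not name the one behind vk_hash.
fn sha256_hex(msg: &[u8]) -> String {
    let primes: Vec<u32> = (2u32..312).filter(|n| (2..*n).all(|d| n % d != 0)).collect();
    let frac = |x: f64| (x.fract() * 4294967296.0) as u32; // fractional bits of a root
    let k: Vec<u32> = primes.iter().map(|&p| frac((p as f64).cbrt())).collect();
    let mut h: Vec<u32> = primes[..8].iter().map(|&p| frac((p as f64).sqrt())).collect();
    let mut m = [msg, &[0x80u8][..]].concat();
    while m.len() % 64 != 56 { m.push(0); }
    m.extend_from_slice(&(msg.len() as u64 * 8).to_be_bytes());
    for block in m.chunks(64) {
        let mut w = [0u32; 64];
        for i in 0..16 { w[i] = block[4 * i..4 * i + 4].iter().fold(0u32, |a, &b| (a << 8) | b as u32); }
        for i in 16..64 {
            let s0 = w[i - 15].rotate_right(7) ^ w[i - 15].rotate_right(18) ^ (w[i - 15] >> 3);
            let s1 = w[i - 2].rotate_right(17) ^ w[i - 2].rotate_right(19) ^ (w[i - 2] >> 10);
            w[i] = w[i - 16].wrapping_add(s0).wrapping_add(w[i - 7]).wrapping_add(s1);
        }
        let mut v = h.clone(); // working variables a..h
        for i in 0..64 {
            let s1 = v[4].rotate_right(6) ^ v[4].rotate_right(11) ^ v[4].rotate_right(25);
            let ch = (v[4] & v[5]) ^ (!v[4] & v[6]);
            let t1 = v[7].wrapping_add(s1).wrapping_add(ch).wrapping_add(k[i]).wrapping_add(w[i]);
            let s0 = v[0].rotate_right(2) ^ v[0].rotate_right(13) ^ v[0].rotate_right(22);
            let maj = (v[0] & v[1]) ^ (v[0] & v[2]) ^ (v[1] & v[2]);
            v.rotate_right(1); // b..h take the old a..g
            v[4] = v[4].wrapping_add(t1); // e = d + t1
            v[0] = t1.wrapping_add(s0).wrapping_add(maj); // a = t1 + t2
        }
        for i in 0..8 { h[i] = h[i].wrapping_add(v[i]); }
    }
    h.iter().map(|x| format!("{:08x}", x)).collect()
}

// Hypothetical pin set: bytes are stored only if they hash to the address they were fetched under.
fn pin_checked(pins: &mut HashMap<String, Vec<u8>>, vk_hash: &str, bytes: &[u8]) -> bool {
    if sha256_hex(bytes) != vk_hash.to_ascii_lowercase() { return false; }
    pins.insert(vk_hash.to_ascii_lowercase(), bytes.to_vec());
    true
}
// A receipt naming a hash that was never pinned maps to the page's `unknown_vk` code.
fn select_vk<'a>(pins: &'a HashMap<String, Vec<u8>>, vk_hash: &str) -> Result<&'a Vec<u8>, &'static str> {
    pins.get(&vk_hash.to_ascii_lowercase()).ok_or("unknown_vk")
}

fn main() {
    let (mut pins, vk) = (HashMap::new(), b"constructed sample bytes, not a real key");
    println!("genuine pinned: {}", pin_checked(&mut pins, &sha256_hex(vk), vk));
    println!("tampered pinned: {}", pin_checked(&mut pins, &sha256_hex(vk), b"tampered"));
}
```

Because the address is derived from the bytes, a compromised or spoofed key server can withhold a key but cannot substitute one.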

## Test

```sh
cargo test --test vectors
```

Runs the 22 conformance vectors. A passing run is sufficient to claim v1 conformance.

## License

Apache-2.0.