fix: correct erroneous DeviceDID to CanonicalDid

bordumb · bordumb · commit 47dd24d71a43 · 2026-03-31T22:05:38.000-07:00
diff --git a/crates/auths-id/src/attestation/create.rs b/crates/auths-id/src/attestation/create.rs
@@ -94,12 +94,15 @@ pub fn create_signed_attestation(
     #[allow(clippy::disallowed_methods)]
     // INVARIANT: identity_did is an IdentityDID which guarantees valid DID format
     let issuer_canonical = CanonicalDid::new_unchecked(identity_did.as_str());
+    #[allow(clippy::disallowed_methods)]
+    // INVARIANT: device_did is a validated DeviceDID from the caller
+    let subject_canonical = CanonicalDid::new_unchecked(device_did.as_str());
     let delegated_canonical = delegated_by.as_ref().map(|d| CanonicalDid::from(d.clone()));
     let data_to_canonicalize = CanonicalAttestationData {
         version: ATTESTATION_VERSION,
         rid,
         issuer: &issuer_canonical,
-        subject: device_did,
+        subject: &subject_canonical,
         device_public_key,
         payload: &payload,
         timestamp: &meta.timestamp,
@@ -161,7 +164,7 @@ pub fn create_signed_attestation(
     // Construct final attestation
     Ok(Attestation {
         version: ATTESTATION_VERSION,
-        subject: device_did.clone(),
+        subject: subject_canonical,
         issuer: issuer_canonical,
         rid: ResourceId::new(rid),
         payload: payload.clone(),
diff --git a/crates/auths-id/src/attestation/revoke.rs b/crates/auths-id/src/attestation/revoke.rs
@@ -88,7 +88,9 @@ pub fn create_signed_revocation(
     let revocation_issuer = CanonicalDid::new_unchecked(identity_did.as_str());
     Ok(Attestation {
         version: REVOCATION_VERSION,
-        subject: device_did.clone(),
+        #[allow(clippy::disallowed_methods)]
+        // INVARIANT: device_did is a validated DeviceDID from the caller
+        subject: CanonicalDid::new_unchecked(device_did.as_str()),
         issuer: revocation_issuer,
         rid: ResourceId::new(rid),
         payload: payload_arg.clone(),
diff --git a/crates/auths-id/src/policy/mod.rs b/crates/auths-id/src/policy/mod.rs
@@ -72,7 +72,7 @@ pub fn context_from_attestation(
     att: &Attestation,
     now: DateTime<Utc>,
 ) -> Result<EvalContext, DidParseError> {
-    let mut ctx = EvalContext::try_from_strings(now, &att.issuer, &att.subject.to_string())?;
+    let mut ctx = EvalContext::try_from_strings(now, &att.issuer, att.subject.as_ref())?;
 
     ctx = ctx.revoked(att.is_revoked());
 
diff --git a/crates/auths-id/src/storage/indexed.rs b/crates/auths-id/src/storage/indexed.rs
@@ -151,8 +151,11 @@ impl AttestationSource for IndexedAttestationStorage {
             return self.inner.discover_device_dids();
         }
 
-        // Collect unique device DIDs from the index
-        let mut dids: Vec<DeviceDID> = active.into_iter().map(|a| a.device_did.clone()).collect();
+        // Collect unique device DIDs from the index (filter to did:key: only)
+        let mut dids: Vec<DeviceDID> = active
+            .into_iter()
+            .filter_map(|a| DeviceDID::parse(a.device_did.as_str()).ok())
+            .collect();
         dids.sort_by(|a, b| a.as_str().cmp(b.as_str()));
         dids.dedup();
         Ok(dids)
diff --git a/crates/auths-id/src/testing/contracts/registry.rs b/crates/auths-id/src/testing/contracts/registry.rs
@@ -166,7 +166,7 @@ macro_rules! registry_backend_contract_tests {
                     loaded.is_some(),
                     "attestation should be present after store"
                 );
-                assert_eq!(loaded.unwrap().subject, did);
+                assert_eq!(loaded.unwrap().subject.as_str(), did.as_str());
             }
 
             #[test]
diff --git a/crates/auths-id/src/testing/fakes/attestation.rs b/crates/auths-id/src/testing/fakes/attestation.rs
@@ -65,7 +65,7 @@ impl AttestationSource for FakeAttestationSource {
         let guard = self.attestations.lock().unwrap();
         Ok(guard
             .iter()
-            .filter(|a| a.subject == *device_did)
+            .filter(|a| a.subject.as_str() == device_did.as_str())
             .cloned()
             .collect())
     }
@@ -76,8 +76,10 @@ impl AttestationSource for FakeAttestationSource {
 
     fn discover_device_dids(&self) -> Result<Vec<DeviceDID>, StorageError> {
         let guard = self.attestations.lock().unwrap();
-        let dids: std::collections::HashSet<DeviceDID> =
-            guard.iter().map(|a| a.subject.clone()).collect();
+        let dids: std::collections::HashSet<DeviceDID> = guard
+            .iter()
+            .filter_map(|a| DeviceDID::parse(a.subject.as_str()).ok())
+            .collect();
         Ok(dids.into_iter().collect())
     }
 }
diff --git a/crates/auths-id/src/testing/fakes/registry.rs b/crates/auths-id/src/testing/fakes/registry.rs
@@ -17,8 +17,8 @@ use crate::storage::registry::schemas::{RegistryMetadata, TipInfo};
 struct FakeState {
     events: HashMap<String, Vec<Event>>,
     key_states: HashMap<String, KeyState>,
-    attestations: HashMap<DeviceDID, Attestation>,
-    attestation_history: HashMap<DeviceDID, Vec<Attestation>>,
+    attestations: HashMap<CanonicalDid, Attestation>,
+    attestation_history: HashMap<CanonicalDid, Vec<Attestation>>,
     org_members: HashMap<(String, String), Attestation>,
 }
 
@@ -205,7 +205,10 @@ impl RegistryBackend for FakeRegistryBackend {
 
     fn load_attestation(&self, did: &DeviceDID) -> Result<Option<Attestation>, RegistryError> {
         let state = self.state.lock().unwrap();
-        Ok(state.attestations.get(did).cloned())
+        #[allow(clippy::disallowed_methods)]
+        // INVARIANT: did.as_str() is a valid DID string from DeviceDID
+        let canonical = CanonicalDid::new_unchecked(did.as_str());
+        Ok(state.attestations.get(&canonical).cloned())
     }
 
     fn visit_attestation_history(
@@ -214,7 +217,10 @@ impl RegistryBackend for FakeRegistryBackend {
         visitor: &mut dyn FnMut(&Attestation) -> ControlFlow<()>,
     ) -> Result<(), RegistryError> {
         let state = self.state.lock().unwrap();
-        if let Some(history) = state.attestation_history.get(did) {
+        #[allow(clippy::disallowed_methods)]
+        // INVARIANT: did.as_str() is a valid DID string from DeviceDID
+        let canonical = CanonicalDid::new_unchecked(did.as_str());
+        if let Some(history) = state.attestation_history.get(&canonical) {
             for att in history {
                 if visitor(att).is_break() {
                     break;
@@ -229,8 +235,10 @@ impl RegistryBackend for FakeRegistryBackend {
         visitor: &mut dyn FnMut(&DeviceDID) -> ControlFlow<()>,
     ) -> Result<(), RegistryError> {
         let state = self.state.lock().unwrap();
-        for did in state.attestations.keys() {
-            if visitor(did).is_break() {
+        for canonical_did in state.attestations.keys() {
+            if let Ok(device_did) = DeviceDID::parse(canonical_did.as_str())
+                && visitor(&device_did).is_break()
+            {
                 break;
             }
         }
diff --git a/crates/auths-id/src/testing/fixtures.rs b/crates/auths-id/src/testing/fixtures.rs
@@ -82,7 +82,7 @@ pub fn test_attestation(device_did: &DeviceDID, issuer: &str) -> Attestation {
         version: 1,
         rid: ResourceId::new("test-rid"),
         issuer,
-        subject: device_did.clone(),
+        subject: device_did.clone().into(),
         device_public_key: Ed25519PublicKey::from_bytes([0u8; 32]),
         identity_signature: Ed25519Signature::empty(),
         device_signature: Ed25519Signature::empty(),
diff --git a/crates/auths-index/src/index.rs b/crates/auths-index/src/index.rs
@@ -2,7 +2,7 @@ use crate::error::Result;
 use crate::schema;
 use auths_verifier::core::{CommitOid, ResourceId};
 use auths_verifier::keri::{Prefix, Said};
-use auths_verifier::types::{CanonicalDid, DeviceDID, IdentityDID};
+use auths_verifier::types::{CanonicalDid, IdentityDID};
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 use sqlite::Connection;
@@ -16,8 +16,8 @@ pub struct IndexedAttestation {
     pub rid: ResourceId,
     /// DID of the issuer (controller)
     pub issuer_did: IdentityDID,
-    /// DID of the device this attestation is for
-    pub device_did: DeviceDID,
+    /// DID of the attestation subject (device or identity).
+    pub device_did: CanonicalDid,
     /// Git ref path (e.g., refs/auths/devices/nodes/...)
     pub git_ref: String,
     /// Git commit OID for loading full attestation (None when OID is not yet known)
@@ -281,7 +281,7 @@ impl AttestationIndex {
         let issuer_did = IdentityDID::new_unchecked(issuer_did);
         #[allow(clippy::disallowed_methods)]
         // INVARIANT: device_did was validated on insert via upsert_attestation and stored in SQLite
-        let device_did = DeviceDID::new_unchecked(device_did);
+        let device_did = CanonicalDid::new_unchecked(device_did);
 
         Ok(IndexedAttestation {
             rid: ResourceId::new(rid),
@@ -479,7 +479,7 @@ mod tests {
         #[allow(clippy::disallowed_methods)] // INVARIANT: test-only hardcoded DID string literal
         let issuer_did = IdentityDID::new_unchecked("did:key:issuer123");
         #[allow(clippy::disallowed_methods)] // INVARIANT: test-only DID string from caller
-        let device_did = DeviceDID::new_unchecked(device);
+        let device_did = CanonicalDid::new_unchecked(device);
 
         IndexedAttestation {
             rid: ResourceId::new(rid),
diff --git a/crates/auths-index/src/rebuild.rs b/crates/auths-index/src/rebuild.rs
@@ -1,7 +1,7 @@
 use crate::error::Result;
 use crate::index::{AttestationIndex, IndexedAttestation};
 use auths_verifier::core::{CommitOid, ResourceId};
-use auths_verifier::types::{DeviceDID, IdentityDID};
+use auths_verifier::types::{CanonicalDid, IdentityDID};
 use chrono::Utc;
 use git2::Repository;
 use std::path::Path;
@@ -123,7 +123,7 @@ fn extract_attestation_from_ref(
     let issuer_did = IdentityDID::new_unchecked(&issuer_did);
     #[allow(clippy::disallowed_methods)]
     // INVARIANT: device_did extracted from attestation JSON stored in a signed Git commit
-    let device_did = DeviceDID::new_unchecked(&device_did);
+    let device_did = CanonicalDid::new_unchecked(&device_did);
 
     Ok(IndexedAttestation {
         rid: ResourceId::new(rid),
diff --git a/crates/auths-radicle/src/attestation.rs b/crates/auths-radicle/src/attestation.rs
@@ -13,7 +13,6 @@
 
 use auths_verifier::core::{Attestation, Ed25519PublicKey, Ed25519Signature, ResourceId};
 use auths_verifier::types::CanonicalDid;
-use auths_verifier::types::DeviceDID;
 use radicle_core::{Did, RepoId};
 use radicle_crypto::PublicKey;
 #[cfg(feature = "std")]
@@ -228,7 +227,7 @@ impl TryFrom<RadAttestation> for Attestation {
         // INVARIANT: rad.canonical_payload.did is a validated radicle Did
         let issuer = CanonicalDid::new_unchecked(rad.canonical_payload.did.to_string());
         #[allow(clippy::disallowed_methods)] // INVARIANT: rad.device_did is a validated radicle Did
-        let subject = DeviceDID::new_unchecked(rad.device_did.to_string());
+        let subject = CanonicalDid::new_unchecked(rad.device_did.to_string());
         Ok(Attestation {
             version: 1,
             rid: ResourceId::new(rad.canonical_payload.rid.to_string()),
@@ -505,7 +504,7 @@ mod tests {
             version: 1,
             rid: ResourceId::new("rad:z3gqcJUoA1n9HaHKufZs5FCSGazv5"),
             issuer: CanonicalDid::new_unchecked("did:keri:EXq5abc"),
-            subject: DeviceDID::new_unchecked(device_did.to_string()),
+            subject: CanonicalDid::new_unchecked(device_did.to_string()),
             device_public_key: Ed25519PublicKey::from_bytes(device_pk_bytes),
             identity_signature: Ed25519Signature::from_bytes([0xCD; 64]),
             device_signature: Ed25519Signature::from_bytes([0xEF; 64]),
diff --git a/crates/auths-radicle/src/verify.rs b/crates/auths-radicle/src/verify.rs
@@ -589,13 +589,12 @@ mod tests {
         capabilities: Vec<String>,
     ) -> Attestation {
         use auths_verifier::core::{Ed25519PublicKey, Ed25519Signature, ResourceId};
-        use auths_verifier::types::DeviceDID;
 
         Attestation {
             version: 1,
             rid: ResourceId::new("test"),
             issuer: CanonicalDid::new_unchecked(issuer.to_string()),
-            subject: DeviceDID::new_unchecked(device_did.to_string()),
+            subject: CanonicalDid::new_unchecked(device_did.to_string()),
             device_public_key: Ed25519PublicKey::from_bytes([0u8; 32]),
             identity_signature: Ed25519Signature::empty(),
             device_signature: Ed25519Signature::empty(),
diff --git a/crates/auths-sdk/src/workflows/allowed_signers.rs b/crates/auths-sdk/src/workflows/allowed_signers.rs
@@ -477,7 +477,10 @@ fn principal_from_attestation(att: &auths_verifier::core::Attestation) -> Signer
     {
         return SignerPrincipal::Email(addr);
     }
-    SignerPrincipal::DeviceDid(att.subject.clone())
+    #[allow(clippy::disallowed_methods)]
+    // INVARIANT: att.subject is a validated CanonicalDid from a deserialized attestation
+    let device_did = DeviceDID::new_unchecked(att.subject.as_str());
+    SignerPrincipal::DeviceDid(device_did)
 }
 
 fn parse_entry_line(
diff --git a/crates/auths-sdk/src/workflows/ci/machine_identity.rs b/crates/auths-sdk/src/workflows/ci/machine_identity.rs
@@ -272,7 +272,9 @@ pub fn sign_commit_with_identity(
         version: 1,
         rid: ResourceId::new(rid),
         issuer: issuer.clone(),
-        subject: subject.clone(),
+        #[allow(clippy::disallowed_methods)]
+        // INVARIANT: subject is a validated DeviceDID parsed on line 255
+        subject: CanonicalDid::new_unchecked(subject.as_str()),
         device_public_key: device_pk,
         identity_signature: Ed25519Signature::empty(),
         device_signature: Ed25519Signature::empty(),
diff --git a/crates/auths-storage/src/git/adapter.rs b/crates/auths-storage/src/git/adapter.rs
diff --git a/crates/auths-storage/src/git/standalone_export.rs b/crates/auths-storage/src/git/standalone_export.rs
diff --git a/crates/auths-verifier/src/core.rs b/crates/auths-verifier/src/core.rs
diff --git a/crates/auths-verifier/src/testing.rs b/crates/auths-verifier/src/testing.rs
diff --git a/crates/auths-verifier/src/verify.rs b/crates/auths-verifier/src/verify.rs
diff --git a/crates/auths-verifier/tests/cases/serialization_pinning.rs b/crates/auths-verifier/tests/cases/serialization_pinning.rs

Original file line number	Diff line number	Diff line change
`@@ -166,7 +166,7 @@ macro_rules! registry_backend_contract_tests {`
`166`	`166`	`loaded.is_some(),`
`167`	`167`	`"attestation should be present after store"`
`168`	`168`	`);`
`169`		`- assert_eq!(loaded.unwrap().subject, did);`
	`169`	`+ assert_eq!(loaded.unwrap().subject.as_str(), did.as_str());`
`170`	`170`	`}`
`171`	`171`
`172`	`172`	`#[test]`