
4. Practical work: Loire Compliance

In this last part, the goal remains the same as last time, but for the Loire (v2) Compliance. There are many changes between Tagus and Loire; we will focus mainly on the VC-JWT signature format, the new ontology, and the requirements of the new 24.11 Compliance Document. Again, there are multiple ways of going through this. This time we will use the Credential Helper, a tool compatible with any ontology, to take an example or create a new object. Then we will install a signer tool to sign our Verifiable Credentials in the VC-JWT format.

4.1 Creating a Verifiable Credential Array

For this Loire release, we need quite a few objects to fulfill the first level of compliance as a Service Provider. We will use the Credential Helper, and the most straightforward way is to start from the provided example, which already contains all the necessary classes.

Note

A new feature is coming soon to support the Gaia-X Participant Compliance.

  1. First, take the example provided in the Unsigned Verifiable Credentials tab.
  2. Then change any desired attribute, such as the Service Offering or Legal Person.

Alternatively, it is possible to follow the steps in the Credential Helper by providing the Gaia-X ontology and then creating all the required objects. However, this requires a deep understanding of the Compliance Document and the Gaia-X ontology.

4.2 Install the signer tool vc-jwt

Now that we have our payload, we need a tool to sign it. Even though vc-jwt.io is available as an online tool, we are going to deploy it locally in order to use the key pair, certificate and DID Document that were created in the first guide, Gaia-X ready DID.

4.2.1 Clone the project

First of all, we need to clone the repository locally from GitLab:

git clone https://gitlab.com/gaia-x/gaia-x-community/vc-jwt.io.git

4.2.2 Configuring the .env file

As stated in the README, we are going to start by generating a basic .env file:

cd backend/
npm install
npm run generate-env

Or use this example (it contains only invalid values that need to be replaced):

DOMAIN=raw.githubusercontent.com:YassirSellami:trusted-identity:main
PRIVATE_KEY="-----BEGIN PRIVATE KEY-----
             MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDzuCfVHFMALcO62xVPqRI6Uf9NHlsin85IviE71iiBxb
             YiThyH/2ovkU9u4jPcNzbfJzgw==
             -----END PRIVATE KEY-----"
PRIVATE_KEY_ALGORITHM="RS256"
PUBLIC_KEY="-----BEGIN PUBLIC KEY-----
            MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA87gn1RxTAC3DupjRjbRR
            qpR0Er7jGFXVT9l1IhJgZ9sMVxQahC46+fAU+HFEHqwSW3sN71+9BbpMjfC+CGou
            wwIDAQAB
            -----END PUBLIC KEY-----"
CERTIFICATE="-----BEGIN CERTIFICATE-----
             MIIDDTCCAfWgAwIBAgIUKce6TIsbGEwl/17UilKiuz+/ScowDQYJKoZIhvcNAQEL
             IYn/VZLuGLaqBGr0fWcyRRC1hDZEg85wkTm4x4GLewJVZYrw6nGtVQKWbmvnCwVj
             ZBSUsE5Q05hqPcWt/KAi5fU=
             -----END CERTIFICATE-----"
JWKS_KEY_NAME="JWK2020-RSA"

Next, we are going to replace all the values with the ones we created in the first guide:

  • DOMAIN //To use the DID we created before
  • PRIVATE_KEY
  • PRIVATE_KEY_ALGORITHM
  • PUBLIC_KEY
  • CERTIFICATE
  • JWKS_KEY_NAME //To refer to the correct verification method

Note

The PRIVATE_KEY_ALGORITHM must match the value created previously. JWKS_KEY_NAME is the last part (after the #) of the verification method related to the key pair.
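
The consistency rules in this section can be checked before starting the signer. The following is an added example, not code from the vc-jwt project: it assumes the signer issues as did:web:<DOMAIN>, and the names checkEnv, didDocumentUrl and sample, as well as the example.org values, are hypothetical.

```javascript
// Added example (not part of vc-jwt): pre-flight check of the .env values.
const crypto = require('node:crypto');

// Public key of a PEM string (public or private) or a JWK object, as SPKI DER.
const spki = (key) => crypto
  .createPublicKey(typeof key === 'string' ? key : { key, format: 'jwk' })
  .export({ type: 'spki', format: 'der' });

// did:web resolution: ':' separates path segments, '%3A' encodes a port.
function didDocumentUrl(did) {
  const parts = did.slice('did:web:'.length).split(':').map(decodeURIComponent);
  const host = parts.shift();
  return `https://${host}/${parts.length ? parts.join('/') : '.well-known'}/did.json`;
}

// Returns a list of problems; empty means the values agree with the DID document.
// Assumption: the signer issues as did:web:<DOMAIN>.
function checkEnv(env, didDocument) {
  const problems = [];
  const did = `did:web:${env.DOMAIN}`;
  const vmId = `${did}#${env.JWKS_KEY_NAME}`;
  const derived = spki(env.PRIVATE_KEY); // public half of PRIVATE_KEY
  if (!spki(env.PUBLIC_KEY).equals(derived)) problems.push('PUBLIC_KEY does not match PRIVATE_KEY');
  const cert = env.CERTIFICATE && new crypto.X509Certificate(env.CERTIFICATE);
  if (cert && !cert.checkPrivateKey(crypto.createPrivateKey(env.PRIVATE_KEY)))
    problems.push('CERTIFICATE does not match PRIVATE_KEY');
  if (didDocument.id !== did) problems.push(`DID document id is not ${did}`);
  const vm = (didDocument.verificationMethod || []).find((m) => m.id === vmId);
  if (!vm) return [...problems, `no verification method ${vmId}`];
  const jwk = vm.publicKeyJwk;
  if (!jwk || !spki(jwk).equals(derived)) problems.push('publicKeyJwk is a different key');
  if (jwk && jwk.alg && jwk.alg !== env.PRIVATE_KEY_ALGORITHM) problems.push('alg mismatch');
  return problems;
}

// Constructed sample: throwaway key pair and a matching DID document.
function sample() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const did = 'did:web:example.org:participant';
  return {
    env: { DOMAIN: 'example.org:participant', PRIVATE_KEY_ALGORITHM: 'RS256', JWKS_KEY_NAME: 'JWK2020-RSA',
      PRIVATE_KEY: privateKey.export({ type: 'pkcs8', format: 'pem' }),
      PUBLIC_KEY: publicKey.export({ type: 'spki', format: 'pem' }) },
    didDocument: { id: did, verificationMethod: [{ id: `${did}#JWK2020-RSA`,
      publicKeyJwk: { ...publicKey.export({ format: 'jwk' }), alg: 'RS256' } }] },
  };
}
```

Fetch the document at didDocumentUrl(...) yourself and pass the parsed JSON to checkEnv together with the values from .env.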

4.2.3 Running vc-jwt

There are two options here: running the project with Docker, or locally with npm.

The project contains a frontend as well as a backend; for the following steps we will only need the backend.

With Docker Compose

To run this project with Docker Compose, run the following command at the root of the project:

docker compose up -d --build

This will build and start two containers, one for the frontend and one for the backend. You can now use your very own Verifiable Credential Playground at: [http://localhost:3000/playground](http://localhost:3000/playground).

With NPM

The backend can be run with:

cd backend
npm install
npm run start:dev

You can now use your very own Verifiable Credential Playground at: [http://localhost:3000/playground](http://localhost:3000/playground).

For this payload, we will need only one Verifiable Credential signed by a third party, which is the Gaia-X Legal Registration Number Notary. For this we can simply call the Gaia-X notary and then request a VC with a valid registration number.

We will need the VC in the next step.

4.4 Signing the credentials

First of all, we are going to sign all the credentials we gathered from the Credential Helper. For this we are going to use the following request, which can be imported into an HTTP client.

We just need to update the request body and replace the [] with our array of credentials:

curl --location 'localhost:4000/verifiable-credentials/enveloped-vc-array' \
--header 'Content-Type: application/json' \
--data '[]'

You should now have received a list of Enveloped Verifiable Credentials in the VC-JWT format.

Next, we need to create a Verifiable Presentation from the previous list of enveloped credentials.

Before that step, we need to add the Gaia-X Legal Registration Number credential we got previously, by simply adding the JWT as an enveloped Verifiable Credential, same as the rest of the Verifiable Credentials.

And again, we just need to update the request body and replace the [] with the array of enveloped credentials plus the legal registration number:

curl --location 'localhost:4000/verifiable-credentials/enveloped-vc-array-to-vp' \
--header 'Content-Type: application/json' \
--data '[]'

Now we have a signed Verifiable Presentation with all the required credentials. Keep this Verifiable Presentation on hand, as it will be needed in the Certificate afterward.
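
Before sending the array to enveloped-vc-array-to-vp, it is worth confirming that every credential the local signer returned verifies with your own PUBLIC_KEY and names your verification method, and then wrapping the notary's JWT in the same envelope. The following is an added example, not code from the vc-jwt project: it assumes each entry is a VCDM 2.0 EnvelopedVerifiableCredential whose id is a data: URL ending in the compact JWT, that the JWT header carries alg and kid, and that the key is RS256; all function names and the example.org values are hypothetical.

```javascript
// Added example (not part of vc-jwt): checks before calling enveloped-vc-array-to-vp.
const crypto = require('node:crypto');

const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Assumption: each entry is { type: 'EnvelopedVerifiableCredential', id: 'data:<media type>,<JWT>' }.
const jwtOf = (enveloped) => enveloped.id.slice(enveloped.id.indexOf(',') + 1);

// Wrap a JWT obtained elsewhere (the notary's) in the same envelope as `template`.
const wrapLike = (template, jwt) =>
  ({ ...template, id: template.id.slice(0, template.id.indexOf(',') + 1) + jwt });

// Header fields plus an RS256 signature check against our own PUBLIC_KEY.
function inspect(enveloped, publicKeyPem) {
  const [h, p, s] = jwtOf(enveloped).split('.');
  const { alg, kid } = decode(h);
  const { issuer } = decode(p);
  const verified = alg === 'RS256' && crypto.verify(
    'sha256', Buffer.from(`${h}.${p}`), publicKeyPem, Buffer.from(s, 'base64url'));
  return { alg, kid, issuer: issuer?.id ?? issuer, verified };
}

// Refuse to build the request body if one of our own credentials does not verify or
// names another verification method. The notary JWT is signed by the notary's key,
// so it is appended without a signature check here.
function vpRequestBody(signed, notaryJwt, publicKeyPem, expectedKid) {
  for (const [i, vc] of signed.entries()) {
    const r = inspect(vc, publicKeyPem);
    if (!r.verified) throw new Error(`credential ${i}: signature does not verify`);
    if (r.kid !== expectedKid) throw new Error(`credential ${i}: unexpected kid ${r.kid}`);
  }
  return [...signed, wrapLike(signed[0], notaryJwt)];
}

// Constructed sample: one credential signed with a throwaway key.
function sample() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const kid = 'did:web:example.org#JWK2020-RSA';
  const input = `${enc({ alg: 'RS256', kid })}.${enc({ issuer: 'did:web:example.org' })}`;
  const jwt = `${input}.${crypto.sign('sha256', Buffer.from(input), privateKey).toString('base64url')}`;
  return { kid, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    signed: [{ '@context': 'https://www.w3.org/ns/credentials/v2',
      type: 'EnvelopedVerifiableCredential', id: `data:application/vc+jwt,${jwt}` }] };
}
```

The array returned by vpRequestBody is what replaces the [] in the request above.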

4.5 Calling the Compliance

Finally, we only need to send the signed Verifiable Presentation as the body to the Compliance Engine. We can again either use the Swagger documentation
