Parent PRD
What to build
Extend DIDKeyResolver.ResolveKeyByID() to check Expires and Revoked fields on the verification method against the reference time (ResolveMetadata.ResolveTime) before returning the key.
Per PSA 10.4.3, key resolution selects the correct key and validates:
- The reference time must be before the `Expires` date (if set)
- The key must not be marked as `Revoked` with a revocation date before the reference time
If the key was expired or revoked at the reference time, it should not be returned (return an appropriate error).
This is a generic mechanism — it works for any DID method that sets Expires/Revoked on its verification methods, not just did:x509.
Acceptance criteria
- `ResolveKeyByID` checks `Expires` against `ResolveMetadata.ResolveTime`: rejects if the key was expired at the reference time
- `ResolveKeyByID` checks `Revoked` against `ResolveMetadata.ResolveTime`: rejects if the key was revoked before the reference time
- A key that was valid at the reference time but later expired/revoked is accepted (PSA 10.4.3)
- When `ResolveTime` is nil (current time), standard time-based checks apply
- Existing key resolution behavior is unchanged for DID methods that don't set these fields
- Unit tests for: expired key rejected, revoked key rejected, key valid at issuance but later revoked accepted, key without expires/revoked accepted
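The reference-time check described above and exercised by the acceptance criteria, as an added Go example that is not the project's code: a stand-in struct plays the role of go-did's VerificationMethod (its pointer-typed `Expires`/`Revoked` fields, the `checkKeyValidAt` name and the injected `now` func are assumptions of this example), and `main` walks the "valid at issuance, revoked later" case.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// verificationMethod stands in for go-did's VerificationMethod; the
// pointer field types for Expires/Revoked are an assumption of this example.
type verificationMethod struct {
	ID      string
	Expires *time.Time // nil: no expiry
	Revoked *time.Time // nil: not revoked
}

var (
	ErrKeyExpired = errors.New("key expired at reference time")
	ErrKeyRevoked = errors.New("key revoked before reference time")
)

// checkKeyValidAt applies the PSA 10.4.3 rule from the issue: a nil resolveTime
// means "now"; the reference time must be before Expires, and a Revoked date
// before the reference time rejects the key. Later expiry/revocation is accepted.
func checkKeyValidAt(vm verificationMethod, resolveTime *time.Time, now func() time.Time) error {
	ref := now()
	if resolveTime != nil {
		ref = *resolveTime
	}
	if vm.Expires != nil && !ref.Before(*vm.Expires) {
		return fmt.Errorf("%w: %s expired %s, reference %s", ErrKeyExpired, vm.ID,
			vm.Expires.UTC().Format(time.RFC3339), ref.UTC().Format(time.RFC3339))
	}
	if vm.Revoked != nil && vm.Revoked.Before(ref) {
		return fmt.Errorf("%w: %s revoked %s, reference %s", ErrKeyRevoked, vm.ID,
			vm.Revoked.UTC().Format(time.RFC3339), ref.UTC().Format(time.RFC3339))
	}
	return nil
}

func main() {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed sample times
	revoked := issued.Add(24 * time.Hour)
	expires := issued.Add(48 * time.Hour)
	now := func() time.Time { return issued.Add(72 * time.Hour) }
	vm := verificationMethod{ID: "did:example:123#key-1", Expires: &expires, Revoked: &revoked}
	fmt.Println("at issuance:", checkKeyValidAt(vm, &issued, now)) // <nil>: valid then, revoked later
	fmt.Println("now:        ", checkKeyValidAt(vm, nil, now))     // key expired at reference time
}
```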
Blocked by
- Blocked by Add expires and revoked fields to VerificationMethod (go-did) #4082 (`expires`/`revoked` fields on VerificationMethod in go-did)
- Can be done in parallel with did:x509 resolver: CRL check and set expires/revoked on keys #4083 (did:x509 resolver changes)
User stories addressed
- User story 6: key validity checked at credential's issuance time
- User story 8: layered validation model follows PSA spec