Webvh did method (#1542)

* Initial commit - Webvh Signed-off-by: jamshale <jamiehalebc@gmail.com> * Update for server changes and refactor Signed-off-by: jamshale <jamiehalebc@gmail.com> * Fix linting Signed-off-by: jamshale <jamiehalebc@gmail.com> * Repair unit tests Signed-off-by: jamshale <jamiehalebc@gmail.com> * Updates from comments Signed-off-by: jamshale <jamiehalebc@gmail.com> * Updates from comments Signed-off-by: jamshale <jamiehalebc@gmail.com> * Return integration test assertions Signed-off-by: jamshale <jamiehalebc@gmail.com> * Fix mis-named test file Signed-off-by: jamshale <jamiehalebc@gmail.com> * Change endorsement verbage to witness Signed-off-by: jamshale <jamiehalebc@gmail.com> * resolve schema Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * add did method and resolver Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * register resolver Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * rename class Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * add pattern regex Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * debug resolver Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * fix class name Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * add base resolver Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * change import path Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * change did regex Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * uncomment did example Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * edit did regex Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * debug resolver Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * debug resolver Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * debug resolver Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * import resolver Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * fix coroutine await Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * regex Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * add attested resource model and schema creation Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * fix import path Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * disable model Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * simplify publication Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * update schema serialization Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * update schema serialization Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * update schema serialization Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * update schema serialization Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * update registry Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * di-proof option deserializing Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * di-proof option deserializing Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * di-proof option deserializing Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * debug upload Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * debug upload Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * debug upload Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * proof set to proof Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * edit resource options Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * linting Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * Add async configuration endpoint Signed-off-by: jamshale <jamiehalebc@gmail.com> * Fix test Signed-off-by: jamshale <jamiehalebc@gmail.com> * debug cred def Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * debug cred def Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * debug cred def Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * Fix test Signed-off-by: jamshale <jamiehalebc@gmail.com> * epublish statuslist Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * add bitstring plugin Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * Initial commit - Webvh Signed-off-by: jamshale <jamiehalebc@gmail.com> * Update for server changes and refactor Signed-off-by: jamshale <jamiehalebc@gmail.com> * Fix linting Signed-off-by: jamshale <jamiehalebc@gmail.com> * Repair unit tests Signed-off-by: jamshale <jamiehalebc@gmail.com> * Updates from comments Signed-off-by: jamshale <jamiehalebc@gmail.com> * Updates from comments Signed-off-by: jamshale <jamiehalebc@gmail.com> * Return integration test assertions Signed-off-by: jamshale <jamiehalebc@gmail.com> * Fix mis-named test file Signed-off-by: jamshale <jamiehalebc@gmail.com> * Change endorsement verbage to witness Signed-off-by: jamshale <jamiehalebc@gmail.com> * Add async configuration endpoint Signed-off-by: jamshale <jamiehalebc@gmail.com> * Fix test Signed-off-by: jamshale <jamiehalebc@gmail.com> * Fix test Signed-off-by: jamshale <jamiehalebc@gmail.com> * fix witness config Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * improve did registration Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * update multikey Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * remove strict ssl Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * remove strict ssl Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * re enable ssl Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * fix multitenant witness Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * fix multitenant witness Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * fix witness kid Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * create aliases constant Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * alias constants Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * clean up witness code Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * fix variable type Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * fix alias creation Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * fix aliases Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * fix did doc context Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * add status list registry object Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * remove async tag Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * devug upload response Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * anoncreds tests Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * debug revocation list Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * debug revocation list Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * keep proof on resolved resource Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * fix upload path Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * fix upload path Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * change revocation registry assertion code for uploads Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * add revocatino registry value object Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * get statuts list timestamp fix Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * add revocation interval timestamps Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * log timestamps Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * add default statuslist timestamp Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * transform timestamp to int Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * fix issuer key variable Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * fix metadata and content variable names Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * improve verification method derivation Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * update tests Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> * Updates and fixes with testing and documentation Signed-off-by: jamshale <jamiehalebc@gmail.com> * Small update Signed-off-by: jamshale <jamiehalebc@gmail.com> --------- Signed-off-by: jamshale <jamiehalebc@gmail.com> Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca> Co-authored-by: PatStLouis <patrick.st-louis@opsecid.ca> Co-authored-by: Patrick St-Louis <43082425+PatStLouis@users.noreply.github.com>
openwallet-foundation · Feb 24, 2025 · 0c8f4e0 · 0c8f4e0
1 parent def1537
commit 0c8f4e0
Show file tree

Hide file tree

Showing 54 changed files with 8,616 additions and 0 deletions.
diff --git a/webvh/.devcontainer/Dockerfile b/webvh/.devcontainer/Dockerfile
@@ -0,0 +1,22 @@
+# See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.134.0/containers/python-3/.devcontainer/base.Dockerfile
+ARG VARIANT="3.12"
+FROM mcr.microsoft.com/devcontainers/python:${VARIANT}
+
+ARG POETRY_VERSION="1.8.3"
+ENV POETRY_HOME="/opt/poetry" \
+    POETRY_VERSION=${POETRY_VERSION}
+
+RUN curl -sSL https://install.python-poetry.org | python3 - \
+    && update-alternatives --install /usr/local/bin/poetry poetry /opt/poetry/bin/poetry 900 \
+    # Enable tab completion for bash
+    && poetry completions bash >> /home/vscode/.bash_completion \
+    # Enable tab completion for Zsh
+    && mkdir -p /home/vscode/.zfunc/ \
+    && poetry completions zsh > /home/vscode/.zfunc/_poetry \
+    && echo "fpath+=~/.zfunc\nautoload -Uz compinit && compinit" >> /home/vscode/.zshrc
+
+COPY pyproject.toml ./
+# COPY pyproject.toml poetry.lock ./
+RUN poetry config virtualenvs.create true \
+    && poetry install --no-root --no-interaction --with integration --extras "aca-py" \
+    && rm -rf /root/.cache/pypoetry
diff --git a/webvh/.devcontainer/devcontainer.json b/webvh/.devcontainer/devcontainer.json
@@ -0,0 +1,59 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/python
+{
+  "name": "webvh",
+  "build": {
+    "dockerfile": "Dockerfile",
+    "context": "..",
+    "args": {
+      "VARIANT": "3.12-bullseye",
+      "POETRY_VERSION": "1.8.3"
+    }
+  },
+  "customizations": {
+    "vscode": {
+      "extensions": ["ms-python.python", "ms-python.vscode-pylance"],
+      "settings": {
+        "python.testing.pytestArgs": ["./webvh", "--no-cov"],
+        "python.testing.unittestEnabled": false,
+        "python.testing.pytestEnabled": true,
+        "python.testing.pytestPath": "pytest",
+        "editor.defaultFormatter": null,
+        "editor.formatOnSave": false, // enable per language
+        "[python]": {
+          "editor.formatOnSave": true,
+          "editor.codeActionsOnSave": {
+              "source.fixAll": true,
+              "source.organizeImports": true
+            },
+          "editor.defaultFormatter": "charliermarsh.ruff",
+          "ruff.organizeImports": true
+        },
+        "ruff.codeAction.fixViolation": {
+            "enable": true
+        },
+        "ruff.fixAll": true,
+        "ruff.format.args": ["--config=./pyproject.toml"],
+        "ruff.lint.args": ["--config=./pyproject.toml"]
+      }
+    }
+  },
+
+  "features": {
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {
+      "moby": false
+    }
+  },
+
+  // Comment out to connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root.
+  "remoteUser": "vscode",
+
+  "remoteEnv": {
+    "RUST_LOG": "aries-askar::log::target=error"
+  },
+
+  "mounts": [],
+  // Use 'forwardPorts' to make a list of ports inside the container available locally.
+  "forwardPorts": [3000, 3001],
+  "postCreateCommand": "bash ./.devcontainer/post-install.sh"
+}
diff --git a/webvh/.devcontainer/post-install.sh b/webvh/.devcontainer/post-install.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+set -ex
+
+# Convenience workspace directory for later use
+WORKSPACE_DIR=$(pwd)
+
+# install all ACA-Py requirements
+python -m pip install --upgrade pip
+
+# Generate Poetry Lock file
+poetry lock --no-update
diff --git a/webvh/.vscode/launch.json b/webvh/.vscode/launch.json
@@ -0,0 +1,64 @@
+{
+    // Use IntelliSense to learn about possible attributes.
+    // Hover to view descriptions of existing attributes.
+    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+    "version": "0.2.0",
+    "configurations": [
+      {
+        "name": "Run/Debug Witness",
+        "type": "debugpy",
+        "request": "launch",
+        "module": "acapy_agent",
+        "justMyCode": false,
+        "args": ["start", "--arg-file=${workspaceRoot}/docker/witness.yml"]
+      },
+      {
+        "name": "Run/Debug Multitenant",
+        "type": "debugpy",
+        "request": "launch",
+        "module": "acapy_agent",
+        "justMyCode": false,
+        "args": ["start", "--arg-file=${workspaceRoot}/docker/multitenant.yml"]
+      },
+      {
+        "name": "Run/Debug Controller",
+        "type": "debugpy",
+        "request": "launch",
+        "module": "acapy_agent",
+        "justMyCode": false,
+        "args": ["start", "--arg-file=${workspaceRoot}/docker/controller.yml"]
+      },
+      {
+        "name": "ruff - webvh",
+        "type": "debugpy",
+        "request": "launch",
+        "module": "ruff",
+        "console": "integratedTerminal",
+        "sudo": true,
+        "justMyCode": false,
+        "cwd": "${workspaceFolder}/webvh",
+        "args": ["check", "."]
+      },
+      {
+        "name": "ruff fix - webvh",
+        "type": "debugpy",
+        "request": "launch",
+        "module": "ruff",
+        "console": "integratedTerminal",
+        "sudo": true,
+        "justMyCode": false,
+        "cwd": "${workspaceFolder}/webvh",
+        "args": ["check", ".", "--fix"]
+      },
+      { 
+        "name": "Python: Debug Tests",
+        "type": "debugpy",
+        "request": "launch",
+        "program": "${file}",
+        "purpose": ["debug-test"],
+        "console": "integratedTerminal",
+        "justMyCode": false
+      }
+    ]
+  }
+
diff --git a/webvh/README.md b/webvh/README.md
@@ -0,0 +1,197 @@
+# did:webvh Plugin
+
+## Description
+
+This plugin provides support for the webvh did method. It provides a controller role that interacts with a did webvh server to resolve and create dids, and a witness role that interacts with the did controller to sign did requests.
+
+### Components
+ - `server` - The server component is responsible for handling requests from the did controller and witness components. It is responsible for verifying the upload requests are signed by proof a trusted source and hosting the did.json and did.jsonl files.
+ - `controller` - The controller is the agent that is responsible for the did. It can create and update webvh dids and anoncreds objects and interact with other agents. The controller does not have the ability to sign with the key that is verified by the server, and needs to get a proof from an agent which does have the correct key(s).
+- `witness` - The witness is the agent that is responsible for signing requests from the controller. The witness has the ability to sign with the key that is verified by the server, and can provide a proof to the controller that it is a trusted source. It can also create dids and anoncreds objects itself and act as a controller by self signing the upload requests with the server.
+
+#### Server
+The server currently used by the plugin is located at https://github.com/decentralized-identity/didwebvh-server-py. The server currently contains a single public multikey that is created from the witness agent. It will only allow dids to be created where the original request is signed by that key. After the initial did is created the public multikey from the controller is obtained from the original request and stored by  the server. Any updates to the did must be signed by the controller key.
+Other implementations of the server are very much possible, but any servers the use this plugin much have the same API and verification process.
+
+## Configuration
+
+### Create the witness signing key
+The first thing to do is setup the witness key that is used by the server to authenticate any new dids. In the witness agent it is identified using a key id (kid) `webvh:{server domain}@witnessKey`. You can create the key manually or it will be created automatically when using the `POST /did/webvh/configuration` endpoint.
+
+Witness - `POST /did/webvh/configuration`
+```json
+{
+    "auto_attest": true,
+    "server_url": "https://id.test-suite.app",
+    "witness": true
+}
+```
+ - auto_attest - If true the witness will automatically sign any requests from the controller. If false the witness will need to sign the requests manually.
+ - server_url - The url of the server that the witness is using.
+ - witness - If true the agent will be setup as a witness agent.
+ - witness_key - If a public multikey is provided it will be used instead as the witness signing key.
+
+### Connect the witness and controller agents
+
+Create an invitation from the witness agent and accept it from the controller agent.
+
+Witness - `POST /out-of-bound/create-invitation`
+```json
+{
+  "handshake_protocols": [
+    "https://didcomm.org/didexchange/1.1"
+  ]
+}
+```
+This is the most basic invitation that can be created. It is using didexchange 1.1 as the handshake protocol. 
+
+Response
+```json
+{
+  "state": "initial",
+  "trace": false,
+  "invi_msg_id": "e66babc0-420c-4d77-8f9b-82a3400eda78",
+  "oob_id": "7eea7ce9-4dbe-4b72-bb4d-af24c16d77a0",
+  "invitation": {
+    "@type": "https://didcomm.org/out-of-band/1.1/invitation",
+    "@id": "e66babc0-420c-4d77-8f9b-82a3400eda78",
+    "label": "webvh-witness",
+    "handshake_protocols": [
+      "https://didcomm.org/didexchange/1.1"
+    ],
+    "services": [
+      {
+        "id": "#inline",
+        "type": "did-communication",
+        "recipientKeys": [
+          "did:key:z6MkqPPz5BSZrPr3se95qMToWeMa4ExeK9hu7JNfxnHtP7WB#z6MkqPPz5BSZrPr3se95qMToWeMa4ExeK9hu7JNfxnHtP7WB"
+        ],
+        "serviceEndpoint": "http://localhost:3000"
+      }
+    ]
+  },
+  "invitation_url": "http://localhost:3000?oob=eyJAdHlwZSI6ICJodHRwczovL2RpZGNvbW0ub3JnL291dC1vZi1iYW5kLzEuMS9pbnZpdGF0aW9uIiwgIkBpZCI6ICJlNjZiYWJjMC00MjBjLTRkNzctOGY5Yi04MmEzNDAwZWRhNzgiLCAibGFiZWwiOiAid2Vidmgtd2l0bmVzcyIsICJoYW5kc2hha2VfcHJvdG9jb2xzIjogWyJodHRwczovL2RpZGNvbW0ub3JnL2RpZGV4Y2hhbmdlLzEuMSJdLCAic2VydmljZXMiOiBbeyJpZCI6ICIjaW5saW5lIiwgInR5cGUiOiAiZGlkLWNvbW11bmljYXRpb24iLCAicmVjaXBpZW50S2V5cyI6IFsiZGlkOmtleTp6Nk1rcVBQejVCU1pyUHIzc2U5NXFNVG9XZU1hNEV4ZUs5aHU3Sk5meG5IdFA3V0IjejZNa3FQUHo1QlNaclByM3NlOTVxTVRvV2VNYTRFeGVLOWh1N0pOZnhuSHRQN1dCIl0sICJzZXJ2aWNlRW5kcG9pbnQiOiAiaHR0cDovL2xvY2FsaG9zdDozMDAwIn1dfQ"
+}
+```
+The controller will use the base64 encoded invitation_url to accept the invitation. In an application this could be provided as a QR code or a deep link.
+
+The connection is identified in the controller by an alias. You are able to set this up manually or via command line. The easiest way is by providing it when configuring the controller.
+
+Controller - `POST /did/webvh/configuration`
+```json
+{
+    "server_url": "https://id.test-suite.app",
+    "witness": false,
+    "witness_invitation": "http://localhost:3000?oob=eyJAdHlwZSI6ICJodHRwczovL2RpZGNvbW0ub3JnL291dC1vZi1iYW5kLzEuMS9pbnZpdGF0aW9uIiwgIkBpZCI6ICJlNjZiYWJjMC00MjBjLTRkNzctOGY5Yi04MmEzNDAwZWRhNzgiLCAibGFiZWwiOiAid2Vidmgtd2l0bmVzcyIsICJoYW5kc2hha2VfcHJvdG9jb2xzIjogWyJodHRwczovL2RpZGNvbW0ub3JnL2RpZGV4Y2hhbmdlLzEuMSJdLCAic2VydmljZXMiOiBbeyJpZCI6ICIjaW5saW5lIiwgInR5cGUiOiAiZGlkLWNvbW11bmljYXRpb24iLCAicmVjaXBpZW50S2V5cyI6IFsiZGlkOmtleTp6Nk1rcVBQejVCU1pyUHIzc2U5NXFNVG9XZU1hNEV4ZUs5aHU3Sk5meG5IdFA3V0IjejZNa3FQUHo1QlNaclByM3NlOTVxTVRvV2VNYTRFeGVLOWh1N0pOZnhuSHRQN1dCIl0sICJzZXJ2aWNlRW5kcG9pbnQiOiAiaHR0cDovL2xvY2FsaG9zdDozMDAwIn1dfQ"
+}
+```
+You should get a status success response and the controller logs should say `Connected to witness agent`
+
+### Auto attest
+
+This setting should be used with caution as it will automatically sign any requests from the controller. If you are using this setting it should be for testing purposes, or you should be sure any agent that creates a connection with the witness agent is trusted.
+
+Controller - `POST /did/webvh/create`
+```json
+{
+  "options": {
+    "identifier": "accounting",
+    "namespace": "finance",
+    "parameters": {
+      "portable": false,
+      "prerotation": false
+    }
+  }
+}
+```
+ - identifier - The identifier for the did. If this isn't provided it will be a randomly generated uuid.
+ - namespace - This is required and is the root identifier for the did.
+ - parameters - This is an optional object that can be used to set the did to be portable or prerotated. If portable is true the did will be able to be moved to another server. If prerotation is true the did will be able to be rotated by the controller.
+
+Response - Unless there's a problem connecting with the witness or server you should get a success response with the did document.
+```json
+{
+  "@context": [
+    "https://www.w3.org/ns/did/v1",
+    "https://w3id.org/security/multikey/v1"
+  ],
+  "id": "did:webvh:QmQ3m3nAL8Ds7bpnHHbiPZsSs9x6RmMJXomNYHgMrmghnU:id.test-suite.app:finance:accounting",
+  "authentication": [
+    "did:webvh:QmQ3m3nAL8Ds7bpnHHbiPZsSs9x6RmMJXomNYHgMrmghnU:id.test-suite.app:finance:accounting#key-01"
+  ],
+  "assertionMethod": [
+    "did:webvh:QmQ3m3nAL8Ds7bpnHHbiPZsSs9x6RmMJXomNYHgMrmghnU:id.test-suite.app:finance:accounting#key-01"
+  ],
+  "verificationMethod": [
+    {
+      "id": "did:webvh:QmQ3m3nAL8Ds7bpnHHbiPZsSs9x6RmMJXomNYHgMrmghnU:id.test-suite.app:finance:accounting#key-01",
+      "type": "Multikey",
+      "controller": "did:webvh:QmQ3m3nAL8Ds7bpnHHbiPZsSs9x6RmMJXomNYHgMrmghnU:id.test-suite.app:finance:accounting",
+      "publicKeyMultibase": "z6Mknsk9KAs7UofpuZsuSzBkmxZjo63WRwAAj1mnifkVLhqh"
+    }
+  ]
+}
+```
+
+### Manual attest
+
+Controller - Create did:webvh same as above
+
+```json
+{
+  "status": "pending",
+  "message": "The witness is pending."
+}
+```
+
+Witness get pending - `GET /did/webvh/pending`
+```json
+{
+  "results": [
+    {
+      "@context": [
+        "https://www.w3.org/ns/did/v1",
+        "https://w3id.org/security/multikey/v1"
+      ],
+      "id": "did:web:id.test-suite.app:finance:cfbac7a9-0e0c-4bd8-af71-05e33f9e47a5",
+      "verificationMethod": [
+        {
+          "id": "did:web:id.test-suite.app:finance:cfbac7a9-0e0c-4bd8-af71-05e33f9e47a5#key-01",
+          "type": "Multikey",
+          "controller": "did:web:id.test-suite.app:finance:cfbac7a9-0e0c-4bd8-af71-05e33f9e47a5",
+          "publicKeyMultibase": "z6Mkv4ZvmGpzfkxH9xvNq5mA3zwZoHuBisiQUyfCgXCfHeh4"
+        }
+      ],
+      "authentication": [
+        "did:web:id.test-suite.app:finance:cfbac7a9-0e0c-4bd8-af71-05e33f9e47a5#key-01"
+      ],
+      "assertionMethod": [
+        "did:web:id.test-suite.app:finance:cfbac7a9-0e0c-4bd8-af71-05e33f9e47a5#key-01"
+      ],
+      "proof": [
+        {
+          "type": "DataIntegrityProof",
+          "proofPurpose": "assertionMethod",
+          "verificationMethod": "did:key:z6MkkiMtuEqx8NJcJTTWANmwfpAxZM54jy9Sv867xCN63tpT#z6MkkiMtuEqx8NJcJTTWANmwfpAxZM54jy9Sv867xCN63tpT",
+          "cryptosuite": "eddsa-jcs-2022",
+          "expires": "2025-02-20T22:43:40+00:00",
+          "domain": "id.test-suite.app",
+          "challenge": "6c0bbc23-be56-5f35-b873-3313c33b319b",
+          "proofValue": "z9T5HpCDZVZ1c3LgM5ctrYPm2erJR8Ww9o369577beiHc4Dz49See8t78VioPDt76AbRP7r2DnesezY4dBxYTVQ7"
+        }
+      ]
+    }
+  ]
+}
+``` 
+Gets a list of pending did docs that need to be attested. 
+
+Witness - Attest a did doc - `POST /did/webvh/attest?id=did:web:id.test-suite.app:finance:cfbac7a9-0e0c-4bd8-af71-05e33f9e47a5`
+```json
+{
+  "status": "success",
+  "message": "Witness successful."
+}
+```
+
+Controller - The controller gets a message `Received witness response: attested` and will finish creating the did. The did should now be resolvable and available in local storage.