Limit maximum revocation list credential size

[clehner]

Add a size limit for HTTP(S) responses when loading a revocation list credential. Revocation list credentials are received from remote sources and loaded into memory for credential status checking. This change is to prevent resource exhaustion due to attempting to load unboundedly large responses.

The limit is added as a constant value (ssi::revocation::MAX_RESPONSE_LENGTH), set to 2MB for now. An error type variant is added for the case of an oversize revocation list credential response.

Testing

The remote credential loading functionality is not tested in ssi currently. It also isn't tested in DIDKit's tests (Pending in spruceid/didkit#239). DIDKit CLI doesn't have a way to check credential status currently (Relevant issue: spruceid/didkit#240).

To perform a test, here is a patch to DIDKit to enable checking credentialStatus during credential verification on the CLI:

diff --git a/cli/src/main.rs b/cli/src/main.rs
index 0764813..be81e46 100644
--- a/cli/src/main.rs
+++ b/cli/src/main.rs
@@ -472 +472,3 @@ fn main() {
-            let options = LinkedDataProofOptions::from(proof_options);
+            let mut options = LinkedDataProofOptions::from(proof_options);
+            use ssi::vc::Check;
+            options.checks = Some(vec![Check::Proof, Check::CredentialStatus]);

Here is then a patch to a test vector verifiable credential case-14.json from vc-api-test-suite that uses credentialStatus with RevocationList2020Status, patching it to use an oversized revocation list credential. This replaces the revocation list credential URL with a URL to a resource of size 4096KB (Generated using dd if=/dev/zero bs=1024 count=4096 > 4096k):

diff --git a/packages/vc-http-api-test-server/__fixtures__/verifiableCredentials/case-14.json b/packages/vc-http-api-test-server/__fixtures__/verifiableCredentials/case-14.json
index 9927c0b..df38a49 100644
--- a/packages/vc-http-api-test-server/__fixtures__/verifiableCredentials/case-14.json
+++ b/packages/vc-http-api-test-server/__fixtures__/verifiableCredentials/case-14.json
@@ -21 +21 @@
-      "revocationListCredential": "https://w3c-ccg.github.io/vc-http-api/fixtures/revocationList.json"
+      "revocationListCredential": "https://demo.didkit.dev/2021/10/29/4096k"

Attempting to verify that credential then results in an error, resulting from the newly added size limit:

vc-api-test-suite $ didkit vc-verify-credential < packages/vc-http-api-test-server/__fixtures__/verifiableCredentials/case-14.json
{"checks":["proof"],"warnings":[],"errors":["Crypto error","Unable to fetch revocation list credential: Unable to load resource: Resource is too large: 4194304, expected maximum: 2097152"]}

WebAssembly Limitation

reqwest doesn't have the chunk or bytes_stream methods in its WebAssembly backend: it doesn't offer chunked/streamed response reading. An issue about this is here: seanmonstar/reqwest#1234. This PR addresses the WebAssembly case by performing a less comprensive check: the content-length header is checked, and then the payload size is checked after receiving the entire payload. This means that it is possible that an unusually large response could cause a problem for a user of the library in WASM - i.e. if the content-header is missing or set incorrectly. But this seems like the best that can be done currently. The length is still checked in this case after receiving the body, so in the case of an oversized response, execution will not proceed to JSON-LD parsing.

[sbihel]

I think it is fine as it is, but maybe in the future we'll want to use some kind of bounded stream instead of reading everything in one go.

[clehner]

Rebased/squashed