Add support for ECDSA keys w/VC-JWT enveloped VCs.

digitalbazaar · Aug 1, 2024 · 86a5b53 · 86a5b53
1 parent a96bf95
commit 86a5b53
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 6 deletions.
diff --git a/lib/envelopes.js b/lib/envelopes.js
@@ -2,12 +2,17 @@
  * Copyright (c) 2019-2024 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
+import * as EcdsaMultikey from '@digitalbazaar/ecdsa-multikey';
 import * as Ed25519Multikey from '@digitalbazaar/ed25519-multikey';
 import {importJWK, jwtVerify} from 'jose';
 import {didIo} from '@bedrock/did-io';
 
 const {util: {BedrockError}} = bedrock;
 
+// supported JWT algs
+const ECDSA_ALGS = ['ES256', 'ES384'];
+const EDDSA_ALGS = ['Ed25519', 'EdDSA'];
+
 export async function verifyEnvelopedCredential({envelopedCredential} = {}) {
   try {
     const {contents: jwt} = _parseEnvelope({
@@ -87,8 +92,22 @@ function _parseEnvelope({envelope}) {
 async function _verifyJwt({jwt, proofPurpose} = {}) {
   let verificationMethod;
   let controller;
-  const resolveKey = async protectedHeader => {
-    const vm = await didIo.get({url: protectedHeader.kid});
+  // `resolveKey` is passed `protectedHeader`
+  const resolveKey = async ({alg, kid}) => {
+    const isEcdsa = ECDSA_ALGS.includes(alg);
+    const isEddsa = !isEcdsa && EDDSA_ALGS.includes(alg);
+    if(!(isEcdsa || isEddsa)) {
+      throw new BedrockError(
+        `Unsupported JWT "alg": "${alg}".`, {
+          name: 'DataError',
+          details: {
+            httpStatusCode: 400,
+            public: true
+          }
+        });
+    }
+
+    const vm = await didIo.get({url: kid});
     // `vm.controller` must be the issuer of the JWT; also ensure that
     // the specified controller authorized `vm` for the given proof purpose
     ({controller} = vm);
@@ -113,10 +132,16 @@ async function _verifyJwt({jwt, proofPurpose} = {}) {
           }
         });
     }
-    // FIXME: support other key types
-    const keyPair = await Ed25519Multikey.from(vm);
-    const jwk = await Ed25519Multikey.toJwk({keyPair});
-    jwk.alg = 'EdDSA';
+    let jwk;
+    if(isEcdsa) {
+      const keyPair = await EcdsaMultikey.from(vm);
+      jwk = await EcdsaMultikey.toJwk({keyPair});
+      jwk.alg = alg;
+    } else {
+      const keyPair = await Ed25519Multikey.from(vm);
+      jwk = await Ed25519Multikey.toJwk({keyPair});
+      jwk.alg = 'EdDSA';
+    }
     return importJWK(jwk);
   };
 

diff --git a/package.json b/package.json
@@ -28,6 +28,7 @@
     "@digitalbazaar/bbs-2023-cryptosuite": "^1.1.0",
     "@digitalbazaar/data-integrity": "^2.0.0",
     "@digitalbazaar/ecdsa-2019-cryptosuite": "^2.0.0",
+    "@digitalbazaar/ecdsa-multikey": "^1.7.0",
     "@digitalbazaar/ecdsa-rdfc-2019-cryptosuite": "^1.0.1",
     "@digitalbazaar/ecdsa-sd-2023-cryptosuite": "^3.2.0",
     "@digitalbazaar/ed25519-multikey": "^1.1.0",