Validation of the VP failed when it was generated through IATP. #303

thackerronak opened this issue May 6, 2024 · 2 comments

@thackerronak

Current Behavior

Getting the signature failed while validating VP
{ "valid": false, "validateJWTExpiryDate": true, "validateAudience": true, "vp": "eyJraWQiO.." }
The below error is showing in the console:
Error is Ed25519Verifier requires alg=EdDSA in JWSHeader.

Expected Behavior

It should work and give a valid VP

Steps To Reproduce

Generate VP through iatp endpoint
/api/presentations/iatp?asJwt=true

then validate that VP via presentations validation endpoint
/api/presentations/validation?asJwt=true

@thackerronak thackerronak added the bug Something isn't working label May 6, 2024
@nitin-vavdiya

nitin-vavdiya commented May 6, 2024

There are 2 issues in this scenario:

1. In MIW application

When we create VP as JWT using the ES256k algorithm, the kid claim in the JWT header is not correct.

i.e: The did document in my local:

{
    "@context":
    [
        "https://www.w3.org/ns/did/v1",
        "https://w3c.github.io/vc-jws-2020/contexts/v1"
    ],
    "id": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000",
    "verificationMethod":
    [
        {
            "publicKeyJwk":
            {
                "x": "2IU_u50oEO1ym0ZELQPKtYzJA6UJ_J11cpnoFxxFsNM",
                "crv": "Ed25519",
                "kty": "OKP"
            },
            "controller": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000",
            "id": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000#b879cfac-7e51-45c1-97fa-3db84db10e44",
            "type": "JsonWebKey2020"
        },
        {
            "publicKeyJwk":
            {
                "kty": "EC",
                "x": "hZvJ0heaxQxeeBXlSuC-4IPx_UFGeOL5UEYLzLdzfIQ",
                "y": "EufmJauadvvkKl7lB7HkzzF9AIVLx4qN9Ih5yf-7eLc",
                "crv": "secp256k1"
            },
            "controller": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000",
            "id": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000#1b4c2d5b-479b-4a19-834a-fecd42c3d60b",
            "type": "JsonWebKey2020"
        }
    ]
}

In the above did document there are 2 verification methods, for Ed25519 and ES256k, as below:

Ed25519 : did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000#b879cfac-7e51-45c1-97fa-3db84db10e44

ES256k: did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000#1b4c2d5b-479b-4a19-834a-fecd42c3d60b

The signed VP using ES256k:


The header of JWT:

{
 "kid": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000",
 "typ": "JWT",
 "alg": "ES256K"
}

Here kid is just the did of the issuer without any specific key ID.

Here it should be did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000#1b4c2d5b-479b-4a19-834a-fecd42c3d60b as kid.

2. In SSI-lib:

In SSI lib, multiple verification methods are not supported.
In class SignedJwtVerifier, in the verify() method, we select the first verification method instead of matching the kid of the verification method.

Ref:

image
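
The kid-based key selection described in point 2, combined with the kid format from point 1, sketched in Python as an added example. It is not code from SSI-lib or MIW; the DID, the key ids `#key-ed` and `#key-ec`, and all helper names are constructed for illustration, and signature verification itself is out of scope.

```python
import base64
import json

# Constructed sample data shaped like the DID document in the issue.
DID = "did:web:example.test:BPNL000000000000"
DID_DOC = {
    "id": DID,
    "verificationMethod": [
        {"id": DID + "#key-ed", "type": "JsonWebKey2020", "controller": DID,
         "publicKeyJwk": {"kty": "OKP", "crv": "Ed25519", "x": "constructed"}},
        {"id": DID + "#key-ec", "type": "JsonWebKey2020", "controller": DID,
         "publicKeyJwk": {"kty": "EC", "crv": "secp256k1",
                          "x": "constructed", "y": "constructed"}},
    ],
}

# JWS "alg" value -> (kty, crv) the selected JWK must carry.
ALG_TO_KEY = {"EdDSA": ("OKP", "Ed25519"), "ES256K": ("EC", "secp256k1")}

class KeySelectionError(ValueError):
    """Raised when the JWT header does not identify a usable key."""

def b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(kid, alg):
    # Constructed token: only the header matters here; payload/signature are dummies.
    return ".".join([b64url({"kid": kid, "typ": "JWT", "alg": alg}), b64url({}), "sig"])

def jwt_header(token):
    seg = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def select_verification_method(token, did_doc):
    header = jwt_header(token)
    kid, alg = header.get("kid", ""), header.get("alg")
    did, _, fragment = kid.partition("#")
    if did != did_doc["id"] or not fragment:
        raise KeySelectionError(f"kid must be '<did>#<key-id>', got {kid!r}")
    for vm in did_doc.get("verificationMethod", []):
        if vm["id"] == kid:  # exact match on kid, never "first entry wins"
            jwk = vm["publicKeyJwk"]
            if ALG_TO_KEY.get(alg) != (jwk.get("kty"), jwk.get("crv")):
                raise KeySelectionError(f"alg {alg!r} does not match key {kid!r}")
            return vm
    raise KeySelectionError(f"no verification method with id {kid!r}")
```

With a header like the one shown in the issue (kid equal to the bare DID), this selection fails closed instead of falling back to the first, Ed25519, entry.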

@borisrizov-zf

Good catch, Ronak. I'm aware we have some drift between the ssi-lib and the miw. We'll have to address those this week.
