search

authlete / java-oauth-server

Authorization Server Implementation in Java supporting OAuth 2.0 & OpenID Connect
https://www.authlete.com/
Apache License 2.0
278 stars 87 forks source link

VCI - Using unsupported cryptographic binding method `x5c` #59

Closed babisRoutis closed 4 months ago

babisRoutis commented 8 months ago

In the VCI issuer meta-data there is a credential_configuration_id named IdentityCredential which contains the following:

{

      "cryptographic_binding_methods_supported": [
        "jwk",
        "x5c"
      ]
}

To my understanding draft 13 of VCI doesn't specify the value x5c as an expected cryptographic_binding_methods_supported. Expected values are

TakahikoKawasaki commented 8 months ago

@babisRoutis Thank you for bringing this issue.

I guess that you are talking about the value of the cryptographic_binding_methods_supported issuer metadata in the JSON returned from https://trial.authlete.net/.well-known/openid-credential-issuer.

Technically speaking, this is not an issue of java-oauth-server. It's an issue in the configuration of the credential issuer that is running on trial.authlete.net.

If the value of the cryptographic_binding_methods_supported issuer metadata is used to list the supported formats of keys in key proofs (not in verifiable credentials) (NOTE: As OpenID4VCI Issue 283 points out, this is not so clearly stated in the specification), another issue is raised. Although the "jwt Proof Type" section of the OID4VCI spec defines a method that utilizes the x5c header parameter, the "Credential Issuer Metadata Parameters" section does not include a string constant that corresponds to x5c.

babisRoutis commented 8 months ago

Dear @TakahikoKawasaki

I guess that you are talking about the value of the cryptographic_binding_methods_supported issuer metadata in the JSON returned from https://trial.authlete.net/.well-known/openid-credential-issuer.

Indeed.

Technically speaking, this is not an issue of java-oauth-server. It's an issue in the configuration of the credential issuer that is running on trial.authlete.net.

That's clear

If the value of the cryptographic_binding_methods_supported issuer metadata is used to list the supported formats of keys in key proofs (not in verifiable credentials) (NOTE: As OpenID4VCI Issue 283 points out, this is not so clearly stated in the specification), another issue is raised. Although the "jwt Proof Type" section of the OID4VCI spec defines a method that utilizes the x5c header parameter, the "Credential Issuer Metadata Parameters" section does not include a string constant that corresponds to x5c.

I was about to comment on issue 283, that I find the definition of cryptographic_binding_methods_supported confusing. :smile:

Initially, I had the impression that, as you describe, it expresses the ways a key can be found inside the proof. My current understanding though, exactly because x5c was missing, is that it expresses the format of keys in the issued VC.

I guess it should be clarified in VCI spec.