search

decentralized-identity / did-jwt

Create and verify DID verifiable JWT's in Javascript
Apache License 2.0
333 stars 71 forks source link

[BUG] multicodec encoded publicKeyMultibase is not interpreted correctly #297

Closed mirceanis closed 1 year ago

mirceanis commented 1 year ago

Steps to Reproduce

The following test case fails:

 // resolver that uses publicKeyMultibase ( from the wild )
    const resolver = {
      resolve: async () => ({
        didDocumentMetadata: {},
        didResolutionMetadata: {
          contentType: 'application/did+ld+json',
        },
        didDocument: {
          '@context': ['https://www.w3.org/ns/did/v1', 'https://w3id.org/security/suites/ed25519-2020/v1'],
          id: 'did:peer:0z6MknNW5mvrUpssSJwZRQSinLWXzcECPtjzeKUsTR1Mvumfw',
          verificationMethod: [
            {
              id: 'did:peer:0z6MknNW5mvrUpssSJwZRQSinLWXzcECPtjzeKUsTR1Mvumfw#6MknNW5mvrUpssSJwZRQSinLWXzcECPtjzeKUsTR1Mvumfw',
              type: 'Ed25519VerificationKey2020',
              controller: 'did:peer:0z6MknNW5mvrUpssSJwZRQSinLWXzcECPtjzeKUsTR1Mvumfw',
              publicKeyMultibase: 'z6MknNW5mvrUpssSJwZRQSinLWXzcECPtjzeKUsTR1Mvumfw',
            },
          ],
          authentication: [
            'did:peer:0z6MknNW5mvrUpssSJwZRQSinLWXzcECPtjzeKUsTR1Mvumfw#6MknNW5mvrUpssSJwZRQSinLWXzcECPtjzeKUsTR1Mvumfw',
          ],
          assertionMethod: [
            'did:peer:0z6MknNW5mvrUpssSJwZRQSinLWXzcECPtjzeKUsTR1Mvumfw#6MknNW5mvrUpssSJwZRQSinLWXzcECPtjzeKUsTR1Mvumfw',
          ],
        },
      }),
    }
    const jwt =
      'eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJ2YyI6eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSJdLCJ0eXBlIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIl0sImNyZWRlbnRpYWxTdWJqZWN0Ijp7Im5vdGhpbmciOiJlbHNlIG1hdHRlcnMifX0sIm5iZiI6MTY5NTA1MjE4MSwiaXNzIjoiZGlkOnBlZXI6MHo2TWtuTlc1bXZyVXBzc1NKd1pSUVNpbkxXWHpjRUNQdGp6ZUtVc1RSMU12dW1mdyJ9.mvgdqscXYjIXRuut83e8AfcBVdQJJOppQ9flohALoke_qRL9rR0FBOuBjWbf6uHftKv8lqUcqZuPnmsAJ0sbAA'

    // fails with invalid_signature
    const { payload } = await verifyJWT(jwt, { resolver })

Details

The extractPublicKeyBytes() method used to get the raw public key from the VerificationMethod does not account for multicodec.

The publicKeyMultibase in the example is a multibase encoding of a multicodec encoding of the actual key material. This pattern is fairly common, so it should be supported.

uport-automation-bot commented 1 year ago

:tada: This issue has been resolved in version 7.4.0 :tada:

The release is available on:

Your semantic-release bot :package::rocket: