search

decentralized-identity / veramo

A JavaScript Framework for Verifiable Data
https://veramo.io
Apache License 2.0
414 stars 130 forks source link

[bug] `publicKeyMultibase` in a DID document is not usable to verify JWT credentials #1248

Closed mirceanis closed 9 months ago

mirceanis commented 9 months ago

Bug severity 3

Describe the bug

Credentials issued by did:peer fail verification. Here is a sample test to reproduce the issue:

    // using an agent with `@veramo/did-provider-peer#PeerDIDProvider`
    // and `@veramo/did-provider-peer#getResolver`

    // did:peer uses publicKeyMultibase
    const issuer = await agent.didManagerCreate({
      provider: 'did:peer',
      options: {
        num_algo: 0
      }
    })
    const payload = {
      issuer: issuer.did,
      credentialSubject: {
        nothing: 'else matters',
      },
    }
    const credential = await agent.createVerifiableCredential({
      credential: payload,
      proofFormat: 'jwt',
    })
    const verifyResult = await agent.verifyCredential({ credential })
    expect(verifyResult.verified).toBeTruthy()

Details It seems that the publicKeyMultibase is a multibase encoding of a multicodec encoding of an ed25519 public key. did-jwt@7.2.5 doesn't know how to interpret the multicodec encoding so it tries to use the byte array as is so verification fails.

The fix would be in the did-jwt library.

Versions (please complete the following information):