digitalbazaar / jsonld.js

A JSON-LD Processor and API implementation in JavaScript
https://json-ld.org/

RSA Proof wrong canonicalization #524

Closed fabrii closed 1 year ago

fabrii commented 1 year ago

Hi!

There seems to be an error when calculating the canonicalization of an RsaSignature2018 proof.

The result of the library is like this:

_:c14n0 <http://purl.org/dc/terms/created> "2023-06-03T20:00:01Z"^^<xsd:dateTime> .
_:c14n0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://w3id.org/security#RsaSignature2018> .
_:c14n0 <sec:proofPurpose> <https://w3id.org/security#assertionMethod> .
_:c14n0 <sec:verificationMethod> <urn:oid:2.16.858.0.0.0.3.0#1> .

when it should be like this:

_:c14n0 <http://purl.org/dc/terms/created> "2023-06-03T20:00:01Z"^^<http://www.w3.org/2001/XMLSchema#dateTime> .
_:c14n0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://w3id.org/security#RsaSignature2018> .
_:c14n0 <https://w3id.org/security#proofPurpose> <https://w3id.org/security#assertionMethod> .
_:c14n0 <https://w3id.org/security#verificationMethod> <urn:oid:2.16.858.0.0.0.3.0#1> .

On the other hand, Ed25519Signature2020 is working OK:

_:c14n0 <http://purl.org/dc/terms/created> "2023-05-23T21:37:44Z"^^<http://www.w3.org/2001/XMLSchema#dateTime> .
_:c14n0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://w3id.org/security#Ed25519Signature2020> .
_:c14n0 <https://w3id.org/security#proofPurpose> <https://w3id.org/security#assertionMethod> .
_:c14n0 <https://w3id.org/security#verificationMethod> <urn:oid:2.16.858.0.0.0.3.0#1> .

davidlehn commented 1 year ago

Please provide minimal runnable test code that shows the issue. There's not enough info here to know what may be going on. If I had to guess, one of the contexts you are using, or not using, has not defined "sec" and "xsd", so they are being used literally as IRI schemes, rather than being expanded.
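
An added example (not part of the original thread and not jsonld.js code): a dependency-free check for the symptom described in the comment above, run over the two RsaSignature2018 outputs quoted in the issue. The `EXPECTED_SCHEMES` allowlist and both function names are assumptions made for illustration.

```javascript
// Added example: refuse to hash/sign canonical N-Quads that still contain
// unexpanded JSON-LD prefixes used as IRI schemes (e.g. <sec:...>, <xsd:...>).

// Assumption: the only IRI schemes this application expects after expansion.
const EXPECTED_SCHEMES = new Set(['http', 'https', 'urn', 'did']);

function findUnexpandedTerms(nquads, expected = EXPECTED_SCHEMES) {
  const findings = [];
  nquads.split('\n').forEach((line, idx) => {
    // Blank out string literals so "<" or ">" inside a value is not parsed as an IRI.
    const noLiterals = line.replace(/"(?:[^"\\]|\\.)*"/g, '""');
    for (const m of noLiterals.matchAll(/<([^<>\s]*)>/g)) {
      const iri = m[1];
      const colon = iri.indexOf(':');
      const scheme = colon > 0 ? iri.slice(0, colon).toLowerCase() : '';
      if (!expected.has(scheme)) {
        findings.push({line: idx + 1, scheme, iri});
      }
    }
  });
  return findings;
}

// Guard to call between canonicalization and hashing/signing.
function assertFullyExpanded(nquads) {
  const findings = findUnexpandedTerms(nquads);
  if (findings.length > 0) {
    const list = findings.map(f => `line ${f.line}: <${f.iri}>`).join('; ');
    throw new Error(`unexpanded terms in canonical form: ${list}`);
  }
  return true;
}

// The two RsaSignature2018 outputs quoted in the issue above.
const REPORTED = [
  '_:c14n0 <http://purl.org/dc/terms/created> "2023-06-03T20:00:01Z"^^<xsd:dateTime> .',
  '_:c14n0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://w3id.org/security#RsaSignature2018> .',
  '_:c14n0 <sec:proofPurpose> <https://w3id.org/security#assertionMethod> .',
  '_:c14n0 <sec:verificationMethod> <urn:oid:2.16.858.0.0.0.3.0#1> .'
].join('\n');
const EXPECTED = REPORTED
  .replace('<xsd:dateTime>', '<http://www.w3.org/2001/XMLSchema#dateTime>')
  .replace(/<sec:/g, '<https://w3id.org/security#');

console.log(findUnexpandedTerms(REPORTED).map(f => f.iri));
console.log(findUnexpandedTerms(EXPECTED).length);
```

Running the guard on both the signing and the verifying side turns a missing context definition into an explicit error instead of a signature that only verifies against implementations with the same gap.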

fabrii commented 1 year ago

Hi @davidlehn. Here I have a reproducer. Start the application and see the console output log.

https://github.com/fabrii/dc-playground

Thanks!

fabrii commented 1 year ago

Is the "https://w3id.org/security/v1" context missing somewhere?

I am also doing the canonicalization in a Java library, with the same contexts used in JavaScript, and it works OK, without manually adding the security context.

dlongley commented 1 year ago

It's known that RsaSignature2018 is broken when using it with the VC 1.0 context:

https://github.com/w3c/vc-data-model/issues/778

fabrii commented 1 year ago

Hi @dlongley. Thanks for your response.

I read the https://w3c-ccg.github.io/lds-rsa2018/ spec, and although I know it is an unofficial draft, there is no warning of this. Note also that RsaSignature2018 is heavily used in https://www.w3.org/TR/vc-data-model/

Is there any known workaround?

In Java, I am using https://github.com/danubetech/verifiable-credentials-java, which uses https://github.com/WebOfTrustInfo/ld-signatures-java under the hood, and they seem to not have the problem. I will ask @peacekeeper about this.

Thanks

fabrii commented 1 year ago

Closing here to open in https://github.com/digitalbazaar/jsonld-signatures/issues/174