eclipse-tractusx / managed-identity-wallet

Apache License 2.0

Validation of the VP failed when it was generated through IATP. #303

Open thackerronak opened 2 months ago

thackerronak commented 2 months ago

Current Behavior

Getting a signature failure while validating the VP:

{ "valid": false, "validateJWTExpiryDate": true, "validateAudience": true, "vp": "eyJraWQiO.." }

The error below shows in the console:

Error is Ed25519Verifier requires alg=EdDSA in JWSHeader.

Expected Behavior

It should work and give a valid VP

Steps To Reproduce

Generate VP through iatp endpoint /api/presentations/iatp?asJwt=true

then validate that VP via presentations validation endpoint /api/presentations/validation?asJwt=true

nitin-vavdiya commented 2 months ago

There are 2 issues in this scenario:

1. In MIW application

When we create VP as JWT using the ES256k algorithm, the kid claim in the JWT header is not correct.

i.e., the DID document in my local setup:

{
    "@context":
    [
        "https://www.w3.org/ns/did/v1",
        "https://w3c.github.io/vc-jws-2020/contexts/v1"
    ],
    "id": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000",
    "verificationMethod":
    [
        {
            "publicKeyJwk":
            {
                "x": "2IU_u50oEO1ym0ZELQPKtYzJA6UJ_J11cpnoFxxFsNM",
                "crv": "Ed25519",
                "kty": "OKP"
            },
            "controller": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000",
            "id": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000#b879cfac-7e51-45c1-97fa-3db84db10e44",
            "type": "JsonWebKey2020"
        },
        {
            "publicKeyJwk":
            {
                "kty": "EC",
                "x": "hZvJ0heaxQxeeBXlSuC-4IPx_UFGeOL5UEYLzLdzfIQ",
                "y": "EufmJauadvvkKl7lB7HkzzF9AIVLx4qN9Ih5yf-7eLc",
                "crv": "secp256k1"
            },
            "controller": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000",
            "id": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000#1b4c2d5b-479b-4a19-834a-fecd42c3d60b",
            "type": "JsonWebKey2020"
        }
    ]
}

In the above DID document there are two verification methods, for Ed25519 and ES256k, as below:

Ed25519 : did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000#b879cfac-7e51-45c1-97fa-3db84db10e44

ES256k: did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000#1b4c2d5b-479b-4a19-834a-fecd42c3d60b

The signed VP using ES256k:

eyJraWQiOiJkaWQ6d2ViOjNiZGYtMjAzLTEyOS0yMTMtMTA3Lm5ncm9rLWZyZWUuYXBwOkJQTkwwMDAwMDAwMDAwMDAiLCJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NksifQ.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.HhV3xaez7XSIOQHQ33p35OINzgZzkylwWANjs7txuJQCqKTlpVTQ8pGtZyzdiiIg4Ssfl1SngidZuf7P3WpDlg

The header of JWT:

{
  "kid": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000",
  "typ": "JWT",
  "alg": "ES256K"
}

Here kid is just the DID of the issuer without any specific key ID.

It should be did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000#1b4c2d5b-479b-4a19-834a-fecd42c3d60b as the kid.

2. In SSI-lib:

In SSI lib, multiple verification methods are not supported. In class SignedJwtVerifier, in the verify() method, we select the first verification method instead of matching the kid of the verification method.

Ref: (screenshot attachment, not reproduced)
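The two defects in the comment above combine into a single failure: a `kid` that names only the DID cannot identify one of several keys, and a verifier that falls back to the first verification method then pairs the ES256K-signed token with the Ed25519 key. The Python below is an added example, not code from MIW or ssi-lib, that shows what a kid-matching selector with an alg/key consistency check looks like. It uses the DID document and JWT header values quoted above; the function names (`select_method_by_kid`, `check_alg_for_key`, `resolve_key_for_jwt`) and the unsigned sample token with a placeholder signature segment are this example's own constructions.

```python
"""Added example (not MIW or ssi-lib code): resolve a JWT `kid` against a DID
document with several verification methods and check that the header `alg`
is consistent with the selected key.

Reproduces the two problems from the thread:
  1. MIW puts the bare DID in `kid`, so the header cannot name one key;
  2. a verifier that takes the first verificationMethod regardless of `kid`
     pairs an ES256K token with the Ed25519 key and fails with
     "Ed25519Verifier requires alg=EdDSA".
"""
import base64
import json

DID = "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000"
ED25519_KID = DID + "#b879cfac-7e51-45c1-97fa-3db84db10e44"
SECP256K1_KID = DID + "#1b4c2d5b-479b-4a19-834a-fecd42c3d60b"

# Constructed from the DID document quoted in the issue (@context omitted).
DID_DOCUMENT = {
    "id": DID,
    "verificationMethod": [
        {"id": ED25519_KID, "type": "JsonWebKey2020", "controller": DID,
         "publicKeyJwk": {"kty": "OKP", "crv": "Ed25519",
                          "x": "2IU_u50oEO1ym0ZELQPKtYzJA6UJ_J11cpnoFxxFsNM"}},
        {"id": SECP256K1_KID, "type": "JsonWebKey2020", "controller": DID,
         "publicKeyJwk": {"kty": "EC", "crv": "secp256k1",
                          "x": "hZvJ0heaxQxeeBXlSuC-4IPx_UFGeOL5UEYLzLdzfIQ",
                          "y": "EufmJauadvvkKl7lB7HkzzF9AIVLx4qN9Ih5yf-7eLc"}},
    ],
}

# JWS `alg` each key type may be used with (RFC 8037 Ed25519, RFC 8812 secp256k1).
EXPECTED_ALG = {("OKP", "Ed25519"): "EdDSA", ("EC", "secp256k1"): "ES256K", ("EC", "P-256"): "ES256"}


def b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_header(jwt: str) -> dict:
    return json.loads(b64url_decode(jwt.split(".")[0]))


def make_unsigned_jwt(header: dict, payload: dict) -> str:
    # Constructed token: the signature segment is a placeholder, since only
    # key selection is demonstrated here, not signature verification.
    return ".".join([b64url_encode(header), b64url_encode(payload), "sig"])


def select_first_method(doc: dict, kid: str) -> dict:
    """The behaviour the thread attributes to ssi-lib: `kid` is ignored."""
    return doc["verificationMethod"][0]


def select_method_by_kid(doc: dict, kid: str) -> dict:
    """Strict selection: kid must be '<did>#<fragment>' and match exactly one method."""
    did, sep, fragment = kid.partition("#")
    if not sep or not fragment:
        raise ValueError(f"kid {kid!r} has no key fragment, cannot choose among "
                         f"{len(doc['verificationMethod'])} verification methods")
    if did != doc["id"]:
        raise ValueError(f"kid DID {did!r} does not match document id {doc['id']!r}")
    matches = [vm for vm in doc["verificationMethod"] if vm["id"] == kid]
    if len(matches) != 1:
        raise ValueError(f"kid {kid!r} matches {len(matches)} verification methods")
    return matches[0]


def check_alg_for_key(header: dict, vm: dict) -> str:
    """Reject alg/key mismatches before any signature check (prevents key confusion)."""
    jwk = vm["publicKeyJwk"]
    want = EXPECTED_ALG.get((jwk.get("kty"), jwk.get("crv")))
    if want is None:
        raise ValueError(f"unsupported key {jwk.get('kty')}/{jwk.get('crv')}")
    if header.get("alg") != want:
        raise ValueError(f"{jwk['crv']} key requires alg={want}, header has alg={header.get('alg')!r}")
    return want


def resolve_key_for_jwt(doc: dict, jwt: str, selector=select_method_by_kid) -> str:
    """Return the id of the verification method a verifier must use for `jwt`."""
    header = decode_header(jwt)
    vm = selector(doc, header["kid"])
    check_alg_for_key(header, vm)
    return vm["id"]


def resolve_error(doc: dict, jwt: str, selector=select_method_by_kid):
    """The error message for a failed resolution, or None on success."""
    try:
        resolve_key_for_jwt(doc, jwt, selector)
        return None
    except ValueError as exc:
        return str(exc)


# Header as MIW emitted it in the issue (kid = bare DID), and the corrected one.
BROKEN_JWT = make_unsigned_jwt({"kid": DID, "typ": "JWT", "alg": "ES256K"}, {"iss": DID})
FIXED_JWT = make_unsigned_jwt({"kid": SECP256K1_KID, "typ": "JWT", "alg": "ES256K"}, {"iss": DID})

if __name__ == "__main__":
    print("first-method + bare-DID kid:", resolve_error(DID_DOCUMENT, BROKEN_JWT, select_first_method))
    print("kid-matching + bare-DID kid:", resolve_error(DID_DOCUMENT, BROKEN_JWT))
    print("kid-matching + full kid:    ", resolve_key_for_jwt(DID_DOCUMENT, FIXED_JWT))
```

With `select_first_method` and the bare-DID header the example reproduces the console error from the issue (the Ed25519 key is paired with an ES256K header); with `select_method_by_kid` the same header is rejected earlier, for the real reason, and only the corrected `kid` resolves to the secp256k1 method. Choosing a key by `alg` alone is not a safe fallback either, because two verification methods may share a curve.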

borisrizov-zf commented 1 month ago

Good catch, Ronak. I'm aware we have some drift between the ssi-lib and the miw. We'll have to address those this week.