Closed ydanneg closed 4 months ago
I temporarily created a simple custom JwtSignatureVerifier to work around it.
import com.nimbusds.jose.crypto.factories.DefaultJWSVerifierFactory
import com.nimbusds.jose.util.X509CertUtils
import com.nimbusds.jwt.SignedJWT
import eu.europa.ec.eudi.sdjwt.*

// Workaround: when the JWT carries an x5c header, require the chain to be trusted
// and verify the signature with the leaf certificate's key; otherwise fall back
// to the delegate verifier (e.g. one configured with a known issuer key).
private class TrustedJwtSignatureVerifier(
    private val trust: X509CertificateTrust,
    private val delegate: JwtSignatureVerifier,
) : JwtSignatureVerifier {
    override fun checkSignature(jwt: String): Claims? {
        val signedJwt = SignedJWT.parse(jwt)
        val x5c = signedJwt.header.x509CertChain
        if (!x5c.isNullOrEmpty()) { // an empty x5c would otherwise crash on chain[0]
            // x5c[0] is the end-entity (signing) certificate, the rest its issuers
            val chain = x5c.map { X509CertUtils.parse(it.decode()) }
            if (!trust.isTrusted(chain)) {
                return null
            }
            val verifier = DefaultJWSVerifierFactory().createJWSVerifier(signedJwt.header, chain[0].publicKey)
            return if (!signedJwt.verify(verifier)) null
            else signedJwt.jwtClaimsSet.asClaims()
        }
        return delegate.checkSignature(jwt)
    }
}
But according to the specs, dNSName should be validated here as well, and Web-based key resolution should also be supported.
I think it would be great to have validation similar to what eudi-lib-jvm-siop-openid4vp-kt has in RequestAuthenticator: https://github.com/eu-digital-identity-wallet/eudi-lib-jvm-siop-openid4vp-kt/blob/73b82ca8e46681436ff91d6fc16ca58614bef482/src/main/kotlin/eu/europa/ec/eudi/openid4vp/internal/request/RequestAuthenticator.kt#L102
Dear @ydanneg
Thank you for raising this. So far, the library has been targeting SD-JWT, not SD-JWT-VC, although there are some examples for the latter.
Your proposal, though, sounds like a reasonable addition. My only concern is whether SD-JWT-VC support should be added to this library or whether a new library is needed.
In the future, besides the signature verification, I expect that support for credential metadata (not issuer metadata) can be added as well.
I will get back to this shortly.
In order to support this feature, we need to implement #189.
Hi @ydanneg
Some skeleton code has been added to #191 (work in progress) for an SD-JWT-VC-specific verifier. Any comments are welcome (preferably on the PR).
Dear @ydanneg,
v0.4.0 of eudi-lib-jvm-sdjwt-kt, with support for verifying the signature of SD-JWT VCs, has been released and has reached Maven Central.
Please let us know of any issues that might arise.
Thanks.
Hi.
The current version of the library, including samples and tests, verifies issuance with a known Issuer's self-signed certificate only. The real-world case will be that the Issuer's certificate is signed by some trusted CA, which is used as a trust anchor by holders and verifiers.
CA (Trust Anchor) -> Issuer
SD-JWT-VC says it supports x5c JWT header that can be used to
I think it should be applied to holders and verifiers that don't support JWT VC Issuer Metadata, which can be used to retrieve Issuer public keys. Not sure about it. More specification analysis is required here. It can also be that we don't know the type of key used to sign the issued credential JWT. An example is that the CA certificate is ECDSA and the leaf certificate is RSA. The library should detect the algorithm from the header and use the leaf certificate from x5c to verify the signature.
PS. I'm not an expert in the mentioned specification; probably some additional analysis is required to support different cases.
Specs:
https://github.com/openid/oid4vc-haip-sd-jwt-vc/blob/main/openid4vc-high-assurance-interoperability-profile-sd-jwt-vc-1_0.md#issuer-identification-and-key-resolution-to-validate-an-issued-credential-issuer-key-resolution
https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-08.html#section-5.1
Code references:
https://github.com/eu-digital-identity-wallet/eudi-lib-jvm-sdjwt-kt/blob/main/src/main/kotlin/eu/europa/ec/eudi/sdjwt/SdJwtVerifier.kt#L253
https://github.com/eu-digital-identity-wallet/eudi-lib-jvm-sdjwt-kt/blob/main/src/main/kotlin/eu/europa/ec/eudi/sdjwt/NimbusIntegration.kt#L153
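The checks this issue and the earlier comment ask for (CA -> Issuer chain validation, alg detected from the header and matched to the leaf key type, dNSName checked against the issuer), as an added example that is not part of eudi-lib-jvm-sdjwt-kt and not ydanneg's workaround. It assumes Nimbus JOSE+JWT plus the JDK's java.security.cert PKIX validator; X5cChainVerifier and its helpers are hypothetical names, and the trust anchors are whatever CA certificates the holder or verifier pins.

```kotlin
import com.nimbusds.jose.JWSAlgorithm
import com.nimbusds.jose.crypto.factories.DefaultJWSVerifierFactory
import com.nimbusds.jose.util.X509CertUtils
import com.nimbusds.jwt.SignedJWT
import java.net.URI
import java.security.cert.*
import java.security.interfaces.ECPublicKey
import java.security.interfaces.RSAPublicKey

// Hypothetical verifier: the x5c chain must lead to a pinned trust anchor (e.g. the CA in CA -> Issuer).
class X5cChainVerifier(private val trustAnchors: Set<X509Certificate>) {
    fun verify(jwt: String): Boolean {
        val signedJwt = SignedJWT.parse(jwt)
        val header = signedJwt.header
        val chain = header.x509CertChain?.map { X509CertUtils.parse(it.decode()) ?: return false }
        if (chain.isNullOrEmpty()) return false
        val leaf = chain.first() // x5c[0] is the signing (end-entity) certificate
        // 1. The header alg must fit the leaf key type: the CA may be ECDSA while the leaf is RSA.
        if (!keyMatchesAlg(leaf, header.algorithm)) return false
        // 2. PKIX path validation from the leaf up to a configured trust anchor.
        if (!chainsToAnchor(chain)) return false
        // 3. The leaf's dNSName SAN must match the host of the iss claim.
        val issHost = signedJwt.jwtClaimsSet.issuer?.let { runCatching { URI(it).host }.getOrNull() } ?: return false
        if (!hasDnsName(leaf, issHost)) return false
        // 4. Only now verify the signature, with the leaf key instead of a pinned issuer key.
        val verifier = DefaultJWSVerifierFactory().createJWSVerifier(header, leaf.publicKey)
        return signedJwt.verify(verifier)
    }

    private fun keyMatchesAlg(cert: X509Certificate, alg: JWSAlgorithm): Boolean = when {
        JWSAlgorithm.Family.EC.contains(alg) -> cert.publicKey is ECPublicKey
        JWSAlgorithm.Family.RSA.contains(alg) -> cert.publicKey is RSAPublicKey
        else -> false // HMAC or unsupported algs are never acceptable with an x5c chain
    }

    private fun chainsToAnchor(chain: List<X509Certificate>): Boolean {
        val path = chain.filterNot { it in trustAnchors } // the validated path must not contain the anchor itself
        if (path.isEmpty()) return true // the leaf is itself a pinned anchor (the self-signed case)
        val params = PKIXParameters(trustAnchors.map { TrustAnchor(it, null) }.toSet())
        params.isRevocationEnabled = false // enable CRL/OCSP checking in production
        val certPath = CertificateFactory.getInstance("X.509").generateCertPath(path)
        return runCatching { CertPathValidator.getInstance("PKIX").validate(certPath, params) }.isSuccess
    }

    private fun hasDnsName(cert: X509Certificate, host: String): Boolean =
        cert.subjectAlternativeNames.orEmpty().any { san ->
            san[0] == 2 && (san[1] as? String).equals(host, ignoreCase = true) // GeneralName tag 2 = dNSName
        }
}
```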