If the `ES256K` algorithm is used to create a JWT with a basic ethr-did as issuer, then the verification fails.
The reason is that the DID Doc for a basic ethr-DID has only one public key entry, with `ethereumAddress` for `publicKey`.
That cannot be used to run `ecVerify`, because the full public key is never known.
The solution proposed here is to fall back to an `ES256K-R` verification mechanism with a list of recovered public keys based on all possible values of the recovery parameter (0 or 1).
Testing
A test has been added to check for this situation, with the token:
eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NksifQ.eyJoZWxsbyI6IndvcmxkIiwiaWF0IjoxNTYxOTcxMTE5LCJpc3MiOiJkaWQ6ZXRocjoweGNmMDNkZDBhODk0ZWY3OWNiNWI2MDFhNDNjNGIyNWUzYWU0YzY3ZWQifQ.t5o1vzZExArlrrTVHmwtti7fnicXqvWrX6SS3F-Lu3budH7p6zQHjG8X7EvUTRUxhvr-eENCbXeteSE4rgF7MA
Run `./gradlew test` to run the entire test suite.
This fixes [#167009918] in Pivotal.
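The fallback described above, as an added example that is not code from this PR or from the kotlin-did-jwt project (it is written in pure Python rather than the project's Kotlin so that it runs offline with no dependencies; a real verifier should use a vetted secp256k1 library). It signs a constructed JWT with `ES256K`, then verifies it knowing only the issuer's `ethereumAddress`: both recovery ids are tried, each candidate key is hashed to an address, and the JWT is accepted only if one candidate matches. The issuer key, the random nonce and the claims are constructed for the demo; the `keccak256`, `recover_pubkey` and `verify_with_address_fallback` names are this example's own.

```python
# Added example, not code from the kotlin-did-jwt project or this PR: verifying an ES256K JWT
# whose issuer DID Document exposes only an ethereumAddress, by recovering the secp256k1 key
# for both recovery ids (as ES256K-R does) and matching one against the address.
import base64, hashlib, json, secrets

P = 2**256 - 2**32 - 977                                                   # secp256k1 field
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p, q):  # affine point addition; None is the point at infinity
    if p is None or q is None: return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0: return None
    l = (3 * x1 * x1 * pow(2 * y1, -1, P) if x1 == x2 else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (l * l - x1 - x2) % P
    return x3, (l * (x1 - x3) - y1) % P

def _mul(k, p):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = _add(r, p)
        p, k = _add(p, p), k >> 1
    return r

# Keccak-256 as Ethereum uses it (0x01 padding byte, not the SHA3-256 0x06 byte)
_RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
       0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
       0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
       0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
_M64 = (1 << 64) - 1

def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & _M64 if n else v

def keccak256(data: bytes) -> bytes:
    buf = bytearray(data) + b"\x01"; buf += b"\x00" * (-len(buf) % 136); buf[-1] |= 0x80
    a = [[0] * 5 for _ in range(5)]                    # state a[x][y], lane i = x + 5*y
    for off in range(0, len(buf), 136):
        for i in range(17):
            a[i % 5][i // 5] ^= int.from_bytes(buf[off + 8*i:off + 8*i + 8], "little")
        for rc in _RC:                                 # theta, rho+pi, chi, iota
            c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
            d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
            a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
            b = [[0] * 5 for _ in range(5)]
            for x in range(5):
                for y in range(5):
                    b[y][(2*x + 3*y) % 5] = _rol(a[x][y], _ROT[x][y])
            a = [[b[x][y] ^ (~b[(x+1) % 5][y] & _M64 & b[(x+2) % 5][y]) for y in range(5)]
                 for x in range(5)]
            a[0][0] ^= rc
    return b"".join(a[i % 5][i // 5].to_bytes(8, "little") for i in range(4))

def eth_address(pub) -> str:  # last 20 bytes of keccak256(x || y), lowercase hex
    return "0x" + keccak256(pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big"))[-20:].hex()

def sign_es256k(priv: int, signing_input: bytes) -> bytes:
    z = int.from_bytes(hashlib.sha256(signing_input).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1  # demo nonce; production code uses RFC 6979
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            return r.to_bytes(32, "big") + s.to_bytes(32, "big")  # ES256K is r||s, no recovery id

def recover_pubkey(signing_input: bytes, sig: bytes, v: int):
    """Recover Q = r^-1 (s*R - z*G) for recovery id v in {0, 1}; None if r is not on the curve."""
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not (0 < r < N and 0 < s < N): return None
    y = pow((r**3 + 7) % P, (P + 1) // 4, P)          # square root works because P % 4 == 3
    if y * y % P != (r**3 + 7) % P: return None
    if y % 2 != v: y = P - y                          # v selects the parity of R.y
    z = int.from_bytes(hashlib.sha256(signing_input).digest(), "big")
    return _mul(pow(r, -1, N), _add(_mul(s, (r, y)), _mul(-z % N, G)))

def verify_with_address_fallback(signing_input: bytes, sig: bytes, address: str) -> bool:
    """Without the full key: try both recovery ids, accept if a recovered key hashes to the address."""
    for v in (0, 1):
        q = recover_pubkey(signing_input, sig, v)
        if q is not None and eth_address(q) == address.lower():
            return True
    return False

def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def demo() -> dict:
    priv = int.from_bytes(hashlib.sha256(b"constructed demo key, not a real identity").digest(), "big") % N
    address = eth_address(_mul(priv, G))                # all that a basic ethr-did DID Doc publishes
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = (enc({"typ": "JWT", "alg": "ES256K"}) + "."
                     + enc({"hello": "world", "iss": "did:ethr:" + address})).encode()
    sig = sign_es256k(priv, signing_input)
    tampered = signing_input[:-1] + bytes([signing_input[-1] ^ 1])   # one payload bit flipped
    return {"token": signing_input.decode() + "." + _b64url(sig),
            "ok": verify_with_address_fallback(signing_input, sig, address),
            "tampered_rejected": not verify_with_address_fallback(tampered, sig, address),
            "wrong_issuer_rejected": not verify_with_address_fallback(signing_input, sig, eth_address(_mul(2, G)))}
```

Each recovery id yields exactly one candidate key, so trying both covers every key that could have produced the `r||s` pair; accepting on an address match is sound because a forger would need a signature whose recovered key hashes to the issuer's 20-byte address. Recovery ids 2 and 3 (the `r` overflow case) are astronomically rare and are not handled here.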