uport-project / uport-mobile

uPort mobile app
https://uport.me
GNU General Public License v3.0

Unable to verify signature for JWT #17

Open rmw2 opened 5 years ago

rmw2 commented 5 years ago

A few people have reported issues in which a response coming back from the mobile app is unable to be verified. It's unlikely that the problem is in the libraries, as a valid signature with other issues would not crash in this particular place.

In Android Chrome, a user provided this trace: [image]

A similar trace was provided by an EthDenver user, after receiving the response from a disclosure request: [image]

Initial suspicions were that an old signer of some sort is using the wrong algorithm to sign -- I think I've seen something similar with ES256K vs ES256K-R? However, the latter crash was experienced by a user after supposedly creating a fresh account on the latest version of the app, so that's particularly confusing, and I have been unable to reproduce so far.

OR13 commented 5 years ago

Current readme docs might lead users to create signatures that are not recoverable:

```javascript
const jwt = await didJWT.createJWT(
  {
    aud: "did:example:123",
    exp: 1957463421,
    name: "uPort Developer"
  },
  {
    issuer: "did:example:123",
    alg: "ES256K-R",
    signer
  }
);
```

Might be better to be explicit with the algorithm.
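
A diagnostic for the ES256K vs ES256K-R mismatch suspected in this thread, as an added example that is not part of the original comments or the uPort code: it checks that a JWT's signature length matches its header `alg` (64-byte r||s for ES256K, 65 bytes with the trailing recovery byte for ES256K-R) without verifying the signature. The helper names `inspectJwtSignature` and `makeSample` are hypothetical and the sample tokens are constructed.

```javascript
// Raw signature sizes in bytes for the two secp256k1 JWT algorithms:
// ES256K is r||s, ES256K-R appends a one-byte recovery parameter.
const EXPECTED_SIG_BYTES = new Map([['ES256K', 64], ['ES256K-R', 65]]);

function b64urlToBuffer(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

function b64url(data) {
  return Buffer.from(data).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Hypothetical helper: inspects a compact JWT, performs no cryptographic check.
function inspectJwtSignature(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) {
    return { ok: false, reason: 'not a three-part compact JWT' };
  }
  let header;
  try {
    header = JSON.parse(b64urlToBuffer(parts[0]).toString('utf8'));
  } catch (e) {
    return { ok: false, reason: 'header is not valid JSON' };
  }
  const alg = header.alg;
  const sigBytes = b64urlToBuffer(parts[2]).length;
  const expected = EXPECTED_SIG_BYTES.get(alg);
  if (expected === undefined) {
    return { ok: false, alg, sigBytes, reason: 'unexpected alg' };
  }
  if (sigBytes !== expected) {
    return { ok: false, alg, sigBytes,
             reason: `alg ${alg} expects a ${expected}-byte signature` };
  }
  return { ok: true, alg, sigBytes };
}

// Constructed sample tokens: the signature is filler bytes, not a real one.
function makeSample(alg, sigLen) {
  const header = b64url(JSON.stringify({ typ: 'JWT', alg }));
  const payload = b64url(JSON.stringify({ iss: 'did:example:123' }));
  return `${header}.${payload}.${b64url(Buffer.alloc(sigLen, 7))}`;
}

console.log(inspectJwtSignature(makeSample('ES256K-R', 65))); // consistent
console.log(inspectJwtSignature(makeSample('ES256K-R', 64))); // recovery byte missing
console.log(inspectJwtSignature(makeSample('ES256K', 65)));   // extra byte for ES256K
```

Running this over the failing response shows whether the signer produced a signature shape that disagrees with the algorithm the verifier is told to use.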