Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JWT Verification between is broken between sdk and cloud-agent #116

Open
amagyar-iohk opened this issue Jan 29, 2025 · 1 comment
Open

JWT Verification between is broken between sdk and cloud-agent #116

amagyar-iohk opened this issue Jan 29, 2025 · 1 comment
Labels
priority:critical business is impacted, performance drained, crash, feature blocked, reproducible, interoperability

Comments

@amagyar-iohk
Copy link
Contributor

amagyar-iohk commented Jan 29, 2025
edited
Loading

Describe the bug

JWT Verification is not working. After further investigation I was able to track down one of the issues

JWTCore.ts:

    protected getPKInstance(verificationMethod: didResolver.VerificationMethod) {
[...]
        if (verificationMethod.publicKeyJwk) {
            const { crv, x } = verificationMethod.publicKeyJwk;
            if (crv === Curve.ED25519) {
                pk = this.apollo.createPublicKey({
                    [KeyProperties.curve]: Curve.ED25519,
                    [KeyProperties.type]: KeyTypes.EC,
                    [KeyProperties.rawKey]: base64url.baseDecode(x!)
                })
            } else if (crv === Curve.SECP256K1) {
                pk = this.apollo.createPublicKey({
                    [KeyProperties.curve]: Curve.SECP256K1,
                    [KeyProperties.type]: KeyTypes.EC,
                    [KeyProperties.rawKey]: base64url.baseDecode(x!)
                })
            }
[...]

Pollux.ts

  private async verifyPresentationSubmissionJWT(
    presentationSubmission: JWTPresentationSubmission,
    options: IPollux.verifyPresentationSubmission.options.JWT | IPollux.verifyPresentationSubmission.options.SDJWT
  ): Promise<boolean> {
[...]
          const verifiableCredentialValid = await this.JWT.verify({
            holderDID: verifiableCredential.subject ? DID.fromString(verifiableCredential.subject) : undefined,
            issuerDID: verifiableCredential.issuer,
            jws: verifiableCredential.id
          });
[...]

Possible fixes

After further investigation I noticed two issues

Issue 1

The publicKeyJwk recovery seems to be wrong:

pk = this.apollo.createPublicKey({
    [KeyProperties.curve]: {curve},
    [KeyProperties.type]: {type},
    [KeyProperties.rawKey]: base64url.baseDecode(x!)
})

The key is being recovered using the x as raw data. It should be replaced with

pk = this.apollo.createPublicKey({
    [KeyProperties.curve]: {curve},
    [KeyProperties.type]: {type},
    [KeyProperties.curvePointX]: base64url.baseDecode(x!),
    [KeyProperties.curvePointY]: base64url.baseDecode(y!)
})

Issue 2

In the Additional Context we have the did:prism parsed from Cloud-Agent most specifically this part:

            "publicKeyJwk":{
               "crv":"secp256k1",
               "x":"CW_WcMRO9zLh80SFPjJjnR2GYrwcUJFE6FSvTt2bgyg",
               "y":"az189wjSfAMUsunG6MlUIdAGXQ8nvDtXg3rHforhWXw",
               "kty":"EC"
            }

In which the crv property is secp256k1 according to jose iana type.

So there's an issue regarding this comparison:

            } else if (crv === Curve.SECP256K1) {

Because Curve.SECP256K1 resolves as Secp256k1

Additional context

issuerDID:

{
   "didResolutionMetadata":{
      "contentType":"application/did+ld+json"
   },
   "didDocumentMetadata":{
      
   },
   "didDocument":{
      "id":"did:prism:dbb0b17ff1dc54b7504a5f173f495f8aa86e0384ae84325ed9156725f3ede5b2",
      "controller":[
         
      ],
      "verificationMethod":[
         {
            "id":"did:prism:dbb0b17ff1dc54b7504a5f173f495f8aa86e0384ae84325ed9156725f3ede5b2#key-assertion-1",
            "type":"JsonWebKey2020",
            "controller":"did:prism:dbb0b17ff1dc54b7504a5f173f495f8aa86e0384ae84325ed9156725f3ede5b2",
            "publicKeyJwk":{
               "crv":"secp256k1",
               "x":"CW_WcMRO9zLh80SFPjJjnR2GYrwcUJFE6FSvTt2bgyg",
               "y":"az189wjSfAMUsunG6MlUIdAGXQ8nvDtXg3rHforhWXw",
               "kty":"EC"
            }
         },
         {
            "id":"did:prism:dbb0b17ff1dc54b7504a5f173f495f8aa86e0384ae84325ed9156725f3ede5b2#key-authentication-1",
            "type":"JsonWebKey2020",
            "controller":"did:prism:dbb0b17ff1dc54b7504a5f173f495f8aa86e0384ae84325ed9156725f3ede5b2",
            "publicKeyJwk":{
               "crv":"secp256k1",
               "x":"M0pjD4rQyZB6bKfgegRmSkS00UsfeIJ2suKQrcPKX1s",
               "y":"maHMcUz-rXdY5Sh7EdxXNLvxIm7yidxzvbnz4uanbk8",
               "kty":"EC"
            }
         }
      ],
      "service":[
         {
            "id":"did:prism:dbb0b17ff1dc54b7504a5f173f495f8aa86e0384ae84325ed9156725f3ede5b2#agent-base-url",
            "type":"L",
            "serviceEndpoint":"http://localhost:8085"
         }
      ]
   }
}

Cloud-agent version: 1.40.1-134-d16da04
@amagyar-iohk amagyar-iohk added the priority:critical business is impacted, performance drained, crash, feature blocked, reproducible, interoperability label Jan 29, 2025
@curtis-h
Copy link

Issue is caused by cloud agent changes: #89
The cloud agent has swtiched to using short-form DIDs for JWT Credential issuance, which the SDK can not handle currently.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
priority:critical business is impacted, performance drained, crash, feature blocked, reproducible, interoperability
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@curtis-h @amagyar-iohk