Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verify JWT according to kid header instead of checking with all verification method #98

Open
nitin-vavdiya opened this issue May 8, 2024 · 0 comments · May be fixed by #99
Open

Verify JWT according to kid header instead of checking with all verification method #98

nitin-vavdiya opened this issue May 8, 2024 · 0 comments · May be fixed by #99

Comments

@nitin-vavdiya
Copy link
Contributor

Current Behavior

While verifying JWT, as per the current implementation it is iterating through all verification methods available in the DID document. Currently, this is not a bug but the implemented solution is not optimal/efficient

Example:
Consider the JWT header:

{
 "kid": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000#1b4c2d5b-479b-4a19-834a-fecd42c3d60b",
 "typ": "JWT",
 "alg": "ES256K"
}

and did document:

{
    "@context":
    [
        "https://www.w3.org/ns/did/v1",
        "https://w3c.github.io/vc-jws-2020/contexts/v1"
    ],
    "id": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000",
    "verificationMethod":
    [
        {
            "publicKeyJwk":
            {
                "x": "2IU_u50oEO1ym0ZELQPKtYzJA6UJ_J11cpnoFxxFsNM",
                "crv": "Ed25519",
                "kty": "OKP"
            },
            "controller": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000",
            "id": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000#b879cfac-7e51-45c1-97fa-3db84db10e44",
            "type": "JsonWebKey2020"
        },
        {
            "publicKeyJwk":
            {
                "kty": "EC",
                "x": "hZvJ0heaxQxeeBXlSuC-4IPx_UFGeOL5UEYLzLdzfIQ",
                "y": "EufmJauadvvkKl7lB7HkzzF9AIVLx4qN9Ih5yf-7eLc",
                "crv": "secp256k1"
            },
            "controller": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000",
            "id": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000#1b4c2d5b-479b-4a19-834a-fecd42c3d60b",
            "type": "JsonWebKey2020"
        }
    ]
}

According to the current implementation, it will try to verify JWT with both verification methods available in the DID document.

Expected Behavior

  1. It should select the verification method according to the kid of JWT and then verify JWT
  2. If kid it not match with verification method(let's say after key revocation/rotation), it should fail(fast) instead of checking with all verification methods available in the DID document

Steps To Reproduce

  1. Create a Did document one verification methods
  2. Create VC then create VP as JWT with any one kid
  3. Revoke/rotate the key and update the DID document
  4. Verify JWT, it will fail after signature verification. It should fail without signature verification as kid will not match with verification method

Related to: eclipse-tractusx/managed-identity-wallet#303
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@nitin-vavdiya