add thumbprint checking

decentralized-identity · Mar 21, 2024 · de24473 · de24473
1 parent b9c2f23
commit de24473
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 17 deletions.
diff --git a/impl/go.mod b/impl/go.mod
@@ -4,7 +4,7 @@ go 1.22
 
 require (
 	github.com/BurntSushi/toml v0.3.1
-	github.com/TBD54566975/ssi-sdk v0.0.4-alpha.0.20240109225800-c9f99e5db02a
+	github.com/TBD54566975/ssi-sdk v0.0.4-alpha.0.20240321215515-97ccd06a631d
 	github.com/allegro/bigcache/v3 v3.1.0
 	github.com/anacrolix/dht/v2 v2.20.0
 	github.com/anacrolix/log v0.14.0
@@ -75,7 +75,7 @@ require (
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-playground/validator/v10 v10.15.1 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/google/uuid v1.4.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/huandu/xstrings v1.3.2 // indirect

diff --git a/impl/go.sum b/impl/go.sum
@@ -60,8 +60,8 @@ github.com/RoaringBitmap/roaring v0.4.17/go.mod h1:D3qVegWTmfCaX4Bl5CrBE9hfrSrrX
 github.com/RoaringBitmap/roaring v0.4.23/go.mod h1:D0gp8kJQgE1A4LQ5wFLggQEyvDi06Mq5mKs52e1TwOo=
 github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo=
 github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
-github.com/TBD54566975/ssi-sdk v0.0.4-alpha.0.20240109225800-c9f99e5db02a h1:xvPnLvpf6zCNkgA5brq38wFOJBWoq3rMxXRH8xHrHp4=
-github.com/TBD54566975/ssi-sdk v0.0.4-alpha.0.20240109225800-c9f99e5db02a/go.mod h1:v3JouHTB++xJi6zTC+hbtTeBZkfdp/orSHF/+inJozU=
+github.com/TBD54566975/ssi-sdk v0.0.4-alpha.0.20240321215515-97ccd06a631d h1:lEekCCpwjxtQBNNUoUmPiDg35t3quQzDgtetug5xbx4=
+github.com/TBD54566975/ssi-sdk v0.0.4-alpha.0.20240321215515-97ccd06a631d/go.mod h1:UoNlAhXuPb1VxsAkNbLyr4XYeyHhLvcwSbkmsaOeGjM=
 github.com/alecthomas/assert/v2 v2.0.0-alpha3 h1:pcHeMvQ3OMstAWgaeaXIAL8uzB9xMm2zlxt+/4ml8lk=
 github.com/alecthomas/assert/v2 v2.0.0-alpha3/go.mod h1:+zD0lmDXTeQj7TgDgCt0ePWxb0hMC1G+PGTsTCv1B9o=
 github.com/alecthomas/atomic v0.1.0-alpha2 h1:dqwXmax66gXvHhsOS4pGPZKqYOlTkapELkLb3MNdlH8=
@@ -328,8 +328,8 @@ github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaU
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4=
-github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=

diff --git a/impl/internal/did/did.go b/impl/internal/did/did.go
@@ -147,15 +147,8 @@ func CreateDIDDHTDID(pubKey ed25519.PublicKey, opts CreateDIDDHTOpts) (*did.Docu
 			// mark as seen
 			seenIDs[vm.VerificationMethod.ID] = true
 
-			// update ID and controller in place, setting to thumbprint if none is provided
-
-			// e.g. nothing -> did:dht:123456789abcdefghi#<jwk key id>
-			if vm.VerificationMethod.ID == "" {
-				vm.VerificationMethod.ID = id + "#" + vm.VerificationMethod.PublicKeyJWK.KID
-			} else {
-				// make sure the verification method ID and KID match
-				vm.VerificationMethod.PublicKeyJWK.KID = vm.VerificationMethod.ID
-			}
+			// make sure the verification method JWK KID is set to its thumbprint
+			vm.VerificationMethod.ID = id + "#" + vm.VerificationMethod.PublicKeyJWK.KID
 
 			// e.g. #key-1 -> did:dht:123456789abcdefghi#key-1
 			if strings.HasPrefix(vm.VerificationMethod.ID, "#") {
@@ -304,15 +297,16 @@ func (d DHT) ToDNSPacket(doc did.Document, types []TypeIndex) (*dns.Msg, error)
 		if err != nil {
 			return nil, err
 		}
+
 		// as per the spec's guidance DNS representations use compressed keys, so we must marshal them as such
 		pubKeyBytes, err := crypto.PubKeyToBytes(pubKey, crypto.ECDSAMarshalCompressed)
 		if err != nil {
 			return nil, err
 		}
-		keyBase64Url := base64.RawURLEncoding.EncodeToString(pubKeyBytes)
 
+		keyBase64URL := base64.RawURLEncoding.EncodeToString(pubKeyBytes)
 		vmKeyFragment := vm.ID[strings.LastIndex(vm.ID, "#")+1:]
-		txtRecord := fmt.Sprintf("id=%s;t=%d;k=%s", vmKeyFragment, keyType, keyBase64Url)
+		txtRecord := fmt.Sprintf("id=%s;t=%d;k=%s", vmKeyFragment, keyType, keyBase64URL)
 		// note the controller if it differs from the DID
 		if vm.Controller != doc.ID {
 			// handle the case where the controller of the identity key is not the DID itself
@@ -525,6 +519,11 @@ func (d DHT) FromDNSPacket(msg *dns.Msg) (*did.Document, []TypeIndex, error) {
 				if vmID == "0" && controller != d.String() {
 					return nil, nil, fmt.Errorf("controller of identity key must be the DID itself, instead it is: %s", controller)
 				}
+
+				if vmID != "0" && pubKeyJWK.KID != vmID {
+					return nil, nil, fmt.Errorf("verification method JWK KID must be set to its thumbprint")
+				}
+
 				vm := did.VerificationMethod{
 					ID:           d.String() + "#" + vmID,
 					Type:         JSONWebKeyType,