Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Transformer for VC in JWT encoding uses wrong claim for issuanceDate #4754

Open
luluffy007 opened this issue Jan 24, 2025 · 1 comment
Open

Transformer for VC in JWT encoding uses wrong claim for issuanceDate #4754

luluffy007 opened this issue Jan 24, 2025 · 1 comment
Labels
triage all new issues awaiting classification

Comments

@luluffy007
Copy link

Bug Report

Describe the Bug

According to the VC specification for JWT encoding https://www.w3.org/TR/vc-data-model/#jwt-encoding, the nbf claim must be used to represent issuanceDate property of the VC. But in the class JwtToVerifiableCredentialTransformer, it's the iat claim that is used :

extractDate(vc.get(ISSUANCE_DATE_PROPERTY), claims.getIssueTime()).or(() -> extractDate(vc.get(VALID_FROM_PROPERTY), claims.getIssueTime())).ifPresent(builder::issuanceDate);

When a VC in JWT encoding has the nbf claim but not the iat claim, an exception is thrown.

Expected Behavior

A VC in JWT encoding with the nbf claim and not the iat claim must be accepted.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Generate a VC in JWT encoding with nbf claim but no iat claim (libraries like https://github.com/danubetech/verifiable-credentials-java generates such VC)
  2. Import the VC in Identity Hub
  3. Make a request to a remote connector
  4. An exception is thrown in the remote connector
Caused by: java.lang.NullPointerException: Credential must contain `issuanceDate`/`validFrom` property.
	at java.base/java.util.Objects.requireNonNull(Objects.java:259)
	at org.eclipse.edc.iam.verifiablecredentials.spi.model.VerifiableCredential$Builder.build(VerifiableCredential.java:204)
	at org.eclipse.edc.iam.identitytrust.transform.to.JwtToVerifiableCredentialTransformer.transform(JwtToVerifiableCredentialTransformer.java:99)

Possible Implementation

In the class JwtToVerifiableCredentialTransformer, replace claims.getIssueTime() with claims.getNotBeforeTime() for setting the issuanceDate or validFrom property.
@github-actions github-actions bot added the triage all new issues awaiting classification label Jan 24, 2025
@paullatzelsperger
Copy link
Member

paullatzelsperger commented Jan 24, 2025
edited
Loading

huh, interesting. that almost sounds like a bug/error on the spec part, because "nbf" -> "not-before", which is entirely different than "issuanceDate", which is the date at which the token was created.

The obvious thing to do is to adapt the code as you suggested, which will satisfy the spec compliance, but I wonder if we should bring that up with the Spec group though.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triage all new issues awaiting classification
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@luluffy007 @paullatzelsperger