Skip to content
This repository has been archived by the owner on Jan 20, 2025. It is now read-only.

Verify JWT according to kid header instead of checking with all verification method #98

Open
nitin-vavdiya opened this issue May 8, 2024 · 0 comments · May be fixed by #99
Open

Verify JWT according to kid header instead of checking with all verification method #98

nitin-vavdiya opened this issue May 8, 2024 · 0 comments · May be fixed by #99

Comments

@nitin-vavdiya
Copy link
Contributor

Current Behavior

While verifying JWT, as per the current implementation it is iterating through all verification methods available in the DID document. Currently, this is not a bug but the implemented solution is not optimal/efficient

Example:
Consider the JWT header:

{
 "kid": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000#1b4c2d5b-479b-4a19-834a-fecd42c3d60b",
 "typ": "JWT",
 "alg": "ES256K"
}

and did document:

{
    "@context":
    [
        "https://www.w3.org/ns/did/v1",
        "https://w3c.github.io/vc-jws-2020/contexts/v1"
    ],
    "id": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000",
    "verificationMethod":
    [
        {
            "publicKeyJwk":
            {
                "x": "2IU_u50oEO1ym0ZELQPKtYzJA6UJ_J11cpnoFxxFsNM",
                "crv": "Ed25519",
                "kty": "OKP"
            },
            "controller": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000",
            "id": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000#b879cfac-7e51-45c1-97fa-3db84db10e44",
            "type": "JsonWebKey2020"
        },
        {
            "publicKeyJwk":
            {
                "kty": "EC",
                "x": "hZvJ0heaxQxeeBXlSuC-4IPx_UFGeOL5UEYLzLdzfIQ",
                "y": "EufmJauadvvkKl7lB7HkzzF9AIVLx4qN9Ih5yf-7eLc",
                "crv": "secp256k1"
            },
            "controller": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000",
            "id": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000#1b4c2d5b-479b-4a19-834a-fecd42c3d60b",
            "type": "JsonWebKey2020"
        }
    ]
}

According to the current implementation, it will try to verify JWT with both verification methods available in the DID document.

Expected Behavior

  1. It should select the verification method according to the kid of JWT and then verify JWT
  2. If kid it not match with verification method(let's say after key revocation/rotation), it should fail(fast) instead of checking with all verification methods available in the DID document

Steps To Reproduce

  1. Create a Did document one verification methods
  2. Create VC then create VP as JWT with any one kid
  3. Revoke/rotate the key and update the DID document
  4. Verify JWT, it will fail after signature verification. It should fail without signature verification as kid will not match with verification method

Related to: eclipse-tractusx/managed-identity-wallet#303
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@nitin-vavdiya