From 5d7cd190771aad89620bff9e1e271436e9d78bd3 Mon Sep 17 00:00:00 2001 From: nklomp Date: Sun, 15 Jan 2023 04:19:42 +0100 Subject: [PATCH 01/10] debug values --- .../src/suites/impl/JsonWebSignatureWithRSASupport.ts | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/packages/vc-handler-ld-local/src/suites/impl/JsonWebSignatureWithRSASupport.ts b/packages/vc-handler-ld-local/src/suites/impl/JsonWebSignatureWithRSASupport.ts index 1a4ad5e49..79add91b8 100644 --- a/packages/vc-handler-ld-local/src/suites/impl/JsonWebSignatureWithRSASupport.ts +++ b/packages/vc-handler-ld-local/src/suites/impl/JsonWebSignatureWithRSASupport.ts @@ -90,8 +90,10 @@ export class JsonWebSignature { async sign({ verifyData, proof }: any) { try { const signer: any = await this.key?.signer() + console.log(`SIG SUITE sign verifyData: ${u8a.toString(verifyData, 'base64url')}`) const detachedJws = await signer.sign({ data: verifyData }) proof.jws = detachedJws + console.log(`SIG SUITE sign jws: ${detachedJws}`) return proof } catch (e) { console.warn('Failed to sign.') @@ -162,6 +164,7 @@ export class JsonWebSignature { expansionMap, compactProof, }) + console.log(`createProof verifyData: ${u8a.toString(verifyData, 'base64url')}`) // sign data proof = await this.sign({ @@ -232,6 +235,8 @@ export class JsonWebSignature { async verifySignature({ verifyData, verificationMethod, proof }: any) { if (verificationMethod.publicKey) { const key = verificationMethod.publicKey as CryptoKey + console.log(`SIG SUITE verifySig jws: ${proof.jws}`) + console.log(`SIG SUITE verifySig verifyData: ${u8a.toString(verifyData, 'base64url')}`) return await subtle.verify( { name: key.algorithm?.name ? key.algorithm.name : 'RSASSA-PKCS1-V1_5', @@ -266,6 +271,8 @@ export class JsonWebSignature { instance: true, // this means we get a key pair class instance, not just json. }) + console.log(`verifyProof verifyData: ${u8a.toString(verifyData, 'base64url')}`) + // verify signature on data const verified = await this.verifySignature({ verifyData, From 67a8185c5d60a4036e74b412f8e3a1e6720c05ed Mon Sep 17 00:00:00 2001 From: nklomp Date: Sun, 15 Jan 2023 04:28:18 +0100 Subject: [PATCH 02/10] split signature from jws --- .../src/suites/impl/JsonWebSignatureWithRSASupport.ts | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/packages/vc-handler-ld-local/src/suites/impl/JsonWebSignatureWithRSASupport.ts b/packages/vc-handler-ld-local/src/suites/impl/JsonWebSignatureWithRSASupport.ts index 79add91b8..8fb887fd5 100644 --- a/packages/vc-handler-ld-local/src/suites/impl/JsonWebSignatureWithRSASupport.ts +++ b/packages/vc-handler-ld-local/src/suites/impl/JsonWebSignatureWithRSASupport.ts @@ -235,15 +235,16 @@ export class JsonWebSignature { async verifySignature({ verifyData, verificationMethod, proof }: any) { if (verificationMethod.publicKey) { const key = verificationMethod.publicKey as CryptoKey - console.log(`SIG SUITE verifySig jws: ${proof.jws}`) + const signature = proof.jws.split('.')[2] + console.log(`SIG SUITE verifySig jws: ${signature}`) console.log(`SIG SUITE verifySig verifyData: ${u8a.toString(verifyData, 'base64url')}`) return await subtle.verify( { name: key.algorithm?.name ? key.algorithm.name : 'RSASSA-PKCS1-V1_5', - hash: 'SHA-256', + hash: 'SHA-256', // todo get from proof.jws header }, key, - typeof proof.jws === 'string' ? u8a.fromString(proof.jws, 'base64url') : proof.jws, + u8a.fromString(signature, 'base64url'), verifyData ) } From b388091cfea0993d0e20f9d61402a7cbbae9b9e4 Mon Sep 17 00:00:00 2001 From: nklomp Date: Sun, 15 Jan 2023 04:53:23 +0100 Subject: [PATCH 03/10] split signature from jws --- .../src/suites/impl/JsonWebSignatureWithRSASupport.ts | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/packages/vc-handler-ld-local/src/suites/impl/JsonWebSignatureWithRSASupport.ts b/packages/vc-handler-ld-local/src/suites/impl/JsonWebSignatureWithRSASupport.ts index 8fb887fd5..13fcfb1c7 100644 --- a/packages/vc-handler-ld-local/src/suites/impl/JsonWebSignatureWithRSASupport.ts +++ b/packages/vc-handler-ld-local/src/suites/impl/JsonWebSignatureWithRSASupport.ts @@ -236,6 +236,10 @@ export class JsonWebSignature { if (verificationMethod.publicKey) { const key = verificationMethod.publicKey as CryptoKey const signature = proof.jws.split('.')[2] + const header = proof.jws.split('.')[0] + const verifyDataString = u8a.toString(verifyData, 'base64url') + const data = `${header}.${verifyDataString}` + console.log(`SIG SUITE verifySig input: ${data}`) console.log(`SIG SUITE verifySig jws: ${signature}`) console.log(`SIG SUITE verifySig verifyData: ${u8a.toString(verifyData, 'base64url')}`) return await subtle.verify( @@ -245,7 +249,7 @@ export class JsonWebSignature { }, key, u8a.fromString(signature, 'base64url'), - verifyData + u8a.fromString(data, 'base64url') ) } const verifier = await verificationMethod.verifier() From e98ac2b97b3248538b7cd5d05f0c7f639a63feed Mon Sep 17 00:00:00 2001 From: nklomp Date: Sun, 15 Jan 2023 05:58:22 +0100 Subject: [PATCH 04/10] fix sig verification --- .../src/suites/JsonWebSignature2020.ts | 6 +++--- .../src/suites/impl/JsonWebSignatureWithRSASupport.ts | 9 ++++----- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/packages/vc-handler-ld-local/src/suites/JsonWebSignature2020.ts b/packages/vc-handler-ld-local/src/suites/JsonWebSignature2020.ts index 4f0cd1c38..163adcd75 100644 --- a/packages/vc-handler-ld-local/src/suites/JsonWebSignature2020.ts +++ b/packages/vc-handler-ld-local/src/suites/JsonWebSignature2020.ts @@ -48,14 +48,14 @@ export class SphereonJsonWebSignature2020 extends SphereonLdSignature { } const headerString = encodeJoseBlob(header) - const dataString = u8a.toString(args.data, 'base64url') - const messageString = `${headerString}.${dataString}` + const messageBuffer = u8a.concat([u8a.fromString(`${headerString}.`, 'utf-8'), args.data]) + const messageString = u8a.toString(messageBuffer, 'base64') //will be decoded to bytes in the keyManagerSign, hence the base64 arg to the method below const signature = await context.agent.keyManagerSign({ keyRef: key.kid, algorithm: alg, data: messageString, - encoding: 'utf-8', + encoding: 'base64', }) // returns base64url signature return `${headerString}..${signature}` }, diff --git a/packages/vc-handler-ld-local/src/suites/impl/JsonWebSignatureWithRSASupport.ts b/packages/vc-handler-ld-local/src/suites/impl/JsonWebSignatureWithRSASupport.ts index 13fcfb1c7..ab305aa0e 100644 --- a/packages/vc-handler-ld-local/src/suites/impl/JsonWebSignatureWithRSASupport.ts +++ b/packages/vc-handler-ld-local/src/suites/impl/JsonWebSignatureWithRSASupport.ts @@ -236,10 +236,9 @@ export class JsonWebSignature { if (verificationMethod.publicKey) { const key = verificationMethod.publicKey as CryptoKey const signature = proof.jws.split('.')[2] - const header = proof.jws.split('.')[0] - const verifyDataString = u8a.toString(verifyData, 'base64url') - const data = `${header}.${verifyDataString}` - console.log(`SIG SUITE verifySig input: ${data}`) + const headerString = proof.jws.split('.')[0] + const messageBuffer = u8a.concat([u8a.fromString(`${headerString}.`, 'utf-8'), verifyData]) + console.log(`SIG SUITE verifySig input: ${u8a.toString(messageBuffer, 'utf-8')}`) console.log(`SIG SUITE verifySig jws: ${signature}`) console.log(`SIG SUITE verifySig verifyData: ${u8a.toString(verifyData, 'base64url')}`) return await subtle.verify( @@ -249,7 +248,7 @@ export class JsonWebSignature { }, key, u8a.fromString(signature, 'base64url'), - u8a.fromString(data, 'base64url') + messageBuffer ) } const verifier = await verificationMethod.verifier() From 3070df22e8e979371fbc97bbb088a5e95e50e4dc Mon Sep 17 00:00:00 2001 From: nklomp Date: Sun, 15 Jan 2023 06:41:43 +0100 Subject: [PATCH 05/10] fix auth proofpurpose for verify presentation when domain/challenge are provided --- .../src/ld-credential-module.ts | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/packages/vc-handler-ld-local/src/ld-credential-module.ts b/packages/vc-handler-ld-local/src/ld-credential-module.ts index c6ae2bb72..87f822d86 100644 --- a/packages/vc-handler-ld-local/src/ld-credential-module.ts +++ b/packages/vc-handler-ld-local/src/ld-credential-module.ts @@ -53,7 +53,7 @@ export class LdCredentialModule { key: IKey, verificationMethodId: string, purpose: typeof ProofPurpose = new CredentialIssuancePurpose(), - context: IAgentContext + context: IAgentContext, ): Promise { debug(`Issue VC method called for ${key.kid}...`) const suite = this.ldSuiteLoader.getSignatureSuiteForKeyType(key.type, key.meta?.verificationMethod?.type) @@ -96,10 +96,10 @@ export class LdCredentialModule { purpose: typeof ProofPurpose = !challenge && !domain ? new AssertionProofPurpose() : new AuthenticationProofPurpose({ - domain, - challenge, - }), - context: IAgentContext + domain, + challenge, + }), + context: IAgentContext, ): Promise { const suite = this.ldSuiteLoader.getSignatureSuiteForKeyType(key.type, key.meta?.verificationMethod?.type) const documentLoader = this.ldDocumentLoader.getLoader(context, true) @@ -129,7 +129,7 @@ export class LdCredentialModule { context: IAgentContext, fetchRemoteContexts = false, purpose: typeof ProofPurpose = new AssertionProofPurpose(), - checkStatus?: Function + checkStatus?: Function, ): Promise { const verificationSuites = this.getAllVerificationSuites() this.ldSuiteLoader.getAllSignatureSuites().forEach((suite) => suite.preVerificationCredModification(credential)) @@ -177,8 +177,8 @@ export class LdCredentialModule { fetchRemoteContexts = false, presentationPurpose: typeof ProofPurpose = !challenge && !domain ? new AssertionProofPurpose() - : new AuthenticationProofPurpose(domain, challenge), - checkStatus?: Function + : new AuthenticationProofPurpose({ domain, challenge }), + checkStatus?: Function, //AssertionProofPurpose() ): Promise { // console.log(JSON.stringify(presentation, null, 2)) From e2117feeb7afddfd41b6fab1d755040520c64107 Mon Sep 17 00:00:00 2001 From: nklomp Date: Sun, 15 Jan 2023 08:59:29 +0100 Subject: [PATCH 06/10] remove debug log lines --- .../src/suites/impl/JsonWebSignatureWithRSASupport.ts | 8 -------- 1 file changed, 8 deletions(-) diff --git a/packages/vc-handler-ld-local/src/suites/impl/JsonWebSignatureWithRSASupport.ts b/packages/vc-handler-ld-local/src/suites/impl/JsonWebSignatureWithRSASupport.ts index ab305aa0e..030371335 100644 --- a/packages/vc-handler-ld-local/src/suites/impl/JsonWebSignatureWithRSASupport.ts +++ b/packages/vc-handler-ld-local/src/suites/impl/JsonWebSignatureWithRSASupport.ts @@ -90,10 +90,8 @@ export class JsonWebSignature { async sign({ verifyData, proof }: any) { try { const signer: any = await this.key?.signer() - console.log(`SIG SUITE sign verifyData: ${u8a.toString(verifyData, 'base64url')}`) const detachedJws = await signer.sign({ data: verifyData }) proof.jws = detachedJws - console.log(`SIG SUITE sign jws: ${detachedJws}`) return proof } catch (e) { console.warn('Failed to sign.') @@ -164,7 +162,6 @@ export class JsonWebSignature { expansionMap, compactProof, }) - console.log(`createProof verifyData: ${u8a.toString(verifyData, 'base64url')}`) // sign data proof = await this.sign({ @@ -238,9 +235,6 @@ export class JsonWebSignature { const signature = proof.jws.split('.')[2] const headerString = proof.jws.split('.')[0] const messageBuffer = u8a.concat([u8a.fromString(`${headerString}.`, 'utf-8'), verifyData]) - console.log(`SIG SUITE verifySig input: ${u8a.toString(messageBuffer, 'utf-8')}`) - console.log(`SIG SUITE verifySig jws: ${signature}`) - console.log(`SIG SUITE verifySig verifyData: ${u8a.toString(verifyData, 'base64url')}`) return await subtle.verify( { name: key.algorithm?.name ? key.algorithm.name : 'RSASSA-PKCS1-V1_5', @@ -275,8 +269,6 @@ export class JsonWebSignature { instance: true, // this means we get a key pair class instance, not just json. }) - console.log(`verifyProof verifyData: ${u8a.toString(verifyData, 'base64url')}`) - // verify signature on data const verified = await this.verifySignature({ verifyData, From f57ae177d5df83d347401dc57aa4a887806e56ea Mon Sep 17 00:00:00 2001 From: nklomp Date: Mon, 16 Jan 2023 03:01:27 +0100 Subject: [PATCH 07/10] remove windows cr when going from pem to x5c --- packages/did-utils/src/x509-utils.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/did-utils/src/x509-utils.ts b/packages/did-utils/src/x509-utils.ts index f6867a297..abd3a702e 100644 --- a/packages/did-utils/src/x509-utils.ts +++ b/packages/did-utils/src/x509-utils.ts @@ -17,7 +17,7 @@ export function pemCertChainTox5c(cert: string, maxDepth?: number): string[] { * `maxdepth` The maximum number of certificates to use from the chain. */ - const intermediate = cert.replace(/-----[^\n]+\n?/gm, ',').replace(/\n/g, '') + const intermediate = cert.replace(/-----[^\n]+\n?/gm, ',').replace(/\n/g, '').replace(/\r/g, '') let x5c = intermediate.split(',').filter(function (c) { return c.length > 0 }) From 4d82518653ff456383561c22870856f110976aa0 Mon Sep 17 00:00:00 2001 From: nklomp Date: Mon, 16 Jan 2023 05:37:35 +0100 Subject: [PATCH 08/10] feat: allow existing did document for mapping --- packages/did-utils/src/didFunctions.ts | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/packages/did-utils/src/didFunctions.ts b/packages/did-utils/src/didFunctions.ts index 028b78449..448d365ab 100644 --- a/packages/did-utils/src/didFunctions.ts +++ b/packages/did-utils/src/didFunctions.ts @@ -130,12 +130,13 @@ export function extractPublicKeyHexWithJwkSupport(pk: _ExtendedVerificationMetho export async function mapIdentifierKeysToDocWithJwkSupport( identifier: IIdentifier, section: DIDDocumentSection = 'keyAgreement', - context: IAgentContext + context: IAgentContext, + didDocument?: DIDDocument ): Promise<_ExtendedIKey[]> { const keys = await mapIdentifierKeysToDoc(identifier, section, context) - const didDocument = await resolveDidOrThrow(identifier.did, context) + const didDoc = didDocument ? didDocument : await resolveDidOrThrow(identifier.did, context) // dereference all key agreement keys from DID document and normalize - const documentKeys: VerificationMethod[] = await dereferenceDidKeysWithJwkSupport(didDocument, section, context) + const documentKeys: VerificationMethod[] = await dereferenceDidKeysWithJwkSupport(didDoc, section, context) const localKeys = identifier.keys.filter(isDefined) // finally map the didDocument keys to the identifier keys by comparing `publicKeyHex` From 5f183ce655a40332a65480634b356ae8fa4d7a84 Mon Sep 17 00:00:00 2001 From: nklomp Date: Mon, 16 Jan 2023 05:54:19 +0100 Subject: [PATCH 09/10] feat: allow existing did document for mapping --- packages/did-utils/src/didFunctions.ts | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/packages/did-utils/src/didFunctions.ts b/packages/did-utils/src/didFunctions.ts index 448d365ab..8d3aa0903 100644 --- a/packages/did-utils/src/didFunctions.ts +++ b/packages/did-utils/src/didFunctions.ts @@ -133,7 +133,9 @@ export async function mapIdentifierKeysToDocWithJwkSupport( context: IAgentContext, didDocument?: DIDDocument ): Promise<_ExtendedIKey[]> { - const keys = await mapIdentifierKeysToDoc(identifier, section, context) + const rsaDidWeb = identifier.keys && identifier.keys.length > 0 && identifier.keys[0].type === 'RSA' && didDocument + // We skip mapping in case the identifier is RSA and a did document is supplied. + const keys = rsaDidWeb ? [] : await mapIdentifierKeysToDoc(identifier, section, context) const didDoc = didDocument ? didDocument : await resolveDidOrThrow(identifier.did, context) // dereference all key agreement keys from DID document and normalize const documentKeys: VerificationMethod[] = await dereferenceDidKeysWithJwkSupport(didDoc, section, context) From 2e97af6eeab2fe0530cd12425fd6eaf72f42a012 Mon Sep 17 00:00:00 2001 From: nklomp Date: Fri, 20 Jan 2023 02:07:53 +0100 Subject: [PATCH 10/10] fix: Remove workaround for verifier missing with ed25519 key --- .../vc-handler-ld-local/src/agent/CredentialHandlerLDLocal.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/vc-handler-ld-local/src/agent/CredentialHandlerLDLocal.ts b/packages/vc-handler-ld-local/src/agent/CredentialHandlerLDLocal.ts index 8848f721f..83e03929b 100644 --- a/packages/vc-handler-ld-local/src/agent/CredentialHandlerLDLocal.ts +++ b/packages/vc-handler-ld-local/src/agent/CredentialHandlerLDLocal.ts @@ -149,9 +149,9 @@ export class CredentialHandlerLDLocal implements IAgentPlugin { } // Workaround for bug in TypeError: Cannot read property 'length' of undefined // at VeramoEd25519Signature2018.preSigningPresModification - if (!presentation.verifier) { + /*if (!presentation.verifier) { presentation.verifier = [] - } + }*/ if (!isDefined(presentation.holder) || !presentation.holder) { throw new Error('invalid_argument: args.presentation.holder must not be empty')