Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disclosure encoding is lost which may result in incorrect matching #37

Open
c2bo opened this issue Feb 17, 2024 · 2 comments
Open

Disclosure encoding is lost which may result in incorrect matching #37

c2bo opened this issue Feb 17, 2024 · 2 comments

Comments

@c2bo
Copy link

c2bo commented Feb 17, 2024

One of the quirks of SD-JWT is that the disclosures themselves can be encoded however the issuer deems right. There is no necessity to define rules like always using minified JSON or certain characters etc.

This means that as a holder, you have to keep the original base64 disclosure to compute hashes and disclose them. From my understanding you are parsing the disclosures and only working on the parsed disclosures - losing the initial encoding. As long as the issuer uses the same kind of encoding (e.g., JSON minified with utf-8) everything is fine, but if for example the JSON is not minified by the issuer the result will be different hashes breaking everything.

I created a small test based on your examples that uses an example of the sd-jwt-vc spec (with the python implementation from Daniel that does not minify JSON) that loses the disclosures in the process: https://gist.github.com/c2bo/06bb2fc028c31e01a5ba9108e2f738df

Output is

{
  iss: 'https://example.com/issuer',
  iat: 1683000000,
  exp: 1883000000,
  vct: 'https://credentials.example.com/identity_credential',
  cnf: {
    jwk: {
      kty: 'EC',
      crv: 'P-256',
      x: 'TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc',
      y: 'ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ'
    }
  }
}

My understanding would be, that the output of getPrettyClaims() should include the resolved disclosures, for example

"given_name": "John"

which does not happen because the calculated digests differ from the ones in the SD-JWT (because of different encoding). Output of the digests results in:

Disclosures and digests differ:

"WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwiZ2l2ZW5fbmFtZSIsIkpvaG4iXQ" -> ["2GLC42sKQveCfGfryNRN9w","given_name","John"]

whereas the issuer provided

"WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUiLCAiSm9obiJd" -> ["2GLC42sKQveCfGfryNRN9w", "given_name", "John"]
@berendsliedrecht
Copy link
Owner

Hi! Yeah that is a really good catch.

This library will be merged into the openwalletfoundations sd-jwt-js so this issue will have to be resolved there (if it also occurs there).

@c2bo
Copy link
Author

c2bo commented Feb 22, 2024

I quickly glanced over that implementation and it seems to not share this problem. I just wanted to make you aware of this problem if this library is already used in demos etc (e.g., with credo).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@c2bo @berendsliedrecht