Skip to content

Commit

Permalink
updates to alg checking
Browse files Browse the repository at this point in the history
  • Loading branch information
nitro-neal committed Feb 14, 2024
1 parent d91fe6d commit 1e63970
Show file tree
Hide file tree
Showing 2 changed files with 11 additions and 6 deletions.
7 changes: 6 additions & 1 deletion packages/credentials/src/jwt.ts
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,8 @@ import { Convert } from '@web5/common';
import { LocalKeyManager as CryptoApi } from '@web5/crypto';
import { DidDht, DidIon, DidKey, DidJwk, DidWeb, DidResolver, utils as didUtils } from '@web5/dids';

const crypto = new CryptoApi();

/**
* Result of parsing a JWT.
*/
Expand Down Expand Up @@ -141,12 +143,15 @@ export class Jwt {
throw new Error('Verification failed: Expected kid in JWT header to dereference to a DID Document Verification Method with publicKeyJwk');
}

if(publicKeyJwk.alg && (publicKeyJwk.alg !== decodedJwt.header.alg)) {
throw new Error('Verification failed: Expected alg in JWT header to match DID Document Verification Method alg');
}

const signedData = `${encodedJwt.header}.${encodedJwt.payload}`;
const signedDataBytes = Convert.string(signedData).toUint8Array();

const signatureBytes = Convert.base64Url(encodedJwt.signature).toUint8Array();

const crypto = new CryptoApi();
const isSignatureValid = await crypto.verify({
key : publicKeyJwk,
signature : signatureBytes,
Expand Down
10 changes: 5 additions & 5 deletions packages/credentials/tests/jwt.spec.ts
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ import type { JwtHeaderParams, JwtPayload, PrivateKeyJwk } from '@web5/crypto';
import { expect } from 'chai';
import { Convert } from '@web5/common';
import { Ed25519 } from '@web5/crypto';
import { DidKey, PortableDid } from '@web5/dids';
import { DidJwk, DidKey, PortableDid } from '@web5/dids';

import { Jwt } from '../src/jwt.js';

Expand Down Expand Up @@ -100,9 +100,9 @@ describe('Jwt', () => {
}
});

it.skip('throws error if public key alg is not supported', async () => {
const did = await DidKey.create({ options: { algorithm: 'secp256k1'} });
const header: JwtHeaderParams = { typ: 'JWT', alg: 'ES256K', kid: did.document.verificationMethod![0].id };
it('throws error if public key alg is not supported', async () => {
const did = await DidJwk.create({ options: { algorithm: 'secp256k1'} });
const header: JwtHeaderParams = { typ: 'JWT', alg: 'ES256', kid: did.document.verificationMethod![0].id };
const base64UrlEncodedHeader = Convert.object(header).toBase64Url();

const payload: JwtPayload = { iat: Math.floor(Date.now() / 1000) };
Expand All @@ -112,7 +112,7 @@ describe('Jwt', () => {
await Jwt.verify({ jwt: `${base64UrlEncodedHeader}.${base64UrlEncodedPayload}.hijk` });
expect.fail();
} catch(e: any) {
expect(e.message).to.include('not supported');
expect(e.message).to.include('Verification failed: Expected alg in JWT header to match DID Document Verification Method alg');
}
});

Expand Down

0 comments on commit 1e63970

Please sign in to comment.