VerifiableCredential.verify doesn't validate the signer of the VC against the real issuer #420

Closed
Johnnyevans32 opened this issue Feb 21, 2024 · 4 comments
Johnnyevans32 commented Feb 21, 2024

Here is a scenario where alice fake-signs a VC with bob as the issuer, and the parsed JWT doesn't signify anywhere in its returned payload that alice signed the VC.

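```
// Imports are assumed; the report does not show them.
import { DidKeyMethod } from "@web5/dids";
import { VerifiableCredential } from "@web5/credentials";
import moment from "moment";

const bob = await DidKeyMethod.create();
const alice = await DidKeyMethod.create();

// The credential names bob as both issuer and subject.
const authAuthorizationVc = await VerifiableCredential.create({
  type: "AuthAuthorization",
  issuer: bob.did,
  subject: bob.did,
  data: { data: "ok" },
  expirationDate: moment()
    .add(1, "minutes")
    .toISOString()
    .replace(/\.\d+Z$/, "Z"),
});

// It is signed with alice's DID, not bob's.
const signedVcJwt = await authAuthorizationVc.sign({
  did: alice,
});

console.log({ signedVcJwt, bob, alice });

// Reported behaviour: nothing in the result shows that alice was the signer.
const verified = await VerifiableCredential.verify({ vcJwt: signedVcJwt });
console.log({ verified });
```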
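Added example, not part of the original thread and not the project's code: one way to express the check this report asks for, comparing the DID that signed the JWT with the issuer the credential claims. It assumes the signer is identified by the JWT header `kid` and the issuer by `iss` and `vc.issuer`; `checkIssuerBinding`, `makeSampleJwt` and the `did:example` DIDs are hypothetical names and constructed values.

```javascript
// Added example (not the SDK's code): bind the JWT signer to the VC issuer.
// This checks claims only; it must run in addition to signature verification.
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Builds a constructed sample token. The third segment is a placeholder, not a signature.
function makeSampleJwt({ kid, iss, vcIssuer }) {
  const header = { alg: 'EdDSA', typ: 'JWT', kid };
  const vc = { type: ['VerifiableCredential', 'AuthAuthorization'], issuer: vcIssuer };
  return `${enc(header)}.${enc({ iss, sub: iss, vc })}.placeholder-signature`;
}

function checkIssuerBinding(vcJwt) {
  const fail = (reason) => ({ ok: false, signerDid: null, reasons: [reason] });
  const parts = String(vcJwt).split('.');
  if (parts.length !== 3) return fail('not a three-part compact JWT');
  let header, payload;
  try {
    [header, payload] = [dec(parts[0]), dec(parts[1])];
  } catch {
    return fail('header or payload is not base64url-encoded JSON');
  }
  if (!header || typeof header !== 'object' || !payload || typeof payload !== 'object') {
    return fail('header or payload is not a JSON object');
  }
  // Assumption: kid is a DID URL ("did:...#key"); the DID before '#' names the signer.
  const signerDid = typeof header.kid === 'string' ? header.kid.split('#')[0] : null;
  // vc.issuer may be a DID string or an object carrying the DID in `id`.
  const rawIssuer = payload.vc ? payload.vc.issuer : undefined;
  const vcIssuer = typeof rawIssuer === 'string' ? rawIssuer : rawIssuer?.id;
  const reasons = [];
  if (!signerDid || !signerDid.startsWith('did:')) reasons.push('header.kid is not a DID URL');
  if (typeof payload.iss !== 'string') reasons.push('missing iss claim');
  if (typeof vcIssuer !== 'string') reasons.push('missing vc.issuer');
  if (reasons.length === 0) {
    if (payload.iss !== vcIssuer) reasons.push('iss does not match vc.issuer');
    if (signerDid !== payload.iss) reasons.push('signer DID does not match iss');
    if (signerDid !== vcIssuer) reasons.push('signer DID does not match vc.issuer');
  }
  return { ok: reasons.length === 0, signerDid, reasons };
}

// Constructed DIDs standing in for the bob and alice of the report.
const BOB = 'did:example:bob';
const ALICE = 'did:example:alice';
const honest = makeSampleJwt({ kid: `${BOB}#key-1`, iss: BOB, vcIssuer: BOB });
const forged = makeSampleJwt({ kid: `${ALICE}#key-1`, iss: BOB, vcIssuer: BOB });
console.log(checkIssuerBinding(honest));
console.log(checkIssuerBinding(forged));
```

The returned `signerDid` also gives a caller the signer identity that the report says is missing from the verification result.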
@nitro-neal
Contributor

Looking at this

nitro-neal self-assigned this Feb 21, 2024
@jiyoonie9

@nitro-neal as part of working on this issue, would we be able to verify that web5-kt works the same way?

@nitro-neal
Contributor

Yup I have test vectors that test for that:
decentralized-identity/web5-spec#121

nitro-neal moved this to In Code Review in SDK Development Mar 14, 2024
@nitro-neal
Contributor

Merged here - #421

Thank you for the support!

github-project-automation bot moved this from In Code Review to Done in SDK Development Mar 21, 2024