RSA Proof wrong canonicalization #524

Closed
fabrii opened this issue Jun 3, 2023 · 6 comments

@fabrii

fabrii commented Jun 3, 2023

Hi!

There seems to be an error when calculating the canonicalization of an RsaSignature2018 proof.

The result of the library is like this:

_:c14n0 <http://purl.org/dc/terms/created> "2023-06-03T20:00:01Z"^^<xsd:dateTime> .
_:c14n0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://w3id.org/security#RsaSignature2018> .
_:c14n0 <sec:proofPurpose> <https://w3id.org/security#assertionMethod> .
_:c14n0 <sec:verificationMethod> <urn:oid:2.16.858.0.0.0.3.0#1> .

when it should be like this:

_:c14n0 <http://purl.org/dc/terms/created> "2023-06-03T20:00:01Z"^^<http://www.w3.org/2001/XMLSchema#dateTime> .
_:c14n0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://w3id.org/security#RsaSignature2018> .
_:c14n0 <https://w3id.org/security#proofPurpose> <https://w3id.org/security#assertionMethod> .
_:c14n0 <https://w3id.org/security#verificationMethod> <urn:oid:2.16.858.0.0.0.3.0#1> .

On the other side, the Ed25519Signature2020 is working ok:

_:c14n0 <http://purl.org/dc/terms/created> "2023-05-23T21:37:44Z"^^<http://www.w3.org/2001/XMLSchema#dateTime> .
_:c14n0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://w3id.org/security#Ed25519Signature2020> .
_:c14n0 <https://w3id.org/security#proofPurpose> <https://w3id.org/security#assertionMethod> .
_:c14n0 <https://w3id.org/security#verificationMethod> <urn:oid:2.16.858.0.0.0.3.0#1> .
@davidlehn
Member

Please provide minimal runnable test code that shows the issue. There's not enough info here to know what may be going on. If I had to guess, one of the contexts you are using, or not using, has not defined "sec" and "xsd", so they are being used literally as IRI schemes, rather than being expanded.
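
Added example, not part of the original thread and not the project's code: a pre-signing check that scans canonicalized N-Quads for IRIs whose scheme is really an unexpanded prefix, the failure mode guessed at in the comment above. The function names and the allow-list of schemes are assumptions; the two inputs are the N-Quads quoted in the issue.

```javascript
// Added example (not the project's code): flag IRIs in canonical N-Quads whose
// "scheme" is really an unexpanded JSON-LD prefix such as sec: or xsd:.

// Assumption: the only schemes this deployment expects in absolute IRIs.
const EXPECTED_SCHEMES = new Set(['http', 'https', 'urn', 'did']);

// Sample input: the RsaSignature2018 output quoted in the issue.
const BROKEN_NQUADS = [
  '_:c14n0 <http://purl.org/dc/terms/created> "2023-06-03T20:00:01Z"^^<xsd:dateTime> .',
  '_:c14n0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://w3id.org/security#RsaSignature2018> .',
  '_:c14n0 <sec:proofPurpose> <https://w3id.org/security#assertionMethod> .',
  '_:c14n0 <sec:verificationMethod> <urn:oid:2.16.858.0.0.0.3.0#1> .',
].join('\n');

// Sample input: the expected output quoted in the issue.
const EXPECTED_NQUADS = [
  '_:c14n0 <http://purl.org/dc/terms/created> "2023-06-03T20:00:01Z"^^<http://www.w3.org/2001/XMLSchema#dateTime> .',
  '_:c14n0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://w3id.org/security#RsaSignature2018> .',
  '_:c14n0 <https://w3id.org/security#proofPurpose> <https://w3id.org/security#assertionMethod> .',
  '_:c14n0 <https://w3id.org/security#verificationMethod> <urn:oid:2.16.858.0.0.0.3.0#1> .',
].join('\n');

// Returns one finding per suspicious IRI: {line, iri, reason}.
function findUnexpandedTerms(nquads, expected = EXPECTED_SCHEMES) {
  const findings = [];
  nquads.split('\n').forEach((line, idx) => {
    // Blank out literal values so IRI-like text inside quotes is not matched.
    const stripped = line.replace(/"(?:[^"\\]|\\.)*"/g, '""');
    for (const m of stripped.matchAll(/<([^<>\s]*)>/g)) {
      const iri = m[1];
      const scheme = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(iri);
      if (!scheme) {
        findings.push({line: idx + 1, iri, reason: 'no scheme (relative IRI)'});
      } else if (!expected.has(scheme[1].toLowerCase())) {
        findings.push({line: idx + 1, iri, reason: `unexpected scheme "${scheme[1]}"`});
      }
    }
  });
  return findings;
}

// Refuse to sign (or verify) when canonicalization leaked a compact IRI.
function assertFullyExpanded(nquads) {
  const findings = findUnexpandedTerms(nquads);
  if (findings.length === 0) return true;
  const detail = findings.map(f => `line ${f.line}: <${f.iri}> ${f.reason}`).join('; ');
  throw new Error(`canonical form contains unexpanded terms: ${detail}`);
}
```

Running `assertFullyExpanded` on the canonical form before hashing it turns a silent cross-implementation verification failure into an explicit error at signing time.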

@fabrii
Author

fabrii commented Jun 4, 2023

Hi @davidlehn. Here I have a reproducer. Start the application and see the console output log.

https://github.com/fabrii/dc-playground

Thanks!

@fabrii
Author

fabrii commented Jun 7, 2023

Is the "https://w3id.org/security/v1" context missing somewhere?

I am doing the canonicalization also in a Java library, with the same contexts used in JavaScript, and it works ok, without manually adding the security context.

@dlongley
Member

dlongley commented Jun 7, 2023

It's known that RsaSignature2018 is broken when using it with the VC 1.0 context:

w3c/vc-data-model#778

@fabrii
Author

fabrii commented Jun 7, 2023

Hi @dlongley. Thanks for your response.

I read the https://w3c-ccg.github.io/lds-rsa2018/ spec, and although I know it is an unofficial draft, there is no warning of this. Note also that RsaSignature2018 is heavily used in https://www.w3.org/TR/vc-data-model/

Is there any known workaround?

In Java, I am using https://github.com/danubetech/verifiable-credentials-java that uses https://github.com/WebOfTrustInfo/ld-signatures-java under the hood, and they seem to not have the problem. I will ask @peacekeeper about this.

Thanks

@fabrii
Author

fabrii commented Jun 27, 2023

Closing here to open in digitalbazaar/jsonld-signatures#174

@fabrii fabrii closed this as completed Jun 27, 2023