[BUG] verifyPresentation doesn't verify VCs inside VP
kimdhamilton opened this issue · comments
Current Behavior
verifyPresentation
verifies the outer VP but not the VCs inside
Expected Behavior
My understanding is that VP verification includes verification of VP plus VCs contained in it. The VC-DATA-MODEL is not clear on this, but this is the convention that we've established based on common interpretation/expectation. Documented here: https://github.com/w3c-ccg/vc-http-api/blob/main/verification.md
Failure Information
verifyPresentation
succeeds when VP is wrapping a known failing VC
Steps to Reproduce
Please provide detailed steps for reproducing the issue.
-
Created an expired VC, e.g.
const expiredVc = 'eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MjYyMDgzNTIsInZjIjp7IkBjb250ZXh0IjpbImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL3YxIl0sInR5cGUiOlsiVmVyaWZpYWJsZUNyZWRlbnRpYWwiXSwiY3JlZGVudGlhbFN1YmplY3QiOnsiZGVncmVlIjp7InR5cGUiOiJCYWNoZWxvckRlZ3JlZSIsIm5hbWUiOiJCYWNjYWxhdXLDqWF0IGVuIG11c2lxdWVzIG51bcOpcmlxdWVzIn19fSwic3ViIjoiZGlkOmV0aHI6MHg0MzVkZjNlZGE1NzE1NGNmOGNmNzkyNjA3OTg4MWYyOTEyZjU0ZGI0IiwibmJmIjoxNjI2MjA4MzQyLCJpc3MiOiJkaWQ6a2V5Ono2TWtzR0toMjNtSFp6MkZwZU5ENld4SnR0ZDhUV2hrVGdhN210Yk0xeDF6TTY1bSJ9.n0Cko-LZtZjrVHMjzlMUUxB6GGkx9MlNy68nALEeh_Doj42UDZkCwF872N4pVzyqKEexAX8PxAgtqote2rHMAA'
-
Confirm it fails
verifyCredential
, as expected -
Wrap that in a VP and sign it with
createVerifiablePresentationJwt
, e.g. as in index.test.ts
const presentationPayload = {
vp: {
'@context': [DEFAULT_CONTEXT, EXTRA_CONTEXT_A],
type: [DEFAULT_VP_TYPE],
verifiableCredential: [ expiredVc],
},
}
- Note that
verifyPresentation
succeeds whereasverifyCredential
failed
Workarounds Considered
Callers can call verifyCredential
on each VC in the presentation, but I wanted to discuss and document this, since this may be a common expectation, and would lead to unexpected behavior (possible security issues)
Thanks for reporting this.
This is somewhat intentional. The main reason for this behavior is that the embedded credentials in a VP are not limited to JWT format (that I'm aware of). Since this library doesn't have the ability to verify credentials in other kinds of formats it is left to the application to do the verification.
You are right that this aspect should be better documented.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.