Giters

decentralized-identity / did-jwt-vc

Create and verify W3C Verifiable Credentials and Presentations in JWT format

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

[BUG] verifyPresentation doesn't verify VCs inside VP

kimdhamilton opened this issue · comments

commented

Current Behavior

verifyPresentation verifies the outer VP but not the VCs inside

Expected Behavior

My understanding is that VP verification includes verification of VP plus VCs contained in it. The VC-DATA-MODEL is not clear on this, but this is the convention that we've established based on common interpretation/expectation. Documented here: https://github.com/w3c-ccg/vc-http-api/blob/main/verification.md

Failure Information

verifyPresentation succeeds when VP is wrapping a known failing VC

Steps to Reproduce

Please provide detailed steps for reproducing the issue.

  1. Created an expired VC, e.g.
    const expiredVc = 'eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MjYyMDgzNTIsInZjIjp7IkBjb250ZXh0IjpbImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL3YxIl0sInR5cGUiOlsiVmVyaWZpYWJsZUNyZWRlbnRpYWwiXSwiY3JlZGVudGlhbFN1YmplY3QiOnsiZGVncmVlIjp7InR5cGUiOiJCYWNoZWxvckRlZ3JlZSIsIm5hbWUiOiJCYWNjYWxhdXLDqWF0IGVuIG11c2lxdWVzIG51bcOpcmlxdWVzIn19fSwic3ViIjoiZGlkOmV0aHI6MHg0MzVkZjNlZGE1NzE1NGNmOGNmNzkyNjA3OTg4MWYyOTEyZjU0ZGI0IiwibmJmIjoxNjI2MjA4MzQyLCJpc3MiOiJkaWQ6a2V5Ono2TWtzR0toMjNtSFp6MkZwZU5ENld4SnR0ZDhUV2hrVGdhN210Yk0xeDF6TTY1bSJ9.n0Cko-LZtZjrVHMjzlMUUxB6GGkx9MlNy68nALEeh_Doj42UDZkCwF872N4pVzyqKEexAX8PxAgtqote2rHMAA'

  2. Confirm it fails verifyCredential, as expected

  3. Wrap that in a VP and sign it with createVerifiablePresentationJwt, e.g. as in index.test.ts

const presentationPayload = {
  vp: {
    '@context': [DEFAULT_CONTEXT, EXTRA_CONTEXT_A],
    type: [DEFAULT_VP_TYPE],
    verifiableCredential: [ expiredVc],
  },
}
  1. Note that verifyPresentation succeeds whereas verifyCredential failed

Workarounds Considered

Callers can call verifyCredential on each VC in the presentation, but I wanted to discuss and document this, since this may be a common expectation, and would lead to unexpected behavior (possible security issues)

commented

Thanks for reporting this.

This is somewhat intentional. The main reason for this behavior is that the embedded credentials in a VP are not limited to JWT format (that I'm aware of). Since this library doesn't have the ability to verify credentials in other kinds of formats it is left to the application to do the verification.

You are right that this aspect should be better documented.

commented

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.