decentralized-identity / did-jwt-vc

Create and verify W3C Verifiable Credentials and Presentations in JWT format

no_suitable_keys: DID document for did:ion:

vollit opened this issue

Hello, I'm trying to verify the JWTCredential. I made a resolver for did:ion that resolves a DID document like this:

{
   "@context":"https://w3id.org/did-resolution/v1",
   "didDocument":{
      "id":"did:ion:EiAbPkmihA4QYekuRDZLRJXCJmRXujIt27bzoQ7V8TIjBA",
      "@context":[
         "https://www.w3.org/ns/did/v1",
         {
            "@base":"did:ion:EiAbPkmihA4QYekuRDZLRJXCJmRXujIt27bzoQ7V8TIjBA"
         }
      ],
      "service":[
         {
            "id":"#gemeente",
            "type":"LinkedDomain",
            "serviceEndpoint":"fictievegemeente.nl"
         }
      ],
      "verificationMethod":[
         {
            "id":"#key-1",
            "controller":"",
            "type":"EcdsaSecp256k1VerificationKey2019",
            "publicKeyJwk":{
               "kty":"EC",
               "crv":"secp256k1",
               "x":"IWzoDukXeTR_YUk_0OnLKDWsMSBL4oaKZSYRhi6Bq0o",
               "y":"iFt2Ct4Qcl0E8Oy_fUUkIlaqw_Wc0z4iA1Pk1-lLK8k"
            }
         }
      ],
      "authentication":[
         "#key-1"
      ]
   },
   "didDocumentMetadata":{
      "method":{
         "published":true,
         "recoveryCommitment":"EiAwYZXpWB27sbYKQspL3O1SjX15Du7i-j5y17QClzHW8A",
         "updateCommitment":"EiAnMhGvlhGmp0wA-LjlgRdmXNSsl_gIJalf8H8JzFgbFQ"
      },
      "canonicalId":"did:ion:EiAbPkmihA4QYekuRDZLRJXCJmRXujIt27bzoQ7V8TIjBA"
   }
}

The code I run is:

import { Resolver } from 'did-resolver'
import { ES256KSigner } from 'did-jwt'
import { createVerifiableCredentialJwt, verifyCredential, Issuer, JwtCredentialPayload } from 'did-jwt-vc'

// getResolver (the poster's own did:ion resolver) and DID (the issuer's key object) are defined elsewhere
const IonResolver = getResolver()

const didResolver = new Resolver({
  ...IonResolver
})

export async function generateVc() {
  // this is an object which holds the keys for the issuer
  const did = DID

  const iondid = {
    did: did.state.longForm,
    signer: ES256KSigner(did.privateJwk.d, true),
    alg: 'ES256K'
  }

  const issuer = iondid as Issuer

  const vcPayload: JwtCredentialPayload = {
    sub: did.state.shortForm,
    nbf: 1562950282,
    vc: {
      '@context': ['https://www.w3.org/2018/credentials/v1'],
      type: ['VerifiableCredential'],
      credentialSubject: {
        degree: {
          type: 'Stemgerechtigd',
          name: 'Je mag stemmen'
        }
      }
    }
  }

  const vcJwt = await createVerifiableCredentialJwt(vcPayload, issuer, { header: { alg: 'ES256K' } })

  const verifiedVC = await verifyCredential(vcJwt, didResolver, { header: { alg: 'ES256K' } })
}

The algorithms match, but it keeps saying that it can't find the public key to verify the VC. But the verification method is present in the DID document.

Error: no_suitable_keys: DID document for did:ion:EiAbPkmihA4QYekuRDZLRJXCJmRXujIt27bzoQ7V8TIjBA:… does not have public keys for ES256K

I think I'm missing a step, can someone help me?

@vollit Thanks for reporting this.

It's because the public key material is written as publicKeyJwk. This library doesn't have support for that key representation yet.
Are you able to use a different representation for the key?

@mirceanis So I need to convert it to a hex key? It is very annoying that ION DID uses a JWK in all the libraries, but I need the keys as hex for some functions.

Thanks for the reply! I will try this.

Actually, this might be a different issue.
This library relies on did-jwt for the actual verification, and there should be support for publicKeyJwk there, but something is not right.

Do you have a sample JWT that should be verified by this?

@vollit I wasn't able to reproduce your issue.
I added a test in #99 that uses a DID document with publicKeyJwk. Everything works out fine.

While writing the test, I noticed 2 things in your sample:

  1. the publicKeyJwk you are using is hardcoded but the private key is not.
    Please ensure that your public key is derived from your did.privateJwk.d, since that is what you are using to sign.

  2. the Signer you are using is actually creating ES256K-R signatures, but you are specifying ES256K as algorithm.
    This can be fixed like so:

var issuer: Issuer = {
  did: did.state.longForm,
  signer: ES256KSigner(did.privateJwk.d, false), // set the recoverable flag to false
  alg: "ES256K"
}
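
The two checks from the comment above, as an added example that is not code from this issue or from did-jwt: it compares a JWT's declared `alg` with the length of its signature (64 bytes for compact ES256K, 65 bytes for recoverable ES256K-R) and converts a `publicKeyJwk` to uncompressed hex so it can be compared with the key derived from the signing key. The function names and the sample JWT with filler signature bytes are constructed for illustration.

```javascript
// Added diagnostic, not part of did-jwt or did-jwt-vc.
// Decode one base64url segment to bytes.
const b64u = (s) => Buffer.from(s, 'base64url');

// Compare the alg declared in the JWT header with the signature's shape:
// a compact ES256K signature is r||s (64 bytes); the recoverable variant
// (ES256K-R) appends a one-byte recovery id (65 bytes).
function inspectJwtSignature(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = JSON.parse(b64u(parts[0]).toString('utf8'));
  const sigLen = b64u(parts[2]).length;
  const shape = sigLen === 64 ? 'ES256K' : sigLen === 65 ? 'ES256K-R' : 'unknown';
  return { declaredAlg: header.alg, sigLen, shape, consistent: header.alg === shape };
}

// Turn a secp256k1 publicKeyJwk into the uncompressed hex point (04 || x || y)
// so it can be compared with the public key derived from the signing key.
function jwkToUncompressedHex(jwk) {
  if (jwk.kty !== 'EC' || jwk.crv !== 'secp256k1') throw new Error('not a secp256k1 JWK');
  const x = b64u(jwk.x);
  const y = b64u(jwk.y);
  if (x.length !== 32 || y.length !== 32) throw new Error('coordinates must be 32 bytes');
  return '04' + x.toString('hex') + y.toString('hex');
}

// Constructed sample: the signature bytes are filler, not a real signature.
function sampleJwt(sigLen) {
  const seg = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const sig = Buffer.alloc(sigLen, 1).toString('base64url');
  return [seg({ alg: 'ES256K', typ: 'JWT' }), seg({ iss: 'did:example:issuer' }), sig].join('.');
}

// publicKeyJwk copied from the DID document posted in this issue.
const publishedJwk = {
  kty: 'EC',
  crv: 'secp256k1',
  x: 'IWzoDukXeTR_YUk_0OnLKDWsMSBL4oaKZSYRhi6Bq0o',
  y: 'iFt2Ct4Qcl0E8Oy_fUUkIlaqw_Wc0z4iA1Pk1-lLK8k'
};

console.log(inspectJwtSignature(sampleJwt(65))); // recoverable signature under an ES256K header
console.log(inspectJwtSignature(sampleJwt(64))); // compact signature, header and shape agree
console.log(jwkToUncompressedHex(publishedJwk));
```

Run `inspectJwtSignature` on the JWT your issuer actually produced; `consistent: false` with `shape: 'ES256K-R'` points at the recoverable flag of the signer.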

🎉 This issue has been resolved in version 2.1.9 🎉

The release is available on:

Your semantic-release bot 📦🚀

Please reopen this issue if you addressed the things I noted and the problem still persists.

The problem is fixed. I made 2 mistakes:

  1. The private key was not encoded in base64.

  2. The resolver resolved the DIDDocument in a wrong way, so the VerifyJWT could not find the PublicKey.

Thanks for the help!