LdpPresentationGenerator fails to add public key to a VP proof node. #332
Replies: 8 comments
-
Thanks for your contribution 🔥 We will take a look asap 🚀
-
I think you don't have the whole picture here. LD proofs can have embedded JWKs, in which case you'd be correct, simply adding the Generally, LDP verification has to be done on the expanded form of the credential. As a matter of security, public key material should not be embedded directly, but should be resolved from the credential/presentation issuer's DID to establish provenance.
-
That's not a bug either :) the
-
Sorry, I am still not fully grasping what the correct implementation should be here. Is the default MethodResolver not capable of passing LdpVerification checks, as it will never provide the correct verification method? To me it looks like the DataIntegrityKeyPair class implements the wrong interface. 0.6.1: 0.6.2: In both versions LdpVerifier checks the VerificationKey interface:
-
No, the key aspect to remember is that all verification checks happen on the expanded JSON-LD of an LDP credential. Expansion is the process of dereferencing and resolving all linked data, such as the public key material. That means that whether you embed the JWK or link it via a URL does not matter in the end, because both "variants" produce the same (ugly) JSON document. You have to expand, though. The If you have discovered a bug, I would ask you to provide a reproducible test case, preferably as a Gist; otherwise I would like to convert this issue into a discussion, as that seems more appropriate.
-
Thanks. Since it's not directly an Identity Hub issue, let's convert this one to a discussion then. I will try using referenced verification and see if it works. Still, the LdpVerifier and DataIntegrityKeyPair code looks a bit misleading or wrong. In any case, if that part continues to block me, I will report with a gist in the connector repo :)
-
I would also recommend reading up on the related specifications and material about Linked Data proofs, in particular the W3C VC Data Model, the W3C JsonWebSignature2020 specification and the W3C VC Data Integrity document, but like I said, if you have specific suggestions for improvements, feel free to raise a well-scoped issue. Just be aware that when adding linked proofs to a VC, they must subsequently be resolvable, e.g. via a DID resolver, an HTTP resolver, or some other method; otherwise the verification fails.
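As an added illustration of the maintainer's point above (this is example code written for this thread, not code from IdentityHub or EDC), the following Python sketch resolves a proof's verificationMethod whether it is an embedded node carrying publicKeyJwk or a DID URL dereferenced against a DID document, and rejects a node that carries neither, which is the shape of the check the reporter ran into. The DID, the JWK values and the in-memory resolver are constructed stand-ins.

```python
import json
from typing import Any, Optional, Tuple

# Constructed sample: one issuer DID document publishing a JsonWebKey2020 method.
ISSUER_DID = "did:example:issuer"
PUBLIC_JWK = {"kty": "OKP", "crv": "Ed25519", "x": "constructed-x"}  # not a real key
DID_DOCUMENTS = {
    ISSUER_DID: {
        "id": ISSUER_DID,
        "verificationMethod": [{
            "id": ISSUER_DID + "#key-1",
            "type": "JsonWebKey2020",
            "controller": ISSUER_DID,
            "publicKeyJwk": PUBLIC_JWK,
        }],
    }
}


def resolve_did_document(did: str) -> Optional[dict]:
    """Stand-in for a DID resolver: a lookup in the constructed registry above."""
    return DID_DOCUMENTS.get(did)


def expand_verification_method(vm: Any) -> Optional[dict]:
    """Return the verification-method node that carries publicKeyJwk, or None.

    An embedded node (dict) is used as-is; a DID URL (str) is dereferenced by
    resolving the DID part and selecting the node whose id matches the full URL.
    Either way the caller ends up with the same node, which is the point of
    expansion: the embedded and referenced forms are equivalent once resolved.
    """
    if isinstance(vm, dict):
        return vm if "publicKeyJwk" in vm else None
    if isinstance(vm, str) and vm.startswith("did:"):
        doc = resolve_did_document(vm.split("#", 1)[0])
        for node in (doc or {}).get("verificationMethod", []):
            if node.get("id") == vm and "publicKeyJwk" in node:
                return node
    return None


def check_proof_key(proof: dict) -> Tuple[bool, Any]:
    """Succeed only when key material is reachable from the proof's verificationMethod."""
    node = expand_verification_method(proof.get("verificationMethod"))
    if node is None:
        return False, "Proof did not contain a resolvable verification method with publicKeyJwk"
    return True, json.loads(json.dumps(node["publicKeyJwk"]))  # detached copy of the JWK
```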
-
Bug Report
With version 0.6.2 there seems to be a change in how VP proofs are populated. A missing publicKeyJwk leads to a verification exception in LdpVerifier, as it fails to correctly parse the verification method:

    if (!(verificationMethod instanceof VerificationKey)) {
        return failure("Proof did not contain a valid VerificationMethod, expected VerificationKey, got: %s".formatted(verificationMethod.getClass()));
    }
Possible Implementation
LdpPresentationGenerator fails to add publicKeyJwk, as it was not passed to the proof draft's verification method. JsonWebKeyPair uses the provided key to derive the public key.
https://github.com/eclipse-edc/IdentityHub/blob/main/core/identity-hub-credentials/src/main/java/org/eclipse/edc/identityhub/core/creators/LdpPresentationGenerator.java#L169
Passing the JWK to the proof makes the VP proof valid again.