Library compatibility when non well-formed DIDs are present #203

Closed
vitorpamplona opened this issue Dec 31, 2021 · 8 comments · Fixed by #204

vitorpamplona commented Dec 31, 2021

Is there any chance this UriUtils.isAbsoluteUri(subject) restriction can be made optional for those of us trying to cryptographically verify credentials generated by JavaScript libraries that do not enforce that rule?

Skipping the field breaks the cryptographic verification process on around 1B existing, and otherwise valid, credentials from the DIVOC system (COVID-19 immunization records) in India. They shipped those W3C VCs with DIDs that include a space.

Otherwise, we are left having to fork this project just to remove that line. :(

filip26 (Owner) commented Dec 31, 2021

Hi @vitorpamplona, thank you for opening the issue. Could you provide an example, a test case?

vitorpamplona (Author) commented Dec 31, 2021

Here's an example. (I can't share the original code because of health data)

Check the space on the id field.

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://cowin.gov.in/credentials/vaccination/v1"
  ],
  "type": ["VerifiableCredential", "ProofOfVaccinationCredential"],
  "credentialSubject": {
    "type": "Person",
    "id": "did:Driving License:AA44 2022001122",
    "name": "Test"
  }
}

JavaScript JSON-LD yields

_:b0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://www.w3.org/2018/credentials#VerifiableCredential> .
_:b0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://schema.org/ProofOfVaccinationCredential> .
_:b0 <https://www.w3.org/2018/credentials#credentialSubject> <did:Driving License:AA44 2022001122> .
<did:Driving License:AA44 2022001122> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://schema.org/Person> .
<did:Driving License:AA44 2022001122> <https://schema.org/name> "Test" .

Titanium JSON-LD does:

WARNING: Non well-formed subject [did:Driving License:AA44 2022001122] has been skipped.
_:b0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://www.w3.org/2018/credentials#VerifiableCredential> .
_:b0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://schema.org/ProofOfVaccinationCredential> .

The fix I implemented changes 2 classes:

On JsonLdToRdf, from line 108

// 1.3.1.
if (BlankNode.isWellFormed(subject)) {
    rdfSubject = Rdf.createBlankNode(subject);

} else if (UriUtils.isAbsoluteUri(subject)) {
    rdfSubject = Rdf.createIRI(subject);

}  else if (UriUtils.isAbsoluteUri(subject.replaceAll(" ", ""))) {      // <<---------- ADDED LINE
    rdfSubject = Rdf.createIRI(subject);                                // <<---------- ADDED LINE

} else {
    LOGGER.log(Level.WARNING, "Non well-formed subject [{0}] has been skipped.", subject);
    continue;
}

On ObjectToRdf, from line 101

if (BlankNode.isWellFormed(idString)) {
    return Optional.of(Rdf.createBlankNode(idString));

} else if (UriUtils.isAbsoluteUri(idString)) {
    return Optional.of(Rdf.createIRI(idString));
} else if (UriUtils.isAbsoluteUri(idString.replaceAll(" ", ""))) {   // <<---------- ADDED LINE
    return Optional.of(Rdf.createIRI(idString));                     // <<---------- ADDED LINE
}

Once these 4 lines are added, the rest of the code correctly verifies the credential.

filip26 (Owner) commented Jan 1, 2022

There are two issues:

  1. A plain space is not an allowed character in a DID; did:Driving License:AA44 2022001122 is not a valid DID URL. See DID Syntax.
  2. Titanium parses the whole URL to determine whether the URL is absolute.
    • I'm thinking of simplifying the implementation of UriUtils.isAbsoluteUri() by checking just for the presence of a scheme (did, http, ...)
      • It will allow your example to pass, but issue 1 remains.

filip26 added this to the 1.3.0 milestone Jan 1, 2022
filip26 self-assigned this Jan 1, 2022

@vitorpamplona (Author)

I understand they are not complying with the DID spec. But it might be too late for us. There are too many credentials out there already. :(

filip26 (Owner) commented Jan 1, 2022

The proposed performance re-implementation of UriUtils.isAbsoluteUri() will allow invalid URLs starting with a valid scheme (like did:) to pass the check.
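
The trade-off discussed in the comments above, as an added example that is not part of the thread or of Titanium's code: a strict whole-URI check rejects the subject id and drops its statements, so the digest no longer matches what the issuer signed, while a scheme-only check keeps it. The class and method names are hypothetical, java.net.URI is an assumed stand-in for the library's strict check, and the N-Quads are simplified (real proofs hash a canonicalized dataset).

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.regex.Pattern;

public class SubjectCheckDemo {
    // Scheme-only test: an RFC 3986 scheme followed by ':' and anything at all.
    static final Pattern SCHEME = Pattern.compile("^[A-Za-z][A-Za-z0-9+.-]*:.*");

    // Strict stand-in (assumption, not Titanium's code): the whole string must parse as a URI.
    static boolean strictAbsolute(String s) {
        try { return new URI(s).isAbsolute(); } catch (URISyntaxException e) { return false; }
    }

    static boolean schemeOnly(String s) { return SCHEME.matcher(s).matches(); }

    // Simplified N-Quads for the sample credential; a rejected subject loses its statements.
    static String toQuads(String id, boolean accepted) {
        String type = "<http://www.w3.org/1999/02/22-rdf-syntax-ns#type>";
        StringBuilder sb = new StringBuilder();
        sb.append("_:b0 ").append(type)
          .append(" <https://www.w3.org/2018/credentials#VerifiableCredential> .\n");
        if (accepted) {
            sb.append("_:b0 <https://www.w3.org/2018/credentials#credentialSubject> <")
              .append(id).append("> .\n");
            sb.append('<').append(id).append("> <https://schema.org/name> \"Test\" .\n");
        }
        return sb.toString();
    }

    static byte[] digest(String quads) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(quads.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        String id = "did:Driving License:AA44 2022001122"; // subject id from the thread
        byte[] signed = digest(toQuads(id, true)); // what the issuer's library hashed
        boolean strict = strictAbsolute(id), lenient = schemeOnly(id);
        System.out.println("strict accepts=" + strict + ", digest matches="
            + MessageDigest.isEqual(signed, digest(toQuads(id, strict))));
        System.out.println("scheme-only accepts=" + lenient + ", digest matches="
            + MessageDigest.isEqual(signed, digest(toQuads(id, lenient))));
        // Constructed value: anything after a valid scheme passes the scheme-only test.
        System.out.println("scheme-only accepts 'did: not a DID'=" + schemeOnly("did: not a DID"));
    }
}
```

With validation relaxed or disabled, malformed identifiers reach the RDF output unchanged, so a verifier that needs well-formed subject ids has to check them itself.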

@vitorpamplona (Author)

Happy new year! :)

filip26 linked a pull request Jan 3, 2022 that will close this issue

filip26 (Owner) commented Jan 3, 2022

@vitorpamplona check out 1.3.0-SNAPSHOT. You can disable URI validation with JsonLdOptions.setUriValidation(false). Please feel free to re-open.

vitorpamplona added a commit to Path-Check/who-verifier-app that referenced this issue Jan 3, 2022

@vitorpamplona (Author)

I confirm it's working :)
