Skip to content
This repository was archived by the owner on Jan 20, 2025. It is now read-only.
This repository was archived by the owner on Jan 20, 2025. It is now read-only.

Verify JWT according to kid header instead of checking with all verification method  #98

Open
Open
Verify JWT according to kid header instead of checking with all verification method #98
@nitin-vavdiya

Description

@nitin-vavdiya
nitin-vavdiya
opened on May 8, 2024

Current Behavior

While verifying JWT, as per the current implementation it is iterating through all verification methods available in the DID document. Currently, this is not a bug but the implemented solution is not optimal/efficient

Example:
Consider the JWT header:

{
 "kid": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000#1b4c2d5b-479b-4a19-834a-fecd42c3d60b",
 "typ": "JWT",
 "alg": "ES256K"
}

and did document:

{
    "@context":
    [
        "https://www.w3.org/ns/did/v1",
        "https://w3c.github.io/vc-jws-2020/contexts/v1"
    ],
    "id": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000",
    "verificationMethod":
    [
        {
            "publicKeyJwk":
            {
                "x": "2IU_u50oEO1ym0ZELQPKtYzJA6UJ_J11cpnoFxxFsNM",
                "crv": "Ed25519",
                "kty": "OKP"
            },
            "controller": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000",
            "id": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000#b879cfac-7e51-45c1-97fa-3db84db10e44",
            "type": "JsonWebKey2020"
        },
        {
            "publicKeyJwk":
            {
                "kty": "EC",
                "x": "hZvJ0heaxQxeeBXlSuC-4IPx_UFGeOL5UEYLzLdzfIQ",
                "y": "EufmJauadvvkKl7lB7HkzzF9AIVLx4qN9Ih5yf-7eLc",
                "crv": "secp256k1"
            },
            "controller": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000",
            "id": "did:web:3bdf-203-129-213-107.ngrok-free.app:BPNL000000000000#1b4c2d5b-479b-4a19-834a-fecd42c3d60b",
            "type": "JsonWebKey2020"
        }
    ]
}

According to the current implementation, it will try to verify JWT with both verification methods available in the DID document.

Expected Behavior

  1. It should select the verification method according to the kid of JWT and then verify JWT
  2. If kid it not match with verification method(let's say after key revocation/rotation), it should fail(fast) instead of checking with all verification methods available in the DID document

Steps To Reproduce

  1. Create a Did document one verification methods
  2. Create VC then create VP as JWT with any one kid
  3. Revoke/rotate the key and update the DID document
  4. Verify JWT, it will fail after signature verification. It should fail without signature verification as kid will not match with verification method

Related to: eclipse-tractusx/managed-identity-wallet#303

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions