Issue verifying ldp with did:web #173

Open
shagamd opened this issue Dec 4, 2023 · 9 comments

@shagamd

shagamd commented Dec 4, 2023

When I generate an LDP_VC and enter the 'verificationMethod' as did:web in the 'proof', it is resolved but not interpreted correctly. I understand that it tries to obtain the 'verificationMethod' directly from the did.json, but it retrieves the web's structure and generates an error as it cannot obtain the key: 'Verification error(s)., getKeyPairForType does not support type: undefined.' However, the 'type' does exist but within the 'verificationMethod' of the LD.

@shagamd shagamd closed this as completed Dec 4, 2023
@nklomp
Contributor

nklomp commented Dec 4, 2023

Given it is closed I am assuming it is resolved.

I am also guessing that the issue is that you really need an assertionMethod as verificationMethod relationship, as that needs to be checked when verifying a VC from an Issuer, but would be good to know what the issue was.

@ejossev

ejossev commented Feb 5, 2024

I'm just facing the same issue - "Verification error(s)., getKeyPairForType does not support type: undefined." in an OIDC4VCI scenario where issuer uses web did. The same did.json works perfectly well in the OIDC4VP scenario.

Note: The issue is for both embedded and referenced verification methods.

@shagamd did you solve the issue? Can you share the experience how?

@TimoGlastra

What is the did:web you're using? Could you share the did (or share an obfuscated did document)?

Is the verificationMethod both included in authentication and assertionMethod?

@ejossev

ejossev commented Feb 5, 2024

This is the example of the did:web document. I can check it has been fetched by the wallet.

{
    "@context": [
        "https://www.w3.org/ns/did/v1",
        "https://w3id.org/security/suites/jws-2020/v1"
    ],
    "id": "did:web:vcvalidator-test-client.azuremicroservices.io",
    "verificationMethod": [
        {
            "id": "did:web:vcvalidator-test-client.azuremicroservices.io#CW1kgkCiNefC",
            "type": "JsonWebKey2020",
            "controller": "did:web:vcvalidator-test-client.azuremicroservices.io",
            "publicKeyJwk": {
                "kty": "OKP",
                "crv": "Ed25519",
                "x": "JYCAGl6C7gcDeKbNqtXBfpGzH0f5elifj7L6zYNj_Is"
            }
        }
    ],
    "authentication": [
        {
            "id": "did:web:vcvalidator-test-client.azuremicroservices.io#CW1kgkCiNefC",
            "type": "JsonWebKey2020",
            "controller": "did:web:vcvalidator-test-client.azuremicroservices.io",
            "publicKeyJwk": {
                "kty": "OKP",
                "crv": "Ed25519",
                "x": "JYCAGl6C7gcDeKbNqtXBfpGzH0f5elifj7L6zYNj_Is"
            }
        }
    ],
    "assertionMethod": [
        {
            "id": "did:web:vcvalidator-test-client.azuremicroservices.io#CW1kgkCiNefC",
            "type": "JsonWebKey2020",
            "controller": "did:web:vcvalidator-test-client.azuremicroservices.io",
            "publicKeyJwk": {
                "kty": "OKP",
                "crv": "Ed25519",
                "x": "JYCAGl6C7gcDeKbNqtXBfpGzH0f5elifj7L6zYNj_Is"
            }
        }
    ],
    "keyAgreement": []
}

And the proof looks like this:

   "proof": {
     "type": "JsonWebSignature2020",
     "created": "2024-02-05T12:08:57Z",
     "proofPurpose": "assertionMethod",
     "verificationMethod": "did:web:vcvalidator-test-client.azuremicroservices.io#CW1kgkCiNefC",
     "jws": "eyJhbGciOiJFZERTQSIsImNyaXQiOlsiYjY0Il0sImI2NCI6ZmFsc2V9..mbo1K4VN9p8_5B7fD3hiFN3yVAKgn5cSaArAM4_ibsJaV9hijHhUu8SiG6g_YPHBec0eWyHDdqHasB2H0GqXDA"
     }

However, I just discovered that it's not an issue with the did:web method; I got the same result when using JsonWebSignature2020 with did:jwk and did:key as well. When I replaced the proof with one of type Ed25519Signature2018, it worked as expected.
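
An added example, not part of the thread and not the wallet's or Sphereon's code: one way a verifier can resolve a proof's verificationMethod against the relationship named by proofPurpose, accepting both the embedded and the referenced form, and fail with a specific message when the key is unauthorized or its type does not fit the proof suite. The function names, the `did:web:issuer.example` DID and the `#key-1` fragment are assumptions made for illustration.

```javascript
// Added example with constructed data: issuer.example and #key-1 are placeholders.
// Key types each proof suite can verify with, per the suites' specifications.
const SUITE_KEY_TYPES = {
  JsonWebSignature2020: ['JsonWebKey2020'],
  Ed25519Signature2018: ['Ed25519VerificationKey2018'],
};

function resolveVerificationMethod(didDocument, proof) {
  const allowed = SUITE_KEY_TYPES[proof.type];
  if (!allowed) throw new Error(`unsupported proof type: ${proof.type}`);

  // The key must be listed under the relationship named by proofPurpose.
  const listed = didDocument[proof.proofPurpose];
  const relationship = Array.isArray(listed) ? listed : [];
  const entry = relationship.find(
    (e) => (typeof e === 'string' ? e : e.id) === proof.verificationMethod
  );
  if (!entry) {
    throw new Error(`${proof.verificationMethod} is not authorized for ${proof.proofPurpose}`);
  }

  // A string entry is a reference into verificationMethod[]; an object is embedded.
  const method = typeof entry === 'string'
    ? (didDocument.verificationMethod || []).find((m) => m.id === entry)
    : entry;
  if (!method) throw new Error(`dangling reference: ${entry}`);
  if (!allowed.includes(method.type)) {
    throw new Error(`key type ${method.type} cannot verify ${proof.type}`);
  }
  return method;
}

// Returns the error message instead of throwing, for the checks below.
function errorFor(doc, proof) {
  try { resolveVerificationMethod(doc, proof); return null; } catch (e) { return e.message; }
}

const DID = 'did:web:issuer.example';
const jwkMethod = { id: `${DID}#key-1`, type: 'JsonWebKey2020', controller: DID,
  publicKeyJwk: { kty: 'OKP', crv: 'Ed25519', x: 'CONSTRUCTED_PLACEHOLDER' } };
const embeddedDoc = { id: DID, verificationMethod: [jwkMethod], assertionMethod: [jwkMethod] };
const referencedDoc = { id: DID, verificationMethod: [jwkMethod], assertionMethod: [jwkMethod.id] };
const authOnlyDoc = { id: DID, verificationMethod: [jwkMethod], authentication: [jwkMethod.id] };
const proof = { type: 'JsonWebSignature2020', proofPurpose: 'assertionMethod',
  verificationMethod: `${DID}#key-1` };

console.log(resolveVerificationMethod(embeddedDoc, proof).type);
console.log(resolveVerificationMethod(referencedDoc, proof).id);
console.log(errorFor(authOnlyDoc, proof));
```
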

@nklomp
Contributor

nklomp commented Feb 5, 2024

Could you provide a bit more context?

Which version of the wallet are you using? Also what are you using on the VCI side?
We know that current released store version of the wallet has an issue with did:web. We will be releasing a new version of the wallet soon, which has many fixes. If you can point me to a VCI issuer, where this is happening, I can test with a development version to see if it is resolved.

@nklomp nklomp reopened this Feb 5, 2024
@ejossev

ejossev commented Feb 5, 2024

The version that is in app store (0.1.3). I'm using our proprietary code to manage Oidc4Vci/Oidc4Vp flows, which is, at the moment, not public :-/

However, as mentioned, the issue seems to be with JsonWebSignature2020 proof types (even JsonWebKey2020 hosted in did:web document is not a problem, if the resulting proof is of (in my case) Ed25519Signature2018 type).

I can open you the issuer with mock data, but let's share that outside of public forum.

@shagamd
Author

shagamd commented Feb 5, 2024

@ejossev
In my case, I managed to solve it by modifying my DIDDocument. I was using JsonWebKey2020, and I changed it to Ed25519VerificationKey2018. I did this by examining the functioning of the DID resolver. When I received a did:key, it generated the following structure for me:

{
    "@context": [
        "https://www.w3.org/ns/did/v1",
        "https://w3id.org/security/suites/ed25519-2018/v1"
    ],
    "id": "did:key:z6Mkh47kdEbVR8Q15zwDcFGNQ7Xd8W3r56MKNN6ouZLrKBoQ",
    "verificationMethod": [
        {
            "id": "did:key:z6Mkh47kdEbVR8Q15zwDcFGNQ7Xd8W3r56MKNN6ouZLrKBoQ",
            "type": "Ed25519VerificationKey2018",
            "controller": "did:key:z6Mkh47kdEbVR8Q15zwDcFGNQ7Xd8W3r56MKNN6ouZLrKBoQ",
            "publicKeyBase58": "3bri2zM45auXyW6WvgJXZ1ydJvmzfD6xgMBt5HNqPy22"
        }
    ],
    "assertionMethod": [
        "did:key:z6Mkh47kdEbVR8Q15zwDcFGNQ7Xd8W3r56MKNN6ouZLrKBoQ#z6Mkh47kdEbVR8Q15zwDcFGNQ7Xd8W3r56MKNN6ouZLrKBoQ"
    ],
    "authentication": [
        "did:key:z6Mkh47kdEbVR8Q15zwDcFGNQ7Xd8W3r56MKNN6ouZLrKBoQ#z6Mkh47kdEbVR8Q15zwDcFGNQ7Xd8W3r56MKNN6ouZLrKBoQ"
    ],
    "capabilityInvocation": [
        "did:key:z6Mkh47kdEbVR8Q15zwDcFGNQ7Xd8W3r56MKNN6ouZLrKBoQ#z6Mkh47kdEbVR8Q15zwDcFGNQ7Xd8W3r56MKNN6ouZLrKBoQ"
    ],
    "capabilityDelegation": [
       "did:key:z6Mkh47kdEbVR8Q15zwDcFGNQ7Xd8W3r56MKNN6ouZLrKBoQ#z6Mkh47kdEbVR8Q15zwDcFGNQ7Xd8W3r56MKNN6ouZLrKBoQ"
    ]
}

So, I modified the structure of my did:web to use Ed25519VerificationKey2018.
Then I modified my did:web to:

{
    "@context": [
        "https://www.w3.org/ns/did/v1",
        "https://w3id.org/security/suites/ed25519-2018/v1"
    ],
    "id": "did:web:example.com:identity:legalentity",
    "verificationMethod": [
        {
            "id": "did:web:example.com:identity:legalentity#key-0",
            "type": "Ed25519VerificationKey2018",
            "controller": "did:key:z6Mkh47kdEbVR8Q15zwDcFGNQ7Xd8W3r56MKNN6ouZLrKBoQ",
            "publicKeyBase58": "3bri2zM45auXyW6WvgJXZ1ydJvmzfD6xgMBt5HNqPy22"
        }
    ],
    "assertionMethod": [
        "did:web:example.com:identity:legalentity#key-0"
    ],
    "authentication": [
        "did:web:example.com:identity:legalentity#key-0"
    ],
    "capabilityInvocation": [
        "did:web:example.com:identity:legalentity#key-0"
    ],
    "capabilityDelegation": [
        "did:web:example.com:identity:legalentity#key-0"
    ]
}

@nklomp
Contributor

nklomp commented Feb 5, 2024

@shagamd: Okay that explains why it worked for you, given the issue indeed is in JWK handling, specifically for did:web

@ejossev: If you could send an e-mail to nklomp [at] sphereon . com, then I am happy to have a look at it. We can probably also give you access to a development build somewhere this week

@ejossev

ejossev commented Feb 6, 2024

@nklomp Sent.
