-
Notifications
You must be signed in to change notification settings - Fork 41
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Signed Documents Can Be Modified In Certain Situations #117
Comments
This is a known issue over in jsonld.js: digitalbazaar/jsonld.js#199 This happens because |
Okay cool, I'm seeing this happen before toRDF like that issue talks about. It happens in the |
When doing some testing I've come across a certain situation which will allow a signed document to be modified and still pass verification.
I've traced it back to this line in jsonld. So I wasn't sure if I should open a ticket there or here, please let me know if you'd like me to move this issue.
What's happening is if a "@type" entry is not mapped it is silently dropped from the expanded JSON and thus won't be a part of the digest. While unmapped properties are handled by the strict expansionMap provided in this library unmapped types are just dropped.
This means that the document can be modified after signing to add additional unmapped types and still be valid. On the other side it means that when signing you can unknowingly not sign the full document if you don't have all the "@type" values mapped properly.
I have made a reproducible test case here. To verify this issue you just need to:
The text was updated successfully, but these errors were encountered: