This repository has been archived by the owner on Mar 27, 2024. It is now read-only.

Signing & Verification: Incorrect canonicalization of credential status #1592

Closed
sudeshrshetty opened this issue Apr 9, 2020 · 7 comments · Fixed by #1598

Comments

@sudeshrshetty (Contributor) commented Apr 9, 2020

During interop tests, I noticed an issue with canonicalization of verifiable credentials that carry a credential status.

Sample doc:

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://www.w3.org/2018/credentials/examples/v1"
  ],
  "credentialSchema": [],
  "credentialStatus": {
    "id": "http://issuer.vc.rest.example.com:8070/status/1",
    "type": "CredentialStatusList2017"
  },
  "credentialSubject": {
    "degree": {
      "degree": "MIT",
      "type": "BachelorDegree"
    },
    "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
    "name": "Jayden Doe",
    "spouse": "did:example:c276e12ec21ebfeb1f712ebc6f1"
  },
  "id": "https://example.com/credentials/932236e0-966c-44cf-9342-236c0a2c77a7",
  "issuanceDate": "2020-03-16T22:37:26.544Z",
  "issuer": {
    "id": "did:elem:EiBJJPdo-ONF0jxqt8mZYEj9Z7FbdC87m2xvN0_HAbcoEg",
    "name": "alice_f94db66c-be63-4f03-af10-4205d1f625e1"
  },
  "proof": {
    "created": "2020-04-08T04:00:22Z",
    "jws": "eyJhbGciOiJFZERTQSIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..6ICruO8hE3mYEyWeM01aB9iPmsGqhZg8rpNXPTofUUulYXJUJ2DOLe0uv1KJ3bR4N71h_Hp_S3YmzIUpyeoNCw",
    "proofPurpose": "assertionMethod",
    "type": "Ed25519Signature2018",
    "verificationMethod": "did:elem:EiBJJPdo-ONF0jxqt8mZYEj9Z7FbdC87m2xvN0_HAbcoEg#xqc3gS1gz1vch7R3RvNebWMjLvBOY-n_14feCYRPsUo"
  },
  "type": [
    "VerifiableCredential",
    "UniversityDegreeCredential"
  ]
}

After canonicalization using the JSON-LD lib (https://github.com/digitalbazaar/jsonld-signatures/tree/master/lib):

<did:elem:EiBJJPdo-ONF0jxqt8mZYEj9Z7FbdC87m2xvN0_HAbcoEg> <http://schema.org/name> "alice_6edf241c-ac8e-4c31-8c53-a0b0e69d937e"^^<http://www.w3.org/1999/02/22-rdf-syntax-ns#HTML> .
<did:example:ebfeb1f712ebc6f1c276e12ec21> <http://schema.org/name> "Jayden Doe"^^<http://www.w3.org/1999/02/22-rdf-syntax-ns#HTML> .
<did:example:ebfeb1f712ebc6f1c276e12ec21> <http://schema.org/spouse> "did:example:c276e12ec21ebfeb1f712ebc6f1" .
<did:example:ebfeb1f712ebc6f1c276e12ec21> <https://example.org/examples#degree> _:c14n0 .
<https://example.com/credentials/bea1bc1e-054d-4ceb-b72c-f2f757e93b5d> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://example.org/examples#UniversityDegreeCredential> .
<https://example.com/credentials/bea1bc1e-054d-4ceb-b72c-f2f757e93b5d> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://www.w3.org/2018/credentials#VerifiableCredential> .
<https://example.com/credentials/bea1bc1e-054d-4ceb-b72c-f2f757e93b5d> <https://www.w3.org/2018/credentials#credentialStatus> <http://issuer.vc.rest.example.com:8070/status/1> .
<https://example.com/credentials/bea1bc1e-054d-4ceb-b72c-f2f757e93b5d> <https://www.w3.org/2018/credentials#credentialSubject> <did:example:ebfeb1f712ebc6f1c276e12ec21> .
<https://example.com/credentials/bea1bc1e-054d-4ceb-b72c-f2f757e93b5d> <https://www.w3.org/2018/credentials#issuanceDate> "2020-03-16T22:37:26.544Z"^^<http://www.w3.org/2001/XMLSchema#dateTime> .
<https://example.com/credentials/bea1bc1e-054d-4ceb-b72c-f2f757e93b5d> <https://www.w3.org/2018/credentials#issuer> <did:elem:EiBJJPdo-ONF0jxqt8mZYEj9Z7FbdC87m2xvN0_HAbcoEg> .
_:c14n0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://example.org/examples#BachelorDegree> .
_:c14n0 <https://example.org/examples#degree> "MIT" .

Using Aries Framework Go:

<did:elem:EiBJJPdo-ONF0jxqt8mZYEj9Z7FbdC87m2xvN0_HAbcoEg> <http://schema.org/name> "alice_6edf241c-ac8e-4c31-8c53-a0b0e69d937e"^^<http://www.w3.org/1999/02/22-rdf-syntax-ns#HTML> .
<did:example:ebfeb1f712ebc6f1c276e12ec21> <http://schema.org/name> "Jayden Doe"^^<http://www.w3.org/1999/02/22-rdf-syntax-ns#HTML> .
<did:example:ebfeb1f712ebc6f1c276e12ec21> <http://schema.org/spouse> "did:example:c276e12ec21ebfeb1f712ebc6f1" .
<did:example:ebfeb1f712ebc6f1c276e12ec21> <https://example.org/examples#degree> _:c14n0 .
<http://issuer.vc.rest.example.com:8070/status/1> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <CredentialStatusList2017> .
<https://example.com/credentials/bea1bc1e-054d-4ceb-b72c-f2f757e93b5d> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://example.org/examples#UniversityDegreeCredential> .
<https://example.com/credentials/bea1bc1e-054d-4ceb-b72c-f2f757e93b5d> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://www.w3.org/2018/credentials#VerifiableCredential> .
<https://example.com/credentials/bea1bc1e-054d-4ceb-b72c-f2f757e93b5d> <https://www.w3.org/2018/credentials#credentialStatus> <http://issuer.vc.rest.example.com:8070/status/1> .
<https://example.com/credentials/bea1bc1e-054d-4ceb-b72c-f2f757e93b5d> <https://www.w3.org/2018/credentials#credentialSubject> <did:example:ebfeb1f712ebc6f1c276e12ec21> .
<https://example.com/credentials/bea1bc1e-054d-4ceb-b72c-f2f757e93b5d> <https://www.w3.org/2018/credentials#issuanceDate> "2020-03-16T22:37:26.544Z"^^<http://www.w3.org/2001/XMLSchema#dateTime> .
<https://example.com/credentials/bea1bc1e-054d-4ceb-b72c-f2f757e93b5d> <https://www.w3.org/2018/credentials#issuer> <did:elem:EiBJJPdo-ONF0jxqt8mZYEj9Z7FbdC87m2xvN0_HAbcoEg> .
_:c14n0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://example.org/examples#BachelorDegree> .
_:c14n0 <https://example.org/examples#degree> "MIT" .
sudeshrshetty added a commit to sudeshrshetty/aries-framework-go that referenced this issue Apr 9, 2020
- Excluding "credentialStatus.type" from VC which is causing document
canonizing issue (hyperledger-archives#1592)
- closes hyperledger-archives#1593

Signed-off-by: sudesh.shetty <sudesh.shetty@securekey.com>
@sudeshrshetty (Contributor, Author)

Revert fix #1594 once this issue is resolved.

@kdimak (Contributor) commented Apr 9, 2020

If we check JSON-LD normalization at the JSON-LD Playground, we get the result WITH the credential status (as in Aries):

<did:elem:EiBJJPdo-ONF0jxqt8mZYEj9Z7FbdC87m2xvN0_HAbcoEg> <http://schema.org/name> "alice_6edf241c-ac8e-4c31-8c53-a0b0e69d937e"^^<http://www.w3.org/1999/02/22-rdf-syntax-ns#HTML> .
<did:example:ebfeb1f712ebc6f1c276e12ec21> <http://schema.org/name> "Jayden Doe"^^<http://www.w3.org/1999/02/22-rdf-syntax-ns#HTML> .
<did:example:ebfeb1f712ebc6f1c276e12ec21> <http://schema.org/spouse> "did:example:c276e12ec21ebfeb1f712ebc6f1" .
<did:example:ebfeb1f712ebc6f1c276e12ec21> <https://example.org/examples#degree> _:c14n0 .
<http://issuer.vc.rest.example.com:8070/status/1> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://json-ld.org/playground/CredentialStatusList2017> .
<https://example.com/credentials/bea1bc1e-054d-4ceb-b72c-f2f757e93b5d> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://example.org/examples#UniversityDegreeCredential> .
<https://example.com/credentials/bea1bc1e-054d-4ceb-b72c-f2f757e93b5d> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://www.w3.org/2018/credentials#VerifiableCredential> .
<https://example.com/credentials/bea1bc1e-054d-4ceb-b72c-f2f757e93b5d> <https://www.w3.org/2018/credentials#credentialStatus> <http://issuer.vc.rest.example.com:8070/status/1> .
<https://example.com/credentials/bea1bc1e-054d-4ceb-b72c-f2f757e93b5d> <https://www.w3.org/2018/credentials#credentialSubject> <did:example:ebfeb1f712ebc6f1c276e12ec21> .
<https://example.com/credentials/bea1bc1e-054d-4ceb-b72c-f2f757e93b5d> <https://www.w3.org/2018/credentials#issuanceDate> "2020-03-16T22:37:26.544Z"^^<http://www.w3.org/2001/XMLSchema#dateTime> .
<https://example.com/credentials/bea1bc1e-054d-4ceb-b72c-f2f757e93b5d> <https://www.w3.org/2018/credentials#issuer> <did:elem:EiBJJPdo-ONF0jxqt8mZYEj9Z7FbdC87m2xvN0_HAbcoEg> .
_:c14n0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://example.org/examples#BachelorDegree> .
_:c14n0 <https://example.org/examples#degree> "MIT" .

So we need to investigate the JSON-LD normalization algorithm in the specification and any available test suite to see on which side (Go, JS) the issue is.

@troyronda @sandrask

@troyronda troyronda changed the title Signinig & Verification: Incorrect canonizing of credential status Signinig & Verification: Incorrect canonicalization of credential status Apr 9, 2020
@troyronda (Contributor) commented Apr 9, 2020

Note the difference between the Go and JS library is that the Go library includes:

<http://issuer.vc.rest.example.com:8070/status/1> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <CredentialStatusList2017> .

@dlongley commented Apr 9, 2020

<CredentialStatusList2017> is invalid RDF (because it is not an absolute URI). The Go processor is outputting bad data.

The type CredentialStatusList2017 is not defined in any of the contexts used and should be dropped from the canonicalized RDF. The JSON-LD playground doesn't drop it because it uses a base URL to treat any undefined values as relative URLs -- you can see that the value it uses for CredentialStatusList2017 is prefixed with the playground base URL (https://json-ld.org/playground/) to turn it into an absolute URL in the RDF:

<http://issuer.vc.rest.example.com:8070/status/1> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://json-ld.org/playground/CredentialStatusList2017> .

jsonld-signatures properly drops that undefined term on the floor. There's a long standing issue in jsonld.js for adding a feature to warn users (or throw errors) when this happens so they can be aware that they forgot to define terms: digitalbazaar/jsonld.js#199

This should be resolved by:

  1. Go processor getting fixed to drop undefined terms (relative URLs in this case) from RDF.

And, ideally, for usability purposes:

  2. A feature would be implemented in jsonld.js and the Go processor to enable digital signature libraries such as jsonld-signatures to throw errors when terms get dropped from canonicalized RDF to inform users that they are missing definitions.
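The two policies dlongley describes, strict rejection of a dataset that contains a relative IRI versus silently dropping the offending quad, as an added Go example; this is not code from aries-framework-go, json-gold or jsonld.js. It assumes the normalized datasets are already available as N-Quads text and uses a few lines constructed from the two outputs above; the names CheckDataset, DropInvalidQuads and Digest are this example's own. The security point it makes: a quad that a processor drops on the floor is not covered by the hash the proof signs, so a verifier that accepts such a credential has no assurance about credentialStatus.type at all, and a signing library should take the strict path and fail rather than sign or verify.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample: the lines from the two canonicalized outputs in this
// issue that matter for the comparison. The jsonld-signatures output has no
// rdf:type quad for the status object; the Go output has one whose object is
// the relative IRI <CredentialStatusList2017>.
const jsDataset = `<did:example:ebfeb1f712ebc6f1c276e12ec21> <https://example.org/examples#degree> _:c14n0 .
<https://example.com/credentials/bea1bc1e-054d-4ceb-b72c-f2f757e93b5d> <https://www.w3.org/2018/credentials#credentialStatus> <http://issuer.vc.rest.example.com:8070/status/1> .
<https://example.com/credentials/bea1bc1e-054d-4ceb-b72c-f2f757e93b5d> <https://www.w3.org/2018/credentials#issuer> <did:elem:EiBJJPdo-ONF0jxqt8mZYEj9Z7FbdC87m2xvN0_HAbcoEg> .
_:c14n0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://example.org/examples#BachelorDegree> .
`

const goDataset = `<did:example:ebfeb1f712ebc6f1c276e12ec21> <https://example.org/examples#degree> _:c14n0 .
<http://issuer.vc.rest.example.com:8070/status/1> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <CredentialStatusList2017> .
<https://example.com/credentials/bea1bc1e-054d-4ceb-b72c-f2f757e93b5d> <https://www.w3.org/2018/credentials#credentialStatus> <http://issuer.vc.rest.example.com:8070/status/1> .
<https://example.com/credentials/bea1bc1e-054d-4ceb-b72c-f2f757e93b5d> <https://www.w3.org/2018/credentials#issuer> <did:elem:EiBJJPdo-ONF0jxqt8mZYEj9Z7FbdC87m2xvN0_HAbcoEg> .
_:c14n0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://example.org/examples#BachelorDegree> .
`

// iriRe matches every <...> token on an N-Quads line. Blank nodes (_:c14n0)
// and string literals are not in angle brackets and are therefore skipped.
var iriRe = regexp.MustCompile(`<([^>]*)>`)

// isAbsoluteIRI reports whether s carries a scheme. N-Quads only permits
// absolute IRIs, so anything without a scheme is a term the @context did not
// define and that was emitted as a relative reference.
func isAbsoluteIRI(s string) bool {
	u, err := url.Parse(s)
	return err == nil && u.Scheme != ""
}

// relativeIRIs returns the IRI tokens on one quad line that lack a scheme.
func relativeIRIs(line string) []string {
	var bad []string
	for _, m := range iriRe.FindAllStringSubmatch(line, -1) {
		if !isAbsoluteIRI(m[1]) {
			bad = append(bad, m[1])
		}
	}
	return bad
}

// splitQuads splits N-Quads text into non-empty, trimmed lines.
func splitQuads(nquads string) []string {
	var out []string
	for _, l := range strings.Split(nquads, "\n") {
		if l = strings.TrimSpace(l); l != "" {
			out = append(out, l)
		}
	}
	return out
}

// CheckDataset is the strict policy a signing or verification library should
// apply: the first relative IRI aborts with an error naming the quad, so a
// document with an undefined term is neither signed nor accepted.
func CheckDataset(nquads string) error {
	for i, line := range splitQuads(nquads) {
		if bad := relativeIRIs(line); len(bad) > 0 {
			return fmt.Errorf("quad %d: relative IRI %q (term not defined in @context?)", i+1, bad[0])
		}
	}
	return nil
}

// DropInvalidQuads mirrors what a processor that drops undefined terms does,
// but reports what it removed instead of staying silent. The dropped quads are
// exactly the data the resulting signature would not cover.
func DropInvalidQuads(nquads string) (kept string, dropped []string) {
	var out []string
	for _, line := range splitQuads(nquads) {
		if len(relativeIRIs(line)) > 0 {
			dropped = append(dropped, line)
			continue
		}
		out = append(out, line)
	}
	return strings.Join(out, "\n") + "\n", dropped
}

// Digest is the value a Linked Data proof actually binds: a hash over the
// canonical N-Quads. Differing datasets give differing digests and a failed
// signature check, which is the interop failure this issue reports.
func Digest(nquads string) string {
	sum := sha256.Sum256([]byte(nquads))
	return hex.EncodeToString(sum[:])
}

func main() {
	fmt.Println("jsonld-signatures digest:", Digest(jsDataset))
	fmt.Println("Go processor digest:     ", Digest(goDataset))
	if err := CheckDataset(goDataset); err != nil {
		fmt.Println("strict check rejects Go output:", err)
	}
	kept, dropped := DropInvalidQuads(goDataset)
	fmt.Printf("after dropping %d quad(s) the digests agree: %v\n", len(dropped), Digest(kept) == Digest(jsDataset))
}
```

Dropping the quad makes the two digests agree, which explains why the JS side verified and the Go side did not; it does not make the credential's status type signed. Adding a context that defines CredentialStatusList2017, as suggested in the next comment, is the fix that keeps the term inside the signed data.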

@dlongley commented Apr 9, 2020

I should add -- if a context is added that defines CredentialStatusList2017 (which is the original source of the problem), that should also bring the output of the two libs in line.

@troyronda (Contributor)

Thanks @dlongley!

@kdimak (Contributor) commented Apr 9, 2020

Thank you @dlongley!

sudeshrshetty added a commit to sudeshrshetty/aries-framework-go that referenced this issue Apr 10, 2020
Previously: we weren't dropping undefined terms from RDFs.

Fix: changed normalization approach through json-gold library so that it
returns parsing error whenever invalid data found in dataset.

Added error handling logic for invalid RDF data errors where aries json
ld processor is going to remove the invalid data from dataset and try
again recursively. (Following
digitalbazaar/jsonld.js#199)

closes hyperledger-archives#1592

Signed-off-by: sudesh.shetty <sudesh.shetty@securekey.com>
4 participants