Missing IssuerSigned Items in a mdoc authentication session #727

Open
vanhoanHoang opened this issue Sep 2, 2024 · 1 comment
Labels
bug Something isn't working

vanhoanHoang commented Sep 2, 2024

Hi team,

I have recently looked at the OpenID4VP with mdoc format and run into a Wallet issue which does not send IssuerSigned items to Verifier. I have created a mdoc credential org.iso.18013.5.1.mDL containing 3 attributes: family_name, given_name, birth_date

I then created a verification session to request the Wallet to submit this credential. The presentation_definition looks like this:

{
   "id":"803c9bc1-ce15-47b2-8b60-9023db04cc0c",
   "input_descriptors":[
      {
         "id":"org.iso.18013.5.1.mDL",
         "purpose":"Testing mdoc",
         "format":{
            "mso_mdoc":{
               "alg":[
                  "RSA",
                  "ECDSA",
                  "EdDSA"
               ]
            }
         },
         "constraints":{
            "fields":[
               {
                  "path":[
                     "family_name"
                  ],
                  "filter":{
                     "pattern":".*",
                     "type":"string"
                  },
                  "intent_to_retain":true
               },
               {
                  "path":[
                     "$.type"
                  ],
                  "filter":{
                     "pattern":"org.iso.18013.5.1.mDL",
                     "type":"string"
                  },
                  "intent_to_retain":true
               }
            ]
         }
      }
   ]
}

Note that I added family_name in the presentation_definition for testing purposes only. More specifically, I added it on the suspicion that the Wallet only sends attributes required explicitly in the presentation_definition. But removing it does not have any effect on Wallet behavior, resulting in the same vp_token, which does not contain any IssuerSigned items, as indicated below:

The following is a vp_token constructed by the Wallet to present to the Verifier:

vp_token=o2d2ZXJzaW9uYzEuMGlkb2N1bWVudHOBo2dkb2NUeXBldW9yZy5pc28uMTgwMTMuNS4xLm1ETGxpc3N1ZXJTaWduZWSiam5hbWVTcGFjZXOhcW9yZy5pc28uMTgwMTMuNS4xgGppc3N1ZXJBdXRohEOhASahGCFZAUswggFHMIHuoAMCAQICCDntyHqaePkqMAoGCCqGSM49BAMCMBcxFTATBgNVBAMMDE1ET0MgUk9PVCBDQTAeFw0yNDA1MDIxMzEzMzBaFw0yNTA1MDIxMzEzMzBaMBsxGTAXBgNVBAMMEE1ET0MgVGVzdCBJc3N1ZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQbREg0GIX6hBQPd3kMad6BC5d6cjb0kNowagy-KgpEE3nd3hRrNqRLa6e7wGewS3G61LaSpGFgE9iT1ECuJTeBoyAwHjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB_wQEAwIHgDAKBggqhkjOPQQDAgNIADBFAiEAjnAEEADd7CojCyWG7MWfis0Vb12TPZNjvF4iY7sKtpgCIBiFqLU3MnppsCJiDwfFxF1ik7hu7ZJ6PwToLMUcrfhjWQHD2BhZAb6mZ3ZlcnNpb25jMS4wb2RpZ2VzdEFsZ29yaXRobWdTSEEtMjU2bHZhbHVlRGlnZXN0c6Fxb3JnLmlzby4xODAxMy41LjGjAFggPOVIT8AfKkEtdFPwfNURxRweIxA5tcVzvFQ3eRBsBekBWCD-C-T_D9EyDjf9RYCShmR-NegK-QpjpLR4m0_0IaCJMQJYINidsvlZ2uy_lNQt86JlAf65aXxjG9zowy5R_0kCyoanbWRldmljZUtleUluZm-haWRldmljZUtleaQBAiABIVgge5FMzcP3o2brlVkHzXr3HLA9UWw4Z5IL-oXpKUatYLwiWCDHPlV4LYM5MtrPDorZgmNcE93i4fXco09IRGaRdQmIzWdkb2NUeXBldW9yZy5pc28uMTgwMTMuNS4xLm1ETGx2YWxpZGl0eUluZm-jZnNpZ25lZMB4HjIwMjQtMDktMDJUMDk6Mjg6MjQuNzM1NjkyNzgwWml2YWxpZEZyb23AeB4yMDI0LTA5LTAyVDA5OjI4OjI0LjczNTY5MzY1NVpqdmFsaWRVbnRpbMB4HjIwMjUtMDktMDJUMDk6Mjg6MjQuNzM1NjkzNzIzWlhATQVhul0vXQkexIdE2jGk3zPyfFPHoWygRKaQ8Vaw-pmOazSE2s8VaG7wEj01m4iZJz1G38ivukUujpKljKFJW2xkZXZpY2VTaWduZWSiam5hbWVTcGFjZXPYGEGgamRldmljZUF1dGihb2RldmljZVNpZ25hdHVyZYRDoQEmoRghgPZYQLgfCA5rVqA3cZKrwLjDcsrutRqeNoGzJCfhD6GiSZmdNL9qaKjfaxCl54QQvLrleCLlDqyPXMzbhHYzbWBiHv1mc3RhdHVzAA%3D%3D&presentation_submission=%7B%22id%22%3A%22pX019X5Dtlmu%22%2C%22definition_id%22%3A%22pX019X5Dtlmu%22%2C%22descriptor_map%22%3A%5B%7B%22id%22%3A%22org.iso.18013.5.1.mDL%22%2C%22format%22%3A%22mso_mdoc%22%2C%22path%22%3A%22%24%22%2C%22path_nested%22%3A%7B%22id%22%3A%22org.iso.18013.5.1.mDL%22%2C%22format%22%3A%22mso_mdoc%22%2C%22path%22%3A%22%24.documents%5B0%5D%22%7D%7D%5D%7D&state=bcQbBJjpuQU

By decoding the vp_token, we can obtain the mdoc details as shown in the Figure below:

[image: decoded vp_token showing the mdoc details]

We can see that the IssuerSigned items are an empty list in the namespace org.iso.18013.5.1. I guess there is some problem on the mdoc library side that prevents it from including these items?

Can you have a look at this, please?

Cheers,
Hoan Hoang

@vanhoanHoang vanhoanHoang added the bug Something isn't working label Sep 2, 2024
vanhoanHoang commented Oct 1, 2024

I have looked into the ISO 18013-7 spec and realized that my presentation_definition had not been relevant for mso_mdoc. I have created a new one as follows:

{
    "id": "7c80dc00-604f-4edd-9956-87a2426437fa",
    "input_descriptors": [
      {
        "id": "org.iso.18013.5.1.mDL",
        "purpose": "verify mdl of users",
        "format": {
          "mso_mdoc": {
            "alg": [
              "ECDSA"
            ]
          }
        },
        "constraints": {
          "fields": [
            {
              "path": [
                "$['org.iso.18013.5.1']['given_name']"
              ],
              "filter": {
                "type": "string",
                "pattern": ".*"
              },
              "intent_to_retain": true
            }
          ],
          "limit_disclosure": "required"
        }
      }
    ]
  }

However, the wallet still does not send the requested claim, which is given_name. The problem is currently with this line CODE in the InputDescriptorField class.

Currently, this line splits the namespace concatenated with the claim using a . as the delimiter. However, for namespaces that already contain a . (such as those in mdl), this causes the claim and the namespace to be incorrectly split and then added to the MDocRequestBuilder.

This is leading to incorrect behavior, as the claim isn't being processed as expected. Could we address this issue in the InputDescriptorField class to correctly handle namespaces with . in the next release? @severinstampler :)

Thank you!
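The two comments above boil down to one parsing question: how a verifier or wallet should turn an mso_mdoc field path such as `$['org.iso.18013.5.1']['given_name']` into the namespace and data element identifier that go into an ISO 18013-5 items request. The Python below is an added example, not code from this project or from the issue author; the project's own language is not visible on this page, so Python is used for illustration. It assumes the bracket notation described in the comment, treats the input descriptor `id` as the docType (as the issue's definitions do), reconstructs the dot-delimited split the comment describes as an assumed shape (the real line is not on the page), and builds its sample input from the two presentation_definitions quoted in the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# ISO/IEC 18013-7 expresses an mso_mdoc field path as
# $['<namespace>']['<data element identifier>'] (single or double quotes).
# Both parts are bracket-quoted, so a namespace may legitimately contain dots.
_MDOC_PATH = re.compile(
    r"""^\$\[(['"])(?P<ns>[^'"\]]+)\1\]\[(['"])(?P<elem>[^'"\]]+)\3\]$"""
)


def parse_mdoc_field_path(path: str) -> Optional[Tuple[str, str]]:
    """Return (namespace, element_identifier) for a bracket-notation path,
    or None when the path is not in the mso_mdoc form (e.g. "family_name"
    or "$.type", which address a JSON credential rather than an mdoc)."""
    m = _MDOC_PATH.match(path)
    if m is None:
        return None
    return m.group("ns"), m.group("elem")


def naive_first_dot_split(path: str) -> Tuple[str, str]:
    """Reconstruction (assumed, not the project's code) of a dot-delimited
    split: flatten the path to 'ns.element' and cut at the first dot.
    Any namespace that itself contains a dot is mangled by this approach."""
    flat = re.sub(r"""[\$\[\]'"]""", ".", path)   # brackets and quotes become dots
    flat = re.sub(r"\.+", ".", flat).strip(".")     # collapse runs of dots
    ns, _, elem = flat.partition(".")
    return ns, elem


def build_items_request(presentation_definition: dict) -> Tuple[List[dict], List[str]]:
    """Translate every mso_mdoc input descriptor into the ItemsRequest shape
    of an ISO 18013-5 DocRequest: {docType, nameSpaces: {ns: {element:
    intentToRetain}}}. Paths that are not in bracket notation are returned
    in the second value instead of being silently dropped, so a verifier
    author can see why a wallet would have nothing to disclose."""
    requests: List[dict] = []
    skipped: List[str] = []
    for descriptor in presentation_definition.get("input_descriptors", []):
        if "mso_mdoc" not in descriptor.get("format", {}):
            continue
        name_spaces: Dict[str, Dict[str, bool]] = {}
        for field in descriptor.get("constraints", {}).get("fields", []):
            for path in field.get("path", []):
                parsed = parse_mdoc_field_path(path)
                if parsed is None:
                    skipped.append(path)
                    continue
                ns, elem = parsed
                name_spaces.setdefault(ns, {})[elem] = bool(field.get("intent_to_retain", False))
        # Assumption: the descriptor id carries the docType, as in the issue.
        requests.append({"docType": descriptor["id"], "nameSpaces": name_spaces})
    return requests, skipped


# Constructed sample input: the two definitions from the thread, reduced to
# the fields that matter for path handling.
PD_ORIGINAL = {
    "input_descriptors": [{
        "id": "org.iso.18013.5.1.mDL",
        "format": {"mso_mdoc": {"alg": ["ECDSA"]}},
        "constraints": {"fields": [
            {"path": ["family_name"], "intent_to_retain": True},
            {"path": ["$.type"], "intent_to_retain": True},
        ]},
    }]
}
PD_FIXED = {
    "input_descriptors": [{
        "id": "org.iso.18013.5.1.mDL",
        "format": {"mso_mdoc": {"alg": ["ECDSA"]}},
        "constraints": {
            "fields": [{"path": ["$['org.iso.18013.5.1']['given_name']"], "intent_to_retain": True}],
            "limit_disclosure": "required",
        },
    }]
}

if __name__ == "__main__":
    for pd in (PD_ORIGINAL, PD_FIXED):
        reqs, skipped = build_items_request(pd)
        print("request:", reqs, "| skipped paths:", skipped)
    print("naive split:", naive_first_dot_split("$['org.iso.18013.5.1']['given_name']"))
```

Run stand-alone, the first definition yields an empty nameSpaces map with both paths reported as skipped, which matches the empty IssuerSigned list in the first comment; the corrected definition yields `{"org.iso.18013.5.1": {"given_name": True}}`, while the first-dot split turns the same path into the namespace `org`, which no mDL holds.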
