Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add did-jwk support #466

Merged
merged 3 commits into from
Oct 17, 2022
Merged

Add did-jwk support #466

merged 3 commits into from
Oct 17, 2022

Conversation

theosirian
Copy link
Collaborator

Adds did-jwk support as described in https://github.com/quartzjer/did-jwk/blob/main/spec.md

Although the spec mentions canonicalization is optional, it has been implemented here with serde_jcs. So generally, we can expect the same jwk, with an arbitrary field ordering on input, to generate the same did-jwk identifier when using SSI.

Copy link
Contributor

@chunningham chunningham left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks great 👍 Could be worth it to include more tests, although looks like you have covered all the spec-provided test cases (at least one should-fail case could be handy as this did method is just a function)

did-jwk/README.md Show resolved Hide resolved
@chunningham chunningham requested a review from cobward October 6, 2022 09:13
Comment on lines 41 to 44
// TODO: pass through these errors somehow
return (
ResolutionMetadata {
error: Some(ERROR_INVALID_DID.to_string()),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not familiar with how we use ResolutionMetadata usually, but could you just format the error as a string in the error field?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if it's not a specified set https://w3c-ccg.github.io/did-resolution/#errors (but why wouldn't we use an enum if it were)

Copy link
Contributor

@cobward cobward Oct 6, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Aha yes:

The error code from the resolution process. This property is REQUIRED when there is an error in the resolution process. The value of this property MUST be a single keyword ASCII string. The possible property values of this field SHOULD be registered in the DID Specification Registries [DID-SPEC-REGISTRIES].

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In this case I think the TODO can just be removed.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Opened #468

_ => return None,
};
let jwk = jwk.to_public();
let jwk = serde_jcs::to_string(&jwk).unwrap();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you know if this never fails?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From docs.rs:

Serialization can fail if T's implementation of Serialize fails.

If JWK is safe to serialize then it shouldn't be a problem, otherwise I can add error handling.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO we should change the .unwrap() to .ok()?

Copy link
Contributor

@cobward cobward left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just noticed something in the spec that might need addressing:

Only JWKs containing public key material may be used, a JWK for a private key must never be used and must be rejected by all implementations when encountered.

From that I would expect that the resolve method should check that the encoded JWK does not contain the private key (and if so return an error instead of resolving?).

Also if we are being very precise about the spec then I would expect generate to return None instead of converting it to a public key.

I might be misunderstanding the strength of the language used in the spec though :)

@sbihel
Copy link
Member

sbihel commented Oct 6, 2022

Could you rebase please?

@theosirian
Copy link
Collaborator Author

theosirian commented Oct 6, 2022

@sbihel rebased.

@cobward I wasn't sure myself, maybe @awoie can help us here.

I chose to go with .to_public in generate because from the outside user perspective in DIDKit that wouldn't be available, the user would have to figure it out themselves.

Hadn't thought of the resolve perspective, it could happen, there could be a .to_public call there too, but there isn't much to do to remediate if the did has been created and shared with the private key material.

@awoie
Copy link

awoie commented Oct 11, 2022

i believe the only requirement is that we shouldn't allow private key material in the <JWK> in the did:jwk:<JWK>.

@theosirian
Copy link
Collaborator Author

theosirian commented Oct 12, 2022

I have kept the .to_public() call in generation and, in dereference, added a comparison of the decoded JWK against its .to_public() conversion, throwing an ERROR_INVALID_DID if they do not match together with a matching test for this case. I believe that should be enough to cover that requirement. Also rebased to current main.

@sbihel
Copy link
Member

sbihel commented Oct 13, 2022

Could you still address the leftover TODO and unwrap?

@theosirian
Copy link
Collaborator Author

@sbihel done and rebased.

@chunningham chunningham merged commit 24efa09 into main Oct 17, 2022
@chunningham chunningham deleted the feat/did-jwk branch October 17, 2022 15:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants