did-jwt icon indicating copy to clipboard operation
did-jwt copied to clipboard

Published 20 hours ago verified publisher icon decentralized-identity

Add support for providing verifier

Open sondreb opened this issue 2 years ago • 3 comments

It is currently possible to specify a custom signer, but it's not possible to specify a custom verifier.

createJWT allows signing with custom algorithm, like "SS256K" (Schnorr), but it's not possible to specify the verifier using the verifyJWT, so if the JWT/JWS is signed with a custom signer, the verifier will fail.

sondreb avatar Jun 17 '22 13:06 sondreb

Very true.

This is related to #170 in the sense that if this library were more modular you would be able to load custom verifiers too.

Otherwise the solution is to add a SS256K verifier to the embedded bunch already supported.

If that doesn't come with extra dependency baggage, it would be a quick fix, but since I haven't worked with SS256K before I'm not aware of the existing implementations out there.

Do you have insight into this, @sondreb ?

mirceanis avatar Jun 17 '22 14:06 mirceanis

We have in our identity wallet, previously migrated to @noble/secp256k1, so to avoid dependency on yet another library for the same purpose, I wanted to create our own Signer and Verifier using that library. It's not super important to use the new library, though it's very clean, zero dependencies and very fast.

did-jwt relies on elliptic package (doesn't appear to be any development on it for year and a half) which does not implement BIP0340 (Schnorr signatures), so adding support for "SS256K" wouldn't be possible without doing something with dependencies.

Couple of unrelated things I noticed:

  • The example in README.md uses publicKey instead of verificationMethod.
  • There is no support for JsonWebKey2020 (and JsonWebSignature2020), but need to use EcdsaSecp256k1VerificationKey2019.

My preferred option would be to use JsonWebKey2020 with an Schnorr Public Key, which only defines the x coordinate. Guess that could be marked by setting the "crv" on the jwk field to "SS256K", mapping that to the exact same value as the "alg" on the signed JWT/JWS. I already had a working implementation using "publicKeyMultibase", but was not sure if JWK was a "better" option.

sondreb avatar Jun 17 '22 17:06 sondreb

https://github.com/decentralized-identity/did-jwt/commit/60987e0025b1fd45e4a8e583a8c1e28df403fa0b fixes what I mentioned here with no support for JsonWebKey2020. Thanks!

sondreb avatar Jun 26 '22 18:06 sondreb