vechain-sdk-js
Certificate signed by SDK fails to Verify in ThorDevKit
In thordevkit the following code is used to verify signer address:
    if (address.fromPublicKey(pubKey) !== safeToLowerCase(cert.signer)) {
        throw new Error('signature does not match with signer')
    }
i.e. lowercased signer. However, the SDK does not do the same lowercased validation. This means a certificate will pass validation in the SDK and fail validation in ThorDevKit (or vice versa). The SDK and ThorDevKit should align on this so both will validate.
The fix when using the SDK but validating via ThorDevKit is:
    const cert = {
        domain: window.location.hostname,
        payload: msg.payload,
        purpose: msg.purpose,
        signer: address.toLowerCase(), // has to be like that because of diff between thor-sdk and thor-devkit
        timestamp: Math.floor(Date.now() / 1000),
    };
But that will fail validation in the SDK.
FYI certificate.verify() will throw if signer is lowerCase'd:
https://github.com/vechain/vechain-sdk-js/blob/b27bb34a6b5e6af44daa8362c79c07e06d6cd091/packages/core/src/certificate/certificate.ts#L57-L63
Also, there's a difference on the encoding side: while thor-devkit encodes the signer parameter as lowercase, the SDK doesn't. I guess it'd be ideal to keep compatibility between the two also on the encoding part.
The proposed solution makes the verify method case insensitive, although the SDK continues to adhere to the proposed https://eips.ethereum.org/EIPS/eip-55 convention to represent the addresses.
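An added sketch (not code from the SDK or thor-devkit) of the encoding mismatch raised in this thread: when one side encodes the certificate with the signer as given and the other lowercases it first, the bytes that get hashed and signed differ unless the signer is already lowercase, so a case-insensitive address comparison alone does not make the two interoperate. The helper names, the sorted-key JSON encoding and the sample certificate are assumptions constructed for illustration.

```javascript
// Added example, not SDK or thor-devkit code. Helper names are hypothetical.

// Deterministic JSON with sorted keys, so the same certificate always yields the same bytes.
function stableStringify(value) {
  if (value === null || typeof value !== 'object') return JSON.stringify(value);
  if (Array.isArray(value)) return '[' + value.map(stableStringify).join(',') + ']';
  return '{' + Object.keys(value).sort()
    .map((k) => JSON.stringify(k) + ':' + stableStringify(value[k]))
    .join(',') + '}';
}

// Encoder that keeps the signer exactly as supplied (what the thread reports for the SDK).
function encodePreservingCase(cert) {
  return stableStringify(cert);
}

// Encoder that lowercases the signer first (what the thread reports for thor-devkit).
function encodeLowercasedSigner(cert) {
  return stableStringify({ ...cert, signer: cert.signer.toLowerCase() });
}

// A signature only verifies on both sides if both sides hash identical bytes.
function encodingsAgree(cert) {
  return encodePreservingCase(cert) === encodeLowercasedSigner(cert);
}

// Case-insensitive signer comparison that still rejects malformed addresses.
function sameSigner(derivedAddress, signer) {
  const isAddress = (a) => typeof a === 'string' && /^0x[0-9a-fA-F]{40}$/.test(a);
  if (!isAddress(derivedAddress) || !isAddress(signer)) {
    throw new Error('invalid address');
  }
  return derivedAddress.toLowerCase() === signer.toLowerCase();
}

// Constructed sample data; the address casing is arbitrary, not a computed EIP-55 checksum.
const MIXED_CASE_SIGNER = '0xAbCdEf0123456789aBcDeF0123456789AbCdEf01';
const baseCert = {
  domain: 'example.org',
  payload: { type: 'text', content: 'sign-in request' },
  purpose: 'identification',
  timestamp: 1700000000,
};
const mixedCert = { ...baseCert, signer: MIXED_CASE_SIGNER };
const lowerCert = { ...baseCert, signer: MIXED_CASE_SIGNER.toLowerCase() };

console.log(encodingsAgree(mixedCert)); // false
console.log(encodingsAgree(lowerCert)); // true
console.log(sameSigner(MIXED_CASE_SIGNER.toLowerCase(), mixedCert.signer)); // true
```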