aries-cloudagent-python icon indicating copy to clipboard operation
aries-cloudagent-python copied to clipboard
verified publisher icon hyperledger

Old style Indy “~” verkeys are not properly resolved in all places, such as when using Indy DIDs and W3C JSON-LD VCs

Open quinndevos-anonyome opened this issue 2 years ago • 1 comments

This DID is written to the Indicio TestNet: did:sov:vDJcpAkTATe2AbWo82BdX

Its verkey is ~GYRtc273Xs8awcJcqoWzjo

When I attempt to issue a W3C credential using this DID as the issuer DID, the holder fails to store the issued credential:

aries_cloudagent.protocols.issue_credential.v2_0.formats.handler.V20CredFormatError: Received invalid credential: <DocumentVerificationResult(verified=False, document={'@context': ['https://www.w3.org/2018/credentials/v1', 'https://w3id.org/citizenship/v1'], 'type': ['VerifiableCredential', 'PermanentResident'], 'issuer': 'did:sov:vDJcpAkTATe2AbWo82BdX', 'issuanceDate': '2023-11-23T05:40:12.511Z', 'credentialSubject': {'type': ['PermanentResident'], 'givenName': 'froyo', 'familyName': 'self'}, 'proof': {'type': 'Ed25519Signature2018', 'verificationMethod': 'did:sov:vDJcpAkTATe2AbWo82BdX#key-1', 'created': '2023-11-23T05:40:25.741498+00:00', 'proofPurpose': 'assertionMethod', 'jws': 'eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..f6RqTBxaDgQc8Na25iAxMELQdhZO5ykxSHNwMRrDg5GHBggcL1-y4SyrlOmwZTO3wTIJ7Rk4EZ4RmhFrTQOECg'}}, results=[<ProofResult(verified=False, proof={'@context': ['https://www.w3.org/2018/credentials/v1', 'https://w3id.org/citizenship/v1'], 'type': 'Ed25519Signature2018', 'verificationMethod': 'did:sov:vDJcpAkTATe2AbWo82BdX#key-1', 'created': '2023-11-23T05:40:25.741498+00:00', 'proofPurpose': 'assertionMethod', 'jws': 'eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..f6RqTBxaDgQc8Na25iAxMELQdhZO5ykxSHNwMRrDg5GHBggcL1-y4SyrlOmwZTO3wTIJ7Rk4EZ4RmhFrTQOECg'}, error=ValueError("Invalid character '~'"), purpose_result=None)>], errors=[ValueError("Invalid character '~'")])>

I used the ACApy API PATCH ledger/rotate-public-did-keypair to write a new verkey to Indicio TestNet for this DID, which fixed the issue - the new resolved verkey does not contain a tilde ~ and the credential is stored successfully.

https://indyscan.indiciotech.io/txs/IND_TESTNET/domain?page=1&pageSize=50&filterTxNames=[%22NYM%22]&sortFromRecent=true&search=vDJcpAkTATe2AbWo82BdX

image

However, this solution doesn't solve the issue which is that ACApy does not know how to handle verkeys with tildes ~.

quinndevos-anonyome avatar Nov 23 '23 06:11 quinndevos-anonyome

This should work — IIRC, the “~” indicates that the DID identifier should be “added” (not sure the semantics of the addition) to the shortened “~” verkey representation to get the actual verkey. The resolver that is being used is in this path in the code is not aware of that rule and so is not detecting the “~” and reacting accordingly. It’s there as an early Indy days (unnecessary) “optimization” done to save space — very unfortunate.

The resolver code in Indy needs to be checked to look for where this check is now being used, and add it back in.

Renaming the issue to reflect what is needed.

swcurran avatar Nov 24 '23 20:11 swcurran