diff --git a/credential/integrity/jwt.go b/credential/integrity/jwt.go index a14be343..72175bdc 100644 --- a/credential/integrity/jwt.go +++ b/credential/integrity/jwt.go @@ -44,7 +44,13 @@ func SignVerifiableCredentialJWT(signer jwx.Signer, cred credential.VerifiableCr return nil, errors.Wrap(err, "setting KID protected header") } } - signed, err := jwt.Sign(t, jwt.WithKey(jwa.SignatureAlgorithm(signer.ALG), signer.PrivateKey, jws.WithProtectedHeaders(hdrs))) + + // Ed25519 is not supported by the jwx library yet https://github.com/TBD54566975/ssi-sdk/issues/520 + alg := signer.ALG + if alg == "Ed25519" { + alg = jwa.EdDSA.String() + } + signed, err := jwt.Sign(t, jwt.WithKey(jwa.SignatureAlgorithm(alg), signer.PrivateKey, jws.WithProtectedHeaders(hdrs))) if err != nil { return nil, errors.Wrap(err, "signing JWT credential") } @@ -271,7 +277,12 @@ func SignVerifiablePresentationJWT(signer jwx.Signer, parameters *JWTVVPParamete return nil, errors.Wrap(err, "setting KID protected header") } } - signed, err := jwt.Sign(t, jwt.WithKey(jwa.SignatureAlgorithm(signer.ALG), signer.PrivateKey, jws.WithProtectedHeaders(hdrs))) + // Ed25519 is not supported by the jwx library yet https://github.com/TBD54566975/ssi-sdk/issues/520 + alg := signer.ALG + if alg == "Ed25519" { + alg = jwa.EdDSA.String() + } + signed, err := jwt.Sign(t, jwt.WithKey(jwa.SignatureAlgorithm(alg), signer.PrivateKey, jws.WithProtectedHeaders(hdrs))) if err != nil { return nil, errors.Wrap(err, "signing JWT presentation") } diff --git a/crypto/jwx/jwk.go b/crypto/jwx/jwk.go index 814d5e82..748670ce 100644 --- a/crypto/jwx/jwk.go +++ b/crypto/jwx/jwk.go @@ -82,9 +82,13 @@ func (k *PrivateKeyJWK) ToPrivateKey() (gocrypto.PrivateKey, error) { if err != nil { return nil, errors.Wrap(err, "getting alg from key and curve") } + // Ed25519 is not supported by the jwx library yet https://github.com/TBD54566975/ssi-sdk/issues/520 + if alg == jwa.Ed25519.String() { + alg = jwa.EdDSA.String() + } k.ALG = alg } - if IsSupportedJWXSigningVerificationAlgorithm(k.ALG) || IsSupportedKeyAgreementType(k.ALG) { + if IsSupportedJWXSigningVerificationAlgorithm(k.ALG) || IsSupportedKeyAgreementType(k.CRV) { return k.toSupportedPrivateKey() } if IsExperimentalJWXSigningVerificationAlgorithm(k.ALG) { diff --git a/crypto/jwx/jwt.go b/crypto/jwx/jwt.go index 7ac55c5c..02772039 100644 --- a/crypto/jwx/jwt.go +++ b/crypto/jwx/jwt.go @@ -179,12 +179,23 @@ func (s *Signer) SignWithDefaults(kvs map[string]any) ([]byte, error) { return nil, errors.Wrap(err, "setting KID protected header") } } - return jwt.Sign(t, jwt.WithKey(jwa.SignatureAlgorithm(s.ALG), s.PrivateKey, jws.WithProtectedHeaders(hdrs))) + + // Ed25519 is not supported by the jwx library yet https://github.com/TBD54566975/ssi-sdk/issues/520 + alg := s.ALG + if alg == "Ed25519" { + alg = jwa.EdDSA.String() + } + return jwt.Sign(t, jwt.WithKey(jwa.SignatureAlgorithm(alg), s.PrivateKey, jws.WithProtectedHeaders(hdrs))) } // Verify parses a token given the verifier's known algorithm and key, and returns an error, which is nil upon success func (v *Verifier) Verify(token string) error { - if _, err := jwt.Parse([]byte(token), jwt.WithKey(jwa.SignatureAlgorithm(v.ALG), v.publicKey)); err != nil { + alg := jwa.SignatureAlgorithm(v.ALG) + // Ed25519 is not supported by the jwx library yet https://github.com/TBD54566975/ssi-sdk/issues/520 + if alg == "Ed25519" { + alg = jwa.EdDSA + } + if _, err := jwt.Parse([]byte(token), jwt.WithKey(alg, v.publicKey)); err != nil { return errors.Wrap(err, "verifying JWT") } return nil @@ -205,7 +216,12 @@ func (*Verifier) Parse(token string) (jws.Headers, jwt.Token, error) { // VerifyAndParse attempts to turn a string into a jwt.Token and verify its signature using the verifier func (v *Verifier) VerifyAndParse(token string) (jws.Headers, jwt.Token, error) { - parsed, err := jwt.Parse([]byte(token), jwt.WithKey(jwa.SignatureAlgorithm(v.ALG), v.publicKey)) + alg := jwa.SignatureAlgorithm(v.ALG) + // Ed25519 is not supported by the jwx library yet https://github.com/TBD54566975/ssi-sdk/issues/520 + if alg == "Ed25519" { + alg = jwa.EdDSA + } + parsed, err := jwt.Parse([]byte(token), jwt.WithKey(alg, v.publicKey)) if err != nil { return nil, nil, errors.Wrap(err, "parsing and verifying JWT") } @@ -235,7 +251,7 @@ func AlgFromKeyAndCurve(kty, crv string) (string, error) { case jwa.X25519.String(): return jwa.X25519.String(), nil case jwa.Ed25519.String(): - return jwa.EdDSA.String(), nil + return jwa.Ed25519.String(), nil default: return "", fmt.Errorf("unsupported OKP jwt curve: %s", curve) } @@ -277,6 +293,7 @@ func GetSupportedJWXSigningVerificationAlgorithms() []string { jwa.ES384.String(), jwa.ES512.String(), jwa.EdDSA.String(), + jwa.Ed25519.String(), } } diff --git a/cryptosuite/jws2020/jsonwebkey2020.go b/cryptosuite/jws2020/jsonwebkey2020.go index b5e5b1e4..ecabf4fe 100644 --- a/cryptosuite/jws2020/jsonwebkey2020.go +++ b/cryptosuite/jws2020/jsonwebkey2020.go @@ -182,7 +182,12 @@ func (s *JSONWebKeySigner) Sign(tbs []byte) ([]byte, error) { if err := headers.Set(jws.CriticalKey, []string{b64}); err != nil { return nil, err } - return jws.Sign(nil, jws.WithKey(jwa.SignatureAlgorithm(s.ALG), s.PrivateKey), jws.WithHeaders(headers), jws.WithDetachedPayload(tbs)) + // Ed25519 is not supported by the jwx library yet https://github.com/TBD54566975/ssi-sdk/issues/520 + alg := s.ALG + if alg == "Ed25519" { + alg = jwa.EdDSA.String() + } + return jws.Sign(nil, jws.WithKey(jwa.SignatureAlgorithm(alg), s.PrivateKey), jws.WithHeaders(headers), jws.WithDetachedPayload(tbs)) } func (s *JSONWebKeySigner) GetKeyID() string { @@ -238,7 +243,12 @@ func (v JSONWebKeyVerifier) Verify(message, signature []byte) error { if err != nil { return errors.Wrap(err, "getting public key") } - _, err = jws.Verify(signature, jws.WithKey(jwa.SignatureAlgorithm(v.ALG), pubKey), jws.WithDetachedPayload(message)) + // Ed25519 is not supported by the jwx library yet https://github.com/TBD54566975/ssi-sdk/issues/520 + alg := v.ALG + if alg == "Ed25519" { + alg = jwa.EdDSA.String() + } + _, err = jws.Verify(signature, jws.WithKey(jwa.SignatureAlgorithm(alg), pubKey), jws.WithDetachedPayload(message)) return err } diff --git a/go.work.sum b/go.work.sum index 440be32e..2f602b2f 100644 --- a/go.work.sum +++ b/go.work.sum @@ -202,6 +202,7 @@ github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/teserakt-io/golang-ed25519 v0.0.0-20210104091850-3888c087a4c8 h1:RBkacARv7qY5laaXGlF4wFB/tk5rnthhPb8oIBGoagY= github.com/teserakt-io/golang-ed25519 v0.0.0-20210104091850-3888c087a4c8/go.mod h1:9PdLyPiZIiW3UopXyRnPYyjUXSpiQNHRLu8fOsR3o8M= github.com/tidwall/gjson v1.6.7 h1:Mb1M9HZCRWEcXQ8ieJo7auYyyiSux6w9XN3AdTpxJrE= @@ -241,14 +242,18 @@ golang.org/x/exp v0.0.0-20190731235908-ec7cb31e5a56/go.mod h1:JhuoJpWY28nO4Vef9t golang.org/x/image v0.0.0-20190802002840-cff245a6509b h1:+qEpEAPhDZ1o0x3tHzZTQDArnOixOzGD9HUJfcg0mb4= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20180719180050-a680a1efc54d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14= +golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b h1:clP8eMhB30EHdc0bd2Twtq6kgU7yl5ub2cQLSdrv1Dg= golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E= @@ -268,6 +273,7 @@ golang.org/x/time v0.1.0 h1:xYY+Bajn2a7VBmTM5GikTmnK8ZuX8YgnQCqZpbBNtmA= golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=