impierce/did-manager

[Bug] did:web generates a did that encodes default ports in the @id.

Closed this issue · 2 comments

Description

When generating a did:web, the port is always encoded in the id. This results in an invalid did document.

E.g. https://agent.poc9.eduwallet.nl/.well-known/did.json which has the contents:

{
  "id": "did:web:agent.poc9.eduwallet.nl%3A443",
  "verificationMethod": [
    {
      "id": "did:web:agent.poc9.eduwallet.nl%3A443#key-0",
      "controller": "did:web:agent.poc9.eduwallet.nl%3A443",
      "type": "JsonWebKey2020",
      "publicKeyJwk": {
        "kty": "OKP",
        "alg": "EdDSA",
        "kid": "bQKQRzaop7CgEvqVq8UlgLGsdF-R-hnLFkKFZqW2VN0",
        "crv": "Ed25519",
        "x": "GlnK9ePs802XxAglROQzoGurm9Qpv0IFPEbdMCILN_U"
      }
    }
  ],
  "@context": [
    "https://www.w3.org/ns/did/v1",
    "https://w3id.org/security/suites/ed25519-2020/v1"
  ]
}

The ids and controller all include the :443 port, the default port for https.

I presume that for default ports this must not be included. If we look at the spec for origin, it's unclear what's needed. But if we look at the implementation for Rust's URL, we see that default ports are omitted. And since your code uses the ascii_serialization() that omits default ports, it would be wise to exclude default ports from the ID as well.

In any case: our DID is invalid, as can be seen in the universal resolver, which, rightfully, gives the following error:

https://dev.uniresolver.io/#did:web:agent.poc9.eduwallet.nl

{
  "error": "notFound",
  "message": "resolver_error: DID document id does not match requested did",
  "contentType": "application/did+ld+json"
}

And resolving the did https://dev.uniresolver.io/#did:web:agent.poc9.eduwallet.nl%3A443 gives a 400. This may be a limitation or bug in the universal resolver. But even if it would resolve this, we'd then have to always include :443 in the DID, the url and so on.

Hardware Specification

Operating system:
RAM:
Cores:
Device:

Steps to Reproduce the Bug

  1. Run agent_application from impierce/ssi-agent with AGENT_CONFIG_DID_METHOD_WEB_ENABLED=true on an actual domain with SSL enabled (ngrok or so?)
  2. Note the log output showing the example did.json and where to host it.
  3. Fetch https://example.com/.well-known/did.json as the application hosts it for us.
  4. Visit https://dev.uniresolver.io/ and insert the did.
  5. Resolve.
  6. See the error.

Expected Behaviour

Dids with ids that exclude common ports which match their scheme.

Actual Behaviour

Dids with ids that include common ports which match their scheme.

Errors

DID document id does not match requested did",
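
One way to derive the identifier so that a scheme's default port is left out, as the report proposes. This is an added example, not code from impierce/did-manager; the helper names `default_port`, `did_web_from_origin` and `doc_id_matches_origin` are hypothetical, and the parsing assumes a plain `scheme://host[:port]` origin without userinfo or IPv6 literals.

```rust
// Added example, not code from impierce/did-manager. Helper names are hypothetical.

/// Default port per scheme (the two schemes relevant to did:web hosting).
fn default_port(scheme: &str) -> Option<u16> {
    match scheme {
        "https" => Some(443),
        "http" => Some(80),
        _ => None,
    }
}

/// Derive a did:web identifier from an origin like "https://host[:port]".
/// Assumption: std-only parsing, no userinfo and no IPv6 literals.
fn did_web_from_origin(origin: &str) -> Result<String, String> {
    let (scheme, rest) = origin.split_once("://").ok_or("missing scheme")?;
    let authority = rest.split('/').next().unwrap_or("");
    let (host, port) = match authority.rsplit_once(':') {
        Some((h, p)) => (h, Some(p.parse::<u16>().map_err(|e| e.to_string())?)),
        None => (authority, None),
    };
    if host.is_empty() {
        return Err("empty host".into());
    }
    let host = host.to_ascii_lowercase();
    match port {
        // A non-default port is kept, with its colon percent-encoded as %3A.
        Some(p) if Some(p) != default_port(scheme) => Ok(format!("did:web:{}%3A{}", host, p)),
        // No port, or the scheme's default port: leave it out of the identifier.
        _ => Ok(format!("did:web:{}", host)),
    }
}

/// True when a DID document's `id` equals the identifier derived from the hosting origin.
fn doc_id_matches_origin(doc_id: &str, origin: &str) -> bool {
    did_web_from_origin(origin).map_or(false, |did| did == doc_id)
}

fn main() {
    let origin = "https://agent.poc9.eduwallet.nl:443";
    println!("{:?}", did_web_from_origin(origin));
    // The id from the report carries %3A443 and so does not match.
    println!("{}", doc_id_matches_origin("did:web:agent.poc9.eduwallet.nl%3A443", origin));
}
```
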

Thanks for the detailed report! 👍 I'll look into it and fix it 🙂

🎉 This issue has been resolved in version 1.0.0-beta.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀