RSA Proof wrong canonicalization

[fabrii]

Hi!

There seems to be an error when calculating the canonicalization of a RsaSignature2018 proof.

The result of the library is like this:

_:c14n0 <http://purl.org/dc/terms/created> "2023-06-03T20:00:01Z"^^<xsd:dateTime> .
_:c14n0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://w3id.org/security#RsaSignature2018> .
_:c14n0 <sec:proofPurpose> <https://w3id.org/security#assertionMethod> .
_:c14n0 <sec:verificationMethod> <urn:oid:2.16.858.0.0.0.3.0#1> .

when it should be like this:

_:c14n0 <http://purl.org/dc/terms/created> "2023-06-03T20:00:01Z"^^<http://www.w3.org/2001/XMLSchema#dateTime> .
_:c14n0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://w3id.org/security#RsaSignature2018> .
_:c14n0 <https://w3id.org/security#proofPurpose> <https://w3id.org/security#assertionMethod> .
_:c14n0 <https://w3id.org/security#verificationMethod> <urn:oid:2.16.858.0.0.0.3.0#1> .

On the other side, the Ed25519Signature2020 is working ok:

_:c14n0 <http://purl.org/dc/terms/created> "2023-05-23T21:37:44Z"^^<http://www.w3.org/2001/XMLSchema#dateTime> .
_:c14n0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://w3id.org/security#Ed25519Signature2020> .
_:c14n0 <https://w3id.org/security#proofPurpose> <https://w3id.org/security#assertionMethod> .
_:c14n0 <https://w3id.org/security#verificationMethod> <urn:oid:2.16.858.0.0.0.3.0#1> .

[davidlehn]

Please provide minimal runnable test code that shows the issue. There's not enough info here to know what may be going on. If I had to guess, one of the contexts you are using, or not using, has not defined "sec" and "xsd", so they are being used literally as IRI schemes, rather than being expanded.

[fabrii]

Hi @davidlehn. Here I have a reproducer. Start the application and see the console output log.

https://github.com/fabrii/dc-playground

Thanks!

[fabrii]

Is the "https://w3id.org/security/v1" context missing somewhere?

I am doing the canonicalization also in a Java library, with the same contexts used in Javascript, and it works ok, without manually adding the security context.

[dlongley]

It's known that RsaSignature2018 is broken when using it with the VC 1.0 context:

w3c/vc-data-model#778

[fabrii]

Hi @dlongley. Thanks for your response.

I read the https://w3c-ccg.github.io/lds-rsa2018/ spec, and although I know is an unofficial draft, there is no warning of this. Note also that RsaSignature2018 is heavily used in https://www.w3.org/TR/vc-data-model/

Is there any known workaround?

In Java, I am using https://github.com/danubetech/verifiable-credentials-java that uses https://github.com/WebOfTrustInfo/ld-signatures-java under the hoods, and they seem to not have the problem. I will ask @peacekeeper about this.

Thanks

[fabrii]

Closing here to open in digitalbazaar/jsonld-signatures#174