fix: improve did key id resolving (#2624)

Author: TimoGlastra

.changeset/odd-deer-create.md

@@ -0,0 +1,5 @@
+---
+"@credo-ts/core": patch
+---
+
+fix: improve did key id resolving. We used `startsWith` to match, but that has loopholes, and did not correctly handle all relative key ids. We now 'compact' each key id (remove the did prefix) but only if the keyId starts with the did document id, and compares them.

packages/core/src/modules/dids/domain/DidDocument.ts

@@ -113,7 +113,7 @@ export class DidDocument {
     // TODO: once we use JSON-LD we should use that to resolve references in did documents.
     // for now we check whether the key id ends with the keyId.
     // so if looking for #123 and key.id is did:key:123#123, it is valid. But #123 as key.id is also valid
-    const verificationMethod = this.verificationMethod?.find((key) => key.id.endsWith(keyId))
+    const verificationMethod = this.verificationMethod?.find((key) => this.matchKeyId(keyId, key.id))
 
     if (!verificationMethod) {
       throw new CredoError(`Unable to locate verification method with id '${keyId}'`)
@@ -136,10 +136,10 @@ export class DidDocument {
 
     for (const purpose of purposes) {
       for (const key of this[purpose] ?? []) {
-        if (typeof key === 'string' && key.endsWith(keyId)) {
+        if (typeof key === 'string' && this.matchKeyId(keyId, key)) {
           return this.dereferenceVerificationMethod(key)
         }
-        if (typeof key !== 'string' && key.id.endsWith(keyId)) {
+        if (typeof key !== 'string' && this.matchKeyId(keyId, key.id)) {
           return key
         }
       }
@@ -148,6 +148,16 @@ export class DidDocument {
     throw new CredoError(`Unable to locate verification method with id '${keyId}' in purposes ${purposes}`)
   }
 
+  private matchKeyId(externalKeyId: string, didDocumentKeyId: string) {
+    // Compact is did removed from start but only if it matches the id of this document.
+    const compactExternalKeyId = externalKeyId.startsWith(this.id) ? externalKeyId.slice(this.id.length) : externalKeyId
+    const compactDidDocumentKeyId = didDocumentKeyId.startsWith(this.id)
+      ? didDocumentKeyId.slice(this.id.length)
+      : didDocumentKeyId
+
+    return compactExternalKeyId === compactDidDocumentKeyId
+  }
+
   public findVerificationMethodByPublicKey(publicJwk: PublicJwk, allowedPurposes?: DidVerificationMethods[]) {
     const allPurposes: DidVerificationMethods[] = [
       'authentication',

packages/core/src/modules/dids/domain/__tests__/DidDocument.test.ts

@@ -176,6 +176,38 @@ describe('Did | DidDocument', () => {
     }
   })
 
+  it('should resolve both relative and absolute keyId combinations', () => {
+    const didDocument = DidDocument.fromJSON({
+      '@context': ['https://www.w3.org/ns/did/v1', 'https://w3id.org/security/suites/jws-2020/v1'],
+      id: 'did:web:verifier.dev.eduid.nl',
+      verificationMethod: [
+        {
+          id: 'did:web:verifier.dev.eduid.nl#0',
+          type: 'JsonWebKey2020',
+          publicKeyJwk: {
+            kty: 'EC',
+            crv: 'P-256',
+            kid: '02435f281d2d4a2bc2eed6a87bc24a4e7ba1f7f7276c9bc1ffdd6e27b58638d9be',
+            use: 'sig',
+            key_ops: ['verify'],
+            alg: 'ES256',
+            x: 'Q18oHS1KK8Lu1qh7wkpOe6H39ydsm8H_3W4ntYY42b4',
+            y: 'zF-vLyHCwUNlVjf8xC4vgZzZ6mJFEACXe-A4jOU3YJI',
+          },
+          controller: 'did:web:verifier.dev.eduid.nl',
+        },
+      ],
+      authentication: ['#0'],
+      assertionMethod: ['#0'],
+      capabilityDelegation: ['#0'],
+      capabilityInvocation: ['#0'],
+    })
+
+    expect(didDocument.dereferenceKey('did:web:verifier.dev.eduid.nl#0', ['authentication'])).toEqual(
+      didDocument.verificationMethod?.[0]
+    )
+  })
+
   it('should correctly transforms DidDoc class to Json', () => {
     const didDocumentJson = JsonTransformer.toJSON(didDocumentInstance)