Verify credentials

[sk91]

Hi,

Is there currently a way to actually verify a credential?

I would guess that the correct flow should leverage verifyCredential method from 'did-jwt-vc' but I could not find the correct way to do it with veramo

[rado0x54]

Hey @sk91,

the current release of Veramo solely utilizes JWT-VC and JWT-VP representations of VC and VP. Signature verification of those are done generically while receiving those messages via a dedicated MessageHandler: https://github.com/uport-project/veramo/blob/next/packages/did-jwt/src/message-handler.ts#L14

Further format and structural validations are done in the respective credential/presentation message handler:
https://github.com/uport-project/veramo/blob/next/packages/credential-w3c/src/message-handler.ts

We are currently working to integrate JSON-LD Credentials and as part of this are working add a new dedicated verification interface for credentials and presentations independent from encoding: See #375

With that ticket we will very likely expose a universal verification interface for credentials.

[mirceanis]

To provide a more concrete answer on top of what @rado0x54 has commented, here's an example of a minimalistic verifier of JWT VCs/VPs:

index.ts:

import { createAgent, IMessageHandler, IResolver } from "@veramo/core";
import { W3cMessageHandler } from "@veramo/credential-w3c";
import { JwtMessageHandler } from "@veramo/did-jwt";
import { DIDResolverPlugin } from "@veramo/did-resolver";
import { getUniversalResolverFor } from "@veramo/did-resolver/build/universal-resolver";
import { MessageHandler } from "@veramo/message-handler";
import { Resolver } from "did-resolver";

export const agent = createAgent<IResolver & IMessageHandler>({
  plugins: [
    new DIDResolverPlugin({
      resolver: new Resolver({
        ...getUniversalResolverFor(["ethr", "web", "key", "io", "elem"]),
      }),
    }),
    new MessageHandler({
      messageHandlers: [new JwtMessageHandler(), new W3cMessageHandler()],
    }),
  ],
});

const jwtVCToBeChecked: string =
  "eyJhbGciOiJFUzI1NksiLCJ0eXAiOiJKV1QifQ.eyJ2YyI6eyJjcmVkZW50aWFsU3ViamVjdCI6eyJuYW1lIjoiQWxpY2UifSwiQGNvbnRleHQiOlsiaHR0cHM6Ly93d3cudzMub3JnLzIwMTgvY3JlZGVudGlhbHMvdjEiXSwidHlwZSI6WyJWZXJpZmlhYmxlQ3JlZGVudGlhbCIsIlByb2ZpbGUiXX0sInN1YiI6ImRpZDpldGhyOnJpbmtlYnk6MHgwNTk4NTdjZmY4YTM0OTA4YWY0MjY3ZmQyZDFlNWY4NGRhZjRiZTMzIiwibmJmIjoxNjE4NTgxODcwLCJpc3MiOiJkaWQ6ZXRocjpyaW5rZWJ5OjB4MDI2NGYzMWUwZjJmODZkYzM3NjU2NzA0MWNkMjllNzA4MzM4NWM3ZjI0MjY1YWRiYzJiNGFhYjI3N2E1ZGY4MTM5In0.fSKxO3L9ODYP8gVxFSidzphsgbgPDfxEjIp5-jCr5_gbf1NkiR_KqHBwxn76ctVHNzsy6GeLNVOrsCPOFCawXw";

(async () => {
  try {
    const message = await agent.handleMessage({
      raw: jwtVCToBeChecked,
    });
    console.log("Credential is valid", JSON.stringify(message, null, 2));
  } catch (error) {
    console.error(`credential verification failed. It's is probably not valid`);
  }
})();

package.json:

{
  "scripts": {
    "start": "ts-node index.ts"
  },
  "devDependencies": {
    "ts-node": "^9.1.1",
    "typescript": "^4.2.4"
  },
  "dependencies": {
    "@veramo/core": "^1.1.1-next.38",
    "@veramo/credential-w3c": "^1.1.1-next.38",
    "@veramo/did-jwt": "^1.1.1-next.38",
    "@veramo/did-resolver": "^1.1.1-next.38",
    "@veramo/message-handler": "^1.1.1-next.38",
    "did-resolver": "^3.1.0"
  }
}

tsconfig.json:

{
  "compilerOptions": {
    "module": "CommonJS",
    "lib": ["dom", "ES2017"]
  }
}

What happens here is that the raw JWT is sent to the MessageHandler.handleMessage() method which passes it through the chain of handlers:

• JwtMessageHandler does the JWT cryptographic verification, using the DID document resolution provided by DIDResolverPlugin. In this example, the universal resolver is used, for the [ethr, web, key, io, elem] DID methods.
• then passes it to W3cMessageHandler which runs some validations on the resulting payload and turns it into a Message.

If all goes well, the message is returned, otherwise an error is thrown.

Please note that if an error is thrown it can be from a number of reasons, not only for invalid credentials.
It can also be an error in the DID resolver (like a network issue, or lacking a configuration for the DID method of the issuer of the JWT).

We realise it's very awkward to do verification like this and are working to improve the verification API, especially with more relevant error messages.