Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

production V+ shows tampered credentials as valid #135

Closed
jchartrand opened this issue Sep 19, 2024 · 6 comments
Closed

production V+ shows tampered credentials as valid #135

jchartrand opened this issue Sep 19, 2024 · 6 comments
Assignees
@jchartrand
Labels
priority

Comments

@jchartrand
Copy link
Contributor

If I remove characters from the json of a valid verifiable credential and then try to verify in V+ it still shows as valid.

Here is a valid VC that correctly validates. But, remove any character, say from the top level 'name', and paste the json into V+
and it will still show as valid:

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1"
  ],
  "type": [
    "VerifiablePresentation"
  ],
  "verifiableCredential": [
    {
      "type": [
        "VerifiableCredential",
        "OpenBadgeCredential"
      ],
      "name": "James Chartrand - Test 2 of “Three Steps for an Entrepreneurial Mindset” Workshop",
      "issuer": {
        "url": "https://www.jwel.mit.edu/",
        "type": "Profile",
        "name": "MIT Jameel World Education Lab",
        "image": {
          "id": "https://raw.githubusercontent.com/camilamassa/UCVtest/e59b713594cd79cf8fd2bcc96d034ab388d005a8/LongBannerLogoNoMIT.png",
          "type": "Image"
        },
        "id": "did:key:z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q"
      },
      "@context": [
        "https://www.w3.org/2018/credentials/v1",
        "https://purl.imsglobal.org/spec/ob/v3p0/context-3.0.1.json",
        {
          "renderMethod": "urn:uuid:b2ab3546-228a-47a8-b97a-9a5646007c53",
          "css3MediaQuery": "urn:uuid:c4c53282-e8e2-4914-83d8-566e25d2f899",
          "digestMultibase": "urn:uuid:caef1a4e-67b8-4dfc-9881-2b51da7edc1b"
        },
        "https://w3id.org/vc/status-list/2021/v1",
        "https://w3id.org/security/suites/ed25519-2020/v1"
      ],
      "renderMethod": [
        {
          "id": "https://raw.githubusercontent.com/camilamassa/UCVtest/main/test%202.html",
          "type": "SvgRenderingTemplate2023",
          "name": "PDF Display",
          "css3MediaQuery": "@media (orientation: portrait)"
        }
      ],
      "credentialSubject": {
        "type": [
          "AchievementSubject"
        ],
        "name": "James Chartrand",
        "achievement": {
          "id": "urn:uuid:951b475e-b795-43bc-ba8f-a2d01efd2eb1",
          "type": [
            "Achievement"
          ],
          "name": "Certificate of Completion of “Three Steps for an Entrepreneurial Mindset” Workshop",
          "criteria": {
            "type": "Criteria",
            "narrative": "This certifies the completion of the “Three Steps for an Entrepreneurial Mindset” Workshop at Universidad César Vallejo. This program comprised 25 hours of activities from March 20 - 22, 2024."
          },
          "description": "MIT Jameel World Education Lab Certificate of Completion",
          "fieldOfStudy": "Three Steps for an Entrepreneurial Mindset” Workshop",
          "achievementType": "Certificate of Completion"
        },
        "id": "did:key:z6Mkf3PfuXaHjNzUbqYpTomBC4EgdLd5dTkA6czW29NoMveC"
      },
      "id": "669674646789dd1f426d9f80",
      "credentialStatus": {
        "id": "https://digitalcredentials.github.io/lef-dashboard-cred-status/Y4DF9YY3Z7#117",
        "type": "StatusList2021Entry",
        "statusPurpose": "revocation",
        "statusListIndex": "117",
        "statusListCredential": "https://digitalcredentials.github.io/lef-dashboard-cred-status/Y4DF9YY3Z7"
      },
      "issuanceDate": "2024-07-16T13:32:17Z",
      "proof": {
        "type": "Ed25519Signature2020",
        "created": "2024-07-16T13:32:17Z",
        "verificationMethod": "did:key:z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q#z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q",
        "proofPurpose": "assertionMethod",
        "proofValue": "z5XgUpmW48Xf3KVAFjkxvLZgmPbDiLbH3G23RoMXVQ4yc8Xh7oijawaFWARHH9yeGD2w8pEfssj7xhmptEKHMbfhF"
      }
    }
  ]
}
@alexfigtree alexfigtree moved this to Backlog in DCC Engineering Sep 19, 2024
@alexfigtree alexfigtree moved this from Backlog to To Do (Current sprint) in DCC Engineering Sep 19, 2024
@alexfigtree alexfigtree moved this from To Do (Current sprint) to In Progress in DCC Engineering Sep 19, 2024
@jchartrand
Copy link
Contributor Author

And now I can't reproduce it - now it shows an error when I tamper with the credential. But, the error it shows is generic and it no longer says it has been tampered with, and doesn't show any of the other checks:
image

@jchartrand
Copy link
Contributor Author

This is so bizarre. Using the credential above, if I change the top level 'name' property in the VC ("name": "James Chartrand - Test 2 of “Three Steps for an Entrepreneurial Mindset” Workshop") - changing the 'C' in Chartrand to an 'S' then it incorrectly shows as verified, i.e, it doesn't detect the tampering.
If, though, using the same credential, I instead change the credentialSubject.name, again changing the 'C' in Chartrand to an 'S' then it does show an error.

@jchartrand
Copy link
Contributor Author

Same thing happens in the LCW, as you can see here where I've changed my last name in the credential title (changed the C to an S):
Screenshot 2024-09-20 at 10 36 55 AM

@jchartrand
Copy link
Contributor Author

Update:

The problem seems to have something to do with the non-url id at the top level of the VC. The following two VCs are identical except that the second has 'urn:uuid' prefixing the top level id. It is only the first VC - without the 'urn:uuid' - that incorrectly shows the VC as verified when the top level name property is tampered with.

Passes verification even after tampering (no urn:uuid prefixing the top level 'id'):

{
    "type": [
        "VerifiableCredential",
        "OpenBadgeCredential"
    ],
    "name": "James Chartrand - Test 2 of “Three Steps for an Entrepreneurial Mindset” Workshop",
    "issuer": {
        "url": "https://www.jwel.mit.edu/",
        "type": "Profile",
        "name": "MIT Jameel World Education Lab",
        "image": {
            "id": "https://raw.githubusercontent.com/camilamassa/UCVtest/e59b713594cd79cf8fd2bcc96d034ab388d005a8/LongBannerLogoNoMIT.png",
            "type": "Image"
        },
        "id": "did:key:z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q"
    },
    "@context": [
        "https://www.w3.org/2018/credentials/v1",
        "https://purl.imsglobal.org/spec/ob/v3p0/context-3.0.1.json",
        {
            "renderMethod": "urn:uuid:b2ab3546-228a-47a8-b97a-9a5646007c53",
            "css3MediaQuery": "urn:uuid:c4c53282-e8e2-4914-83d8-566e25d2f899",
            "digestMultibase": "urn:uuid:caef1a4e-67b8-4dfc-9881-2b51da7edc1b"
        },
        "https://w3id.org/vc/status-list/2021/v1",
        "https://w3id.org/security/suites/ed25519-2020/v1"
    ],
    "renderMethod": [
        {
            "id": "https://raw.githubusercontent.com/camilamassa/UCVtest/main/test%202.html",
            "type": "SvgRenderingTemplate2023",
            "name": "PDF Display",
            "css3MediaQuery": "@media (orientation: portrait)"
        }
    ],
    "credentialSubject": {
        "type": [
            "AchievementSubject"
        ],
        "name": "James Chartrand",
        "achievement": {
            "id": "urn:uuid:951b475e-b795-43bc-ba8f-a2d01efd2eb1",
            "type": [
                "Achievement"
            ],
            "name": "Certificate of Completion of “Three Steps for an Entrepreneurial Mindset” Workshop",
            "criteria": {
                "type": "Criteria",
                "narrative": "This certifies the completion of the “Three Steps for an Entrepreneurial Mindset” Workshop at Universidad César Vallejo. This program comprised 25 hours of activities from March 20 - 22, 2024."
            },
            "description": "MIT Jameel World Education Lab Certificate of Completion",
            "fieldOfStudy": "Three Steps for an Entrepreneurial Mindset” Workshop",
            "achievementType": "Certificate of Completion"
        },
        "id": "did:key:z6Mkf3PfuXaHjNzUbqYpTomBC4EgdLd5dTkA6czW29NoMveC"
    },
    "id": "669674646789dd1f426d9f80",
    "credentialStatus": {
        "id": "https://digitalcredentials.github.io/lef-dashboard-cred-status/Y4DF9YY3Z7#117",
        "type": "StatusList2021Entry",
        "statusPurpose": "revocation",
        "statusListIndex": "117",
        "statusListCredential": "https://digitalcredentials.github.io/lef-dashboard-cred-status/Y4DF9YY3Z7"
    },
    "issuanceDate": "2024-07-16T13:32:17Z",
    "proof": {
        "type": "Ed25519Signature2020",
        "created": "2024-09-20T18:07:12Z",
        "verificationMethod": "did:key:z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q#z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q",
        "proofPurpose": "assertionMethod",
        "proofValue": "z46wvcKbu8pcW9VtfiVeUEd23J2sAkj1Ld7Jbs15n9Q9vpVzE9y8pwrcRXq3rwdW7abwCdH3tbYnx5etNVzeWnJZd"
    }
}

Fails verification after tampering (urn:uuid prefixes the top level 'id'):

{
    "type": [
        "VerifiableCredential",
        "OpenBadgeCredential"
    ],
    "name": "James Chartrand - Test 2 of “Three Steps for an Entrepreneurial Mindset” Workshop",
    "issuer": {
        "url": "https://www.jwel.mit.edu/",
        "type": "Profile",
        "name": "MIT Jameel World Education Lab",
        "image": {
            "id": "https://raw.githubusercontent.com/camilamassa/UCVtest/e59b713594cd79cf8fd2bcc96d034ab388d005a8/LongBannerLogoNoMIT.png",
            "type": "Image"
        },
        "id": "did:key:z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q"
    },
    "@context": [
        "https://www.w3.org/2018/credentials/v1",
        "https://purl.imsglobal.org/spec/ob/v3p0/context-3.0.1.json",
        {
            "renderMethod": "urn:uuid:b2ab3546-228a-47a8-b97a-9a5646007c53",
            "css3MediaQuery": "urn:uuid:c4c53282-e8e2-4914-83d8-566e25d2f899",
            "digestMultibase": "urn:uuid:caef1a4e-67b8-4dfc-9881-2b51da7edc1b"
        },
        "https://w3id.org/vc/status-list/2021/v1",
        "https://w3id.org/security/suites/ed25519-2020/v1"
    ],
    "renderMethod": [
        {
            "id": "https://raw.githubusercontent.com/camilamassa/UCVtest/main/test%202.html",
            "type": "SvgRenderingTemplate2023",
            "name": "PDF Display",
            "css3MediaQuery": "@media (orientation: portrait)"
        }
    ],
    "credentialSubject": {
        "type": [
            "AchievementSubject"
        ],
        "name": "James Chartrand",
        "achievement": {
            "id": "urn:uuid:951b475e-b795-43bc-ba8f-a2d01efd2eb1",
            "type": [
                "Achievement"
            ],
            "name": "Certificate of Completion of “Three Steps for an Entrepreneurial Mindset” Workshop",
            "criteria": {
                "type": "Criteria",
                "narrative": "This certifies the completion of the “Three Steps for an Entrepreneurial Mindset” Workshop at Universidad César Vallejo. This program comprised 25 hours of activities from March 20 - 22, 2024."
            },
            "description": "MIT Jameel World Education Lab Certificate of Completion",
            "fieldOfStudy": "Three Steps for an Entrepreneurial Mindset” Workshop",
            "achievementType": "Certificate of Completion"
        },
        "id": "did:key:z6Mkf3PfuXaHjNzUbqYpTomBC4EgdLd5dTkA6czW29NoMveC"
    },
    "id": "urn:uuid:669674646789dd1f426d9f80",
    "credentialStatus": {
        "id": "https://digitalcredentials.github.io/lef-dashboard-cred-status/Y4DF9YY3Z7#117",
        "type": "StatusList2021Entry",
        "statusPurpose": "revocation",
        "statusListIndex": "117",
        "statusListCredential": "https://digitalcredentials.github.io/lef-dashboard-cred-status/Y4DF9YY3Z7"
    },
    "issuanceDate": "2024-07-16T13:32:17Z",
    "proof": {
        "type": "Ed25519Signature2020",
        "created": "2024-09-20T18:19:11Z",
        "verificationMethod": "did:key:z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q#z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q",
        "proofPurpose": "assertionMethod",
        "proofValue": "z5tWC8PJw4GPGKWztaZ7fhJJrgFPgUUJHAAZ4vzWorxLjk96iP3C2z5DVYo1NVSG64HJCFoSHNLQCmcCpxXg6iTnQ"
    }
}

@jchartrand
Copy link
Contributor Author

This is only a problem with pre-VC2 libraries. The latest VC libs (which support VC2 and BitstringStatusList) don't allow a non-uri id at all, so the verification will always fail.

@alexfigtree alexfigtree moved this from In Progress to Done (Deployed) in DCC Engineering Oct 3, 2024
@alexfigtree
Copy link
Member

Done and deployed 10/3/24

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jchartrand jchartrand

Labels
priority
Projects
DCC Engineering
Status: Done (Deployed)
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jchartrand @alexfigtree