[BUG] Problems with self signed certificates

[Javieral95]

Summary

Hi! I have some problems when I try to use this signing tool (I was follow gx-compliance repository).

I tried to generate private/public keys using openSSL and then generate a self signed certificate, the content of these keys are used in .env file.

I used the following script to generate keys/cert:

openssl genrsa -out keypair.pem 2048
openssl rsa -in keypair.pem -pubout -out publickey.crt
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in keypair.pem -out pkcs8.key

openssl req -new -key pkcs8.key -out my_request.csr
openssl x509 -req -days 3650 -in my_request.csr -signkey pkcs8.key -out cert.key

rm my_request.csr

So, using the previous script the key was in PKCS8 format. I think thats correct. Isnt it?
Anyway, I have modified the code (env and index.js) to add a variable JWT_ALGORITHM inside the .env file (so I can switch to use for example X509)... but I have tried to change this variable and change the method to generate keys and it still fails.

Current Behavior

Fails when try to check self description with the Compliance Service:

📝 Loaded ./config/self-description.json
📈 Hashed canonized SD 1efd1a5039805ed10455271e11ade83d2a6e044761c25da5cb1ecc4b6294e8b1
🔒 SD signed successfully (local)
✅ Verification successful (local)
📁 ./output/1663918326577_self-signed_LegalPerson.json saved
📁 ./output/1663918326577_did.json saved

🔍 Checking Self Description with the Compliance Service...
'Something went wrong:'
{
  statusCode: 409,
  message: 'Verification for the given jwk and jws failed.',
  error: 'Conflict'
}

Expected Behavior

A successful process

Steps to Reproduce

node ./index.js after modify self-description.json and env file.

Environment

PRIVATE_KEY="-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCz8c/UjRnLRIm0
V5XZrX+YtEe57pjtjkjhs3kDpKI8gw04jtr+XHtxF1dPykdYG/WzIpk8KNW5U6Ci
...
Q7RgZby31d1Sok6YubMMdtDa0eDVaSdFEIfr+LdFzBHC9RGt/FJLvdhHCOUNHnAl
FKYM055z0JJC4wZdCSYmPQSumIPHfcJWaKKMnDvsVHoh7tNtOLAX9BrFgHolsY3+
+1zPmXn1KZuyolUXHKpMjPRc
-----END PRIVATE KEY-----"
CERTIFICATE="-----BEGIN CERTIFICATE-----
MIIDfTCCAmUCFEb5J7SaEulAVI/WltT09D4cWBT7MA0GCSqGSIb3DQEBCwUAMHsx
...
nMO89712xzIR64Ch5DI5yKCQ5NVFDUUrcfqvrWd2hzAU723VxPEHu6jlD8ISKTJI
MwGwF/i9VqRwGiAMv6+1QjqXazjCiXX4KJQP2czY1fSN
-----END CERTIFICATE-----"
JWT_ALGORITH="PS256" #PS256 or ES256 (X509)
VERIFICATION_METHOD="did:web:compliance.gaia-x.eu"
X5U_URL="https://compliance.gaia-x.eu/.well-known/x509CertificateChain.pem"
API_VERSION="2204"
BASE_URL="https://compliance.gaia-x.eu"

Anything else

When i used yours Hackaton tool everything works!

Also, my self description is the following one:

{
    "@context": [
        "http://www.w3.org/ns/shacl#", 
        "http://www.w3.org/2001/XMLSchema#", 
        "http://w3id.org/gaia-x/participant#"
    ],
    "@id": "http://example.org/participant-dp6gtq7i75lmk9p4j2tfgCTICTICTIC2",
    "@type": [
        "VerifiableCredential", 
        "LegalPerson"
    ],
    "credentialSubject": {
      "id": "did:web:examnple.com",
      "gx-participant:registrationNumber": {
        "@value": "G-33906637",
        "@type": "xsd:string"
    }, 
      "gx-participant:headquarterAddress": {
        "@type": "gx-participant:Address",
        "gx-participant:country": {
          "@type": "xsd:string",
          "@value": "ES"
        },
        "gx-participant:street-address": {
            "@value": "C. Ada Byron, 39",
            "@type": "xsd:string"
        },
        "gx-participant:postal-code": {
            "@value": "33203",
            "@type": "xsd:string"
        },
        "gx-participant:locality": {
            "@value": "Gijon",
            "@type": "xsd:string"
        }
      },
      "gx-participant:legalAddress": {
        "@type": "gx-participant:Address",
        "gx-participant:country": {
          "@type": "xsd:string",
          "@value": "ES"
        },
        "gx-participant:street-address": {
            "@value": "C. Ada Byron, 39",
            "@type": "xsd:string"
        },
        "gx-participant:postal-code": {
            "@value": "33203",
            "@type": "xsd:string"
        },
        "gx-participant:locality": {
            "@value": "Gijon",
            "@type": "xsd:string"
        }
      }
    }
  }

Thanks a lot!!!

[oceanByte]

Hi @Javieral95 , thanks for this very detailed issue! This makes it much easier to help. I assume there is an issue on how you are creating the certificate. Can you try to follow this guide an provide feedback then? https://gitlab.com/gaia-x/lab/compliance/gx-compliance/-/tree/2206-development#how-to-setup-certificates

[Javieral95]

Hi @oceanByte ! Thanks for the quick response and for your excellent work!
So, my problem is that I need a certificate signed by a Trust Anchor entity, Isnt it?

Im sorry for that, but Im a little bit confused about the process I need to follow.Do you have any guide to help me?

Thank you very much again!

[Javieral95]

Hi! Sorry to bother you again. I have made some changes and improvements, but I keep getting the same error.

Now I deploy all services in my local machine in order to do some test before the final deployment (Gx-Registry, Gx-Compliance and then, self-description-signer). I generated keys and a self signed certificate for my Compliance service (and I save it in the registry database). Then, I generated another keys and certificate (signed by my compliance service's certificate) for my self-description.
Also, I upload the did.json and my trust chain to the .well-know folder inside my compliace project.

My keys and certificates are generated using this script:

#1 generate the private key and CA for root
openssl req -nodes -new -x509  -keyout test_root_key.key -out test_root_ca.crt

#2. create the certificate request
openssl req -new -nodes -keyout test_key.key -out test_ca_request.req

#3. sign the certificate request
openssl x509 -req -in test_ca_request.req -CA test_root_ca.crt -CAkey test_root_key.key -CAcreateserial -out test_ca.crt

#4. build a chain file
cat test_key.key > x509CertificateChain.pem
cat test_ca.crt >> x509CertificateChain.pem
cat test_root_ca.crt >> x509CertificateChain.pem

When I run the self-description-signed, all services are communicated correctly and the registry server checks that the certificate is correct... but the SignatureService function fails inside the Compliace Server when it execute the following line:
const result = await jose.compactVerify(jws, rsaPublicKey)

Getting this error in the compliance server (I added this console log)
ERROR: JWSSignatureVerificationFailed: signature verification failed

And the following error in self-description-signer:

🔒 SD signed successfully (local)
✅ Verification successful (local)
📁 ./output/1664202044001_self-signed_LegalPerson.json saved
📁 ./output/1664202044001_did.json saved

🔍 Checking Self Description with the Compliance Service...
'Something went wrong:'
{
  statusCode: 409,
  message: 'Verification for the given jwk and jws failed.',
  error: 'Conflict'
}

Thanks you very much again!

[Abrom8]

Could you provide your self-signed self-description with the proof? @Javieral95

[Javieral95]

Of course @Abrom8 !

{
  "@context": [
    "http://www.w3.org/ns/shacl#",
    "http://www.w3.org/2001/XMLSchema#",
    "http://w3id.org/gaia-x/participant#"
  ],
  "@id": "http://example.org/participant-dp6gtq7i75lmk9p4j2tfgCTICTICTIC2",
  "@type": [
    "VerifiableCredential",
    "LegalPerson"
  ],
  "credentialSubject": {
    "id": "did:web:examnple.com",
    "gx-participant:registrationNumber": {
      "@value": "G-33906637",
      "@type": "xsd:string"
    },
    "gx-participant:headquarterAddress": {
      "@type": "gx-participant:Address",
      "gx-participant:country": {
        "@type": "xsd:string",
        "@value": "ES"
      },
      "gx-participant:street-address": {
        "@value": "C. Ada Byron, 39",
        "@type": "xsd:string"
      },
      "gx-participant:postal-code": {
        "@value": "33203",
        "@type": "xsd:string"
      },
      "gx-participant:locality": {
        "@value": "Gijon",
        "@type": "xsd:string"
      }
    },
    "gx-participant:legalAddress": {
      "@type": "gx-participant:Address",
      "gx-participant:country": {
        "@type": "xsd:string",
        "@value": "ES"
      },
      "gx-participant:street-address": {
        "@value": "C. Ada Byron, 39",
        "@type": "xsd:string"
      },
      "gx-participant:postal-code": {
        "@value": "33203",
        "@type": "xsd:string"
      },
      "gx-participant:locality": {
        "@value": "Gijon",
        "@type": "xsd:string"
      }
    }
  },
  "proof": {
    "type": "JsonWebKey2020",
    "created": "2022-09-27T06:17:13.913Z",
    "proofPurpose": "assertionMethod",
    "verificationMethod": "did:web:compliance.gaia-x.eu",
    "jws": "eyJhbGciOiJQUzI1NiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..npku2Nw27nadjj0Cj-yiTknZnBA-TBNsgn8vLeZb_fWwdKD7bC5DHRC84q5Bxg4DLDNsnqg0uU6d-XTv1PnIUWwKNImkPnMDDfd4DcLg3Y4o5cUXHYyILuQpEuONVRKsz4vpZu4C0DPapDZRiZhTPB90sPcx8koWkofGAczr0bNzfFU4AGvPGuGKyI_dXW2ixXt_HH-zUZ8uPsanF6tjI-nePztkLpGuAgbcQCn8hHj_OhmG1aomZTU1f96bGCi7EchrEEliiBwsNrxjWr2M0Z_3ocMaZIA91NCaQPCA3Ma1onZmNNev9LsfwZuZtMaKkYg8oefOqjOsScIe0hLI7A"
  }
}

Thank you for your quick response. :)

[Abrom8]

"verificationMethod": "did:web:compliance.gaia-x.eu" in the proof has to point to your generated did.json. You can achieve this by setting the VERIFICATION_METHOD in the config/.env file.

It defaults to your-domain.com/.well-known/did.json if you enter did:web:your-domain.com. You can also specify a specific path, check the did:web specifications for this. Custom paths are only available in version 2206.

I see that you are using the old SD format. I would recommend to have a look into the latest 2206 version. It includes many fixes regarding W3C compliance. You can find the new examples in our README and here: https://gitlab.com/gaia-x/lab/compliance/gx-compliance

[kettenbach-it]

I'm getting the same error as well. I'm signing with letsencrypt, too.

Please allow me a stupid question: is part of the verification process, that the self description is pulled from the url given as id?
Which would mean, that I have to deploy it to the web for a successful verification?

[oceanByte]

is part of the verification process, that the self description is pulled from the url given as id?

You do not need to upload your self description anywhere. Can you share a signed Self Description here?

[kettenbach-it]

I found out, that our SD format seems to be outdate. I'll update and retry

[kettenbach-it]

The compliance service fails even with the example in the repo:

{
	"@context": [
		"https://www.w3.org/2018/credentials/v1",
		"https://registry.gaia-x.eu/v2206/api/shape"
	],
	"type": ["VerifiableCredential", "LegalPerson"],
	"id": "https://delta-dao.com/.well-known/participant.json",
	"issuer": "did:web:delta-dao.com",
	"issuanceDate": "2022-09-15T20:05:20.997Z",
	"credentialSubject": {
		"id": "did:web:delta-dao.com",
		"gx-participant:legalName": "deltaDAO AG",
		"gx-participant:registrationNumber": {
			"gx-participant:registrationNumberType": "leiCode",
			"gx-participant:registrationNumberNumber": "391200FJBNU0YW987L26"
		},
		"gx-participant:blockchainAccountId": "0x4C84a36fCDb7Bc750294A7f3B5ad5CA8F74C4A52",
		"gx-participant:headquarterAddress": {
			"gx-participant:addressCountryCode": "DE",
			"gx-participant:addressCode": "DE-HH",
			"gx-participant:streetAddress": "Geibelstraße 46b",
			"gx-participant:postalCode": "22303"
		},
		"gx-participant:legalAddress": {
			"gx-participant:addressCountryCode": "DE",
			"gx-participant:addressCode": "DE-HH",
			"gx-participant:streetAddress": "Geibelstraße 46b",
			"gx-participant:postalCode": "22303"
		},
		"gx-participant:termsAndConditions": "70c1d713215f95191a11d38fe2341faed27d19e083917bc8732ca4fea4976700"
	}
}

Output:

❯ node self-description-signer/index.js
📝 Loaded ./config/self-description.json
📈 Hashed canonized SD b6af77b2b5dabd126267b0d51437ca806e91406fdd4a62d070b698fd3cd28197
🔒 SD signed successfully (local)
✅ Verification successful (local)
📁 ./output/1664354910655_self-signed_LegalPerson.json saved
📁 ./output/1664354910655_did.json saved 

🔍 Checking Self Description with the Compliance Service...
'Something went wrong:'
{
  statusCode: 409,
  message: 'Verification for the given jwk and jws failed.',
  error: 'Conflict'
}

[kettenbach-it]

this is the file 1664354910655_self-signed_LegalPerson.json:

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://registry.gaia-x.eu/v2206/api/shape"
  ],
  "type": [
    "VerifiableCredential",
    "LegalPerson"
  ],
  "id": "https://delta-dao.com/.well-known/participant.json",
  "issuer": "did:web:delta-dao.com",
  "issuanceDate": "2022-09-15T20:05:20.997Z",
  "credentialSubject": {
    "id": "did:web:delta-dao.com",
    "gx-participant:legalName": "deltaDAO AG",
    "gx-participant:registrationNumber": {
      "gx-participant:registrationNumberType": "leiCode",
      "gx-participant:registrationNumberNumber": "391200FJBNU0YW987L26"
    },
    "gx-participant:blockchainAccountId": "0x4C84a36fCDb7Bc750294A7f3B5ad5CA8F74C4A52",
    "gx-participant:headquarterAddress": {
      "gx-participant:addressCountryCode": "DE",
      "gx-participant:addressCode": "DE-HH",
      "gx-participant:streetAddress": "Geibelstraße 46b",
      "gx-participant:postalCode": "22303"
    },
    "gx-participant:legalAddress": {
      "gx-participant:addressCountryCode": "DE",
      "gx-participant:addressCode": "DE-HH",
      "gx-participant:streetAddress": "Geibelstraße 46b",
      "gx-participant:postalCode": "22303"
    },
    "gx-participant:termsAndConditions": "70c1d713215f95191a11d38fe2341faed27d19e083917bc8732ca4fea4976700"
  },
  "proof": {
    "type": "JsonWebSignature2020",
    "created": "2022-09-28T08:48:30.655Z",
    "proofPurpose": "assertionMethod",
    "verificationMethod": "did:web:compliance.gaia-x.eu",
    "jws": "eyJhbGciOiJQUzI1NiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..Doyg5mRjRGj93SAMAr2z6c3n4vXEWMp4ByPFd1xMQtaBKFlHcIAtwn8j2KGOWbPOfk42KfFsCa-oHbz66FC4ZIdG7l25UzoCF9I6N3IqjOaeOIdOfLg-TKvZw-YLg30H8WGvcZzPW0yi8RRP-fKqRnpXYTrMf4tXh_fBc5fzeA1BBCRNF7R6n6eA50syQdsxvmy3leSCF1t3Pr74einUkxIiRH6HHaQylnAamqwFE3SbsZR3G0ECw2YYWkw7klBsdJmuSZJ1GSwzPC2RkW8_VfLcN8L2PYr10HVtpbQPa71bRf2vLKGpaJKo-qUnicCYhGC8bP7Yg1P2cVl-AlvTZQ"
  }
}

And this is the did.json:

{
  "@context": [
    "https://www.w3.org/ns/did/v1"
  ],
  "id": "did:web:compliance.gaia-x.eu",
  "verificationMethod": [
    {
      "@context": "https://w3c-ccg.github.io/lds-jws2020/contexts/v1/",
      "id": "did:web:compliance.gaia-x.eu",
      "type": "JsonWebKey2020",
      "controller": "did:web:compliance.gaia-x.eu#JWK2020-RSA",
      "publicKeyJwk": {
        "kty": "RSA",
        "n": "zhSD36KpgmLNpwA4owG6RGIm578J2Tp5RAvaXbG4EHC8VsVoQJbSi4vfNTtALDY5tM39BovBiUrkzyi-GrW6HaFJuvFqTrmierQ8dXf-0C7O2EeRiHXqKxeBHBW9tASWOhQw89zN8NhG7KGaLj6Qvp4pofIZdWZO1ibFZEcOXzD8UdB4DOgjYOooTIPXeHrpXqvWX6lnKtbjckW47acXLVHWuPz7szUPLMvF6ekxW3KEOa0-Vn5TubZfuln8YzLNrgP-vNACHlb_v1QtvgHx7_ImzxpEJETa8MPe3YVpJ33aiJimrPoWY4ybFUO2uAfaLzPDSGhZRYYD-4Dwg6Q_rQ",
        "e": "AQAB",
        "alg": "PS256",
        "x5u": "https://compliance.gaia-x.eu/.well-known/x509CertificateChain.pem"
      }
    }
  ],
  "assertionMethod": [
    "did:web:compliance.gaia-x.eu#JWK2020-RSA"
  ]
}

[kettenbach-it]

The documentation says:

X5U_URL - You need to generate a .pem file with the certificate chain of your certificate and upload it to your server (make it accessible via URI). You can find an example here: https://www.delta-dao.com/.well-known/x509CertificateChain.pem

I didn't publish the x509CertificateChain when I sign my own SD.
Do I have to do that for the verification?

[XDong2022]

@oceanByte Hi Albert, I am Xin :), thank you very much for your support in the Hackathon sessions!
@kettenbach-it Volker is colleague from our team :).
Now our SD has been successfully signed by letsencrypt keys locally, but failed by signing from compliance service.
My understanding for the next step testing:

-We should make did.json available under https://my-domain/.well-known/did.json

-We should make x509CertificateChain.pem available under https://my-domain/.well-known/x509CertificateChain.pem

-We test the verification process again to make SD signed from compliance service officially

Could you please check if my understanding is correct? Thank you very much!

[moritzkirstein]

Hi @XDong2022
It seems you are on the right path. Both, the did.json as well as the x509CertificateChain.pem files are required for the Compliance Service to verify your signature.
You need to make sure to have the correct links in your did.json, e.g. in the example above:

"x5u": "https://compliance.gaia-x.eu/.well-known/x509CertificateChain.pem"

this still links to the compliance service x509 chain.

Using the signer you can generate the correct did by making sure to set the correct environment variables, so the X5U_URL and VERIFICATION_METHOD need to point to your domain.

[kettenbach-it]

Okay, I'll built a container with did.json and x509CertificateChain.pem and will deploy it on a public route given in the json

[XDong2022]

@moritzkirstein OK, thank you Moritz for the very clear explanation :)!

[Javieral95]

Hi! Thanks you all for your help and new questions. Im very happy to know that I am not the only one with the same issue :)

I made the changes you told to me and I am working now with the V2206. Everything works fine... but I still have some problems.

I am doing some tests on a local deployment using docker, like the following:

                    ┌───────────────┐   ┌─────────────┐
            ┌───────┤ GX-Compliance ├──►│ GX-Registry │
            │       └───────────────┘   └─────────────┘
            │                     ▲
            │                     │
            │                     │
            │                     │
            │                     │
            │                     │
            ▼                     ├──────────────────────────┐
    ┌────────────────┐            │ self-description-signer  │
    │  http-server   │            └──────────────────────────┘
    └────────────────┘

I generated the keys using OpenSSL instead Letsencrypt to avoid the need to have a public domain (I don`t know if isnt correct). The generation is using the following script:

#1 generate the private key and CA for root
openssl req -nodes -new -x509  -keyout test_root_key.key -out test_root_ca.crt

#2. create the certificate request
openssl req -new -nodes -keyout test_key.key -out test_ca_request.req

#3. sign the certificate request
openssl x509 -req -in test_ca_request.req -CA test_root_ca.crt -CAkey test_root_key.key -CAcreateserial -out test_ca.crt

#4. build a chain file
cat test_key.key > x509CertificateChain.pem
cat test_ca.crt >> x509CertificateChain.pem
cat test_root_ca.crt >> x509CertificateChain.pem

So, I have:

• Root cert/keys: Stored in registry database.
• Compliance cert: Signed by root cert.
• Https Server cert: Signed by root cert.
• My Self Description cert: Signed by root cert.

And now I have the following content in my self-description-signer .env file:

...
VERIFICATION_METHOD="did:web:host.docker.internal"   #"did:web:compliance.gaia-x.eu"
X5U_URL="https://host.docker.internal/.well-known/x509CertificateChain.pem"
API_VERSION="2206"
BASE_URL="http://host.docker.internal:3000"

The did.json is stored in the http-server/.well-known folder (with the x509CertificateChain.pem file, generated using the above script). The compliance service read the request, but the private async getDidWebDocument(did: string): Promise<DIDDocument> function inside src/common/services/proof.service.ts/ProofService.ts file now throws now the following error:

'resolver_error: DID must resolve to a valid https URL containing a JSON document: FetchError: request to https://host.docker.internal/.well-known/did.json failed, reason: self signed certificate'

But If I do a normal GET request, I can read the json file. My question is regarding the reason: self signed certificate ... Do I really need a Certificate signed by a GAIA-X Trusted anchor? Or Can I still doing local test?

Thanks for all again!

[kettenbach-it]

My question is regarding the reason: self signed certificate ... Do I really need a Certificate signed by a GAIA-X Trusted anchor? Or Can I still doing local test?

For the validation to succeed - afaik - a self signed certificate won't work.
I suggest you use letsencrypt to generate a key/cert. That's what we do.
At least until now, letsencrypt is accepted as an official trust anchor by GAIA-X.

[Javieral95]

Thanks @kettenbach-it

I will try to change the approach and start working with Letsencrypt. I will need to find a way to create a public domain (for security issues in my company it might take a while).
So, I'll keep the issue open until I can give more details, if you don't mind.

Thanks again, you've all been a great help.

[XDong2022]

@moritzkirstein @oceanByte Hi Moritz and Albert, we have tested the total signing and verification process successfully :)! Very appreciated for your great support :)!
One notice point is the address code is also mandatory field and the value should be defined as: ISO 3166-2:DE - Wikipedia

This field is not yet defined as mandatory in the current trust framework specification...

@Javieral95 Hi Javier, in your configuration the base_url should not be changed, just use the original value: BASE_URL="https://compliance.gaia-x.eu"

Thank you for you all and for any questions I can help, please feel free to let me know :)!

[oceanByte]

Hi @XDong2022, thank you very much for your feedback! The mandatory field is named addressCode in our implementation. And it follows ISO 3166-2. I see where the confusion is coming from and we will discuss with the community to provide a proper update or at least add a comment in the documentation here.

[Javieral95]

Alright! It is now working. Thanks to all of you. Especially to @XDong2022 for the last comment.
I was trying to run all services in a local environment in order to do some tests, using docker compose (I was trying to verify the SD against a local GX-Compliance and a local GX-Registry), but I had a lot of problems (maybe I'll try again in the future).

But against Compliance Gaia-X EU everything works, thanks again.
You are doing an excellent job from Gaia-X and DeltaDAO, keep it up 😁

I close the issue.