tmp

impl/internal/did/did.go

@@ -169,18 +169,25 @@ func CreateDIDDHTDID(pubKey ed25519.PublicKey, opts CreateDIDDHTOpts) (*did.Docu
 			// mark as seen
 			seenIDs[vm.VerificationMethod.ID] = true
 
-			// make sure the verification method JWK KID is set to its thumbprint
-			vm.VerificationMethod.ID = id + "#" + vm.VerificationMethod.PublicKeyJWK.KID
-
-			// e.g. #key-1 -> did:dht:123456789abcdefghi#key-1
-			if strings.HasPrefix(vm.VerificationMethod.ID, "#") {
-				vm.VerificationMethod.ID = id + vm.VerificationMethod.ID
+			// if verification method ID is set, make sure it's fully qualified
+			if vm.VerificationMethod.ID != "" {
+				if strings.HasPrefix(vm.VerificationMethod.ID, "#") {
+					vm.VerificationMethod.ID = id + vm.VerificationMethod.ID
+				} else if !strings.Contains(vm.VerificationMethod.ID, "#") {
+					vm.VerificationMethod.ID = id + "#" + vm.VerificationMethod.ID
+				}
+			} else {
+				// if no verification method ID is set, set it to the JWK thumbprint
+				thumbprint, err := vm.VerificationMethod.PublicKeyJWK.Thumbprint()
+				if err != nil {
+					return nil, fmt.Errorf("failed to calculate JWK thumbprint: %v", err)
+				}
+				vm.VerificationMethod.ID = id + "#" + thumbprint
+				vm.VerificationMethod.PublicKeyJWK.KID = thumbprint
 			}
 
-			// e.g. key-1 -> did:dht:123456789abcdefghi#key-1
-			if !strings.Contains(vm.VerificationMethod.ID, "#") {
-				vm.VerificationMethod.ID = id + "#" + vm.VerificationMethod.ID
-			}
+			// make sure the JWK KID matches the unqualified VM ID
+			vm.VerificationMethod.PublicKeyJWK.KID = strings.TrimPrefix(vm.VerificationMethod.ID, id+"#")
 
 			// if there's no controller, set it to the DID itself
 			if vm.VerificationMethod.Controller == "" {
@@ -346,7 +353,22 @@ func (d DHT) ToDNSPacket(doc did.Document, types []TypeIndex, gateways []Authori
 	var vmIDs []string
 	for i, vm := range doc.VerificationMethod {
 		recordIdentifier := fmt.Sprintf("k%d", i)
-		keyLookup[vm.ID] = recordIdentifier
+
+		// calculate the JWK thumbprint
+		thumbprint, err := vm.PublicKeyJWK.Thumbprint()
+		if err != nil {
+			return nil, fmt.Errorf("failed to calculate JWK thumbprint: %v", err)
+		}
+
+		// check if the VM ID matches the JWK thumbprint
+		unqualifiedVMID := strings.TrimPrefix(vm.ID, doc.ID+"#")
+		if unqualifiedVMID == thumbprint {
+			// if the VM ID matches the thumbprint, use the thumbprint as the key in the keyLookup map
+			keyLookup[vm.ID] = thumbprint
+		} else {
+			// otherwise, use the unqualified VM ID
+			keyLookup[vm.ID] = unqualifiedVMID
+		}
 
 		keyType := keyTypeForJWK(*vm.PublicKeyJWK)
 		if keyType < 0 {
@@ -365,8 +387,13 @@ func (d DHT) ToDNSPacket(doc did.Document, types []TypeIndex, gateways []Authori
 			return nil, err
 		}
 
-		keyBase64URL := base64.RawURLEncoding.EncodeToString(pubKeyBytes)
-		txtRecord := fmt.Sprintf("t=%d;k=%s", keyType, keyBase64URL)
+		txtRecord := ""
+
+		// only include the id if it's not the JWK thumbprint
+		if unqualifiedVMID != thumbprint {
+			txtRecord += fmt.Sprintf("id=%s;", unqualifiedVMID)
+		}
+		txtRecord += fmt.Sprintf("t=%d;k=%s", keyType, base64.RawURLEncoding.EncodeToString(pubKeyBytes))
 
 		// only include the alg if it's not the default alg for the key type
 		forKeyType := algIsDefaultForJWK(*vm.PublicKeyJWK)
@@ -595,6 +622,7 @@ func (d DHT) FromDNSPacket(msg *dns.Msg) (*DIDDHTDocument, error) {
 			if strings.HasPrefix(record.Hdr.Name, "_k") {
 				unchunkedTextRecord := unchunkTextRecord(record.Txt)
 				data := parseTxtData(unchunkedTextRecord)
+				vmID := data["id"]
 				keyType := keyTypeLookUp(data["t"])
 				keyBase64URL := data["k"]
 				controller := data["c"]
@@ -634,15 +662,21 @@ func (d DHT) FromDNSPacket(msg *dns.Msg) (*DIDDHTDocument, error) {
 				}
 
 				// compare pubkey to identity key to see if they're equal, and if they are set the vmID and kid to 0
-				var vmID string
 				if identityKey.Equal(pubKey) {
 					vmID = "0"
 					pubKeyJWK.KID = "0"
 				}
 
 				// if the verification method ID is not set, set it to the thumbprint
 				if vmID == "" {
-					vmID = pubKeyJWK.KID
+					thumbprint, err := pubKeyJWK.Thumbprint()
+					if err != nil {
+						return nil, fmt.Errorf("failed to calculate JWK thumbprint: %v", err)
+					}
+					vmID = thumbprint
+					pubKeyJWK.KID = thumbprint
+				} else {
+					pubKeyJWK.KID = vmID
 				}
 
 				vm := did.VerificationMethod{
@@ -734,15 +768,18 @@ func (d DHT) FromDNSPacket(msg *dns.Msg) (*DIDDHTDocument, error) {
 						seenVersion = true
 					case "auth":
 						for _, valueItem := range valueItems {
-							doc.Authentication = append(doc.Authentication, doc.ID+"#"+keyLookup[valueItem])
+							s := keyLookup[valueItem]
+							doc.Authentication = append(doc.Authentication, doc.ID+"#"+s)
 						}
 					case "asm":
 						for _, valueItem := range valueItems {
-							doc.AssertionMethod = append(doc.AssertionMethod, doc.ID+"#"+keyLookup[valueItem])
+							s := keyLookup[valueItem]
+							doc.AssertionMethod = append(doc.AssertionMethod, doc.ID+"#"+s)
 						}
 					case "agm":
 						for _, valueItem := range valueItems {
-							doc.KeyAgreement = append(doc.KeyAgreement, doc.ID+"#"+keyLookup[valueItem])
+							s := keyLookup[valueItem]
+							doc.KeyAgreement = append(doc.KeyAgreement, doc.ID+"#"+s)
 						}
 					case "inv":
 						for _, valueItem := range valueItems {

impl/internal/did/did_vectors_test.go

@@ -110,7 +110,7 @@ func TestVectors(t *testing.T) {
 			VerificationMethods: []VerificationMethod{
 				{
 					VerificationMethod: did.VerificationMethod{
-						ID:           secpJWK.KID,
+						ID:           "sig",
 						Type:         cryptosuite.JSONWebKeyType,
 						Controller:   "did:dht:i9xkp8ddcbcg8jwq54ox699wuzxyifsqx4jru45zodqu453ksz6y",
 						PublicKeyJWK: &secpJWK,

impl/internal/did/testdata/vector-2-did-document.json

@@ -16,7 +16,7 @@
       }
     },
     {
-      "id": "did:dht:cyuoqaf7itop8ohww4yn5ojg13qaq83r9zihgqntc5i9zwrfdfoo#0GkvkdCGu3DL7Mkv0W1DhTMCBT9-z0CkFqZoJQtw7vw",
+      "id": "did:dht:cyuoqaf7itop8ohww4yn5ojg13qaq83r9zihgqntc5i9zwrfdfoo#sig",
       "type": "JsonWebKey",
       "controller": "did:dht:i9xkp8ddcbcg8jwq54ox699wuzxyifsqx4jru45zodqu453ksz6y",
       "publicKeyJwk": {
@@ -25,13 +25,13 @@
         "x": "1_o0IKHGNamet8-3VYNUTiKlhVK-LilcKrhJSPHSNP0",
         "y": "qzU8qqh0wKB6JC_9HCu8pHE-ZPkDpw4AdJ-MsV2InVY",
         "alg": "ES256K",
-        "kid": "0GkvkdCGu3DL7Mkv0W1DhTMCBT9-z0CkFqZoJQtw7vw"
+        "kid": "sig"
       }
     }
   ],
   "authentication": ["did:dht:cyuoqaf7itop8ohww4yn5ojg13qaq83r9zihgqntc5i9zwrfdfoo#0"],
-  "assertionMethod": ["did:dht:cyuoqaf7itop8ohww4yn5ojg13qaq83r9zihgqntc5i9zwrfdfoo#0", "did:dht:cyuoqaf7itop8ohww4yn5ojg13qaq83r9zihgqntc5i9zwrfdfoo#0GkvkdCGu3DL7Mkv0W1DhTMCBT9-z0CkFqZoJQtw7vw"],
-  "capabilityInvocation": ["did:dht:cyuoqaf7itop8ohww4yn5ojg13qaq83r9zihgqntc5i9zwrfdfoo#0", "did:dht:cyuoqaf7itop8ohww4yn5ojg13qaq83r9zihgqntc5i9zwrfdfoo#0GkvkdCGu3DL7Mkv0W1DhTMCBT9-z0CkFqZoJQtw7vw"],
+  "assertionMethod": ["did:dht:cyuoqaf7itop8ohww4yn5ojg13qaq83r9zihgqntc5i9zwrfdfoo#0", "did:dht:cyuoqaf7itop8ohww4yn5ojg13qaq83r9zihgqntc5i9zwrfdfoo#sig"],
+  "capabilityInvocation": ["did:dht:cyuoqaf7itop8ohww4yn5ojg13qaq83r9zihgqntc5i9zwrfdfoo#0", "did:dht:cyuoqaf7itop8ohww4yn5ojg13qaq83r9zihgqntc5i9zwrfdfoo#sig"],
   "capabilityDelegation": ["did:dht:cyuoqaf7itop8ohww4yn5ojg13qaq83r9zihgqntc5i9zwrfdfoo#0"],
   "service": [
     {

impl/internal/did/testdata/vector-2-dns-records.json

@@ -39,7 +39,7 @@
     "name": "_k1._did.",
     "type": "TXT",
     "ttl": 7200,
-    "rdata": ["t=1;k=Atf6NCChxjWpnrfPt1WDVE4ipYVSvi4pXCq4SUjx0jT9;c=did:dht:i9xkp8ddcbcg8jwq54ox699wuzxyifsqx4jru45zodqu453ksz6y"]
+    "rdata": ["id=sig;t=1;k=Atf6NCChxjWpnrfPt1WDVE4ipYVSvi4pXCq4SUjx0jT9;c=did:dht:i9xkp8ddcbcg8jwq54ox699wuzxyifsqx4jru45zodqu453ksz6y"]
   },
   {
     "name": "_s0._did.",

impl/internal/did/testdata/vector-2-public-key-jwk-2.json

@@ -4,5 +4,5 @@
   "x": "1_o0IKHGNamet8-3VYNUTiKlhVK-LilcKrhJSPHSNP0",
   "y": "qzU8qqh0wKB6JC_9HCu8pHE-ZPkDpw4AdJ-MsV2InVY",
   "alg": "ES256K",
-  "kid": "0GkvkdCGu3DL7Mkv0W1DhTMCBT9-z0CkFqZoJQtw7vw"
+  "kid": "sig"
 }