Proof shouldn't override/hardcode jsonld contexts

[sudeshrshetty]

It is json ld doc author's responsibility to pass proof related contexts. Aries shouldn't override/hardcode contexts.

Currently "JsonWebSignature2020" is treated as invalid RDF even though proper context is available in VC.
Because aries proof digest calculator overrides it and adds its own context which doesn't have JsonWebSignature2020.

https://github.com/hyperledger/aries-framework-go/blob/b077c8b62a512a89a9c8caa7ca95ee397f458380/pkg/doc/signature/proof/jws.go#L109

[kdimak]

It was implemented in accordance with the reference implementation by Digitalbazaar.

https://github.com/digitalbazaar/jsonld-signatures/blob/521fe3a56e60d4210a45acaab9dcaf64acad739c/lib/ProofSet.js#L304

If we want to be compatible with their implementation, we should leave the context substitution as is by default.

This means that JsonWebSignature2020 proof type is invalid since it's not declared in https://w3id.org/security/v2. And thus it's not included in proof's JSON-LD canonization result.

[llorllale]

@kdimak @sudeshrshetty @fqutishat I'm not sure about the implications on interop, but here is an example of an JSON-LD document for which downstream projects are verifying proofs using verifier.DocumentVerifier:

Example

{
    "@context": "https://w3id.org/security/v2",
    "id": "http://www.example.org/foo/documents/a3480d17-df7f-449f-9480-e2c35e20a865",
    "allowedAction": ["read", "write"],
    "invocationTarget": {
        "ID": "http://www.example.org/foo/documents/a3480d17-df7f-449f-9480-e2c35e20a865",
        "Type": "urn:edv:document"
    },
    "proof": [{
        "created": "2020-12-04T15:28:14.673975717-05:00",
        "jws": "eyJhbGciOiJFZERTQSIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..6OfIULug35ZmoU7lysChVpD6sjYfV71UwxqIZ8u0woYSIzRtzCo3MsZJw6cGIZMEaMssnQyRqIzo8B0yHEL2Dw",
        "nonce": "da7CcJahAdFG0GXN-JnS2f2mywcFNtaLyXtGVqku2DwVwUaJbGpUQjhlNi5kDbS4ZMi2cNhEN5ac6LponS-C9w",
        "proofPurpose": "capabilityDelegation",
        "type": "Ed25519Signature2018",
        "verificationMethod": "did:key:z6MkmkFTTczYKzU94t45sG65iZi2HA21tAU9ns8bXSmBEap4#z6MkmkFTTczYKzU94t45sG65iZi2HA21tAU9ns8bXSmBEap4"
    }]
}

Every single one of the terms in that document are defined between https://w3id.org/security/v1 and https://w3id.org/security/v2, so there's no need for the trustbloc context in this case. You can confirm this by removing the cache from this line and see that it works.

It seems most if not all the signature suites are using jsonld.Processor. All that are using it are affected by this design decision.

The problem we are facing downstream is a panic due to fatal error: concurrent map read and map write of the internal map of CachingDocumentLoader. If an application has pre-loaded all contexts at startup, it does not expect calls to AddDocument(), especially for contexts that are already cached. The application also should not have to reload the contexts for every verification - that's why we chose to use CachingDocumentLoader.

[llorllale]

Example goroutine stacktraces:

AddDocument

goroutine 111248 [running]:
runtime.throw(0xb9d095, 0x15)
        /usr/local/go/src/runtime/panic.go:1116 +0x72 fp=0xc000dff170 sp=0xc000dff140 pc=0x4377f2
runtime.mapassign_faststr(0xad1ac0, 0xc0003e08d0, 0xba2294, 0x1c, 0x8)
        /usr/local/go/src/runtime/map_faststr.go:211 +0x3f1 fp=0xc000dff1d8 sp=0xc000dff170 pc=0x415f31
github.com/piprate/json-gold/ld.(*CachingDocumentLoader).AddDocument(...)
        /go/pkg/mod/github.com/trustbloc/[email protected]/ld/document_loader.go:243
github.com/hyperledger/aries-framework-go/pkg/doc/signature/jsonld.getCachingDocumentLoader(0xd929c0, 0xc0003b4360, 0xc000864540, 0xc00072e780)
        /go/pkg/mod/github.com/hyperledger/[email protected]/pkg/doc/signature/jsonld/processor.go:268 +0x18e fp=0xc000dff2c0 sp=0xc000dff1d8 pc=0x9acd0e
github.com/hyperledger/aries-framework-go/pkg/doc/signature/jsonld.useDocumentLoader(...)
        /go/pkg/mod/github.com/hyperledger/[email protected]/pkg/doc/signature/jsonld/processor.go:261
github.com/hyperledger/aries-framework-go/pkg/doc/signature/jsonld.(*Processor).GetCanonicalDocument(0xc0002c1ae0, 0xc000864510, 0xc000a14a50, 0x2, 0x2, 0x8, 0xc000dff430, 0x9ab48d, 0xc000a14a50, 0xc000a14a40)
        /go/pkg/mod/github.com/hyperledger/[email protected]/pkg/doc/signature/jsonld/processor.go:120 +0x1dc fp=0xc000dff3e0 sp=0xc000dff2c0 pc=0x9ab6dc
github.com/hyperledger/aries-framework-go/pkg/doc/signature/suite/ed25519signature2018.(*Suite).GetCanonicalDocument(0xc000b58f00, 0xc000864510, 0xc000a14a50, 0x2, 0x2, 0xc000a14a50, 0x1, 0x2, 0xc00050d320, 0xbc
00000000000056)
        /go/pkg/mod/github.com/hyperledger/[email protected]/pkg/doc/signature/suite/ed25519signature2018/suite.go:45 +0x5e fp=0xc000dff440 sp=0xc000dff3e0 pc=0x9b691e
github.com/hyperledger/aries-framework-go/pkg/doc/signature/proof.prepareJWSProof(0x7ff08b2061e8, 0xc000b58f00, 0xc0008644e0, 0xc0001c8c00, 0x1, 0x1, 0xc0001f6500, 0x1, 0xc000ef2c40, 0xc000dff5d8, ...)
        /go/pkg/mod/github.com/hyperledger/[email protected]/pkg/doc/signature/proof/jws.go:123 +0x2ec fp=0xc000dff528 sp=0xc000dff440 pc=0x9b216c
github.com/hyperledger/aries-framework-go/pkg/doc/signature/proof.createVerifyJWS(0x7ff08b2061e8, 0xc000b58f00, 0xc000864270, 0xc000e82000, 0xc0001c8c00, 0x1, 0x1, 0xda2ce0, 0xc000dff670, 0x40cfa5, ...)
        /go/pkg/mod/github.com/hyperledger/[email protected]/pkg/doc/signature/proof/jws.go:86 +0x94 fp=0xc000dff600 sp=0xc000dff528 pc=0x9b1a94
github.com/hyperledger/aries-framework-go/pkg/doc/signature/proof.CreateVerifyData(0x7ff08b2061e8, 0xc000b58f00, 0xc000864270, 0xc000e82000, 0xc0001c8c00, 0x1, 0x1, 0xa8f6e0, 0xc000010050, 0xa8f6e0, ...)
        /go/pkg/mod/github.com/hyperledger/[email protected]/pkg/doc/signature/proof/data.go:51 +0xa5 fp=0xc000dff680 sp=0xc000dff600 pc=0x9b0845
github.com/hyperledger/aries-framework-go/pkg/doc/signature/verifier.(*DocumentVerifier).verifyObject(0xc000b593b0, 0xc000864270, 0xc0001c8c00, 0x1, 0x1, 0x0, 0x0)
        /go/pkg/mod/github.com/hyperledger/[email protected]/pkg/doc/signature/verifier/verifier.go:104 +0x1ec fp=0xc000dff740 sp=0xc000dff680 pc=0x9b536c
github.com/hyperledger/aries-framework-go/pkg/doc/signature/verifier.(*DocumentVerifier).Verify(0xc000b593b0, 0xc0009d0000, 0x3be, 0x400, 0xc0001c8c00, 0x1, 0x1, 0x2d, 0xc000eea160)
        /go/pkg/mod/github.com/hyperledger/[email protected]/pkg/doc/signature/verifier/verifier.go:78 +0x130 fp=0xc000dff7a0 sp=0xc000dff740 pc=0x9b5150
github.com/trustbloc/edge-core/pkg/zcapld.(*Verifier).verifyProof(0xc000e3f4c0, 0xc000eea160, 0x2d, 0xc000eea160)
        /go/pkg/mod/github.com/trustbloc/[email protected]/pkg/zcapld/verify.go:230 +0x105 fp=0xc000dff808 sp=0xc000dff7a0 pc=0x9e07c5
github.com/trustbloc/edge-core/pkg/zcapld.(*Verifier).verifyCapabilityChainAttenuation(0xc000e3f4c0, 0xc0000c5c30, 0xc00042efd0, 0xc0006d61b0, 0x1, 0x1, 0x0, 0x1)
        /go/pkg/mod/github.com/trustbloc/[email protected]/pkg/zcapld/verify.go:252 +0x136 fp=0xc000dff8f8 sp=0xc000dff808 pc=0x9e09b6
github.com/trustbloc/edge-core/pkg/zcapld.(*Verifier).verifyCapabilityChain(0xc000e3f4c0, 0xc00042efd0, 0xc000d0ffa3, 0x5, 0xc000dffae0, 0x20, 0xb0da80)
        /go/pkg/mod/github.com/trustbloc/[email protected]/pkg/zcapld/verify.go:216 +0x47e fp=0xc000dff9c0 sp=0xc000dff8f8 pc=0x9e003e
github.com/trustbloc/edge-core/pkg/zcapld.(*Verifier).Verify(0xc000e3f4c0, 0xc000dffab8, 0xc000dffae0, 0x1184850, 0xc0002c1b10)
        /go/pkg/mod/github.com/trustbloc/[email protected]/pkg/zcapld/verify.go:91 +0x65 fp=0xc000dffa18 sp=0xc000dff9c0 pc=0x9df945
github.com/trustbloc/edge-core/pkg/zcapld.authZHandleFunc(0xd9efe0, 0xc0004b40e0, 0xc0004a2000, 0xc0002ec380, 0xc000b58f30, 0xc00068b5f0)
        /go/pkg/mod/github.com/trustbloc/[email protected]/pkg/zcapld/middleware.go:164 +0x5c5 fp=0xc000dffb28 sp=0xc000dffa18 pc=0x9dd145
github.com/trustbloc/edge-core/pkg/zcapld.NewHTTPSigAuthHandler.func1(0xd9efe0, 0xc0004b40e0, 0xc0004a2000)
        /go/pkg/mod/github.com/trustbloc/[email protected]/pkg/zcapld/middleware.go:131 +0x5a fp=0xc000dffb68 sp=0xc000dffb28 pc=0x9e269a
net/http.HandlerFunc.ServeHTTP(...)
        /usr/local/go/src/net/http/server.go:2042
github.com/trustbloc/edv/cmd/edv-rest/startcmd.(*httpHandler).ServeHTTP(0xc0003b4ec0, 0xd9efe0, 0xc0004b40e0, 0xc0004a2000)
        /go/src/github.com/trustbloc/edv/cmd/edv-rest/startcmd/start.go:833 +0x322 fp=0xc000dffbf0 sp=0xc000dffb68 pc=0xa46ec2
net/http.serverHandler.ServeHTTP(0xc000032460, 0xd9efe0, 0xc0004b40e0, 0xc0004a2000)
        /usr/local/go/src/net/http/server.go:2843 +0xa3 fp=0xc000dffc20 sp=0xc000dffbf0 pc=0x7723c3
net/http.(*conn).serve(0xc000474140, 0xda0d60, 0xc000129e80)
        /usr/local/go/src/net/http/server.go:1925 +0x8ad fp=0xc000dfffc8 sp=0xc000dffc20 pc=0x76dbcd
runtime.goexit()
        /usr/local/go/src/runtime/asm_amd64.s:1374 +0x1 fp=0xc000dfffd0 sp=0xc000dfffc8 pc=0x46bea1
created by net/http.(*Server).Serve
        /usr/local/go/src/net/http/server.go:2969 +0x36c

LoadDocument

goroutine 33137 [running]:
runtime.throw(0xba51ac, 0x21)
        /usr/local/go/src/runtime/panic.go:1116 +0x72 fp=0xc0006c87a8 sp=0xc0006c8778 pc=0x4377f2
runtime.mapaccess2_faststr(0xad09c0, 0xc0005035f0, 0xba1084, 0x1c, 0x0, 0xc0005a94e0)
        /usr/local/go/src/runtime/map_faststr.go:116 +0x4a5 fp=0xc0006c8818 sp=0xc0006c87a8 pc=0x415b25
github.com/piprate/json-gold/ld.(*CachingDocumentLoader).LoadDocument(0xc0005009a0, 0xba1084, 0x1c, 0x0, 0x1, 0xc0005a94e0)
        /go/pkg/mod/github.com/trustbloc/[email protected]/ld/document_loader.go:229 +0x53 fp=0xc0006c8860 sp=0xc0006c8818 pc=0x995533
github.com/piprate/json-gold/ld.(*Context).parse(0xc000352e40, 0xa977e0, 0xc0002f4780, 0xc0005a94e0, 0x1, 0x1, 0x100, 0x0, 0x0, 0x0)
        /go/pkg/mod/github.com/trustbloc/[email protected]/ld/context.go:188 +0x207 fp=0xc0006c8bb0 sp=0xc0006c8860 pc=0x980bc7
github.com/piprate/json-gold/ld.(*Context).Parse(...)
        /go/pkg/mod/github.com/trustbloc/[email protected]/ld/context.go:115
github.com/piprate/json-gold/ld.(*JsonLdApi).Expand(0xc0006c8ff0, 0xc000352e40, 0x0, 0x0, 0xad1d40, 0xc00046bfb0, 0xc0009d6840, 0x7f589a297500, 0x0, 0xa8, ...)
        /go/pkg/mod/github.com/trustbloc/[email protected]/ld/api_expand.go:135 +0x1af6 fp=0xc0006c8f88 sp=0xc0006c8bb0 pc=0x96d496
github.com/piprate/json-gold/ld.(*JsonLdProcessor).expand(0xc0006c9307, 0xad1d40, 0xc00046bfb0, 0xc0009d6840, 0xc000410c00, 0x0, 0x416d05, 0x7f589a415cc8, 0x203000)
        /go/pkg/mod/github.com/trustbloc/[email protected]/ld/processor.go:180 +0x171 fp=0xc0006c9060 sp=0xc0006c8f88 pc=0x99bd11
github.com/piprate/json-gold/ld.(*JsonLdProcessor).ToRDF(0xc0006c9307, 0xad1d40, 0xc00046bfb0, 0xc0009d6840, 0x30, 0x30, 0xb22840, 0x0)
        /go/pkg/mod/github.com/trustbloc/[email protected]/ld/processor.go:499 +0x213 fp=0xc0006c90f0 sp=0xc0006c9060 pc=0x99e4d3
github.com/piprate/json-gold/ld.(*JsonLdProcessor).Normalize(0xc0006c9307, 0xad1d40, 0xc00046bfb0, 0xc0006c9160, 0x203000, 0x203000, 0x203000, 0x203000)
        /go/pkg/mod/github.com/trustbloc/[email protected]/ld/processor.go:575 +0x79b fp=0xc0006c92c0 sp=0xc0006c90f0 pc=0x99f23b
github.com/hyperledger/aries-framework-go/pkg/doc/signature/jsonld.(*Processor).GetCanonicalDocument(0xc00072ed50, 0xc00046bfb0, 0xc0005a8970, 0x2, 0x2, 0x8, 0xc0006c9430, 0x9ab14d, 0xc0005a8970, 0xc0005a8960)
        /go/pkg/mod/github.com/hyperledger/[email protected]/pkg/doc/signature/jsonld/processor.go:126 +0x239 fp=0xc0006c93e0 sp=0xc0006c92c0 pc=0x9ab3f9
github.com/hyperledger/aries-framework-go/pkg/doc/signature/suite/ed25519signature2018.(*Suite).GetCanonicalDocument(0xc000904390, 0xc00046bfb0, 0xc0005a8970, 0x2, 0x2, 0xc0005a8970, 0x1, 0x2, 0xc0003b36e0, 0xc4
00000000000056)
        /go/pkg/mod/github.com/hyperledger/[email protected]/pkg/doc/signature/suite/ed25519signature2018/suite.go:45 +0x5e fp=0xc0006c9440 sp=0xc0006c93e0 pc=0x9b65de
github.com/hyperledger/aries-framework-go/pkg/doc/signature/proof.prepareJWSProof(0x7f589a046938, 0xc000904390, 0xc00046bf80, 0xc000010560, 0x1, 0x1, 0xc0002f4600, 0x1, 0xc0006eec40, 0xc0006c95d8, ...)
        /go/pkg/mod/github.com/hyperledger/[email protected]/pkg/doc/signature/proof/jws.go:123 +0x2ec fp=0xc0006c9528 sp=0xc0006c9440 pc=0x9b1e2c
github.com/hyperledger/aries-framework-go/pkg/doc/signature/proof.createVerifyJWS(0x7f589a046938, 0xc000904390, 0xc00046bce0, 0xc0000a2000, 0xc000010560, 0x1, 0x1, 0xda1780, 0xc0006c9670, 0x40cfa5, ...)
        /go/pkg/mod/github.com/hyperledger/[email protected]/pkg/doc/signature/proof/jws.go:86 +0x94 fp=0xc0006c9600 sp=0xc0006c9528 pc=0x9b1754
github.com/hyperledger/aries-framework-go/pkg/doc/signature/proof.CreateVerifyData(0x7f589a046938, 0xc000904390, 0xc00046bce0, 0xc0000a2000, 0xc000010560, 0x1, 0x1, 0xa8e600, 0xc000194020, 0xa8e600, ...)
        /go/pkg/mod/github.com/hyperledger/[email protected]/pkg/doc/signature/proof/data.go:51 +0xa5 fp=0xc0006c9680 sp=0xc0006c9600 pc=0x9b0505
github.com/hyperledger/aries-framework-go/pkg/doc/signature/verifier.(*DocumentVerifier).verifyObject(0xc0009047e0, 0xc00046bce0, 0xc000010560, 0x1, 0x1, 0x0, 0x0)
        /go/pkg/mod/github.com/hyperledger/[email protected]/pkg/doc/signature/verifier/verifier.go:104 +0x1ec fp=0xc0006c9740 sp=0xc0006c9680 pc=0x9b502c
github.com/hyperledger/aries-framework-go/pkg/doc/signature/verifier.(*DocumentVerifier).Verify(0xc0009047e0, 0xc0008d2800, 0x3be, 0x400, 0xc000010560, 0x1, 0x1, 0x2d, 0xc0009d6210)
        /go/pkg/mod/github.com/hyperledger/[email protected]/pkg/doc/signature/verifier/verifier.go:78 +0x130 fp=0xc0006c97a0 sp=0xc0006c9740 pc=0x9b4e10
github.com/trustbloc/edge-core/pkg/zcapld.(*Verifier).verifyProof(0xc000538940, 0xc0009d6210, 0x2d, 0xc0009d6210)
        /go/pkg/mod/github.com/trustbloc/[email protected]/pkg/zcapld/verify.go:230 +0x105 fp=0xc0006c9808 sp=0xc0006c97a0 pc=0x9e0485
github.com/trustbloc/edge-core/pkg/zcapld.(*Verifier).verifyCapabilityChainAttenuation(0xc000538940, 0xc000782000, 0xc000b6a2c0, 0xc00001a590, 0x1, 0x1, 0x0, 0x1)
        /go/pkg/mod/github.com/trustbloc/[email protected]/pkg/zcapld/verify.go:252 +0x136 fp=0xc0006c98f8 sp=0xc0006c9808 pc=0x9e0676
github.com/trustbloc/edge-core/pkg/zcapld.(*Verifier).verifyCapabilityChain(0xc000538940, 0xc000b6a2c0, 0xc0006e03a3, 0x4, 0xc0006c9ae0, 0x20, 0xb0c9a0)
        /go/pkg/mod/github.com/trustbloc/[email protected]/pkg/zcapld/verify.go:216 +0x47e fp=0xc0006c99c0 sp=0xc0006c98f8 pc=0x9dfcfe
github.com/trustbloc/edge-core/pkg/zcapld.(*Verifier).Verify(0xc000538940, 0xc0006c9ab8, 0xc0006c9ae0, 0x1183830, 0xc00072ed80)
        /go/pkg/mod/github.com/trustbloc/[email protected]/pkg/zcapld/verify.go:91 +0x65 fp=0xc0006c9a18 sp=0xc0006c99c0 pc=0x9df605
github.com/trustbloc/edge-core/pkg/zcapld.authZHandleFunc(0xd9da80, 0xc0006e2000, 0xc0005f4600, 0xc0002e6070, 0xc0009043c0, 0xc0000ee990)
        /go/pkg/mod/github.com/trustbloc/[email protected]/pkg/zcapld/middleware.go:164 +0x5c5 fp=0xc0006c9b28 sp=0xc0006c9a18 pc=0x9dce05
github.com/trustbloc/edge-core/pkg/zcapld.NewHTTPSigAuthHandler.func1(0xd9da80, 0xc0006e2000, 0xc0005f4600)
        /go/pkg/mod/github.com/trustbloc/[email protected]/pkg/zcapld/middleware.go:131 +0x5a fp=0xc0006c9b68 sp=0xc0006c9b28 pc=0x9e235a
net/http.HandlerFunc.ServeHTTP(...)
        /usr/local/go/src/net/http/server.go:2042
github.com/trustbloc/edv/cmd/edv-rest/startcmd.(*httpHandler).ServeHTTP(0xc0005013e0, 0xd9da80, 0xc0006e2000, 0xc0005f4600)
        /go/src/github.com/trustbloc/edv/cmd/edv-rest/startcmd/start.go:789 +0x322 fp=0xc0006c9bf0 sp=0xc0006c9b68 pc=0xa45a82
net/http.serverHandler.ServeHTTP(0xc000032460, 0xd9da80, 0xc0006e2000, 0xc0005f4600)
        /usr/local/go/src/net/http/server.go:2843 +0xa3 fp=0xc0006c9c20 sp=0xc0006c9bf0 pc=0x7720c3
net/http.(*conn).serve(0xc0006d6280, 0xd9f800, 0xc000b340c0)