How to apply canonicalization before signing JSON-LD Verifiable Credential?


I want to sign Verifiable Credential in JSON structure with Linked Data (JSON-LD) like below:

{
    "@context":[
        "https://www.w3.org/2018/credentials/v1",
        "https://w3id.org/security/bbs/v1"
    ],
    "id":"1234",
    "type":[
        "VerifiableCredential"
    ],
    "issuer":"exampleIssuer",
    "validFrom":"2022-06-30T00:00:00Z+01:00",
    "expirationDate":"2022-07-30T00:00:00Z+01:00",
    "credentialSubject":{
        "customerId":"123456",
        "name":"Test User",
        "birthDate":"1.1.1991"
    },
    "proof":{
        "type":"BbsBlsSignatureProof2020",
        "verificationMethod":"did:example:489398593#test",
        "created":"2021-12-31T10:54:18Z+01:00",
        "proofPurpose":"assertionMethod",
        "proofValue":"...",
        "nonce":"..."
    }
}

The signing itself is not a problem. The problem is the canonicalization = how to prepare the data before signing.

The BbsBlsSignatureProof2020 specifies using the https://w3id.org/security#URDNA2015 (aka URDCA2015) canonicalization algorithm, following RDF Dataset Canonicalization (the same holds for EcdsaSecp256k1RecoverySignature2020 and JsonWebSignature2020).

Is this a must-do, or is it just the default canonicalization algorithm and I can use any other?

The thing is, RDF is rather complex to work with from JSON-LD and seems to have quite a few flaws. I would really like to use the much easier JCS (JSON Canonicalization Scheme) instead, which works only with the syntax of the JSON.

Any feedback on this would be highly appreciated.

APTower (BEST ANSWER)

As @Rein pointed out, it's better to use an existing JSON-LD library. Some are listed here: https://json-ld.org/ (the Titanium library is available for Java, but there are also libraries in other languages).

However, I've found that the best option for Java devs is to use this library: iron-vc

  • it is from the same developers as the Titanium lib. above
  • it already contains the Titanium lib. and builds upon it
  • it also contains an RDF Dataset normalization lib., used for the canonicalization process
  • it is designed to work with Verifiable Credentials and Verifiable Presentations
  • by default there is an implementation of the Ed25519 Signature 2020 signature suite available
  • I myself created a fork of it which contains a Json Web Signature 2020 signature suite impl. - there is a pull request open to update the original lib.
Rein

First, JSON-LD and Verifiable Credentials (VC) are formats to improve interoperability with other parties that issue/verify the VCs in question.

That means you can't use just any canonicalization algorithm, you must use the exact algorithm as specified. Otherwise, the resulting hash and thus signature could differ. Without looking into the differences between JCS and URDNA2015, maybe it could work in most cases, but fail in certain edge cases (due to details being different, e.g. sorting).

You probably want to select a (good) JSON-LD library to perform signing and thus canonicalization, instead of building it yourself (because it is hard to get right, as you found out).
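An added illustration of the edge-case point above (not code from either answer, and not any library's implementation): a simplified JCS (RFC 8785) canonicalization is applied to two constructed JSON-LD documents that mean the same thing (a single-valued property written with and without an enclosing array expands identically in JSON-LD, so URDNA2015 would yield the same N-Quads), yet JCS produces different signing inputs. The sample documents, the `jcs_canonicalize` helper and the digest functions are all assumptions made for this example.

```python
import hashlib
import json

# Constructed sample: DOC_A and DOC_B express the same JSON-LD graph
# (single value vs. one-element array); DOC_C is DOC_A with keys reordered.
DOC_A = {
    "@context": ["https://www.w3.org/2018/credentials/v1"],
    "id": "1234",
    "type": ["VerifiableCredential"],
    "issuer": "exampleIssuer",
}
DOC_B = dict(DOC_A, type="VerifiableCredential")   # same meaning, no array
DOC_C = dict(reversed(list(DOC_A.items())))        # same JSON, other key order


def jcs_canonicalize(obj) -> bytes:
    """Simplified JCS (RFC 8785): keys sorted, no whitespace, UTF-8 output.
    Assumption: keys are ASCII and no floats are used, so the RFC's UTF-16
    key ordering and number-formatting rules do not come into play."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def signing_input_digest(doc) -> str:
    """SHA-256 of the JCS form of the document with any 'proof' member
    removed, which is the value a JCS-based proof suite would sign over."""
    unsigned = {k: v for k, v in doc.items() if k != "proof"}
    return hashlib.sha256(jcs_canonicalize(unsigned)).hexdigest()


def digests_agree(doc_x, doc_y) -> bool:
    """True if both documents would be signed over the same bytes."""
    return signing_input_digest(doc_x) == signing_input_digest(doc_y)


if __name__ == "__main__":
    # JCS neutralises syntactic key order (A vs C) but not JSON-LD
    # structural equivalence (A vs B), which RDF canonicalization handles.
    print("key order only:", digests_agree(DOC_A, DOC_C))      # True
    print("array vs single value:", digests_agree(DOC_A, DOC_B))  # False
```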