Agent confusion issue

[rkaw92]

It seems that this implementation of the WebID TLS verifier does not handle fragment identifiers correctly.
Let us take the example snippet from the README, and modify the WebID URI (that represents a real person, not the Profile URI) so that it points to another fragment:

// ...
subjectaltname: 'URI:https://test_nicola.databox.me/profile/card#somebodyelse'
// ...

If we run the script, the verification passes:

webid.verify(validCert, function(error, agentURI) {
  console.log('error: %s', error);
  console.log('agentURI: %s', agentURI);
});

The below is printed:

error: null
agentURI: https://test_nicola.databox.me/profile/card#somebodyelse

Even though there is no fragment "somebodyelse" in the file!

This is bad - if using an aggregated RDF file with multiple fragments representing different persons (a normal use case, according to WebID spec examples), we are able to impersonate any of them, provided that our key (modulus/exponent) exists anywhere in the same file.

The query used for finding the person fragment should probably be tweaked.

[melvincarvalho]

Good catch. I think it would be worth adding a test for this.

[rkaw92]

I guess we should be adding a selector (is that the SparQL term?) that only regards statements about our particular subject (identified by the WebID IRI) when verifying, rather than querying by key only.

[kjetilk]

@RubenVerborgh it seems you're the closest to make an assessment about it, I'm pretty much at loss here.

[RubenVerborgh]

Proposed solution is right; currently, it selects all keys in the file, does not filter webid.

[melvincarvalho]

Agreed.

Suggest the solution would be to add a test, with multiple webids in a single document.

Then use sparql to follow your nose and fix the failing test..

[kjetilk]

OK, I'm unfamiliar with the code, and don't feel confident about fixing it, but concretely, this entails modifying the SPARQL query in
https://github.com/linkeddata/node-webid/blob/master/tls/index.js#L14
so that ?webid isn't a variable, but set to the actual WebID?

[RubenVerborgh]

Indeed; we can also just string manipulate the query.