This repository has been archived by the owner on Feb 29, 2024. It is now read-only.

Merge pull request #1835 from Artemkaaas/bugfix/endoed-values-check
 IS-1319: Added check that encoded values from Libindy Proof match to encoded values from Crypto Proof.
Artemkaaas authored Aug 27, 2019
2 parents e9150d5 + 83a517b commit 61232de
Showing 5 changed files with 213 additions and 21 deletions.
19 changes: 16 additions & 3 deletions libindy/Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion libindy/Cargo.toml
@@ -78,7 +78,7 @@ named_type_derive = "0.2.1"
byteorder = "1.3.2"
log-panics = "2.0.0"
zeroize = "0.9.3"
ursa = { version = "0.1.1", optional = true }
ursa = { version = "0.2.0-dev-1", optional = true }

[dependencies.uuid]
version = "0.7.4"
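--- a/libindy/src/services/anoncreds/verifier.rs
+++ b/libindy/src/services/anoncreds/verifier.rs
@@ -51,6 +51,8 @@ impl Verifier {
 &received_self_attested_attrs,
 &received_predicates)?;
 
+Verifier::_verify_revealed_attribute_values(&proof_req, &full_proof)?;
+
 Verifier::_verify_requested_restrictions(&proof_req,
 schemas,
 cred_defs,
@@ -298,6 +300,34 @@ impl Verifier {
 ))
 }
 
+fn _verify_revealed_attribute_values(proof_req: &ProofRequest,
+proof: &Proof) -> IndyResult<()> {
+for (attr_referent, attr_info) in proof.requested_proof.revealed_attrs.iter() {
+let reveal_attr_encoded = attr_info.encoded.to_string();
+let sub_proof_index = attr_info.sub_proof_index as usize;
+
+let attr_name = proof_req.requested_attributes.get(attr_referent.as_str())
+.as_ref()
+.map(|attr_info| attr_info.name.as_str())
+.ok_or(IndyError::from_msg(IndyErrorKind::ProofRejected, format!("Attribute with referent \"{}\" not found in ProofRequest", attr_referent)))?;
+
+let crypto_proof_encoded = proof.proof.proofs
+.get(sub_proof_index)
+.ok_or(IndyError::from_msg(IndyErrorKind::ProofRejected, format!("CryptoProof not found by index \"{}\"", sub_proof_index)))?
+.revealed_attrs()?
+.iter()
+.find(|(key, _)|attr_common_view(&attr_name) == attr_common_view(&key))
+.map(|(_, val)| val.to_string())
+.ok_or(IndyError::from_msg(IndyErrorKind::ProofRejected, format!("Attribute with name \"{}\" not found in CryptoProof", attr_name)))?;
+
+if reveal_attr_encoded != crypto_proof_encoded {
+return Err(IndyError::from_msg(IndyErrorKind::ProofRejected,
+format!("Encoded Values for \"{}\" are different in RequestedProof \"{}\" and CryptoProof \"{}\"", attr_name, reveal_attr_encoded, crypto_proof_encoded)));
+}
+}
+Ok(())
+}
+
 fn _verify_requested_restrictions(proof_req: &ProofRequest,
 schemas: &HashMap<SchemaId, SchemaV1>,
 cred_defs: &HashMap<CredentialDefinitionId, CredentialDefinitionV1>,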
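Review bot: `_verify_revealed_attribute_values` binds only the `encoded` field of each revealed attribute to the CryptoProof, and nothing in the function says that `raw` stays unchecked. The ignored test `verifier_verify_proof_works_for_wrong_raw` in tests/anoncreds.rs indicates that a proof whose `raw` was altered is still accepted at this layer, so a verifier application that displays or stores `raw` has to re-encode it and compare the result with `encoded` itself. I would add a doc comment above the function stating that it compares `encoded` from `requested_proof.revealed_attrs` with the value in the sub-proof selected by `sub_proof_index`, and that `raw` is not verified here. Separately, `attr_info.sub_proof_index as usize` casts a prover-supplied index; the field's type is not visible on this page, but if it is signed, `usize::try_from(attr_info.sub_proof_index)` mapped to `ProofRejected` would make the rejection of a negative index explicit instead of relying on `.get()` returning `None`.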
91 changes: 78 additions & 13 deletions libindy/tests/anoncreds.rs
@@ -35,6 +35,8 @@ use indy::ErrorCode;
use utils::constants::*;
use utils::Setup;

use utils::domain::anoncreds::schema::Schema;
use utils::domain::anoncreds::credential_definition::CredentialDefinition;
use utils::domain::anoncreds::credential::CredentialInfo;
use utils::domain::anoncreds::credential_for_proof_request::{CredentialsForProofRequest, RequestedCredential};
use utils::domain::anoncreds::proof::Proof;
@@ -2921,6 +2923,81 @@ mod high_cases {
"{}");
assert_code!(ErrorCode::CommonInvalidStructure, res);
}

#[test]
fn verifier_verify_proof_works_for_proof_does_not_correspond_to_request_attribute() {
let other_proof_req_json = json!({
"nonce":"123432421212",
"name":"proof_req_1",
"version":"0.1",
"requested_attributes": json!({
"attr1_referent": json!({
"name":"sex"
})
}),
"requested_predicates": json!({}),
}).to_string();
let res = anoncreds::verifier_verify_proof(&other_proof_req_json,
&anoncreds::proof_json(),
&anoncreds::schemas_for_proof(),
&anoncreds::cred_defs_for_proof(),
"{}",
"{}");
assert_code!(ErrorCode::AnoncredsProofRejected, res);
}

#[test]
fn verifier_verify_proof_works_for_wrong_revealed_attr_value() {
let proof_json = anoncreds::proof_json().replace(r#"name":"1139481716457488690172217916278103335"#, r#"name":"1111111111111111111111111111111111111"#);

let res = anoncreds::verifier_verify_proof(&anoncreds::proof_request_attr(),
&proof_json,
&anoncreds::schemas_for_proof(),
&anoncreds::cred_defs_for_proof(),
"{}",
"{}");
assert_code!(ErrorCode::AnoncredsProofRejected, res);
}

#[test]
fn verifier_verify_proof_works_for_wrong_encoded() {
let proof_json = anoncreds::proof_json().replace(r#"encoded":"1139481716457488690172217916278103335"#, r#"encoded":"1111111111111111111111111111111111111"#);

let res = anoncreds::verifier_verify_proof(&anoncreds::proof_request_attr(),
&proof_json,
&anoncreds::schemas_for_proof(),
&anoncreds::cred_defs_for_proof(),
"{}",
"{}");
assert_code!(ErrorCode::AnoncredsProofRejected, res);
}

#[test]
#[ignore] // TODO: Libindy doesn't aware about algorithm used for encoding of attribute values. We can do this check only on application level.
fn verifier_verify_proof_works_for_wrong_raw() {
let proof_json = anoncreds::proof_json().replace(r#"raw":"Alex"#, r#"raw":"Bob"#);

let res = anoncreds::verifier_verify_proof(&anoncreds::proof_request_attr(),
&proof_json,
&anoncreds::schemas_for_proof(),
&anoncreds::cred_defs_for_proof(),
"{}",
"{}");
assert_code!(ErrorCode::AnoncredsProofRejected, res);
}

#[test]
fn verifier_verify_proof_works_for_revealed_attr_case_insensitive() {
let proof_req_json = anoncreds::proof_request_attr().replace(r#""name":"name""#, r#""name":"NAME""#);

let valid = anoncreds::verifier_verify_proof(&proof_req_json,
&anoncreds::proof_json(),
&anoncreds::schemas_for_proof(),
&anoncreds::cred_defs_for_proof(),
"{}",
"{}").unwrap();
assert!(valid);
}
}

mod verifier_verify_proof_with_proof_req_restrictions {
@@ -2935,7 +3012,6 @@ mod high_cases {
"{}",
"{}").unwrap();
assert!(valid);

}

#[test]
@@ -3019,7 +3095,6 @@ mod high_cases {

#[test]
fn verifier_verify_proof_success_for_valid_schema_id() {

let proof_req = json!({
"nonce":"123432421212",
"name":"proof_req_1",
@@ -3044,7 +3119,6 @@ mod high_cases {

#[test]
fn verifier_verify_proof_fails_for_missing_schema_id() {

let proof_req = json!({
"nonce":"123432421212",
"name":"proof_req_1",
@@ -3069,7 +3143,6 @@ mod high_cases {

#[test]
fn verifier_verify_proof_success_for_valid_schema_issuer_did() {

let proof_req = json!({
"nonce":"123432421212",
"name":"proof_req_1",
@@ -3094,7 +3167,6 @@ mod high_cases {

#[test]
fn verifier_verify_proof_fails_for_missing_schema_issuer_did() {

let proof_req = json!({
"nonce":"123432421212",
"name":"proof_req_1",
@@ -3119,7 +3191,6 @@ mod high_cases {

#[test]
fn verifier_verify_proof_success_for_valid_schema_name() {

let proof_req = json!({
"nonce":"123432421212",
"name":"proof_req_1",
@@ -3144,7 +3215,6 @@ mod high_cases {

#[test]
fn verifier_verify_proof_fails_for_missing_schema_name() {

let proof_req = json!({
"nonce":"123432421212",
"name":"proof_req_1",
@@ -3169,7 +3239,6 @@ mod high_cases {

#[test]
fn verifier_verify_proof_success_for_valid_schema_version() {

let proof_req = json!({
"nonce":"123432421212",
"name":"proof_req_1",
@@ -3194,7 +3263,6 @@ mod high_cases {

#[test]
fn verifier_verify_proof_fails_for_missing_schema_version() {

let proof_req = json!({
"nonce":"123432421212",
"name":"proof_req_1",
@@ -3219,7 +3287,6 @@ mod high_cases {

#[test]
fn verifier_verify_proof_success_for_valid_cred_def_id() {

let proof_req = json!({
"nonce":"123432421212",
"name":"proof_req_1",
@@ -3244,7 +3311,6 @@ mod high_cases {

#[test]
fn verifier_verify_proof_fails_for_missing_cred_def_id() {

let proof_req = json!({
"nonce":"123432421212",
"name":"proof_req_1",
@@ -3269,7 +3335,6 @@ mod high_cases {

#[test]
fn verifier_verify_proof_fails_for_unknown_restriction() {

let proof_req = json!({
"nonce":"123432421212",
"name":"proof_req_1",
@@ -3334,7 +3399,7 @@ mod high_cases {
}
}

#[cfg(not(feature="only_high_cases"))]
#[cfg(not(feature = "only_high_cases"))]
mod medium_cases {
use super::*;
use std::collections::HashSet;
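Review bot: `verifier_verify_proof_works_for_revealed_attr_case_insensitive` can pass without exercising case-insensitive matching, because its `replace(r#""name":"name""#, r#""name":"NAME""#)` leaves the request unchanged if the fixture returned by `anoncreds::proof_request_attr()` is ever serialised differently. Adding `assert!(proof_req_json.contains(r#""name":"NAME""#));` before the verify call would pin that precondition. The negative tests built the same way appear less exposed, since an unmodified proof would presumably verify and fail their `AnoncredsProofRejected` assertion. No test shown here covers the new `CryptoProof not found by index` branch in verifier.rs; a case that sets `sub_proof_index` to an out-of-range value in the proof JSON would close that gap.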
