Skip to content

Commit

Permalink
Merge pull request #2609 from dbluhm/fix/signed-attach-resilience
Browse files Browse the repository at this point in the history 
fix: more resilient checks in verify signed attachments
  • Loading branch information
@swcurran
swcurran committed Nov 18, 2023
2 parents 63943f4 + d0b6bfd commit a81c2c7
Showing 1 changed file with 11 additions and 5 deletions.
16 changes: 11 additions & 5 deletions aries_cloudagent/messaging/decorators/attach_decorator.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -448,13 +448,19 @@ async def verify(self, wallet: BaseWallet, signer_verkey: str = None) -> bool:

sign_input = (b64_protected + "." + b64_payload).encode("ascii")
b_sig = b64_to_bytes(b64_sig, urlsafe=True)
verkey = bytes_to_b58(b64_to_bytes(protected["jwk"]["x"], urlsafe=True))
encoded_pk = DIDKey.from_did(protected["jwk"]["kid"]).public_key_b58
verkey_to_check.append(encoded_pk)
jwk = protected["jwk"]
verkey = bytes_to_b58(b64_to_bytes(jwk["x"], urlsafe=True))
if not await wallet.verify_message(sign_input, b_sig, verkey, ED25519):
return False
if not await wallet.verify_message(sign_input, b_sig, encoded_pk, ED25519):
return False

if "kid" in jwk:
encoded_pk = DIDKey.from_did(protected["jwk"]["kid"]).public_key_b58
verkey_to_check.append(encoded_pk)
if not await wallet.verify_message(
sign_input, b_sig, encoded_pk, ED25519
):
return False

if signer_verkey and signer_verkey not in verkey_to_check:
return False
return True
Expand Down

0 comments on commit a81c2c7

Please sign in to comment.