Merge pull request #17 from iden3/feature/add-user-id-check

add userID check
iden3 · Jun 3, 2022 · 7b76e51 · 7b76e51
2 parents 6d130b5 + 8a64b56
commit 7b76e51
Show file tree

Hide file tree

Showing 7 changed files with 114 additions and 92 deletions.
diff --git a/auth.go b/auth.go
@@ -99,6 +99,14 @@ func (v *Verifier) VerifyAuthResponse(ctx context.Context, response protocol.Aut
 		if err != nil {
 			return err
 		}
+
+		// verify proof author
+
+		err = cv.VerifyIDOwnership(response.From, big.NewInt(int64(proofResponse.ID)))
+		if err != nil {
+			return err
+		}
+
 		// verify query
 		err = cv.VerifyQuery(ctx, query, v.claimSchemaLoader)
 		if err != nil {
@@ -161,6 +169,21 @@ func (v *Verifier) FullVerify(ctx context.Context, token string, request protoco
 		return nil, err
 	}
 
+	circuitVerifier, err := getPublicSignalsVerifier(circuits.CircuitID(t.CircuitID), t.ZkProof.PubSignals)
+	if err != nil {
+		return nil, err
+	}
+
+	challengeBytes, err := t.GetMessageHash()
+	if err != nil {
+		return nil, err
+	}
+
+	err = circuitVerifier.VerifyIDOwnership(authMsgResponse.From, new(big.Int).SetBytes(challengeBytes))
+	if err != nil {
+		return &authMsgResponse, err
+	}
+
 	// verify proof requests
 	err = v.VerifyAuthResponse(ctx, authMsgResponse, request)
 	return &authMsgResponse, err

diff --git a/auth_test.go b/auth_test.go
diff --git a/proofs/zk_test.go b/proofs/zk_test.go
@@ -16,37 +16,37 @@ func TestVerifyProof(t *testing.T) {
 	proofMessage := protocol.ZeroKnowledgeProofResponse{ZKProof: types.ZKProof{
 		Proof: &types.ProofData{
 			A: []string{
-				"17300412240859444515392568163435804813017976692285923296472945635331932727680",
-				"7987339170212675259821816067019157877322619530773523635442853691144276581175",
+				"957698408427964949373649712039920043210974666537246242527666231574736447215",
+				"4086301798091555580700861865212439093760939259461303470105592576075967110809",
 				"1",
 			},
 			B: [][]string{
 				{
-					"5486219459376127769845397505363323827097781846702616106528032766863904141460",
-					"11039278958960874345161114839879155843571258672217556129876164981000000213181",
+					"17761559932897315893618895130972320113328240504534127684296053239008480650132",
+					"5632193781365169642645888319571038406614807943044397798965094551600628234503",
 				},
 				{
-					"5734177967798447984375578254489289977886713350854096962368592857583115164274",
-					"21771665105082077940581255424279921654694357633832951123887813648180657619621",
+					"1365440307473149802051965484085369690014133594254254856398071522896525497247",
+					"9143247083381732337710902360194843027755305930598838459668134140717530368519",
 				},
 				{
 					"1",
 					"0",
 				}},
 			C: []string{
-				"4106769399781383134298643763906436588385207522345794758381044448953462017859",
-				"1234974648670414565564350118653247493464081700953044140002324628423327393314",
+				"16707768020019049851803695616000699953210287095055797633254316035548791886996",
+				"20859199949100338932805050654787060104015161388984781255169527105633884420687",
 				"1",
 			},
 			Protocol: "groth16",
 		},
 		PubSignals: []string{
-			"26599593799728934680860584327714016459626247438431721735682191132926148608",
-			"4418769696461428246512928789643504202311642636963003365499223889989622854438",
-			"12345",
-			"16446163964048470129035485707706889290749894786011731450838224817103550600055",
-			"77831441471838426779291891106433475666842073117835485972167846259714555904",
-			"1653653936",
+			"379949150130214723420589610911161895495647789006649785264738141299135414272",
+			"18656147546666944484453899241916469544090258810192803949522794490493271005313",
+			"1",
+			"17339270624307006522829587570402128825147845744601780689258033623056405933706",
+			"26599707002460144379092755370384635496563807452878989192352627271768342528",
+			"1642074362",
 			"106590880073303418818490710639556704462",
 			"2",
 			"5",

diff --git a/pubsignals/atomicMtp.go b/pubsignals/atomicMtp.go
@@ -2,9 +2,10 @@ package pubsignals
 
 import (
 	"context"
-
 	"github.com/iden3/go-circuits"
 	"github.com/iden3/go-iden3-auth/loaders"
+	"github.com/pkg/errors"
+	"math/big"
 )
 
 // AtomicQueryMTP is a wrapper for circuits.AtomicQueryMTPPubSignals
@@ -44,3 +45,14 @@ func (c *AtomicQueryMTP) VerifyStates(ctx context.Context, stateResolver StateRe
 
 	return nil
 }
+
+// VerifyIDOwnership returns error if ownership id wasn't verified in circuit
+func (c *AtomicQueryMTP) VerifyIDOwnership(sender string, challenge *big.Int) error {
+	if sender != c.UserID.String() {
+		return errors.Errorf("sender is not used for proof creation, expected %s, user from public signals: %s}", sender, c.UserID.String())
+	}
+	if challenge.Cmp(c.Challenge) != 0 {
+		return errors.Errorf("challenge is not used for proof creation, expected , expected %s, challenge from public signals: %s}", challenge.String(), c.Challenge.String())
+	}
+	return nil
+}
diff --git a/pubsignals/atomicSig.go b/pubsignals/atomicSig.go
@@ -4,6 +4,8 @@ import (
 	"context"
 	"github.com/iden3/go-circuits"
 	"github.com/iden3/go-iden3-auth/loaders"
+	"github.com/pkg/errors"
+	"math/big"
 )
 
 // AtomicQuerySig is a wrapper for circuits.AtomicQuerySigPubSignals
@@ -49,3 +51,14 @@ func (c *AtomicQuerySig) VerifyStates(ctx context.Context, stateResolver StateRe
 
 	return nil
 }
+
+// VerifyIDOwnership returns error if ownership id wasn't verified in circuit
+func (c *AtomicQuerySig) VerifyIDOwnership(sender string, challenge *big.Int) error {
+	if sender != c.UserID.String() {
+		return errors.Errorf("sender is not used for proof creation, expected %s, user from public signals: %s}", sender, c.UserID.String())
+	}
+	if challenge.Cmp(c.Challenge) != 0 {
+		return errors.Errorf("challenge is not used for proof creation, expected , expected %s, challenge from public signals: %s}", challenge.String(), c.Challenge.String())
+	}
+	return nil
+}
diff --git a/pubsignals/auth.go b/pubsignals/auth.go
@@ -5,6 +5,7 @@ import (
 	"github.com/iden3/go-circuits"
 	"github.com/iden3/go-iden3-auth/loaders"
 	"github.com/pkg/errors"
+	"math/big"
 )
 
 // Auth is a wrapper for circuits.AuthPubSignals
@@ -30,3 +31,14 @@ func (c *Auth) VerifyStates(ctx context.Context, stateResolver StateResolver) er
 	}
 	return nil
 }
+
+// VerifyIDOwnership returns error if ownership id wasn't verified in circuit
+func (c *Auth) VerifyIDOwnership(sender string, challenge *big.Int) error {
+	if sender != c.UserID.String() {
+		return errors.Errorf("sender is not used for proof creation, expected %s, user from public signals: %s}", sender, c.UserID.String())
+	}
+	if challenge.Cmp(c.Challenge) != 0 {
+		return errors.Errorf("challenge is not used for proof creation, expected , expected %s, challenge from public signals: %s}", challenge.String(), c.Challenge.String())
+	}
+	return nil
+}
diff --git a/pubsignals/circuitVerifier.go b/pubsignals/circuitVerifier.go
@@ -17,6 +17,7 @@ type StateResolver interface {
 type Verifier interface {
 	VerifyQuery(ctx context.Context, query Query, schemaLoader loaders.SchemaLoader) error
 	VerifyStates(ctx context.Context, resolver StateResolver) error
+	VerifyIDOwnership(userIdentifier string, challenge *big.Int) error
 
 	circuits.PubSignalsUnmarshaller
 }