Skip to content

Commit

Permalink
Merge branch 'main' of github.com:rarimo/passport-identity-provider i…
Browse files Browse the repository at this point in the history
…nto quick-fix/prepend-prefix
  • Loading branch information
mhrynenko committed May 16, 2024
2 parents f838797 + 4f8ce46 commit 3e3bf82
Showing 1 changed file with 32 additions and 23 deletions.
55 changes: 32 additions & 23 deletions internal/service/api/handlers/create_identity.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import (
"crypto/sha256"
"encoding/asn1"
"encoding/hex"
"encoding/json"
"encoding/pem"
"fmt"
"math/big"
Expand Down Expand Up @@ -62,42 +63,50 @@ func CreateIdentity(w http.ResponseWriter, r *http.Request) {
return
}

rawReqData, err := json.Marshal(req.Data)
if err != nil {
Log(r).WithError(err).Error("failed to marshal create identity request")
ape.RenderErr(w, problems.InternalError())
return
}
log := Log(r).WithField("request_data", string(rawReqData))

algorithm := signatureAlgorithm(req.Data.DocumentSOD.Algorithm)
if algorithm == "" {
Log(r).WithError(fmt.Errorf("%s is not a valid algorithm", req.Data.DocumentSOD.Algorithm)).Error("failed to select signature algorithm")
log.WithError(fmt.Errorf("%s is not a valid algorithm", req.Data.DocumentSOD.Algorithm)).Error("failed to select signature algorithm")
ape.RenderErr(w, problems.BadRequest(fmt.Errorf("%s is not a valid algorithm", req.Data.DocumentSOD.Algorithm))...)
return
}

signedAttributes, err := hex.DecodeString(req.Data.DocumentSOD.SignedAttributes)
if err != nil {
Log(r).WithError(err).Error("failed to decode hex string")
log.WithError(err).Error("failed to decode hex string")
ape.RenderErr(w, problems.BadRequest(err)...)
return
}

encapsulatedContent, err := hex.DecodeString(req.Data.DocumentSOD.EncapsulatedContent)
if err != nil {
Log(r).WithError(err).Error("failed to decode hex string")
log.WithError(err).Error("failed to decode hex string")
ape.RenderErr(w, problems.BadRequest(err)...)
return
}

if err := validateSignedAttributes(signedAttributes, encapsulatedContent, algorithm); err != nil {
Log(r).WithError(err).Error("failed to validate signed attributes")
log.WithError(err).Error("failed to validate signed attributes")
ape.RenderErr(w, problems.InternalError())
return
}

cert, err := parseCertificate([]byte(req.Data.DocumentSOD.PemFile))
if err != nil {
Log(r).WithError(err).Error("failed to parse certificate")
log.WithError(err).Error("failed to parse certificate")
ape.RenderErr(w, problems.InternalError())
return
}

if err := verifySignature(req, cert, signedAttributes, algorithm); err != nil {
Log(r).WithError(err).Error("failed to verify signature")
log.WithError(err).Error("failed to verify signature")
ape.RenderErr(w, problems.InternalError())
return
}
Expand All @@ -107,51 +116,51 @@ func CreateIdentity(w http.ResponseWriter, r *http.Request) {
switch algorithm {
case SHA1withECDSA:
if err := verifier.VerifyGroth16(req.Data.ZKProof, cfg.VerificationKeys[SHA1]); err != nil {
Log(r).WithError(err).Error("failed to verify Groth16")
log.WithError(err).Error("failed to verify Groth16")
ape.RenderErr(w, problems.BadRequest(err)...)
return
}
case SHA256withRSA, SHA256withECDSA:
if err := verifier.VerifyGroth16(req.Data.ZKProof, cfg.VerificationKeys[SHA256]); err != nil {
Log(r).WithError(err).Error("failed to verify Groth16")
log.WithError(err).Error("failed to verify Groth16")
ape.RenderErr(w, problems.BadRequest(err)...)
return
}
default:
Log(r).WithField("algorithm", req.Data.DocumentSOD.Algorithm).Debug("invalid signature algorithm")
log.WithField("algorithm", req.Data.DocumentSOD.Algorithm).Debug("invalid signature algorithm")
ape.RenderErr(w, problems.BadRequest(errors.New("invalid signature algorithm"))...)
return
}

encapsulatedData := resources.EncapsulatedData{}
if _, err = asn1.Unmarshal(encapsulatedContent, &encapsulatedData); err != nil {
Log(r).WithError(err).Error("failed to unmarshal ASN.1")
log.WithError(err).Error("failed to unmarshal ASN.1")
ape.RenderErr(w, problems.InternalError())
return
}

privateKey := make([]asn1.RawValue, 0)
if _, err = asn1.Unmarshal(encapsulatedData.PrivateKey.FullBytes, &privateKey); err != nil {
Log(r).WithError(err).Error("failed to unmarshal ASN.1")
log.WithError(err).Error("failed to unmarshal ASN.1")
ape.RenderErr(w, problems.InternalError())
return
}

privKeyEl := resources.PrivateKeyElement{}
if _, err = asn1.Unmarshal(privateKey[0].FullBytes, &privKeyEl); err != nil {
Log(r).WithError(err).Error("failed to unmarshal ASN.1")
log.WithError(err).Error("failed to unmarshal ASN.1")
ape.RenderErr(w, problems.InternalError())
return
}

if err := validatePubSignals(cfg, req.Data, privKeyEl.OctetStr.Bytes); err != nil {
Log(r).WithError(err).Error("failed to validate pub signals")
log.WithError(err).Error("failed to validate pub signals")
ape.RenderErr(w, problems.BadRequest(err)...)
return
}

if err := validateCert(cert, cfg.MasterCerts); err != nil {
Log(r).WithError(err).Error("failed to validate certificate")
log.WithError(err).Error("failed to validate certificate")
ape.RenderErr(w, problems.BadRequest(err)...)
return
}
Expand All @@ -162,7 +171,7 @@ func CreateIdentity(w http.ResponseWriter, r *http.Request) {
FilterBy("user_did", req.Data.ID.String()).
Get()
if err != nil {
Log(r).WithError(err).Error("failed to get claim by user DID")
log.WithError(err).Error("failed to get claim by user DID")
ape.RenderErr(w, problems.InternalError())
return
}
Expand All @@ -186,14 +195,14 @@ func CreateIdentity(w http.ResponseWriter, r *http.Request) {

identityExpiration, err := getExpirationTimeFromPubSignals(req.Data.ZKProof.PubSignals)
if err != nil {
Log(r).WithError(err).Error("failed to get expiration time")
log.WithError(err).Error("failed to get expiration time")
ape.RenderErr(w, problems.BadRequest(err)...)
return
}

issuingAuthority, err := strconv.Atoi(req.Data.ZKProof.PubSignals[2])
if err != nil {
Log(r).WithError(err).Error("failed to convert string to int")
log.WithError(err).Error("failed to convert string to int")
ape.RenderErr(w, problems.InternalError())
return
}
Expand All @@ -204,7 +213,7 @@ func CreateIdentity(w http.ResponseWriter, r *http.Request) {

blinder, err := vaultClient.Blinder()
if err != nil {
Log(r).WithError(err).Error("failed to get blinder from the vault")
log.WithError(err).Error("failed to get blinder from the vault")
ape.RenderErr(w, problems.InternalError())
return
}
Expand All @@ -214,26 +223,26 @@ func CreateIdentity(w http.ResponseWriter, r *http.Request) {
salt := new(big.Int).SetUint64(uint64(time.Now().UTC().UnixMilli()))
documentHash, err := poseidon.HashBytes(signedAttributes)
if err != nil {
Log(r).WithError(err).Error("failed to hash signed attributes")
log.WithError(err).Error("failed to hash signed attributes")
ape.RenderErr(w, problems.InternalError())
return
}

nullifier, err := poseidon.Hash([]*big.Int{documentHash, blinder, salt})
if err != nil {
Log(r).WithError(err).Error("failed to build nullifier")
log.WithError(err).Error("failed to build nullifier")
ape.RenderErr(w, problems.InternalError())
return
}

existing, err := masterQ.Claim().FilterBy("document_hash", documentHash.String()).Get()
if err != nil {
Log(r).WithError(err).Error("failed to get claim by document hash")
log.WithError(err).Error("failed to get claim by document hash")
ape.RenderErr(w, problems.InternalError())
return
}
if existing != nil {
log := Log(r).WithField("document_hash", documentHash.String())
log = log.WithField("document_hash", documentHash.String())
if existing.IsBanned {
log.Info("user of the provided document is banned")
ape.RenderErr(w, problems.InternalError())
Expand Down Expand Up @@ -288,7 +297,7 @@ func CreateIdentity(w http.ResponseWriter, r *http.Request) {

return nil
}); err != nil {
Log(r).WithError(err).Error("failed to execute SQL transaction")
log.WithError(err).Error("failed to execute SQL transaction")
// error was rendered beforehand
return
}
Expand Down

0 comments on commit 3e3bf82

Please sign in to comment.