UNPKG

@iden3/js-iden3-auth

Version:

iden3-auth implementation in JavaScript

github.com/iden3/js-iden3-auth

iden3/js-iden3-auth

145 lines (144 loc) 6.87 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
import { IDOwnershipPubSignals } from '../circuits/ownershipVerifier.js'; import { checkIssuerNonRevState, checkUserState, getResolverByID } from '../circuits/common.js'; import { DID, getDateFromUnixTimestamp } from '@iden3/js-iden3-core'; import { getDocumentLoader } from '@iden3/js-jsonld-merklization'; import { AtomicQueryV3PubSignals, byteEncoder, checkCircuitOperator, checkQueryRequest, CircuitId, Operators, parseQueriesMetadata, ProofType, validateDisclosureNativeSDSupport, validateEmptyCredentialSubjectNoopNativeSupport, validateOperators, verifyFieldValueInclusionNativeExistsSupport } from '@0xpolygonid/js-sdk'; const valuesSize = 64; const defaultProofVerifyOpts = 1 * 60 * 60 * 1000; // 1 hour /** * Verifies the public signals for the AtomicQueryV3 circuit. * @beta */ export class AtomicQueryV3PubSignalsVerifier extends IDOwnershipPubSignals { constructor(pubSignals) { super(); this.pubSignals = new AtomicQueryV3PubSignals(); this.pubSignals = this.pubSignals.pubSignalsUnmarshal(byteEncoder.encode(JSON.stringify(pubSignals))); this.userId = this.pubSignals.userID; this.challenge = this.pubSignals.requestID; } async verifyQuery(query, schemaLoader, verifiablePresentation, opts, params) { const outs = { issuerId: this.pubSignals.issuerID, schemaHash: this.pubSignals.claimSchema, slotIndex: this.pubSignals.slotIndex, operator: this.pubSignals.operator, value: this.pubSignals.value, timestamp: this.pubSignals.timestamp, merklized: this.pubSignals.merklized, claimPathKey: this.pubSignals.claimPathKey, valueArraySize: valuesSize, isRevocationChecked: this.pubSignals.isRevocationChecked, operatorOutput: this.pubSignals.operatorOutput }; if (!query.type) { throw new Error(`proof query type is undefined`); } const loader = schemaLoader ?? getDocumentLoader(); // validate schema let context; try { context = (await loader(query.context ?? '')).document; } catch (e) { throw new Error(`can't load schema for request query`); } const queriesMetadata = await parseQueriesMetadata(query.type, JSON.stringify(context), query.credentialSubject, { documentLoader: loader }); const circuitId = CircuitId.AtomicQueryV3; await checkQueryRequest(query, queriesMetadata, context, outs, CircuitId.AtomicQueryV3, loader, opts); const queryMetadata = queriesMetadata[0]; // only one query is supported checkCircuitOperator(circuitId, outs.operator); // validate selective disclosure if (queryMetadata.operator === Operators.SD) { try { await validateDisclosureNativeSDSupport(queryMetadata, outs, verifiablePresentation, loader); } catch (e) { throw new Error(`failed to validate selective disclosure: ${e.message}`); } } else if (!queryMetadata.fieldName && queryMetadata.operator == Operators.NOOP) { try { await validateEmptyCredentialSubjectNoopNativeSupport(outs); } catch (e) { throw new Error(`failed to validate operators: ${e.message}`); } } else { try { await validateOperators(queryMetadata, outs); } catch (e) { throw new Error(`failed to validate operators: ${e.message}`); } } // verify field inclusion / non-inclusion verifyFieldValueInclusionNativeExistsSupport(outs, queryMetadata); const { proofType, verifierID, nullifier, nullifierSessionID, linkID } = this.pubSignals; switch (query.proofType) { case ProofType.BJJSignature: if (proofType !== 1) { throw new Error('wrong proof type for BJJSignature'); } break; case ProofType.Iden3SparseMerkleTreeProof: if (proofType !== 2) { throw new Error('wrong proof type for Iden3SparseMerkleTreeProof'); } break; default: // if proof type is not specified in query any proof type in signals is OK. } const nSessionId = BigInt(params?.nullifierSessionId ?? 0); if (nSessionId !== 0n) { if (BigInt(nullifier ?? 0) === 0n) { throw new Error('nullifier should be provided for nullification and should not be 0'); } // verify nullifier information const verifierDIDParam = params?.verifierDid; if (!verifierDIDParam) { throw new Error('verifierDid is required'); } const id = DID.idFromDID(verifierDIDParam); if (verifierID.bigInt() != id.bigInt()) { throw new Error('wrong verifier is used for nullification'); } if (nullifierSessionID !== nSessionId) { throw new Error(`wrong verifier session id is used for nullification, expected ${nSessionId}, got ${nullifierSessionID}`); } } else if (nullifierSessionID !== 0n) { throw new Error(`Nullifier id is generated but wasn't requested`); } if (!query.groupId && linkID !== 0n) { throw new Error(`proof contains link id, but group id is not provided`); } if (query.groupId && linkID === 0n) { throw new Error("proof doesn't contain link id, but group id is provided"); } return this.pubSignals; } async verifyStates(resolvers, opts) { const resolver = getResolverByID(resolvers, this.pubSignals.issuerID); if (!resolver) { throw new Error(`resolver not found for issuerID ${this.pubSignals.issuerID.string()}`); } await checkUserState(resolver, this.pubSignals.issuerID, this.pubSignals.issuerState); if (this.pubSignals.isRevocationChecked === 0) { return; } const issuerNonRevStateResolved = await checkIssuerNonRevState(resolver, this.pubSignals.issuerID, this.pubSignals.issuerClaimNonRevState); const acceptedStateTransitionDelay = opts?.acceptedStateTransitionDelay ?? defaultProofVerifyOpts; if (issuerNonRevStateResolved.latest) { return; } const timeDiff = Date.now() - getDateFromUnixTimestamp(Number(issuerNonRevStateResolved.transitionTimestamp)).getTime(); if (timeDiff > acceptedStateTransitionDelay) { throw new Error('issuer state is outdated'); } } }