Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feat/oav3 dnsdid did revocation #158

Closed
wants to merge 17 commits into from

Conversation

cavacado
Copy link
Contributor

@cavacado cavacado commented Feb 9, 2021

rough draft for logic and generate script want to have review early to see if correct implementation or not:
no test yet
commits:

  • package-lock
  • logic for revocation for dns-did documents and dns document
  • generate script for dns-did document + dns document for v3 only currently

yehjxraymond and others added 17 commits January 20, 2021 16:16
Co-authored-by: Raymond Yeh <ray@geek.sg>
* chore: refactored verifier into skip, test & verify

* feat: document store verification & generating revoked docs

* chore: update comment

Co-authored-by: Raymond Yeh <ray@geek.sg>
Co-authored-by: Raymond Yeh <ray@geek.sg>
* feat: verification for dns-did

* chore: refactored constraint checks

* fix: lint

* fix: test description

Co-authored-by: Nebulis <nebounet@gmail.com>

Co-authored-by: Raymond Yeh <ray@geek.sg>
Co-authored-by: Nebulis <nebounet@gmail.com>
* chore: refactored into test verify skip

* chore: refactoring test [wip]

* chore: refractor test

* chores: empty-test-for-v3

* chore: removed unnecessary tests

* chore: refractor-test-case

* chore: added-v3-test

* chore: added-v3-verify

* test: added v3-verify-test

* chore: fix-lint

* chore: refactored code

Co-authored-by: Raymond Yeh <ray@geek.sg>
Co-authored-by: Chen Ren <siachenren@gmail.com>
* chore: refactored previous verifier

* chore: refactored test

* chore: rename test & added v3 tests

* feat: verify for v3 documents

* fix: lint

* fix: token registry's test & oav3 integration test (#157)

* chore: integration test for all OAv3 documents

* chore: better var naming

* fix: lint

* chore: added getFailingFragments to tests

* fix: reasons for dnsTxt moved out

Co-authored-by: Raymond Yeh <ray@geek.sg>

Co-authored-by: Raymond Yeh <ray@geek.sg>
@@ -119,12 +140,19 @@ const verifyV2 = async (document: SignedWrappedDocument<v2.OpenAttestationDocume
issuance,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should probably add the details about revocation here

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

got it

const revocationStatus =
metaData.proof.revocation.type === v3.RevocationType.RevocationStore
? await isRevokedOnDocumentStore({
documentStore: metaData.proof.revocation?.address,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that's weird to use optional param here and not above (metaData.proof.revocation.type)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

metaData.proof.revocation.type for v3 is not optional though
its inconsistent with v2, for v2, issuers[x].revocation.type is optional.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean

  • metaData.proof.revocation.type L176
  • metaData.proof.revocation?.address L178

same object (metaData.proof.revocation), but once used with optional and not the other

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yea sorry am not reading correctly

Comment on lines +212 to +239
const validSignatureWithoutDnsTxt = {
...baseDidDocument,
openAttestationMetadata: {
...baseDidDocument.openAttestationMetadata,
identityProof: {
type: v3.IdentityProofType.DNSDid,
identifier: "notinuse.tradetrust.io",
},
},
};
const wrappedInvalidDnsDidDocument = await __unsafe__use__it__at__your__own__risks__wrapDocument(
validSignatureWithoutDnsTxt
);
const signatureForInvalidDocument = await wallet.signMessage(
utils.arrayify(`0x${wrappedInvalidDnsDidDocument.proof.merkleRoot}`)
);
const signedInvalidDnsDidDocument: v3.SignedWrappedDocument = {
...wrappedInvalidDnsDidDocument,
proof: {
...wrappedInvalidDnsDidDocument.proof,
key: "did:ethr:0xE712878f6E8d5d4F9e87E10DA604F9cB564C9a89#controller",
signature: signatureForInvalidDocument,
},
};
writeFileSync(
"./test/fixtures/v3/did-revocation-store-invalid-signed.json",
JSON.stringify(signedInvalidDnsDidDocument, null, 2)
);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably can leave these out. You probably want two files only:

  1. DID document with revocation store that is not revoked
  2. DID document with revocation store that is revoked

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sure

Comment on lines +65 to +74
return r?.type === v2.RevocationType.RevocationStore
? isRevokedOnDocumentStore({
documentStore: r?.address,
merkleRoot,
provider: options.provider,
targetHash,
})
: Promise.resolve({
revoked: false,
});
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will result in a way to "unrevoke" my document. If I'm a recipient of document and I found out that the issuer revoked my document, I simply obfuscate my revocation type to skip the revocation check.

Should check that its NONE, else throw.

Might want to have a separate function to do this on top or something.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

but wont the previous error (lines 57-61) cover this vulnerability?
the code from 64-74 will only run if r.type is well defined.

separate function as in extract it out as a callback back function to make it neater?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

got it after discussion with @yehjxraymond

proofs,
provider: options.provider,
})
: {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same vulnerability introduced

Base automatically changed from feat/oav3 to master February 9, 2021 06:14
@cavacado
Copy link
Contributor Author

closing this, as I am going to open another PR due to the master moving ahead and I don't want to deal with the merge-conflicts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants