fix: accepts alternative iss for Google (MystenLabs#693)

* fix: add alternative iss to Google * add test
rooch-network · Nov 15, 2023 · 22003f9 · 22003f9
1 parent 3dee479
commit 22003f9
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 4 deletions.
diff --git a/fastcrypto-zkp/benches/zklogin.rs b/fastcrypto-zkp/benches/zklogin.rs
@@ -109,6 +109,7 @@ mod zklogin_benches {
                     &eph_pubkey,
                     &map,
                     &ZkLoginEnv::Prod,
+                    true,
                 )
             })
         });

diff --git a/fastcrypto-zkp/src/bn254/unit_tests/zk_login_e2e_tests.rs b/fastcrypto-zkp/src/bn254/unit_tests/zk_login_e2e_tests.rs
@@ -43,6 +43,7 @@ async fn test_end_to_end_twitch() {
         &eph_pubkey,
         &map,
         &ZkLoginEnv::Test,
+        true,
     );
     assert!(res.is_ok());
 
@@ -53,6 +54,7 @@ async fn test_end_to_end_twitch() {
         &eph_pubkey,
         &map,
         &ZkLoginEnv::Prod,
+        true,
     );
     assert!(res_prod.is_err());
 }
@@ -86,6 +88,7 @@ async fn test_end_to_end_kakao() {
         &eph_pubkey,
         &map,
         &ZkLoginEnv::Test,
+        true,
     );
     assert!(res.is_ok());
 
@@ -96,6 +99,7 @@ async fn test_end_to_end_kakao() {
         &eph_pubkey,
         &map,
         &ZkLoginEnv::Prod,
+        true,
     );
     assert!(res_prod.is_err());
 }
@@ -128,6 +132,7 @@ async fn test_end_to_end_apple() {
         &eph_pubkey,
         &map,
         &ZkLoginEnv::Test,
+        true,
     );
     assert!(res.is_ok());
 
@@ -138,6 +143,7 @@ async fn test_end_to_end_apple() {
         &eph_pubkey,
         &map,
         &ZkLoginEnv::Prod,
+        true,
     );
     assert!(res_prod.is_err());
 }
@@ -170,6 +176,7 @@ async fn test_end_to_end_slack() {
         &eph_pubkey,
         &map,
         &ZkLoginEnv::Test,
+        true,
     );
     assert!(res.is_ok());
 
@@ -180,6 +187,7 @@ async fn test_end_to_end_slack() {
         &eph_pubkey,
         &map,
         &ZkLoginEnv::Prod,
+        true,
     );
     assert!(res_prod.is_err());
 }

diff --git a/fastcrypto-zkp/src/bn254/unit_tests/zk_login_tests.rs b/fastcrypto-zkp/src/bn254/unit_tests/zk_login_tests.rs
@@ -5,7 +5,8 @@ use std::str::FromStr;
 
 use crate::bn254::poseidon::hash;
 use crate::bn254::utils::{
-    gen_address_seed, gen_address_seed_with_salt_hash, get_nonce, get_zk_login_address,
+    big_int_str_to_bytes, gen_address_seed, gen_address_seed_with_salt_hash, get_nonce,
+    get_zk_login_address,
 };
 use crate::bn254::zk_login::{
     convert_base, decode_base64_url, hash_ascii_str_to_field, hash_to_field, parse_jwks, to_field,
@@ -141,7 +142,14 @@ async fn test_verify_zk_login_google() {
         ),
         content,
     );
-    let res = verify_zk_login(&zk_login_inputs, 10, &eph_pubkey, &map, &ZkLoginEnv::Prod);
+    let res = verify_zk_login(
+        &zk_login_inputs,
+        10,
+        &eph_pubkey,
+        &map,
+        &ZkLoginEnv::Prod,
+        true,
+    );
     assert!(res.is_ok());
 }
 
@@ -569,3 +577,38 @@ fn test_all_inputs_hash() {
         "2487117669597822357956926047501254969190518860900347921480370492048882803688".to_string()
     );
 }
+
+#[test]
+fn test_alternative_iss_for_google() {
+    let input = ZkLoginInputs::from_json("{\"proofPoints\":{\"a\":[\"7566241567720780416751598994698310678767195459947224622023785587667176814058\",\"18104499930818305143361187733659014043953751050617136254447624192327280445771\",\"1\"],\"b\":[[\"11369230593957954942221175389182778816136534144714579815927653075736806430994\",\"11928003240637992017698644299021052465098754853899210401706726930513411198353\"],[\"2597127058046351054449743605218058440565462021354202666955356076272028963802\",\"3385145993275542896693643488618289924488296318344621918448585222369718288892\"],[\"1\",\"0\"]],\"c\":[\"395141536511114303768253959602639884294254888080713473665269769443249414257\",\"21430657725804540809568084344756144327539843580919730138594118365564728808275\",\"1\"]},\"issBase64Details\":{\"value\":\"yJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLC\",\"indexMod4\":1},\"headerBase64\":\"eyJhbGciOiJSUzI1NiIsImtpZCI6ImM5YWZkYTM2ODJlYmYwOWViMzA1NWMxYzRiZDM5Yjc1MWZiZjgxOTUiLCJ0eXAiOiJKV1QifQ\"}", "4959624758616676340947699768172740454110375485415332267384397278368360470616").unwrap();
+    let mut eph_pubkey_bytes = vec![0];
+    eph_pubkey_bytes.extend(
+        big_int_str_to_bytes(
+            "3598866369818193253063936208363210863933653800990958031560302098730308306242903464",
+        )
+        .unwrap(),
+    );
+    let mut all_jwk = ImHashMap::new();
+    all_jwk.insert(
+        JwkId::new(
+            OIDCProvider::Google.get_config().iss,
+            "c9afda3682ebf09eb3055c1c4bd39b751fbf8195".to_string(),
+        ),
+        JWK {
+            kty: "RSA".to_string(),
+            e: "AQAB".to_string(),
+            n: "whYOFK2Ocbbpb_zVypi9SeKiNUqKQH0zTKN1-6fpCTu6ZalGI82s7XK3tan4dJt90ptUPKD2zvxqTzFNfx4HHHsrYCf2-FMLn1VTJfQazA2BvJqAwcpW1bqRUEty8tS_Yv4hRvWfQPcc2Gc3-_fQOOW57zVy-rNoJc744kb30NjQxdGp03J2S3GLQu7oKtSDDPooQHD38PEMNnITf0pj-KgDPjymkMGoJlO3aKppsjfbt_AH6GGdRghYRLOUwQU-h-ofWHR3lbYiKtXPn5dN24kiHy61e3VAQ9_YAZlwXC_99GGtw_NpghFAuM4P1JDn0DppJldy3PGFC0GfBCZASw".to_string(),
+            alg: "RS256".to_string(),
+        },
+    );
+
+    let res = verify_zk_login(
+        &input,
+        10000,
+        &eph_pubkey_bytes,
+        &all_jwk,
+        &ZkLoginEnv::Test,
+        true,
+    );
+    assert!(res.is_ok());
+}
diff --git a/fastcrypto-zkp/src/bn254/zk_login.rs b/fastcrypto-zkp/src/bn254/zk_login.rs
@@ -151,7 +151,7 @@ impl OIDCProvider {
     /// Returns the OIDCProvider for the given iss string.
     pub fn from_iss(iss: &str) -> Result<Self, FastCryptoError> {
         match iss {
-            "https://accounts.google.com" => Ok(Self::Google),
+            "https://accounts.google.com" | "accounts.google.com" => Ok(Self::Google),
             "https://id.twitch.tv/oauth2" => Ok(Self::Twitch),
             "https://www.facebook.com" => Ok(Self::Facebook),
             "https://kauth.kakao.com" => Ok(Self::Kakao),
@@ -349,6 +349,14 @@ impl ZkLoginInputs {
         &self.jwt_details.iss
     }
 
+    /// Get the sanitized iss string to use standard iss string.
+    pub fn get_sanitized_iss(&self) -> &str {
+        if &self.jwt_details.iss == "accounts.google.com" {
+            "https://accounts.google.com"
+        } else {
+            &self.jwt_details.iss
+        }
+    }
     /// Get the zk login proof.
     pub fn get_proof(&self) -> &ZkLoginProof {
         &self.proof_points

diff --git a/fastcrypto-zkp/src/bn254/zk_login_api.rs b/fastcrypto-zkp/src/bn254/zk_login_api.rs
@@ -227,9 +227,16 @@ pub fn verify_zk_login(
     eph_pubkey_bytes: &[u8],
     all_jwk: &ImHashMap<JwkId, JWK>,
     env: &ZkLoginEnv,
+    should_sanitize_iss: bool,
 ) -> Result<(), FastCryptoError> {
     // Load the expected JWK based on (iss, kid).
-    let (iss, kid) = (input.get_iss().to_string(), input.get_kid().to_string());
+    let (iss, kid) = match should_sanitize_iss {
+        true => (
+            input.get_sanitized_iss().to_string(),
+            input.get_kid().to_string(),
+        ),
+        false => (input.get_iss().to_string(), input.get_kid().to_string()),
+    };
     let jwk = all_jwk
         .get(&JwkId::new(iss.clone(), kid.clone()))
         .ok_or_else(|| {
-Original file line number
+Diff line change
@@ Expand Up / @@ -109,6 +109,7 @@ mod zklogin_benches { @@
                         &eph_pubkey,
                         &map,
                         &ZkLoginEnv::Prod,
+                        true,
                     )
                 })
             });
@@ Expand Down @@