Implement zk proof verification flow. Refactor registration to use EC…

…DSA for Brainpool. Minor improvements
rarimo · Dec 10, 2024 · 79271e3 · 79271e3
1 parent 59beeef
commit 79271e3
Show file tree

Hide file tree

Showing 30 changed files with 934 additions and 263 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -14,4 +14,4 @@ FROM alpine:3.9
 COPY --from=buildbase /usr/local/bin/incognito-light-registrator /usr/local/bin/incognito-light-registrator
 RUN apk add --no-cache ca-certificates
 
-ENTRYPOINT ["incognito-light-registrator", "run", "service"]
+ENTRYPOINT ["incognito-light-registrator"]
diff --git a/config.yaml b/config.yaml
@@ -1,5 +1,13 @@
 verifier:
+  verification_keys_paths:
+    sha1: "./verification_keys/registerIdentityLight160.json"
+    sha224: "./verification_keys/registerIdentityLight224.json"
+    sha256: "./verification_keys/registerIdentityLight256.json"
+    sha384: "./verification_keys/registerIdentityLight384.json"
+    sha512: "./verification_keys/registerIdentityLight512.json"
   master_certs_path: "./masterList.dev.pem"
+  disableTimeChecks: false
+  disableNameChecks: false
 
 log:
   level: debug

diff --git a/docs/spec/components/schemas/DocumentSod.yaml b/docs/spec/components/schemas/DocumentSod.yaml
@@ -1,41 +1,38 @@
-allOf:
-  - $ref: '#/components/schemas/DocumentSodKey'
-  - type: object
-    required:
-      - attributes
-    properties:
-      attributes:
-        type: object
-        required:
-          - hash_algorithm
-          - signature_algorithm
-          - signed_attributes
-          - signature
-          - encapsulated_content
-          - pem_file
-          - dg15
-        properties:
-          hash_algorithm:
-            type: string
-            description: The hash algorithm used to hash the content
-          signature_algorithm:
-            type: string
-            description: The signature algorithm used to sign the content
-          signed_attributes:
-            type: string
-            description: The signed attributes, for e.g. 104 bytes-long hex string
-          signature:
-            type: string
-            description: Signature corresponding to the algorithm
-          encapsulated_content:
-            type: string
-            description: The encapsulated content, for e.g. 186 bytes-long hex string
-          pem_file:
-            type: string
-            description: The PEM file containing the public key
-          dg15:
-            type: string
-            description: The Data Group 15, hex string
+type: object
+required:
+  - hash_algorithm
+  - signature_algorithm
+  - signed_attributes
+  - signature
+  - encapsulated_content
+  - aa_signature
+  - pem_file
+  - dg15
+properties:
+  hash_algorithm:
+    type: string
+    description: The hash algorithm used to hash the content
+  signature_algorithm:
+    type: string
+    description: The signature algorithm used to sign the content
+  signed_attributes:
+    type: string
+    description: The signed attributes, for e.g. 104 bytes-long hex string
+  signature:
+    type: string
+    description: Signature corresponding to the algorithm
+  aa_signature:
+    type: string
+    description: The active authentication signature
+  encapsulated_content:
+    type: string
+    description: The encapsulated content, for e.g. 186 bytes-long hex string
+  pem_file:
+    type: string
+    description: The PEM file containing the public key
+  dg15:
+    type: string
+    description: The Data Group 15, hex string
 
 
 
diff --git a/docs/spec/components/schemas/Register.yaml b/docs/spec/components/schemas/Register.yaml
@@ -7,14 +7,12 @@ allOf:
       attributes:
         type: object
         required:
-          - signature
-          - document_hash
+          - zk_proof
+          - document_sod
         properties:
-          signature:
-            type: string
-            example: 7768792064696420796F75206576656E206465636F6465642069743F
-            description: ECDSA signature of the document hash
-          document_hash:
-            type: string
-            example: 7768792064696420796F75206576656E206465636F6465642069743F
-            description: Poseidon hash of the document
+          zk_proof:
+            type: object
+            format: types.ZKProof
+            description: Zero-knowledge proof with dg1 public input
+          document_sod:
+            $ref: '#/components/schemas/DocumentSod'
diff --git a/docs/spec/components/schemas/Signature.yaml b/docs/spec/components/schemas/Signature.yaml
@@ -0,0 +1,20 @@
+allOf:
+  - $ref: '#/components/schemas/SignatureKey'
+  - type: object
+    required:
+      - attributes
+    properties:
+      attributes:
+        type: object
+        required:
+          - signature
+          - document_hash
+        properties:
+          signature:
+            type: string
+            example: 7768792064696420796F75206576656E206465636F6465642069743F
+            description: ECDSA signature of the document hash
+          document_hash:
+            type: string
+            example: 7768792064696420796F75206576656E206465636F6465642069743F
+            description: Poseidon hash of the document
diff --git a/docs/spec/components/schemas/SignatureKey.yaml b/docs/spec/components/schemas/SignatureKey.yaml
@@ -0,0 +1,11 @@
+type: object
+required:
+  - id
+  - type
+properties:
+  id:
+    type: string
+  type:
+    type: string
+    enum:
+      - signature
diff --git a/docs/spec/paths/intergrations@incognito-light-registrator@[email protected] b/docs/spec/paths/intergrations@incognito-light-registrator@[email protected]
@@ -13,7 +13,7 @@ post:
           properties:
             data:
               type: object
-              $ref: '#/components/schemas/DocumentSod'
+              $ref: '#/components/schemas/Register'
   responses:
     '200':
       description: Success
@@ -24,7 +24,7 @@ post:
             properties:
               data:
                 type: object
-                $ref: '#/components/schemas/Register'
+                $ref: '#/components/schemas/Signature'
     '500':
       description: Internal Error
       content:

diff --git a/go.mod b/go.mod
@@ -8,9 +8,10 @@ require (
 	github.com/fatih/structs v1.1.0
 	github.com/go-chi/chi v4.1.2+incompatible
 	github.com/go-ozzo/ozzo-validation/v4 v4.3.0
-	github.com/google/jsonapi v0.0.0-20200226002910-c8283f632fb7
 	github.com/hashicorp/vault/api v1.15.0
 	github.com/iden3/go-iden3-crypto v0.0.17
+	github.com/iden3/go-rapidsnark/types v0.0.3
+	github.com/iden3/go-rapidsnark/verifier v0.0.5
 	github.com/pkg/errors v0.9.1
 	github.com/rarimo/certificate-transparency-go v0.0.0-20240305114501-050b1f19639a
 	github.com/rubenv/sql-migrate v1.6.1
@@ -42,6 +43,7 @@ require (
 	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.1 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
+	github.com/google/jsonapi v0.0.0-20200226002910-c8283f632fb7 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect

diff --git a/go.sum b/go.sum
@@ -1685,6 +1685,10 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/iden3/go-iden3-crypto v0.0.17 h1:NdkceRLJo/pI4UpcjVah4lN/a3yzxRUGXqxbWcYh9mY=
 github.com/iden3/go-iden3-crypto v0.0.17/go.mod h1:dLpM4vEPJ3nDHzhWFXDjzkn1qHoBeOT/3UEhXsEsP3E=
+github.com/iden3/go-rapidsnark/types v0.0.3 h1:f0s1Qdut1qHe1O67+m+xUVRBPwSXnq5j0xSrBi0jqM4=
+github.com/iden3/go-rapidsnark/types v0.0.3/go.mod h1:ApgcaUxKIgSRA6fAeFxK7p+lgXXfG4oA2HN5DhFlfF4=
+github.com/iden3/go-rapidsnark/verifier v0.0.5 h1:J7y0ovrEjDQoWtZmlrp4tgGng1A9faMeYsQH4igAEqA=
+github.com/iden3/go-rapidsnark/verifier v0.0.5/go.mod h1:KgL3Yr9NehlFDI4EIWVLE3UDUi8ulyjbp7HcXSBfiGI=
 github.com/imkira/go-interpol v1.1.0/go.mod h1:z0h2/2T3XF8kyEPpRgJ3kmNv+C43p+I/CoI+jC3w2iA=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/influxdata/flux v0.65.1/go.mod h1:J754/zds0vvpfwuq7Gc2wRdVwEodfpCFM7mYlOw2LqY=

diff --git a/internal/assets/migrations/001_initial.sql b/internal/assets/migrations/001_initial.sql
@@ -8,13 +8,15 @@ create table document_sod
     dg15                 varchar(512)                not null, -- base64 encoded
     hash_algorithm       smallint                    not null, -- 0 - sha1, 1 - sha256, 2 - sha384, 3 - sha512
     signature_algorithm  smallint                    not null, -- 0 - rsa, 1 - rsapss, 2 - ecdsa, 3 - brainpool
-    signed_attributes    varchar(256)                not null, -- hex encoded
-    encapsulated_content varchar(1024)               not null, -- hex encoded
-    signature            varchar(1024)               not null, -- hex encoded
+    signed_attributes    varchar(512)                not null, -- hex encoded
+    encapsulated_content varchar(4096)               not null, -- hex encoded
+    signature            varchar(4096)               not null, -- hex encoded
+    aa_signature         varchar(4096)               not null, -- hex encoded
     pem_file             varchar(4096)               not null,
     error_kind           smallint,                             -- 0 - signed attributes validation failed, 1 - PEM file parsing failed, 2 - PEM file validation failed, 3 - signature verification failed
     error                varchar(1024),                        -- error message
-    unique nulls not distinct (hash_algorithm, signature_algorithm, signed_attributes, encapsulated_content, signature, error_kind, error)
+    unique nulls not distinct (hash_algorithm, signature_algorithm, signed_attributes, encapsulated_content, signature,
+                               aa_signature, error_kind, error)
     -- We need to ensure that we won't store the same document with the same error multiple times.
     -- Perhaps the same document can fail verification with different errors
 );

diff --git a/internal/config/verifier.go b/internal/config/verifier.go
@@ -3,6 +3,7 @@ package config
 import (
 	"os"
 
+	"github.com/rarimo/passport-identity-provider/internal/types"
 	"gitlab.com/distributed_lab/figure/v3"
 	"gitlab.com/distributed_lab/kit/comfig"
 	"gitlab.com/distributed_lab/kit/kv"
@@ -13,7 +14,10 @@ type VerifierConfiger interface {
 }
 
 type VerifierConfig struct {
-	MasterCerts []byte
+	VerificationKeys  map[types.HashAlgorithm][]byte
+	MasterCerts       []byte
+	DisableTimeChecks bool
+	DisableNameChecks bool
 }
 
 type verifier struct {
@@ -30,7 +34,10 @@ func NewVerifierConfiger(getter kv.Getter) VerifierConfiger {
 func (v *verifier) VerifierConfig() *VerifierConfig {
 	return v.once.Do(func() interface{} {
 		newCfg := struct {
-			MasterCertsPath string `fig:"master_certs_path,required"`
+			VerificationKeysPaths map[string]string `fig:"verification_keys_paths,required"`
+			MasterCertsPath       string            `fig:"master_certs_path,required"`
+			DisableTimeChecks     bool              `fig:"disable_time_checks"`
+			DisableNameChecks     bool              `fig:"disable_name_checks"`
 		}{}
 
 		err := figure.
@@ -42,13 +49,26 @@ func (v *verifier) VerifierConfig() *VerifierConfig {
 			panic(err)
 		}
 
+		verificationKeys := make(map[types.HashAlgorithm][]byte)
+		for algo, path := range newCfg.VerificationKeysPaths {
+			verificationKey, err := os.ReadFile(path)
+			if err != nil {
+				panic(err)
+			}
+
+			verificationKeys[types.HashAlgorithmFromString(algo)] = verificationKey
+		}
+
 		masterCerts, err := os.ReadFile(newCfg.MasterCertsPath)
 		if err != nil {
 			panic(err)
 		}
 
 		return &VerifierConfig{
-			MasterCerts: masterCerts,
+			VerificationKeys:  verificationKeys,
+			MasterCerts:       masterCerts,
+			DisableTimeChecks: newCfg.DisableTimeChecks,
+			DisableNameChecks: newCfg.DisableNameChecks,
 		}
 	}).(*VerifierConfig)
 }
diff --git a/internal/data/document_sod.go b/internal/data/document_sod.go
@@ -23,6 +23,7 @@ type DocumentSOD struct {
 	SignedAttributed    string                      `db:"signed_attributes" structs:"signed_attributes"`
 	EncapsulatedContent string                      `db:"encapsulated_content" structs:"encapsulated_content"`
 	Signature           string                      `db:"signature" structs:"signature"`
+	AaSignature         string                      `db:"aa_signature" structs:"aa_signature"`
 	PemFile             string                      `db:"pem_file" structs:"pem_file"`
 	ErrorKind           *types.DocumentSODErrorKind `db:"error_kind" structs:"error_kind"`
 	Error               *string                     `db:"error" structs:"error"`

diff --git a/internal/data/postgres/document_sod.go b/internal/data/postgres/document_sod.go
@@ -64,7 +64,9 @@ func (q *DocumentSODQ) Insert(value data.DocumentSOD) (*data.DocumentSOD, error)
 	var result data.DocumentSOD
 	clauses := structs.Map(value)
 	stmt := sq.Insert(documentSODTableName).SetMap(clauses).Suffix(
-		"on conflict (hash_algorithm, signature_algorithm, signed_attributes, encapsulated_content, signature, error_kind, error) do update set updated_at = current_timestamp returning *",
+		"on conflict " +
+			"(hash_algorithm, signature_algorithm, signed_attributes, encapsulated_content, signature, aa_signature, error_kind, error) " +
+			"do update set updated_at = current_timestamp returning *",
 	)
 	err := q.db.Get(&result, stmt)
 	if errors.Is(err, sql.ErrNoRows) {