Merge pull request openwallet-foundation#84 from Indicio-tech/feature…

…/credential-attachments-verifier Validate supplements upon proof request
burdettadam · Sep 8, 2022 · a724753 · a724753
2 parents 45f8df1 + ea26976
commit a724753
Showing 1 changed file with 56 additions and 0 deletions.
diff --git a/aries_cloudagent/protocols/present_proof/v2_0/formats/indy/handler.py b/aries_cloudagent/protocols/present_proof/v2_0/formats/indy/handler.py
@@ -17,6 +17,8 @@
 from ......messaging.decorators.attach_decorator import AttachDecorator
 from ......messaging.util import canon
 from ......wallet.models.attachment_data_record import AttachmentDataRecord
+from ......wallet.util import b64_to_bytes
+from .....issue_credential.v2_0.hashlink import Hashlink
 
 from ....indy.pres_exch_handler import IndyPresExchHandler
 
@@ -369,6 +371,60 @@ async def verify_pres(self, pres_ex_record: V20PresExRecord) -> V20PresExRecord:
             rev_reg_defs,
             rev_reg_entries,
         )
+
+        valid_suppliments = True
+
+        def find_attachment(attatchment_id: str)->str:
+            for attachment in pres_ex_record.attach:
+                if attachment.ident == attatchment_id:
+                    return attachment
+            return None
+
+        def find_supplement_attr(supplement, key):
+            for attr in supplement.attrs:
+                if attr.key == key:
+                    return attr.value
+            return None
+
+        supplements = pres_ex_record.supplements
+        for supplement in supplements:
+
+            # Only hashlink data validation is supported at the moment
+            if supplement.type != "hashlink-data":
+                valid_suppliments = False
+                break
+
+            attatchment_id = supplements.ref
+            attachment = find_attachment(attatchment_id)
+
+            # No matching attachment found
+            if not attachment:
+                valid_suppliments = False
+                break
+
+            # Assuming that only B64 data attachment is allowed, retreive the data
+            data = attachment.data.base64
+            if not data:
+                valid_suppliments = False
+                break
+
+            # Grab the attr that contains the hashlink
+            key = find_supplement_attr(supplement, "field")
+
+            # Retrieve the hashlink and the associated decoded data
+            hashlink = indy_proof["requested_proof"]["revealed_attrs"][key]["raw"]
+            data = b64_to_bytes(data, urlsafe=True)
+
+            # Verify the hashlinks
+            valid_suppliments = Hashlink.verify(hashlink, data)
+
+            # Don't bother verifying more suppliments if this one failed to validate
+            if not valid_suppliments:
+                break
+
+        if verified and not valid_suppliments:
+            verified = valid_suppliments
+
         pres_ex_record.verified = json.dumps(verified)
         pres_ex_record.verified_msgs = list(set(verified_msgs))
         return pres_ex_record