diff --git a/aries_cloudagent/protocols/present_proof/v2_0/formats/indy/handler.py b/aries_cloudagent/protocols/present_proof/v2_0/formats/indy/handler.py index fcf05d46a0..1f186966b9 100644 --- a/aries_cloudagent/protocols/present_proof/v2_0/formats/indy/handler.py +++ b/aries_cloudagent/protocols/present_proof/v2_0/formats/indy/handler.py @@ -17,6 +17,8 @@ from ......messaging.decorators.attach_decorator import AttachDecorator from ......messaging.util import canon from ......wallet.models.attachment_data_record import AttachmentDataRecord +from ......wallet.util import b64_to_bytes +from .....issue_credential.v2_0.hashlink import Hashlink from ....indy.pres_exch_handler import IndyPresExchHandler @@ -369,6 +371,60 @@ async def verify_pres(self, pres_ex_record: V20PresExRecord) -> V20PresExRecord: rev_reg_defs, rev_reg_entries, ) + + valid_suppliments = True + + def find_attachment(attatchment_id: str)->str: + for attachment in pres_ex_record.attach: + if attachment.ident == attatchment_id: + return attachment + return None + + def find_supplement_attr(supplement, key): + for attr in supplement.attrs: + if attr.key == key: + return attr.value + return None + + supplements = pres_ex_record.supplements + for supplement in supplements: + + # Only hashlink data validation is supported at the moment + if supplement.type != "hashlink-data": + valid_suppliments = False + break + + attatchment_id = supplements.ref + attachment = find_attachment(attatchment_id) + + # No matching attachment found + if not attachment: + valid_suppliments = False + break + + # Assuming that only B64 data attachment is allowed, retreive the data + data = attachment.data.base64 + if not data: + valid_suppliments = False + break + + # Grab the attr that contains the hashlink + key = find_supplement_attr(supplement, "field") + + # Retrieve the hashlink and the associated decoded data + hashlink = indy_proof["requested_proof"]["revealed_attrs"][key]["raw"] + data = b64_to_bytes(data, urlsafe=True) + + # Verify the hashlinks + valid_suppliments = Hashlink.verify(hashlink, data) + + # Don't bother verifying more suppliments if this one failed to validate + if not valid_suppliments: + break + + if verified and not valid_suppliments: + verified = valid_suppliments + pres_ex_record.verified = json.dumps(verified) pres_ex_record.verified_msgs = list(set(verified_msgs)) return pres_ex_record