Merge pull request #491 from sklump/pre-verify-check-revoc

instrument pre-verification to reject proof bypassing revocation check
openwallet-foundation · May 6, 2020 · 75b9560 · 75b9560
2 parents a0b4d80 + 7fe5dac
commit 75b9560
Show file tree

Hide file tree

Showing 3 changed files with 278 additions and 206 deletions.
diff --git a/aries_cloudagent/config/default_context.py b/aries_cloudagent/config/default_context.py
@@ -117,7 +117,7 @@ async def bind_providers(self, context: InjectionContext):
             BaseVerifier,
             ClassProvider(
                 "aries_cloudagent.verifier.indy.IndyVerifier",
-                ClassProvider.Inject(BaseWallet),
+                ClassProvider.Inject(BaseLedger),
             ),
         )
 

diff --git a/aries_cloudagent/verifier/indy.py b/aries_cloudagent/verifier/indy.py
@@ -8,6 +8,8 @@
 from indy.error import IndyError
 
 from ..messaging.util import canon, encode
+from ..ledger.base import BaseLedger
+
 from .base import BaseVerifier
 
 LOGGER = logging.getLogger(__name__)
@@ -24,18 +26,17 @@ class PreVerifyResult(Enum):
 class IndyVerifier(BaseVerifier):
     """Indy verifier class."""
 
-    def __init__(self, wallet):
+    def __init__(self, ledger: BaseLedger):
         """
         Initialize an IndyVerifier instance.
 
         Args:
-            wallet: IndyWallet instance
+            ledger: ledger instance
 
         """
-        self.wallet = wallet
+        self.ledger = ledger
 
-    @staticmethod
-    def pre_verify(pres_req: dict, pres: dict) -> (PreVerifyResult, str):
+    async def pre_verify(self, pres_req: dict, pres: dict) -> (PreVerifyResult, str):
         """
         Check for essential components and tampering in presentation.
 
@@ -64,6 +65,19 @@ def pre_verify(pres_req: dict, pres: dict) -> (PreVerifyResult, str):
         if "proof" not in pres:
             return (PreVerifyResult.INCOMPLETE, "Missing 'proof'")
 
+        for (index, ident) in enumerate(pres["identifiers"]):
+            if not ident.get("timestamp"):
+                cred_def_id = ident["cred_def_id"]
+                cred_def = await self.ledger.get_credential_definition(cred_def_id)
+                if not cred_def["value"].get("revocation"):
+                    return (
+                        PreVerifyResult.INCOMPLETE,
+                        (
+                            f"Missing timestamp in presentation identifier #{ident} "
+                            f"for cred def id {cred_def_id}"
+                        ),
+                    )
+
         for (uuid, req_pred) in pres_req["requested_predicates"].items():
             try:
                 canon_attr = canon(req_pred["name"])
@@ -178,7 +192,7 @@ async def verify_presentation(
             rev_reg_entries: revocation registry entries
         """
 
-        (pv_result, pv_msg) = self.pre_verify(presentation_request, presentation)
+        (pv_result, pv_msg) = await self.pre_verify(presentation_request, presentation)
         if pv_result != PreVerifyResult.OK:
             LOGGER.error(
                 f"Presentation on nonce={presentation_request['nonce']} "