Skip to content

fix: bind BJJ signature proof signing key to issuer published state#411

Open
Alexander-frenki wants to merge 3 commits into
mainfrom
fix/bjj-sig-issuer-key-binding
Open

fix: bind BJJ signature proof signing key to issuer published state#411
Alexander-frenki wants to merge 3 commits into
mainfrom
fix/bjj-sig-issuer-key-binding

Conversation

@Alexander-frenki

Copy link
Copy Markdown
Contributor

Summary

verifyBJJSignatureProof trusted the public key embedded in proof.issuerData.authCoreClaim and only checked that state.value was published on-chain — it never verified that the auth claim is included in that state's claims tree (proof.issuerData.mtp was parsed but unused). An attacker could place their own key in authCoreClaim, sign with it, and forge a credential from any issuer DID that verifyProofs would accept.

Bind the signing key to the issuer's published state:

  • state.value === poseidon(claimsTreeRoot, revocationTreeRoot, rootOfRoots)
  • rootFromProof(issuerData.mtp, hiAuth, hvAuth) === state.claimsTreeRoot

Also verify fetched credential proofs in FetchHandler's plaintext offer and issuance-response paths before saving (previously only the encrypted path verified), so received credentials are validated rather than blindly trusted.

Adds a regression test covering a forged credential re-signed by a key not in the issuer's claims tree.

verifyBJJSignatureProof trusted the public key embedded in
proof.issuerData.authCoreClaim and only checked that the state value was
published on-chain, never verifying that the auth claim is included in that
state's claims tree (issuerData.mtp was parsed but unused). An attacker could
put their own key in authCoreClaim, sign with it, and forge a credential from
any issuer DID that verifyProofs would accept.

Bind the signing key to the published state:
- state.value === poseidon(claimsTreeRoot, revocationTreeRoot, rootOfRoots)
- rootFromProof(issuerData.mtp, hiAuth, hvAuth) === state.claimsTreeRoot

Also verify fetched credential proofs in FetchHandler's plaintext offer and
issuance-response paths before saving (previously only the encrypted path
verified), so received credentials are validated, not blindly trusted.

Add regression test covering a forged credential re-signed by a key not in the
issuer claims tree.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants