Fix/pid 3454 verify profile (#93)

* verify if credentialSubjectID equal to ProfileID

* refactor

* add unit tests

* fix formating

* more unit tests; do verifyCredentialSubjectID private

* change error message

Author: ilya-korotya

circuits.go

@@ -3,6 +3,7 @@ package circuits
 import (
 	"bytes"
 	"encoding/json"
+	"math/big"
 	"reflect"
 	"sync"
 
@@ -358,3 +359,19 @@ func GetCircuit(id CircuitID) (*Data, error) {
 	}
 	return &circuit, nil
 }
+
+// verifyCredentialSubjectID checks that the credentialSubject ID in the issuerClaim matches the profileID.
+func verifyCredentialSubjectID(userID core.ID, issuerClaim core.Claim, nonce *big.Int) error {
+	profileID, err := core.ProfileID(userID, nonce)
+	if err != nil {
+		return errors.Errorf("failed to generate profile ID: %v", err)
+	}
+	credentialSubjectID, err := issuerClaim.GetID()
+	if err != nil {
+		return errors.Errorf("failed to get credential subject ID: %v", err)
+	}
+	if profileID.BigInt().Cmp(credentialSubjectID.BigInt()) != 0 {
+		return errors.New(ErrorUserProfileMismatch)
+	}
+	return nil
+}

circuits_test.go

@@ -5,6 +5,7 @@ import (
 	"math/big"
 	"testing"
 
+	it "github.com/iden3/go-circuits/v2/testing"
 	core "github.com/iden3/go-iden3-core/v2"
 	"github.com/iden3/go-merkletree-sql/v2"
 	"github.com/stretchr/testify/assert"
@@ -92,3 +93,88 @@ func TestStateJsonMarshallers(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, in, out)
 }
+
+func TestVerifyCredentialSubjectID(t *testing.T) {
+	tests := []struct {
+		name         string
+		user         *it.IdentityTest
+		claim        func(t *testing.T) *core.Claim
+		nonceSubject *big.Int
+	}{
+		{
+			name:         "Success. Same profileID with nonce",
+			user:         it.NewIdentity(t, userPK),
+			nonceSubject: big.NewInt(10),
+			claim: func(t *testing.T) *core.Claim {
+				profileID, err := core.ProfileID(it.NewIdentity(t, userPK).ID, big.NewInt(10))
+				require.NoError(t, err)
+				return it.DefaultUserClaim(t, profileID)
+			},
+		},
+		{
+			name:         "Success. Same genesis profileID",
+			user:         it.NewIdentity(t, userPK),
+			nonceSubject: big.NewInt(0),
+			claim: func(t *testing.T) *core.Claim {
+				return it.DefaultUserClaim(t, it.NewIdentity(t, userPK).ID)
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := verifyCredentialSubjectID(tt.user.ID, *tt.claim(t), tt.nonceSubject)
+			require.NoError(t, err)
+		})
+	}
+}
+
+func TestVerifyCredentialSubjectID_Error(t *testing.T) {
+	tests := []struct {
+		name         string
+		userID       *it.IdentityTest
+		claim        func(t *testing.T) *core.Claim
+		nonceSubject *big.Int
+		err          string
+	}{
+		{
+			name:   "Different userID on the claim",
+			userID: it.NewIdentity(t, userPK),
+			claim: func(t *testing.T) *core.Claim {
+				// put another indentity to claim
+				return it.DefaultUserClaim(t, it.NewIdentity(t, issuerPK).ID)
+			},
+			nonceSubject: big.NewInt(10),
+			err:          ErrorUserProfileMismatch,
+		},
+		{
+			name:   "Different nonceSubject on the claim",
+			userID: it.NewIdentity(t, userPK),
+			claim: func(t *testing.T) *core.Claim {
+				profileID, err := core.ProfileID(it.NewIdentity(t, userPK).ID, big.NewInt(11))
+				require.NoError(t, err)
+				return it.DefaultUserClaim(t, profileID)
+			},
+			nonceSubject: big.NewInt(10),
+			err:          ErrorUserProfileMismatch,
+		},
+		{
+			name:   "Different nonceSubject on the claim. Genesis profile",
+			userID: it.NewIdentity(t, userPK),
+			claim: func(t *testing.T) *core.Claim {
+				profileID, err := core.ProfileID(it.NewIdentity(t, userPK).ID, big.NewInt(11))
+				require.NoError(t, err)
+				return it.DefaultUserClaim(t, profileID)
+			},
+			nonceSubject: big.NewInt(0),
+			err:          ErrorUserProfileMismatch,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := verifyCredentialSubjectID(tt.userID.ID, *tt.claim(t), tt.nonceSubject)
+			require.EqualError(t, err, tt.err)
+		})
+	}
+}

credentialAtomicQueryMTPV2.go

@@ -86,6 +86,11 @@ func (a AtomicQueryMTPV2Inputs) Validate() error {
 		return errors.New(ErrorEmptyRequestID)
 	}
 
+	if err := verifyCredentialSubjectID(
+		*a.ID, *a.Claim.Claim, a.ClaimSubjectProfileNonce); err != nil {
+		return err
+	}
+
 	return nil
 }
 

credentialAtomicQueryMTPV2OnChain.go

@@ -146,6 +146,11 @@ func (a AtomicQueryMTPV2OnChainInputs) Validate() error {
 		return errors.New(ErrorEmptyChallenge)
 	}
 
+	if err := verifyCredentialSubjectID(
+		*a.ID, *a.Claim.Claim, a.ClaimSubjectProfileNonce); err != nil {
+		return err
+	}
+
 	return nil
 }
 

credentialAtomicQueryMTPV2OnChain_test.go

@@ -7,6 +7,8 @@ import (
 	"testing"
 
 	it "github.com/iden3/go-circuits/v2/testing"
+	core "github.com/iden3/go-iden3-core/v2"
+	"github.com/iden3/go-iden3-core/v2/w3c"
 	"github.com/iden3/go-iden3-crypto/poseidon"
 	"github.com/stretchr/testify/require"
 )
@@ -211,3 +213,16 @@ func TestAtomicQueryMTPVOnChain2Outputs_CircuitUnmarshal(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, wantStatesInfo, statesInfo, string(j))
 }
+
+func TestAttrQueryMTPV2OnChain_ErrorUserProfileMismatch(t *testing.T) {
+	did, err := w3c.ParseDID("did:iden3:polygon:amoy:x81nCirrkbsh7qZrbnzhZtkwfY76wjUmygcoYztcS")
+	require.NoError(t, err)
+	userID, err := core.IDFromDID(*did)
+	require.NoError(t, err)
+
+	inputs := queryMTPV2OnChainInputs(t)
+	inputs.ID = &userID
+
+	err = inputs.Validate()
+	require.Equal(t, err.Error(), ErrorUserProfileMismatch)
+}

credentialAtomicQueryMTPV2_test.go

@@ -6,6 +6,8 @@ import (
 	"testing"
 
 	it "github.com/iden3/go-circuits/v2/testing"
+	core "github.com/iden3/go-iden3-core/v2"
+	"github.com/iden3/go-iden3-core/v2/w3c"
 	"github.com/stretchr/testify/require"
 )
 
@@ -221,3 +223,16 @@ func TestAtomicQueryMTPV2Outputs_CircuitUnmarshal(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, wantStatesInfo, statesInfo, string(j))
 }
+
+func TestAtomicQueryMTPV2Inputs_ErrorUserProfileMismatch(t *testing.T) {
+	did, err := w3c.ParseDID("did:iden3:polygon:amoy:x81nCirrkbsh7qZrbnzhZtkwfY76wjUmygcoYztcS")
+	require.NoError(t, err)
+	userID, err := core.IDFromDID(*did)
+	require.NoError(t, err)
+
+	inputs := queryMTPV2Inputs(t)
+	inputs.ID = &userID
+
+	err = inputs.Validate()
+	require.Equal(t, err.Error(), ErrorUserProfileMismatch)
+}

credentialAtomicQuerySigV2.go

@@ -107,6 +107,12 @@ func (a AtomicQuerySigV2Inputs) Validate() error {
 	if a.Query.Values == nil {
 		return errors.New(ErrorEmptyQueryValue)
 	}
+
+	if err := verifyCredentialSubjectID(
+		*a.ID, *a.Claim.Claim, a.ClaimSubjectProfileNonce); err != nil {
+		return err
+	}
+
 	return nil
 }
 

credentialAtomicQuerySigV2OnChain.go

@@ -168,6 +168,12 @@ func (a AtomicQuerySigV2OnChainInputs) Validate() error {
 	if a.Challenge == nil {
 		return errors.New(ErrorEmptyChallenge)
 	}
+
+	if err := verifyCredentialSubjectID(
+		*a.ID, *a.Claim.Claim, a.ClaimSubjectProfileNonce); err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -345,7 +351,6 @@ func (a AtomicQuerySigV2OnChainInputs) GetPublicStatesInfo() (StatesInfo, error)
 	return statesInfo, nil
 }
 
-
 // AtomicQuerySigV2OnChainPubSignals public inputs
 type AtomicQuerySigV2OnChainPubSignals struct {
 	BaseConfig

credentialAtomicQuerySigV2OnChain_test.go

@@ -7,6 +7,8 @@ import (
 	"testing"
 
 	it "github.com/iden3/go-circuits/v2/testing"
+	core "github.com/iden3/go-iden3-core/v2"
+	"github.com/iden3/go-iden3-core/v2/w3c"
 	"github.com/iden3/go-iden3-crypto/poseidon"
 	"github.com/stretchr/testify/require"
 )
@@ -219,3 +221,16 @@ func TestAtomicQuerySigV2OnChainOutputs_CircuitUnmarshal(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, wantStatesInfo, statesInfo, string(j))
 }
+
+func TestAttrQuerySigV2OnChain_ErrorUserProfileMismatch(t *testing.T) {
+	did, err := w3c.ParseDID("did:iden3:polygon:amoy:x81nCirrkbsh7qZrbnzhZtkwfY76wjUmygcoYztcS")
+	require.NoError(t, err)
+	userID, err := core.IDFromDID(*did)
+	require.NoError(t, err)
+
+	inputs := querySigV2OnChainInputs(t)
+	inputs.ID = &userID
+
+	err = inputs.Validate()
+	require.Equal(t, err.Error(), ErrorUserProfileMismatch)
+}

credentialAtomicQuerySigV2_test.go

@@ -9,6 +9,7 @@ import (
 
 	it "github.com/iden3/go-circuits/v2/testing"
 	core "github.com/iden3/go-iden3-core/v2"
+	"github.com/iden3/go-iden3-core/v2/w3c"
 	"github.com/iden3/go-merkletree-sql/v2"
 	"github.com/stretchr/testify/require"
 )
@@ -282,3 +283,16 @@ func hashPtrFromInt(i *big.Int) *merkletree.Hash {
 	}
 	return h
 }
+
+func TestAttrQuerySigV2_ErrorUserProfileMismatch(t *testing.T) {
+	did, err := w3c.ParseDID("did:iden3:polygon:amoy:x81nCirrkbsh7qZrbnzhZtkwfY76wjUmygcoYztcS")
+	require.NoError(t, err)
+	userID, err := core.IDFromDID(*did)
+	require.NoError(t, err)
+
+	inputs := querySigV2Inputs(t)
+	inputs.ID = &userID
+
+	err = inputs.Validate()
+	require.Equal(t, err.Error(), ErrorUserProfileMismatch)
+}