fix: clean up and check challenge

affinidi · Sep 25, 2023 · ad0ecb4 · ad0ecb4
1 parent 8315d66
commit ad0ecb4
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 18 deletions.
diff --git a/sdk/core/src/CommonNetworkMember/BaseNetworkMember.ts b/sdk/core/src/CommonNetworkMember/BaseNetworkMember.ts
@@ -738,9 +738,6 @@ export abstract class BaseNetworkMember {
         registryUrl,
         resolveLegacyElemLocally,
         resolveKeyLocally,
-        // metricsUrl: metricsUrl,
-        // component: eventComponent,
-        // beforeDocumentLoader: options.otherOptions?.beforeDocumentLoader,
       },
       platformCryptographyTools,
     )
@@ -1011,6 +1008,7 @@ export abstract class BaseNetworkMember {
     platformCryptographyTools: IPlatformCryptographyTools,
     options: StaticValidateOptions,
     vp: unknown,
+    verifierDid?: string,
     challenge?: string,
     didDocuments?: any,
   ): Promise<PresentationValidationOutput> {
@@ -1022,9 +1020,6 @@ export abstract class BaseNetworkMember {
         registryUrl,
         resolveLegacyElemLocally,
         resolveKeyLocally,
-        // metricsUrl: metricsUrl,
-        // component: eventComponent,
-        // beforeDocumentLoader: options.otherOptions?.beforeDocumentLoader,
       },
       platformCryptographyTools,
     )
@@ -1034,17 +1029,20 @@ export abstract class BaseNetworkMember {
     if (response.result === true) {
       const vpChallenge = response.data.proof.challenge
 
-      // After validating the VP we need to validate the VP's challenge token
-      // to ensure that it was issued from the correct DID and that it hasn't expired.
-      // try {
-      //   Util.isJWT(vpChallenge) && (await this._holderService.verifyPresentationChallenge(vpChallenge, this.did))
-      // } catch (error) {
-      //   return {
-      //     isValid: false,
-      //     suppliedPresentation: response.data,
-      //     errors: [error],
-      //   }
-      // }
+      if (verifierDid) {
+        // After validating the VP we need to validate the VP's challenge token
+        // to ensure that it was issued from the correct DID and that it hasn't expired.
+        try {
+          Util.isJWT(vpChallenge) &&
+            (await HolderService.verifyPresentationChallenge(affinity, vpChallenge, verifierDid))
+        } catch (error) {
+          return {
+            isValid: false,
+            suppliedPresentation: response.data,
+            errors: [error],
+          }
+        }
+      }
 
       return {
         isValid: true,

diff --git a/sdk/core/src/services/HolderService.ts b/sdk/core/src/services/HolderService.ts
@@ -245,6 +245,34 @@ export default class HolderService {
       throw new Error('Token expired or invalid expiration')
     }
   }
+
+  static async verifyPresentationChallenge(affinityService: any, challenge: string, expectedIssuer: string) {
+    const token = Affinity.fromJwt(challenge)
+
+    const { payload } = token
+
+    const strippedExpectedIssuer = stripParamsFromDidUrl(expectedIssuer)
+    const strippedPayloadIssuer = stripParamsFromDidUrl(payload.iss)
+    if (strippedExpectedIssuer !== strippedPayloadIssuer) {
+      throw new Error('Token not issued by expected issuer.')
+    }
+
+    const did = DidDocumentService.keyIdToDid(expectedIssuer)
+    const didDocument = await affinityService.resolveDid(did)
+    const publicKey = DidDocumentService.getPublicKey(strippedExpectedIssuer, didDocument, payload.kid)
+
+    const digestService = new DigestService()
+    const { digest: tokenDigest, signature } = digestService.getTokenDigest(token)
+    const isSignatureVerified = KeysService.verify(tokenDigest, publicKey, signature)
+
+    if (!isSignatureVerified) {
+      throw new Error('Signature on token is invalid')
+    }
+
+    if (payload.exp < Date.now()) {
+      throw new Error('Token expired or invalid expiration')
+    }
+  }
   async verifyCredentialOfferRequest(credentialOfferRequestToken: string) {
     try {
       await this._affinityService.validateJWT(credentialOfferRequestToken)

diff --git a/sdk/core/test/unit/CommonNetworkMember.test.ts b/sdk/core/test/unit/CommonNetworkMember.test.ts
@@ -1584,7 +1584,12 @@ describe('CommonNetworkMember', () => {
       resolveKeyLocally: true,
     }
 
-    const resultStaticMethod = await AffinidiWallet.verifyPresentation(testPlatformTools, staticOptions, vp)
+    const resultStaticMethod = await AffinidiWallet.verifyPresentation(
+      testPlatformTools,
+      staticOptions,
+      vp,
+      requesterCommonNetworkMember.did,
+    )
     expect(resultStaticMethod.isValid).to.eq(true)
   })