-
Notifications
You must be signed in to change notification settings - Fork 65
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(afj): enable revocation tests #430
feat(afj): enable revocation tests #430
Conversation
Signed-off-by: Timo Glastra <timo@animo.id>
Signed-off-by: Timo Glastra <timo@animo.id>
Signed-off-by: Timo Glastra <timo@animo.id>
Signed-off-by: Timo Glastra <timo@animo.id>
Signed-off-by: Timo Glastra <timo@animo.id>
Signed-off-by: Timo Glastra <timo@animo.id>
OK ready to merge. Currently this runs all revocation tests of which some won't work, but I will add more tags to filter out the cases AFJ can't handle soon. Some context from @JamesKEbert as to what is happening with ACA-Py returning
This seems related to this closed issue in ACA-Py: hyperledger/aries-cloudagent-python#1455. I'm going to keep the AFJ backchannel 'incorrect' for now, so we have a clear test case that shows ACA-Py is returning |
@shaanjot @ianco --- could the two of you look at @TimoGlastra 's last comment and decide who should fix it and priority? Per Timo -- it's related to this: hyperledger/aries-cloudagent-python#1455 |
Aca-py does some cleanup of timestamps in received proof presentations to prevent manipulation from a malicious client. Proof-of-non-revocation should include a timestamp and proofs that don't require proof-of-non-revocation shouldn't (as far as I recall). Sounds from the above comments like aca-py is accepting a presentation with a revoked credential without a proof-of-non-revocation, but this should fail in the indy-sdk verification and nothing that aca-py is doing should make this pass. I'd need to dig into the specific test case to see what is being requested and presented. |
IMHO -- from a "business perspective" (e.g. I don't know what the Indy code is doing), a verifier should be able to ask for a proof WITHOUT asking for a revocation status, and a prover should be able to respond with claims from revocable or non-revocable credential. The question is whether if the prover responds with claims from a revocable credential, does the "proof of non-revocation" need to be included? My thought is the prover should decide and either should work. Is that the case here? Likewise: A verifier should be able to ask for a proof INCLUDING asking for a revocation status, and a prover should be able to respond with claims from revocable or non-revocable credential. If the prover responds with claims from a non-revocable credential, the "proof of non-revocation" will not be included -- and that MUST work. |
@TimoGlastra @JamesKEbert can you point to any specific tests? What's happening vs what's expected? |
I'm not sure this is relevant to the conversion about the issue, but wanted to point you to https://github.com/sklump/aries-rfcs/tree/master/concepts/0441-present-proof-best-practices#semantics-of-non-revocation-interval-presence-and-absence |
@ianco the following test cases: @T006-HIPE0011,@T006.2-HIPE0011 - Proof should be unverified, but is verified @nodlesh The issue here (as I understand it) is that ACA-Py requests a proof with non-revocation: {
"nonce": "634583947884382252947072",
"name": "test proof",
"version": "0.1.0",
"requested_attributes": {
"address_attrs": {
"restrictions": [
{
"schema_name": "Schema_DriversLicense_Revoc",
"schema_version": "1.1.0"
}
],
"name": "address"
}
},
"requested_predicates": {},
"non_revoked": { "to": 1644356194, "from": 1644356194 }
} while AFJ makes a proof without non-revocation (because we strip the {
"proof": {
"proofs": [
{
"primary_proof": {
"eq_proof": {
"revealed_attrs": {
"address": "21751895109898684064665132381010603351785496039964583518083248344707107214824"
},
"a_prime": "35951694140173391187382984975312833053133269398945471140443956866014292443437180157021795855506085234619280222403945504171909454495448538993828950287078921910157120871212232549420607207973326118007426513324799348562424146976063537156906218966399368090477267784614388002291933067090791696790270764774476516047329458255824561370194002372999650164866349325627459102520156614487474466566224604842279287486030546926214884481488293461125152750242215887275481513561875317163951079812241942175232153462987080722844609252508491423173605670561904908328303832529311231483103805738792100983548602445188473322599816788062344895483",
"e": "182816191046963617115316113252273659784079255429559237547775528711348740757728231488946255140070041184081122940836033415400870903181088610",
"v": "48942573298623877827018040803166076598059146638876198516324295161079875753053908166945474683207552870190120728284014774283648143323077116351480344970810293185809500344833921949768833959667904351128201631449835011243923986939035589536863143524633301118275951414678187741136397319956236498294420116912190008399873524737566368254336977687374197450102601702839295390696830582691938246145152610347468847009702320766643464570999227099291582226639501500104098879117215077954058429576213722952137561505534608218454253577033949765865465893714450201053623592891792884846237597978471938106483796075750369951519131473531482879205948078901579969295280835810154711679832187415384661663356343354468567361001525634232916797597382022604065028369791359110458000327381778276576326616407537351476936238394176878652914784892291523073454860033486048891209502313559329690266432398882378396003378071448110625478581041610219742075126857660094564",
"m": {
"age": "6557787004113693124538755399218385029872350397170895310008224030114218805375297563176921033207841971383804920344741913460763793242426214242693211820398531381336496712161450451744",
"master_secret": "6435591023206324734353112322772517005078559963369279218329463943267643550477224601965199242031743841443919193635024347873326158195575388024286362997264564940505492382588279602130",
"dl_number": "2546217642122550478472232298439388459601226041411930259349861674001813118762618443397865340333151956203365606625613317412755644233379468217369795470740931020399698527425348218684",
"expiry": "6975994867256434384218323298829091107642403219246322267833281640199044585243493218477379952077215003934687513907869878926092511425632310988045583907645650135368106020070640493382"
},
"m2": "4350513776990549372192451651957300165486458565819859036512101432784095655711035489224969151103459867910705970963187721051850109591983055171405537667302963837524747177677477510688"
},
"ge_proofs": []
}
}
],
"aggregated_proof": {
"c_hash": "85013567076856774462532618607322836223946623513776238687646533288200783680954",
"c_list": [
[
1, 28, 202, 210, 147, 1, 137, 48, 163, 19, 93, 122, 110, 183, 180, 48,
14, 175, 12, 95, 92, 218, 168, 89, 34, 243, 76, 168, 181, 28, 181,
122, 2, 20, 7, 214, 16, 227, 3, 193, 112, 13, 117, 145, 21, 28, 117,
129, 140, 160, 137, 9, 237, 232, 3, 185, 0, 141, 108, 217, 199, 212,
147, 70, 253, 109, 146, 103, 99, 228, 168, 149, 200, 35, 227, 154, 76,
255, 169, 27, 217, 30, 128, 190, 86, 56, 148, 192, 230, 87, 115, 144,
98, 93, 192, 109, 38, 176, 0, 189, 179, 153, 13, 187, 140, 215, 237,
202, 194, 32, 22, 85, 194, 238, 70, 89, 12, 153, 186, 54, 133, 163,
238, 250, 110, 214, 180, 221, 142, 5, 198, 51, 181, 153, 160, 192,
114, 0, 127, 45, 92, 84, 2, 224, 4, 239, 176, 80, 234, 244, 9, 158,
190, 51, 18, 180, 20, 199, 205, 72, 9, 127, 212, 190, 59, 243, 242,
131, 115, 36, 239, 222, 61, 2, 220, 237, 119, 205, 200, 141, 75, 150,
191, 112, 107, 35, 54, 33, 245, 112, 155, 205, 165, 190, 4, 67, 215,
94, 72, 198, 25, 66, 151, 152, 192, 54, 202, 65, 246, 169, 46, 71,
142, 170, 229, 249, 75, 219, 98, 64, 194, 82, 147, 222, 230, 134, 146,
162, 92, 206, 68, 91, 249, 105, 73, 56, 25, 37, 128, 45, 188, 32, 117,
92, 217, 184, 248, 234, 129, 139, 220, 10, 231, 18, 20, 219, 251
]
]
}
},
"requested_proof": {
"revealed_attrs": {
"address_attrs": {
"raw": "9 6 st, Q Ontario Canada, K9O 3R5",
"encoded": "21751895109898684064665132381010603351785496039964583518083248344707107214824",
"sub_proof_index": 0
}
},
"self_attested_attrs": {},
"unrevealed_attrs": {},
"predicates": {}
},
"identifiers": [
{
"schema_id": "PMUiB2ovzCTiqYrWrF5Kde:2:Schema_DriversLicense_Revoc:1.1.0",
"cred_def_id": "PMUiB2ovzCTiqYrWrF5Kde:3:CL:147358:7294",
"rev_reg_id": "PMUiB2ovzCTiqYrWrF5Kde:4:PMUiB2ovzCTiqYrWrF5Kde:3:CL:147358:7294:CL_ACCUM:d0d039af-ec4e-455c-a481-3a9059967a14"
}
]
} |
Thanks @TimoGlastra I'll look into these 2 tests |
@TimoGlastra please see PR: hyperledger/aries-cloudagent-python#1628 |
Enables revocation tests for AFJ in the holder role. Will enable AFJ in the role of verifier soon.
I've added
@RFC0441
to revocation tests that follow RFC0441, as we don't support revocation not adhering to the best practices.There are still quite some tests failing, but would like to merge (once the PR in AFJ is merged) so we can get a daily update of the interop status for revocation.
It's weird as some tests are failing where it expects the verification to fail, but it actually succeeds. ACA-Py is the verifier so I'm not sure how it is possible for ACA-Py to return verified=true if the credential was revoked. Maybe AFJ is doing something incorrect, but ACA-Py shouldn't accept the presentation in that case. See this comment for more context. Will need to dig deeper into this