Merge pull request #217 from WeBankFinTech/feature/modify-hash-thumbp…

…rint

Enforce to use secp256k1 type of sign and adapt the verifications

src/main/java/com/webank/weid/protocol/base/PresentationE.java

@@ -19,6 +19,7 @@
 
 package com.webank.weid.protocol.base;
 
+import java.math.BigInteger;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
@@ -198,9 +199,9 @@ public boolean commit(WeIdAuthentication weIdAuthentication) {
         }
         // 更新proof里面的签名
         String signature = 
-            DataToolUtils.sign(
+            DataToolUtils.secp256k1Sign(
                 this.toRawData(),
-                weIdAuthentication.getWeIdPrivateKey().getPrivateKey()
+                new BigInteger(weIdAuthentication.getWeIdPrivateKey().getPrivateKey())
             );
         this.putProofValue(ParamKeyConstant.PROOF_SIGNATURE, signature);
         logger.info("[commit] commit credential with weIdAuthentication is success.");

src/main/java/com/webank/weid/service/impl/CredentialPojoServiceImpl.java

@@ -642,18 +642,23 @@ private static ErrorCode verifySingleSignedCredential(
                 return ErrorCode.getTypeByErrorCode(innerResponseData.getErrorCode());
             } else {
                 WeIdDocument weIdDocument = innerResponseData.getResult();
-                return DataToolUtils
-                    .verifySignatureFromWeId(rawData, credential.getSignature(), weIdDocument);
+                errorCode = DataToolUtils
+                    .verifySecp256k1SignatureFromWeId(rawData, credential.getSignature(),
+                        weIdDocument);
+                if (errorCode != ErrorCode.SUCCESS) {
+                    return DataToolUtils
+                        .verifySignatureFromWeId(rawData, credential.getSignature(), weIdDocument);
+                }
+                return ErrorCode.SUCCESS;
             }
         } else {
             boolean result;
             try {
-                result = DataToolUtils
-                    .verifySignature(
-                        rawData,
-                        credential.getSignature(),
-                        new BigInteger(publicKey)
-                    );
+                result = DataToolUtils.verifySecp256k1Signature(rawData,
+                    credential.getSignature(), new BigInteger(publicKey)) || DataToolUtils
+                    .verifySignature(rawData,
+                        credential.getSignature(), new BigInteger(publicKey));
+
             } catch (Exception e) {
                 logger.error("[verifyContent] verify signature fail.", e);
                 return ErrorCode.CREDENTIAL_SIGNATURE_BROKEN;
@@ -926,7 +931,7 @@ private static ResponseData<Boolean> verifyLiteCredential(
             boolean result;
             try {
                 // For Lite CredentialPojo, we begin to use Secp256k1 verify to fit external type
-                result = DataToolUtils.secp256k1VerifySignature(rawData, credential.getSignature(),
+                result = DataToolUtils.verifySecp256k1Signature(rawData, credential.getSignature(),
                     new BigInteger(publicKey));
             } catch (Exception e) {
                 logger.error("[verifyContent] verify signature fail.", e);
@@ -1082,7 +1087,7 @@ public ResponseData<CredentialPojo> createCredential(CreateCredentialPojoArgs ar
             String rawData = CredentialPojoUtils
                 .getCredentialThumbprintWithoutSig(result, saltMap, null);
 
-            String signature = DataToolUtils.sign(rawData, privateKey);
+            String signature = DataToolUtils.secp256k1Sign(rawData, new BigInteger(privateKey));
 
             result.putProofValue(ParamKeyConstant.PROOF_CREATED, result.getIssuanceDate());
 
@@ -1186,7 +1191,7 @@ public ResponseData<CredentialPojo> addSignature(
         CredentialPojoUtils.clearMap(saltMap);
         String rawData = CredentialPojoUtils
             .getEmbeddedCredentialThumbprintWithoutSig(credentialList);
-        String signature = DataToolUtils.sign(rawData, privateKey);
+        String signature = DataToolUtils.secp256k1Sign(rawData, new BigInteger(privateKey));
 
         result.putProofValue(ParamKeyConstant.PROOF_CREATED, result.getIssuanceDate());
 
@@ -1247,12 +1252,12 @@ public ResponseData<CredentialPojo> createSelectiveCredential(
             logger.error("[createSelectiveCredential] input credential is null");
             return new ResponseData<CredentialPojo>(null, ErrorCode.ILLEGAL_INPUT);
         }
-        if (credential.getType() != null 
-            && (credential.getType().contains(CredentialType.LITE1.getName()) 
+        if (credential.getType() != null
+            && (credential.getType().contains(CredentialType.LITE1.getName())
             || credential.getType().contains(CredentialType.ZKP.getName()))) {
             logger.error(
                 "[createSelectiveCredential] Lite Credential and ZKP Credential DO NOT support "
-                + "this function(createSelectiveCredential), type = {}.", credential.getType());
+                    + "this function(createSelectiveCredential), type = {}.", credential.getType());
             return new ResponseData<CredentialPojo>(null,
                 ErrorCode.CREDENTIAL_NOT_SUPPORT_SELECTIVE_DISCLOSURE);
         }
@@ -1570,13 +1575,18 @@ private ErrorCode checkInputArgs(
         String signature = presentationE.getSignature();
         errorCode =
             DataToolUtils
-                .verifySignatureFromWeId(presentationE.toRawData(), signature, weIdDocument);
+                .verifySecp256k1SignatureFromWeId(presentationE.toRawData(), signature,
+                    weIdDocument);
         if (errorCode.getCode() != ErrorCode.SUCCESS.getCode()) {
-            logger.error(
-                "[verify] verify presentation signature failed, error message : {}.",
-                errorCode.getCodeDesc()
-            );
-            return ErrorCode.PRESENTATION_SIGNATURE_MISMATCH;
+            errorCode = DataToolUtils
+                .verifySignatureFromWeId(presentationE.toRawData(), signature, weIdDocument);
+            if (errorCode.getCode() != ErrorCode.SUCCESS.getCode()) {
+                logger.error(
+                    "[verify] verify presentation signature failed, error message : {}.",
+                    errorCode.getCodeDesc()
+                );
+                return ErrorCode.PRESENTATION_SIGNATURE_MISMATCH;
+            }
         }
         return ErrorCode.SUCCESS;
     }
@@ -1910,9 +1920,9 @@ private void generatePresentationProof(
         presentation.putProofValue(ParamKeyConstant.PROOF_VERIFICATION_METHOD, weIdPublicKeyId);
         presentation.putProofValue(ParamKeyConstant.PROOF_NONCE, challenge.getNonce());
         String signature =
-            DataToolUtils.sign(
+            DataToolUtils.secp256k1Sign(
                 presentation.toRawData(),
-                weIdAuthentication.getWeIdPrivateKey().getPrivateKey()
+                new BigInteger(weIdAuthentication.getWeIdPrivateKey().getPrivateKey())
             );
         presentation.putProofValue(ParamKeyConstant.PROOF_SIGNATURE, signature);
     }
@@ -1956,6 +1966,9 @@ public ResponseData<CredentialPojo> createTrustedTimestamp(
 
         String rawData = CredentialPojoUtils
             .getEmbeddedCredentialThumbprintWithoutSig(credentialList);
+        if (StringUtils.isEmpty(rawData)) {
+            return new ResponseData<>(null, ErrorCode.ILLEGAL_INPUT);
+        }
         ResponseData<HashMap<String, Object>> claimResp = TimestampUtils
             .createWeSignTimestamp(rawData);
         if (claimResp.getResult() == null) {
@@ -1969,7 +1982,7 @@ public ResponseData<CredentialPojo> createTrustedTimestamp(
         // For embedded signature, salt here is totally meaningless - hence we left it blank
         Map<String, Object> saltMap = DataToolUtils.clone(claim);
         CredentialPojoUtils.clearMap(saltMap);
-        String signature = DataToolUtils.sign(rawData, privateKey);
+        String signature = DataToolUtils.secp256k1Sign(rawData, new BigInteger(privateKey));
 
         credential.putProofValue(ParamKeyConstant.PROOF_CREATED, credential.getIssuanceDate());
 

src/main/java/com/webank/weid/service/impl/CredentialServiceImpl.java

@@ -498,15 +498,22 @@ private ResponseData<Boolean> verifySignature(
                 } else {
                     WeIdDocument weIdDocument = innerResponseData.getResult();
                     ErrorCode errorCode = DataToolUtils
-                        .verifySignatureFromWeId(rawData, signatureData, weIdDocument);
+                        .verifySecp256k1SignatureFromWeId(rawData, credential.getSignature(),
+                            weIdDocument);
                     if (errorCode.getCode() != ErrorCode.SUCCESS.getCode()) {
-                        return new ResponseData<>(false, errorCode);
+                        errorCode = DataToolUtils
+                            .verifySignatureFromWeId(rawData, signatureData, weIdDocument);
+                        if (errorCode.getCode() != ErrorCode.SUCCESS.getCode()) {
+                            return new ResponseData<>(false, errorCode);
+                        }
                     }
                     return new ResponseData<>(true, ErrorCode.SUCCESS);
                 }
             } else {
                 boolean result =
-                    DataToolUtils
+                    DataToolUtils.verifySecp256k1Signature(rawData,
+                        credential.getSignature(), new BigInteger(publicKey))
+                        || DataToolUtils
                         .verifySignature(rawData, signatureData, new BigInteger(publicKey));
                 if (!result) {
                     return new ResponseData<>(false, ErrorCode.CREDENTIAL_VERIFY_FAIL);

src/main/java/com/webank/weid/service/impl/EvidenceServiceImpl.java

@@ -26,7 +26,6 @@
 import com.google.common.base.Charsets;
 import com.google.common.io.Files;
 import org.apache.commons.lang3.StringUtils;
-import org.bcos.web3j.crypto.Sign;
 import org.bcos.web3j.crypto.Sign.SignatureData;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -45,7 +44,6 @@
 import com.webank.weid.rpc.WeIdService;
 import com.webank.weid.service.impl.engine.EngineFactory;
 import com.webank.weid.service.impl.engine.EvidenceServiceEngine;
-import com.webank.weid.service.impl.inner.PropertiesService;
 import com.webank.weid.util.BatchTransactionUtils;
 import com.webank.weid.util.DataToolUtils;
 import com.webank.weid.util.DateUtils;
@@ -61,21 +59,21 @@ public class EvidenceServiceImpl extends AbstractService implements EvidenceServ
     private static final Logger logger = LoggerFactory.getLogger(EvidenceServiceImpl.class);
 
     private WeIdService weIdService = new WeIdServiceImpl();
-    
+
     private ProcessingMode processingMode = ProcessingMode.IMMEDIATE;
-    
+
     private EvidenceServiceEngine evidenceServiceEngine;
-    
+
     private Integer groupId;
-    
+
     public EvidenceServiceImpl() {
         super();
         initEvidenceServiceEngine(masterGroupId);
     }
-    
+
     /**
      * 传入processingMode来决定上链模式.
-     * 
+     *
      * @param processingMode 上链模式
      * @param groupId 群组编号
      */
@@ -258,11 +256,7 @@ private ResponseData<String> getHashValue(Hashable object) {
     private ResponseData<String> hashToNewEvidence(String hashValue, String privateKey,
         String extra) {
         try {
-            Sign.SignatureData sigData =
-                DataToolUtils.signMessage(hashValue, privateKey);
-            String signature = new String(
-                DataToolUtils.base64Encode(DataToolUtils.simpleSignatureSerialization(sigData)),
-                StandardCharsets.UTF_8);
+            String signature = DataToolUtils.secp256k1Sign(hashValue, new BigInteger(privateKey));
             Long timestamp = DateUtils.getCurrentTimeStamp();
             if (processingMode == ProcessingMode.PERIODIC_AND_BATCH) {
                 String[] args = new String[6];
@@ -396,16 +390,27 @@ public ResponseData<Boolean> verifySigner(
                 DataToolUtils.base64Decode(signature.getBytes(StandardCharsets.UTF_8))
             );
         if (StringUtils.isEmpty(publicKey)) {
-            return verifySignatureToSigner(
+            ResponseData<Boolean> verifyResp = verifySecp256k1SignatureToSigner(
                 evidenceInfo.getCredentialHash(),
                 WeIdUtils.convertAddressToWeId(weId),
-                signatureData
-            );
+                signature);
+            if (verifyResp.getResult()) {
+                return verifyResp;
+            } else {
+                return verifySignatureToSigner(
+                    evidenceInfo.getCredentialHash(),
+                    WeIdUtils.convertAddressToWeId(weId),
+                    signatureData
+                );
+            }
         } else {
             try {
                 boolean result = DataToolUtils
+                    .verifySecp256k1Signature(evidenceInfo.getCredentialHash(), signature,
+                        new BigInteger(publicKey)) || DataToolUtils
                     .verifySignature(evidenceInfo.getCredentialHash(), signatureData,
                         new BigInteger(publicKey));
+
                 if (!result) {
                     logger.error("Public key does not match signature.");
                     return new ResponseData<>(false, ErrorCode.CREDENTIAL_SIGNATURE_BROKEN);
@@ -418,6 +423,33 @@ public ResponseData<Boolean> verifySigner(
         }
     }
 
+    private ResponseData<Boolean> verifySecp256k1SignatureToSigner(
+        String rawData,
+        String signerWeId,
+        String secp256k1sig
+    ) {
+        try {
+            ResponseData<WeIdDocument> innerResponseData =
+                weIdService.getWeIdDocument(signerWeId);
+            if (innerResponseData.getErrorCode() != ErrorCode.SUCCESS.getCode()) {
+                logger.error(
+                    "Error occurred when fetching WeIdentity DID document for: {}, msg: {}",
+                    signerWeId, innerResponseData.getErrorMessage());
+                return new ResponseData<>(false, ErrorCode.CREDENTIAL_WEID_DOCUMENT_ILLEGAL);
+            }
+            WeIdDocument weIdDocument = innerResponseData.getResult();
+            ErrorCode errorCode = DataToolUtils
+                .verifySecp256k1SignatureFromWeId(rawData, secp256k1sig, weIdDocument);
+            if (errorCode.getCode() != ErrorCode.SUCCESS.getCode()) {
+                return new ResponseData<>(false, errorCode);
+            }
+            return new ResponseData<>(true, ErrorCode.SUCCESS);
+        } catch (Exception e) {
+            logger.error("error occurred during verifying signatures from chain: ", e);
+            return new ResponseData<>(false, ErrorCode.CREDENTIAL_EVIDENCE_BASE_ERROR);
+        }
+    }
+
     /* (non-Javadoc)
      * @see com.webank.weid.rpc.EvidenceService#createEvidenceWithLogAndCustomKey(
      * com.webank.weid.protocol.inf.Hashable, com.webank.weid.protocol.base.WeIdPrivateKey,
@@ -458,13 +490,9 @@ public ResponseData<String> createEvidenceWithLogAndCustomKey(
         }
         String privateKey = weIdPrivateKey.getPrivateKey();
         try {
-            Sign.SignatureData sigData =
-                DataToolUtils.signMessage(hashValue, privateKey);
-            String signature = new String(
-                DataToolUtils.base64Encode(DataToolUtils.simpleSignatureSerialization(sigData)),
-                StandardCharsets.UTF_8);
+            String signature = DataToolUtils.secp256k1Sign(hashValue, new BigInteger(privateKey));
             Long timestamp = DateUtils.getCurrentTimeStamp();
-            
+
             if (processingMode == ProcessingMode.PERIODIC_AND_BATCH) {
                 String[] args = new String[7];
                 args[0] = hashValue;

src/main/java/com/webank/weid/service/impl/callback/KeyManagerCallback.java

@@ -145,11 +145,18 @@ private boolean checkAuthority(GetEncryptKeyArgs arg, Map<String, Object> keyMap
             domRes.getResult()
         );
         if (errorCode.getCode() != ErrorCode.SUCCESS.getCode()) {
-            logger.info(
-                "[checkAuthority] the data is be changed, this weid is {}.",
-                arg.getWeId()
+            errorCode = DataToolUtils.verifySecp256k1SignatureFromWeId(
+                arg.getKeyId(),
+                arg.getSignValue(),
+                domRes.getResult()
             );
-            return false;
+            if (errorCode.getCode() != ErrorCode.SUCCESS.getCode()) {
+                logger.info(
+                    "[checkAuthority] the data is be changed, this weid is {}.",
+                    arg.getWeId()
+                );
+                return false;
+            }
         }
         return true;
     }

src/main/java/com/webank/weid/service/impl/callback/RequestVerifyChallengeCallback.java

@@ -40,6 +40,7 @@
 
 /**
  * amop callback for verifying challenge.
+ *
  * @author tonychen 2020年3月10日
  */
 public class RequestVerifyChallengeCallback extends AmopCallback {
@@ -75,12 +76,16 @@ public RequestVerifyChallengeResponse onPush(RequestVerifyChallengeArgs args) {
         String rawData = challenge.toJson();
         ResponseData<WeIdDocument> weIdDocResp = weIdService.getWeIdDocument(weId);
         ErrorCode errorCode = DataToolUtils
-            .verifySignatureFromWeId(rawData, signData, weIdDocResp.getResult());
+            .verifySecp256k1SignatureFromWeId(rawData, signData, weIdDocResp.getResult());
         if (errorCode.getCode() != ErrorCode.SUCCESS.getCode()) {
-            logger.error("[RequestVerifyChallengeCallback] verify challenge signature failed.");
-            result.setErrorCode(errorCode.getCode());
-            result.setErrorMessage(errorCode.getCodeDesc());
-            return result;
+            errorCode = DataToolUtils
+                .verifySignatureFromWeId(rawData, signData, weIdDocResp.getResult());
+            if (errorCode.getCode() != ErrorCode.SUCCESS.getCode()) {
+                logger.error("[RequestVerifyChallengeCallback] verify challenge signature failed.");
+                result.setErrorCode(errorCode.getCode());
+                result.setErrorMessage(errorCode.getCodeDesc());
+                return result;
+            }
         }
 
         result.setErrorCode(ErrorCode.SUCCESS.getCode());

src/main/java/com/webank/weid/service/impl/callback/WeIdAuthAmopCallback.java

@@ -19,6 +19,7 @@
 
 package com.webank.weid.service.impl.callback;
 
+import java.math.BigInteger;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -76,7 +77,7 @@ public GetWeIdAuthResponse onPush(GetWeIdAuthArgs args) {
         Challenge challenge = args.getChallenge();
         String rawData = challenge.toJson();
         String privateKey = weIdAuth.getWeIdPrivateKey().getPrivateKey();
-        String challengeSign = DataToolUtils.sign(rawData, privateKey);
+        String challengeSign = DataToolUtils.secp256k1Sign(rawData, new BigInteger(privateKey));
         dataMap.put(ParamKeyConstant.WEID_AUTH_SIGN_DATA, challengeSign);
 
         ResponseData<WeIdDocument> weIdDocResp = weIdService.getWeIdDocument(fromWeId);