Investigate issue with proof verification
It seems that the proof verification endpoint may have a bug where it accepts changes to the credentialSubject attribute without returning a validation error, even though the original document for which the proof was created has different values for the credentialSubject attribute.
If this turns out to be the case, this would be a fatal critical bug and must be fixed.
- Lyuben Penkovski added Backlog Bug labels
- Lyuben Penkovski assigned to @lyuben.penkovski
- Maintainer
Original proofed presentation:
{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://w3id.org/security/suites/jws-2020/v1",
    "https://www.w3.org/2018/credentials/examples/v1"
  ],
  "id": "did:web:gaiax.vereign.com:tsa:policy:policy:example:returnDID:1.0:evaluation",
  "proof": {
    "created": "2022-07-24T05:02:32.283709636Z",
    "jws": "eyJhbGciOiJKc29uV2ViU2lnbmF0dXJlMjAyMCIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..MEUCIQCzUne2tVQAwCJ_FJsytpC2nFEhOZmYFoIQWR-ai3W5kwIgeZp3N_wyGGjrcX13teITSIR-ortwQCxhNwo0BuudKcg",
    "proofPurpose": "assertionMethod",
    "type": "JsonWebSignature2020",
    "verificationMethod": "did:web:gaiax.vereign.com:tsa:policy:policy:example:returnDID:1.0:evaluation#key1"
  },
  "type": "VerifiablePresentation",
  "verifiableCredential": [
    {
      "@context": [
        "https://www.w3.org/2018/credentials/v1",
        "https://w3id.org/security/suites/jws-2020/v1",
        "https://www.w3.org/2018/credentials/examples/v1"
      ],
      "credentialSubject": {
        "allow": true,
        "id": "example/examplePolicy/1.0"
      },
      "issuanceDate": "2022-07-21T10:24:36.203848291Z",
      "issuer": "did:web:gaiax.vereign.com:tsa:policy:policy:example:returnDID:1.0:evaluation",
      "type": "VerifiableCredential"
    },
    {
      "@context": [
        "https://www.w3.org/2018/credentials/v1",
        "https://w3id.org/security/suites/jws-2020/v1",
        "https://www.w3.org/2018/credentials/examples/v1"
      ],
      "credentialSubject": {
        "allow": true,
        "id": "example/ProofRequestResponse/1.0"
      },
      "issuanceDate": "2022-07-21T10:24:36.203861194Z",
      "issuer": "did:web:gaiax.vereign.com:tsa:policy:policy:example:returnDID:1.0:evaluation",
      "type": "VerifiableCredential"
    }
  ]
}
Modified presentation (verifiableCredential.credentialSubject.allow=true->false):
{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://w3id.org/security/suites/jws-2020/v1",
    "https://www.w3.org/2018/credentials/examples/v1"
  ],
  "id": "did:web:gaiax.vereign.com:tsa:policy:policy:example:returnDID:1.0:evaluation",
  "proof": {
    "created": "2022-07-21T14:28:09.071187173Z",
    "jws": "eyJhbGciOiJKc29uV2ViU2lnbmF0dXJlMjAyMCIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..MEQCIFkavr6XpAYbdurBmQXNei-hI8WHAcnEYkZ6J3i4d3FKAiA4BtVCAixsAypaJ5dcBxn96Ju1OGfi7Kw1QRZMlMumhg",
    "proofPurpose": "assertionMethod",
    "type": "JsonWebSignature2020",
    "verificationMethod": "did:web:gaiax.vereign.com:tsa:policy:policy:example:returnDID:1.0:evaluation#key1"
  },
  "type": "VerifiablePresentation",
  "verifiableCredential": [
    {
      "@context": [
        "https://www.w3.org/2018/credentials/v1",
        "https://w3id.org/security/suites/jws-2020/v1",
        "https://www.w3.org/2018/credentials/examples/v1"
      ],
      "credentialSubject": {
        "allow": true,
        "id": "example/examplePolicy/1.0"
      },
      "issuanceDate": "2022-07-21T10:24:36.203848291Z",
      "issuer": "did:web:gaiax.vereign.com:tsa:policy:policy:example:returnDID:1.0:evaluation",
      "type": "VerifiableCredential"
    },
    {
      "@context": [
        "https://www.w3.org/2018/credentials/v1",
        "https://w3id.org/security/suites/jws-2020/v1",
        "https://www.w3.org/2018/credentials/examples/v1"
      ],
      "credentialSubject": {
        "allow": false,
        "id": "example/ProofRequestResponse/1.0"
      },
      "issuanceDate": "2022-07-21T10:24:36.203861194Z",
      "issuer": "did:web:gaiax.vereign.com:tsa:policy:policy:example:returnDID:1.0:evaluation",
      "type": "VerifiableCredential"
    }
  ]
}
Response when verified:
HTTP/1.1 200 OK
date: Sun, 24 Jul 2022 05:02:33 GMT
content-type: application/json
content-length: 15
strict-transport-security: max-age=15724800; includeSubDomains

{ "valid": true }
Edited by Georgi Michev
- Maintainer
Also happens when changing the following field:
{ "credentialSubject": { "allow": false, - "id": "example/ProofRequestResponse/1.0" + "id": "example/ProofRequestResponse/2.0" }, }
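As an added example (not part of the issue or the project's code): a regression check for the behaviour reported above, where a changed `credentialSubject` still returns `"valid": true`. It changes every value outside `proof` in turn and lists the fields whose modification a verifier still accepts. The HMAC stand-in for JsonWebSignature2020, the key, the shortened sample presentation and the `skip` parameter that models a verifier with incomplete coverage are all assumptions and say nothing about the actual root cause.

```python
import copy, hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: stand-in for the signer's key
# Constructed sample, shaped like the presentation in the issue (shortened).
VP = {
    "type": "VerifiablePresentation",
    "verifiableCredential": [{
        "credentialSubject": {"allow": True, "id": "example/ProofRequestResponse/1.0"},
        "issuanceDate": "2022-07-21T10:24:36.203861194Z",
    }],
}

def _mac(doc, skip):
    """HMAC over sorted-key JSON of doc minus `proof` and any keys named in skip."""
    def strip(n):
        if isinstance(n, dict):
            return {k: strip(v) for k, v in n.items() if k != "proof" and k not in skip}
        return [strip(v) for v in n] if isinstance(n, list) else n
    data = json.dumps(strip(doc), sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def sign(doc, skip=()):
    return {**copy.deepcopy(doc), "proof": {"mac": _mac(doc, skip)}}

def verify(doc, skip=()):
    return hmac.compare_digest(_mac(doc, skip), doc.get("proof", {}).get("mac", ""))

def leaf_paths(node, path=()):
    """Yield the path of every scalar value outside `proof`."""
    if isinstance(node, (dict, list)):
        items = node.items() if isinstance(node, dict) else enumerate(node)
        for key, value in items:
            if key != "proof":
                yield from leaf_paths(value, path + (key,))
    else:
        yield path

def mutate(doc, path):
    """Copy doc with the value at path changed (booleans flipped, others suffixed)."""
    parent = out = copy.deepcopy(doc)
    for key in path[:-1]:
        parent = parent[key]
    old = parent[path[-1]]
    parent[path[-1]] = (not old) if isinstance(old, bool) else f"{old}-tampered"
    return out

def uncovered_fields(signed, verifier):
    """Paths whose modification the verifier still accepts; must be empty."""
    return [p for p in leaf_paths(signed) if verifier(mutate(signed, p))]
```

With the defaults, `uncovered_fields(sign(VP), verify)` is empty; passing `skip=("credentialSubject",)` to both `sign` and `verify` makes it report the `allow` and `id` paths, which is the symptom a test suite for the endpoint should fail on.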
- Georgi Michev mentioned in merge request tests!29 (merged)
- Lyuben Penkovski changed title from Investigate possible issue with proof verification to Investigate issue with proof verification
- Lyuben Penkovski removed Backlog label
- Lyuben Penkovski added DevInProgress label
- Lyuben Penkovski mentioned in merge request !18 (merged)
- Lyuben Penkovski closed with merge request !18 (merged)
- Lyuben Penkovski mentioned in commit 397dd48c
- Georgi Michev marked this issue as related to #18 (closed)
- Georgi Michev mentioned in commit tests@aa0b04cf
- Georgi Michev mentioned in commit tests@5554d205
- Georgi Michev mentioned in commit tests@f425a3a3
- Lyuben Penkovski mentioned in commit d0464c62