proofcarryingdata · ichub · Nov 13, 2024
diff --git a/apps/passport-server/src/services.ts b/apps/passport-server/src/services.ts
@@ -39,7 +39,10 @@ export async function startServices(
     rollbarService,
     discordService
   );
-  const credentialSubservice = await startCredentialSubservice(context.dbPool);
+  const credentialSubservice = await startCredentialSubservice(
+    context.dbPool,
+    multiprocessService
+  );
   const provingService = await startProvingService(rollbarService);
   const emailService = startEmailService(context, apis.emailAPI);
   const emailTokenService = startEmailTokenService();

diff --git a/apps/passport-server/src/services/generic-issuance/subservices/CredentialSubservice.ts b/apps/passport-server/src/services/generic-issuance/subservices/CredentialSubservice.ts
@@ -9,6 +9,7 @@ import {
 import { LRUCache } from "lru-cache";
 import { Pool } from "postgres-pool";
 import { loadZupassEdDSAPublicKey } from "../../issuanceService";
+import { MultiProcessService } from "../../multiProcessService";
 import { traced } from "../../telemetryService";
 
 /**
@@ -22,11 +23,17 @@ export class CredentialSubservice {
   private verificationCache: LRUCache<string, Promise<VerifiedCredential>>;
   private zupassPublicKey: EdDSAPublicKey;
   private dbPool: Pool | undefined;
+  private multiProcessService: MultiProcessService;
 
-  public constructor(zupassPublicKey: EdDSAPublicKey, dbPool?: Pool) {
+  public constructor(
+    zupassPublicKey: EdDSAPublicKey,
+    multiProcessService: MultiProcessService,
+    dbPool?: Pool
+  ) {
     this.verificationCache = new LRUCache({ max: 20000 });
     this.zupassPublicKey = zupassPublicKey;
     this.dbPool = dbPool;
+    this.multiProcessService = multiProcessService;
   }
 
   public tryVerify(
@@ -46,7 +53,10 @@ export class CredentialSubservice {
     if (cached) {
       return cached;
     }
-    const promise = verifyCredential(credential).catch((err) => {
+    const promise = verifyCredential(
+      credential,
+      this.multiProcessService.verifySignaturePCD
+    ).catch((err) => {
       this.verificationCache.delete(key);
       throw err;
     });
@@ -105,13 +115,18 @@ export class CredentialSubservice {
 }
 
 export async function startCredentialSubservice(
-  dbPool: Pool
+  dbPool: Pool,
+  multiProcessService: MultiProcessService
 ): Promise<CredentialSubservice> {
   const zupassEddsaPublicKey = await loadZupassEdDSAPublicKey();
 
   if (!zupassEddsaPublicKey) {
     throw new Error("Missing generic issuance zupass public key");
   }
 
-  return new CredentialSubservice(zupassEddsaPublicKey, dbPool);
+  return new CredentialSubservice(
+    zupassEddsaPublicKey,
+    multiProcessService,
+    dbPool
+  );
 }
diff --git a/apps/passport-server/test/generic-issuance/credentialSubservice.spec.ts b/apps/passport-server/test/generic-issuance/credentialSubservice.spec.ts
@@ -18,6 +18,7 @@ import "mocha";
 import { step } from "mocha-steps";
 import MockDate from "mockdate";
 import { CredentialSubservice } from "../../src/services/generic-issuance/subservices/CredentialSubservice";
+import { MultiProcessService } from "../../src/services/multiProcessService";
 import { overrideEnvironment, testingEnv } from "../util/env";
 import { startTestingApp } from "../util/startTestingApplication";
 import { expectToExist } from "../util/util";
@@ -50,7 +51,10 @@ describe("generic issuance - credential subservice", function () {
     });
 
     await startTestingApp({});
-    credentialSubservice = new CredentialSubservice(zupassPublicKey);
+    credentialSubservice = new CredentialSubservice(
+      zupassPublicKey,
+      new MultiProcessService()
+    );
   });
 
   this.afterAll(() => {

diff --git a/packages/lib/passport-interface/src/Credential.ts b/packages/lib/passport-interface/src/Credential.ts
@@ -105,15 +105,26 @@ export class VerificationError extends Error {}
  * application code has access to but library code such as this does not).
  */
 export async function verifyCredential(
-  credential: Credential
+  credential: Credential,
+  verifySignature?: (
+    signature: SerializedPCD<SemaphoreSignaturePCD>
+  ) => Promise<boolean>
 ): Promise<VerifiedCredential> {
   if (credential.type !== SemaphoreSignaturePCDPackage.name) {
     throw new VerificationError(`Credential is not a Semaphore Signature PCD`);
   }
-  // Ensure that the signature part of the credential verifies.
+
   const pcd = await SemaphoreSignaturePCDPackage.deserialize(credential.pcd);
-  if (!(await SemaphoreSignaturePCDPackage.verify(pcd))) {
-    throw new VerificationError(`Could not verify signature PCD`);
+
+  // Ensure that the signature part of the credential verifies.
+  if (verifySignature) {
+    if (!(await verifySignature(credential))) {
+      throw new VerificationError(`Could not verify signature PCD`);
+    }
+  } else {
+    if (!(await SemaphoreSignaturePCDPackage.verify(pcd))) {
+      throw new VerificationError(`Could not verify signature PCD`);
+    }
   }
 
   // Parse data from the Semaphore Signature claim. Will throw if the message