Longfellow ZK 0290cb32
Loading...
Searching...
No Matches
jwt_witness.h
1// Copyright 2025 Google LLC.
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_JWT_JWT_WITNESS_H_
16#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_JWT_JWT_WITNESS_H_
17
18#include <cstddef>
19#include <cstdint>
20#include <cstdio>
21#include <string>
22#include <vector>
23
24#include "arrays/dense.h"
25#include "circuits/base64/decode_util.h"
26#include "circuits/ecdsa/verify_witness.h"
27#include "circuits/jwt/jwt_constants.h"
28#include "circuits/logic/bit_plucker_encoder.h"
29#include "circuits/sha/flatsha256_witness.h"
30#include "util/log.h"
31
32namespace proofs {
33
34/* This struct allows a verifier to express which attribute and value the prover
35 * must claim. */
36struct OpenedAttribute {
37 uint8_t id[32];
38 uint8_t value[64];
39 size_t id_len, value_len;
40};
41
42template <class EC, class ScalarField>
43class JWTWitness {
44 using Field = typename EC::Field;
45 using Elt = typename Field::Elt;
46 using Nat = typename Field::N;
47 using EcdsaWitness = VerifyWitness3<EC, ScalarField>;
48 const EC& ec_;
49
50 public:
51 Elt e_, r_, s_;
52 EcdsaWitness sig_;
53
54 uint8_t preimage_[64 * kMaxJWTSHABlocks];
55 uint8_t e_bits_[256];
56 FlatSHA256Witness::BlockWitness sha_bw_[kMaxJWTSHABlocks];
57 uint8_t numb_; /* Number of the correct sha block. */
58 uint8_t na_; /* Number of attributes. */
59 size_t payload_ind_, payload_len_;
60 std::vector<size_t> attr_ind_;
61 std::vector<size_t> attr_id_len_;
62 std::vector<size_t> attr_value_len_;
63
64 explicit JWTWitness(const EC& ec, const ScalarField& Fn)
65 : ec_(ec), sig_(Fn, ec) {}
66
67 void fill_witness(DenseFiller<Field>& filler) const {
68 filler.push_back(r_);
69 filler.push_back(s_);
70 filler.push_back(e_);
71 sig_.fill_witness(filler);
72
73 // Write the message.
74 for (size_t i = 0; i < 64 * kMaxJWTSHABlocks; ++i) {
75 filler.push_back(preimage_[i], 8, ec_.f_);
76 }
77
78 for (size_t i = 0; i < 256; ++i) {
79 filler.push_back(e_bits_[i], 1, ec_.f_);
80 }
81
82 for (size_t j = 0; j < kMaxJWTSHABlocks; ++j) {
83 fill_sha(filler, sha_bw_[j]);
84 }
85
86 filler.push_back(numb_, 8, ec_.f_);
87
88 for (size_t i = 0; i < na_; ++i) {
89 filler.push_back(attr_ind_[i], kJWTIndexBits, ec_.f_);
90 filler.push_back(attr_id_len_[i], 8, ec_.f_);
91 filler.push_back(attr_value_len_[i], 8, ec_.f_);
92 }
93
94 filler.push_back(payload_ind_, kJWTIndexBits, ec_.f_);
95 filler.push_back(payload_len_, kJWTIndexBits, ec_.f_);
96 }
97
98 void fill_sha(DenseFiller<Field>& filler,
99 const FlatSHA256Witness::BlockWitness& bw) const {
100 BitPluckerEncoder<Field, kSHAJWTPluckerBits> BPENC(ec_.f_);
101 for (size_t k = 0; k < 48; ++k) {
102 filler.push_back(BPENC.mkpacked_v32(bw.outw[k]));
103 }
104 for (size_t k = 0; k < 64; ++k) {
105 filler.push_back(BPENC.mkpacked_v32(bw.oute[k]));
106 filler.push_back(BPENC.mkpacked_v32(bw.outa[k]));
107 }
108 for (size_t k = 0; k < 8; ++k) {
109 filler.push_back(BPENC.mkpacked_v32(bw.h1[k]));
110 }
111 }
112
113 // Transform from u32 be (i.e., be[0] is the most significant nibble)
114 // into nat form, which requires first converting to le byte order.
115 Nat nat_from_u32(const uint32_t be[]) const {
116 uint8_t tmp[Nat::kBytes];
117 const size_t top = Nat::kBytes / 4;
118 for (size_t i = 0; i < Nat::kBytes; ++i) {
119 tmp[i] = (be[top - i / 4 - 1] >> ((i % 4) * 8)) & 0xff;
120 }
121 return Nat::of_bytes(tmp);
122 }
123
124 // Transform from u8 be (i.e., be[31] is the most significant byte) into
125 // nat form, which requires first converting to le byte order.
126 Nat nat_from_be(const uint8_t be[/* Nat::kBytes */]) {
127 uint8_t tmp[Nat::kBytes];
128 // Transform into byte-wise le representation.
129 for (size_t i = 0; i < Nat::kBytes; ++i) {
130 tmp[i] = be[Nat::kBytes - i - 1];
131 }
132 return Nat::of_bytes(tmp);
133 }
134
135 bool compute_witness(std::string jwt, Elt pkX, Elt pkY,
136 std::vector<OpenedAttribute> attrs) {
137 size_t dot = jwt.find_first_of('.');
138 size_t dot2 = jwt.find_first_of('.', dot + 1);
139 if (dot == std::string::npos || dot2 == std::string::npos) {
140 log(ERROR, "JWT is not in the format of header.payload.signature");
141 return false;
142 }
143 auto hdr = jwt.substr(0, dot);
144 auto pld = jwt.substr(dot + 1, dot2 - dot - 1);
145 auto rest = jwt.substr(dot2 + 1);
146 auto msg = jwt.substr(0, dot2);
147 payload_len_ = pld.size();
148 payload_ind_ = dot + 1;
149
150 if (payload_len_ > kMaxJWTSHABlocks * 64) {
151 log(ERROR, "JWT payload is too large");
152 return false;
153 }
154
155 size_t tilde = rest.find_first_of('~');
156 if (tilde == std::string::npos) {
157 log(ERROR, "JWT is not in the format of header.payload.signature~epoch");
158 return false;
159 }
160 auto sig = rest.substr(0, tilde);
161 auto claims = rest.substr(tilde + 1);
162
163 FlatSHA256Witness::transform_and_witness_message(
164 msg.size(), reinterpret_cast<const uint8_t*>(msg.data()),
165 kMaxJWTSHABlocks, numb_, preimage_, sha_bw_);
166
167 Nat ne = nat_from_u32(sha_bw_[numb_ - 1].h1);
168 e_ = ec_.f_.to_montgomery(ne);
169
170 std::vector<uint8_t> sigb;
171 sigb.reserve(ec_.f_.kBytes * 2);
172 if (!base64_decode_url(sig, sigb) || sigb.size() < ec_.f_.kBytes * 2) {
173 log(ERROR, "signature is not in the format of base64url");
174 return false;
175 }
176 Nat nr = nat_from_be(&sigb[0]);
177 Nat ns = nat_from_be(&sigb[ec_.f_.kBytes]);
178
179 r_ = ec_.f_.to_montgomery(nr);
180 s_ = ec_.f_.to_montgomery(ns);
181 if (!sig_.compute_witness(pkX, pkY, ne, nr, ns)) {
182 log(ERROR, "signature verification failed");
183 return false;
184 }
185
186 for (size_t i = 0; i < 256; ++i) {
187 e_bits_[i] = ne.bit(i);
188 }
189
190 // Find the positions of each of the attributes.
191 na_ = attrs.size();
192 std::vector<uint8_t> payload;
193 payload.reserve(pld.size());
194 if (!base64_decode_url(pld, payload)) {
195 log(ERROR, "JWT payload is not in the format of base64url");
196 return false;
197 }
198 std::string str((const char*)payload.data(), payload.size());
199 for (size_t i = 0; i < na_; ++i) {
200 size_t ind = str.find((const char*)attrs[i].id, 0, attrs[i].id_len);
201 if (ind == std::string::npos) {
202 log(ERROR, "Could not find attribute %.*s", attrs[i].id_len,
203 attrs[i].id);
204 return false;
205 }
206 size_t vstart = ind + attrs[i].id_len + 3;
207 size_t vind =
208 str.find((const char*)attrs[i].value, vstart, attrs[i].value_len);
209 if (vind == std::string::npos || vind != vstart) {
210 log(ERROR, "Could not find attribute value %.*s", attrs[i].value_len,
211 attrs[i].value);
212 return false;
213 }
214 attr_ind_.push_back(ind);
215 attr_id_len_.push_back(attrs[i].id_len);
216 attr_value_len_.push_back(attrs[i].value_len);
217 }
218
219 return true;
220 }
221};
222
223} // namespace proofs
224
225#endif // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_JWT_JWT_WITNESS_H_
proofs::BitPluckerEncoder
Definition bit_plucker_encoder.h:27
proofs::DenseFiller
Definition dense.h:153
proofs::VerifyWitness3
Definition verify_witness.h:30
proofs::FlatSHA256Witness::BlockWitness
Definition flatsha256_witness.h:27
proofs::GF2_128::Elt
Definition gf2_128.h:63
proofs::OpenedAttribute
Definition jwt_witness.h:36
Generated by doxygen 1.15.0