Introducing Smart Contracts to BlockCerts

README.md

@@ -8,24 +8,22 @@ Library for verifying blockchain certificates.
 
 The most common way to use this is to add the [latest cert-verifier pypi package](https://badge.fury.io/py/cert-verifier) to your project dependencies. 
 
-## Verify a certificate by command line
-
-1. Ensure you have an python environment. [Recommendations](https://github.com/blockchain-certificates/cert-issuer/blob/master/docs/virtualenv.md)
+## Configuration
 
-2. Git clone the repository and change to the directory
-
-  ```bash
-  git clone https://github.com/blockchain-certificates/cert-verifier.git && cd cert-verifier
-  ```
+Set the ethereum node you want to use in the verification processes in ``` cert-verifier/cert_verifier/config.ini ```.
 
-3. Run cert-viewer setup
+The Provided ones can also be used and should work out of the box, but keep in mind that they are only recommendations.
 
-  ```bash
-  pip install .
-  ```
-
-4. Run the main program
+If you want to change the ens nodes as well you can use the ```conf_sample.ini``` schema as a structure guideline.
+## Verify a certificate by command line
 
+1. Ensure you have an python environment. [Recommendations](https://github.com/blockchain-certificates/cert-issuer/blob/master/docs/virtualenv.md)
+1. Git clone the repository and change to the directory 
+   ``` 
+   bash git clone https://github.com/blockchain-certificates/cert-verifier.git && cd cert-verifier
+   ```
+1. Run cert-viewer setup ```bash pip install . ```
+1. Run the main program
   ```bash
   cd cert_verifier
   python verifier.py

cert_verifier/__init__.py

@@ -14,6 +14,8 @@
 
 unhexlify = binascii.unhexlify
 hexlify = binascii.hexlify
+
+
 if sys.version > '3':
     def unhexlify(h): return binascii.unhexlify(h.encode('utf8'))
 

cert_verifier/checks.py

@@ -1,20 +1,24 @@
+import hashlib
 import json
 import logging
 from datetime import datetime
+from json import JSONDecodeError
 from threading import Lock
 
 import bitcoin
-import hashlib
 import pytz
 from bitcoin.signmessage import BitcoinMessage, VerifyMessage
-from cert_schema import BlockcertValidationError
-from cert_schema import normalize_jsonld
 from cert_core import BlockcertVersion, Chain
 from cert_core import chain_to_bitcoin_network
 from cert_core.cert_model.model import SignatureType
-from chainpoint.chainpoint import Chainpoint
+from cert_schema import BlockcertValidationError
+from cert_schema import normalize_jsonld
+from chainpoint3 import Chainpoint
+from ens import ENS
 
 from cert_verifier import StepStatus
+from cert_verifier import config
+from cert_verifier.connectors import ContractConnection, MakeW3
 from cert_verifier.errors import InvalidCertificateError
 
 lock = Lock()
@@ -29,6 +33,30 @@ def hashes_match(actual_hash, expected_hash):
     return actual_hash in expected_hash or actual_hash == expected_hash
 
 
+def verify_hash(hash_val, certificate_model, is_batch_hash=False):
+    try:
+        sc = ContractConnection(certificate_model)
+    except (KeyError, JSONDecodeError):
+        print("Could not load smart contract")
+    cert_status = sc.functions.call("hashes", hash_val)
+    if cert_status == 0:
+        if not is_batch_hash:
+            result = True
+        else:
+            result = False
+        return {"validity": result,
+                "name": "ethcheck",
+                "status": " hash is not issued"}
+    elif cert_status == 1:
+        return {"validity": True,
+                "name": "ethcheck",
+                "status": " hash is valid on"}
+    elif cert_status == 2:
+        return {"validity": False,
+                "name": "ethcheck",
+                "status": " hash is revoked on"}
+
+
 class VerificationCheck(object):
     """Individual task involved in verification"""
 
@@ -219,6 +247,41 @@ def do_execute(self):
             return False
 
 
+class EnsChecker(VerificationCheck):
+    def __init__(self, cert_model):
+        self.ens_name = cert_model.certificate_json["signature"]["anchors"][0]["ens_name"]
+        self.contract_address = cert_model.certificate_json["signature"]["anchors"][0]["contract_address"]
+        self.chain = cert_model.certificate_json["signature"]["anchors"][0]["chain"]
+
+    def do_execute(self):
+        registry = config.get_registry()
+        w3_factory = MakeW3(self.chain)
+        w3 = w3_factory.get_w3_obj()
+        ns = ENS.fromWeb3(w3, registry)
+        address = ns.address(self.ens_name)
+        return address == self.contract_address
+
+
+class HashValidityChecker(VerificationCheck):
+    def __init__(self, merkle_root, target_hash, certificate_model):
+        self.merkle_root = merkle_root
+        self.target_hash = target_hash
+        self.certificate_model = certificate_model
+
+    def do_execute(self):
+        if self.merkle_root == self.target_hash:
+            targethashverif = verify_hash(self.target_hash, self.certificate_model, True)
+            validity = targethashverif["validity"]
+        else:
+            merkleverif = verify_hash(self.merkle_root, self.certificate_model, True)
+            validity = merkleverif["validity"]
+
+            targethashverif = verify_hash(self.target_hash, self.certificate_model)
+            validity &= targethashverif["validity"]
+
+        return validity
+
+
 # Verification group creators
 
 def create_embedded_signature_verification_group(signatures, transaction_info, chain):
@@ -232,26 +295,37 @@ def create_embedded_signature_verification_group(signatures, transaction_info, c
     return VerificationGroup(steps=[signature_check], name='Checking issuer signature')
 
 
-def create_anchored_data_verification_group(signatures, chain, transaction_info, detect_unmapped_fields=False):
+def create_anchored_data_verification_group(certificate_model, chain, transaction_info=None,
+                                            detect_unmapped_fields=False, is_issued_on_smartcontract=False):
     anchored_data_verification = None
+    signatures = certificate_model.signatures
     for s in signatures:
-        if s.signature_type == SignatureType.signed_transaction:
-            if s.merkle_proof:
-                steps = [ReceiptIntegrityChecker(s.merkle_proof.proof_json),
-                         NormalizedJsonLdIntegrityChecker(s.content_to_verify, s.merkle_proof.target_hash,
-                                                          detect_unmapped_fields=detect_unmapped_fields)]
-                if chain != Chain.mockchain and chain != Chain.bitcoin_regtest:
-                    steps.append(MerkleRootIntegrityChecker(s.merkle_proof.merkle_root, transaction_info.op_return))
-
-                anchored_data_verification = VerificationGroup(
-                    steps=steps,
-                    name='Checking certificate has not been tampered with')
-            else:
-                anchored_data_verification = VerificationGroup(
-                    steps=[BinaryFileIntegrityChecker(s.content_to_verify, transaction_info)],
-                    name='Checking certificate has not been tampered with')
-
-            break
+        if is_issued_on_smartcontract:
+            steps = [ReceiptIntegrityChecker(s.merkle_proof.proof_json),
+                     NormalizedJsonLdIntegrityChecker(s.content_to_verify,
+                                                      s.merkle_proof.target_hash,
+                                                      detect_unmapped_fields=detect_unmapped_fields)]
+            anchored_data_verification = VerificationGroup(
+                steps=steps,
+                name='Checking certificate has not been tampered with')
+        else:
+            if s.signature_type == SignatureType.signed_transaction:
+                if s.merkle_proof:
+                    steps = [ReceiptIntegrityChecker(s.merkle_proof.proof_json),
+                             NormalizedJsonLdIntegrityChecker(s.content_to_verify, s.merkle_proof.target_hash,
+                                                              detect_unmapped_fields=detect_unmapped_fields)]
+                    if chain != Chain.mockchain and chain != Chain.bitcoin_regtest:
+                        steps.append(MerkleRootIntegrityChecker(s.merkle_proof.merkle_root, transaction_info.op_return))
+
+                    anchored_data_verification = VerificationGroup(
+                        steps=steps,
+                        name='Checking certificate has not been tampered with')
+                else:
+                    anchored_data_verification = VerificationGroup(
+                        steps=[BinaryFileIntegrityChecker(s.content_to_verify, transaction_info)],
+                        name='Checking certificate has not been tampered with')
+                break
+            pass
     return anchored_data_verification
 
 
@@ -267,13 +341,13 @@ def create_revocation_verification_group(certificate_model, issuer_info, transac
     return VerificationGroup(steps=[revocation_check], name='Checking not revoked by issuer')
 
 
-def create_verification_steps(certificate_model, transaction_info, issuer_info, chain):
+def create_verification_steps(certificate_model, transaction_info=None, issuer_info=None, chain=None,
+                              is_issued_on_smartcontract=False):
     steps = []
-
     v2ish = certificate_model.version == BlockcertVersion.V2 or certificate_model.version == BlockcertVersion.V2_ALPHA
 
     # embedded signature: V1.1. and V1.2 must have this
-    if not v2ish:
+    if not v2ish and not is_issued_on_smartcontract:
         embedded_signature_group = create_embedded_signature_verification_group(certificate_model.signatures,
                                                                                 transaction_info, chain)
         if not embedded_signature_group:
@@ -282,10 +356,12 @@ def create_verification_steps(certificate_model, transaction_info, issuer_info,
 
     # transaction-anchored data. All versions must have this. In V2 we add an extra check for unmapped fields
     detect_unmapped_fields = v2ish
-    transaction_signature_group = create_anchored_data_verification_group(certificate_model.signatures,
-                                                                          chain,
-                                                                          transaction_info,
-                                                                          detect_unmapped_fields)
+    transaction_signature_group = create_anchored_data_verification_group(certificate_model=certificate_model,
+                                                                          chain=chain,
+                                                                          transaction_info=transaction_info,
+                                                                          detect_unmapped_fields=detect_unmapped_fields,
+                                                                          is_issued_on_smartcontract=is_issued_on_smartcontract)
+
     if not transaction_signature_group:
         raise InvalidCertificateError('Did not find transaction verification info in certificate')
     steps.append(transaction_signature_group)
@@ -295,18 +371,31 @@ def create_verification_steps(certificate_model, transaction_info, issuer_info,
     steps.append(VerificationGroup(steps=[expired_group],
                                    name='Checking certificate has not expired'))
 
-    # revocation check. All versions have this
-    revocation_group = create_revocation_verification_group(certificate_model, issuer_info, transaction_info)
-    steps.append(revocation_group)
-
-    # authenticity check
-    if chain != Chain.mockchain and chain != Chain.bitcoin_regtest:
-        key_map = {k.public_key: k for k in issuer_info.issuer_keys}
-        authenticity_checker = AuthenticityChecker(transaction_info.signing_key, transaction_info.date_time_utc,
-                                                   key_map)
-        steps.append(VerificationGroup(steps=[authenticity_checker],
-                                       name='Checking authenticity'))
-
-    if chain == Chain.mockchain or chain == Chain.bitcoin_regtest:
-        return VerificationGroup(steps=steps, name='Validation', success_status=StepStatus.mock_passed)
+    if is_issued_on_smartcontract:
+        for s in certificate_model.signatures:
+            # check if certificates hash is really issued and has not been revoked
+            hash_group = HashValidityChecker(s.merkle_proof.merkle_root,
+                                             s.merkle_proof.target_hash,
+                                             certificate_model)
+            steps.append(VerificationGroup(steps=[hash_group],
+                                           name='Checking if certificate is valid and has not been revoked'))
+
+        # ens check -> checks if smartcontract in signatures really belongs to the ens entry
+        ens_group = EnsChecker(certificate_model)
+        steps.append(VerificationGroup(steps=[ens_group], name='Checking if certificate is really issued by ens owner'))
+    else:
+        # revocation check. All versions have this
+        revocation_group = create_revocation_verification_group(certificate_model, issuer_info, transaction_info)
+        steps.append(revocation_group)
+
+        # authenticity check
+        if chain != Chain.mockchain and chain != Chain.bitcoin_regtest:
+            key_map = {k.public_key: k for k in issuer_info.issuer_keys}
+            authenticity_checker = AuthenticityChecker(transaction_info.signing_key, transaction_info.date_time_utc,
+                                                       key_map)
+            steps.append(VerificationGroup(steps=[authenticity_checker],
+                                           name='Checking authenticity'))
+
+        if chain == Chain.mockchain or chain == Chain.bitcoin_regtest:
+            return VerificationGroup(steps=steps, name='Validation', success_status=StepStatus.mock_passed)
     return VerificationGroup(steps=steps, name='Validation')

cert_verifier/config.ini

@@ -0,0 +1,3 @@
+# the node addresses which should be used to connect to the ethereum blockchain
+node_ropsten = https://ropsten.infura.io/v3/a70de76e3fd748cbb6dbb2ed49dda183
+node_mainnet = https://mainnet.infura.io/v3/a70de76e3fd748cbb6dbb2ed49dda183

cert_verifier/config.py

@@ -0,0 +1,54 @@
+import os
+import configargparse
+from web3 import Web3, HTTPProvider
+
+_CWD = None
+_CONFIG = None
+
+
+def add_arguments(p):
+    p.add('-c', '--my-config', required=False, env_var='CONFIG_FILE',
+          is_config_file=True, help='config file path')
+    p.add_argument('--node_ropsten', help='infura ropsten', env_var='INFURA_ROPSTEN')
+    p.add_argument('--node_mainnet', help='infura mainnet', env_var='INFURA_MAINNET')
+    p.add_argument('--ens_registry', required=False, default="0x00000000000C2E074eC69A0dFb2997BA6C7d2e1e",
+                   help='mainnet', env_var='REGISTRY')
+
+
+def read_config():
+    p = configargparse.getArgumentParser(default_config_files=[os.path.join(_CWD, 'config.ini')])
+    add_arguments(p)
+    parsed_config, _ = p.parse_known_args()
+    return vars(parsed_config)
+
+
+def init_config():
+    global _CONFIG
+    if _CONFIG is None:
+        _CONFIG = read_config()
+    else:
+        return _CONFIG
+
+
+def init_cwd(cwd):
+    global _CWD
+    if _CWD is None:
+        _CWD = cwd
+    else:
+        return _CWD
+
+
+def get_infura(chain):
+    init_config()
+    global _CONFIG
+    if chain == "ethereumMainnet":
+        return _CONFIG["node_mainnet"]
+    else:
+        return _CONFIG["node_ropsten"]
+
+
+def get_registry():
+    init_config()
+    global _CONFIG
+    w3 = Web3(HTTPProvider())
+    return w3.toChecksumAddress(_CONFIG["ens_registry"])