cardano-foundation · matiwinnetou · Nov 6, 2024 · Sep 29, 2024 · Oct 2, 2024 · Oct 2, 2024
diff --git a/backend-services/voting-app/build.gradle.kts b/backend-services/voting-app/build.gradle.kts
@@ -78,7 +78,7 @@ dependencies {
     runtimeOnly("org.postgresql:postgresql")
 
     implementation("org.cardanofoundation:merkle-tree-java:0.0.7")
-    implementation("org.cardanofoundation:cip30-data-signature-parser:0.0.11")
+    implementation("org.cardanofoundation:cip30-data-signature-parser:0.0.12")
 
     implementation("org.springdoc:springdoc-openapi-starter-webmvc-ui:2.2.0")
 

diff --git a/...d-services/voting-app/src/main/java/org/cardano/foundation/voting/domain/entity/Vote.java b/...d-services/voting-app/src/main/java/org/cardano/foundation/voting/domain/entity/Vote.java
@@ -60,7 +60,7 @@ public class Vote extends AbstractTimestampEntity {
     private String signature;
 
     @Column(name = "payload", nullable = false, columnDefinition = "text", length = 2048)
-    @Nullable
+    @Nullable // TODO remove nullable since payload is now always required
     private String payload;
 
     @Column(name = "public_key")

diff --git a/...ing-app/src/main/java/org/cardano/foundation/voting/service/auth/DefaultLoginService.java b/...ing-app/src/main/java/org/cardano/foundation/voting/service/auth/DefaultLoginService.java
@@ -81,7 +81,7 @@ public Either<Problem, LoginResult> login(Web3AuthenticationToken web3Authentica
     }
 
     private Either<Problem, LoginEnvelope> unwrapLoginVoteEnvelope(Web3ConcreteDetails concreteDetails) {
-        val jsonBody = concreteDetails.getSignedJson();
+        val jsonBody = concreteDetails.getPayload();
 
         val jsonPayloadE = jsonService.decodeCIP93LoginEnvelope(jsonBody);
         if (jsonPayloadE.isLeft()) {

diff --git a/...app/src/main/java/org/cardano/foundation/voting/service/auth/web3/CardanoWeb3Details.java b/...app/src/main/java/org/cardano/foundation/voting/service/auth/web3/CardanoWeb3Details.java
@@ -21,6 +21,7 @@ public class CardanoWeb3Details implements Web3ConcreteDetails {
     private Cip30VerificationResult cip30VerificationResult;
     private CIP93Envelope<Map<String, Object>> envelope;
     private SignedCIP30 signedCIP30;
+    private String payload;
 
     public String getUri() {
         return envelope.getUri();
@@ -40,8 +41,12 @@ public String getSignature() {
         return signedCIP30.getSignature();
     }
 
-    public Optional<String> getPayload() {
-        return Optional.empty();
+    public String getPayload() {
+        if (cip30VerificationResult.isHashed()) {
+            return payload;
+        }
+
+        return cip30VerificationResult.getMessage(MessageFormat.TEXT);
     }
 
     public Optional<String> getPublicKey() {

diff --git a/...-app/src/main/java/org/cardano/foundation/voting/service/auth/web3/CardanoWeb3Filter.java b/...-app/src/main/java/org/cardano/foundation/voting/service/auth/web3/CardanoWeb3Filter.java
@@ -30,10 +30,12 @@
 import java.util.List;
 import java.util.Optional;
 
+import static com.bloxbean.cardano.client.crypto.Blake2bUtil.blake2bHash224;
+import static com.bloxbean.cardano.client.util.HexUtil.decodeHexString;
+import static com.bloxbean.cardano.client.util.HexUtil.encodeHexString;
 import static org.cardano.foundation.voting.domain.Role.VOTER;
 import static org.cardano.foundation.voting.domain.web3.WalletType.CARDANO;
-import static org.cardano.foundation.voting.resource.Headers.X_Ballot_PublicKey;
-import static org.cardano.foundation.voting.resource.Headers.X_Ballot_Signature;
+import static org.cardano.foundation.voting.resource.Headers.*;
 import static org.cardano.foundation.voting.service.auth.LoginSystem.CARDANO_CIP93;
 import static org.cardano.foundation.voting.service.auth.web3.MoreFilters.sendBackProblem;
 import static org.cardano.foundation.voting.utils.MoreNumber.isNumeric;
@@ -77,6 +79,7 @@ protected void doFilterInternal(HttpServletRequest req,
 
         val signatureM = Optional.ofNullable(req.getHeader(X_Ballot_Signature));
         val publicKey = req.getHeader(X_Ballot_PublicKey);
+        val payloadM = Optional.ofNullable(req.getHeader(X_Ballot_Payload));
 
         if (signatureM.isEmpty()) {
             val problem = Problem.builder()
@@ -122,7 +125,37 @@ protected void doFilterInternal(HttpServletRequest req,
 
         val walletId = maybeAddress.orElseThrow();
 
-        val cipBody = cipVerificationResult.getMessage(MessageFormat.TEXT);
+        var cipBody = cipVerificationResult.getMessage(MessageFormat.TEXT);
+        if (cipVerificationResult.isHashed() && payloadM.isEmpty()) {
+            val problem = Problem.builder()
+                    .withTitle("HASHED_CONTENT_NO_PAYLOAD")
+                    .withDetail("Payload was not sent along with the request and CIP-30 signature contains is hashed!")
+                    .withStatus(BAD_REQUEST)
+                    .build();
+
+            sendBackProblem(objectMapper, res, problem);
+            return;
+        }
+
+        if (cipVerificationResult.isHashed()) {
+            val cipBodyHash = cipVerificationResult.getMessage(MessageFormat.HEX);
+            val payload = payloadM.orElseThrow();
+
+            val payloadHash = encodeHexString(blake2bHash224(decodeHexString(payload)));
+
+            if (!cipBodyHash.equals(payloadHash)) {
+                val problem = Problem.builder()
+                        .withTitle("CIP_30_HASH_MISMATCH")
+                        .withDetail("Signed hash does not match our precalculated hash!")
+                        .withStatus(BAD_REQUEST)
+                        .build();
+
+                sendBackProblem(objectMapper, res, problem);
+                return;
+            }
+
+            cipBody = new String(decodeHexString(payload)); // flip cipBody to be payload for further processing
+        }
 
         val cip93EnvelopeE = jsonService.decodeGenericCIP93(cipBody);
         if (cip93EnvelopeE.isEmpty()) {
@@ -318,6 +351,7 @@ protected void doFilterInternal(HttpServletRequest req,
                 .web3CommonDetails(commonWeb3Details)
                 .envelope(genericEnvelope)
                 .signedCIP30(signedWeb3Request)
+                .payload(cipBody)
                 .cip30VerificationResult(cipVerificationResult)
                 .build();
 

diff --git a/...ng-app/src/main/java/org/cardano/foundation/voting/service/auth/web3/KeriWeb3Details.java b/...ng-app/src/main/java/org/cardano/foundation/voting/service/auth/web3/KeriWeb3Details.java
@@ -40,8 +40,8 @@ public String getSignature() {
     }
 
     @Override
-    public Optional<String> getPayload() {
-        return Optional.of(signedKERI.getPayload());
+    public String getPayload() {
+        return signedKERI.getPayload();
     }
 
     @Override

diff --git a/...pp/src/main/java/org/cardano/foundation/voting/service/auth/web3/Web3ConcreteDetails.java b/...pp/src/main/java/org/cardano/foundation/voting/service/auth/web3/Web3ConcreteDetails.java
@@ -16,7 +16,7 @@ public interface Web3ConcreteDetails {
 
     String getSignature();
 
-    Optional<String> getPayload();
+    String getPayload();
 
     Optional<String> getPublicKey();
 

diff --git a/...ting-app/src/main/java/org/cardano/foundation/voting/service/vote/DefaultVoteService.java b/...ting-app/src/main/java/org/cardano/foundation/voting/service/vote/DefaultVoteService.java
@@ -28,9 +28,9 @@
 import org.zalando.problem.Problem;
 
 import java.util.List;
+import java.util.Objects;
 import java.util.Optional;
 import java.util.UUID;
-import java.util.Objects;
 
 import static com.bloxbean.cardano.client.util.HexUtil.encodeHexString;
 import static org.cardano.foundation.voting.domain.VoteReceipt.Status.*;
@@ -306,7 +306,7 @@ public Either<Problem, Vote> castVote(Web3AuthenticationToken web3Authentication
             existingVote.setVotedAtSlot(castVote.getVotedAtSlot());
             existingVote.setWalletType(walletType);
             existingVote.setSignature(concreteDetails.getSignature());
-            existingVote.setPayload(concreteDetails.getPayload());
+            existingVote.setPayload(Optional.of(concreteDetails.getPayload()));
             existingVote.setPublicKey(concreteDetails.getPublicKey());
 
             return Either.right(voteRepository.saveAndFlush(existingVote));
@@ -321,7 +321,7 @@ public Either<Problem, Vote> castVote(Web3AuthenticationToken web3Authentication
         vote.setWalletType(walletType);
         vote.setVotedAtSlot(castVote.getVotedAtSlot());
         vote.setSignature(concreteDetails.getSignature());
-        vote.setPayload(concreteDetails.getPayload());
+        vote.setPayload(Optional.of(concreteDetails.getPayload()));
         vote.setPublicKey(concreteDetails.getPublicKey());
         vote.setIdNumericHash(UUID.fromString(voteId).hashCode() & 0xFFFFFFF);
 
@@ -412,7 +412,7 @@ public Either<Problem, Vote> castVote(Web3AuthenticationToken web3Authentication
     }
 
     private Either<Problem, ViewVoteReceiptEnvelope> unwrapViewVoteReceiptEnvelope(Web3ConcreteDetails concreteDetails) {
-        val signedJson = concreteDetails.getSignedJson();
+        val signedJson = concreteDetails.getPayload();
 
         switch (concreteDetails) {
             case CardanoWeb3Details cardanoWeb3Details -> {
@@ -455,7 +455,7 @@ private Either<Problem, ViewVoteReceiptEnvelope> unwrapViewVoteReceiptEnvelope(W
     }
 
     private Either<Problem, VoteEnvelope> unwrapCastCoteEnvelope(Web3ConcreteDetails concreteDetails) {
-        val signedJson = concreteDetails.getSignedJson();
+        val signedJson = concreteDetails.getPayload();
 
         switch (concreteDetails) {
             case CardanoWeb3Details cardanoWeb3Details -> {