diff --git a/contracts/contracts/IdentityVerificationHubImplV2.sol b/contracts/contracts/IdentityVerificationHubImplV2.sol index 584db230f..b866f88d0 100644 --- a/contracts/contracts/IdentityVerificationHubImplV2.sol +++ b/contracts/contracts/IdentityVerificationHubImplV2.sol @@ -624,6 +624,7 @@ contract IdentityVerificationHubImplV2 is ImplRoot { // Scope 2: Root and date checks { _performRootCheck(header.attestationId, vcAndDiscloseProof, indices); + _performOfacCheck(header.attestationId, vcAndDiscloseProof, indices); if (header.attestationId == AttestationId.AADHAAR) { _performNumericCurrentDateCheck(vcAndDiscloseProof, indices); } else { @@ -705,11 +706,11 @@ contract IdentityVerificationHubImplV2 is ImplRoot { } } else if (attestationId == AttestationId.AADHAAR) { uint256 timestamp = registerCircuitProof.pubSignals[CircuitConstantsV2.AADHAAR_TIMESTAMP_INDEX]; - if (timestamp < block.timestamp - 20 minutes) { + if (timestamp < (block.timestamp - 20 minutes)) { revert InvalidUidaiTimestamp(); } - if (timestamp > block.timestamp + 20 minutes) { + if (timestamp > (block.timestamp + 20 minutes)) { revert InvalidUidaiTimestamp(); } @@ -884,6 +885,46 @@ contract IdentityVerificationHubImplV2 is ImplRoot { } } + function _performOfacCheck( + bytes32 attestationId, + GenericProofStruct memory vcAndDiscloseProof, + CircuitConstantsV2.DiscloseIndices memory indices + ) internal view { + IdentityVerificationHubStorage storage $ = _getIdentityVerificationHubStorage(); + + if (attestationId == AttestationId.E_PASSPORT) { + if ( + !IIdentityRegistryV1($._registries[attestationId]).checkOfacRoots( + vcAndDiscloseProof.pubSignals[indices.passportNoSmtRootIndex], + vcAndDiscloseProof.pubSignals[indices.namedobSmtRootIndex], + vcAndDiscloseProof.pubSignals[indices.nameyobSmtRootIndex] + ) + ) { + revert InvalidOfacRoots(); + } + } else if (attestationId == AttestationId.EU_ID_CARD) { + if ( + !IIdentityRegistryIdCardV1($._registries[attestationId]).checkOfacRoots( + vcAndDiscloseProof.pubSignals[indices.namedobSmtRootIndex], + vcAndDiscloseProof.pubSignals[indices.nameyobSmtRootIndex] + ) + ) { + revert InvalidOfacRoots(); + } + } else if (attestationId == AttestationId.AADHAAR) { + if ( + !IIdentityRegistryAadhaarV1($._registries[attestationId]).checkOfacRoots( + vcAndDiscloseProof.pubSignals[indices.namedobSmtRootIndex], + vcAndDiscloseProof.pubSignals[indices.nameyobSmtRootIndex] + ) + ) { + revert InvalidOfacRoots(); + } + } else { + revert InvalidAttestationId(); + } + } + /** * @notice Performs current date validation */ diff --git a/contracts/contracts/interfaces/IIdentityRegistryAadhaarV1.sol b/contracts/contracts/interfaces/IIdentityRegistryAadhaarV1.sol index ed05b140b..f59a4960d 100644 --- a/contracts/contracts/interfaces/IIdentityRegistryAadhaarV1.sol +++ b/contracts/contracts/interfaces/IIdentityRegistryAadhaarV1.sol @@ -77,16 +77,9 @@ interface IIdentityRegistryAadhaarV1 { * @notice Checks if the provided OFAC roots match the stored OFAC roots. * @param nameAndDobRoot The name and date of birth OFAC root to verify. * @param nameAndYobRoot The name and year of birth OFAC root to verify. - * @param nameAndDobReverseRoot The name and date of birth OFAC root to verify. - * @param nameAndYobReverseRoot The name and year of birth OFAC root to verify. * @return True if all provided roots match the stored values, false otherwise. */ - function checkOfacRoots( - uint256 nameAndDobRoot, - uint256 nameAndYobRoot, - uint256 nameAndDobReverseRoot, - uint256 nameAndYobReverseRoot - ) external view returns (bool); + function checkOfacRoots(uint256 nameAndDobRoot, uint256 nameAndYobRoot) external view returns (bool); /** * @notice Checks if the provided UIDAI pubkey is stored in the registry and also if it's not expired. diff --git a/contracts/contracts/registry/IdentityRegistryAadhaarImplV1.sol b/contracts/contracts/registry/IdentityRegistryAadhaarImplV1.sol index 1e48288d5..6a66fa411 100644 --- a/contracts/contracts/registry/IdentityRegistryAadhaarImplV1.sol +++ b/contracts/contracts/registry/IdentityRegistryAadhaarImplV1.sol @@ -64,12 +64,6 @@ abstract contract IdentityRegistryAadhaarStorageV1 is ImplRoot { /// @notice Current name and year of birth OFAC root. uint256 internal _nameAndYobOfacRoot; - - /// @notice Current name and date of birth reverse OFAC root. - uint256 internal _nameAndDobReverseOfacRoot; - - /// @notice Current name and year of birth reverse OFAC root. - uint256 internal _nameAndYobReverseOfacRoot; } /** @@ -253,33 +247,15 @@ contract IdentityRegistryAadhaarImplV1 is IdentityRegistryAadhaarStorageV1, IIde return _nameAndYobOfacRoot; } - /// @notice Retrieves the current name and date of birth reverse OFAC root. - /// @return The current name and date of birth reverse OFAC root value. - function getNameAndDobReverseOfacRoot() external view virtual onlyProxy returns (uint256) { - return _nameAndDobReverseOfacRoot; - } - - /// @notice Retrieves the current name and year of birth reverse OFAC root. - /// @return The current name and year of birth reverse OFAC root value. - function getNameAndYobReverseOfacRoot() external view virtual onlyProxy returns (uint256) { - return _nameAndYobReverseOfacRoot; - } - /// @notice Validates whether the provided OFAC roots match the stored values. /// @param nameAndDobRoot The name and date of birth OFAC root to validate. /// @param nameAndYobRoot The name and year of birth OFAC root to validate. /// @return True if all provided roots match the stored values, false otherwise. function checkOfacRoots( uint256 nameAndDobRoot, - uint256 nameAndYobRoot, - uint256 nameAndDobReverseRoot, - uint256 nameAndYobReverseRoot + uint256 nameAndYobRoot ) external view virtual onlyProxy returns (bool) { - return - _nameAndDobOfacRoot == nameAndDobRoot && - _nameAndYobOfacRoot == nameAndYobRoot && - _nameAndDobReverseOfacRoot == nameAndDobReverseRoot && - _nameAndYobReverseOfacRoot == nameAndYobReverseRoot; + return _nameAndDobOfacRoot == nameAndDobRoot && _nameAndYobOfacRoot == nameAndYobRoot; } /// @notice Checks if the provided UIDAI pubkey is stored in the registry and also if it's not expired. @@ -337,22 +313,6 @@ contract IdentityRegistryAadhaarImplV1 is IdentityRegistryAadhaarStorageV1, IIde emit NameAndYobOfacRootUpdated(newNameAndYobOfacRoot); } - /// @notice Updates the name and date of birth reverse OFAC root. - /// @dev Callable only via a proxy and restricted to the contract owner. - /// @param newNameAndDobReverseOfacRoot The new name and date of birth reverse OFAC root value. - function updateNameAndDobReverseOfacRoot(uint256 newNameAndDobReverseOfacRoot) external onlyProxy onlyOwner { - _nameAndDobReverseOfacRoot = newNameAndDobReverseOfacRoot; - emit NameAndDobReverseOfacRootUpdated(newNameAndDobReverseOfacRoot); - } - - /// @notice Updates the name and year of birth reverse OFAC root. - /// @dev Callable only via a proxy and restricted to the contract owner. - /// @param newNameAndYobReverseOfacRoot The new name and year of birth reverse OFAC root value. - function updateNameAndYobReverseOfacRoot(uint256 newNameAndYobReverseOfacRoot) external onlyProxy onlyOwner { - _nameAndYobReverseOfacRoot = newNameAndYobReverseOfacRoot; - emit NameAndYobReverseOfacRootUpdated(newNameAndYobReverseOfacRoot); - } - /// @notice Registers a new UIDAI pubkey commitment. /// @dev Callable only via a proxy and restricted to the contract owner. /// @param commitment The UIDAI pubkey commitment to register.