eclipse-tractusx / managed-identity-wallet

Apache License 2.0

BUG: self issue a verifiable credential without expiration date #221

Closed mustafasalfiti closed 8 months ago

mustafasalfiti commented 9 months ago

I have this bug: when I try to issue a verifiable credential using the holder API controller, I get this error:

2023-12-18T12:36:13.902+01:00 WARN 16856 --- [p-nio-80-exec-3] .m.m.a.ExceptionHandlerExceptionResolver : Resolved [java.lang.NullPointerException: Cannot invoke "java.time.Instant.toEpochMilli()" because "instant" is null]

Code block that is causing this bug

HoldersCredentialService.java


    public VerifiableCredential issueCredential(Map<String, Object> data, String callerBpn) {
        // We are creating a VC without checking and validating the values that came from the call

        VerifiableCredential verifiableCredential = new VerifiableCredential(data);
        Wallet issuerWallet = commonService.getWalletByIdentifier(verifiableCredential.getIssuer().toString());

        //validate BPN access, Holder must be caller of API
        Validate.isFalse(callerBpn.equals(issuerWallet.getBpn())).launch(new ForbiddenException(BASE_WALLET_BPN_IS_NOT_MATCHING_WITH_REQUEST_BPN_FROM_TOKEN));

        // get Key
        byte[] privateKeyBytes = walletKeyService.getPrivateKeyByWalletIdentifierAsBytes(issuerWallet.getId());

        // Create Credential

        // We are getting the expirationDate without checking if there is a date in the first place, which will cause the bug to happen

        HoldersCredential credential = CommonUtils.getHoldersCredential(verifiableCredential.getCredentialSubject().get(0),
                verifiableCredential.getTypes(), issuerWallet.getDidDocument(),
                privateKeyBytes, issuerWallet.getDid(),
                verifiableCredential.getContext(), Date.from(verifiableCredential.getExpirationDate()), true);

        //Store Credential in holder table
        credential = create(credential);

        log.debug("VC type of {} issued to bpn ->{}", StringEscapeUtils.escapeJava(verifiableCredential.getTypes().toString()), StringEscapeUtils.escapeJava(callerBpn));
        // Return VC
        return credential.getData();
    }

Solutions

We could first check the data that comes from the client and create a valid VC using that.
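
One way to do the check proposed above, as an added example that is not part of the issue or the project's code: the expiration date is read and validated from the raw request map before `Date.from(...)` is ever called, so a missing value becomes a client error instead of a `NullPointerException`. The class, method and exception names are hypothetical, and rejecting a missing date (rather than issuing without one) is an assumed policy.

```java
import java.time.Instant;
import java.time.format.DateTimeParseException;
import java.util.Date;
import java.util.Map;

// Added example; class, method and exception names are hypothetical, not project code.
public class ExpirationDateCheck {

    /** Thrown for bad client input so the caller can map it to a 4xx response. */
    static class InvalidCredentialRequest extends RuntimeException {
        InvalidCredentialRequest(String message) { super(message); }
    }

    /**
     * Reads "expirationDate" from the raw request map before any credential
     * object is built and returns it as a java.util.Date.
     * Assumed policy: missing, malformed or already-expired values are rejected.
     */
    static Date requireExpirationDate(Map<String, Object> data, Instant now) {
        Object raw = data == null ? null : data.get("expirationDate");
        if (!(raw instanceof String) || ((String) raw).isBlank()) {
            throw new InvalidCredentialRequest("expirationDate is required");
        }
        Instant expiry;
        try {
            expiry = Instant.parse(((String) raw).trim()); // ISO-8601 instant
        } catch (DateTimeParseException e) {
            throw new InvalidCredentialRequest("expirationDate is not an ISO-8601 timestamp");
        }
        if (!expiry.isAfter(now)) {
            throw new InvalidCredentialRequest("expirationDate must be in the future");
        }
        return Date.from(expiry); // safe: expiry cannot be null at this point
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2023-12-18T11:36:13Z"); // constructed sample clock
        // Constructed sample requests, not taken from the issue.
        Map<String, Object> ok = Map.of("expirationDate", "2025-01-01T00:00:00Z");
        Map<String, Object> missing = Map.of("type", "VerifiableCredential");
        System.out.println(requireExpirationDate(ok, now));
        try {
            requireExpirationDate(missing, now);
        } catch (InvalidCredentialRequest e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```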