immesys / wave

Wide Area Verified Exchange - version 3
MIT License

Proof of multiple permissions not verifiable with multiple attestations #11

Closed ddreyer closed 5 years ago

ddreyer commented 5 years ago

Running the script below, which creates 2 attestations with different permissions, results in a proof that cannot be verified, but from my understanding this should be possible. The result of running it is:

panic: (912: proof is well formed but grants insufficient permissions)

goroutine 1 [running]:
main.main()
    /home/sgx/wave-verify-sgx2/enclave_plus_app_src/test_verify.go:1289 +0x1b6b
exit status 2
// Connect to the local WAVE agent. grpc.WithInsecure() turns off transport
// security, so everything sent on this connection -- including the entity
// secret DER passed in each Perspective further down -- travels in the clear.
// The target is loopback (127.0.0.1). NOTE(review): keep it loopback-only, or
// use TLS transport credentials before pointing this at a remote agent.
dialOpts := []grpc.DialOption{
    grpc.WithInsecure(),
    grpc.FailOnNonTempDialError(true),
    grpc.WithBlock(), // wait for the dial to succeed or fail before returning
}
conn, err := grpc.Dial("127.0.0.1:410", dialOpts...)
if err != nil {
    fmt.Printf("failed to connect to agent: %v\n", err)
    os.Exit(1)
}
waveconn = pb.NewWAVEClient(conn)
// Create the two entities used by the reproduction. Src issues the
// attestations below and Dst is their subject. Each call can fail two ways:
// a transport-level err, or an application-level Error inside the response;
// both are fatal here. The responses also hold SecretDER, which the script
// later hands back to the agent inside each Perspective.
Src, err = waveconn.CreateEntity(context.Background(), &pb.CreateEntityParams{})
switch {
case err != nil:
    panic(err)
case Src.Error != nil:
    panic(Src.Error.Message)
}

Dst, err = waveconn.CreateEntity(context.Background(), &pb.CreateEntityParams{})
switch {
case err != nil:
    panic(err)
case Dst.Error != nil:
    panic(Dst.Error.Message)
}
// Publish the public half (PublicDER) of both entities to the agent's
// "default" location. Only the public DER is sent in these two requests.
srcresp, err := waveconn.PublishEntity(context.Background(), &pb.PublishEntityParams{
    DER:      Src.PublicDER,
    Location: &pb.Location{AgentLocation: "default"},
})
switch {
case err != nil:
    panic(err)
case srcresp.Error != nil:
    panic(srcresp.Error.Message)
}

dstresp, err := waveconn.PublishEntity(context.Background(), &pb.PublishEntityParams{
    DER:      Dst.PublicDER,
    Location: &pb.Location{AgentLocation: "default"},
})
switch {
case err != nil:
    panic(err)
case dstresp.Error != nil:
    panic(dstresp.Error.Message)
}
// First attestation: created from Src's perspective (Src.SecretDER) with Dst
// as the subject. Its single policy statement carries the permission
// "default" on resource "default", in namespace and permission set Src.Hash.
attresp, err := waveconn.CreateAttestation(context.Background(), &pb.CreateAttestationParams{
    Perspective: &pb.Perspective{
        EntitySecret: &pb.EntitySecret{DER: Src.SecretDER},
        Location:     &pb.Location{AgentLocation: "default"},
    },
    BodyScheme:      eapi.BodySchemeWaveRef1,
    SubjectHash:     Dst.Hash,
    SubjectLocation: &pb.Location{AgentLocation: "default"},
    Policy: &pb.Policy{
        RTreePolicy: &pb.RTreePolicy{
            Namespace:    Src.Hash,
            Indirections: 4,
            Statements: []*pb.RTreePolicyStatement{{
                PermissionSet: Src.Hash,
                Permissions:   []string{"default"},
                Resource:      "default",
            }},
        },
    },
})
switch {
case err != nil:
    panic(err)
case attresp.Error != nil:
    panic(attresp.Error.Message)
}

// Publish the encoded attestation returned by the agent.
attpub, err := waveconn.PublishAttestation(context.Background(), &pb.PublishAttestationParams{
    DER: attresp.DER,
})
switch {
case err != nil:
    panic(err)
case attpub.Error != nil:
    panic(attpub.Error.Message)
}
// Second attestation: same issuer (Src), subject (Dst), namespace and
// resource as the first one. The only difference is the permission, which is
// "default2" here. After this, Dst holds the two permissions through two
// separate attestations, which is the situation the issue is about.
attresp, err = waveconn.CreateAttestation(context.Background(), &pb.CreateAttestationParams{
    Perspective: &pb.Perspective{
        EntitySecret: &pb.EntitySecret{DER: Src.SecretDER},
        Location:     &pb.Location{AgentLocation: "default"},
    },
    BodyScheme:      eapi.BodySchemeWaveRef1,
    SubjectHash:     Dst.Hash,
    SubjectLocation: &pb.Location{AgentLocation: "default"},
    Policy: &pb.Policy{
        RTreePolicy: &pb.RTreePolicy{
            Namespace:    Src.Hash,
            Indirections: 4,
            Statements: []*pb.RTreePolicyStatement{{
                PermissionSet: Src.Hash,
                Permissions:   []string{"default2"},
                Resource:      "default",
            }},
        },
    },
})
switch {
case err != nil:
    panic(err)
case attresp.Error != nil:
    panic(attresp.Error.Message)
}

// Publish the second attestation, reusing attpub and err from above.
attpub, err = waveconn.PublishAttestation(context.Background(), &pb.PublishAttestationParams{
    DER: attresp.DER,
})
switch {
case err != nil:
    panic(err)
case attpub.Error != nil:
    panic(attpub.Error.Message)
}

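// Ask the agent to resync the graph as seen from Dst's perspective. The
// original script discarded both return values; a failed resync would then go
// unnoticed and the proof below would be built from a stale graph.
// NOTE(review): the response may also carry an application-level Error like
// the other calls in this script -- confirm and check it as well.
_, err = waveconn.ResyncPerspectiveGraph(context.Background(), &pb.ResyncPerspectiveGraphParams{
    Perspective: &pb.Perspective{
        EntitySecret: &pb.EntitySecret{
            DER: Dst.SecretDER,
        },
    },
})
if err != nil {
    panic(err)
}

// Open the stream that reports sync progress for the same perspective.
cl, err := waveconn.WaitForSyncComplete(context.Background(), &pb.SyncParams{
    Perspective: &pb.Perspective{
        EntitySecret: &pb.EntitySecret{
            DER: Dst.SecretDER,
        },
    },
})
if err != nil {
    panic(err)
}

// Drain the stream until the agent closes it. io.EOF is the normal end of the
// stream; any other error is fatal. The original loop only left on io.EOF, so
// a different error from Recv was ignored and the loop had no other exit.
for {
    _, err := cl.Recv()
    if err == io.EOF {
        break
    }
    if err != nil {
        panic(err)
    }
}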
// Build a proof, from Dst's perspective, that Dst holds both "default" and
// "default2" on resource "default" in Src's namespace. Both permissions are
// requested in one statement. According to the reporter later in this thread,
// the proof returned here does include both attestations, so building is not
// where the failure comes from.
proofresp, err := waveconn.BuildRTreeProof(context.Background(), &pb.BuildRTreeProofParams{
    Perspective: &pb.Perspective{
        EntitySecret: &pb.EntitySecret{DER: Dst.SecretDER},
        Location:     &pb.Location{AgentLocation: "default"},
    },
    SubjectHash: Dst.Hash,
    Namespace:   Src.Hash,
    Statements: []*pb.RTreePolicyStatement{{
        PermissionSet: Src.Hash,
        Permissions:   []string{"default", "default2"},
        Resource:      "default",
    }},
})
switch {
case err != nil:
    panic(err)
case proofresp.Error != nil:
    panic(proofresp.Error.Message)
}

// Verify the proof against the policy the verifier requires. This block is
// the failing reproduction and is kept as reported: the required policy lists
// both permissions in ONE statement. Presumably this is the call that yields
// "912: proof is well formed but grants insufficient permissions" shown at the
// top of the report. Per the resolution at the end of this thread,
// verification needed 2 separate policy statements in VerifyProofParams
// instead of 1. Note that the mismatch makes verification reject the proof
// (an error is returned and the script panics) rather than accept it.
verifyresp, err := waveconn.VerifyProof(context.Background(), &pb.VerifyProofParams{
    ProofDER: proofresp.ProofDER,
    Subject:  Dst.Hash,
    RequiredRTreePolicy: &pb.RTreePolicy{
        Namespace: Src.Hash,
        Statements: []*pb.RTreePolicyStatement{{
            PermissionSet: Src.Hash,
            Permissions:   []string{"default", "default2"},
            Resource:      "default",
        }},
    },
})
switch {
case err != nil:
    panic(err)
case verifyresp.Error != nil:
    panic(verifyresp.Error.Message)
}
immesys commented 5 years ago

In the DER of the proof that is returned, does it include both attestations? I.e., is this a verify bug rather than a build bug?

ddreyer commented 5 years ago

Yes, the built proof includes both attestations. However, I just tried the same workflow on the command line and it seemed to work so I'm scratching my head. Wondering if you can reproduce this?

ddreyer commented 5 years ago

ah, just realized the issue. I needed 2 separate policy statements in VerifyProofParams instead of 1. I'll close this now.