From fe4eb3786afb54a70a953a1d333b78c3b87bf688 Mon Sep 17 00:00:00 2001 From: Nesopie <87437291+Nesopie@users.noreply.github.com> Date: Mon, 30 Mar 2026 21:43:41 +0530 Subject: [PATCH] fix: use raw bytes for KYC register circuit inputs (#1888) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: use raw bytes for KYC register circuit inputs instead of deserialize+reserialize The deserialize→reserialize path strips the namespace prefix from id_type, producing different bytes than what the TEE signed. This causes EdDSA signature verification to fail in the circuit. Use raw base64-decoded bytes directly, matching the TEE's signed data. Co-Authored-By: Claude Opus 4.6 (1M context) * fix: use raw bytes for KYC register circuit inputs in common and new-common The deserialize→reserialize path strips the namespace prefix from id_type (\x05didit), producing different bytes than what the TEE signed. This causes EdDSA signature verification to fail in the register_kyc circuit. Use raw base64-decoded bytes directly in both common/ and new-common/. Co-Authored-By: Claude Opus 4.6 (1M context) --------- Co-authored-by: Claude Opus 4.6 (1M context) --- common/src/utils/kyc/generateInputs.ts | 10 +++++----- new-common/src/circuits/inputs/register-kyc.ts | 11 ++++++----- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/common/src/utils/kyc/generateInputs.ts b/common/src/utils/kyc/generateInputs.ts index d33874787..67cc5086f 100644 --- a/common/src/utils/kyc/generateInputs.ts +++ b/common/src/utils/kyc/generateInputs.ts @@ -251,16 +251,16 @@ export const generateKycRegisterInput = async ( pubkeyStr: [string, string], secret: string ) => { - const applicantInfo = deserializeApplicantInfo(applicantInfoBase64); const signature = deserializeSignature(signatureBase64); const pubkey = [BigInt(pubkeyStr[0]), BigInt(pubkeyStr[1])] as [bigint, bigint]; - const serializedData = serializeKycData(applicantInfo).padEnd(KYC_MAX_LENGTH, '\0'); - - const msgPadded = Array.from(serializedData, (x) => x.charCodeAt(0)); + // Use raw bytes directly — deserialize→reserialize strips the namespace prefix + // from id_type, producing different bytes than the TEE signed. + const raw = Buffer.from(applicantInfoBase64, 'base64'); + const dataPadded = [...Array.from(raw, (b) => Number(b)), ...new Array(Math.max(0, KYC_MAX_LENGTH - raw.length)).fill(0)]; const kycRegisterInput: KycRegisterInput = { - data_padded: msgPadded, + data_padded: dataPadded, s: signature.s, R: signature.R, pubKey: pubkey, diff --git a/new-common/src/circuits/inputs/register-kyc.ts b/new-common/src/circuits/inputs/register-kyc.ts index 9d9feb6c8..ec8c6114b 100644 --- a/new-common/src/circuits/inputs/register-kyc.ts +++ b/new-common/src/circuits/inputs/register-kyc.ts @@ -1,6 +1,6 @@ import { Base8, inCurve, mulPointEscalar, subOrder } from '@zk-kit/baby-jubjub'; -import { deserializeApplicantInfo, deserializeSignature } from '../../documents/kyc/api.js'; +import { deserializeSignature } from '../../documents/kyc/api.js'; import { KYC_MAX_LENGTH } from '../../documents/kyc/constants.js'; import type { KycRegisterInput } from '../../documents/kyc/types.js'; import { serializeKycData } from '../../documents/kyc/types.js'; @@ -13,15 +13,16 @@ export function generateKycRegisterInputs( pubkeyStr: [string, string], secret: string, ): KycRegisterInput { - const applicantInfo = deserializeApplicantInfo(applicantInfoBase64); const signature = deserializeSignature(signatureBase64); const pubkey = [BigInt(pubkeyStr[0]), BigInt(pubkeyStr[1])] as [bigint, bigint]; - const serializedData = serializeKycData(applicantInfo).padEnd(KYC_MAX_LENGTH, '\0'); - const msgPadded = Array.from(serializedData, x => x.charCodeAt(0)); + // Use raw bytes directly — deserialize→reserialize strips the namespace prefix + // from id_type, producing different bytes than the TEE signed. + const raw = Buffer.from(applicantInfoBase64, 'base64'); + const dataPadded = [...Array.from(raw, b => Number(b)), ...new Array(Math.max(0, KYC_MAX_LENGTH - raw.length)).fill(0)]; return { - data_padded: msgPadded, + data_padded: dataPadded, s: signature.s, R: signature.R, pubKey: pubkey,