github/self
1
1
Fork 0
mirror of https://github.com/selfxyz/self.git synced 2026-04-27 03:01:15 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
96390041a6ea10c63664bbcd61afc159a9d91dcb
self/circuits/circuits/gcp_jwt_verifier
History
Nesopie e77247f372 Feat/kyc (#1623) 
* feat: selfrica circuit and tests

* chore: remove unused code

* feat: test for ofac,date and olderthan

* fix: public signal constant

* feat: add contract tests

* feat: helper function to gen TEE input

* feat: gen circuit inputs with signature

* feat: seralized base64

* fix: DateIsLessFullYear componenet

* feat: register circuit for selfrica

* feat: selfrica disclose circuit and test

* fix: common module error

* feat: add more test and fix constant

* fix: commitment calculation

* feat: selfrica contracts

* test: selfrica register using unified circuit

* feat: register persona and selfrica circuit

* feat: selfrica circuit and tests

* chore: remove unused code

* feat: test for ofac,date and olderthan

* fix: public signal constant

* feat: add contract tests

* feat: helper function to gen TEE input

* feat: gen circuit inputs with signature

* feat: seralized base64

* fix: DateIsLessFullYear componenet

* feat: register circuit for selfrica

* feat: selfrica disclose circuit and test

* fix: common module error

* feat: add more test and fix constant

* fix: commitment calculation

* feat: selfrica contracts

* test: selfrica register using unified circuit

* feat: register persona and selfrica circuit

* refactor: contract size reduction for IdentityVerificationHubImplV2

export function logic to external libs, reduce compiler runs to 200, update deploy scripts to link new libs

* feat: disclose circuit for persona

* feat: update  persona ofac trees

* feat; register circuit for selfper

* feat: disclose test for selfper

* chore: refactor

* chore : remove unused circuits

* chore: rename selfper to kyc

* chore: update comments

* feat: constrain s to be 251 bit

* feat: add range check on majority ASCII and comments

* feat: range check on neg_r_inv

* chore: remove is pk zero constrain

* merge dev

* feat: add registerPubkey function to Selfrica with GCPJWT Verification

* test: add testing for GCPJWT verification on Selfrica

* fix: script that calls register_selfrica circuits (ptau:14 -> ptau:15)

* fix: get remaining Selfrica tests working with proper import paths

* refactor: store pubkeys as string

also add some comment code for registerPubkey function

* refactor: remove registerPubkeyCommitment function

some tests now skipped as awaiting changes to how pubkeys are stored (string instead of uint256)

* feat: use hex decoding for the pubkey commitment

* test: adjust tests for pubkey being string again

* fix: remove old references to registerPubkey

* docs: add full natspec for IdentityRegistrySelfricaImplV1

* docs: update files in rest of the repo for Selfrica attestation type

* test: fix broken tests

* fix: builds and move to kyc from selfrica

* fix: constrain r_inv, Rx, s, T

* feat: eddsa

* feat: add onlyTEE check to registerPubkeyCommitment

onlyOwner is able to change onlyTEE

* refactor: update gcpRootCAPubkeyHash to be changeable by owner

* feat: add events for update functions

* style: move functions to be near other similar functions

* fix: kyc happy flow

* fix: all contract tests passing

| fix: timestamp conversion with Date(), migrate to V2 for endToEnd test, scope formatting, fix register aadhaar issue by using block.timestamp instead of Date.now(), fix changed getter function name, enable MockGCPJWTVerifier with updated file paths, add missing LeanIMT import, fix user identifier format

* audit: bind key offset-value offset and ensure image_digest only occurs once in the payload

* fix: constrain bracket

* chore: update comment

* audit: hardcode attestation id

* audit: make sure R and pubkey are on the curve

* audit: ensure pubkey is within bounds

* fix: all contract tests passing

* feat: change max length to 99 from 74

* audit: don't check sha256 padding

* audit: check the last window as well

* audit: single occurance for eat_nonce and image_digest

* audit: check if the certs are expired

* audit: add the timestamp check to the contract

* audit: make sure the person is less than 255 years of age

* audit fixes

* chore: yarn.lock

* fix: build fixes

* fix: aadhaar timestamp

* lint

* fix: types

* format

---------

Co-authored-by: vishal <vishalkoolkarni0045@gmail.com>
Co-authored-by: Evi Nova <tranquil_flow@protonmail.com>
2026-01-19 15:54:37 +05:30
..
example_jwt_fail.txt
Feat/kyc (#1623)
2026-01-19 15:54:37 +05:30
example_jwt.txt
feat(circuits): add GCP JWT verifier with TEE attestation claims extraction (#1317)
2025-11-10 19:57:36 +05:30
gcp_jwt_verifier.circom
Feat/kyc (#1623)
2026-01-19 15:54:37 +05:30
jwt_verifier.circom
Feat/kyc (#1623)
2026-01-19 15:54:37 +05:30
prepare.ts
Feat/kyc (#1623)
2026-01-19 15:54:37 +05:30
README.md
feat: 2.9 (#1325)
2025-11-11 10:37:05 -08:00

README.md

GCP JWT Verifier Circuit

Zero-knowledge circuits for verifying Google Cloud Platform Confidential Space JWT attestations with complete X.509 certificate chain validation.

Warning

: This circuit uses zk-jwt which is not yet audited (as of October 2025).

Overview

This circuit verifies GCP Confidential Space JWT attestations by validating the complete chain of trust:

  1. JWT Signature: Verifies the JWT was signed by the leaf certificate (x5c[0])
  2. Leaf Certificate: Verifies x5c[0] was signed by the intermediate CA (x5c[1])
  3. Intermediate Certificate: Verifies x5c[1] was signed by the root CA (x5c[2])

Public Outputs

The circuit exposes the following data as public outputs:

  • publicKeyHash, Poseidon hash of leaf certificate public key
  • header, Decoded JWT header
  • payload, Decoded JWT payload
  • eat_nonce_0_b64_output, Base64URL encoded EAT nonce
  • image_hash, Container image SHA256 hash

Architecture

The main circuit does:

  1. JWT signature verification (using x5c[0] pubkey)
  2. x5c[0] pubkey extraction and validation
  3. x5c[0] certificate signature verification (using x5c[1] pubkey)
  4. x5c[1] pubkey extraction and validation
  5. x5c[1] certificate signature verification (using x5c[2] pubkey)
  6. x5c[2] pubkey extraction and validation
  7. EAT nonce extraction and validation
  8. Container image digest extraction and validation

Usage

1. Prepare Circuit Inputs

Extract data from a GCP JWT attestation:

cd circuits
yarn tsx circuits/gcp_jwt_verifier/prepare.ts \
  circuits/gcp_jwt_verifier/example_jwt.txt \
  circuit_inputs.json

The prepare.ts script:

  • Parses the JWT header and payload
  • Extracts all 3 x5c certificates from the header
  • Extracts public keys and signatures from each certificate
  • Computes certificate hashes with proper padding
  • Locates EAT nonce and image digest in the payload
  • Converts all data to circuit-compatible format

2. Build Circuit

Compile the circuit and generate proving/verification keys:

yarn build-gcp-jwt-verifier

This runs scripts/build/build_gcp_jwt_verifier.sh which:

  • Compiles the circuit to R1CS and WASM
  • Generates zkey (proving key)
  • Exports verification key

3. Generate & Verify Proof

# Generate witness
node build/gcp/gcp_jwt_verifier/gcp_jwt_verifier_js/generate_witness.js \
  build/gcp/gcp_jwt_verifier/gcp_jwt_verifier_js/gcp_jwt_verifier.wasm \
  circuit_inputs.json \
  witness.wtns

# Generate proof
snarkjs groth16 prove \
  build/gcp/gcp_jwt_verifier/gcp_jwt_verifier_final.zkey \
  witness.wtns \
  proof.json \
  public.json

# Verify proof
snarkjs groth16 verify \
  build/gcp/gcp_jwt_verifier/gcp_jwt_verifier_vkey.json \
  public.json \
  proof.json

References

Reference in New Issue View Git Blame Copy Permalink