Verifying proof results in true even if proof is manipulated

I'm playing around with proof requests, proofs and their verification. I noticed that the current Java wrapper verifies a manipulated proof to true, although it should be false.

For manipulation I changed the raw value in:

"requested_proof": {
    "predicates": {},
    "self_attested_attrs": {},
    "revealed_attrs": {
        "attr1_referent": {
            "raw": "L2ZKT17Q2",
            "sub_proof_index": 0,
            "encoded": "1405580844876701323570"
        }
    },
    "unrevealed_attrs": {}
}

to another value, which was not issued with the credential.

I also noticed that encoding attributes in the credential affects the verification of a generated proof. E.g. hashing a given string with SHA-256 to a hex string and then converting it to a big int results in an indy exception. Encoding the same value with smaller numbers gives no errors.

Has someone noticed the same? How do you encode raw values?

My libindy: 1.90

Additional info: I tried to replace random numbers in the original proof and the false proof also gets verified to true.

I noticed this, also, so what I did as a workaround was to create a signed hash of the credential and included that in the presented credential. Then on a proof request I recreated the signed hash and compared it against the original … that way I was able to detect if anyone had altered the data.

Can you please share a code snippet or github gist for reproducing the issue?

Yes, I'll make a small test project tomorrow which reproduces the issue. I'll post a link to GitHub here.

Ok here it is:

There is a small Java file and within it a single main.

Thanks @jsh4rk. This is a bug in libindy and I have verified it using a failing test that you can see in this commit. Both raw and encoded of the proof are ignored. Added a ticket in Jira here. Please raise such issues in the rocketchat channel to get a faster response.
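An application-side check for the gap confirmed in the last reply, as an added example that is not code from this thread, libindy or the Java wrapper: it ties each presented `raw`/`encoded` pair to the value inside the referenced sub-proof and is meant to run alongside the library's own proof verification, not instead of it. Assumptions: the proof layout `proof.proofs[i].primary_proof.eq_proof.revealed_attrs`, the lower-cased attribute keys, and the bytes-to-integer encoding (it reproduces the raw/encoded pair quoted in the first post); the attribute name `id` is hypothetical.

```python
import copy

def bytes_to_int_encoding(raw):
    # Assumed issuer encoding: UTF-8 bytes of raw read as a big-endian integer.
    return str(int.from_bytes(raw.encode("utf-8"), "big"))

def check_revealed_attrs(proof_request, proof, encode=bytes_to_int_encoding):
    """Return a list of problems; empty means raw/encoded are bound to the sub-proof."""
    problems = []
    sub_proofs = proof.get("proof", {}).get("proofs", [])
    revealed = proof.get("requested_proof", {}).get("revealed_attrs", {})
    for referent, entry in revealed.items():
        requested = proof_request.get("requested_attributes", {}).get(referent)
        if requested is None:
            problems.append(f"{referent}: not asked for in the proof request")
            continue
        # Assumed: sub-proof keys are attribute names lower-cased with spaces removed.
        name = requested["name"].replace(" ", "").lower()
        idx = entry.get("sub_proof_index")
        if not isinstance(idx, int) or not 0 <= idx < len(sub_proofs):
            problems.append(f"{referent}: bad sub_proof_index {idx!r}")
            continue
        eq_proof = sub_proofs[idx].get("primary_proof", {}).get("eq_proof", {})
        if eq_proof.get("revealed_attrs", {}).get(name) != entry.get("encoded"):
            problems.append(f"{referent}: encoded differs from the sub-proof value")
        if encode(str(entry.get("raw", ""))) != entry.get("encoded"):
            problems.append(f"{referent}: raw does not encode to encoded")
    return problems

# Constructed sample: the attribute name "id" is hypothetical; raw/encoded are the
# pair quoted in the thread. Cryptographic fields of the sub-proof are omitted.
REQUEST = {"requested_attributes": {"attr1_referent": {"name": "id"}}}
PROOF = {
    "proof": {"proofs": [{"primary_proof": {"eq_proof": {
        "revealed_attrs": {"id": "1405580844876701323570"}}}}]},
    "requested_proof": {"revealed_attrs": {"attr1_referent": {
        "raw": "L2ZKT17Q2", "sub_proof_index": 0,
        "encoded": "1405580844876701323570"}}},
}

def tampered(raw, encoded=None):
    """Copy PROOF with the presented raw (and optionally encoded) replaced."""
    forged = copy.deepcopy(PROOF)
    attr = forged["requested_proof"]["revealed_attrs"]["attr1_referent"]
    attr["raw"] = raw
    if encoded is not None:
        attr["encoded"] = encoded
    return forged

if __name__ == "__main__":
    print(check_revealed_attrs(REQUEST, PROOF))
    print(check_revealed_attrs(REQUEST, tampered("X9")))
    print(check_revealed_attrs(REQUEST, tampered("X9", bytes_to_int_encoding("X9"))))
```

The `encode` parameter should be replaced with whatever encoding the issuer actually used, since the check only holds if verifier and issuer agree on it.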