credential.go 3.43 KB
Newer Older
1
2
3
package irmaclient

import (
4
	"github.com/privacybydesign/gabi"
5
	"github.com/privacybydesign/gabi/revocation"
6
	"github.com/privacybydesign/irmago"
7
8
9
10
11
12
)

// credential represents an IRMA credential, whose zeroth attribute
// is always the secret key and the first attribute the metadata attribute.
type credential struct {
	*gabi.Credential
13
14
	*irma.MetadataAttribute
	attrs *irma.AttributeList
15
16
}

17
18
func newCredential(gabicred *gabi.Credential, conf *irma.Configuration) (*credential, error) {
	meta := irma.MetadataFromInt(gabicred.Attributes[1], conf)
19
20
21
22
	cred := &credential{
		Credential:        gabicred,
		MetadataAttribute: meta,
	}
23
24
25
26
27
28

	if cred.CredentialType() == nil {
		// Unknown credtype, populate Pk field later
		return cred, nil
	}

29
	var err error
30
	cred.Pk, err = conf.PublicKey(meta.CredentialType().IssuerIdentifier(), cred.KeyCounter())
31
32
33
34
35
36
	if err != nil {
		return nil, err
	}
	return cred, nil
}

37
func (cred *credential) AttributeList() *irma.AttributeList {
38
	if cred.attrs == nil {
39
		cred.attrs = irma.NewAttributeListFromInts(cred.Credential.Attributes[1:], cred.MetadataAttribute.Conf)
40
41
42
	}
	return cred.attrs
}
43

44
45
46
47
48
49
// prepareNonrevocation attempts to update the credential's nonrevocation witness from
// 1) the session request, and then 2) the revocation server if our witness is too far out of date.
// Returns whether or not a nonrevocation proof should be included for this credential, and whether
// or not the credential's nonrevocation state was updated. If so the caller should persist the
// updated credential to storage.
func (cred *credential) prepareNonrevocation(conf *irma.Configuration, request irma.SessionRequest) (bool, bool, error) {
50
51
52
53
54
	// If the requestor wants us to include a nonrevocation proof,
	// it will have sent us the latest revocation update messages
	m := request.Base().RevocationUpdates
	credtype := cred.CredentialType().Identifier()
	if len(m) == 0 || len(m[credtype]) == 0 {
55
		return false, false, nil
56
57
58
59
	}

	revupdates := m[credtype]
	nonrev := len(revupdates) > 0
60
61
62
	updated, err := cred.updateNonrevWitness(revupdates, conf.RevocationStorage)
	if err != nil {
		return false, updated, err
63
64
65
	} else if updated {
		cred.DiscardRevocationCache()
	}
66
67
68

	// TODO (in both branches): attach our newer updates to response
	if nonrev && cred.NonRevocationWitness.Index >= revupdates[len(revupdates)-1].EndIndex {
69
		return nonrev, updated, nil
70
	}
71
72
73

	// nonrevocation witness is still out of date after applying the updates from the request,
	// i.e. we were too far behind. Update from revocation server.
74
	revupdates, err = conf.RevocationStorage.GetUpdates(credtype, cred.NonRevocationWitness.Index+1)
75
	if err != nil {
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
		return nonrev, updated, err
	}
	updated, err = cred.updateNonrevWitness(revupdates, conf.RevocationStorage)
	return nonrev, updated, err
}

// updateNonrevWitness updates the credential's nonrevocation witness using the specified messages,
// if they all verify and if their indices are ahead and adjacent to that of our witness.
func (cred *credential) updateNonrevWitness(messages []*irma.RevocationRecord, rs *irma.RevocationStorage) (bool, error) {
	var err error
	var pk *revocation.PublicKey
	oldindex := cred.NonRevocationWitness.Index
	for _, msg := range messages {
		if pk, err = rs.PublicKey(cred.CredentialType().IssuerIdentifier(), msg.PublicKeyIndex); err != nil {
			return false, err
		}
		if err = cred.NonRevocationWitness.Update(pk, msg.Message); err != nil {
			return false, err
		}
95
	}
96
	return cred.NonRevocationWitness.Index == oldindex, err
97
}