credential.go 3.3 KB
Newer Older
1
2
3
package irmaclient

import (
4
5
	"errors"

6
	"github.com/privacybydesign/gabi"
7
	"github.com/privacybydesign/gabi/revocation"
8
	"github.com/privacybydesign/irmago"
9
10
11
12
13
14
)

// credential represents an IRMA credential, whose zeroth attribute
// is always the secret key and the first attribute the metadata attribute.
type credential struct {
	*gabi.Credential
15
16
	*irma.MetadataAttribute
	attrs *irma.AttributeList
17
18
}

19
20
func newCredential(gabicred *gabi.Credential, conf *irma.Configuration) (*credential, error) {
	meta := irma.MetadataFromInt(gabicred.Attributes[1], conf)
21
22
23
24
	cred := &credential{
		Credential:        gabicred,
		MetadataAttribute: meta,
	}
25
26
27
28
29
30

	if cred.CredentialType() == nil {
		// Unknown credtype, populate Pk field later
		return cred, nil
	}

31
	var err error
32
	cred.Pk, err = conf.PublicKey(meta.CredentialType().IssuerIdentifier(), cred.KeyCounter())
33
34
35
36
37
38
	if err != nil {
		return nil, err
	}
	return cred, nil
}

39
func (cred *credential) AttributeList() *irma.AttributeList {
40
	if cred.attrs == nil {
41
		cred.attrs = irma.NewAttributeListFromInts(cred.Credential.Attributes[1:], cred.MetadataAttribute.Conf)
42
43
44
	}
	return cred.attrs
}
45

46
// NonrevPrepare attempts to update the credential's nonrevocation witness from
47
// 1) the session request, and then 2) the revocation server if our witness is too far out of date.
48
49
// Returns whether or not the credential's nonrevocation state was updated. If so the caller should
// persist the updated credential to storage.
50
func (cred *credential) NonrevPrepare(conf *irma.Configuration, request irma.SessionRequest) (bool, error) {
51
	credtype := cred.CredentialType().Identifier()
52
53
	if !request.Base().RequestsRevocation(credtype) {
		return false, nil
54
55
	}

56
57
	// first try to update witness by applying the revocation update messages attached to the session request
	keys := irma.RevocationKeys{Conf: conf}
58
	revupdates := request.Base().RevocationUpdates[credtype]
59
	updated, err := cred.NonrevApplyUpdates(revupdates, keys)
60
	if err != nil {
61
		return updated, err
62
	}
63
64
	if cred.NonRevocationWitness.Index >= revupdates[len(revupdates)-1].EndIndex {
		return updated, nil
65
	}
66

67
68
69
	// nonrevocation witness is still out of date after applying the updates from the request:
	// we were too far behind. Update from revocation server.
	revupdates, err = irma.RevocationClient{Conf: conf}.FetchRevocationRecords(credtype, cred.NonRevocationWitness.Index+1)
70
	if err != nil {
71
		return updated, err
72
	}
73
	return cred.NonrevApplyUpdates(revupdates, keys)
74
75
}

76
// NonrevApplyUpdates updates the credential's nonrevocation witness using the specified messages,
77
// if they all verify and if their indices are ahead and adjacent to that of our witness.
78
func (cred *credential) NonrevApplyUpdates(messages []*irma.RevocationRecord, keys irma.RevocationKeys) (bool, error) {
79
	oldindex := cred.NonRevocationWitness.Index
80
81
82
83
84
85
86
87
88
89
90
91
92

	var err error
	var pk *revocation.PublicKey
	for _, record := range messages {
		if cred.CredentialType().IssuerIdentifier() != record.CredType.IssuerIdentifier() {
			return false, errors.New("cannot apply revocation record of other credential type")
		}
		if pk, err = keys.PublicKey(cred.CredentialType().IssuerIdentifier(), record.PublicKeyIndex); err != nil {
			return false, err
		}
		if err = cred.NonRevocationWitness.Update(pk, &record.Record); err != nil {
			return false, err
		}
93
	}
94

95
	return cred.NonRevocationWitness.Index != oldindex, nil
96
}