revocation.go 11.1 KB
Newer Older
1 2 3 4 5 6 7 8 9
package irma

import (
	"fmt"
	"path/filepath"
	"time"

	"github.com/go-errors/errors"
	"github.com/hashicorp/go-multierror"
10
	"github.com/privacybydesign/gabi/big"
11
	"github.com/privacybydesign/gabi/revocation"
12
	"github.com/privacybydesign/gabi/signed"
13 14
	"github.com/timshannon/bolthold"
	bolt "go.etcd.io/bbolt"
15 16
)

17 18
type (
	// DB is a bolthold database storing revocation state for a particular accumulator
19
	// (Record instances, and IssuanceRecord instances if used by an issuer).
20 21 22
	DB struct {
		Current  revocation.Accumulator
		Updated  time.Time
23
		onChange []func(*revocation.Record)
24
		bolt     *bolthold.Store
25
		keystore revocation.Keystore
26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61
	}

	RevocationStorage struct {
		dbs  map[CredentialTypeIdentifier]*DB
		conf *Configuration
	}

	TimeRecord struct {
		Index      uint64
		Start, End int64
	}

	// IssuanceRecord contains information generated during issuance, needed for later revocation.
	IssuanceRecord struct {
		Key        string
		Attr       *big.Int
		Issued     int64
		ValidUntil int64
		RevokedAt  int64 // 0 if not currently revoked
	}

	currentRecord struct {
		Index uint64
	}
)

const boltCurrentIndexKey = "currentIndex"

func (rdb *DB) EnableRevocation(sk *revocation.PrivateKey) error {
	msg, acc, err := revocation.NewAccumulator(sk)
	if err != nil {
		return err
	}
	if err = rdb.Add(msg, sk.Counter); err != nil {
		return err
	}
62
	rdb.Current = *acc
63
	rdb.Updated = time.Now()
64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87
	return nil
}

// Revoke revokes the credential specified specified by key if found within the current database,
// by updating its revocation time to now, adding its revocation attribute to the current accumulator,
// and updating the revocation database on disk.
func (rdb *DB) Revoke(sk *revocation.PrivateKey, key []byte) error {
	return rdb.bolt.Bolt().Update(func(tx *bolt.Tx) error {
		var err error
		cr := IssuanceRecord{}
		if err = rdb.bolt.TxGet(tx, key, &cr); err != nil {
			return err
		}
		cr.RevokedAt = time.Now().UnixNano()
		if err = rdb.bolt.TxUpdate(tx, key, &cr); err != nil {
			return err
		}
		return rdb.revokeAttr(sk, cr.Attr, tx)
	})
}

// Get returns all records that a client requires to update its revocation state if it is currently
// at the specified index, that is, all records whose end index is greater than or equal to
// the specified index.
88 89
func (rdb *DB) RevocationRecords(index int) ([]*revocation.Record, error) {
	var records []*revocation.Record
90 91 92 93 94 95
	if err := rdb.bolt.Find(&records, bolthold.Where(bolthold.Key).Ge(uint64(index))); err != nil {
		return nil, err
	}
	return records, nil
}

96
func (rdb *DB) LatestRecords(count int) ([]*revocation.Record, error) {
97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127
	c := int(rdb.Current.Index) - count + 1
	if c < 0 {
		c = 0
	}
	return rdb.RevocationRecords(c)
}

func (rdb *DB) IssuanceRecordExists(key []byte) (bool, error) {
	_, err := rdb.IssuanceRecord(key)
	switch err {
	case nil:
		return true, nil
	case bolthold.ErrNotFound:
		return false, nil
	default:
		return false, err
	}
}

func (rdb *DB) AddIssuanceRecord(r *IssuanceRecord) error {
	return rdb.bolt.Insert([]byte(r.Key), r)
}

func (rdb *DB) IssuanceRecord(key []byte) (*IssuanceRecord, error) {
	r := &IssuanceRecord{}
	if err := rdb.bolt.Get(key, r); err != nil {
		return nil, err
	}
	return r, nil
}

128
func (rdb *DB) AddRecords(records []*revocation.Record) error {
129 130 131 132 133 134 135 136 137 138
	var err error
	for _, r := range records {
		if err = rdb.Add(r.Message, r.PublicKeyIndex); err != nil {
			return err
		}
	}
	rdb.Updated = time.Now() // TODO update this in add()?
	return nil
}

139
// TODO this should use revocation.Record.UnmarshalVerify
140 141 142 143
func (rdb *DB) Add(updateMsg signed.Message, counter uint) error {
	var err error
	var update revocation.AccumulatorUpdate

144
	pk, err := rdb.keystore(counter)
145 146 147 148 149 150 151 152 153 154 155 156 157 158 159
	if err != nil {
		return err
	}

	if err = signed.UnmarshalVerify(pk.ECDSA, updateMsg, &update); err != nil {
		return err
	}

	return rdb.bolt.Bolt().Update(func(tx *bolt.Tx) error {
		return rdb.add(update, updateMsg, counter, tx)
	})
}

func (rdb *DB) add(update revocation.AccumulatorUpdate, updateMsg signed.Message, pkCounter uint, tx *bolt.Tx) error {
	var err error
160
	record := &revocation.Record{
161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211
		StartIndex:     update.StartIndex,
		EndIndex:       update.Accumulator.Index,
		PublicKeyIndex: pkCounter,
		Message:        updateMsg,
	}
	if err = rdb.bolt.TxInsert(tx, update.Accumulator.Index, record); err != nil {
		return err
	}

	if update.Accumulator.Index != 0 {
		var tr TimeRecord
		if err = rdb.bolt.TxGet(tx, update.Accumulator.Index-1, &tr); err == nil {
			tr.End = time.Now().UnixNano()
			if err = rdb.bolt.TxUpdate(tx, update.Accumulator.Index-1, &tr); err != nil {
				return err
			}
		}
	}
	if err = rdb.bolt.TxInsert(tx, update.Accumulator.Index, &TimeRecord{
		Index: update.Accumulator.Index,
		Start: time.Now().UnixNano(),
	}); err != nil {
		return err
	}

	if err = rdb.bolt.TxUpsert(tx, boltCurrentIndexKey, &currentRecord{update.Accumulator.Index}); err != nil {
		return err
	}

	for _, f := range rdb.onChange {
		f(record)
	}

	rdb.Current = update.Accumulator
	return nil
}

func (rdb *DB) Enabled() bool {
	var currentIndex currentRecord
	err := rdb.bolt.Get(boltCurrentIndexKey, &currentIndex)
	return err == nil
}

func (rdb *DB) loadCurrent() error {
	var currentIndex currentRecord
	if err := rdb.bolt.Get(boltCurrentIndexKey, &currentIndex); err == bolthold.ErrNotFound {
		return errors.New("revocation database not initialized")
	} else if err != nil {
		return err
	}

212
	var record revocation.Record
213 214 215
	if err := rdb.bolt.Get(currentIndex.Index, &record); err != nil {
		return err
	}
216
	pk, err := rdb.keystore(record.PublicKeyIndex)
217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264
	if err != nil {
		return err
	}
	var u revocation.AccumulatorUpdate
	if err = signed.UnmarshalVerify(pk.ECDSA, record.Message, &u); err != nil {
		return err
	}
	rdb.Current = u.Accumulator
	return nil
}

func (rdb *DB) RevokeAttr(sk *revocation.PrivateKey, e *big.Int) error {
	return rdb.bolt.Bolt().Update(func(tx *bolt.Tx) error {
		return rdb.revokeAttr(sk, e, tx)
	})
}

func (rdb *DB) revokeAttr(sk *revocation.PrivateKey, e *big.Int, tx *bolt.Tx) error {
	// don't update rdb.Current until after all possible errors are handled
	newAcc, err := rdb.Current.Remove(sk, e)
	if err != nil {
		return err
	}
	update := revocation.AccumulatorUpdate{
		Accumulator: *newAcc,
		StartIndex:  newAcc.Index,
		Revoked:     []*big.Int{e},
		Time:        time.Now().UnixNano(),
	}
	updateMsg, err := signed.MarshalSign(sk.ECDSA, update)
	if err != nil {
		return err
	}
	if err = rdb.add(update, updateMsg, sk.Counter, tx); err != nil {
		return err
	}
	rdb.Current = *newAcc
	return nil
}

func (rdb *DB) Close() error {
	rdb.onChange = nil
	if rdb.bolt != nil {
		return rdb.bolt.Close()
	}
	return nil
}

265
func (rdb *DB) OnChange(handler func(*revocation.Record)) {
266 267 268
	rdb.onChange = append(rdb.onChange, handler)
}

269
func (rs *RevocationStorage) loadDB(credid CredentialTypeIdentifier) (*DB, error) {
270
	path := filepath.Join(rs.conf.RevocationPath, credid.String())
271
	keystore := rs.Keystore(credid.IssuerIdentifier())
272 273 274 275 276 277 278 279

	b, err := bolthold.Open(path, 0600, &bolthold.Options{Options: &bolt.Options{Timeout: 1 * time.Second}})
	if err != nil {
		return nil, err
	}
	db := &DB{
		bolt:     b,
		keystore: keystore,
280
		Updated:  time.Unix(0, 0),
281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305
	}
	if db.Enabled() {
		if err = db.loadCurrent(); err != nil {
			_ = db.Close()
			return nil, err
		}
	}
	return db, nil
}

func (rs *RevocationStorage) PublicKey(issid IssuerIdentifier, counter uint) (*revocation.PublicKey, error) {
	pk, err := rs.conf.PublicKey(issid, int(counter))
	if err != nil {
		return nil, err
	}
	if pk == nil {
		return nil, errors.Errorf("unknown public key: %s-%d", issid, counter)
	}
	revpk, err := pk.RevocationKey()
	if err != nil {
		return nil, err
	}
	return revpk, nil
}

306 307
func (rs *RevocationStorage) GetUpdates(credid CredentialTypeIdentifier, index uint64) ([]*revocation.Record, error) {
	var records []*revocation.Record
308
	err := NewHTTPTransport(rs.conf.CredentialTypes[credid].RevocationServer).
309 310 311 312 313 314 315
		Get(fmt.Sprintf("-/revocation/records/%s/%d", credid, index), &records)
	if err != nil {
		return nil, err
	}
	return records, nil
}

316
func (rs *RevocationStorage) UpdateAll() error {
317
	var err error
318
	for credid := range rs.dbs {
319
		if err = rs.UpdateDB(credid); err != nil {
320 321 322 323 324 325
			return err
		}
	}
	return nil
}

326
func (rs *RevocationStorage) SetRecords(b *BaseRequest) error {
327 328 329
	if len(b.Revocation) == 0 {
		return nil
	}
330
	b.RevocationUpdates = make(map[CredentialTypeIdentifier][]*revocation.Record, len(b.Revocation))
331
	for _, credid := range b.Revocation {
332
		db, err := rs.DB(credid)
333 334 335
		if err != nil {
			return err
		}
336
		if err = rs.updateDelayed(credid, db); err != nil {
337 338 339 340 341 342 343 344 345 346
			return err
		}
		b.RevocationUpdates[credid], err = db.LatestRecords(revocationUpdateCount)
		if err != nil {
			return err
		}
	}
	return nil
}

347 348
func (rs *RevocationStorage) UpdateDB(credid CredentialTypeIdentifier) error {
	db, err := rs.DB(credid)
349 350 351 352 353 354 355
	if err != nil {
		return err
	}
	var index uint64
	if db.Enabled() {
		index = db.Current.Index + 1
	}
356
	records, err := rs.GetUpdates(credid, index)
357 358 359 360 361 362
	if err != nil {
		return err
	}
	return db.AddRecords(records)
}

363
func (rs *RevocationStorage) DB(credid CredentialTypeIdentifier) (*DB, error) {
364
	if _, known := rs.conf.CredentialTypes[credid]; !known {
365 366
		return nil, errors.New("unknown credential type")
	}
367 368
	if rs.dbs == nil {
		rs.dbs = make(map[CredentialTypeIdentifier]*DB)
369
	}
370
	if rs.dbs[credid] == nil {
371
		var err error
372
		db, err := rs.loadDB(credid)
373 374 375
		if err != nil {
			return nil, err
		}
376
		rs.dbs[credid] = db
377
	}
378
	return rs.dbs[credid], nil
379 380
}

381
func (rs *RevocationStorage) updateDelayed(credid CredentialTypeIdentifier, db *DB) error {
382
	if db.Updated.Before(time.Now().Add(-5 * time.Minute)) {
383
		if err := rs.UpdateDB(credid); err != nil {
384 385 386 387 388 389
			return err
		}
	}
	return nil
}

390
func (rs *RevocationStorage) SendIssuanceRecord(cred CredentialTypeIdentifier, rec *IssuanceRecord) error {
391
	credtype := rs.conf.CredentialTypes[cred]
392 393 394 395 396 397
	if credtype == nil {
		return errors.New("unknown credential type")
	}
	if credtype.RevocationServer == "" {
		return errors.New("credential type has no revocation server")
	}
398
	sk, err := rs.conf.PrivateKey(cred.IssuerIdentifier())
399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418
	if err != nil {
		return err
	}
	if sk == nil {
		return errors.New("private key not found")
	}
	revsk, err := sk.RevocationKey()
	if err != nil {
		return err
	}

	message, err := signed.MarshalSign(revsk.ECDSA, rec)
	if err != nil {
		return err
	}
	return NewHTTPTransport(credtype.RevocationServer).Post(
		fmt.Sprintf("-/revocation/issuancerecord/%s/%d", cred, sk.Counter), nil, []byte(message),
	)
}

419 420
func (rs *RevocationStorage) Revoke(credid CredentialTypeIdentifier, key string) error {
	sk, err := rs.conf.PrivateKey(credid.IssuerIdentifier())
421 422 423 424 425 426 427 428 429 430 431
	if err != nil {
		return err
	}
	if sk == nil {
		return errors.New("private key not found")
	}
	rsk, err := sk.RevocationKey()
	if err != nil {
		return err
	}

432
	db, err := rs.DB(credid)
433 434 435 436 437 438
	if err != nil {
		return err
	}
	return db.Revoke(rsk, []byte(key))
}

439
func (rs *RevocationStorage) Close() error {
440 441
	merr := &multierror.Error{}
	var err error
442
	for _, db := range rs.dbs {
443 444 445 446
		if err = db.Close(); err != nil {
			merr = multierror.Append(merr, err)
		}
	}
447
	rs.dbs = nil
448 449
	return merr.ErrorOrNil()
}
450

451
func (rs *RevocationStorage) Keystore(issuerid IssuerIdentifier) revocation.Keystore {
452
	return func(counter uint) (*revocation.PublicKey, error) {
453
		return rs.PublicKey(issuerid, counter)
454 455
	}
}