Commit 0934e1cb authored by Sietse Ringers's avatar Sietse Ringers
Browse files

fix: disclosures consisting of 0 credentials are now invalid

parent 8bac42af
......@@ -280,7 +280,7 @@
"safeprime",
]
pruneopts = "UT"
revision = "aaea3165ae62f1b76480d714813b1c6341a3512e"
revision = "a5a01cfeac1cf9781b73016f7f5492fd1bfca2ff"
[[projects]]
digest = "1:69b1cc331fca23d702bd72f860c6a647afd0aa9fcbc1d0659b1365e26546dd70"
......
......@@ -43,7 +43,11 @@ func (sm *SignedMessage) Disclosure() *Disclosure {
// where serverNonce is the nonce sent by the signature requestor.
func ASN1ConvertSignatureNonce(message string, nonce *big.Int, timestamp *atum.Timestamp) *big.Int {
msgHash := sha256.Sum256([]byte(message))
tohash := []interface{}{nonce.Value(), new(gobig.Int).SetBytes(msgHash[:])}
n := nonce.Value()
if n == nil {
n = gobig.NewInt(0)
}
tohash := []interface{}{n, new(gobig.Int).SetBytes(msgHash[:])}
if timestamp != nil {
tohash = append(tohash, timestamp.Sig.Data)
}
......
......@@ -237,6 +237,12 @@ func TestVerifyInValidNonce(t *testing.T) {
require.Equal(t, status, ProofStatusInvalid)
}
func TestEmptySignature(t *testing.T) {
msg := &SignedMessage{}
_, status, _ := msg.Verify(&Configuration{}, nil)
require.NotEqual(t, ProofStatusValid, status)
}
// Test attribute decoding with both old and new metadata versions
func TestAttributeDecoding(t *testing.T) {
expected := "male"
......
......@@ -283,11 +283,6 @@ func (sm *SignedMessage) Verify(configuration *Configuration, request *Signature
message = sm.Message
}
// Verify the timestamp
if err := sm.VerifyTimestamp(message, configuration); err != nil {
return nil, ProofStatusInvalidTimestamp, nil
}
// Now, cryptographically verify the IRMA disclosure proofs in the signature
var required AttributeConDisCon
if request != nil {
......@@ -298,14 +293,18 @@ func (sm *SignedMessage) Verify(configuration *Configuration, request *Signature
return result, status, err
}
// Check if a credential is expired
// Next, verify the timestamp
if err := sm.VerifyTimestamp(message, configuration); err != nil {
return nil, ProofStatusInvalidTimestamp, nil
}
t := time.Unix(sm.Timestamp.Time, 0)
// Check if a credential was expired at creation time, according to the timestamp
if expired := ProofList(sm.Signature).Expired(configuration, &t); expired {
// The ABS contains attributes that were expired at the time of creation of the ABS.
return result, ProofStatusExpired, nil
}
// All disjunctions satisfied and nothing expired, proof is valid!
// The attributes were valid, nonexpired, and the request was satisfied
return result, ProofStatusValid, nil
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment