Commit 28336521 authored by Sietse Ringers's avatar Sietse Ringers
Browse files

fix: disclosures consisting of 0 credentials are now invalid

parent 43bbf0a6
......@@ -280,7 +280,7 @@
"safeprime",
]
pruneopts = "UT"
revision = "d24df08b9fc496d1a375a674be2e6d0e64b5e578"
revision = "a5a01cfeac1cf9781b73016f7f5492fd1bfca2ff"
[[projects]]
digest = "1:69b1cc331fca23d702bd72f860c6a647afd0aa9fcbc1d0659b1365e26546dd70"
......
......@@ -44,7 +44,11 @@ func (sm *SignedMessage) Disclosure() *Disclosure {
// where serverNonce is the nonce sent by the signature requestor.
func ASN1ConvertSignatureNonce(message string, nonce *big.Int, timestamp *atum.Timestamp) *big.Int {
msgHash := sha256.Sum256([]byte(message))
tohash := []interface{}{nonce.Value(), new(gobig.Int).SetBytes(msgHash[:])}
n := nonce.Value()
if n == nil {
n = gobig.NewInt(0)
}
tohash := []interface{}{n, new(gobig.Int).SetBytes(msgHash[:])}
if timestamp != nil {
tohash = append(tohash, timestamp.Sig.Data)
}
......
......@@ -354,6 +354,12 @@ func TestVerifyInValidNonce(t *testing.T) {
require.Equal(t, status, ProofStatusInvalid)
}
func TestEmptySignature(t *testing.T) {
msg := &SignedMessage{}
_, status, _ := msg.Verify(&Configuration{}, nil)
require.NotEqual(t, ProofStatusValid, status)
}
// Test attribute decoding with both old and new metadata versions
func TestAttributeDecoding(t *testing.T) {
expected := "male"
......
......@@ -342,13 +342,6 @@ func (sm *SignedMessage) Verify(configuration *Configuration, request *Signature
message = sm.Message
}
// Verify the timestamp
if sm.Timestamp != nil {
if err := sm.VerifyTimestamp(message, configuration); err != nil {
return nil, ProofStatusInvalidTimestamp, nil
}
}
// Now, cryptographically verify the IRMA disclosure proofs in the signature
var required AttributeDisjunctionList
if request != nil {
......@@ -359,17 +352,21 @@ func (sm *SignedMessage) Verify(configuration *Configuration, request *Signature
return result, status, err
}
// Check if a credential is expired
var t time.Time
// Next, verify the timestamp
t := time.Now()
if sm.Timestamp != nil {
if err := sm.VerifyTimestamp(message, configuration); err != nil {
return nil, ProofStatusInvalidTimestamp, nil
}
t = time.Unix(sm.Timestamp.Time, 0)
}
// Check if a credential was expired at creation time, according to the timestamp
if expired := ProofList(sm.Signature).Expired(configuration, &t); expired {
// The ABS contains attributes that were expired at the time of creation of the ABS.
return result, ProofStatusExpired, nil
}
// All disjunctions satisfied and nothing expired, proof is valid!
// The attributes were valid, nonexpired, and the request was satisfied
return result, ProofStatusValid, nil
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment