c59753b5
Commit
c59753b5
authored
Oct 16, 2019
by
Sietse Ringers
refactor: push nonrevocation proof checking to gabi
parent
7e7ff2a1
Showing
5 changed files
with
19 additions
and
23 deletions
+19
-23
internal/servercore/helpers.go
internal/servercore/helpers.go
+7
-3
internal/sessiontest/requestor_test.go
internal/sessiontest/requestor_test.go
+5
-0
irmaclient/credential.go
irmaclient/credential.go
+2
-9
revocation.go
revocation.go
+3
-2
verify.go
verify.go
+2
-9
internal/servercore/helpers.go
...
...
@@ -91,16 +91,20 @@ func (session *session) issuanceHandleRevocation(
}
db
,
err
:=
session
.
conf
.
IrmaConfiguration
.
RevocationStorage
.
DB
(
cred
.
CredentialTypeID
)
if
err
!=
nil
{
if
err
!=
nil
||
!
db
.
Enabled
()
{
return
}
if
!
db
.
Enabled
()
{
records
,
err
:=
db
.
LatestRecords
(
1
)
if
err
!=
nil
{
return
}
if
witness
,
err
=
sk
.
RevocationGenerateWitness
(
&
db
.
Current
);
err
!=
nil
{
return
}
witness
.
Record
=
records
[
len
(
records
)
-
1
]
witness
.
Nu
=
nil
// don't send to irmaclient, it will reconstruct it from witness.Record
witness
.
Index
=
0
// same
nonrevAttr
=
witness
.
E
issrecord
:=
&
irma
.
IssuanceRecord
{
Key
:
cred
.
RevocationKey
,
...
...
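Review bot: `witness.Record = records[len(records)-1]` indexes the result of `db.LatestRecords(1)` without checking its length, so an enabled revocation database that returns an empty slice with a nil error would panic in the issuance path instead of failing the session cleanly. A guard right after the `LatestRecords` error check, e.g. `if len(records) == 0 { err = errors.New("no revocation records available"); return }` (using whatever error constructor this package already imports), keeps that an ordinary error; this assumes `err` is a named result, which the bare `return`s suggest but the hunk does not show. The witness is also generated from `db.Current` while its record comes from a separate `LatestRecords` read, so it is worth confirming that both are read under the same lock or transaction, otherwise the issued witness and record could disagree. The function starts and ends outside this hunk.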
internal/sessiontest/requestor_test.go
...
...
@@ -380,25 +380,30 @@ func TestRevocation(t *testing.T) {
require
.
Nil
(
t
,
result
.
Err
)
// perform disclosure session (of cred1) with nonrevocation proof
logger
.
Info
(
"step 1"
)
result
=
revocationSession
(
t
,
client
)
require
.
Equal
(
t
,
irma
.
ProofStatusValid
,
result
.
ProofStatus
)
require
.
NotEmpty
(
t
,
result
.
Disclosed
)
// revoke cred0
logger
.
Info
(
"step 2"
)
cred
:=
revocationIssuanceRequest
.
Credentials
[
0
]
.
CredentialTypeID
require
.
NoError
(
t
,
revocationServer
.
Revoke
(
cred
,
"cred0"
))
// perform another disclosure session with nonrevocation proof to see that cred1 still works
// client updates its witness to the new accumulator first
logger
.
Info
(
"step 3"
)
result
=
revocationSession
(
t
,
client
)
require
.
Equal
(
t
,
irma
.
ProofStatusValid
,
result
.
ProofStatus
)
require
.
NotEmpty
(
t
,
result
.
Disclosed
)
// revoke cred1
logger
.
Info
(
"step 4"
)
require
.
NoError
(
t
,
revocationServer
.
Revoke
(
cred
,
"cred1"
))
// try to perform session with revoked credential
// client notices that is credential is revoked and aborts
logger
.
Info
(
"step 5"
)
result
=
revocationSession
(
t
,
client
,
sessionOptionIgnoreClientError
)
require
.
Equal
(
t
,
result
.
Status
,
server
.
StatusCancelled
)
}
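Review bot: Step 5 only shows the client declining to use its revoked credential (`sessionOptionIgnoreClientError`, then `server.StatusCancelled`); no step in `TestRevocation` makes the server itself reject a nonrevocation proof that was built against an accumulator older than the one in the request. Since this commit changes how verify.go compares the proof's accumulator with the requested one, a case that presents a stale proof and asserts a non-valid `result.ProofStatus` would cover the path that does not depend on the client cooperating. As a matter of style, the added `logger.Info("step N")` lines could be `t.Log("step N")` so they are reported together with this test's output.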
irmaclient/credential.go
...
...
@@ -74,16 +74,9 @@ func (cred *credential) NonrevPrepare(conf *irma.Configuration, request irma.Ses
// NonrevApplyUpdates updates the credential's nonrevocation witness using the specified messages,
// if they all verify and if their indices are ahead and adjacent to that of our witness.
func
(
cred
*
credential
)
NonrevApplyUpdates
(
messages
[]
*
revocation
.
Record
,
rs
*
irma
.
RevocationStorage
)
(
bool
,
error
)
{
var
err
error
var
pk
*
revocation
.
PublicKey
oldindex
:=
cred
.
NonRevocationWitness
.
Index
for
_
,
msg
:=
range
messages
{
if
pk
,
err
=
rs
.
PublicKey
(
cred
.
CredentialType
()
.
IssuerIdentifier
(),
msg
.
PublicKeyIndex
);
err
!=
nil
{
return
false
,
err
}
if
err
=
cred
.
NonRevocationWitness
.
Update
(
pk
,
msg
.
Message
);
err
!=
nil
{
return
false
,
err
}
if
err
:=
cred
.
NonRevocationWitness
.
Update
(
rs
.
Keystore
(
cred
.
CredentialType
()
.
IssuerIdentifier
()),
messages
);
err
!=
nil
{
return
false
,
err
}
return
cred
.
NonRevocationWitness
.
Index
!=
oldindex
,
cred
.
NonrevPrepareCache
()
...
...
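Review bot: The doc comment on `NonrevApplyUpdates` still promises that the witness is updated only "if they all verify and if their indices are ahead and adjacent", but after this change none of that is checked in this function; it depends entirely on what `cred.NonRevocationWitness.Update` does with the keystore from `rs.Keystore(...)`, which is not visible in this hunk. I would say so in the comment, e.g. `// Signature verification and index checks are delegated to NonRevocationWitness.Update, using the issuer's keystore.`, and state whether the witness is left unchanged when `Update` fails partway through `messages`. The final `return` can also yield `true` together with a non-nil error from `NonrevPrepareCache()`, which is worth documenting for callers. The function's closing brace lies outside the hunk.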
revocation.go
...
...
@@ -136,6 +136,7 @@ func (rdb *DB) AddRecords(records []*revocation.Record) error {
return
nil
}
// TODO this should use revocation.Record.UnmarshalVerify
func
(
rdb
*
DB
)
Add
(
updateMsg
signed
.
Message
,
counter
uint
)
error
{
var
err
error
var
update
revocation
.
AccumulatorUpdate
...
...
@@ -267,7 +268,7 @@ func (rdb *DB) OnChange(handler func(*revocation.Record)) {
func
(
rs
*
RevocationStorage
)
loadDB
(
credid
CredentialTypeIdentifier
)
(
*
DB
,
error
)
{
path
:=
filepath
.
Join
(
rs
.
conf
.
RevocationPath
,
credid
.
String
())
keystore
:=
rs
.
k
eystore
(
credid
.
IssuerIdentifier
())
keystore
:=
rs
.
K
eystore
(
credid
.
IssuerIdentifier
())
b
,
err
:=
bolthold
.
Open
(
path
,
0600
,
&
bolthold
.
Options
{
Options
:
&
bolt
.
Options
{
Timeout
:
1
*
time
.
Second
}})
if
err
!=
nil
{
...
...
@@ -447,7 +448,7 @@ func (rs *RevocationStorage) Close() error {
return
merr
.
ErrorOrNil
()
}
func
(
rs
*
RevocationStorage
)
k
eystore
(
issuerid
IssuerIdentifier
)
revocation
.
Keystore
{
func
(
rs
*
RevocationStorage
)
K
eystore
(
issuerid
IssuerIdentifier
)
revocation
.
Keystore
{
return
func
(
counter
uint
)
(
*
revocation
.
PublicKey
,
error
)
{
return
rs
.
PublicKey
(
issuerid
,
counter
)
}
...
...
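Review bot: `Keystore` appears to become an exported method of `RevocationStorage` in the last hunk, but it has no doc comment. Something like `// Keystore returns a revocation.Keystore that looks up the given issuer's revocation public key by counter via rs.PublicKey.` would describe what the returned closure does, which matters now that callers outside this package (irmaclient/credential.go in this commit) use it as the trust anchor for update verification. Separately, the new `// TODO this should use revocation.Record.UnmarshalVerify` on `Add` suggests that this path does not yet go through the shared verification routine; `Add`'s body is mostly outside the hunk so this cannot be confirmed from here, but a reference to a tracking issue in the TODO would keep it from being lost.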
verify.go
...
...
@@ -171,7 +171,7 @@ func (pl ProofList) VerifyProofs(
// by ProofList.Verify() above, so all that remains here is to check if all expected
// nonrevocation proofs are present, and against the expected accumulator value:
// the last one in the update message set we provided along with the session request,
// OR
the last (newer) one that the client included in its reply (TODO)
.
// OR
a newer one included in the proofs itself
.
r
:=
revRecords
[
id
]
if
len
(
r
)
==
0
{
// no nonrevocation proof was requested for this credential
return
true
,
nil
...
...
@@ -179,14 +179,7 @@ func (pl ProofList) VerifyProofs(
if
!
proofd
.
HasNonRevocationProof
()
{
return
false
,
nil
}
// grab last message from accumulator update message set in request
keystore
:=
configuration
.
RevocationStorage
.
keystore
(
typ
.
Identifier
()
.
IssuerIdentifier
())
msg
,
err
:=
r
[
len
(
r
)
-
1
]
.
UnmarshalVerify
(
keystore
)
if
err
!=
nil
{
return
false
,
err
}
if
msg
.
Accumulator
.
Nu
.
Cmp
(
proofd
.
NonRevocationProof
.
Nu
)
!=
0
{
if
proofd
.
NonRevocationProof
.
Accumulator
.
Index
<
r
[
len
(
r
)
-
1
]
.
EndIndex
{
return
false
,
errors
.
New
(
"nonrevocation proof used wrong accumulator"
)
}
}
...
...
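Review bot: The accumulator check in the second hunk rejects a proof only when `proofd.NonRevocationProof.Accumulator.Index < r[len(r)-1].EndIndex`, so any proof whose accumulator index is at or above the requested one passes this point, and, as far as the rendered page shows, `r[len(r)-1]` is no longer run through `UnmarshalVerify` before its `EndIndex` is read. That is sound only if the accumulator carried inside the proof has already had its issuer signature checked, which the comment attributes to `ProofList.Verify()` but which is not visible here. I would state that invariant next to the comparison, e.g. `// The proof's accumulator was signature-checked during ProofList.Verify(); here we only require it to be at least as new as the one we requested.`. The error text would also be more accurate as `"nonrevocation proof used outdated accumulator"`. `VerifyProofs` begins and ends outside the hunks shown.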