refactor: push nonrevocation proof checking to gabi

internal/servercore/helpers.go

@@ -91,16 +91,20 @@ func (session *session) issuanceHandleRevocation(
 	}
 
 	db, err := session.conf.IrmaConfiguration.RevocationStorage.DB(cred.CredentialTypeID)
-	if err != nil {
+	if err != nil || !db.Enabled() {
 		return
 	}
-	if !db.Enabled() {
+
+	records, err := db.LatestRecords(1)
+	if err != nil {
 		return
 	}
-
 	if witness, err = sk.RevocationGenerateWitness(&db.Current); err != nil {
 		return
 	}
+	witness.Record = records[len(records)-1]
+	witness.Nu = nil  // don't send to irmaclient, it will reconstruct it from witness.Record
+	witness.Index = 0 // same
 	nonrevAttr = witness.E
 	issrecord := &irma.IssuanceRecord{
 		Key:        cred.RevocationKey,

internal/sessiontest/requestor_test.go

@@ -380,25 +380,30 @@ func TestRevocation(t *testing.T) {
 	require.Nil(t, result.Err)
 
 	// perform disclosure session (of cred1) with nonrevocation proof
+	logger.Info("step 1")
 	result = revocationSession(t, client)
 	require.Equal(t, irma.ProofStatusValid, result.ProofStatus)
 	require.NotEmpty(t, result.Disclosed)
 
 	// revoke cred0
+	logger.Info("step 2")
 	cred := revocationIssuanceRequest.Credentials[0].CredentialTypeID
 	require.NoError(t, revocationServer.Revoke(cred, "cred0"))
 
 	// perform another disclosure session with nonrevocation proof to see that cred1 still works
 	// client updates its witness to the new accumulator first
+	logger.Info("step 3")
 	result = revocationSession(t, client)
 	require.Equal(t, irma.ProofStatusValid, result.ProofStatus)
 	require.NotEmpty(t, result.Disclosed)
 
 	// revoke cred1
+	logger.Info("step 4")
 	require.NoError(t, revocationServer.Revoke(cred, "cred1"))
 
 	// try to perform session with revoked credential
 	// client notices that is credential is revoked and aborts
+	logger.Info("step 5")
 	result = revocationSession(t, client, sessionOptionIgnoreClientError)
 	require.Equal(t, result.Status, server.StatusCancelled)
 }

irmaclient/credential.go

@@ -74,16 +74,9 @@ func (cred *credential) NonrevPrepare(conf *irma.Configuration, request irma.Ses
 // NonrevApplyUpdates updates the credential's nonrevocation witness using the specified messages,
 // if they all verify and if their indices are ahead and adjacent to that of our witness.
 func (cred *credential) NonrevApplyUpdates(messages []*revocation.Record, rs *irma.RevocationStorage) (bool, error) {
-	var err error
-	var pk *revocation.PublicKey
 	oldindex := cred.NonRevocationWitness.Index
-	for _, msg := range messages {
-		if pk, err = rs.PublicKey(cred.CredentialType().IssuerIdentifier(), msg.PublicKeyIndex); err != nil {
-			return false, err
-		}
-		if err = cred.NonRevocationWitness.Update(pk, msg.Message); err != nil {
-			return false, err
-		}
+	if err := cred.NonRevocationWitness.Update(rs.Keystore(cred.CredentialType().IssuerIdentifier()), messages); err != nil {
+		return false, err
 	}
 
 	return cred.NonRevocationWitness.Index != oldindex, cred.NonrevPrepareCache()

revocation.go

@@ -136,6 +136,7 @@ func (rdb *DB) AddRecords(records []*revocation.Record) error {
 	return nil
 }
 
+// TODO this should use revocation.Record.UnmarshalVerify
 func (rdb *DB) Add(updateMsg signed.Message, counter uint) error {
 	var err error
 	var update revocation.AccumulatorUpdate
@@ -267,7 +268,7 @@ func (rdb *DB) OnChange(handler func(*revocation.Record)) {
 
 func (rs *RevocationStorage) loadDB(credid CredentialTypeIdentifier) (*DB, error) {
 	path := filepath.Join(rs.conf.RevocationPath, credid.String())
-	keystore := rs.keystore(credid.IssuerIdentifier())
+	keystore := rs.Keystore(credid.IssuerIdentifier())
 
 	b, err := bolthold.Open(path, 0600, &bolthold.Options{Options: &bolt.Options{Timeout: 1 * time.Second}})
 	if err != nil {
@@ -447,7 +448,7 @@ func (rs *RevocationStorage) Close() error {
 	return merr.ErrorOrNil()
 }
 
-func (rs *RevocationStorage) keystore(issuerid IssuerIdentifier) revocation.Keystore {
+func (rs *RevocationStorage) Keystore(issuerid IssuerIdentifier) revocation.Keystore {
 	return func(counter uint) (*revocation.PublicKey, error) {
 		return rs.PublicKey(issuerid, counter)
 	}

verify.go

@@ -171,7 +171,7 @@ func (pl ProofList) VerifyProofs(
 		// by ProofList.Verify() above, so all that remains here is to check if all expected
 		// nonrevocation proofs are present, and against the expected accumulator value:
 		// the last one in the update message set we provided along with the session request,
-		// OR the last (newer) one that the client included in its reply (TODO).
+		// OR a newer one included in the proofs itself.
 		r := revRecords[id]
 		if len(r) == 0 { // no nonrevocation proof was requested for this credential
 			return true, nil
@@ -179,14 +179,7 @@ func (pl ProofList) VerifyProofs(
 		if !proofd.HasNonRevocationProof() {
 			return false, nil
 		}
-
-		// grab last message from accumulator update message set in request
-		keystore := configuration.RevocationStorage.keystore(typ.Identifier().IssuerIdentifier())
-		msg, err := r[len(r)-1].UnmarshalVerify(keystore)
-		if err != nil {
-			return false, err
-		}
-		if msg.Accumulator.Nu.Cmp(proofd.NonRevocationProof.Nu) != 0 {
+		if proofd.NonRevocationProof.Accumulator.Index < r[len(r)-1].EndIndex {
 			return false, errors.New("nonrevocation proof used wrong accumulator")
 		}
 	}