Commit c59753b5 authored by Sietse Ringers's avatar Sietse Ringers

refactor: push nonrevocation proof checking to gabi

parent 7e7ff2a1
...@@ -91,16 +91,20 @@ func (session *session) issuanceHandleRevocation( ...@@ -91,16 +91,20 @@ func (session *session) issuanceHandleRevocation(
} }
db, err := session.conf.IrmaConfiguration.RevocationStorage.DB(cred.CredentialTypeID) db, err := session.conf.IrmaConfiguration.RevocationStorage.DB(cred.CredentialTypeID)
if err != nil { if err != nil || !db.Enabled() {
return return
} }
if !db.Enabled() {
records, err := db.LatestRecords(1)
if err != nil {
return return
} }
if witness, err = sk.RevocationGenerateWitness(&db.Current); err != nil { if witness, err = sk.RevocationGenerateWitness(&db.Current); err != nil {
return return
} }
witness.Record = records[len(records)-1]
witness.Nu = nil // don't send to irmaclient, it will reconstruct it from witness.Record
witness.Index = 0 // same
nonrevAttr = witness.E nonrevAttr = witness.E
issrecord := &irma.IssuanceRecord{ issrecord := &irma.IssuanceRecord{
Key: cred.RevocationKey, Key: cred.RevocationKey,
......
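Review bot: `witness.Record = records[len(records)-1]` indexes the result of `db.LatestRecords(1)` without checking that it is non-empty, so an enabled database that returns no records together with a nil error would panic the issuance handler instead of failing the session cleanly. Whether `LatestRecords` can return an empty slice is not visible here, so a guard before the witness is generated is the safe choice: `if len(records) == 0 { err = errors.New("no revocation records available"); return }` (assuming `err` is a named result, as the bare `return`s suggest, and that `errors` is imported in this file). The comment on `witness.Nu = nil` could also state that the client is expected to verify `witness.Record` before reconstructing `Nu` from it. The body of `issuanceHandleRevocation` starts and ends outside this hunk.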
...@@ -380,25 +380,30 @@ func TestRevocation(t *testing.T) { ...@@ -380,25 +380,30 @@ func TestRevocation(t *testing.T) {
require.Nil(t, result.Err) require.Nil(t, result.Err)
// perform disclosure session (of cred1) with nonrevocation proof // perform disclosure session (of cred1) with nonrevocation proof
logger.Info("step 1")
result = revocationSession(t, client) result = revocationSession(t, client)
require.Equal(t, irma.ProofStatusValid, result.ProofStatus) require.Equal(t, irma.ProofStatusValid, result.ProofStatus)
require.NotEmpty(t, result.Disclosed) require.NotEmpty(t, result.Disclosed)
// revoke cred0 // revoke cred0
logger.Info("step 2")
cred := revocationIssuanceRequest.Credentials[0].CredentialTypeID cred := revocationIssuanceRequest.Credentials[0].CredentialTypeID
require.NoError(t, revocationServer.Revoke(cred, "cred0")) require.NoError(t, revocationServer.Revoke(cred, "cred0"))
// perform another disclosure session with nonrevocation proof to see that cred1 still works // perform another disclosure session with nonrevocation proof to see that cred1 still works
// client updates its witness to the new accumulator first // client updates its witness to the new accumulator first
logger.Info("step 3")
result = revocationSession(t, client) result = revocationSession(t, client)
require.Equal(t, irma.ProofStatusValid, result.ProofStatus) require.Equal(t, irma.ProofStatusValid, result.ProofStatus)
require.NotEmpty(t, result.Disclosed) require.NotEmpty(t, result.Disclosed)
// revoke cred1 // revoke cred1
logger.Info("step 4")
require.NoError(t, revocationServer.Revoke(cred, "cred1")) require.NoError(t, revocationServer.Revoke(cred, "cred1"))
// try to perform session with revoked credential // try to perform session with revoked credential
// client notices that is credential is revoked and aborts // client notices that is credential is revoked and aborts
logger.Info("step 5")
result = revocationSession(t, client, sessionOptionIgnoreClientError) result = revocationSession(t, client, sessionOptionIgnoreClientError)
require.Equal(t, result.Status, server.StatusCancelled) require.Equal(t, result.Status, server.StatusCancelled)
} }
...@@ -74,16 +74,9 @@ func (cred *credential) NonrevPrepare(conf *irma.Configuration, request irma.Ses ...@@ -74,16 +74,9 @@ func (cred *credential) NonrevPrepare(conf *irma.Configuration, request irma.Ses
// NonrevApplyUpdates updates the credential's nonrevocation witness using the specified messages, // NonrevApplyUpdates updates the credential's nonrevocation witness using the specified messages,
// if they all verify and if their indices are ahead and adjacent to that of our witness. // if they all verify and if their indices are ahead and adjacent to that of our witness.
func (cred *credential) NonrevApplyUpdates(messages []*revocation.Record, rs *irma.RevocationStorage) (bool, error) { func (cred *credential) NonrevApplyUpdates(messages []*revocation.Record, rs *irma.RevocationStorage) (bool, error) {
var err error
var pk *revocation.PublicKey
oldindex := cred.NonRevocationWitness.Index oldindex := cred.NonRevocationWitness.Index
for _, msg := range messages { if err := cred.NonRevocationWitness.Update(rs.Keystore(cred.CredentialType().IssuerIdentifier()), messages); err != nil {
if pk, err = rs.PublicKey(cred.CredentialType().IssuerIdentifier(), msg.PublicKeyIndex); err != nil { return false, err
return false, err
}
if err = cred.NonRevocationWitness.Update(pk, msg.Message); err != nil {
return false, err
}
} }
return cred.NonRevocationWitness.Index != oldindex, cred.NonrevPrepareCache() return cred.NonRevocationWitness.Index != oldindex, cred.NonrevPrepareCache()
......
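Review bot: The doc comment on `NonrevApplyUpdates` still reads as if this function verifies the messages itself, but the per-message public key lookup and the verification now happen inside `cred.NonRevocationWitness.Update`, which receives the keystore from `rs.Keystore(...)`. I would extend the comment with something like `// Signature verification and the index checks are delegated to Witness.Update, which resolves keys through the issuer's keystore.` so that a reader auditing where revocation records are authenticated is pointed at the right place. It is also worth documenting what state the witness is in when `Update` returns an error, since the function then returns before `NonrevPrepareCache()` runs; whether `Update` applies the messages atomically cannot be seen from this hunk.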
...@@ -136,6 +136,7 @@ func (rdb *DB) AddRecords(records []*revocation.Record) error { ...@@ -136,6 +136,7 @@ func (rdb *DB) AddRecords(records []*revocation.Record) error {
return nil return nil
} }
// TODO this should use revocation.Record.UnmarshalVerify
func (rdb *DB) Add(updateMsg signed.Message, counter uint) error { func (rdb *DB) Add(updateMsg signed.Message, counter uint) error {
var err error var err error
var update revocation.AccumulatorUpdate var update revocation.AccumulatorUpdate
...@@ -267,7 +268,7 @@ func (rdb *DB) OnChange(handler func(*revocation.Record)) { ...@@ -267,7 +268,7 @@ func (rdb *DB) OnChange(handler func(*revocation.Record)) {
func (rs *RevocationStorage) loadDB(credid CredentialTypeIdentifier) (*DB, error) { func (rs *RevocationStorage) loadDB(credid CredentialTypeIdentifier) (*DB, error) {
path := filepath.Join(rs.conf.RevocationPath, credid.String()) path := filepath.Join(rs.conf.RevocationPath, credid.String())
keystore := rs.keystore(credid.IssuerIdentifier()) keystore := rs.Keystore(credid.IssuerIdentifier())
b, err := bolthold.Open(path, 0600, &bolthold.Options{Options: &bolt.Options{Timeout: 1 * time.Second}}) b, err := bolthold.Open(path, 0600, &bolthold.Options{Options: &bolt.Options{Timeout: 1 * time.Second}})
if err != nil { if err != nil {
...@@ -447,7 +448,7 @@ func (rs *RevocationStorage) Close() error { ...@@ -447,7 +448,7 @@ func (rs *RevocationStorage) Close() error {
return merr.ErrorOrNil() return merr.ErrorOrNil()
} }
func (rs *RevocationStorage) keystore(issuerid IssuerIdentifier) revocation.Keystore { func (rs *RevocationStorage) Keystore(issuerid IssuerIdentifier) revocation.Keystore {
return func(counter uint) (*revocation.PublicKey, error) { return func(counter uint) (*revocation.PublicKey, error) {
return rs.PublicKey(issuerid, counter) return rs.PublicKey(issuerid, counter)
} }
......
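Review bot: `Keystore` becomes part of the exported API of `RevocationStorage` here but has no doc comment; add one such as `// Keystore returns a revocation.Keystore that looks up the revocation public keys of the given issuer by counter, using rs.PublicKey.`. In the earlier hunk of this file, the new `// TODO this should use revocation.Record.UnmarshalVerify` on `(*DB).Add` does not say whether `Add` currently verifies the signature of `updateMsg` some other way. Since `Add` is where update messages enter the database, the TODO should state the present verification behaviour explicitly; the body of `Add` is mostly outside the hunk, so this cannot be confirmed from here.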
...@@ -171,7 +171,7 @@ func (pl ProofList) VerifyProofs( ...@@ -171,7 +171,7 @@ func (pl ProofList) VerifyProofs(
// by ProofList.Verify() above, so all that remains here is to check if all expected // by ProofList.Verify() above, so all that remains here is to check if all expected
// nonrevocation proofs are present, and against the expected accumulator value: // nonrevocation proofs are present, and against the expected accumulator value:
// the last one in the update message set we provided along with the session request, // the last one in the update message set we provided along with the session request,
// OR the last (newer) one that the client included in its reply (TODO). // OR a newer one included in the proofs itself.
r := revRecords[id] r := revRecords[id]
if len(r) == 0 { // no nonrevocation proof was requested for this credential if len(r) == 0 { // no nonrevocation proof was requested for this credential
return true, nil return true, nil
...@@ -179,14 +179,7 @@ func (pl ProofList) VerifyProofs( ...@@ -179,14 +179,7 @@ func (pl ProofList) VerifyProofs(
if !proofd.HasNonRevocationProof() { if !proofd.HasNonRevocationProof() {
return false, nil return false, nil
} }
if proofd.NonRevocationProof.Accumulator.Index < r[len(r)-1].EndIndex {
// grab last message from accumulator update message set in request
keystore := configuration.RevocationStorage.keystore(typ.Identifier().IssuerIdentifier())
msg, err := r[len(r)-1].UnmarshalVerify(keystore)
if err != nil {
return false, err
}
if msg.Accumulator.Nu.Cmp(proofd.NonRevocationProof.Nu) != 0 {
return false, errors.New("nonrevocation proof used wrong accumulator") return false, errors.New("nonrevocation proof used wrong accumulator")
} }
} }
......
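Review bot: As far as the rendering shows, the remaining check in `VerifyProofs` is `proofd.NonRevocationProof.Accumulator.Index < r[len(r)-1].EndIndex`, so the error text `"nonrevocation proof used wrong accumulator"` no longer matches the condition; `"nonrevocation proof used outdated accumulator"` would describe it. More importantly, the index compared here is taken from the proof itself, so the check only means something if the accumulator embedded in the proof has already been signature-verified. The comment above says `ProofList.Verify()` does this, and it would help to state that dependency right at the comparison, e.g. `// Accumulator was signature-checked by ProofList.Verify(); here we only reject stale ones.`. A test that submits a proof against an accumulator older than `EndIndex` would pin this behaviour now that the `Nu` comparison is gone.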