Skip to content
GitLab
Projects
Groups
Snippets
/
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
Menu
Open sidebar
IRMA
Github mirrors
irmago
Commits
c59753b5
Commit
c59753b5
authored
Oct 16, 2019
by
Sietse Ringers
Browse files
refactor: push nonrevocation proof checking to gabi
parent
7e7ff2a1
Changes
5
Hide whitespace changes
Inline
Side-by-side
internal/servercore/helpers.go
View file @
c59753b5
...
@@ -91,16 +91,20 @@ func (session *session) issuanceHandleRevocation(
...
@@ -91,16 +91,20 @@ func (session *session) issuanceHandleRevocation(
}
}
db
,
err
:=
session
.
conf
.
IrmaConfiguration
.
RevocationStorage
.
DB
(
cred
.
CredentialTypeID
)
db
,
err
:=
session
.
conf
.
IrmaConfiguration
.
RevocationStorage
.
DB
(
cred
.
CredentialTypeID
)
if
err
!=
nil
{
if
err
!=
nil
||
!
db
.
Enabled
()
{
return
return
}
}
if
!
db
.
Enabled
()
{
records
,
err
:=
db
.
LatestRecords
(
1
)
if
err
!=
nil
{
return
return
}
}
if
witness
,
err
=
sk
.
RevocationGenerateWitness
(
&
db
.
Current
);
err
!=
nil
{
if
witness
,
err
=
sk
.
RevocationGenerateWitness
(
&
db
.
Current
);
err
!=
nil
{
return
return
}
}
witness
.
Record
=
records
[
len
(
records
)
-
1
]
witness
.
Nu
=
nil
// don't send to irmaclient, it will reconstruct it from witness.Record
witness
.
Index
=
0
// same
nonrevAttr
=
witness
.
E
nonrevAttr
=
witness
.
E
issrecord
:=
&
irma
.
IssuanceRecord
{
issrecord
:=
&
irma
.
IssuanceRecord
{
Key
:
cred
.
RevocationKey
,
Key
:
cred
.
RevocationKey
,
...
...
internal/sessiontest/requestor_test.go
View file @
c59753b5
...
@@ -380,25 +380,30 @@ func TestRevocation(t *testing.T) {
...
@@ -380,25 +380,30 @@ func TestRevocation(t *testing.T) {
require
.
Nil
(
t
,
result
.
Err
)
require
.
Nil
(
t
,
result
.
Err
)
// perform disclosure session (of cred1) with nonrevocation proof
// perform disclosure session (of cred1) with nonrevocation proof
logger
.
Info
(
"step 1"
)
result
=
revocationSession
(
t
,
client
)
result
=
revocationSession
(
t
,
client
)
require
.
Equal
(
t
,
irma
.
ProofStatusValid
,
result
.
ProofStatus
)
require
.
Equal
(
t
,
irma
.
ProofStatusValid
,
result
.
ProofStatus
)
require
.
NotEmpty
(
t
,
result
.
Disclosed
)
require
.
NotEmpty
(
t
,
result
.
Disclosed
)
// revoke cred0
// revoke cred0
logger
.
Info
(
"step 2"
)
cred
:=
revocationIssuanceRequest
.
Credentials
[
0
]
.
CredentialTypeID
cred
:=
revocationIssuanceRequest
.
Credentials
[
0
]
.
CredentialTypeID
require
.
NoError
(
t
,
revocationServer
.
Revoke
(
cred
,
"cred0"
))
require
.
NoError
(
t
,
revocationServer
.
Revoke
(
cred
,
"cred0"
))
// perform another disclosure session with nonrevocation proof to see that cred1 still works
// perform another disclosure session with nonrevocation proof to see that cred1 still works
// client updates its witness to the new accumulator first
// client updates its witness to the new accumulator first
logger
.
Info
(
"step 3"
)
result
=
revocationSession
(
t
,
client
)
result
=
revocationSession
(
t
,
client
)
require
.
Equal
(
t
,
irma
.
ProofStatusValid
,
result
.
ProofStatus
)
require
.
Equal
(
t
,
irma
.
ProofStatusValid
,
result
.
ProofStatus
)
require
.
NotEmpty
(
t
,
result
.
Disclosed
)
require
.
NotEmpty
(
t
,
result
.
Disclosed
)
// revoke cred1
// revoke cred1
logger
.
Info
(
"step 4"
)
require
.
NoError
(
t
,
revocationServer
.
Revoke
(
cred
,
"cred1"
))
require
.
NoError
(
t
,
revocationServer
.
Revoke
(
cred
,
"cred1"
))
// try to perform session with revoked credential
// try to perform session with revoked credential
// client notices that is credential is revoked and aborts
// client notices that is credential is revoked and aborts
logger
.
Info
(
"step 5"
)
result
=
revocationSession
(
t
,
client
,
sessionOptionIgnoreClientError
)
result
=
revocationSession
(
t
,
client
,
sessionOptionIgnoreClientError
)
require
.
Equal
(
t
,
result
.
Status
,
server
.
StatusCancelled
)
require
.
Equal
(
t
,
result
.
Status
,
server
.
StatusCancelled
)
}
}
irmaclient/credential.go
View file @
c59753b5
...
@@ -74,16 +74,9 @@ func (cred *credential) NonrevPrepare(conf *irma.Configuration, request irma.Ses
...
@@ -74,16 +74,9 @@ func (cred *credential) NonrevPrepare(conf *irma.Configuration, request irma.Ses
// NonrevApplyUpdates updates the credential's nonrevocation witness using the specified messages,
// NonrevApplyUpdates updates the credential's nonrevocation witness using the specified messages,
// if they all verify and if their indices are ahead and adjacent to that of our witness.
// if they all verify and if their indices are ahead and adjacent to that of our witness.
func
(
cred
*
credential
)
NonrevApplyUpdates
(
messages
[]
*
revocation
.
Record
,
rs
*
irma
.
RevocationStorage
)
(
bool
,
error
)
{
func
(
cred
*
credential
)
NonrevApplyUpdates
(
messages
[]
*
revocation
.
Record
,
rs
*
irma
.
RevocationStorage
)
(
bool
,
error
)
{
var
err
error
var
pk
*
revocation
.
PublicKey
oldindex
:=
cred
.
NonRevocationWitness
.
Index
oldindex
:=
cred
.
NonRevocationWitness
.
Index
for
_
,
msg
:=
range
messages
{
if
err
:=
cred
.
NonRevocationWitness
.
Update
(
rs
.
Keystore
(
cred
.
CredentialType
()
.
IssuerIdentifier
()),
messages
);
err
!=
nil
{
if
pk
,
err
=
rs
.
PublicKey
(
cred
.
CredentialType
()
.
IssuerIdentifier
(),
msg
.
PublicKeyIndex
);
err
!=
nil
{
return
false
,
err
return
false
,
err
}
if
err
=
cred
.
NonRevocationWitness
.
Update
(
pk
,
msg
.
Message
);
err
!=
nil
{
return
false
,
err
}
}
}
return
cred
.
NonRevocationWitness
.
Index
!=
oldindex
,
cred
.
NonrevPrepareCache
()
return
cred
.
NonRevocationWitness
.
Index
!=
oldindex
,
cred
.
NonrevPrepareCache
()
...
...
revocation.go
View file @
c59753b5
...
@@ -136,6 +136,7 @@ func (rdb *DB) AddRecords(records []*revocation.Record) error {
...
@@ -136,6 +136,7 @@ func (rdb *DB) AddRecords(records []*revocation.Record) error {
return
nil
return
nil
}
}
// TODO this should use revocation.Record.UnmarshalVerify
func
(
rdb
*
DB
)
Add
(
updateMsg
signed
.
Message
,
counter
uint
)
error
{
func
(
rdb
*
DB
)
Add
(
updateMsg
signed
.
Message
,
counter
uint
)
error
{
var
err
error
var
err
error
var
update
revocation
.
AccumulatorUpdate
var
update
revocation
.
AccumulatorUpdate
...
@@ -267,7 +268,7 @@ func (rdb *DB) OnChange(handler func(*revocation.Record)) {
...
@@ -267,7 +268,7 @@ func (rdb *DB) OnChange(handler func(*revocation.Record)) {
func
(
rs
*
RevocationStorage
)
loadDB
(
credid
CredentialTypeIdentifier
)
(
*
DB
,
error
)
{
func
(
rs
*
RevocationStorage
)
loadDB
(
credid
CredentialTypeIdentifier
)
(
*
DB
,
error
)
{
path
:=
filepath
.
Join
(
rs
.
conf
.
RevocationPath
,
credid
.
String
())
path
:=
filepath
.
Join
(
rs
.
conf
.
RevocationPath
,
credid
.
String
())
keystore
:=
rs
.
k
eystore
(
credid
.
IssuerIdentifier
())
keystore
:=
rs
.
K
eystore
(
credid
.
IssuerIdentifier
())
b
,
err
:=
bolthold
.
Open
(
path
,
0600
,
&
bolthold
.
Options
{
Options
:
&
bolt
.
Options
{
Timeout
:
1
*
time
.
Second
}})
b
,
err
:=
bolthold
.
Open
(
path
,
0600
,
&
bolthold
.
Options
{
Options
:
&
bolt
.
Options
{
Timeout
:
1
*
time
.
Second
}})
if
err
!=
nil
{
if
err
!=
nil
{
...
@@ -447,7 +448,7 @@ func (rs *RevocationStorage) Close() error {
...
@@ -447,7 +448,7 @@ func (rs *RevocationStorage) Close() error {
return
merr
.
ErrorOrNil
()
return
merr
.
ErrorOrNil
()
}
}
func
(
rs
*
RevocationStorage
)
k
eystore
(
issuerid
IssuerIdentifier
)
revocation
.
Keystore
{
func
(
rs
*
RevocationStorage
)
K
eystore
(
issuerid
IssuerIdentifier
)
revocation
.
Keystore
{
return
func
(
counter
uint
)
(
*
revocation
.
PublicKey
,
error
)
{
return
func
(
counter
uint
)
(
*
revocation
.
PublicKey
,
error
)
{
return
rs
.
PublicKey
(
issuerid
,
counter
)
return
rs
.
PublicKey
(
issuerid
,
counter
)
}
}
...
...
verify.go
View file @
c59753b5
...
@@ -171,7 +171,7 @@ func (pl ProofList) VerifyProofs(
...
@@ -171,7 +171,7 @@ func (pl ProofList) VerifyProofs(
// by ProofList.Verify() above, so all that remains here is to check if all expected
// by ProofList.Verify() above, so all that remains here is to check if all expected
// nonrevocation proofs are present, and against the expected accumulator value:
// nonrevocation proofs are present, and against the expected accumulator value:
// the last one in the update message set we provided along with the session request,
// the last one in the update message set we provided along with the session request,
// OR
the last (
newer
)
one
that the client included in its reply (TODO)
.
// OR
a
newer one
included in the proofs itself
.
r
:=
revRecords
[
id
]
r
:=
revRecords
[
id
]
if
len
(
r
)
==
0
{
// no nonrevocation proof was requested for this credential
if
len
(
r
)
==
0
{
// no nonrevocation proof was requested for this credential
return
true
,
nil
return
true
,
nil
...
@@ -179,14 +179,7 @@ func (pl ProofList) VerifyProofs(
...
@@ -179,14 +179,7 @@ func (pl ProofList) VerifyProofs(
if
!
proofd
.
HasNonRevocationProof
()
{
if
!
proofd
.
HasNonRevocationProof
()
{
return
false
,
nil
return
false
,
nil
}
}
if
proofd
.
NonRevocationProof
.
Accumulator
.
Index
<
r
[
len
(
r
)
-
1
]
.
EndIndex
{
// grab last message from accumulator update message set in request
keystore
:=
configuration
.
RevocationStorage
.
keystore
(
typ
.
Identifier
()
.
IssuerIdentifier
())
msg
,
err
:=
r
[
len
(
r
)
-
1
]
.
UnmarshalVerify
(
keystore
)
if
err
!=
nil
{
return
false
,
err
}
if
msg
.
Accumulator
.
Nu
.
Cmp
(
proofd
.
NonRevocationProof
.
Nu
)
!=
0
{
return
false
,
errors
.
New
(
"nonrevocation proof used wrong accumulator"
)
return
false
,
errors
.
New
(
"nonrevocation proof used wrong accumulator"
)
}
}
}
}
...
...
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment