feat: client checks consistency of revocation and revocationUpdates fields of session request

irmaclient/credential.go

@@ -49,13 +49,18 @@ func (cred *credential) AttributeList() *irma.AttributeList {
 // persist the updated credential to storage.
 func (cred *credential) NonrevPrepare(conf *irma.Configuration, request irma.SessionRequest) (bool, error) {
 	credtype := cred.CredentialType().Identifier()
-	if !request.Base().RequestsRevocation(credtype) {
+	base := request.Base()
+	if !base.RequestsRevocation(credtype) {
 		return false, nil
 	}
 
+	if err := base.RevocationConsistent(); err != nil {
+		return false, err
+	}
+
 	// first try to update witness by applying the revocation update messages attached to the session request
 	keys := irma.RevocationKeys{Conf: conf}
-	revupdates := request.Base().RevocationUpdates[credtype]
+	revupdates := base.RevocationUpdates[credtype]
 	updated, err := cred.NonrevApplyUpdates(revupdates, keys)
 	if err != nil {
 		return updated, err

requests.go

@@ -239,6 +239,18 @@ func (b *BaseRequest) RequestsRevocation(id CredentialTypeIdentifier) bool {
 	return len(b.RevocationUpdates) > 0 && len(b.RevocationUpdates[id]) > 0
 }
 
+func (b *BaseRequest) RevocationConsistent() error {
+	if len(b.Revocation) != len(b.RevocationUpdates) {
+		return errors.New("revocation and revocationUpdates do not have the same length")
+	}
+	for _, typ := range b.Revocation {
+		if _, present := b.RevocationUpdates[typ]; !present {
+			return errors.Errorf("type %s not present in revocationUpdates", typ)
+		}
+	}
+	return nil
+}
+
 // CredentialTypes returns an array of all credential types occuring in this conjunction.
 func (c AttributeCon) CredentialTypes() []CredentialTypeIdentifier {
 	var result []CredentialTypeIdentifier