Commit dd577dca authored by Sietse Ringers's avatar Sietse Ringers

feat: remove necessity to enable revocation for a credential type

parent a4fd3be7
......@@ -154,16 +154,6 @@ func (s *Server) validateIssuanceRequest(request *irma.IssuanceRequest) error {
return err
}
if s.conf.IrmaConfiguration.CredentialTypes[cred.CredentialTypeID].SupportsRevocation() {
enabled, err := s.conf.IrmaConfiguration.Revocation.RevocationEnabled(cred.CredentialTypeID)
if err != nil {
return err
}
if !enabled {
s.conf.Logger.WithFields(logrus.Fields{"cred": cred.CredentialTypeID}).Warn("revocation supported in scheme but not enabled")
}
}
// Ensure the credential has an expiry date
defaultValidity := irma.Timestamp(time.Now().AddDate(0, 6, 0))
if cred.Validity == nil {
......
......@@ -377,19 +377,11 @@ func startRevocationServer(t *testing.T) {
require.NoError(t, g.AutoMigrate((*irma.IssuanceRecord)(nil)).Error)
require.NoError(t, g.Close())
// Start revocation server
if revocationConfiguration == nil {
revocationConfiguration = revocationConf(t)
}
irmaconf := revocationConfiguration.IrmaConfiguration
// Enable revocation for our credential type
sk, err := irmaconf.Revocation.Keys.PrivateKeyLatest(revocationTestCred.IssuerIdentifier())
require.NoError(t, err)
require.NoError(t, irmaconf.Revocation.EnableRevocation(revocationTestCred, sk))
// Start revocation server
revocationServer, err = irmaserver.New(revocationConfiguration)
revocationConfiguration = revocationConfiguration
require.NoError(t, err)
mux := http.NewServeMux()
mux.HandleFunc("/", revocationServer.HandlerFunc())
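Review bot: `revocationConfiguration = revocationConfiguration` is a self-assignment that does nothing and that `go vet` reports; if it sits on the new side of this hunk it should simply be dropped. The rendered view has lost the old/new markers for this hunk, so confirm against the raw diff which of the lines around `irmaserver.New(revocationConfiguration)` survive. startRevocationServer continues outside the hunk.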
......
package cmd
import (
irma "github.com/privacybydesign/irmago"
"github.com/spf13/cobra"
)
var revokeEnableCmd = &cobra.Command{
Use: "enable CREDENTIALTYPE URL",
Short: "Enable revocation for a credential type",
Long: `Enable revocation for a given credential type.
Must be done (and can only be done) by the issuer of the specified credential type, if enable in the
scheme.`,
Args: cobra.ExactArgs(2),
Run: func(cmd *cobra.Command, args []string) {
flags := cmd.Flags()
schemespath, _ := flags.GetString("schemes-path")
authmethod, _ := flags.GetString("auth-method")
key, _ := flags.GetString("key")
name, _ := flags.GetString("name")
verbosity, _ := cmd.Flags().GetCount("verbose")
url := args[1]
request := &irma.RevocationRequest{
LDContext: irma.LDContextRevocationRequest,
CredentialType: irma.NewCredentialTypeIdentifier(args[0]),
Enable: true,
}
postRevocation(request, url, schemespath, authmethod, key, name, verbosity)
},
}
func init() {
flags := revokeEnableCmd.Flags()
flags.StringP("schemes-path", "s", irma.DefaultSchemesPath(), "path to irma_configuration")
flags.StringP("auth-method", "a", "none", "Authentication method to server (none, token, rsa, hmac)")
flags.String("key", "", "Key to sign request with")
flags.String("name", "", "Requestor name")
flags.CountP("verbose", "v", "verbose (repeatable)")
revocationCmd.AddCommand(revokeEnableCmd)
}
......@@ -201,7 +201,6 @@ type RevocationRequest struct {
LDContext string `json:"@context,omitempty"`
CredentialType CredentialTypeIdentifier `json:"type"`
Key string `json:"revocationKey,omitempty"`
Enable bool `json:"enable,omitempty"`
}
func (r *RevocationRequest) Validate() error {
......
......@@ -138,7 +138,7 @@ const (
// only way to create such an initial accumulator and it must be called before anyone can use
// revocation for this credential type. Requires the issuer private key.
func (rs *RevocationStorage) EnableRevocation(typ CredentialTypeIdentifier, sk *revocation.PrivateKey) error {
enabled, err := rs.RevocationEnabled(typ)
enabled, err := rs.Exists(typ)
if err != nil {
return err
}
......@@ -157,9 +157,8 @@ func (rs *RevocationStorage) EnableRevocation(typ CredentialTypeIdentifier, sk *
return nil
}
// RevocationEnabled returns whether or not revocation is enabled for the given credential type,
// by checking if any revocation record exists in the database.
func (rs *RevocationStorage) RevocationEnabled(typ CredentialTypeIdentifier) (bool, error) {
// Exists returns whether or not an accumulator exists in the database for the given credential type.
func (rs *RevocationStorage) Exists(typ CredentialTypeIdentifier) (bool, error) {
if rs.sqlMode {
return rs.db.Exists((*EventRecord)(nil), nil)
} else {
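Review bot: The new doc comment on `Exists` says it reports whether an accumulator exists for the given credential type, but in the `rs.sqlMode` branch `typ` is never used: `rs.db.Exists((*EventRecord)(nil), nil)` is called with a nil filter, so it appears to answer whether any EventRecord exists at all — confirm against db.Exists's signature. If that reading is right, the first hosted credential type makes `exists == true` for every later one, so the new caller in verifyRevocation (the @@ -228 hunk) never calls `EnableRevocation` for them and no initial accumulator is created; the query should be filtered on the record's credential-type column, and the comment should say so. This is pre-existing behaviour, but the rename and the new automatic-creation path make it load-bearing. The body of Exists continues outside the hunk.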
......
......@@ -228,16 +228,22 @@ func (conf *Configuration) verifyRevocation() error {
}
if settings.Mode == irma.RevocationModeServer {
enabled, err := conf.IrmaConfiguration.Revocation.RevocationEnabled(credid)
sk, err := conf.IrmaConfiguration.Revocation.Keys.PrivateKeyLatest(credid.IssuerIdentifier())
if err != nil {
return LogError(errors.WrapPrefix(err, "failed to check if revocation is enabled for "+credid.String(), 0))
}
if !enabled {
return LogError(errors.Errorf("revocation not enabled for %s", credid.String()))
return LogError(errors.WrapPrefix(err, "failed to load private key of "+credid.IssuerIdentifier().String()+" (required for revocation)", 0))
}
_, err = conf.IrmaConfiguration.Revocation.Keys.PrivateKeyLatest(credid.IssuerIdentifier())
rev := conf.IrmaConfiguration.Revocation
exists, err := rev.Exists(credid)
if err != nil {
return LogError(errors.WrapPrefix(err, "failed to load private key of "+credid.IssuerIdentifier().String()+" (required for revocation)", 0))
return LogError(errors.WrapPrefix(err, "failed to check if accumulator exists for "+credid.String(), 0))
}
conf.Logger.Info("revocation server mode enabled for " + credid.String())
if !exists {
conf.Logger.Warn("Creating initial accumulator for " + credid.String())
conf.Logger.Warn("Being the revocation server for a credential type comes with special responsibilities, a.o. that this server is always reachable online for any IRMA participant, and that the contents of the database to which the initial accumulator was just written is never deleted. Please read more at https://irma.app/docs/revocation/#issuer-responsibilities.")
if err = rev.EnableRevocation(credid, sk); err != nil {
return LogError(errors.WrapPrefix(err, "failed to create initial accumulator record for "+credid.String(), 0))
}
}
}
}
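Review bot: The second `conf.Logger.Warn` says the initial accumulator "was just written", but it is emitted before `rev.EnableRevocation(credid, sk)` runs and is still logged when that call fails on the next line. Move both Warn calls after the `if err = rev.EnableRevocation(credid, sk); err != nil` check, or reword to "is about to be written", so the log matches what happened. Since accumulator creation is now automatic at startup, this warning is the operator's only signal that a fresh accumulator (and a fresh revocation state) was created, so it is worth making it accurate.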
......