Verifier functionality.
Modules
Intel(R) EPID 1.1 support
Intel(R) EPID 1.1 Verifier functionality.
Data Structures
struct VerifierPrecomp
Pre-computed verifier settings.
Typedefs
typedef struct VerifierCtx VerifierCtx
Internal context of verifier.
Functions
EpidStatus EpidVerifierCreate (GroupPubKey const *pub_key, VerifierPrecomp const *precomp, VerifierCtx **ctx)
Creates a new verifier context.
void EpidVerifierDelete (VerifierCtx **ctx)
Deletes an existing verifier context.
EpidStatus EpidVerifierWritePrecomp (VerifierCtx const *ctx, VerifierPrecomp *precomp)
Serializes the pre-computed verifier settings.
EpidStatus EpidVerifierSetPrivRl (VerifierCtx *ctx, PrivRl const *priv_rl, size_t priv_rl_size)
Sets the private key based revocation list.
EpidStatus EpidVerifierSetSigRl (VerifierCtx *ctx, SigRl const *sig_rl, size_t sig_rl_size)
Sets the signature based revocation list.
EpidStatus EpidVerifierSetGroupRl (VerifierCtx *ctx, GroupRl const *grp_rl, size_t grp_rl_size)
Sets the group based revocation list.
EpidStatus EpidVerifierSetVerifierRl (VerifierCtx *ctx, VerifierRl const *ver_rl, size_t ver_rl_size)
Sets the verifier revocation list.
EpidStatus EpidVerifierSetHashAlg (VerifierCtx *ctx, HashAlg hash_alg)
Sets the hash algorithm to be used by a verifier.
EpidStatus EpidVerifierSetBasename (VerifierCtx *ctx, void const *basename, size_t basename_len)
Sets the basename to be used by a verifier.
EpidStatus EpidVerify (VerifierCtx const *ctx, EpidSignature const *sig, size_t sig_len, void const *msg, size_t msg_len)
Verifies a signature and checks revocation status.
bool EpidAreSigsLinked (BasicSignature const *sig1, BasicSignature const *sig2)
Determines if two signatures are linked.
EpidStatus EpidVerifyBasicSig (VerifierCtx const *ctx, BasicSignature const *sig, void const *msg, size_t msg_len)
Verifies a member signature without revocation checks.
EpidStatus EpidNrVerify (VerifierCtx const *ctx, BasicSignature const *sig, void const *msg, size_t msg_len, SigRlEntry const *sigrl_entry, NrProof const *proof)
Verifies the non-revoked proof for a single signature based revocation list entry.
EpidStatus EpidCheckPrivRlEntry (VerifierCtx const *ctx, BasicSignature const *sig, FpElemStr const *f)
Verifies a signature has not been revoked in the private key based revocation list.
size_t EpidGetVerifierRlSize (VerifierCtx const *ctx)
Returns the number of bytes required to serialize the verifier blacklist.
EpidStatus EpidWriteVerifierRl (VerifierCtx const *ctx, VerifierRl *ver_rl, size_t ver_rl_size)
Serializes the verifier blacklist to a buffer.
EpidStatus EpidBlacklistSig (VerifierCtx *ctx, EpidSignature const *sig, size_t sig_len, void const *msg, size_t msg_len)
Adds a valid name-based signature to the verifier blacklist.
Verifier functionality.
Defines the APIs needed by Intel(R) EPID verifiers. Each verifier context (VerifierCtx) represents a verifier for a single group.
To use this module, include the header epid/verifier/api.h.
bool EpidAreSigsLinked (BasicSignature const *sig1, BasicSignature const *sig2)
Determines if two signatures are linked.
The Intel(R) EPID scheme allows signatures to be linked. If the basename option is specified when signing, signatures with the same basename are linkable. This linking capability allows the verifier, or anyone, to know whether two Intel(R) EPID signatures were generated by the same member.
[in] | sig1 | A basic signature. |
[in] | sig2 | A basic signature. |
true | if the signatures were generated by the same member |
false | if it couldn't be determined if the signatures were generated by the same member |
EpidStatus EpidBlacklistSig (VerifierCtx *ctx, EpidSignature const *sig, size_t sig_len, void const *msg, size_t msg_len)
Adds a valid name-based signature to the verifier blacklist.
If the signature is not valid, it will not be added to the blacklist.
[in] | ctx | The verifier context. |
[in] | sig | The name-based signature to revoke. |
[in] | sig_len | The size of sig in bytes. |
[in] | msg | The message that was signed. |
[in] | msg_len | The size of msg in bytes. |
EpidStatus EpidCheckPrivRlEntry (VerifierCtx const *ctx, BasicSignature const *sig, FpElemStr const *f)
Verifies a signature has not been revoked in the private key based revocation list.
Used in constrained environments where, due to limited memory, it may not be possible to process through a large and potentially unbounded revocation list.
[in] | ctx | The verifier context. |
[in] | sig | The basic signature. |
[in] | f | The private key based revocation list entry. |
size_t EpidGetVerifierRlSize (VerifierCtx const *ctx)
Returns the number of bytes required to serialize the verifier blacklist.
Use this function to determine the buffer size required by EpidWriteVerifierRl.
[in] | ctx | The verifier context. |
EpidStatus EpidNrVerify (VerifierCtx const *ctx, BasicSignature const *sig, void const *msg, size_t msg_len, SigRlEntry const *sigrl_entry, NrProof const *proof)
Verifies the non-revoked proof for a single signature based revocation list entry.
Used in constrained environments where, due to limited memory, it may not be possible to process through a large and potentially unbounded revocation list.
[in] | ctx | The verifier context. |
[in] | sig | The basic signature. |
[in] | msg | The message that was signed. |
[in] | msg_len | The size of msg in bytes. |
[in] | sigrl_entry | The signature based revocation list entry. |
[in] | proof | The non-revoked proof. |
EpidStatus EpidVerifierCreate (GroupPubKey const *pub_key, VerifierPrecomp const *precomp, VerifierCtx **ctx)
Creates a new verifier context.
Must be called to create the verifier context that is used by other "Verifier" APIs.
Allocates memory for the context, then initializes it.
EpidVerifierDelete() must be called to safely release the verifier context.
[in] | pub_key | The group certificate. |
[in] | precomp | Optional pre-computed data. If NULL the value is computed internally and is readable using EpidVerifierWritePrecomp(). |
[out] | ctx | Newly constructed verifier context. |
void EpidVerifierDelete (VerifierCtx **ctx)
Deletes an existing verifier context.
Must be called to safely release a verifier context created using EpidVerifierCreate().
De-initializes the context, frees memory used by the context, and sets the context pointer to NULL.
[in,out] | ctx | The verifier context. Can be NULL. |
EpidStatus EpidVerifierSetBasename (VerifierCtx *ctx, void const *basename, size_t basename_len)
Sets the basename to be used by a verifier.
[in,out] | ctx | The verifier context. |
[in] | basename | The basename. Pass NULL for random base. |
[in] | basename_len | Number of bytes in basename buffer. Must be 0 if basename is NULL. |
EpidStatus EpidVerifierSetGroupRl (VerifierCtx *ctx, GroupRl const *grp_rl, size_t grp_rl_size)
Sets the group based revocation list.
The caller is responsible for ensuring the revocation list is authorized, e.g., signed by the issuer. The caller is also responsible for checking the version of the revocation list. The call fails if trying to set an older version of the revocation list than was last set.
[in,out] | ctx | The verifier context. |
[in] | grp_rl | The group based revocation list. |
[in] | grp_rl_size | The size of the group based revocation list in bytes. |
EpidStatus EpidVerifierSetHashAlg (VerifierCtx *ctx, HashAlg hash_alg)
Sets the hash algorithm to be used by a verifier.
[in] | ctx | The verifier context. |
[in] | hash_alg | The hash algorithm to use. |
EpidStatus EpidVerifierSetPrivRl (VerifierCtx *ctx, PrivRl const *priv_rl, size_t priv_rl_size)
Sets the private key based revocation list.
The caller is responsible for ensuring the revocation list is authorized, e.g., signed by the issuer. The caller is also responsible for checking the version of the revocation list. The call fails if trying to set an older version of the revocation list than was last set.
[in,out] | ctx | The verifier context. |
[in] | priv_rl | The private key based revocation list. |
[in] | priv_rl_size | The size of the private key based revocation list in bytes. |
EpidStatus EpidVerifierSetSigRl (VerifierCtx *ctx, SigRl const *sig_rl, size_t sig_rl_size)
Sets the signature based revocation list.
The caller is responsible for ensuring the revocation list is authorized, e.g., signed by the issuer. The caller is also responsible for checking the version of the revocation list. The call fails if trying to set an older version of the revocation list than was last set.
[in,out] | ctx | The verifier context. |
[in] | sig_rl | The signature based revocation list. |
[in] | sig_rl_size | The size of the signature based revocation list in bytes. |
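The private key based and signature based revocation list descriptions above leave the version check to the caller. The following C sketch is an added example, not SDK code: a caller-side gate that rejects a list whose size disagrees with its header or whose version is older than the last one the caller accepted. The header layout, the 32-byte entry size, and the names rl_precheck and demo_check are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed layout, not given on this page: 16-byte group ID, 32-bit
 * big-endian version, 32-bit big-endian entry count, fixed-size entries.
 * Take the real sizes from the SDK's type definitions. */
#define RL_GID_LEN 16u
#define RL_HDR_LEN (RL_GID_LEN + 8u)
#define DEMO_ENTRY_LEN 32u /* assumed size of one private key based entry */

typedef enum { RL_OK, RL_BAD_INPUT, RL_BAD_SIZE, RL_ROLLBACK } RlCheck;

/* Read a 32-bit big-endian integer without alignment assumptions. */
static uint32_t be32(const uint8_t *p) {
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
         ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical caller-side gate: run it after the issuer's signature over
 * the list has been checked and before calling the Set*Rl function.
 * last_version is the highest version accepted so far, kept in persistent
 * storage by the caller. On RL_OK, *version_out is the value to persist. */
RlCheck rl_precheck(const uint8_t *rl, size_t rl_size, size_t entry_size,
                    uint32_t last_version, uint32_t *version_out) {
  if (rl == NULL || version_out == NULL || entry_size == 0 ||
      rl_size < RL_HDR_LEN)
    return RL_BAD_INPUT;
  uint32_t version = be32(rl + RL_GID_LEN);
  uint32_t count = be32(rl + RL_GID_LEN + 4);
  size_t body = rl_size - RL_HDR_LEN;
  /* Divide instead of multiplying so a huge count cannot overflow. */
  if (body % entry_size != 0 || body / entry_size != count)
    return RL_BAD_SIZE;
  if (version < last_version) return RL_ROLLBACK; /* older than accepted */
  *version_out = version;
  return RL_OK;
}

/* Constructed sample: a list with the given header fields (values < 256)
 * and n_entries (at most 4) zeroed entries, passed through the gate. */
RlCheck demo_check(uint8_t version, uint8_t count, size_t n_entries,
                   uint32_t last_version) {
  uint8_t rl[RL_HDR_LEN + 4 * DEMO_ENTRY_LEN] = {0};
  uint32_t accepted = 0;
  if (n_entries > 4) n_entries = 4;
  rl[RL_GID_LEN + 3] = version; /* low byte of big-endian version */
  rl[RL_GID_LEN + 7] = count;   /* low byte of big-endian count */
  return rl_precheck(rl, RL_HDR_LEN + n_entries * DEMO_ENTRY_LEN,
                     DEMO_ENTRY_LEN, last_version, &accepted);
}
```

Re-setting the same version is accepted here because the text above only rules out an older version.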
EpidStatus EpidVerifierSetVerifierRl (VerifierCtx *ctx, VerifierRl const *ver_rl, size_t ver_rl_size)
Sets the verifier revocation list.
The caller is responsible for ensuring the revocation list is authorized. The caller is also responsible for checking the version of the revocation list. The call fails if trying to set an older version of the same revocation list than was last set.
Once EpidVerifierSetVerifierRl returns, callers are free to release the memory pointed to by ver_rl.
[in,out] | ctx | The verifier context. |
[in] | ver_rl | The verifier revocation list. |
[in] | ver_rl_size | The size of the verifier revocation list in bytes. |
EpidStatus EpidVerifierWritePrecomp (VerifierCtx const *ctx, VerifierPrecomp *precomp)
Serializes the pre-computed verifier settings.
[in] | ctx | The verifier context. |
[out] | precomp | The serialized pre-computed verifier settings. |
EpidStatus EpidVerify (VerifierCtx const *ctx, EpidSignature const *sig, size_t sig_len, void const *msg, size_t msg_len)
Verifies a signature and checks revocation status.
[in] | ctx | The verifier context. |
[in] | sig | The signature. |
[in] | sig_len | The size of sig in bytes. |
[in] | msg | The message that was signed. |
[in] | msg_len | The size of msg in bytes. |
kEpidSigValid | Signature validated successfully |
kEpidSigInvalid | Signature is invalid |
kEpidSigRevokedInGroupRl | Signature revoked in GroupRl |
kEpidSigRevokedInPrivRl | Signature revoked in PrivRl |
kEpidSigRevokedInSigRl | Signature revoked in SigRl |
kEpidSigRevokedInVerifierRl | Signature revoked in VerifierRl |
EpidStatus EpidVerifyBasicSig (VerifierCtx const *ctx, BasicSignature const *sig, void const *msg, size_t msg_len)
Verifies a member signature without revocation checks.
Used in constrained environments where, due to limited memory, it may not be possible to process through a large and potentially unbounded revocation list.
[in] | ctx | The verifier context. |
[in] | sig | The basic signature. |
[in] | msg | The message that was signed. |
[in] | msg_len | The size of msg in bytes. |
EpidStatus EpidWriteVerifierRl (VerifierCtx const *ctx, VerifierRl *ver_rl, size_t ver_rl_size)
Serializes the verifier blacklist to a buffer.
If the current blacklist is empty or not set, a valid empty verifier blacklist will be serialized.
Use EpidGetVerifierRlSize to determine the buffer size required to serialize the verifier blacklist.
[in] | ctx | The verifier context. |
[out] | ver_rl | An existing buffer in which to write the verifier revocation list. |
[in] | ver_rl_size | The size of the caller allocated output buffer in bytes. |