Intel(R) EPID 1.1 support

Intel(R) EPID 1.1 Verifier functionality.

Data Structures

struct  Epid11VerifierPrecomp
 Intel(R) EPID 1.1 Pre-computed verifier settings.
 

Typedefs

typedef struct Epid11VerifierCtx Epid11VerifierCtx
 Internal context of Intel(R) EPID 1.1 verifier.
 

Functions

EpidStatus Epid11VerifierCreate (Epid11GroupPubKey const *pub_key, Epid11VerifierPrecomp const *precomp, Epid11VerifierCtx **ctx)
 Creates a new Intel(R) EPID 1.1 verifier context.

void Epid11VerifierDelete (Epid11VerifierCtx **ctx)
 Deletes an existing Intel(R) EPID 1.1 verifier context.

EpidStatus Epid11VerifierWritePrecomp (Epid11VerifierCtx const *ctx, Epid11VerifierPrecomp *precomp)
 Serializes the pre-computed Intel(R) EPID 1.1 verifier settings.

EpidStatus Epid11VerifierSetPrivRl (Epid11VerifierCtx *ctx, Epid11PrivRl const *priv_rl, size_t priv_rl_size)
 Sets the Intel(R) EPID 1.1 private key based revocation list.

EpidStatus Epid11VerifierSetSigRl (Epid11VerifierCtx *ctx, Epid11SigRl const *sig_rl, size_t sig_rl_size)
 Sets the Intel(R) EPID 1.1 signature based revocation list.

EpidStatus Epid11VerifierSetGroupRl (Epid11VerifierCtx *ctx, Epid11GroupRl const *grp_rl, size_t grp_rl_size)
 Sets the Intel(R) EPID 1.1 group based revocation list.

EpidStatus Epid11VerifierSetBasename (Epid11VerifierCtx *ctx, void const *basename, size_t basename_len)
 Sets the basename to be used by a verifier.

EpidStatus Epid11Verify (Epid11VerifierCtx const *ctx, Epid11Signature const *sig, size_t sig_len, void const *msg, size_t msg_len)
 Verifies an Intel(R) EPID 1.1 signature and checks revocation status.

bool Epid11AreSigsLinked (Epid11BasicSignature const *sig1, Epid11BasicSignature const *sig2)
 Determines if two Intel(R) EPID 1.1 signatures are linked.

EpidStatus Epid11VerifyBasicSig (Epid11VerifierCtx const *ctx, Epid11BasicSignature const *sig, void const *msg, size_t msg_len)
 Verifies an Intel(R) EPID 1.1 member signature without revocation checks.

EpidStatus Epid11NrVerify (Epid11VerifierCtx const *ctx, Epid11BasicSignature const *sig, void const *msg, size_t msg_len, Epid11SigRlEntry const *sigrl_entry, Epid11NrProof const *proof)
 Verifies the non-revoked proof for a single Intel(R) EPID 1.1 signature based revocation list entry.

EpidStatus Epid11CheckPrivRlEntry (Epid11VerifierCtx const *ctx, Epid11BasicSignature const *sig, FpElemStr const *f)
 Verifies an Intel(R) EPID 1.1 signature has not been revoked in the private key based revocation list.
 

Detailed Description

Intel(R) EPID 1.1 Verifier functionality.

To verify signatures coming from member devices that belong to an Intel® EPID 1.1 group, you need to use Intel® EPID 1.1 verifier APIs.

If you are acting as a verifier for both Intel® EPID 1.1 and 2.0 members, you can determine if you need version 1.1 or 2.0 verification by checking the Intel® EPID version field in the group public key file (see EpidParseFileHeader). You can also check the version in other binary issuer material, such as the GroupRL and SigRL.

The 1.1 verifier APIs take a verifier context as input. Each verifier context (Epid11VerifierCtx) represents a verifier for a single group.

The Intel® EPID 1.1 specification does not provide hash algorithm selection and verifier blacklist revocation. Therefore, APIs such as EpidVerifierSetHashAlg and EpidVerifierSetVerifierRl are not available.

You can find the Intel® EPID 1.1 API headers in the 1.1 directories, for example, epid/verifier/1.1/api.h.

Intel® EPID 1.1 APIs and data structures are indicated with the "Epid11" prefix. For example, the Intel® EPID 1.1 version of EpidParseGroupPubKeyFile is called Epid11ParseGroupPubKeyFile, and the Intel® EPID 1.1 version of GroupRl is Epid11GroupRl.

Function Documentation

◆ Epid11AreSigsLinked()

bool Epid11AreSigsLinked ( Epid11BasicSignature const *  sig1,
Epid11BasicSignature const *  sig2 
)

Determines if two Intel(R) EPID 1.1 signatures are linked.

The Intel(R) EPID scheme allows signatures to be linked. If the basename option is specified when signing, signatures with the same basename will be linkable. This linking capability allows the verifier, or anyone, to know whether two Intel(R) EPID signatures are generated by the same member.

This API supports Intel(R) EPID 1.1 verification.

Parameters
[in] sig1: A basic signature.
[in] sig2: A basic signature.
Returns
bool
Return values
true: if the signatures were generated by the same member
false: if it couldn't be determined if the signatures were generated by the same member
Note
The input signatures should be verified using Epid11VerifyBasicSig() before invocation. Behavior is undefined if either of the signatures cannot be verified.
See also
Epid11VerifyBasicSig
Intel(R) EPID 1.1 support

◆ Epid11CheckPrivRlEntry()

EpidStatus Epid11CheckPrivRlEntry ( Epid11VerifierCtx const *  ctx,
Epid11BasicSignature const *  sig,
FpElemStr const *  f 
)

Verifies an Intel(R) EPID 1.1 signature has not been revoked in the private key based revocation list.

Used in constrained environments where, due to limited memory, it may not be possible to process through a large and potentially unbounded revocation list.

This API supports Intel(R) EPID 1.1 verification.

Parameters
[in] ctx: The verifier context.
[in] sig: The basic signature.
[in] f: The private key based revocation list entry.
Note
Sig should be verified using Epid11VerifyBasicSig() before invocation. Behavior is undefined if sig cannot be verified.
This function should be used in conjunction with Epid11NrVerify() and Epid11VerifyBasicSig().
If the result is not kEpidNoErr the verify should be considered to have failed.
Returns
EpidStatus
See also
Epid11VerifierCreate
Epid11NrVerify
Epid11VerifyBasicSig
Intel(R) EPID 1.1 support

◆ Epid11NrVerify()

EpidStatus Epid11NrVerify ( Epid11VerifierCtx const *  ctx,
Epid11BasicSignature const *  sig,
void const *  msg,
size_t  msg_len,
Epid11SigRlEntry const *  sigrl_entry,
Epid11NrProof const *  proof 
)

Verifies the non-revoked proof for a single Intel(R) EPID 1.1 signature based revocation list entry.

Used in constrained environments where, due to limited memory, it may not be possible to process through a large and potentially unbounded revocation list.

This API supports Intel(R) EPID 1.1 verification.

Parameters
[in] ctx: The verifier context.
[in] sig: The basic signature.
[in] msg: The message that was signed.
[in] msg_len: The size of msg in bytes.
[in] sigrl_entry: The signature based revocation list entry.
[in] proof: The non-revoked proof.
Returns
EpidStatus
Note
Sig should be verified using Epid11VerifyBasicSig() before invocation. Behavior is undefined if sig cannot be verified.
This function should be used in conjunction with Epid11VerifyBasicSig() and Epid11CheckPrivRlEntry().
If the result is not kEpidNoErr the verify should be considered to have failed.
See also
Epid11VerifierCreate
Epid11VerifyBasicSig
Epid11CheckPrivRlEntry
Intel(R) EPID 1.1 support

◆ Epid11VerifierCreate()

EpidStatus Epid11VerifierCreate ( Epid11GroupPubKey const *  pub_key,
Epid11VerifierPrecomp const *  precomp,
Epid11VerifierCtx **  ctx 
)

Creates a new Intel(R) EPID 1.1 verifier context.

Must be called to create the verifier context that is used by other "Verifier" APIs.

Allocates memory for the context, then initializes it.

Epid11VerifierDelete() must be called to safely release the verifier context.

Parameters
[in] pub_key: The group certificate.
[in] precomp: Optional pre-computed data. If NULL the value is computed internally and is readable using Epid11VerifierWritePrecomp().
[out] ctx: Newly constructed verifier context.
Returns
EpidStatus
Note
If the result is not kEpidNoErr the content of ctx is undefined.
See also
Epid11VerifierDelete
Epid11VerifierWritePrecomp
Intel(R) EPID 1.1 support

◆ Epid11VerifierDelete()

void Epid11VerifierDelete ( Epid11VerifierCtx **  ctx)

Deletes an existing Intel(R) EPID 1.1 verifier context.

Must be called to safely release a verifier context created using Epid11VerifierCreate().

De-initializes the context, frees memory used by the context, and sets the context pointer to NULL.

Parameters
[in,out] ctx: The verifier context. Can be NULL.
See also
Epid11VerifierCreate
Intel(R) EPID 1.1 support

◆ Epid11VerifierSetBasename()

EpidStatus Epid11VerifierSetBasename ( Epid11VerifierCtx *  ctx,
void const *  basename,
size_t  basename_len 
)

Sets the basename to be used by a verifier.

This API allows setting a zero length base name.

Warning
Not all members in the Intel(R) EPID 1.1 ecosystem may support zero length basenames. They may interpret a zero length basename as random base.
Parameters
[in,out] ctx: The verifier context.
[in] basename: The basename. Pass NULL for random base.
[in] basename_len: Number of bytes in basename buffer. Must be 0 if basename is NULL.
Returns
EpidStatus
See also
Epid11VerifierCreate

◆ Epid11VerifierSetGroupRl()

EpidStatus Epid11VerifierSetGroupRl ( Epid11VerifierCtx *  ctx,
Epid11GroupRl const *  grp_rl,
size_t  grp_rl_size 
)

Sets the Intel(R) EPID 1.1 group based revocation list.

The caller is responsible for ensuring the revocation list is authorized, e.g., signed by the issuer. The caller is also responsible for checking the version of the revocation list. The call will fail if trying to set an older version of the revocation list than was last set.

This API supports Intel(R) EPID 1.1 verification.

Attention
The memory pointed to by grp_rl will be accessed directly by the verifier until a new list is set or the verifier is destroyed. Do not modify the contents of this memory. The behavior of subsequent operations that rely on the revocation list will be undefined if the memory is modified.
It is the responsibility of the caller to free the memory pointed to by grp_rl after the verifier is no longer using it.
Parameters
[in,out] ctx: The verifier context.
[in] grp_rl: The group based revocation list.
[in] grp_rl_size: The size of the group based revocation list in bytes.
Returns
EpidStatus
Note
If the result is not kEpidNoErr the group based revocation list pointed to by the verifier is undefined.
See also
Epid11VerifierCreate
Intel(R) EPID 1.1 support

◆ Epid11VerifierSetPrivRl()

EpidStatus Epid11VerifierSetPrivRl ( Epid11VerifierCtx *  ctx,
Epid11PrivRl const *  priv_rl,
size_t  priv_rl_size 
)

Sets the Intel(R) EPID 1.1 private key based revocation list.

The caller is responsible for ensuring the revocation list is authorized, e.g., signed by the issuer. The caller is also responsible for checking the version of the revocation list. The call will fail if trying to set an older version of the revocation list than was last set.

This API supports Intel(R) EPID 1.1 verification.

Attention
The memory pointed to by priv_rl will be accessed directly by the verifier until a new list is set or the verifier is destroyed. Do not modify the contents of this memory. The behavior of subsequent operations that rely on the revocation list will be undefined if the memory is modified.
It is the responsibility of the caller to free the memory pointed to by priv_rl after the verifier is no longer using it.
Parameters
[in,out] ctx: The verifier context.
[in] priv_rl: The private key based revocation list.
[in] priv_rl_size: The size of the private key based revocation list in bytes.
Returns
EpidStatus
Note
If the result is not kEpidNoErr the private key based revocation list pointed to by the verifier is undefined.
See also
Epid11VerifierCreate
Intel(R) EPID 1.1 support

◆ Epid11VerifierSetSigRl()

EpidStatus Epid11VerifierSetSigRl ( Epid11VerifierCtx *  ctx,
Epid11SigRl const *  sig_rl,
size_t  sig_rl_size 
)

Sets the Intel(R) EPID 1.1 signature based revocation list.

The caller is responsible for ensuring the revocation list is authorized, e.g., signed by the issuer. The caller is also responsible for checking the version of the revocation list. The call will fail if trying to set an older version of the revocation list than was last set.

This API supports Intel(R) EPID 1.1 verification.

Attention
The memory pointed to by sig_rl will be accessed directly by the verifier until a new list is set or the verifier is destroyed. Do not modify the contents of this memory. The behavior of subsequent operations that rely on the revocation list will be undefined if the memory is modified.
It is the responsibility of the caller to free the memory pointed to by sig_rl after the verifier is no longer using it.
Parameters
[in,out] ctx: The verifier context.
[in] sig_rl: The signature based revocation list.
[in] sig_rl_size: The size of the signature based revocation list in bytes.
Returns
EpidStatus
Note
If the result is not kEpidNoErr the signature based revocation list pointed to by the verifier is undefined.
See also
Epid11VerifierCreate
SdkOverview_11Verifier
Intel(R) EPID 1.1 support

◆ Epid11VerifierWritePrecomp()

EpidStatus Epid11VerifierWritePrecomp ( Epid11VerifierCtx const *  ctx,
Epid11VerifierPrecomp *  precomp
)

Serializes the pre-computed Intel(R) EPID 1.1 verifier settings.

Parameters
[in] ctx: The verifier context.
[out] precomp: The serialized pre-computed verifier settings.
Returns
EpidStatus
Note
If the result is not kEpidNoErr the content of precomp is undefined.
See also
Intel(R) EPID 1.1 support

◆ Epid11Verify()

EpidStatus Epid11Verify ( Epid11VerifierCtx const *  ctx,
Epid11Signature const *  sig,
size_t  sig_len,
void const *  msg,
size_t  msg_len 
)

Verifies an Intel(R) EPID 1.1 signature and checks revocation status.

Parameters
[in] ctx: The verifier context.
[in] sig: The signature.
[in] sig_len: The size of sig in bytes.
[in] msg: The message that was signed.
[in] msg_len: The size of msg in bytes.
Returns
EpidStatus
Return values
kEpidSigValid: Signature validated successfully
kEpidSigInvalid: Signature is invalid
kEpidSigRevokedInGroupRl: Signature revoked in GroupRl
kEpidSigRevokedInPrivRl: Signature revoked in PrivRl
kEpidSigRevokedInSigRl: Signature revoked in SigRl
Note
If the result is not kEpidNoErr or one of the values listed above the verify should be considered to have failed.
See also
Epid11VerifierCreate
Intel(R) EPID 1.1 support

◆ Epid11VerifyBasicSig()

EpidStatus Epid11VerifyBasicSig ( Epid11VerifierCtx const *  ctx,
Epid11BasicSignature const *  sig,
void const *  msg,
size_t  msg_len 
)

Verifies an Intel(R) EPID 1.1 member signature without revocation checks.

Used in constrained environments where, due to limited memory, it may not be possible to process through a large and potentially unbounded revocation list.

Parameters
[in] ctx: The verifier context.
[in] sig: The basic signature.
[in] msg: The message that was signed.
[in] msg_len: The size of msg in bytes.
Returns
EpidStatus
Note
This function should be used in conjunction with Epid11NrVerify() and Epid11CheckPrivRlEntry().
If the result is not kEpidNoErr the verify should be considered to have failed.
See also
Epid11VerifierCreate
Intel(R) EPID 1.1 support
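
The notes on Epid11VerifyBasicSig(), Epid11CheckPrivRlEntry() and Epid11NrVerify() say the three calls are meant to be used together. The following is an added example, not code from the SDK, showing that control flow with a fail-closed result. SplitVerifier, SplitVerify, RunDemo, the Demo* callbacks and the reject codes are hypothetical names; the callbacks stand in for the SDK calls so the block builds without the SDK headers, and the flow assumes one non-revoked proof per SigRL entry.

```c
#include <stddef.h>

/* Hypothetical adapter, not an SDK type: each callback wraps one SDK call
 * for a fixed ctx/sig/msg and returns 0 where the SDK returns kEpidNoErr. */
typedef struct {
  int (*verify_basic)(void *st);         /* wraps Epid11VerifyBasicSig   */
  int (*check_priv)(void *st, size_t i); /* wraps Epid11CheckPrivRlEntry */
  int (*nr_verify)(void *st, size_t i);  /* wraps Epid11NrVerify         */
  void *st;
} SplitVerifier;

enum { kAccept = 0, kRejectBasic, kRejectProofCount, kRejectPrivRl, kRejectSigRl };

/* Streams revocation entries one at a time; any nonzero status rejects. */
int SplitVerify(const SplitVerifier *v, size_t n_priv, size_t n_sigrl,
                size_t n_proofs) {
  size_t i;
  /* Basic signature first: the per-entry calls are undefined without it. */
  if (v->verify_basic(v->st) != 0) return kRejectBasic;
  /* Assumption: the signature carries one proof per SigRL entry. */
  if (n_proofs != n_sigrl) return kRejectProofCount;
  for (i = 0; i < n_priv; i++)   /* one PrivRL entry per call */
    if (v->check_priv(v->st, i) != 0) return kRejectPrivRl;
  for (i = 0; i < n_sigrl; i++)  /* SigRL entry i is checked with proof i */
    if (v->nr_verify(v->st, i) != 0) return kRejectSigRl;
  return kAccept;
}

/* Constructed demo state standing in for real signatures and lists. */
typedef struct { int basic_ok; size_t bad_priv; size_t bad_sigrl; } Demo;
static int DemoBasic(void *s) { return ((Demo *)s)->basic_ok ? 0 : 1; }
static int DemoPriv(void *s, size_t i) { return i == ((Demo *)s)->bad_priv; }
static int DemoNr(void *s, size_t i) { return i == ((Demo *)s)->bad_sigrl; }

/* Runs the flow over constructed lists: 3 PrivRL and 2 SigRL entries. */
int RunDemo(int basic_ok, size_t bad_priv, size_t bad_sigrl, size_t n_proofs) {
  Demo d;
  SplitVerifier v = { DemoBasic, DemoPriv, DemoNr, NULL };
  d.basic_ok = basic_ok; d.bad_priv = bad_priv; d.bad_sigrl = bad_sigrl;
  v.st = &d;
  return SplitVerify(&v, 3, 2, n_proofs);
}
```

In a real build each callback would call the corresponding Epid11 function with the verifier context, the basic signature and the current list entry, so only one entry needs to be in memory at a time.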