1 /*############################################################################
2 # Copyright 2016-2017 Intel Corporation
3 #
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
7 #
8 # http://www.apache.org/licenses/LICENSE-2.0
9 #
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
15 ############################################################################*/
16
17 /*!
18 * \file
19 * \brief Epid11Verify implementation.
20 */
21
22 #include <string.h>
23 #include "epid/common/src/endian_convert.h"
24 #include "epid/verifier/1.1/api.h"
25 #include "epid/verifier/1.1/src/context.h"
26
Epid11GetSignatureRlCount(Epid11Signature const * sig)27 static size_t Epid11GetSignatureRlCount(Epid11Signature const* sig) {
28 return (!sig) ? 0 : ntohl(sig->n2);
29 }
30
Epid11GetGroupRlCount(Epid11GroupRl const * rl)31 static size_t Epid11GetGroupRlCount(Epid11GroupRl const* rl) {
32 return (!rl) ? 0 : ntohl(rl->n3);
33 }
34
Epid11GetSigRlCount(Epid11SigRl const * rl)35 static size_t Epid11GetSigRlCount(Epid11SigRl const* rl) {
36 return (!rl) ? 0 : ntohl(rl->n2);
37 }
38
Epid11GetPrivRlCount(Epid11PrivRl const * rl)39 static size_t Epid11GetPrivRlCount(Epid11PrivRl const* rl) {
40 return (!rl) ? 0 : ntohl(rl->n1);
41 }
42
43 /// Check PrivRL status of a signature for one PrivRl entry
44 /*!
45 computes t5 =G3.exp(B, f[i]) and verifies that G3.isEqual(t5, K) = false.
46
47 \param[in] ctx
48 The verifier context.
49 \param[in] sig
50 The basic signature.
51 \param[in] f_str
52 priv_rl entry to check.
53
54 \returns ::EpidStatus
55
56 \retval ::kEpidNoErr
57 Signature was not revoked
58 \retval ::kEpidSigRevokedInPrivRl
59 Signature revoked in PrivRl
60 */
Epid11PrVerify(Epid11VerifierCtx const * ctx,Epid11BasicSignature const * sig,BigNumStr * f_str)61 EpidStatus Epid11PrVerify(Epid11VerifierCtx const* ctx,
62 Epid11BasicSignature const* sig, BigNumStr* f_str) {
63 EpidStatus sts = kEpidErr;
64 EcPoint* B = NULL;
65 EcPoint* K = NULL;
66 EcPoint* t5 = NULL;
67 FfElement* f = NULL;
68 EcGroup* G3 = ctx->epid11_params->G3;
69 FiniteField* Fp = ctx->epid11_params->Fp;
70 bool eq = false;
71 do {
72 sts = NewFfElement(Fp, &f);
73 if (kEpidNoErr != sts) {
74 sts = kEpidMathErr;
75 break;
76 }
77 sts = NewEcPoint(G3, &B);
78 if (kEpidNoErr != sts) {
79 sts = kEpidMathErr;
80 break;
81 }
82 sts = NewEcPoint(G3, &K);
83 if (kEpidNoErr != sts) {
84 sts = kEpidMathErr;
85 break;
86 }
87 sts = NewEcPoint(G3, &t5);
88 if (kEpidNoErr != sts) {
89 sts = kEpidMathErr;
90 break;
91 }
92 // ReadFfElement checks that the value f_str is in the field
93 sts = ReadFfElement(Fp, f_str, sizeof(BigNumStr), f);
94 if (kEpidNoErr != sts) {
95 sts = kEpidMathErr;
96 break;
97 }
98 sts = ReadEcPoint(G3, &sig->B, sizeof(sig->B), B);
99 if (kEpidNoErr != sts) {
100 sts = kEpidMathErr;
101 break;
102 }
103 sts = ReadEcPoint(G3, &sig->K, sizeof(sig->K), K);
104 if (kEpidNoErr != sts) {
105 sts = kEpidMathErr;
106 break;
107 }
108 sts = EcExp(G3, B, f_str, t5);
109 if (kEpidNoErr != sts) {
110 sts = kEpidMathErr;
111 break;
112 }
113 sts = EcIsEqual(G3, t5, K, &eq);
114 if (kEpidNoErr != sts) {
115 sts = kEpidMathErr;
116 break;
117 }
118 if (eq) {
119 sts = kEpidSigRevokedInPrivRl;
120 } else {
121 sts = kEpidNoErr;
122 }
123 } while (0);
124 DeleteFfElement(&f);
125 DeleteEcPoint(&t5);
126 DeleteEcPoint(&K);
127 DeleteEcPoint(&B);
128 return sts;
129 }
130
Epid11Verify(Epid11VerifierCtx const * ctx,Epid11Signature const * sig,size_t sig_len,void const * msg,size_t msg_len)131 EpidStatus Epid11Verify(Epid11VerifierCtx const* ctx,
132 Epid11Signature const* sig, size_t sig_len,
133 void const* msg, size_t msg_len) {
134 // Step 1. Setup
135 size_t const sig_header_len =
136 (sizeof(Epid11Signature) - sizeof(Epid11NrProof));
137 EpidStatus sts = kEpidErr;
138 size_t rl_count = 0;
139 size_t i;
140 if (!sig || !ctx || !ctx->epid11_params || !ctx->pub_key) {
141 return kEpidBadArgErr;
142 }
143 if (!msg && (0 != msg_len)) {
144 // if message is non-empty it must have both length and content
145 return kEpidBadArgErr;
146 }
147 if (sig_len < sig_header_len) {
148 return kEpidBadArgErr;
149 }
150 rl_count = Epid11GetSignatureRlCount(sig);
151 if (rl_count > (SIZE_MAX - sig_header_len) / sizeof(sig->sigma[0]) ||
152 (rl_count * sizeof(sig->sigma[0])) + sig_header_len != sig_len) {
153 return kEpidBadArgErr;
154 }
155 // Check if signature has NrPoofs but SigRl is not set
156 if (0 < rl_count && !ctx->sig_rl) {
157 return kEpidBadArgErr;
158 }
159
160 // Step 3. The verifier verifies gid in the public key, PRIV-RL, and
161 // SIG-RL (if provided) and the verifier pre-computation blob all match.
162 if (ctx->priv_rl) {
163 if (0 != memcmp(&ctx->pub_key->gid, &ctx->priv_rl->gid,
164 sizeof(ctx->pub_key->gid))) {
165 return kEpidBadArgErr;
166 }
167 }
168
169 if (ctx->sig_rl) {
170 if (0 != memcmp(&ctx->pub_key->gid, &ctx->sig_rl->gid,
171 sizeof(ctx->pub_key->gid))) {
172 return kEpidBadArgErr;
173 }
174 }
175 // Verification of gid value in precomputation blob
176 // and public key is done in ReadPrecomp
177
178 // Step 4. The verifier verifies the signatures of PRIV-RL,
179 // SIG-RL (if provided), and Group-RL (if provided) using IVK.
180 // Data is already verified.
181
182 // Step 5. If GroupRL is provided as input,...
183 if (ctx->group_rl) {
184 // ...the verifier verifies that gid has not been revoked, i.e.,
185 // gid does not match any entry in Group-RL.
186 size_t grouprl_count = Epid11GetGroupRlCount(ctx->group_rl);
187 for (i = 0; i < grouprl_count; ++i) {
188 if (0 == memcmp(&ctx->pub_key->gid, &ctx->group_rl->gid[i],
189 sizeof(ctx->pub_key->gid))) {
190 return kEpidSigRevokedInGroupRl;
191 }
192 }
193 }
194
195 // Step 6. If SIG-RL is provided as input,...
196 if (ctx->sig_rl) {
197 size_t sigrl_count = Epid11GetSigRlCount(ctx->sig_rl);
198
199 // ...the verifier verifies that RLver and n2
200 // values in s match with the values in SIG-RL....
201 if (0 != memcmp(&ctx->sig_rl->version, &sig->rl_ver,
202 sizeof(ctx->sig_rl->version))) {
203 return kEpidErr;
204 }
205
206 if (sigrl_count != rl_count) {
207 return kEpidBadArgErr;
208 }
209 }
210
211 // Step 7-30. The verifier verifies the basic signature.
212 sts = Epid11VerifyBasicSig(ctx, &sig->sigma0, msg, msg_len);
213 if (sts != kEpidNoErr) {
214 return kEpidSigInvalid;
215 }
216
217 // Step 31. For i = 0, ..., n1-1, the verifier computes t5 =G3.exp(B, f[i])
218 // and verifies that G3.isEqual(t5, K) = false.
219 if (ctx->priv_rl) {
220 size_t privrl_count = Epid11GetPrivRlCount(ctx->priv_rl);
221 for (i = 0; i < privrl_count; ++i) {
222 sts = Epid11PrVerify(ctx, &sig->sigma0, (BigNumStr*)&ctx->priv_rl->f[i]);
223 if (sts != kEpidNoErr) {
224 return kEpidSigRevokedInPrivRl;
225 }
226 }
227 }
228
229 // Step 32. For i = 0, ..., n2-1, the verifier verifies nrVerify(B, K, B[i],
230 // K[i], Sigma[i]) = true. The details of nrVerify() will be given in the
231 // next subsection.
232 if (ctx->sig_rl) {
233 size_t sigrl_count = Epid11GetSigRlCount(ctx->sig_rl);
234
235 for (i = 0; i < sigrl_count; ++i) {
236 sts = Epid11NrVerify(ctx, &sig->sigma0, msg, msg_len, &ctx->sig_rl->bk[i],
237 &sig->sigma[i]);
238 if (sts != kEpidNoErr) {
239 return kEpidSigRevokedInSigRl;
240 }
241 }
242 }
243
244 // Step 33. If all the above verifications succeed, the verifier outputs true.
245 return kEpidSigValid;
246 }
247