1 /*############################################################################ 2 # Copyright 2016-2017 Intel Corporation 3 # 4 # Licensed under the Apache License, Version 2.0 (the "License"); 5 # you may not use this file except in compliance with the License. 6 # You may obtain a copy of the License at 7 # 8 # http://www.apache.org/licenses/LICENSE-2.0 9 # 10 # Unless required by applicable law or agreed to in writing, software 11 # distributed under the License is distributed on an "AS IS" BASIS, 12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 # See the License for the specific language governing permissions and 14 # limitations under the License. 15 ############################################################################*/ 16 17 /*! 18 * \file 19 * \brief Epid11Verify implementation. 20 */ 21 22 #include <string.h> 23 #include "epid/common/src/endian_convert.h" 24 #include "epid/verifier/1.1/api.h" 25 #include "epid/verifier/1.1/src/context.h" 26 27 static size_t Epid11GetSignatureRlCount(Epid11Signature const* sig) { 28 return (!sig) ? 0 : ntohl(sig->n2); 29 } 30 31 static size_t Epid11GetGroupRlCount(Epid11GroupRl const* rl) { 32 return (!rl) ? 0 : ntohl(rl->n3); 33 } 34 35 static size_t Epid11GetSigRlCount(Epid11SigRl const* rl) { 36 return (!rl) ? 0 : ntohl(rl->n2); 37 } 38 39 static size_t Epid11GetPrivRlCount(Epid11PrivRl const* rl) { 40 return (!rl) ? 0 : ntohl(rl->n1); 41 } 42 43 /// Check PrivRL status of a signature for one PrivRl entry 44 /*! 45 computes t5 =G3.exp(B, f[i]) and verifies that G3.isEqual(t5, K) = false. 46 47 \param[in] ctx 48 The verifier context. 49 \param[in] sig 50 The basic signature. 51 \param[in] f_str 52 priv_rl entry to check. 53 54 \returns ::EpidStatus 55 56 \retval ::kEpidNoErr 57 Signature was not revoked 58 \retval ::kEpidSigRevokedInPrivRl 59 Signature revoked in PrivRl 60 */ 61 EpidStatus Epid11PrVerify(Epid11VerifierCtx const* ctx, 62 Epid11BasicSignature const* sig, BigNumStr* f_str) { 63 EpidStatus sts = kEpidErr; 64 EcPoint* B = NULL; 65 EcPoint* K = NULL; 66 EcPoint* t5 = NULL; 67 FfElement* f = NULL; 68 EcGroup* G3 = ctx->epid11_params->G3; 69 FiniteField* Fp = ctx->epid11_params->Fp; 70 bool eq = false; 71 do { 72 sts = NewFfElement(Fp, &f); 73 if (kEpidNoErr != sts) { 74 sts = kEpidMathErr; 75 break; 76 } 77 sts = NewEcPoint(G3, &B); 78 if (kEpidNoErr != sts) { 79 sts = kEpidMathErr; 80 break; 81 } 82 sts = NewEcPoint(G3, &K); 83 if (kEpidNoErr != sts) { 84 sts = kEpidMathErr; 85 break; 86 } 87 sts = NewEcPoint(G3, &t5); 88 if (kEpidNoErr != sts) { 89 sts = kEpidMathErr; 90 break; 91 } 92 // ReadFfElement checks that the value f_str is in the field 93 sts = ReadFfElement(Fp, f_str, sizeof(BigNumStr), f); 94 if (kEpidNoErr != sts) { 95 sts = kEpidMathErr; 96 break; 97 } 98 sts = ReadEcPoint(G3, &sig->B, sizeof(sig->B), B); 99 if (kEpidNoErr != sts) { 100 sts = kEpidMathErr; 101 break; 102 } 103 sts = ReadEcPoint(G3, &sig->K, sizeof(sig->K), K); 104 if (kEpidNoErr != sts) { 105 sts = kEpidMathErr; 106 break; 107 } 108 sts = EcExp(G3, B, f_str, t5); 109 if (kEpidNoErr != sts) { 110 sts = kEpidMathErr; 111 break; 112 } 113 sts = EcIsEqual(G3, t5, K, &eq); 114 if (kEpidNoErr != sts) { 115 sts = kEpidMathErr; 116 break; 117 } 118 if (eq) { 119 sts = kEpidSigRevokedInPrivRl; 120 } else { 121 sts = kEpidNoErr; 122 } 123 } while (0); 124 DeleteFfElement(&f); 125 DeleteEcPoint(&t5); 126 DeleteEcPoint(&K); 127 DeleteEcPoint(&B); 128 return sts; 129 } 130 131 EpidStatus Epid11Verify(Epid11VerifierCtx const* ctx, 132 Epid11Signature const* sig, size_t sig_len, 133 void const* msg, size_t msg_len) { 134 // Step 1. Setup 135 size_t const sig_header_len = 136 (sizeof(Epid11Signature) - sizeof(Epid11NrProof)); 137 EpidStatus sts = kEpidErr; 138 size_t rl_count = 0; 139 size_t i; 140 if (!sig || !ctx || !ctx->epid11_params || !ctx->pub_key) { 141 return kEpidBadArgErr; 142 } 143 if (!msg && (0 != msg_len)) { 144 // if message is non-empty it must have both length and content 145 return kEpidBadArgErr; 146 } 147 if (sig_len < sig_header_len) { 148 return kEpidBadArgErr; 149 } 150 rl_count = Epid11GetSignatureRlCount(sig); 151 if (rl_count > (SIZE_MAX - sig_header_len) / sizeof(sig->sigma[0]) || 152 (rl_count * sizeof(sig->sigma[0])) + sig_header_len != sig_len) { 153 return kEpidBadArgErr; 154 } 155 // Check if signature has NrPoofs but SigRl is not set 156 if (0 < rl_count && !ctx->sig_rl) { 157 return kEpidBadArgErr; 158 } 159 160 // Step 3. The verifier verifies gid in the public key, PRIV-RL, and 161 // SIG-RL (if provided) and the verifier pre-computation blob all match. 162 if (ctx->priv_rl) { 163 if (0 != memcmp(&ctx->pub_key->gid, &ctx->priv_rl->gid, 164 sizeof(ctx->pub_key->gid))) { 165 return kEpidBadArgErr; 166 } 167 } 168 169 if (ctx->sig_rl) { 170 if (0 != memcmp(&ctx->pub_key->gid, &ctx->sig_rl->gid, 171 sizeof(ctx->pub_key->gid))) { 172 return kEpidBadArgErr; 173 } 174 } 175 // Verification of gid value in precomputation blob 176 // and public key is done in ReadPrecomp 177 178 // Step 4. The verifier verifies the signatures of PRIV-RL, 179 // SIG-RL (if provided), and Group-RL (if provided) using IVK. 180 // Data is already verified. 181 182 // Step 5. If GroupRL is provided as input,... 183 if (ctx->group_rl) { 184 // ...the verifier verifies that gid has not been revoked, i.e., 185 // gid does not match any entry in Group-RL. 186 size_t grouprl_count = Epid11GetGroupRlCount(ctx->group_rl); 187 for (i = 0; i < grouprl_count; ++i) { 188 if (0 == memcmp(&ctx->pub_key->gid, &ctx->group_rl->gid[i], 189 sizeof(ctx->pub_key->gid))) { 190 return kEpidSigRevokedInGroupRl; 191 } 192 } 193 } 194 195 // Step 6. If SIG-RL is provided as input,... 196 if (ctx->sig_rl) { 197 size_t sigrl_count = Epid11GetSigRlCount(ctx->sig_rl); 198 199 // ...the verifier verifies that RLver and n2 200 // values in s match with the values in SIG-RL.... 201 if (0 != memcmp(&ctx->sig_rl->version, &sig->rl_ver, 202 sizeof(ctx->sig_rl->version))) { 203 return kEpidErr; 204 } 205 206 if (sigrl_count != rl_count) { 207 return kEpidBadArgErr; 208 } 209 } 210 211 // Step 7-30. The verifier verifies the basic signature. 212 sts = Epid11VerifyBasicSig(ctx, &sig->sigma0, msg, msg_len); 213 if (sts != kEpidNoErr) { 214 return kEpidSigInvalid; 215 } 216 217 // Step 31. For i = 0, ..., n1-1, the verifier computes t5 =G3.exp(B, f[i]) 218 // and verifies that G3.isEqual(t5, K) = false. 219 if (ctx->priv_rl) { 220 size_t privrl_count = Epid11GetPrivRlCount(ctx->priv_rl); 221 for (i = 0; i < privrl_count; ++i) { 222 sts = Epid11PrVerify(ctx, &sig->sigma0, (BigNumStr*)&ctx->priv_rl->f[i]); 223 if (sts != kEpidNoErr) { 224 return kEpidSigRevokedInPrivRl; 225 } 226 } 227 } 228 229 // Step 32. For i = 0, ..., n2-1, the verifier verifies nrVerify(B, K, B[i], 230 // K[i], Sigma[i]) = true. The details of nrVerify() will be given in the 231 // next subsection. 232 if (ctx->sig_rl) { 233 size_t sigrl_count = Epid11GetSigRlCount(ctx->sig_rl); 234 235 for (i = 0; i < sigrl_count; ++i) { 236 sts = Epid11NrVerify(ctx, &sig->sigma0, msg, msg_len, &ctx->sig_rl->bk[i], 237 &sig->sigma[i]); 238 if (sts != kEpidNoErr) { 239 return kEpidSigRevokedInSigRl; 240 } 241 } 242 } 243 244 // Step 33. If all the above verifications succeed, the verifier outputs true. 245 return kEpidSigValid; 246 } 247