1 /*############################################################################ 2 # Copyright 2016-2017 Intel Corporation 3 # 4 # Licensed under the Apache License, Version 2.0 (the "License"); 5 # you may not use this file except in compliance with the License. 6 # You may obtain a copy of the License at 7 # 8 # http://www.apache.org/licenses/LICENSE-2.0 9 # 10 # Unless required by applicable law or agreed to in writing, software 11 # distributed under the License is distributed on an "AS IS" BASIS, 12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 # See the License for the specific language governing permissions and 14 # limitations under the License. 15 ############################################################################*/ 16 17 /*! 18 * \file 19 * \brief Epid11Verify unit tests. 20 */ 21 22 #include "epid/common-testhelper/epid_gtest-testhelper.h" 23 #include "gtest/gtest.h" 24 25 extern "C" { 26 #include "epid/common/src/endian_convert.h" 27 #include "epid/verifier/1.1/api.h" 28 } 29 30 #include "epid/common-testhelper/1.1/verifier_wrapper-testhelper.h" 31 #include "epid/common-testhelper/errors-testhelper.h" 32 #include "epid/verifier/1.1/unittests/verifier-testhelper.h" 33 34 namespace { 35 36 TEST_F(Epid11VerifierTest, VerifyFailsGivenNullParameters) { 37 Epid11VerifierCtxObj verifier(this->kPubKeyStr); 38 auto sig = this->kSigGrpXMember0Sha256RandbaseMsg0; 39 auto msg = this->kMsg0; 40 41 EXPECT_EQ(kEpidBadArgErr, 42 Epid11Verify(nullptr, (Epid11Signature const*)sig.data(), 43 sig.size(), msg.data(), msg.size())); 44 EXPECT_EQ(kEpidBadArgErr, Epid11Verify(verifier, nullptr, sig.size(), 45 msg.data(), msg.size())); 46 EXPECT_EQ(kEpidBadArgErr, 47 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 48 sig.size(), nullptr, msg.size())); 49 } 50 51 TEST_F(Epid11VerifierTest, VerifyFailsGivenTooShortSigLen) { 52 Epid11VerifierCtxObj verifier(this->kPubKeyStr); 53 auto sig = this->kSigGrpXMember0Sha256RandbaseMsg0; 54 auto msg = this->kMsg0; 55 56 EXPECT_EQ(kEpidBadArgErr, 57 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 0, 58 msg.data(), msg.size())); 59 EXPECT_EQ(kEpidBadArgErr, 60 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 61 sizeof(Epid11Signature) - sizeof(Epid11NrProof) - 1, 62 msg.data(), msg.size())); 63 } 64 65 TEST_F(Epid11VerifierTest, VerifyFailsGivenSigLenTooShortForRlCount) { 66 Epid11VerifierCtxObj verifier(this->kPubKeyStr); 67 Epid11VerifierSetSigRl(verifier, (Epid11SigRl const*)this->kSigRl.data(), 68 this->kSigRl.size()); 69 auto sig = this->kSigGrpXMember0Sha256RandbaseMsg0; 70 auto n2 = ntohl(((Epid11SigRl const*)this->kSigRl.data())->n2.data); 71 sig.resize(sizeof(Epid11Signature) + 72 (n2 - 2) * sizeof(((Epid11Signature*)0)->sigma)); 73 auto msg = this->kMsg0; 74 75 EXPECT_EQ(kEpidBadArgErr, 76 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 77 sig.size(), msg.data(), msg.size())); 78 } 79 80 TEST_F(Epid11VerifierTest, VerifyFailsGivenSigLenTooLongForRlCount) { 81 Epid11VerifierCtxObj verifier(this->kPubKeyStr); 82 Epid11VerifierSetSigRl(verifier, (Epid11SigRl const*)this->kSigRl.data(), 83 this->kSigRl.size()); 84 auto sig = this->kSigGrpXMember0Sha256RandbaseMsg0; 85 auto n2 = ntohl(((Epid11SigRl const*)this->kSigRl.data())->n2.data); 86 sig.resize(sizeof(Epid11Signature) + 87 n2 * sizeof(((Epid11Signature*)0)->sigma)); 88 auto msg = this->kMsg0; 89 90 EXPECT_EQ(kEpidBadArgErr, 91 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 92 sig.size(), msg.data(), msg.size())); 93 } 94 95 #if (SIZE_MAX <= 0xFFFFFFFF) // When size_t value is 32 bit or lower 96 TEST_F(Epid11VerifierTest, VerifyFailsGivenRlCountTooBig) { 97 Epid11VerifierCtxObj verifier(this->kPubKeyStr); 98 Epid11VerifierSetSigRl(verifier, (Epid11SigRl const*)this->kSigRl.data(), 99 this->kSigRl.size()); 100 auto sig = this->kSigGrpXMember0Sha256RandbaseMsg0; 101 uint32_t n2 = SIZE_MAX / sizeof(Epid11NrProof) + 1; 102 uint32_t n2_ = ntohl(n2); 103 Epid11Signature* sig_struct = (Epid11Signature*)sig.data(); 104 sig_struct->n2 = *(OctStr32*)&n2_; 105 sig.resize(sizeof(Epid11Signature) + (n2 - 1) * sizeof(Epid11NrProof)); 106 auto msg = this->kMsg0; 107 108 EXPECT_EQ(kEpidBadArgErr, 109 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 110 sig.size(), msg.data(), msg.size())); 111 } 112 #endif 113 114 ///////////////////////////////////////////////////////////////////// 115 // 116 // 4.1.2 step 1 - We use the following variables T1, T2, R1, R2, 117 // t1, t2 (elements of G1), R4, t3 (elements of GT), 118 // B, K, R3, t5 (elements of G3), c, sx, sy, sa, sb, 119 // salpha, sbeta, nc, nc', nsx, syalpha, 120 // t4 (256-bit big integers), nd (80-bit big integer), 121 // and sf (600-bit big integer). 122 // This Step is not testable 123 124 ///////////////////////////////////////////////////////////////////// 125 // 126 // 4.1.2 step 2 - The verifier reads the verifier pre-computation 127 // blob (gid, e12, e22, e2w) from its storage. 128 // Refer to Section 3.4 for the computation of 129 // these values. 130 // This Step is not testable 131 132 ///////////////////////////////////////////////////////////////////// 133 // 134 // 4.1.2 step 3 - The verifier verifies gid in the public key, 135 // PRIV-RL, and SIG-RL (if provided) and the verifier 136 // pre-computation blob all match. 137 // This step tested with SetPrivRl, SetSigRl and ReadPrecomp functions tests 138 ///////////////////////////////////////////////////////////////////// 139 // 140 // 4.1.2 step 4 - The verifier verifies the signatures of PRIV-RL, 141 // SIG-RL (if provided), and Group-RL (if provided) 142 // using IVK. 143 // This Step is not testable 144 145 ///////////////////////////////////////////////////////////////////// 146 // 147 // 4.1.2 step 5 - If Group-RL is provided as input, the verifier 148 // verifies that gid has not been revoked, i.e., 149 // gid does not match any entry in Group-RL. 150 151 TEST_F(Epid11VerifierTest, VerifyRejectsFromGroupRlSingleEntry) { 152 auto& pub_key = this->kPubKeyStr; 153 auto& msg = this->kMsg0; 154 auto& bsn = this->kBsn0; 155 auto& grp_rl = this->kGrpRlRevokedGrpXSingleEntry; 156 auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0; 157 158 Epid11VerifierCtxObj verifier(pub_key); 159 THROW_ON_EPIDERR(Epid11VerifierSetGroupRl( 160 verifier, (Epid11GroupRl const*)grp_rl.data(), grp_rl.size())); 161 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size())); 162 EXPECT_EQ(kEpidSigRevokedInGroupRl, 163 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 164 sig.size(), msg.data(), msg.size())); 165 } 166 167 TEST_F(Epid11VerifierTest, VerifyRejectsFromGroupRlFirstEntry) { 168 auto& pub_key = this->kPubKeyStr; 169 auto& msg = this->kMsg0; 170 auto& bsn = this->kBsn0; 171 auto& grp_rl = this->kGrpRlRevokedGrpXFirstEntry; 172 auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0; 173 174 Epid11VerifierCtxObj verifier(pub_key); 175 THROW_ON_EPIDERR(Epid11VerifierSetGroupRl( 176 verifier, (Epid11GroupRl const*)grp_rl.data(), grp_rl.size())); 177 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size())); 178 EXPECT_EQ(kEpidSigRevokedInGroupRl, 179 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 180 sig.size(), msg.data(), msg.size())); 181 } 182 183 TEST_F(Epid11VerifierTest, VerifyRejectsFromGroupRlMiddleEntry) { 184 auto& pub_key = this->kPubKeyStr; 185 auto& msg = this->kMsg0; 186 auto& bsn = this->kBsn0; 187 auto& grp_rl = this->kGrpRlRevokedGrpXMiddleEntry; 188 auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0; 189 190 Epid11VerifierCtxObj verifier(pub_key); 191 THROW_ON_EPIDERR(Epid11VerifierSetGroupRl( 192 verifier, (Epid11GroupRl const*)grp_rl.data(), grp_rl.size())); 193 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size())); 194 EXPECT_EQ(kEpidSigRevokedInGroupRl, 195 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 196 sig.size(), msg.data(), msg.size())); 197 } 198 199 TEST_F(Epid11VerifierTest, VerifyRejectsFromGroupRlLastEntry) { 200 auto& pub_key = this->kPubKeyStr; 201 auto& msg = this->kMsg0; 202 auto& bsn = this->kBsn0; 203 auto& grp_rl = this->kGrpRlRevokedGrpXLastEntry; 204 auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0; 205 206 Epid11VerifierCtxObj verifier(pub_key); 207 THROW_ON_EPIDERR(Epid11VerifierSetGroupRl( 208 verifier, (Epid11GroupRl const*)grp_rl.data(), grp_rl.size())); 209 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size())); 210 EXPECT_EQ(kEpidSigRevokedInGroupRl, 211 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 212 sig.size(), msg.data(), msg.size())); 213 } 214 215 ///////////////////////////////////////////////////////////////////// 216 // 217 // 4.1.2 step 6 - If SIG-RL is provided as input, the verifier 218 // verifies that RLver and n2 values in s match with 219 // the values in SIG-RL. If SIG-RL is not provided 220 // as input, but the input signature is a not basic 221 // signature, the verifier aborts and outputs false. 222 223 TEST_F(Epid11VerifierTest, VerifyFailsOnSigRlverNotMatchSigRlRlver) { 224 // The verifier verifies that RLver in Sigma and in SigRL 225 // match. If mismatch, abort and output "operation failed". 226 Epid11VerifierCtxObj verifier(this->kPubKeyStr); 227 auto msg = this->kMsg0; 228 auto bsn = this->kBsn0; 229 auto sig_rl = this->kGrpXSigRlMember0Bsn0Msg0SingleEntry; 230 auto sig_rl_size = sig_rl.size(); 231 auto sig = this->kSigGrpXMember0Sha256Bsn0Msg0; 232 Epid11SigRl sig_rl_wrong_ver = *(Epid11SigRl const*)sig_rl.data(); 233 sig_rl_wrong_ver.version.data[0]++; 234 THROW_ON_EPIDERR( 235 Epid11VerifierSetSigRl(verifier, &sig_rl_wrong_ver, sig_rl_size)); 236 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size())); 237 EXPECT_EQ(kEpidErr, Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 238 sig.size(), msg.data(), msg.size())); 239 } 240 241 TEST_F(Epid11VerifierTest, VerifyFailsOnSigN2NotMatchSigRlN2) { 242 // The verifier verifies that n2 in Sigma and in SigRL 243 // match. If mismatch, abort and output "operation failed". 244 Epid11VerifierCtxObj verifier(this->kPubKeyStr); 245 auto msg = this->kMsg0; 246 auto bsn = this->kBsn0; 247 auto* sig_rl = 248 (Epid11SigRl const*)this->kGrpXSigRlMember0Bsn0Msg0MiddleEntry.data(); 249 size_t sig_rl_size = this->kGrpXSigRlMember0Bsn0Msg0MiddleEntry.size(); 250 auto sig_raw = this->kSigGrpXMember0Sha256Bsn0Msg0SingleEntry; 251 Epid11Signature* sig = (Epid11Signature*)sig_raw.data(); 252 sig->rl_ver = sig_rl->version; 253 THROW_ON_EPIDERR(Epid11VerifierSetSigRl(verifier, sig_rl, sig_rl_size)); 254 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size())); 255 EXPECT_EQ(kEpidBadArgErr, Epid11Verify(verifier, sig, sig_raw.size(), 256 msg.data(), msg.size())); 257 } 258 259 TEST_F(Epid11VerifierTest, VerifyFailsSigIsNotBasicAndSigRlIsNotProvided) { 260 Epid11VerifierCtxObj verifier(this->kPubKeyStr); 261 auto msg = this->kMsg0; 262 auto bsn = this->kBsn0; 263 auto sig = this->kSigGrpXMember0Sha256Bsn0Msg0ThreeEntry; 264 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size())); 265 EXPECT_EQ(kEpidBadArgErr, 266 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 267 sig.size(), msg.data(), msg.size())); 268 } 269 270 ///////////////////////////////////////////////////////////////////// 271 // 272 // 4.1.2 step 7 - The verifier verifies that G3.isIdentity(B) is false. 273 // 274 TEST_F(Epid11VerifierTest, VerifyRejectsIdentityB) { 275 auto& pub_key = this->kPubKeyStr; 276 Epid11Signature sig = {0}; 277 sig.sigma0 = 278 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256Bsn0Msg0.data()); 279 size_t sig_len = this->kSigGrpXMember0Sha256Bsn0Msg0.size(); 280 auto& msg = this->kMsg0; 281 auto& bsn = this->kBsn0; 282 memset(&sig.sigma0.B, 0, sizeof(sig.sigma0.B)); 283 284 Epid11VerifierCtxObj verifier(pub_key); 285 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size())); 286 EXPECT_EQ(kEpidSigInvalid, 287 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size())); 288 } 289 290 ///////////////////////////////////////////////////////////////////// 291 // 292 // 4.1.2 step 8 - If bsnSize = 0, the verifier verifies G3.inGroup(B) = true. 293 // 294 TEST_F(Epid11VerifierTest, VerifyRejectsBNotInG3) { 295 auto& pub_key = this->kPubKeyStr; 296 Epid11Signature sig = {0}; 297 sig.sigma0 = 298 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data()); 299 size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size(); 300 auto& msg = this->kMsg0; 301 sig.sigma0.B.x.data.data[0] = 0xEE; 302 303 Epid11VerifierCtxObj verifier(pub_key); 304 EXPECT_EQ(kEpidSigInvalid, 305 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size())); 306 } 307 308 ///////////////////////////////////////////////////////////////////// 309 // 310 // 4.1.2 step 9 - If bsnSize > 0, the verifier verifies B = G3.hash(bsn). 311 // 312 TEST_F(Epid11VerifierTest, VerifyRejectsBNotMatchingBasename) { 313 auto& pub_key = this->kPubKeyStr; 314 Epid11Signature sig = {0}; 315 sig.sigma0 = 316 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256Bsn0Msg0.data()); 317 size_t sig_len = this->kSigGrpXMember0Sha256Bsn0Msg0.size(); 318 auto msg = this->kMsg0; 319 auto bsn = this->kBsn0; 320 bsn.push_back('x'); 321 322 Epid11VerifierCtxObj verifier(pub_key); 323 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size())); 324 EXPECT_EQ(kEpidSigInvalid, 325 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size())); 326 } 327 328 ///////////////////////////////////////////////////////////////////// 329 // 330 // 4.1.2 step 10 - The verifier verifies G3.inGroup(K) = true. 331 // 332 TEST_F(Epid11VerifierTest, VerifyRejectsKNotInG3) { 333 auto& pub_key = this->kPubKeyStr; 334 Epid11Signature sig = {0}; 335 sig.sigma0 = 336 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data()); 337 size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size(); 338 auto& msg = this->kMsg0; 339 sig.sigma0.K.x.data.data[0] = 0xEE; 340 341 Epid11VerifierCtxObj verifier(pub_key); 342 EXPECT_EQ(kEpidSigInvalid, 343 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size())); 344 } 345 346 ///////////////////////////////////////////////////////////////////// 347 // 348 // 4.1.2 step 11 - The verifier verifies G1.inGroup(T1) = true. 349 // 350 TEST_F(Epid11VerifierTest, VerifyRejectsT1NotInG1) { 351 auto& pub_key = this->kPubKeyStr; 352 Epid11Signature sig = {0}; 353 sig.sigma0 = 354 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data()); 355 size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size(); 356 auto& msg = this->kMsg0; 357 sig.sigma0.T1.x.data.data[0] = 0xEE; 358 359 Epid11VerifierCtxObj verifier(pub_key); 360 EXPECT_EQ(kEpidSigInvalid, 361 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size())); 362 } 363 364 ///////////////////////////////////////////////////////////////////// 365 // 366 // 4.1.2 step 12 - The verifier verifies G1.inGroup(T2) = true. 367 // 368 TEST_F(Epid11VerifierTest, VerifyRejectsT2NotInG1) { 369 auto& pub_key = this->kPubKeyStr; 370 Epid11Signature sig = {0}; 371 sig.sigma0 = 372 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data()); 373 size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size(); 374 auto& msg = this->kMsg0; 375 sig.sigma0.T2.x.data.data[0] = 0xEE; 376 377 Epid11VerifierCtxObj verifier(pub_key); 378 EXPECT_EQ(kEpidSigInvalid, 379 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size())); 380 } 381 382 ///////////////////////////////////////////////////////////////////// 383 // 384 // 4.1.2 step 13 - The verifier verifies sx, sy, sa, sb, salpha, sbeta 385 // in [0, p-1]. 386 // 387 TEST_F(Epid11VerifierTest, VerifyRejectsSxNotInFp) { 388 auto& pub_key = this->kPubKeyStr; 389 Epid11Signature sig = {0}; 390 sig.sigma0 = 391 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data()); 392 size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size(); 393 auto& msg = this->kMsg0; 394 sig.sigma0.sx.data.data[0] = 0xEE; 395 396 Epid11VerifierCtxObj verifier(pub_key); 397 EXPECT_EQ(kEpidSigInvalid, 398 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size())); 399 } 400 401 TEST_F(Epid11VerifierTest, VerifyRejectsSyNotInFp) { 402 auto& pub_key = this->kPubKeyStr; 403 Epid11Signature sig = {0}; 404 sig.sigma0 = 405 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data()); 406 size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size(); 407 auto& msg = this->kMsg0; 408 sig.sigma0.sy.data.data[0] = 0xEE; 409 410 Epid11VerifierCtxObj verifier(pub_key); 411 EXPECT_EQ(kEpidSigInvalid, 412 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size())); 413 } 414 415 TEST_F(Epid11VerifierTest, VerifyRejectsSaNotInFp) { 416 auto& pub_key = this->kPubKeyStr; 417 Epid11Signature sig = {0}; 418 sig.sigma0 = 419 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data()); 420 size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size(); 421 auto& msg = this->kMsg0; 422 sig.sigma0.sa.data.data[0] = 0xEE; 423 424 Epid11VerifierCtxObj verifier(pub_key); 425 EXPECT_EQ(kEpidSigInvalid, 426 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size())); 427 } 428 429 TEST_F(Epid11VerifierTest, VerifyRejectsSbNotInFp) { 430 auto& pub_key = this->kPubKeyStr; 431 Epid11Signature sig = {0}; 432 sig.sigma0 = 433 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data()); 434 size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size(); 435 auto& msg = this->kMsg0; 436 sig.sigma0.sb.data.data[0] = 0xEE; 437 438 Epid11VerifierCtxObj verifier(pub_key); 439 EXPECT_EQ(kEpidSigInvalid, 440 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size())); 441 } 442 443 TEST_F(Epid11VerifierTest, VerifyRejectsSalphaNotInFp) { 444 auto& pub_key = this->kPubKeyStr; 445 Epid11Signature sig = {0}; 446 sig.sigma0 = 447 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data()); 448 size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size(); 449 auto& msg = this->kMsg0; 450 sig.sigma0.salpha.data.data[0] = 0xEE; 451 452 Epid11VerifierCtxObj verifier(pub_key); 453 EXPECT_EQ(kEpidSigInvalid, 454 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size())); 455 } 456 457 TEST_F(Epid11VerifierTest, VerifyRejectsSbetaNotInFp) { 458 auto& pub_key = this->kPubKeyStr; 459 Epid11Signature sig = {0}; 460 sig.sigma0 = 461 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data()); 462 size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size(); 463 auto& msg = this->kMsg0; 464 sig.sigma0.sbeta.data.data[0] = 0xEE; 465 466 Epid11VerifierCtxObj verifier(pub_key); 467 EXPECT_EQ(kEpidSigInvalid, 468 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size())); 469 } 470 471 ///////////////////////////////////////////////////////////////////// 472 // 473 // 4.1.2 step 14 - The verifier verifies that sf is an (at-most) 593-bit 474 // unsigned integer, in other words, sf < 2^593. 475 // 476 TEST_F(Epid11VerifierTest, VerifyRejectsSfMoreThan592Bits) { 477 auto& pub_key = this->kPubKeyStr; 478 Epid11Signature sig = {0}; 479 sig.sigma0 = 480 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data()); 481 size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size(); 482 auto& msg = this->kMsg0; 483 memset(&sig.sigma0.sf, 0, sizeof(sig.sigma0.sf)); 484 sig.sigma0.sf.data[593 / CHAR_BIT] = 1 << ((593 % CHAR_BIT) - 1); 485 486 Epid11VerifierCtxObj verifier(pub_key); 487 EXPECT_EQ(kEpidSigInvalid, 488 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size())); 489 } 490 491 ///////////////////////////////////////////////////////////////////// 492 // 493 // 4.1.2 step 15 - The verifier computes nc = (-c) mod p. 494 // 4.1.2 step 16 - The verifier computes nc' = (-c) mod p'. 495 // 4.1.2 step 17 - The verifier computes nsx = (-sx) mod p. 496 // 4.1.2 step 18 - The verifier computes syalpha = (sy + salpha) mod p. 497 // 4.1.2 step 19 - The verifier computes R1 = G1.multiexp(h1, sa, h2, sb, T2, 498 // nc). 499 // 4.1.2 step 20 - The verifier computes R2 = G1.multiexp(h1, salpha, h2, 500 // sbeta, T2, nsx). 501 // 4.1.2 step 21 - The verifier computes R3 = G3.multiexp(B, sf, K, nc'). 502 // 4.1.2 step 22 - The verifier computes t1 = G1.multiexp(T1, nsx, g1, c). 503 // 4.1.2 step 23 - The verifier computes t2 = G1.exp(T1, nc). 504 // 4.1.2 step 24 - The verifier computes R4 = pairing(t1, g2). 505 // 4.1.2 step 25 - The verifier computes t3 = pairing(t2, w). 506 // 4.1.2 step 26 - The verifier computes R4 = GT.mul(R4, t3). 507 // 4.1.2 step 27 - The verifier compute t3 = GT.multiexp(e12, sf, e22, 508 // syalpha, e2w, sa). 509 // 4.1.2 step 28 - The verifier compute R4 = GT.mul(R4, t3). 510 // 4.1.2 step 29 - The verifier compute t4 = Hash(p || g1 || g2 || g3 511 // || h1 || h2 || w || B || K 512 // || T1 || T2 || R1 || R2 513 // || R3 || R4). 514 // These steps are not testable 515 516 ///////////////////////////////////////////////////////////////////// 517 // 518 // 4.1.2 step 30 - The verifier verifies c = H(t4 || nd || mSize || m). 519 // It is not practical to test all inputs to this hash 520 TEST_F(Epid11VerifierTest, VerifyRejectsSigWithMismatchedMsg) { 521 auto& pub_key = this->kPubKeyStr; 522 auto& sig = this->kSigGrpXMember0Sha256RandbaseMsg0; 523 size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size(); 524 auto msg = this->kMsg0; 525 msg.push_back('x'); 526 527 Epid11VerifierCtxObj verifier(pub_key); 528 EXPECT_EQ(kEpidSigInvalid, 529 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), sig_len, 530 msg.data(), msg.size())); 531 } 532 533 ///////////////////////////////////////////////////////////////////// 534 // 535 // 4.1.2 step 31 - For i = 0, ..., n1-1, the verifier computes 536 // t5 = G3.exp(B, f[i]) and verifies that 537 // G3.isEqual(t5, K) = false. 538 // 539 TEST_F(Epid11VerifierTest, VerifyRejectsSigFromPrivRlSingleEntry) { 540 auto& pub_key = this->kPubKeyStr; 541 auto& msg = this->kMsg0; 542 auto& bsn = this->kBsn0; 543 auto& priv_rl = this->kGrpXPrivRlSingleEntry; 544 auto& sig = this->kSigGrpXRevokedPrivKey000Sha256Bsn0Msg0; 545 Epid11VerifierCtxObj verifier(pub_key); 546 THROW_ON_EPIDERR(Epid11VerifierSetPrivRl( 547 verifier, (Epid11PrivRl const*)priv_rl.data(), priv_rl.size())); 548 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size())); 549 EXPECT_EQ(kEpidSigRevokedInPrivRl, 550 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 551 sig.size(), msg.data(), msg.size())); 552 } 553 554 TEST_F(Epid11VerifierTest, VerifyRejectsSigFromPrivRlFirstEntry) { 555 auto& pub_key = this->kPubKeyStr; 556 auto& msg = this->kMsg0; 557 auto& bsn = this->kBsn0; 558 auto& priv_rl = this->kGrpXPrivRl; 559 auto& sig = this->kSigGrpXRevokedPrivKey000Sha256Bsn0Msg0; 560 Epid11VerifierCtxObj verifier(pub_key); 561 THROW_ON_EPIDERR(Epid11VerifierSetPrivRl( 562 verifier, (Epid11PrivRl const*)priv_rl.data(), priv_rl.size())); 563 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size())); 564 EXPECT_EQ(kEpidSigRevokedInPrivRl, 565 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 566 sig.size(), msg.data(), msg.size())); 567 } 568 569 TEST_F(Epid11VerifierTest, VerifyRejectsSigFromPrivRlMiddleEntry) { 570 auto& pub_key = this->kPubKeyStr; 571 auto& msg = this->kMsg0; 572 auto& bsn = this->kBsn0; 573 auto& priv_rl = this->kGrpXPrivRl; 574 auto& sig = this->kSigGrpXRevokedPrivKey001Sha256Bsn0Msg0; 575 Epid11VerifierCtxObj verifier(pub_key); 576 THROW_ON_EPIDERR(Epid11VerifierSetPrivRl( 577 verifier, (Epid11PrivRl const*)priv_rl.data(), priv_rl.size())); 578 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size())); 579 EXPECT_EQ(kEpidSigRevokedInPrivRl, 580 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 581 sig.size(), msg.data(), msg.size())); 582 } 583 584 TEST_F(Epid11VerifierTest, VerifyRejectsSigFromPrivRlLastEntry) { 585 auto& pub_key = this->kPubKeyStr; 586 auto& msg = this->kMsg0; 587 auto& bsn = this->kBsn0; 588 auto& priv_rl = this->kGrpXPrivRl; 589 auto& sig = this->kSigGrpXRevokedPrivKey002Sha256Bsn0Msg0; 590 Epid11VerifierCtxObj verifier(pub_key); 591 THROW_ON_EPIDERR(Epid11VerifierSetPrivRl( 592 verifier, (Epid11PrivRl const*)priv_rl.data(), priv_rl.size())); 593 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size())); 594 EXPECT_EQ(kEpidSigRevokedInPrivRl, 595 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 596 sig.size(), msg.data(), msg.size())); 597 } 598 599 TEST_F(Epid11VerifierTest, VerifyRejectsSigUsingCorruptedPrivRlEntry) { 600 auto& pub_key = this->kPubKeyStr; 601 auto& msg = this->kMsg0; 602 auto& bsn = this->kBsn0; 603 auto& priv_rl = this->kGrpXCorruptedPrivRl; 604 auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0; 605 Epid11VerifierCtxObj verifier(pub_key); 606 THROW_ON_EPIDERR(Epid11VerifierSetPrivRl( 607 verifier, (Epid11PrivRl const*)priv_rl.data(), priv_rl.size())); 608 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size())); 609 EXPECT_EQ(kEpidSigRevokedInPrivRl, 610 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 611 sig.size(), msg.data(), msg.size())); 612 } 613 614 ///////////////////////////////////////////////////////////////////// 615 // 616 // 4.1.2 step 32 - For i = 0, ..., n2-1, the verifier verifies 617 // nr-verify(B, K, B[i], K[i], s[i]) = true. 618 // The details of nr-verify will be given in the 619 // next subsection. 620 621 TEST_F(Epid11VerifierTest, VerifyRejectsSigFromSigRlSingleEntry) { 622 auto& msg = this->kMsg0; 623 auto& bsn = this->kBsn0; 624 auto& sig_rl = this->kGrpXSigRlMember0Bsn0Msg0SingleEntry; 625 auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0SingleEntry; 626 Epid11VerifierCtxObj verifier(this->kPubKeyStr); 627 THROW_ON_EPIDERR(Epid11VerifierSetSigRl( 628 verifier, (Epid11SigRl const*)sig_rl.data(), sig_rl.size())); 629 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size())); 630 EXPECT_EQ(kEpidSigRevokedInSigRl, 631 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 632 sig.size(), msg.data(), msg.size())); 633 } 634 635 TEST_F(Epid11VerifierTest, VerifyRejectsSigFromSigRlFirstEntry) { 636 auto& msg = this->kMsg0; 637 auto& bsn = this->kBsn0; 638 auto& sig_rl = this->kGrpXSigRlMember0Bsn0Msg0FirstEntry; 639 auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0ThreeEntry; 640 Epid11VerifierCtxObj verifier(this->kPubKeyStr); 641 THROW_ON_EPIDERR(Epid11VerifierSetSigRl( 642 verifier, (Epid11SigRl const*)sig_rl.data(), sig_rl.size())); 643 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size())); 644 EXPECT_EQ(kEpidSigRevokedInSigRl, 645 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 646 sig.size(), msg.data(), msg.size())); 647 } 648 649 TEST_F(Epid11VerifierTest, VerifyRejectsSigFromSigRlMiddleEntry) { 650 auto& msg = this->kMsg0; 651 auto& bsn = this->kBsn0; 652 auto& sig_rl = this->kGrpXSigRlMember0Bsn0Msg0MiddleEntry; 653 auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0ThreeEntry; 654 Epid11VerifierCtxObj verifier(this->kPubKeyStr); 655 THROW_ON_EPIDERR(Epid11VerifierSetSigRl( 656 verifier, (Epid11SigRl const*)sig_rl.data(), sig_rl.size())); 657 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size())); 658 EXPECT_EQ(kEpidSigRevokedInSigRl, 659 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 660 sig.size(), msg.data(), msg.size())); 661 } 662 663 TEST_F(Epid11VerifierTest, VerifyRejectsSigFromSigRlLastEntry) { 664 auto& msg = this->kMsg0; 665 auto& bsn = this->kBsn0; 666 auto& sig_rl = this->kGrpXSigRlMember0Bsn0Msg0LastEntry; 667 auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0ThreeEntry; 668 Epid11VerifierCtxObj verifier(this->kPubKeyStr); 669 THROW_ON_EPIDERR(Epid11VerifierSetSigRl( 670 verifier, (Epid11SigRl const*)sig_rl.data(), sig_rl.size())); 671 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size())); 672 EXPECT_EQ(kEpidSigRevokedInSigRl, 673 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 674 sig.size(), msg.data(), msg.size())); 675 } 676 677 ///////////////////////////////////////////////////////////////////// 678 // 679 // 4.1.2 step 33 - If all the above verifications succeed, the 680 // verifier outputs true. If any of the above 681 // verifications fails, the verifier immediately 682 // aborts and outputs false. 683 684 TEST_F(Epid11VerifierTest, VerifyAcceptsSigWithBaseNameNoRl) { 685 auto& pub_key = this->kPubKeyStr; 686 auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0; 687 auto& msg = this->kMsg0; 688 auto& bsn = this->kBsn0; 689 690 Epid11VerifierCtxObj verifier(pub_key); 691 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size())); 692 EXPECT_EQ(kEpidSigValid, 693 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 694 sig.size(), msg.data(), msg.size())); 695 } 696 697 TEST_F(Epid11VerifierTest, VerifyAcceptsSigWithBaseNameAllRl) { 698 auto& pub_key = this->kPubKeyStr; 699 auto& msg = this->kMsg0; 700 auto& bsn = this->kBsn0; 701 auto& grp_rl = this->kGroupRlEmptyBuf; 702 auto& priv_rl = this->kGrpXPrivRl; 703 auto& sig_rl = this->kEmptySigRl; 704 auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0; 705 706 Epid11VerifierCtxObj verifier(pub_key); 707 THROW_ON_EPIDERR(Epid11VerifierSetGroupRl( 708 verifier, (Epid11GroupRl const*)grp_rl.data(), grp_rl.size())); 709 THROW_ON_EPIDERR(Epid11VerifierSetPrivRl( 710 verifier, (Epid11PrivRl const*)priv_rl.data(), priv_rl.size())); 711 THROW_ON_EPIDERR(Epid11VerifierSetSigRl( 712 verifier, (Epid11SigRl const*)sig_rl.data(), sig_rl.size())); 713 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size())); 714 715 EXPECT_EQ(kEpidSigValid, 716 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 717 sig.size(), msg.data(), msg.size())); 718 } 719 720 TEST_F(Epid11VerifierTest, VerifyAcceptsSigWithRandomBaseNameNoRl) { 721 auto& pub_key = this->kPubKeyStr; 722 auto& sig = this->kSigGrpXMember0Sha256RandbaseMsg0; 723 auto& msg = this->kMsg0; 724 725 Epid11VerifierCtxObj verifier(pub_key); 726 EXPECT_EQ(kEpidSigValid, 727 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 728 sig.size(), msg.data(), msg.size())); 729 } 730 731 TEST_F(Epid11VerifierTest, VerifyAcceptsSigWithRandomBaseNameAllRl) { 732 auto& pub_key = this->kPubKeyStr; 733 auto& msg = this->kMsg0; 734 auto& grp_rl = this->kGroupRlEmptyBuf; 735 auto& priv_rl = this->kGrpXPrivRl; 736 auto& sig_rl = this->kEmptySigRl; 737 auto& sig = this->kSigGrpXMember0Sha256RandbaseMsg0; 738 739 Epid11VerifierCtxObj verifier(pub_key); 740 THROW_ON_EPIDERR(Epid11VerifierSetGroupRl( 741 verifier, (Epid11GroupRl const*)grp_rl.data(), grp_rl.size())); 742 THROW_ON_EPIDERR(Epid11VerifierSetPrivRl( 743 verifier, (Epid11PrivRl const*)priv_rl.data(), priv_rl.size())); 744 THROW_ON_EPIDERR(Epid11VerifierSetSigRl( 745 verifier, (Epid11SigRl const*)sig_rl.data(), sig_rl.size())); 746 EXPECT_EQ(kEpidSigValid, 747 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 748 sig.size(), msg.data(), msg.size())); 749 } 750 751 TEST_F(Epid11VerifierTest, VerifyAcceptsSigGivenMsgContainingAllPossibleBytes) { 752 auto& pub_key = this->kPubKeyStrForMsg0_255; 753 auto& msg = this->kData_0_255; 754 auto& grp_rl = this->kGroupRlEmptyBuf; 755 auto& priv_rl = this->kGrpXPrivRl; 756 auto& sig = this->kSigGrp01Member0Sha256kBsn0Data_0_255; 757 758 Epid11VerifierCtxObj verifier(pub_key); 759 THROW_ON_EPIDERR(Epid11VerifierSetGroupRl( 760 verifier, (Epid11GroupRl const*)grp_rl.data(), grp_rl.size())); 761 THROW_ON_EPIDERR(Epid11VerifierSetPrivRl( 762 verifier, (Epid11PrivRl const*)priv_rl.data(), priv_rl.size())); 763 THROW_ON_EPIDERR(Epid11VerifierSetSigRl( 764 verifier, (Epid11SigRl const*)this->kSigRlForMsg0_255.data(), 765 this->kSigRlForMsg0_255.size())); 766 767 EXPECT_EQ(kEpidSigValid, 768 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 769 sig.size(), msg.data(), msg.size())); 770 } 771 772 } // namespace 773