Verifier functionality. More...

Data Structures
struct	VerifierPrecomp
	Pre-computed member settings. More...

Functions
EpidStatus	EpidVerifierCreate (GroupPubKey const pub_key, VerifierPrecomp const precomp, VerifierCtx **ctx)
	Creates a new verifier context. More...

void	EpidVerifierDelete (VerifierCtx **ctx)
	Deletes an existing verifier context. More...

EpidStatus	EpidVerifierWritePrecomp (VerifierCtx const ctx, VerifierPrecomp precomp)
	Serializes the pre-computed verifier settings. More...

EpidStatus	EpidVerifierSetPrivRl (VerifierCtx ctx, PrivRl const priv_rl, size_t priv_rl_size)
	Sets the private key based revocation list. More...

EpidStatus	EpidVerifierSetSigRl (VerifierCtx ctx, SigRl const sig_rl, size_t sig_rl_size)
	Sets the signature based revocation list. More...

EpidStatus	EpidVerifierSetGroupRl (VerifierCtx ctx, GroupRl const grp_rl, size_t grp_rl_size)
	Sets the group based revocation list. More...

EpidStatus	EpidVerifierSetVerifierRl (VerifierCtx ctx, VerifierRl const ver_rl, size_t ver_rl_size)
	Sets the verifier revocation list. More...

EpidStatus	EpidVerifierSetHashAlg (VerifierCtx *ctx, HashAlg hash_alg)
	Sets the hash algorithm to be used by a verifier. More...

EpidStatus	EpidVerify (VerifierCtx const ctx, EpidSignature const sig, size_t sig_len, void const msg, size_t msg_len, void const basename, size_t basename_len)
	Verifies a signature and checks revocation status. More...

bool	EpidAreSigsLinked (BasicSignature const sig1, BasicSignature const sig2)
	Determines if two signatures are linked. More...

EpidStatus	EpidVerifyBasicSig (VerifierCtx const ctx, BasicSignature const sig, void const msg, size_t msg_len, void const basename, size_t basename_len)
	Verifies a member signature without revocation checks. More...

EpidStatus	EpidNrVerify (VerifierCtx const ctx, BasicSignature const sig, void const msg, size_t msg_len, SigRlEntry const sigrl_entry, NrProof const *proof)
	Verifies the non-revoked proof for a single signature based revocation list entry. More...

EpidStatus	EpidCheckPrivRlEntry (VerifierCtx const ctx, BasicSignature const sig, FpElemStr const *f)
	Verifies a signature has not been revoked in the private key based revocation list. More...

Detailed Description

Verifier functionality.

Defines the APIs needed by Intel(R) EPID verifiers. Each verifier context (VerifierCtx) represents a verifier for a single group.

Function Documentation

bool EpidAreSigsLinked	(	BasicSignature const *	sig1,
		BasicSignature const *	sig2
	)

Determines if two signatures are linked.

The Intel(R) EPID scheme allows signatures to be linked. If basename option is specified when signing, signatures with the same basename are linkable. This linking capability allows the verifier, or anyone, to know whether two Intel(R) EPID signatures are generated by the same member.

Parameters

[in]	sig1	A basic signature.
[in]	sig2	A basic signature.

Returns: bool

Return values

true	if the signatures were generated by the same member
false	if it couldn't be determined if the signatures were generated by the same member

Note: The input signatures should be verified using EpidVerifyBasicSig() before invocation. Behavior is undefined if either of the signatures cannot be verified.

See also: EpidVerifyBasicSig; EpidSignBasic; EpidSign

EpidStatus EpidCheckPrivRlEntry	(	VerifierCtx const *	ctx,
		BasicSignature const *	sig,
		FpElemStr const *	f
	)

Verifies a signature has not been revoked in the private key based revocation list.

Used in constrained environments where, due to limited memory, it may not be possible to process through a large and potentially unbounded revocation list.

Parameters

[in]	ctx	The verifier context.
[in]	sig	The basic signature.
[in]	f	The private key based revocation list entry.

Note: Sig should be verified using EpidVerifyBasicSig() before invocation. Behavior is undefined if sig cannot be verified.; This function should be used in conjunction with EpidNrVerify() and EpidVerifyBasicSig().; If the result is not kEpidNoErr the verify should be considered to have failed.

Returns: EpidStatus

See also: EpidVerifierCreate; EpidNrVerify; EpidVerifyBasicSig

EpidStatus EpidNrVerify	(	VerifierCtx const *	ctx,
		BasicSignature const *	sig,
		void const *	msg,
		size_t	msg_len,
		SigRlEntry const *	sigrl_entry,
		NrProof const *	proof
	)

Verifies the non-revoked proof for a single signature based revocation list entry.

Used in constrained environments where, due to limited memory, it may not be possible to process through a large and potentially unbounded revocation list.

Parameters

[in]	ctx	The verifier context.
[in]	sig	The basic signature.
[in]	msg	The message that was signed.
[in]	msg_len	The size of msg in bytes.
[in]	sigrl_entry	The signature based revocation list entry.
[in]	proof	The non-revoked proof.

Returns: EpidStatus

Note: Sig should be verified using EpidVerifyBasicSig() before invocation. Behavior is undefined if sig cannot be verified.; This function should be used in conjunction with EpidVerifyBasicSig() and EpidCheckPrivRlEntry().; If the result is not kEpidNoErr, the verification should be considered to have failed.

See also: EpidVerifierCreate; EpidVerifyBasicSig; EpidCheckPrivRlEntry

EpidStatus EpidVerifierCreate	(	GroupPubKey const *	pub_key,
		VerifierPrecomp const *	precomp,
		VerifierCtx **	ctx
	)

Creates a new verifier context.

Must be called to create the verifier context that is used by other "Verifier" APIs.

Allocates memory for the context, then initializes it.

EpidVerifierDelete() must be called to safely release the member context.

Parameters

[in]	pub_key	The group certificate.
[in]	precomp	Optional pre-computed data. If NULL the value is computed internally and is readable using EpidVerifierWritePrecomp().
[out]	ctx	Newly constructed verifier context.

Returns: EpidStatus

Note: If the result is not kEpidNoErr the content of ctx is undefined.

See also: EpidVerifierDelete; EpidVerifierWritePrecomp

Examples:: verifysig.c.

void EpidVerifierDelete ( VerifierCtx ** ctx )

Deletes an existing verifier context.

Must be called to safely release a verifier context created using EpidVerifierCreate().

De-initializes the context, frees memory used by the context, and sets the context pointer to NULL.

Parameters

[in,out] ctx The verifier context. Can be NULL.

See also: EpidVerifierCreate

Examples:: verifysig.c.

EpidStatus EpidVerifierSetGroupRl	(	VerifierCtx *	ctx,
		GroupRl const *	grp_rl,
		size_t	grp_rl_size
	)

Sets the group based revocation list.

The caller is responsible for insuring the revocation list is authorized, e.g signed by the issuer. The caller is also responsible checking the version of the revocation list. The call fails if trying to set an older version of the revocation list than was last set.

Attention: The memory pointed to by grp_rl is accessed directly by the verifier until a new list is set or the verifier is destroyed. Do not modify the contents of this memory. The behavior of subsequent operations that rely on the revocation list is undefined if the memory is modified.; It is the responsibility of the caller to free the memory pointed to by grp_rl after the verifier is no longer using it.

Parameters

[in,out]	ctx	The verifier context.
[in]	grp_rl	The group based revocation list.
[in]	grp_rl_size	The size of the group based revocation list in bytes.

Returns: EpidStatus

Note: If the result is not kEpidNoErr the group based revocation list pointed to by the verifier is undefined.

See also: EpidVerifierCreate

Examples:: verifysig.c.

EpidStatus EpidVerifierSetHashAlg	(	VerifierCtx *	ctx,
		HashAlg	hash_alg
	)

Sets the hash algorithm to be used by a verifier.

Parameters

[in]	ctx	The verifier context.
[in]	hash_alg	The hash algorithm to use.

Returns: EpidStatus

Note: If the result is not kEpidNoErr, the hash algorithm used by the verifier is undefined.

See also: EpidVerifierCreate; HashAlg

Examples:: verifysig.c.

EpidStatus EpidVerifierSetPrivRl	(	VerifierCtx *	ctx,
		PrivRl const *	priv_rl,
		size_t	priv_rl_size
	)

Sets the private key based revocation list.

The caller is responsible for insuring the revocation list is authorized, e.g signed by the issuer. The caller is also responsible checking the version of the revocation list. The call fails if trying to set an older version of the revocation list than was last set.

Attention: The memory pointed to by priv_rl is accessed directly by the verifier until a new list is set or the verifier is destroyed. Do not modify the contents of this memory. The behavior of subsequent operations that rely on the revocation list is undefined if the memory is modified.; It is the responsibility of the caller to free the memory pointed to by priv_rl after the verifier is no longer using it.

Parameters

[in,out]	ctx	The verifier context.
[in]	priv_rl	The private key based revocation list.
[in]	priv_rl_size	The size of the private key based revocation list in bytes.

Returns: EpidStatus

Note: If the result is not kEpidNoErr the private key based revocation list pointed to by the verifier is undefined.

See also: EpidVerifierCreate

Examples:: verifysig.c.

EpidStatus EpidVerifierSetSigRl	(	VerifierCtx *	ctx,
		SigRl const *	sig_rl,
		size_t	sig_rl_size
	)

Sets the signature based revocation list.

The caller is responsible for insuring the revocation list is authorized, e.g signed by the issuer. The caller is also responsible checking the version of the revocation list. The call fails if trying to set an older version of the revocation list than was last set.

Attention: The memory pointed to by sig_rl is accessed directly by the verifier until a new list is set or the verifier is destroyed. Do not modify the contents of this memory. The behavior of subsequent operations that rely on the revocation list is undefined if the memory is modified.; It is the responsibility of the caller to free the memory pointed to by sig_rl after the verifier is no longer using it.

Parameters

[in,out]	ctx	The verifier context.
[in]	sig_rl	The signature based revocation list.
[in]	sig_rl_size	The size of the signature based revocation list in bytes.

Returns: EpidStatus

Note: If the result is not kEpidNoErr the signature based revocation list pointed to by the verifier is undefined.

See also: EpidVerifierCreate

Examples:: verifysig.c.

EpidStatus EpidVerifierSetVerifierRl	(	VerifierCtx *	ctx,
		VerifierRl const *	ver_rl,
		size_t	ver_rl_size
	)

Sets the verifier revocation list.

The caller is responsible for insuring the revocation list is authorized, e.g signed by the issuer. The caller is also responsible checking the version of the revocation list. The call fails if trying to set an older version of the revocation list than was last set.

Attention: The memory pointed to by ver_rl is accessed directly by the verifier until a new list is set or the verifier is destroyed. Do not modify the contents of this memory. The behavior of subsequent operations that rely on the revocation list is undefined if the memory is modified.; It is the responsibility of the caller to free the memory pointed to by ver_rl after the verifier is no longer using it.

Parameters

[in,out]	ctx	The verifier context.
[in]	ver_rl	The verifier revocation list.
[in]	ver_rl_size	The size of the verifier revocation list in bytes.

Returns: EpidStatus

Note: If the result is not kEpidNoErr the verifier revocation list pointed to by the verifier is undefined.

See also: EpidVerifierCreate

Examples:: verifysig.c.

EpidStatus EpidVerifierWritePrecomp	(	VerifierCtx const *	ctx,
		VerifierPrecomp *	precomp
	)

Serializes the pre-computed verifier settings.

Parameters

[in]	ctx	The verifier context.
[out]	precomp	The Serialized pre-computed verifier settings.

Returns: EpidStatus

Note: If the result is not kEpidNoErr the content of precomp is undefined.

Examples:: verifysig.c.

EpidStatus EpidVerify	(	VerifierCtx const *	ctx,
		EpidSignature const *	sig,
		size_t	sig_len,
		void const *	msg,
		size_t	msg_len,
		void const *	basename,
		size_t	basename_len
	)

Verifies a signature and checks revocation status.

Parameters

[in]	ctx	The verifier context.
[in]	sig	The signature.
[in]	sig_len	The size of sig in bytes.
[in]	msg	The message that was signed.
[in]	msg_len	The size of msg in bytes.
[in]	basename	The basename. Pass NULL if not specified
[in]	basename_len	Number of bytes in basename buffer. Must be 0 if basename is NULL.

Returns: EpidStatus

Return values

kEpidSigValid	Signature validated successfully
kEpidSigInvalid	Signature is invalid
kEpidSigRevokedinGroupRl	Signature revoked in GroupRl
kEpidSigRevokedinPrivRl	Signature revoked in PrivRl
kEpidSigRevokedinSigRl	Signature revoked in SigRl
kEpidSigRevokedinVerifierRl	Signature revoked in VerifierRl

Note: If the result is not kEpidNoErr or one of the values listed above the verify should be considered to have failed.

See also: EpidVerifierCreate; EpidSignBasic; EpidSign

Examples:: verifysig.c.

EpidStatus EpidVerifyBasicSig	(	VerifierCtx const *	ctx,
		BasicSignature const *	sig,
		void const *	msg,
		size_t	msg_len,
		void const *	basename,
		size_t	basename_len
	)

Verifies a member signature without revocation checks.

Used in constrained environments where, due to limited memory, it may not be possible to process through a large and potentially unbounded revocation list.

Parameters

[in]	ctx	The verifier context.
[in]	sig	The basic signature.
[in]	msg	The message that was signed.
[in]	msg_len	The size of msg in bytes.
[in]	basename	The basename. Pass NULL if not specified
[in]	basename_len	Number of bytes in basename buffer. Must be 0 if basename is NULL.

Returns: EpidStatus

Note: This function should be used in conjunction with EpidNrVerify() and EpidCheckPrivRlEntry().; If the result is not kEpidNoErr the verify should be considered to have failed.

See also: EpidVerifierCreate; EpidSignBasic; EpidSign

Data Structures

Functions

Detailed Description

Function Documentation