verify-test.cc 49 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196
  1. /*############################################################################
  2. # Copyright 2016 Intel Corporation
  3. #
  4. # Licensed under the Apache License, Version 2.0 (the "License");
  5. # you may not use this file except in compliance with the License.
  6. # You may obtain a copy of the License at
  7. #
  8. # http://www.apache.org/licenses/LICENSE-2.0
  9. #
  10. # Unless required by applicable law or agreed to in writing, software
  11. # distributed under the License is distributed on an "AS IS" BASIS,
  12. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13. # See the License for the specific language governing permissions and
  14. # limitations under the License.
  15. ############################################################################*/
  16. /*!
  17. * \file
  18. * \brief Verify unit tests.
  19. */
  20. #include "gtest/gtest.h"
  21. extern "C" {
  22. #include "epid/verifier/api.h"
  23. #include "epid/common/src/endian_convert.h"
  24. }
  25. #include "epid/verifier/unittests/verifier-testhelper.h"
  26. #include "epid/common-testhelper/verifier_wrapper-testhelper.h"
  27. #include "epid/common-testhelper/errors-testhelper.h"
  28. namespace {
  29. /////////////////////////////////////////////////////////////////////////
  30. // Simple Errors
  31. TEST_F(EpidVerifierTest, VerifyFailsGivenNullParameters) {
  32. VerifierCtxObj verifier(this->kGrp01Key);
  33. auto& sig = this->kSigGrp01Member0Sha256RandombaseTest0;
  34. auto& msg = this->kTest0;
  35. EXPECT_EQ(kEpidBadArgErr,
  36. EpidVerify(nullptr, (EpidSignature const*)sig.data(), sig.size(),
  37. msg.data(), msg.size()));
  38. EXPECT_EQ(kEpidBadArgErr,
  39. EpidVerify(verifier, nullptr, sig.size(), msg.data(), msg.size()));
  40. EXPECT_EQ(kEpidBadArgErr,
  41. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  42. nullptr, msg.size()));
  43. }
  44. TEST_F(EpidVerifierTest, VerifyFailsGivenSigLenTooShortForRlCount) {
  45. VerifierCtxObj verifier(this->kGrp01Key);
  46. EpidVerifierSetSigRl(verifier, (SigRl const*)this->kGrp01SigRl.data(),
  47. this->kGrp01SigRl.size());
  48. auto sig = this->kSigGrp01Member0Sha256RandombaseTest0;
  49. auto n2 = this->kGrp01SigRlN2;
  50. sig.resize(sizeof(EpidSignature) +
  51. (n2 - 2) * sizeof(((EpidSignature*)0)->sigma));
  52. auto& msg = this->kTest0;
  53. EXPECT_EQ(kEpidBadArgErr,
  54. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  55. msg.data(), msg.size()));
  56. }
  57. TEST_F(EpidVerifierTest, VerifyFailsGivenSigLenTooLongForRlCount) {
  58. VerifierCtxObj verifier(this->kGrp01Key);
  59. EpidVerifierSetSigRl(verifier, (SigRl const*)this->kGrp01SigRl.data(),
  60. this->kGrp01SigRl.size());
  61. auto sig = this->kSigGrp01Member0Sha256RandombaseTest0;
  62. auto n2 = this->kGrp01SigRlN2;
  63. sig.resize(sizeof(EpidSignature) + n2 * sizeof(((EpidSignature*)0)->sigma));
  64. auto& msg = this->kTest0;
  65. EXPECT_EQ(kEpidBadArgErr,
  66. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  67. msg.data(), msg.size()));
  68. }
  69. #if (SIZE_MAX <= 0xFFFFFFFF) // When size_t value is 32 bit or lower
  70. TEST_F(EpidVerifierTest, VerifyFailsGivenRlCountTooBig) {
  71. VerifierCtxObj verifier(this->kGrp01Key);
  72. EpidVerifierSetSigRl(verifier, (SigRl const*)this->kGrp01SigRl.data(),
  73. this->kGrp01SigRl.size());
  74. auto sig = this->kSigGrp01Member0Sha256RandombaseTest0;
  75. uint32_t n2 = SIZE_MAX / sizeof(NrProof) + 1;
  76. uint32_t n2_ = ntohl(n2);
  77. EpidSignature* sig_struct = (EpidSignature*)sig.data();
  78. sig_struct->n2 = *(OctStr32*)&n2_;
  79. sig.resize(sizeof(EpidSignature) + (n2 - 1) * sizeof(NrProof));
  80. auto& msg = this->kTest0;
  81. EXPECT_EQ(kEpidBadArgErr,
  82. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  83. msg.data(), msg.size()));
  84. }
  85. #endif
  86. /////////////////////////////////////////////////////////////////////
  87. //
  88. // 4.1.2 step 1 - The verifier reads the pre-computed (e12, e22, e2w, eg12).
  89. // Refer to Section 3.6 for the computation of these values.
  90. // This Step is not testable
  91. /////////////////////////////////////////////////////////////////////
  92. // Non-Revocation List Reject
  93. // 4.1.2 step 2 - The verifier verifies the basic signature Sigma0 as
  94. // follows:
  95. TEST_F(EpidVerifierTest, VerifyRejectsSigWithBNotInG1) {
  96. // * 4.1.2 step 2.a - The verifier verifies G1.inGroup(B) = true.
  97. // result must be kEpidSigInvalid
  98. VerifierCtxObj verifier(this->kGrp01Key);
  99. auto& msg = this->kTest0;
  100. size_t size = this->kSigGrp01Member0Sha256RandombaseTest0.size();
  101. EpidSignature sig = *(
  102. const EpidSignature*)(this->kSigGrp01Member0Sha256RandombaseTest0.data());
  103. sig.sigma0.B.x.data.data[31]++;
  104. EXPECT_EQ(kEpidSigInvalid,
  105. EpidVerify(verifier, &sig, size, msg.data(), msg.size()));
  106. }
  107. TEST_F(EpidVerifierTest, VerifyRejectsSigWithBIdentityOfG1) {
  108. // * 4.1.2 step 2.b - The verifier verifies that G1.isIdentity(B) is false.
  109. // result must be kEpidSigInvalid
  110. VerifierCtxObj verifier(this->kGrp01Key);
  111. auto& msg = this->kTest0;
  112. EpidSignature sig = *(
  113. const EpidSignature*)(this->kSigGrp01Member0Sha256RandombaseTest0.data());
  114. sig.sigma0.B = this->kG1IdentityStr;
  115. size_t size = this->kSigGrp01Member0Sha256RandombaseTest0.size();
  116. EXPECT_EQ(kEpidSigInvalid,
  117. EpidVerify(verifier, &sig, size, msg.data(), msg.size()));
  118. }
  119. TEST_F(EpidVerifierTest, VerifyRejectsSigWithDiffBaseNameSameHashAlg) {
  120. // * 4.1.2 step 2.c - If bsn is provided, the verifier verifies
  121. // B = G1.hash(bsn).
  122. // result must be kEpidSigInvalid
  123. auto& pub_key = this->kGrpXKey;
  124. auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
  125. auto& msg = this->kMsg0;
  126. auto& bsn = this->kBasename1;
  127. VerifierCtxObj verifier(pub_key);
  128. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  129. EXPECT_EQ(kEpidSigInvalid,
  130. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  131. msg.data(), msg.size()));
  132. }
  133. TEST_F(EpidVerifierTest, VerifyRejectsSigWithSameBaseNameDiffHashAlg) {
  134. // * 4.1.2 step 2.c - If bsn is provided, the verifier verifies
  135. // B = G1.hash(bsn).
  136. // result must be kEpidSigInvalid
  137. auto& pub_key = this->kGrpXKey;
  138. auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
  139. auto& msg = this->kMsg0;
  140. auto& bsn = this->kBsn0;
  141. VerifierCtxObj verifier(pub_key);
  142. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha512));
  143. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  144. EXPECT_EQ(kEpidSigInvalid,
  145. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  146. msg.data(), msg.size()));
  147. }
  148. TEST_F(EpidVerifierTest, VerifyRejectsSigWithKNotInG1) {
  149. // * 4.1.2 step 2.d - The verifier verifies G1.inGroup(K) = true.
  150. // result must be kEpidSigInvalid
  151. VerifierCtxObj verifier(this->kGrp01Key);
  152. auto& msg = this->kTest0;
  153. EpidSignature sig = *(
  154. const EpidSignature*)(this->kSigGrp01Member0Sha256RandombaseTest0.data());
  155. sig.sigma0.K.x.data.data[31]++;
  156. size_t size = this->kSigGrp01Member0Sha256RandombaseTest0.size();
  157. EXPECT_EQ(kEpidSigInvalid,
  158. EpidVerify(verifier, &sig, size, msg.data(), msg.size()));
  159. }
  160. TEST_F(EpidVerifierTest, VerifyRejectsSigWithTNotInG1) {
  161. // * 4.1.2 step 2.e - The verifier verifies G1.inGroup(T) = true.
  162. // result must be kEpidSigInvalid
  163. VerifierCtxObj verifier(this->kGrp01Key);
  164. auto& msg = this->kTest0;
  165. EpidSignature sig = *(
  166. const EpidSignature*)(this->kSigGrp01Member0Sha256RandombaseTest0.data());
  167. sig.sigma0.T.x.data.data[31]++;
  168. size_t size = this->kSigGrp01Member0Sha256RandombaseTest0.size();
  169. EXPECT_EQ(kEpidSigInvalid,
  170. EpidVerify(verifier, &sig, size, msg.data(), msg.size()));
  171. }
  172. TEST_F(EpidVerifierTest, VerifyRejectsSigWithCNotInRange) {
  173. // * 4.1.2 step 2.f - The verifier verifies c, sx, sf, sa, sb in [0, p-1].
  174. // result must be kEpidSigInvalid
  175. VerifierCtxObj verifier(this->kGrp01Key);
  176. auto& msg = this->kTest0;
  177. EpidSignature sig = *(
  178. const EpidSignature*)(this->kSigGrp01Member0Sha256RandombaseTest0.data());
  179. sig.sigma0.c.data = this->kParamsStr.p.data;
  180. size_t size = this->kSigGrp01Member0Sha256RandombaseTest0.size();
  181. EXPECT_EQ(kEpidSigInvalid,
  182. EpidVerify(verifier, &sig, size, msg.data(), msg.size()));
  183. }
  184. TEST_F(EpidVerifierTest, VerifyRejectsSigWithSxNotInRange) {
  185. // * 4.1.2 step 2.f - The verifier verifies c, sx, sf, sa, sb in [0, p-1].
  186. // result must be kEpidSigInvalid
  187. VerifierCtxObj verifier(this->kGrp01Key);
  188. auto& msg = this->kTest0;
  189. EpidSignature sig = *(
  190. const EpidSignature*)(this->kSigGrp01Member0Sha256RandombaseTest0.data());
  191. sig.sigma0.sx.data = this->kParamsStr.p.data;
  192. size_t size = this->kSigGrp01Member0Sha256RandombaseTest0.size();
  193. EXPECT_EQ(kEpidSigInvalid,
  194. EpidVerify(verifier, &sig, size, msg.data(), msg.size()));
  195. }
  196. TEST_F(EpidVerifierTest, VerifyRejectsSigWithSfNotInRange) {
  197. // * 4.1.2 step 2.f - The verifier verifies c, sx, sf, sa, sb in [0, p-1].
  198. // result must be kEpidSigInvalid
  199. VerifierCtxObj verifier(this->kGrp01Key);
  200. auto& msg = this->kTest0;
  201. EpidSignature sig = *(
  202. const EpidSignature*)(this->kSigGrp01Member0Sha256RandombaseTest0.data());
  203. sig.sigma0.sf.data = this->kParamsStr.p.data;
  204. size_t size = this->kSigGrp01Member0Sha256RandombaseTest0.size();
  205. EXPECT_EQ(kEpidSigInvalid,
  206. EpidVerify(verifier, &sig, size, msg.data(), msg.size()));
  207. }
  208. TEST_F(EpidVerifierTest, VerifyRejectsSigWithSaNotInRange) {
  209. // * 4.1.2 step 2.f - The verifier verifies c, sx, sf, sa, sb in [0, p-1].
  210. // result must be kEpidSigInvalid
  211. VerifierCtxObj verifier(this->kGrp01Key);
  212. auto& msg = this->kTest0;
  213. EpidSignature sig = *(
  214. const EpidSignature*)(this->kSigGrp01Member0Sha256RandombaseTest0.data());
  215. sig.sigma0.sa.data = this->kParamsStr.p.data;
  216. size_t size = this->kSigGrp01Member0Sha256RandombaseTest0.size();
  217. EXPECT_EQ(kEpidSigInvalid,
  218. EpidVerify(verifier, &sig, size, msg.data(), msg.size()));
  219. }
  220. TEST_F(EpidVerifierTest, VerifyRejectsSigWithSbNotInRange) {
  221. // * 4.1.2 step 2.f - The verifier verifies c, sx, sf, sa, sb in [0, p-1].
  222. // result must be kEpidSigInvalid
  223. VerifierCtxObj verifier(this->kGrp01Key);
  224. auto& msg = this->kTest0;
  225. EpidSignature sig = *(
  226. const EpidSignature*)(this->kSigGrp01Member0Sha256RandombaseTest0.data());
  227. sig.sigma0.sb.data = this->kParamsStr.p.data;
  228. size_t size = this->kSigGrp01Member0Sha256RandombaseTest0.size();
  229. EXPECT_EQ(kEpidSigInvalid,
  230. EpidVerify(verifier, &sig, size, msg.data(), msg.size()));
  231. }
  232. // 4.1.2 step 2.g - The verifier computes nc = (-c) mod p.
  233. // This Step is not testable
  234. // 4.1.2 step 2.h - The verifier computes nsx = (-sx) mod p.
  235. // This Step is not testable
  236. // 4.1.2 step 2.i - The verifier computes R1 = G1.multiExp(B, sf, K, nc).
  237. // This Step is not testable
  238. // 4.1.2 step 2.j - The verifier computes t1 = G2.multiExp(g2, nsx, w, nc).
  239. // This Step is not testable
  240. // 4.1.2 step 2.k - The verifier computes R2 = pairing(T, t1).
  241. // This Step is not testable
  242. // 4.1.2 step 2.l - The verifier compute t2 = GT.multiExp(e12, sf, e22, sb,
  243. // e2w, sa, eg12, c).
  244. // This Step is not testable
  245. // 4.1.2 step 2.m - The verifier compute R2 = GT.mul(R2, t2).
  246. // This Step is not testable
  247. // 4.1.2 step 2.n - The verifier compute t3 = Fp.hash(p || g1 || g2 || h1
  248. // || h2 || w || B || K || T || R1 || R2).
  249. // Refer to Section 7.1 for hash operation over a prime
  250. // field.
  251. // This Step is not testable
  252. TEST_F(EpidVerifierTest, VerifyRejectsSigDifferingOnlyInMsg) {
  253. // * 4.1.2 step 2.o - The verifier verifies c = Fp.hash(t3 || m).
  254. // result must be kEpidSigInvalid
  255. VerifierCtxObj verifier(this->kGrp01Key);
  256. auto& sig = this->kSigGrp01Member0Sha256RandombaseTest0;
  257. auto msg = this->kTest0;
  258. msg[0]++;
  259. EXPECT_EQ(kEpidSigInvalid,
  260. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  261. msg.data(), msg.size()));
  262. }
  263. TEST_F(EpidVerifierTest, VerifyRejectsSigDifferingOnlyInBaseName) {
  264. // * 4.1.2 step 2.o - The verifier verifies c = Fp.hash(t3 || m).
  265. // result must be kEpidSigInvalid
  266. VerifierCtxObj verifier(this->kGrp01Key);
  267. // copy sig data to a local buffer
  268. auto sig_data = this->kSigGrpXMember0Sha256Bsn0Msg0;
  269. EpidSignature* sig = (EpidSignature*)sig_data.data();
  270. // simulate change to basename
  271. sig->sigma0.B.x.data.data[0] += 1;
  272. auto msg = this->kTest1;
  273. EXPECT_EQ(kEpidSigInvalid,
  274. EpidVerify(verifier, sig, sig_data.size(), msg.data(), msg.size()));
  275. }
  276. TEST_F(EpidVerifierTest, VerifyRejectsSigDifferingOnlyInGroup) {
  277. // * 4.1.2 step 2.o - The verifier verifies c = Fp.hash(t3 || m).
  278. // result must be kEpidSigInvalid
  279. VerifierCtxObj verifier(this->kGrp01Key);
  280. // copy sig data to a local buffer
  281. auto sig_data = this->kSigGrpXMember0Sha256Bsn0Msg0;
  282. EpidSignature* sig = (EpidSignature*)sig_data.data();
  283. // simulate change to h1
  284. sig->sigma0.T.x.data.data[0] += 1;
  285. auto msg = this->kTest1;
  286. EXPECT_EQ(kEpidSigInvalid,
  287. EpidVerify(verifier, sig, sig_data.size(), msg.data(), msg.size()));
  288. }
  289. TEST_F(EpidVerifierTest, VerifyRejectsSigDifferingOnlyInHashAlg) {
  290. // * 4.1.2 step 2.o - The verifier verifies c = Fp.hash(t3 || m).
  291. // result must be kEpidSigInvalid
  292. VerifierCtxObj verifier(this->kGrp01Key);
  293. auto& msg = this->kTest0;
  294. auto& sig = this->kSigGrp01Member0Sha256RandombaseTest0;
  295. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha512));
  296. EXPECT_EQ(kEpidSigInvalid,
  297. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  298. msg.data(), msg.size()));
  299. }
  300. // 4.1.2 step 2.p - If any of the above verifications fails, the verifier
  301. // aborts and outputs 1.
  302. // This Step is an aggregate of the above steps
  303. /////////////////////////////////////////////////////////////////////
  304. // Group Based Revocation List Reject
  305. // 4.1.2 step 3 - If GroupRL is provided
  306. TEST_F(EpidVerifierTest, VerifyRejectsFromGroupRlSingleEntry) {
  307. // * 4.1.2 step 3.a - The verifier verifies that gid does not match any entry
  308. // in GroupRL.
  309. // result must be kEpidSigRevokedInGroupRl
  310. auto& pub_key = this->kGrpXKey;
  311. auto& msg = this->kMsg0;
  312. auto& bsn = this->kBsn0;
  313. auto& grp_rl = this->kGrpRlRevokedGrpXOnlyEntry;
  314. auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
  315. VerifierCtxObj verifier(pub_key);
  316. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  317. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  318. THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
  319. verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
  320. EXPECT_EQ(kEpidSigRevokedInGroupRl,
  321. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  322. msg.data(), msg.size()));
  323. }
  324. TEST_F(EpidVerifierTest, VerifyRejectsFromGroupRlFirstEntry) {
  325. // * 4.1.2 step 3.a - The verifier verifies that gid does not match any entry
  326. // in GroupRL.
  327. // result must be kEpidSigRevokedInGroupRl
  328. auto& pub_key = this->kGrpXKey;
  329. auto& msg = this->kMsg0;
  330. auto& bsn = this->kBsn0;
  331. auto& grp_rl = this->kGrpRlRevokedGrpXFirstEntry;
  332. auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
  333. VerifierCtxObj verifier(pub_key);
  334. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  335. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  336. THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
  337. verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
  338. EXPECT_EQ(kEpidSigRevokedInGroupRl,
  339. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  340. msg.data(), msg.size()));
  341. }
  342. TEST_F(EpidVerifierTest, VerifyRejectsFromGroupRlFirstEntryUsingIkgfData) {
  343. // result must be kEpidSigRevokedInGroupRl
  344. auto& pub_key = this->kPubKeyRevGroupIkgfStr;
  345. auto& msg = this->kMsg0;
  346. auto& bsn = this->kBsn0;
  347. auto& grp_rl = this->kGrpRlIkgf;
  348. auto& sig = this->kRevGroupSigMember0Sha256Bsn0Msg0Ikgf;
  349. VerifierCtxObj verifier(pub_key);
  350. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  351. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  352. THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
  353. verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
  354. EXPECT_EQ(kEpidSigRevokedInGroupRl,
  355. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  356. msg.data(), msg.size()));
  357. }
  358. TEST_F(EpidVerifierTest, VerifyRejectsFromGroupRlMiddleEntry) {
  359. // * 4.1.2 step 3.a - The verifier verifies that gid does not match any entry
  360. // in GroupRL.
  361. // result must be kEpidSigRevokedInGroupRl
  362. auto& pub_key = this->kGrpXKey;
  363. auto& msg = this->kMsg0;
  364. auto& bsn = this->kBsn0;
  365. auto& grp_rl = this->kGrpRlRevokedGrpXMiddleEntry;
  366. auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
  367. VerifierCtxObj verifier(pub_key);
  368. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  369. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  370. THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
  371. verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
  372. EXPECT_EQ(kEpidSigRevokedInGroupRl,
  373. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  374. msg.data(), msg.size()));
  375. }
  376. TEST_F(EpidVerifierTest, VerifyRejectsFromGroupRlLastEntry) {
  377. // * 4.1.2 step 3.a - The verifier verifies that gid does not match any entry
  378. // in GroupRL.
  379. // result must be kEpidSigRevokedInGroupRl
  380. auto& pub_key = this->kGrpXKey;
  381. auto& msg = this->kMsg0;
  382. auto& bsn = this->kBsn0;
  383. auto& grp_rl = this->kGrpRlRevokedGrpXLastEntry;
  384. auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
  385. VerifierCtxObj verifier(pub_key);
  386. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  387. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  388. THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
  389. verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
  390. EXPECT_EQ(kEpidSigRevokedInGroupRl,
  391. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  392. msg.data(), msg.size()));
  393. }
  394. // 4.1.2 step 3.b - If gid matches an entry in GroupRL, aborts and returns 2.
  395. // This Step is an aggregate of the above steps
  396. /////////////////////////////////////////////////////////////////////
  397. // Private Based Revocation List Reject
  398. // 4.1.2 step 4 - If PrivRL is provided
  399. // * 4.1.2 step 4.a - The verifier verifies that gid in the public key and in
  400. // PrivRL match. If mismatch, abort and return
  401. // "operation failed".
  402. // Not possible, checked in EpidVerifierSetPrivRl
  403. TEST_F(EpidVerifierTest, VerifyRejectsSigFromPrivRlSingleEntry) {
  404. // * 4.1.2 step 4.b - For i = 0, ?, n1-1,
  405. // the verifier computes t4 =G1.exp(B, f[i])
  406. // and verifies that G1.isEqual(t4, K) = false.
  407. // A faster private-key revocation check algorithm is
  408. // provided in Section 4.5.
  409. // result must be kEpidSigRevokedInPrivRl
  410. auto& pub_key = this->kGrpXKey;
  411. auto& msg = this->kMsg0;
  412. auto& bsn = this->kBsn0;
  413. auto& priv_rl = this->kGrpXPrivRlRevokedPrivKey000OnlyEntry;
  414. auto& sig = this->kSigGrpXRevokedPrivKey000Sha256Bsn0Msg0;
  415. VerifierCtxObj verifier(pub_key);
  416. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  417. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  418. THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
  419. verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
  420. EXPECT_EQ(kEpidSigRevokedInPrivRl,
  421. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  422. msg.data(), msg.size()));
  423. }
  424. TEST_F(EpidVerifierTest, VerifyRejectsSigFromPrivRlFirstEntry) {
  425. // * 4.1.2 step 4.b - For i = 0, ?, n1-1,
  426. // the verifier computes t4 =G1.exp(B, f[i])
  427. // and verifies that G1.isEqual(t4, K) = false.
  428. // A faster private-key revocation check algorithm is
  429. // provided in Section 4.5.
  430. // result must be kEpidSigRevokedInPrivRl
  431. auto& pub_key = this->kGrpXKey;
  432. auto& msg = this->kMsg0;
  433. auto& bsn = this->kBsn0;
  434. auto& priv_rl = this->kGrpXPrivRl;
  435. auto& sig = this->kSigGrpXRevokedPrivKey000Sha256Bsn0Msg0;
  436. VerifierCtxObj verifier(pub_key);
  437. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  438. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  439. THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
  440. verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
  441. EXPECT_EQ(kEpidSigRevokedInPrivRl,
  442. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  443. msg.data(), msg.size()));
  444. }
  445. TEST_F(EpidVerifierTest, VerifyRejectsSigFromPrivRlFirstEntryUsingIkgfData) {
  446. // * 4.1.2 step 4.b - For i = 0, ?, n1-1,
  447. // the verifier computes t4 =G1.exp(B, f[i])
  448. // and verifies that G1.isEqual(t4, K) = false.
  449. // A faster private-key revocation check algorithm is
  450. // provided in Section 4.5.
  451. // result must be kEpidSigRevokedInPrivRl
  452. auto& pub_key = this->kPubKeyIkgfStr;
  453. auto& msg = this->kMsg0;
  454. auto& bsn = this->kBsn0;
  455. auto& priv_rl = this->kPrivRlIkgf;
  456. auto& sig = this->kSigRevokedPrivKeySha256Bsn0Msg0Ikgf;
  457. VerifierCtxObj verifier(pub_key);
  458. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  459. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  460. THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
  461. verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
  462. EXPECT_EQ(kEpidSigRevokedInPrivRl,
  463. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  464. msg.data(), msg.size()));
  465. }
  466. TEST_F(EpidVerifierTest, VerifyRejectsSigFromPrivRlMiddleEntry) {
  467. // * 4.1.2 step 4.b - For i = 0, ?, n1-1,
  468. // the verifier computes t4 =G1.exp(B, f[i])
  469. // and verifies that G1.isEqual(t4, K) = false.
  470. // A faster private-key revocation check algorithm is
  471. // provided in Section 4.5.
  472. // result must be kEpidSigRevokedInPrivRl
  473. auto& pub_key = this->kGrpXKey;
  474. auto& msg = this->kMsg0;
  475. auto& bsn = this->kBsn0;
  476. auto& priv_rl = this->kGrpXPrivRl;
  477. auto& sig = this->kSigGrpXRevokedPrivKey001Sha256Bsn0Msg0;
  478. VerifierCtxObj verifier(pub_key);
  479. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  480. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  481. THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
  482. verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
  483. EXPECT_EQ(kEpidSigRevokedInPrivRl,
  484. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  485. msg.data(), msg.size()));
  486. }
  487. TEST_F(EpidVerifierTest, VerifyRejectsSigFromPrivRlLastEntry) {
  488. // * 4.1.2 step 4.b - For i = 0, ?, n1-1,
  489. // the verifier computes t4 =G1.exp(B, f[i])
  490. // and verifies that G1.isEqual(t4, K) = false.
  491. // A faster private-key revocation check algorithm is
  492. // provided in Section 4.5.
  493. // result must be kEpidSigRevokedInPrivRl
  494. auto& pub_key = this->kGrpXKey;
  495. auto& msg = this->kMsg0;
  496. auto& bsn = this->kBsn0;
  497. auto& priv_rl = this->kGrpXPrivRl;
  498. auto& sig = this->kSigGrpXRevokedPrivKey002Sha256Bsn0Msg0;
  499. VerifierCtxObj verifier(pub_key);
  500. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  501. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  502. THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
  503. verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
  504. EXPECT_EQ(kEpidSigRevokedInPrivRl,
  505. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  506. msg.data(), msg.size()));
  507. }
  508. TEST_F(EpidVerifierTest, VerifyAcceptsSigFromEmptyPrivRlUsingIkgfData) {
  509. auto& pub_key = this->kPubKeyIkgfStr;
  510. auto& msg = this->kMsg0;
  511. auto& bsn = this->kBsn0;
  512. auto& priv_rl = this->kEmptyPrivRlIkgf;
  513. auto& sig = this->kSigMember0Sha256Bsn0Msg0NoSigRlIkgf;
  514. VerifierCtxObj verifier(pub_key);
  515. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  516. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  517. THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
  518. verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
  519. EXPECT_EQ(kEpidNoErr, EpidVerify(verifier, (EpidSignature const*)sig.data(),
  520. sig.size(), msg.data(), msg.size()));
  521. }
  522. // 4.1.2 step 4.c - If the above step fails, the verifier aborts and
  523. // output 3.
  524. // This Step is an aggregate of the above steps
  525. /////////////////////////////////////////////////////////////////////
  526. // Signature Based Revocation List Reject
  527. // 4.1.2 step 5 - If SigRL is provided
  528. // * 4.1.2 step 5.a - The verifier verifies that gid in the public key and in
  529. // SigRL match. If mismatch, abort and return
  530. // "operation failed".
  531. // Not possible, checked in EpidVerifierSetSigRl
  532. TEST_F(EpidVerifierTest, VerifyFailsOnSigRlverNotMatchSigRlRlver) {
  533. // * 4.1.2 step 5.b - The verifier verifies that RLver in Sigma and in SigRL
  534. // match. If mismatch, abort and output "operation failed".
  535. // result must be "operation failed" (not kEpidSig*)
  536. auto& pub_key = this->kGrpXKey;
  537. auto& msg = this->kMsg0;
  538. auto& bsn = this->kBsn0;
  539. auto& sig_rl = this->kGrpXSigRlVersion2;
  540. auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
  541. VerifierCtxObj verifier(pub_key);
  542. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  543. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  544. THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
  545. sig_rl.size()));
  546. EXPECT_EQ(kEpidBadArgErr,
  547. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  548. msg.data(), msg.size()));
  549. }
  550. TEST_F(EpidVerifierTest, VerifyFailsOnSigN2NotMatchSigRlN2) {
  551. // * 4.1.2 step 5.c - The verifier verifies that n2 in Sigma and in SigRL
  552. // match. If mismatch, abort and output "operation failed".
  553. // result must be "operation failed" (not kEpidSig*)
  554. auto& pub_key = this->kGrpXKey;
  555. auto& msg = this->kMsg0;
  556. auto& bsn = this->kBsn0;
  557. auto& sig_rl = this->kGrpXSigRlMember0Sha256Bsn0Msg0OnlyEntry;
  558. auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
  559. VerifierCtxObj verifier(pub_key);
  560. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  561. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  562. THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
  563. sig_rl.size()));
  564. EXPECT_EQ(kEpidBadArgErr,
  565. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  566. msg.data(), msg.size()));
  567. }
  568. TEST_F(EpidVerifierTest, VerifyRejectsSigFromSigRlSingleEntry) {
  569. // * 4.1.2 step 5.d - For i = 0, ..., n2-1, the verifier verifies
  570. // nrVerify(B, K, B[i], K[i], Sigma[i]) = true. The details
  571. // of nrVerify() will be given in the next subsection.
  572. // result must be kEpidSigRevokedInSigRl
  573. auto& pub_key = this->kGrpXKey;
  574. auto& msg = this->kMsg0;
  575. auto& bsn = this->kBsn0;
  576. auto& sig_rl = this->kGrpXSigRlMember0Sha256Bsn0Msg0OnlyEntry;
  577. auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0SingleEntrySigRl;
  578. VerifierCtxObj verifier(pub_key);
  579. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  580. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  581. THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
  582. sig_rl.size()));
  583. EXPECT_EQ(kEpidSigRevokedInSigRl,
  584. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  585. msg.data(), msg.size()));
  586. }
  587. TEST_F(EpidVerifierTest, VerifyRejectsSigFromSigRlFirstEntry) {
  588. // * 4.1.2 step 5.d - For i = 0, ..., n2-1, the verifier verifies
  589. // nrVerify(B, K, B[i], K[i], Sigma[i]) = true. The details
  590. // of nrVerify() will be given in the next subsection.
  591. // result must be kEpidSigRevokedInSigRl
  592. auto& pub_key = this->kGrpXKey;
  593. auto& msg = this->kMsg0;
  594. auto& bsn = this->kBsn0;
  595. auto& sig_rl = this->kGrpXSigRlMember0Sha256Bsn0Msg0FirstEntry;
  596. auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
  597. VerifierCtxObj verifier(pub_key);
  598. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  599. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  600. THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
  601. sig_rl.size()));
  602. EXPECT_EQ(kEpidSigRevokedInSigRl,
  603. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  604. msg.data(), msg.size()));
  605. }
  606. TEST_F(EpidVerifierTest, VerifyRejectsSigFromSigRlFirstEntryUsingIkgfData) {
  607. auto& pub_key = this->kPubKeyIkgfStr;
  608. auto& msg = this->kMsg0;
  609. auto& bsn = this->kBsn0;
  610. auto& sig_rl = this->kSigRlIkgf;
  611. auto& sig = this->kSigRevSigMember0Sha256Bsn0Msg0Ikgf;
  612. VerifierCtxObj verifier(pub_key);
  613. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  614. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  615. THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
  616. sig_rl.size()));
  617. EXPECT_EQ(kEpidSigRevokedInSigRl,
  618. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  619. msg.data(), msg.size()));
  620. }
  621. TEST_F(EpidVerifierTest, VerifyRejectsSigFromSigRlMiddleEntry) {
  622. // * 4.1.2 step 5.d - For i = 0, ..., n2-1, the verifier verifies
  623. // nrVerify(B, K, B[i], K[i], Sigma[i]) = true. The details
  624. // of nrVerify() will be given in the next subsection.
  625. // result must be kEpidSigRevokedInSigRl
  626. auto& pub_key = this->kGrpXKey;
  627. auto& msg = this->kMsg0;
  628. auto& bsn = this->kBsn0;
  629. auto& sig_rl = this->kGrpXSigRlMember0Sha256Bsn0Msg0MiddleEntry;
  630. auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
  631. VerifierCtxObj verifier(pub_key);
  632. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  633. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  634. THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
  635. sig_rl.size()));
  636. EXPECT_EQ(kEpidSigRevokedInSigRl,
  637. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  638. msg.data(), msg.size()));
  639. }
  640. TEST_F(EpidVerifierTest, VerifyRejectsSigFromSigRlLastEntry) {
  641. // * 4.1.2 step 5.d - For i = 0, ..., n2-1, the verifier verifies
  642. // nrVerify(B, K, B[i], K[i], Sigma[i]) = true. The details
  643. // of nrVerify() will be given in the next subsection.
  644. // result must be kEpidSigRevokedInSigRl
  645. auto& pub_key = this->kGrpXKey;
  646. auto& msg = this->kMsg0;
  647. auto& bsn = this->kBsn0;
  648. auto& sig_rl = this->kGrpXSigRlMember0Sha256Bsn0Msg0LastEntry;
  649. auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
  650. VerifierCtxObj verifier(pub_key);
  651. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  652. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  653. THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
  654. sig_rl.size()));
  655. EXPECT_EQ(kEpidSigRevokedInSigRl,
  656. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  657. msg.data(), msg.size()));
  658. }
  659. TEST_F(EpidVerifierTest,
  660. RejectsSigFromNonemptySigRlGivenEmptySigRlUsingIkgfData) {
  661. auto& pub_key = this->kPubKeyIkgfStr;
  662. auto& msg = this->kMsg0;
  663. auto& bsn = this->kBsn0;
  664. auto& sig_rl = this->kEmptySigRlIkgf;
  665. auto& sig = this->kSigMember0Sha256Bsn0Msg0Ikgf;
  666. VerifierCtxObj verifier(pub_key);
  667. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  668. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  669. THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
  670. sig_rl.size()));
  671. EXPECT_EQ(kEpidBadArgErr,
  672. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  673. msg.data(), msg.size()));
  674. }
  675. TEST_F(EpidVerifierTest, VerifyAcceptsSigFromEmptySigRlUsingIkgfData) {
  676. auto& pub_key = this->kPubKeyIkgfStr;
  677. auto& msg = this->kMsg0;
  678. auto& bsn = this->kBsn0;
  679. auto& sig_rl = this->kEmptySigRlIkgf;
  680. auto& sig = this->kSigMember0Sha256Bsn0Msg0EmptySigRlIkgf;
  681. VerifierCtxObj verifier(pub_key);
  682. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  683. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  684. THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
  685. sig_rl.size()));
  686. EXPECT_EQ(kEpidNoErr, EpidVerify(verifier, (EpidSignature const*)sig.data(),
  687. sig.size(), msg.data(), msg.size()));
  688. }
  689. // 4.1.2 step 5.e - If the above step fails, the verifier aborts and
  690. // output 4.
  691. // This Step is an aggregate of the above steps
  692. /////////////////////////////////////////////////////////////////////
  693. // Verifier Based Revocation List Reject
  694. // 4.1.2 step 6 - If VerifierRL is provided
  695. // * 4.1.2 step 6.a - The verifier verifies that gid in the public key and in
  696. // VerifierRL match. If mismatch, abort and return
  697. // "operation failed".
  698. // Not possible, checked in EpidVerifierSetVerifierRl
  699. // * 4.1.2 step 6.b - The verifier verifies that B in the signature and in
  700. // VerifierRL match. If mismatch, go to step 7.
  701. // result must be "operation failed" (not kEpidSig*)
  702. // Not possible, checked in EpidVerifierSetVerifierRl
  703. TEST_F(EpidVerifierTest, VerifyRejectsSigFromVerifierRlSingleEntry) {
  704. // * 4.1.2 step 6.c - For i = 0, ..., n4-1, the verifier verifies that
  705. // K != K[i].
  706. // result must be kEpidSigRevokedInVerifierRl
  707. auto& pub_key = this->kGrpXKey;
  708. auto& msg = this->kMsg0;
  709. auto& bsn = this->kBsn0;
  710. auto& grp_rl = this->kGrpRl;
  711. auto& priv_rl = this->kGrpXPrivRl;
  712. auto& sig_rl = this->kGrpXSigRl;
  713. auto& ver_rl = this->kGrpXBsn0VerRlSingleEntry;
  714. auto& sig = this->kSigGrpXVerRevokedMember0Sha256Bsn0Msg0;
  715. VerifierCtxObj verifier(pub_key);
  716. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  717. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  718. THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
  719. verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
  720. THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
  721. verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
  722. THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
  723. sig_rl.size()));
  724. THROW_ON_EPIDERR(EpidVerifierSetVerifierRl(
  725. verifier, (VerifierRl const*)ver_rl.data(), ver_rl.size()));
  726. EXPECT_EQ(kEpidSigRevokedInVerifierRl,
  727. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  728. msg.data(), msg.size()));
  729. }
  730. TEST_F(EpidVerifierTest, VerifyRejectsSigFromVerifierRlFirstEntry) {
  731. // * 4.1.2 step 6.c - For i = 0, ..., n4-1, the verifier verifies that
  732. // K != K[i].
  733. // result must be kEpidSigRevokedInVerifierRl
  734. auto& pub_key = this->kGrpXKey;
  735. auto& msg = this->kMsg0;
  736. auto& bsn = this->kBsn0;
  737. auto& grp_rl = this->kGrpRl;
  738. auto& priv_rl = this->kGrpXPrivRl;
  739. auto& sig_rl = this->kGrpXSigRl;
  740. auto& ver_rl = this->kGrpXBsn0Sha256VerRl;
  741. auto& sig = this->kSigGrpXVerRevokedMember0Sha256Bsn0Msg0;
  742. VerifierCtxObj verifier(pub_key);
  743. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  744. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  745. THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
  746. verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
  747. THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
  748. verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
  749. THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
  750. sig_rl.size()));
  751. THROW_ON_EPIDERR(EpidVerifierSetVerifierRl(
  752. verifier, (VerifierRl const*)ver_rl.data(), ver_rl.size()));
  753. EXPECT_EQ(kEpidSigRevokedInVerifierRl,
  754. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  755. msg.data(), msg.size()));
  756. }
  757. TEST_F(EpidVerifierTest, VerifyRejectsSigFromVerifierRlMiddleEntry) {
  758. // * 4.1.2 step 6.c - For i = 0, ..., n4-1, the verifier verifies that
  759. // K != K[i].
  760. // result must be kEpidSigRevokedInVerifierRl
  761. auto& pub_key = this->kGrpXKey;
  762. auto& msg = this->kMsg0;
  763. auto& bsn = this->kBsn0;
  764. auto& grp_rl = this->kGrpRl;
  765. auto& priv_rl = this->kGrpXPrivRl;
  766. auto& sig_rl = this->kGrpXSigRl;
  767. auto& ver_rl = this->kGrpXBsn0Sha256VerRl;
  768. auto& sig = this->kSigGrpXVerRevokedMember1Sha256Bsn0Msg0;
  769. VerifierCtxObj verifier(pub_key);
  770. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  771. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  772. THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
  773. verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
  774. THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
  775. verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
  776. THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
  777. sig_rl.size()));
  778. THROW_ON_EPIDERR(EpidVerifierSetVerifierRl(
  779. verifier, (VerifierRl const*)ver_rl.data(), ver_rl.size()));
  780. EXPECT_EQ(kEpidSigRevokedInVerifierRl,
  781. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  782. msg.data(), msg.size()));
  783. }
  784. TEST_F(EpidVerifierTest, VerifyRejectsSigFromVerifierRlLastEntry) {
  785. // * 4.1.2 step 6.c - For i = 0, ..., n4-1, the verifier verifies that
  786. // K != K[i].
  787. // result must be kEpidSigRevokedInVerifierRl
  788. auto& pub_key = this->kGrpXKey;
  789. auto& msg = this->kMsg0;
  790. auto& bsn = this->kBsn0;
  791. auto& grp_rl = this->kGrpRl;
  792. auto& priv_rl = this->kGrpXPrivRl;
  793. auto& sig_rl = this->kGrpXSigRl;
  794. auto& ver_rl = this->kGrpXBsn0Sha256VerRl;
  795. auto& sig = this->kSigGrpXVerRevokedMember2Sha256Bsn0Msg0;
  796. VerifierCtxObj verifier(pub_key);
  797. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  798. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  799. THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
  800. verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
  801. THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
  802. verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
  803. THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
  804. sig_rl.size()));
  805. THROW_ON_EPIDERR(EpidVerifierSetVerifierRl(
  806. verifier, (VerifierRl const*)ver_rl.data(), ver_rl.size()));
  807. EXPECT_EQ(kEpidSigRevokedInVerifierRl,
  808. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  809. msg.data(), msg.size()));
  810. }
  811. // 4.1.2 step 6.d - If the above step fails, the verifier aborts and
  812. // output 5
  813. // This Step is an aggregate of the above steps
  814. /////////////////////////////////////////////////////////////////////
  815. // Accept
  816. // 4.1.2 step 7 - If all the above verifications succeed, the verifier
  817. // outputs 0
  818. TEST_F(EpidVerifierTest, VerifyAcceptsSigWithBaseNameNoRlSha256) {
  819. auto& pub_key = this->kGrpXKey;
  820. auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
  821. auto& msg = this->kMsg0;
  822. auto& bsn = this->kBsn0;
  823. VerifierCtxObj verifier(pub_key);
  824. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  825. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  826. EXPECT_EQ(kEpidSigValid,
  827. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  828. msg.data(), msg.size()));
  829. }
  830. TEST_F(EpidVerifierTest, VerifyAcceptsSigWithBaseNameAllRlSha256) {
  831. auto& pub_key = this->kGrpXKey;
  832. auto& msg = this->kMsg0;
  833. auto& bsn = this->kBsn0;
  834. auto& grp_rl = this->kGrpRl;
  835. auto& priv_rl = this->kGrpXPrivRl;
  836. auto& sig_rl = this->kGrpXSigRl;
  837. auto& ver_rl = this->kGrpXBsn0Sha256VerRl;
  838. auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
  839. VerifierCtxObj verifier(pub_key);
  840. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  841. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  842. THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
  843. verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
  844. THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
  845. verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
  846. THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
  847. sig_rl.size()));
  848. THROW_ON_EPIDERR(EpidVerifierSetVerifierRl(
  849. verifier, (VerifierRl const*)ver_rl.data(), ver_rl.size()));
  850. EXPECT_EQ(kEpidSigValid,
  851. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  852. msg.data(), msg.size()));
  853. }
  854. TEST_F(EpidVerifierTest, VerifyAcceptsSigWithRandomBaseNameNoRlSha256) {
  855. auto& pub_key = this->kGrpXKey;
  856. auto& sig = this->kSigGrpXMember0Sha256RandbaseMsg0;
  857. auto& msg = this->kMsg0;
  858. VerifierCtxObj verifier(pub_key);
  859. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  860. EXPECT_EQ(kEpidSigValid,
  861. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  862. msg.data(), msg.size()));
  863. }
  864. TEST_F(EpidVerifierTest, VerifyAcceptsSigWithRandomBaseNameAllRlSha256) {
  865. auto& pub_key = this->kGrpXKey;
  866. auto& msg = this->kMsg0;
  867. auto& grp_rl = this->kGrpRl;
  868. auto& priv_rl = this->kGrpXPrivRl;
  869. auto& sig_rl = this->kGrpXSigRl;
  870. auto& sig = this->kSigGrpXMember0Sha256RandbaseMsg0;
  871. VerifierCtxObj verifier(pub_key);
  872. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  873. THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
  874. verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
  875. THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
  876. verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
  877. THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
  878. sig_rl.size()));
  879. EXPECT_EQ(kEpidSigValid,
  880. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  881. msg.data(), msg.size()));
  882. }
  883. TEST_F(EpidVerifierTest,
  884. VerifyAcceptsSigWithRandomBaseNameAllRlSha256UsingIkgfData) {
  885. auto& pub_key = this->kPubKeyIkgfStr;
  886. auto& msg = this->kMsg0;
  887. auto& grp_rl = this->kGrpRlIkgf;
  888. auto& priv_rl = this->kPrivRlIkgf;
  889. auto& sig_rl = this->kSigRlIkgf;
  890. auto& sig = this->kSigMember0Sha256RandbaseMsg0Ikgf;
  891. VerifierCtxObj verifier(pub_key);
  892. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
  893. THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
  894. verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
  895. THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
  896. verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
  897. THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
  898. sig_rl.size()));
  899. EXPECT_EQ(kEpidSigValid,
  900. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  901. msg.data(), msg.size()));
  902. }
  903. TEST_F(EpidVerifierTest, VerifyAcceptsSigWithBaseNameAllRlSha384) {
  904. auto& pub_key = this->kGrpXKey;
  905. auto& msg = this->kMsg0;
  906. auto& bsn = this->kBsn0;
  907. auto& grp_rl = this->kGrpRl;
  908. auto& priv_rl = this->kGrpXPrivRl;
  909. auto& sig_rl = this->kGrpXSigRl;
  910. auto& ver_rl = this->kGrpXBsn0Sha384VerRl;
  911. auto& sig = this->kSigGrpXMember0Sha384Bsn0Msg0;
  912. VerifierCtxObj verifier(pub_key);
  913. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha384));
  914. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  915. THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
  916. verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
  917. THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
  918. verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
  919. THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
  920. sig_rl.size()));
  921. THROW_ON_EPIDERR(EpidVerifierSetVerifierRl(
  922. verifier, (VerifierRl const*)ver_rl.data(), ver_rl.size()));
  923. EXPECT_EQ(kEpidSigValid,
  924. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  925. msg.data(), msg.size()));
  926. }
  927. TEST_F(EpidVerifierTest, VerifyAcceptsSigWithRandomBaseNameAllRlSha384) {
  928. auto& pub_key = this->kGrpXKey;
  929. auto& msg = this->kMsg0;
  930. auto& grp_rl = this->kGrpRl;
  931. auto& priv_rl = this->kGrpXPrivRl;
  932. auto& sig_rl = this->kGrpXSigRl;
  933. auto& sig = this->kSigGrpXMember0Sha384RandbaseMsg0;
  934. VerifierCtxObj verifier(pub_key);
  935. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha384));
  936. THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
  937. verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
  938. THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
  939. verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
  940. THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
  941. sig_rl.size()));
  942. EXPECT_EQ(kEpidSigValid,
  943. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  944. msg.data(), msg.size()));
  945. }
  946. TEST_F(EpidVerifierTest, VerifyAcceptsSigWithBaseNameAllRlSha512) {
  947. auto& pub_key = this->kGrpXKey;
  948. auto& msg = this->kMsg0;
  949. auto& bsn = this->kBsn0;
  950. auto& grp_rl = this->kGrpRl;
  951. auto& priv_rl = this->kGrpXPrivRl;
  952. auto& sig_rl = this->kGrpXSigRl;
  953. auto& ver_rl = this->kGrpXBsn0Sha512VerRl;
  954. auto& sig = this->kSigGrpXMember0Sha512Bsn0Msg0;
  955. VerifierCtxObj verifier(pub_key);
  956. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha512));
  957. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  958. THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
  959. verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
  960. THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
  961. verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
  962. THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
  963. sig_rl.size()));
  964. THROW_ON_EPIDERR(EpidVerifierSetVerifierRl(
  965. verifier, (VerifierRl const*)ver_rl.data(), ver_rl.size()));
  966. EXPECT_EQ(kEpidSigValid,
  967. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  968. msg.data(), msg.size()));
  969. }
  970. TEST_F(EpidVerifierTest, VerifyAcceptsSigWithRandomBaseNameAllRlSha512) {
  971. auto& pub_key = this->kGrpXKey;
  972. auto& msg = this->kMsg0;
  973. auto& grp_rl = this->kGrpRl;
  974. auto& priv_rl = this->kGrpXPrivRl;
  975. auto& sig_rl = this->kGrpXSigRl;
  976. auto& sig = this->kSigGrpXMember0Sha512RandbaseMsg0;
  977. VerifierCtxObj verifier(pub_key);
  978. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha512));
  979. THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
  980. verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
  981. THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
  982. verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
  983. THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
  984. sig_rl.size()));
  985. EXPECT_EQ(kEpidSigValid,
  986. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  987. msg.data(), msg.size()));
  988. }
  989. TEST_F(EpidVerifierTest, DISABLED_VerifyAcceptsSigWithBaseNameAllRlSha512256) {
  990. auto& pub_key = this->kGrpXKey;
  991. auto& msg = this->kMsg0;
  992. auto& bsn = this->kBsn0;
  993. auto& grp_rl = this->kGrpRl;
  994. auto& priv_rl = this->kGrpXPrivRl;
  995. auto& sig_rl = this->kGrpXSigRl;
  996. auto& ver_rl = this->kGrpXBsn0Sha512256VerRl;
  997. auto& sig = this->kSigGrpXMember0Sha512256Bsn0Msg0;
  998. VerifierCtxObj verifier(pub_key);
  999. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha512_256));
  1000. THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
  1001. THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
  1002. verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
  1003. THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
  1004. verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
  1005. THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
  1006. sig_rl.size()));
  1007. THROW_ON_EPIDERR(EpidVerifierSetVerifierRl(
  1008. verifier, (VerifierRl const*)ver_rl.data(), ver_rl.size()));
  1009. EXPECT_EQ(kEpidSigValid,
  1010. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  1011. msg.data(), msg.size()));
  1012. }
  1013. TEST_F(EpidVerifierTest,
  1014. DISABLED_VerifyAcceptsSigWithRandomBaseNameAllRlSha512256) {
  1015. auto& pub_key = this->kGrpXKey;
  1016. auto& msg = this->kMsg0;
  1017. auto& grp_rl = this->kGrpRl;
  1018. auto& priv_rl = this->kGrpXPrivRl;
  1019. auto& sig_rl = this->kGrpXSigRl;
  1020. auto& sig = this->kSigGrpXMember0Sha512256RandbaseMsg0;
  1021. VerifierCtxObj verifier(pub_key);
  1022. THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha512_256));
  1023. THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
  1024. verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
  1025. THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
  1026. verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
  1027. THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
  1028. sig_rl.size()));
  1029. EXPECT_EQ(kEpidSigValid,
  1030. EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
  1031. msg.data(), msg.size()));
  1032. }
  1033. } // namespace