linux-sgx-trts-modified/external/epid-sdk/epid/verifier/1.1/unittests/verify-test.cc

/*############################################################################
# Copyright 2016-2017 Intel Corporation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
############################################################################*/

/*!
* \file
* \brief Epid11Verify unit tests.
*/

#include "epid/common-testhelper/epid_gtest-testhelper.h"
#include "gtest/gtest.h"

extern "C" {
#include "epid/common/src/endian_convert.h"
#include "epid/verifier/1.1/api.h"
}

#include "epid/common-testhelper/1.1/verifier_wrapper-testhelper.h"
#include "epid/common-testhelper/errors-testhelper.h"
#include "epid/verifier/1.1/unittests/verifier-testhelper.h"

namespace {

TEST_F(Epid11VerifierTest, VerifyFailsGivenNullParameters) {
  Epid11VerifierCtxObj verifier(this->kPubKeyStr);
  auto sig = this->kSigGrpXMember0Sha256RandbaseMsg0;
  auto msg = this->kMsg0;

  EXPECT_EQ(kEpidBadArgErr,
            Epid11Verify(nullptr, (Epid11Signature const*)sig.data(),
                         sig.size(), msg.data(), msg.size()));
  EXPECT_EQ(kEpidBadArgErr, Epid11Verify(verifier, nullptr, sig.size(),
                                         msg.data(), msg.size()));
  EXPECT_EQ(kEpidBadArgErr,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                         sig.size(), nullptr, msg.size()));
}

TEST_F(Epid11VerifierTest, VerifyFailsGivenTooShortSigLen) {
  Epid11VerifierCtxObj verifier(this->kPubKeyStr);
  auto sig = this->kSigGrpXMember0Sha256RandbaseMsg0;
  auto msg = this->kMsg0;

  EXPECT_EQ(kEpidBadArgErr,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 0,
                         msg.data(), msg.size()));
  EXPECT_EQ(kEpidBadArgErr,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                         sizeof(Epid11Signature) - sizeof(Epid11NrProof) - 1,
                         msg.data(), msg.size()));
}

TEST_F(Epid11VerifierTest, VerifyFailsGivenSigLenTooShortForRlCount) {
  Epid11VerifierCtxObj verifier(this->kPubKeyStr);
  Epid11VerifierSetSigRl(verifier, (Epid11SigRl const*)this->kSigRl.data(),
                         this->kSigRl.size());
  auto sig = this->kSigGrpXMember0Sha256RandbaseMsg0;
  auto n2 = ntohl(((Epid11SigRl const*)this->kSigRl.data())->n2.data);
  sig.resize(sizeof(Epid11Signature) +
             (n2 - 2) * sizeof(((Epid11Signature*)0)->sigma));
  auto msg = this->kMsg0;

  EXPECT_EQ(kEpidBadArgErr,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                         sig.size(), msg.data(), msg.size()));
}

TEST_F(Epid11VerifierTest, VerifyFailsGivenSigLenTooLongForRlCount) {
  Epid11VerifierCtxObj verifier(this->kPubKeyStr);
  Epid11VerifierSetSigRl(verifier, (Epid11SigRl const*)this->kSigRl.data(),
                         this->kSigRl.size());
  auto sig = this->kSigGrpXMember0Sha256RandbaseMsg0;
  auto n2 = ntohl(((Epid11SigRl const*)this->kSigRl.data())->n2.data);
  sig.resize(sizeof(Epid11Signature) +
             n2 * sizeof(((Epid11Signature*)0)->sigma));
  auto msg = this->kMsg0;

  EXPECT_EQ(kEpidBadArgErr,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                         sig.size(), msg.data(), msg.size()));
}

#if (SIZE_MAX <= 0xFFFFFFFF)  // When size_t value is 32 bit or lower
TEST_F(Epid11VerifierTest, VerifyFailsGivenRlCountTooBig) {
  Epid11VerifierCtxObj verifier(this->kPubKeyStr);
  Epid11VerifierSetSigRl(verifier, (Epid11SigRl const*)this->kSigRl.data(),
                         this->kSigRl.size());
  auto sig = this->kSigGrpXMember0Sha256RandbaseMsg0;
  uint32_t n2 = SIZE_MAX / sizeof(Epid11NrProof) + 1;
  uint32_t n2_ = ntohl(n2);
  Epid11Signature* sig_struct = (Epid11Signature*)sig.data();
  sig_struct->n2 = *(OctStr32*)&n2_;
  sig.resize(sizeof(Epid11Signature) + (n2 - 1) * sizeof(Epid11NrProof));
  auto msg = this->kMsg0;

  EXPECT_EQ(kEpidBadArgErr,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                         sig.size(), msg.data(), msg.size()));
}
#endif

/////////////////////////////////////////////////////////////////////
//
//   4.1.2 step 1 - We use the following variables T1, T2, R1, R2,
//                  t1, t2 (elements of G1), R4, t3 (elements of GT),
//                  B, K, R3, t5 (elements of G3), c, sx, sy, sa, sb,
//                  salpha, sbeta, nc, nc', nsx, syalpha,
//                  t4 (256-bit big integers), nd (80-bit big integer),
//                  and sf (600-bit big integer).
// This Step is not testable

/////////////////////////////////////////////////////////////////////
//
//   4.1.2 step 2 - The verifier reads the verifier pre-computation
//                  blob (gid, e12, e22, e2w) from its storage.
//                  Refer to Section 3.4 for the computation of
//                  these values.
// This Step is not testable

/////////////////////////////////////////////////////////////////////
//
//   4.1.2 step 3 - The verifier verifies gid in the public key,
//                  PRIV-RL, and SIG-RL (if provided) and the verifier
//                  pre-computation blob all match.
// This step tested with SetPrivRl, SetSigRl and ReadPrecomp functions tests
/////////////////////////////////////////////////////////////////////
//
//   4.1.2 step 4 - The verifier verifies the signatures of PRIV-RL,
//                  SIG-RL (if provided), and Group-RL (if provided)
//                  using IVK.
// This Step is not testable

/////////////////////////////////////////////////////////////////////
//
//   4.1.2 step 5 - If Group-RL is provided as input, the verifier
//                  verifies that gid has not been revoked, i.e.,
//                  gid does not match any entry in Group-RL.

TEST_F(Epid11VerifierTest, VerifyRejectsFromGroupRlSingleEntry) {
  auto& pub_key = this->kPubKeyStr;
  auto& msg = this->kMsg0;
  auto& bsn = this->kBsn0;
  auto& grp_rl = this->kGrpRlRevokedGrpXSingleEntry;
  auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;

  Epid11VerifierCtxObj verifier(pub_key);
  THROW_ON_EPIDERR(Epid11VerifierSetGroupRl(
      verifier, (Epid11GroupRl const*)grp_rl.data(), grp_rl.size()));
  THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
  EXPECT_EQ(kEpidSigRevokedInGroupRl,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                         sig.size(), msg.data(), msg.size()));
}

TEST_F(Epid11VerifierTest, VerifyRejectsFromGroupRlFirstEntry) {
  auto& pub_key = this->kPubKeyStr;
  auto& msg = this->kMsg0;
  auto& bsn = this->kBsn0;
  auto& grp_rl = this->kGrpRlRevokedGrpXFirstEntry;
  auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;

  Epid11VerifierCtxObj verifier(pub_key);
  THROW_ON_EPIDERR(Epid11VerifierSetGroupRl(
      verifier, (Epid11GroupRl const*)grp_rl.data(), grp_rl.size()));
  THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
  EXPECT_EQ(kEpidSigRevokedInGroupRl,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                         sig.size(), msg.data(), msg.size()));
}

TEST_F(Epid11VerifierTest, VerifyRejectsFromGroupRlMiddleEntry) {
  auto& pub_key = this->kPubKeyStr;
  auto& msg = this->kMsg0;
  auto& bsn = this->kBsn0;
  auto& grp_rl = this->kGrpRlRevokedGrpXMiddleEntry;
  auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;

  Epid11VerifierCtxObj verifier(pub_key);
  THROW_ON_EPIDERR(Epid11VerifierSetGroupRl(
      verifier, (Epid11GroupRl const*)grp_rl.data(), grp_rl.size()));
  THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
  EXPECT_EQ(kEpidSigRevokedInGroupRl,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                         sig.size(), msg.data(), msg.size()));
}

TEST_F(Epid11VerifierTest, VerifyRejectsFromGroupRlLastEntry) {
  auto& pub_key = this->kPubKeyStr;
  auto& msg = this->kMsg0;
  auto& bsn = this->kBsn0;
  auto& grp_rl = this->kGrpRlRevokedGrpXLastEntry;
  auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;

  Epid11VerifierCtxObj verifier(pub_key);
  THROW_ON_EPIDERR(Epid11VerifierSetGroupRl(
      verifier, (Epid11GroupRl const*)grp_rl.data(), grp_rl.size()));
  THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
  EXPECT_EQ(kEpidSigRevokedInGroupRl,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                         sig.size(), msg.data(), msg.size()));
}

/////////////////////////////////////////////////////////////////////
//
//   4.1.2 step 6 - If SIG-RL is provided as input, the verifier
//                  verifies that RLver and n2 values in s match with
//                  the values in SIG-RL. If SIG-RL is not provided
//                  as input, but the input signature is a not basic
//                  signature, the verifier aborts and outputs false.

TEST_F(Epid11VerifierTest, VerifyFailsOnSigRlverNotMatchSigRlRlver) {
  // The verifier verifies that RLver in Sigma and in SigRL
  // match. If mismatch, abort and output "operation failed".
  Epid11VerifierCtxObj verifier(this->kPubKeyStr);
  auto msg = this->kMsg0;
  auto bsn = this->kBsn0;
  auto sig_rl = this->kGrpXSigRlMember0Bsn0Msg0SingleEntry;
  auto sig_rl_size = sig_rl.size();
  auto sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
  Epid11SigRl sig_rl_wrong_ver = *(Epid11SigRl const*)sig_rl.data();
  sig_rl_wrong_ver.version.data[0]++;
  THROW_ON_EPIDERR(
      Epid11VerifierSetSigRl(verifier, &sig_rl_wrong_ver, sig_rl_size));
  THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
  EXPECT_EQ(kEpidErr, Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                                   sig.size(), msg.data(), msg.size()));
}

TEST_F(Epid11VerifierTest, VerifyFailsOnSigN2NotMatchSigRlN2) {
  // The verifier verifies that n2 in Sigma and in SigRL
  // match. If mismatch, abort and output "operation failed".
  Epid11VerifierCtxObj verifier(this->kPubKeyStr);
  auto msg = this->kMsg0;
  auto bsn = this->kBsn0;
  auto* sig_rl =
      (Epid11SigRl const*)this->kGrpXSigRlMember0Bsn0Msg0MiddleEntry.data();
  size_t sig_rl_size = this->kGrpXSigRlMember0Bsn0Msg0MiddleEntry.size();
  auto sig_raw = this->kSigGrpXMember0Sha256Bsn0Msg0SingleEntry;
  Epid11Signature* sig = (Epid11Signature*)sig_raw.data();
  sig->rl_ver = sig_rl->version;
  THROW_ON_EPIDERR(Epid11VerifierSetSigRl(verifier, sig_rl, sig_rl_size));
  THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
  EXPECT_EQ(kEpidBadArgErr, Epid11Verify(verifier, sig, sig_raw.size(),
                                         msg.data(), msg.size()));
}

TEST_F(Epid11VerifierTest, VerifyFailsSigIsNotBasicAndSigRlIsNotProvided) {
  Epid11VerifierCtxObj verifier(this->kPubKeyStr);
  auto msg = this->kMsg0;
  auto bsn = this->kBsn0;
  auto sig = this->kSigGrpXMember0Sha256Bsn0Msg0ThreeEntry;
  THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
  EXPECT_EQ(kEpidBadArgErr,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                         sig.size(), msg.data(), msg.size()));
}

/////////////////////////////////////////////////////////////////////
//
//   4.1.2 step 7 - The verifier verifies that G3.isIdentity(B) is false.
//
TEST_F(Epid11VerifierTest, VerifyRejectsIdentityB) {
  auto& pub_key = this->kPubKeyStr;
  Epid11Signature sig = {0};
  sig.sigma0 =
      *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256Bsn0Msg0.data());
  size_t sig_len = this->kSigGrpXMember0Sha256Bsn0Msg0.size();
  auto& msg = this->kMsg0;
  auto& bsn = this->kBsn0;
  memset(&sig.sigma0.B, 0, sizeof(sig.sigma0.B));

  Epid11VerifierCtxObj verifier(pub_key);
  THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
  EXPECT_EQ(kEpidSigInvalid,
            Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
}

/////////////////////////////////////////////////////////////////////
//
//   4.1.2 step 8 - If bsnSize = 0, the verifier verifies G3.inGroup(B) = true.
//
TEST_F(Epid11VerifierTest, VerifyRejectsBNotInG3) {
  auto& pub_key = this->kPubKeyStr;
  Epid11Signature sig = {0};
  sig.sigma0 =
      *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data());
  size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size();
  auto& msg = this->kMsg0;
  sig.sigma0.B.x.data.data[0] = 0xEE;

  Epid11VerifierCtxObj verifier(pub_key);
  EXPECT_EQ(kEpidSigInvalid,
            Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
}

/////////////////////////////////////////////////////////////////////
//
//   4.1.2 step 9 - If bsnSize > 0, the verifier verifies B = G3.hash(bsn).
//
TEST_F(Epid11VerifierTest, VerifyRejectsBNotMatchingBasename) {
  auto& pub_key = this->kPubKeyStr;
  Epid11Signature sig = {0};
  sig.sigma0 =
      *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256Bsn0Msg0.data());
  size_t sig_len = this->kSigGrpXMember0Sha256Bsn0Msg0.size();
  auto msg = this->kMsg0;
  auto bsn = this->kBsn0;
  bsn.push_back('x');

  Epid11VerifierCtxObj verifier(pub_key);
  THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
  EXPECT_EQ(kEpidSigInvalid,
            Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
}

/////////////////////////////////////////////////////////////////////
//
//   4.1.2 step 10 - The verifier verifies G3.inGroup(K) = true.
//
TEST_F(Epid11VerifierTest, VerifyRejectsKNotInG3) {
  auto& pub_key = this->kPubKeyStr;
  Epid11Signature sig = {0};
  sig.sigma0 =
      *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data());
  size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size();
  auto& msg = this->kMsg0;
  sig.sigma0.K.x.data.data[0] = 0xEE;

  Epid11VerifierCtxObj verifier(pub_key);
  EXPECT_EQ(kEpidSigInvalid,
            Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
}

/////////////////////////////////////////////////////////////////////
//
//   4.1.2 step 11 - The verifier verifies G1.inGroup(T1) = true.
//
TEST_F(Epid11VerifierTest, VerifyRejectsT1NotInG1) {
  auto& pub_key = this->kPubKeyStr;
  Epid11Signature sig = {0};
  sig.sigma0 =
      *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data());
  size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size();
  auto& msg = this->kMsg0;
  sig.sigma0.T1.x.data.data[0] = 0xEE;

  Epid11VerifierCtxObj verifier(pub_key);
  EXPECT_EQ(kEpidSigInvalid,
            Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
}

/////////////////////////////////////////////////////////////////////
//
//   4.1.2 step 12 - The verifier verifies G1.inGroup(T2) = true.
//
TEST_F(Epid11VerifierTest, VerifyRejectsT2NotInG1) {
  auto& pub_key = this->kPubKeyStr;
  Epid11Signature sig = {0};
  sig.sigma0 =
      *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data());
  size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size();
  auto& msg = this->kMsg0;
  sig.sigma0.T2.x.data.data[0] = 0xEE;

  Epid11VerifierCtxObj verifier(pub_key);
  EXPECT_EQ(kEpidSigInvalid,
            Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
}

/////////////////////////////////////////////////////////////////////
//
//   4.1.2 step 13 - The verifier verifies sx, sy, sa, sb, salpha, sbeta
//                   in [0, p-1].
//
TEST_F(Epid11VerifierTest, VerifyRejectsSxNotInFp) {
  auto& pub_key = this->kPubKeyStr;
  Epid11Signature sig = {0};
  sig.sigma0 =
      *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data());
  size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size();
  auto& msg = this->kMsg0;
  sig.sigma0.sx.data.data[0] = 0xEE;

  Epid11VerifierCtxObj verifier(pub_key);
  EXPECT_EQ(kEpidSigInvalid,
            Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
}

TEST_F(Epid11VerifierTest, VerifyRejectsSyNotInFp) {
  auto& pub_key = this->kPubKeyStr;
  Epid11Signature sig = {0};
  sig.sigma0 =
      *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data());
  size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size();
  auto& msg = this->kMsg0;
  sig.sigma0.sy.data.data[0] = 0xEE;

  Epid11VerifierCtxObj verifier(pub_key);
  EXPECT_EQ(kEpidSigInvalid,
            Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
}

TEST_F(Epid11VerifierTest, VerifyRejectsSaNotInFp) {
  auto& pub_key = this->kPubKeyStr;
  Epid11Signature sig = {0};
  sig.sigma0 =
      *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data());
  size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size();
  auto& msg = this->kMsg0;
  sig.sigma0.sa.data.data[0] = 0xEE;

  Epid11VerifierCtxObj verifier(pub_key);
  EXPECT_EQ(kEpidSigInvalid,
            Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
}

TEST_F(Epid11VerifierTest, VerifyRejectsSbNotInFp) {
  auto& pub_key = this->kPubKeyStr;
  Epid11Signature sig = {0};
  sig.sigma0 =
      *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data());
  size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size();
  auto& msg = this->kMsg0;
  sig.sigma0.sb.data.data[0] = 0xEE;

  Epid11VerifierCtxObj verifier(pub_key);
  EXPECT_EQ(kEpidSigInvalid,
            Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
}

TEST_F(Epid11VerifierTest, VerifyRejectsSalphaNotInFp) {
  auto& pub_key = this->kPubKeyStr;
  Epid11Signature sig = {0};
  sig.sigma0 =
      *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data());
  size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size();
  auto& msg = this->kMsg0;
  sig.sigma0.salpha.data.data[0] = 0xEE;

  Epid11VerifierCtxObj verifier(pub_key);
  EXPECT_EQ(kEpidSigInvalid,
            Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
}

TEST_F(Epid11VerifierTest, VerifyRejectsSbetaNotInFp) {
  auto& pub_key = this->kPubKeyStr;
  Epid11Signature sig = {0};
  sig.sigma0 =
      *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data());
  size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size();
  auto& msg = this->kMsg0;
  sig.sigma0.sbeta.data.data[0] = 0xEE;

  Epid11VerifierCtxObj verifier(pub_key);
  EXPECT_EQ(kEpidSigInvalid,
            Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
}

/////////////////////////////////////////////////////////////////////
//
//   4.1.2 step 14 - The verifier verifies that sf is an (at-most) 593-bit
//                   unsigned integer, in other words, sf < 2^593.
//
TEST_F(Epid11VerifierTest, VerifyRejectsSfMoreThan592Bits) {
  auto& pub_key = this->kPubKeyStr;
  Epid11Signature sig = {0};
  sig.sigma0 =
      *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data());
  size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size();
  auto& msg = this->kMsg0;
  memset(&sig.sigma0.sf, 0, sizeof(sig.sigma0.sf));
  sig.sigma0.sf.data[593 / CHAR_BIT] = 1 << ((593 % CHAR_BIT) - 1);

  Epid11VerifierCtxObj verifier(pub_key);
  EXPECT_EQ(kEpidSigInvalid,
            Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
}

/////////////////////////////////////////////////////////////////////
//
//   4.1.2 step 15 - The verifier computes nc = (-c) mod p.
//   4.1.2 step 16 - The verifier computes nc' = (-c) mod p'.
//   4.1.2 step 17 - The verifier computes nsx = (-sx) mod p.
//   4.1.2 step 18 - The verifier computes syalpha = (sy + salpha) mod p.
//   4.1.2 step 19 - The verifier computes R1 = G1.multiexp(h1, sa, h2, sb, T2,
//   nc).
//   4.1.2 step 20 - The verifier computes R2 = G1.multiexp(h1, salpha, h2,
//   sbeta, T2, nsx).
//   4.1.2 step 21 - The verifier computes R3 = G3.multiexp(B, sf, K, nc').
//   4.1.2 step 22 - The verifier computes t1 = G1.multiexp(T1, nsx, g1, c).
//   4.1.2 step 23 - The verifier computes t2 = G1.exp(T1, nc).
//   4.1.2 step 24 - The verifier computes R4 = pairing(t1, g2).
//   4.1.2 step 25 - The verifier computes t3 = pairing(t2, w).
//   4.1.2 step 26 - The verifier computes R4 = GT.mul(R4, t3).
//   4.1.2 step 27 - The verifier compute t3 = GT.multiexp(e12, sf, e22,
//                   syalpha, e2w, sa).
//   4.1.2 step 28 - The verifier compute R4 = GT.mul(R4, t3).
//   4.1.2 step 29 - The verifier compute t4 = Hash(p || g1 || g2 || g3
//                                                  || h1 || h2 || w || B || K
//                                                  || T1 || T2 || R1 || R2
//                                                  || R3 || R4).
// These steps are not testable

/////////////////////////////////////////////////////////////////////
//
//   4.1.2 step 30 - The verifier verifies c = H(t4 || nd || mSize || m).
// It is not  practical to test all inputs to this hash
TEST_F(Epid11VerifierTest, VerifyRejectsSigWithMismatchedMsg) {
  auto& pub_key = this->kPubKeyStr;
  auto& sig = this->kSigGrpXMember0Sha256RandbaseMsg0;
  size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size();
  auto msg = this->kMsg0;
  msg.push_back('x');

  Epid11VerifierCtxObj verifier(pub_key);
  EXPECT_EQ(kEpidSigInvalid,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(), sig_len,
                         msg.data(), msg.size()));
}

/////////////////////////////////////////////////////////////////////
//
//   4.1.2 step 31 - For i = 0, ..., n1-1, the verifier computes
//                   t5 = G3.exp(B, f[i]) and verifies that
//                   G3.isEqual(t5, K) = false.
//
TEST_F(Epid11VerifierTest, VerifyRejectsSigFromPrivRlSingleEntry) {
  auto& pub_key = this->kPubKeyStr;
  auto& msg = this->kMsg0;
  auto& bsn = this->kBsn0;
  auto& priv_rl = this->kGrpXPrivRlSingleEntry;
  auto& sig = this->kSigGrpXRevokedPrivKey000Sha256Bsn0Msg0;
  Epid11VerifierCtxObj verifier(pub_key);
  THROW_ON_EPIDERR(Epid11VerifierSetPrivRl(
      verifier, (Epid11PrivRl const*)priv_rl.data(), priv_rl.size()));
  THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
  EXPECT_EQ(kEpidSigRevokedInPrivRl,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                         sig.size(), msg.data(), msg.size()));
}

TEST_F(Epid11VerifierTest, VerifyRejectsSigFromPrivRlFirstEntry) {
  auto& pub_key = this->kPubKeyStr;
  auto& msg = this->kMsg0;
  auto& bsn = this->kBsn0;
  auto& priv_rl = this->kGrpXPrivRl;
  auto& sig = this->kSigGrpXRevokedPrivKey000Sha256Bsn0Msg0;
  Epid11VerifierCtxObj verifier(pub_key);
  THROW_ON_EPIDERR(Epid11VerifierSetPrivRl(
      verifier, (Epid11PrivRl const*)priv_rl.data(), priv_rl.size()));
  THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
  EXPECT_EQ(kEpidSigRevokedInPrivRl,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                         sig.size(), msg.data(), msg.size()));
}

TEST_F(Epid11VerifierTest, VerifyRejectsSigFromPrivRlMiddleEntry) {
  auto& pub_key = this->kPubKeyStr;
  auto& msg = this->kMsg0;
  auto& bsn = this->kBsn0;
  auto& priv_rl = this->kGrpXPrivRl;
  auto& sig = this->kSigGrpXRevokedPrivKey001Sha256Bsn0Msg0;
  Epid11VerifierCtxObj verifier(pub_key);
  THROW_ON_EPIDERR(Epid11VerifierSetPrivRl(
      verifier, (Epid11PrivRl const*)priv_rl.data(), priv_rl.size()));
  THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
  EXPECT_EQ(kEpidSigRevokedInPrivRl,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                         sig.size(), msg.data(), msg.size()));
}

TEST_F(Epid11VerifierTest, VerifyRejectsSigFromPrivRlLastEntry) {
  auto& pub_key = this->kPubKeyStr;
  auto& msg = this->kMsg0;
  auto& bsn = this->kBsn0;
  auto& priv_rl = this->kGrpXPrivRl;
  auto& sig = this->kSigGrpXRevokedPrivKey002Sha256Bsn0Msg0;
  Epid11VerifierCtxObj verifier(pub_key);
  THROW_ON_EPIDERR(Epid11VerifierSetPrivRl(
      verifier, (Epid11PrivRl const*)priv_rl.data(), priv_rl.size()));
  THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
  EXPECT_EQ(kEpidSigRevokedInPrivRl,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                         sig.size(), msg.data(), msg.size()));
}

TEST_F(Epid11VerifierTest, VerifyRejectsSigUsingCorruptedPrivRlEntry) {
  auto& pub_key = this->kPubKeyStr;
  auto& msg = this->kMsg0;
  auto& bsn = this->kBsn0;
  auto& priv_rl = this->kGrpXCorruptedPrivRl;
  auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
  Epid11VerifierCtxObj verifier(pub_key);
  THROW_ON_EPIDERR(Epid11VerifierSetPrivRl(
      verifier, (Epid11PrivRl const*)priv_rl.data(), priv_rl.size()));
  THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
  EXPECT_EQ(kEpidSigRevokedInPrivRl,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                         sig.size(), msg.data(), msg.size()));
}

/////////////////////////////////////////////////////////////////////
//
//   4.1.2 step 32 - For i = 0, ..., n2-1, the verifier verifies
//                   nr-verify(B, K, B[i], K[i], s[i]) = true.
//                   The details of nr-verify will be given in the
//                   next subsection.

TEST_F(Epid11VerifierTest, VerifyRejectsSigFromSigRlSingleEntry) {
  auto& msg = this->kMsg0;
  auto& bsn = this->kBsn0;
  auto& sig_rl = this->kGrpXSigRlMember0Bsn0Msg0SingleEntry;
  auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0SingleEntry;
  Epid11VerifierCtxObj verifier(this->kPubKeyStr);
  THROW_ON_EPIDERR(Epid11VerifierSetSigRl(
      verifier, (Epid11SigRl const*)sig_rl.data(), sig_rl.size()));
  THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
  EXPECT_EQ(kEpidSigRevokedInSigRl,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                         sig.size(), msg.data(), msg.size()));
}

TEST_F(Epid11VerifierTest, VerifyRejectsSigFromSigRlFirstEntry) {
  auto& msg = this->kMsg0;
  auto& bsn = this->kBsn0;
  auto& sig_rl = this->kGrpXSigRlMember0Bsn0Msg0FirstEntry;
  auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0ThreeEntry;
  Epid11VerifierCtxObj verifier(this->kPubKeyStr);
  THROW_ON_EPIDERR(Epid11VerifierSetSigRl(
      verifier, (Epid11SigRl const*)sig_rl.data(), sig_rl.size()));
  THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
  EXPECT_EQ(kEpidSigRevokedInSigRl,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                         sig.size(), msg.data(), msg.size()));
}

TEST_F(Epid11VerifierTest, VerifyRejectsSigFromSigRlMiddleEntry) {
  auto& msg = this->kMsg0;
  auto& bsn = this->kBsn0;
  auto& sig_rl = this->kGrpXSigRlMember0Bsn0Msg0MiddleEntry;
  auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0ThreeEntry;
  Epid11VerifierCtxObj verifier(this->kPubKeyStr);
  THROW_ON_EPIDERR(Epid11VerifierSetSigRl(
      verifier, (Epid11SigRl const*)sig_rl.data(), sig_rl.size()));
  THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
  EXPECT_EQ(kEpidSigRevokedInSigRl,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                         sig.size(), msg.data(), msg.size()));
}

TEST_F(Epid11VerifierTest, VerifyRejectsSigFromSigRlLastEntry) {
  auto& msg = this->kMsg0;
  auto& bsn = this->kBsn0;
  auto& sig_rl = this->kGrpXSigRlMember0Bsn0Msg0LastEntry;
  auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0ThreeEntry;
  Epid11VerifierCtxObj verifier(this->kPubKeyStr);
  THROW_ON_EPIDERR(Epid11VerifierSetSigRl(
      verifier, (Epid11SigRl const*)sig_rl.data(), sig_rl.size()));
  THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
  EXPECT_EQ(kEpidSigRevokedInSigRl,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                         sig.size(), msg.data(), msg.size()));
}

/////////////////////////////////////////////////////////////////////
//
//   4.1.2 step 33 - If all the above verifications succeed, the
//                   verifier outputs true. If any of the above
//                   verifications fails, the verifier immediately
//                   aborts and outputs false.

TEST_F(Epid11VerifierTest, VerifyAcceptsSigWithBaseNameNoRl) {
  auto& pub_key = this->kPubKeyStr;
  auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
  auto& msg = this->kMsg0;
  auto& bsn = this->kBsn0;

  Epid11VerifierCtxObj verifier(pub_key);
  THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
  EXPECT_EQ(kEpidSigValid,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                         sig.size(), msg.data(), msg.size()));
}

TEST_F(Epid11VerifierTest, VerifyAcceptsSigWithBaseNameAllRl) {
  auto& pub_key = this->kPubKeyStr;
  auto& msg = this->kMsg0;
  auto& bsn = this->kBsn0;
  auto& grp_rl = this->kGroupRlEmptyBuf;
  auto& priv_rl = this->kGrpXPrivRl;
  auto& sig_rl = this->kEmptySigRl;
  auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;

  Epid11VerifierCtxObj verifier(pub_key);
  THROW_ON_EPIDERR(Epid11VerifierSetGroupRl(
      verifier, (Epid11GroupRl const*)grp_rl.data(), grp_rl.size()));
  THROW_ON_EPIDERR(Epid11VerifierSetPrivRl(
      verifier, (Epid11PrivRl const*)priv_rl.data(), priv_rl.size()));
  THROW_ON_EPIDERR(Epid11VerifierSetSigRl(
      verifier, (Epid11SigRl const*)sig_rl.data(), sig_rl.size()));
  THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));

  EXPECT_EQ(kEpidSigValid,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                         sig.size(), msg.data(), msg.size()));
}

TEST_F(Epid11VerifierTest, VerifyAcceptsSigWithRandomBaseNameNoRl) {
  auto& pub_key = this->kPubKeyStr;
  auto& sig = this->kSigGrpXMember0Sha256RandbaseMsg0;
  auto& msg = this->kMsg0;

  Epid11VerifierCtxObj verifier(pub_key);
  EXPECT_EQ(kEpidSigValid,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                         sig.size(), msg.data(), msg.size()));
}

TEST_F(Epid11VerifierTest, VerifyAcceptsSigWithRandomBaseNameAllRl) {
  auto& pub_key = this->kPubKeyStr;
  auto& msg = this->kMsg0;
  auto& grp_rl = this->kGroupRlEmptyBuf;
  auto& priv_rl = this->kGrpXPrivRl;
  auto& sig_rl = this->kEmptySigRl;
  auto& sig = this->kSigGrpXMember0Sha256RandbaseMsg0;

  Epid11VerifierCtxObj verifier(pub_key);
  THROW_ON_EPIDERR(Epid11VerifierSetGroupRl(
      verifier, (Epid11GroupRl const*)grp_rl.data(), grp_rl.size()));
  THROW_ON_EPIDERR(Epid11VerifierSetPrivRl(
      verifier, (Epid11PrivRl const*)priv_rl.data(), priv_rl.size()));
  THROW_ON_EPIDERR(Epid11VerifierSetSigRl(
      verifier, (Epid11SigRl const*)sig_rl.data(), sig_rl.size()));
  EXPECT_EQ(kEpidSigValid,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                         sig.size(), msg.data(), msg.size()));
}

TEST_F(Epid11VerifierTest, VerifyAcceptsSigGivenMsgContainingAllPossibleBytes) {
  auto& pub_key = this->kPubKeyStrForMsg0_255;
  auto& msg = this->kData_0_255;
  auto& grp_rl = this->kGroupRlEmptyBuf;
  auto& priv_rl = this->kGrpXPrivRl;
  auto& sig = this->kSigGrp01Member0Sha256kBsn0Data_0_255;

  Epid11VerifierCtxObj verifier(pub_key);
  THROW_ON_EPIDERR(Epid11VerifierSetGroupRl(
      verifier, (Epid11GroupRl const*)grp_rl.data(), grp_rl.size()));
  THROW_ON_EPIDERR(Epid11VerifierSetPrivRl(
      verifier, (Epid11PrivRl const*)priv_rl.data(), priv_rl.size()));
  THROW_ON_EPIDERR(Epid11VerifierSetSigRl(
      verifier, (Epid11SigRl const*)this->kSigRlForMsg0_255.data(),
      this->kSigRlForMsg0_255.size()));

  EXPECT_EQ(kEpidSigValid,
            Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
                         sig.size(), msg.data(), msg.size()));
}

}  // namespace