1 /*############################################################################
2 # Copyright 2016-2017 Intel Corporation
3 #
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
7 #
8 # http://www.apache.org/licenses/LICENSE-2.0
9 #
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
15 ############################################################################*/
16
17 /*!
18 * \file
19 * \brief Epid11Verify unit tests.
20 */
21
22 #include "epid/common-testhelper/epid_gtest-testhelper.h"
23 #include "gtest/gtest.h"
24
25 extern "C" {
26 #include "epid/common/src/endian_convert.h"
27 #include "epid/verifier/1.1/api.h"
28 }
29
30 #include "epid/common-testhelper/1.1/verifier_wrapper-testhelper.h"
31 #include "epid/common-testhelper/errors-testhelper.h"
32 #include "epid/verifier/1.1/unittests/verifier-testhelper.h"
33
34 namespace {
35
TEST_F(Epid11VerifierTest,VerifyFailsGivenNullParameters)36 TEST_F(Epid11VerifierTest, VerifyFailsGivenNullParameters) {
37 Epid11VerifierCtxObj verifier(this->kPubKeyStr);
38 auto sig = this->kSigGrpXMember0Sha256RandbaseMsg0;
39 auto msg = this->kMsg0;
40
41 EXPECT_EQ(kEpidBadArgErr,
42 Epid11Verify(nullptr, (Epid11Signature const*)sig.data(),
43 sig.size(), msg.data(), msg.size()));
44 EXPECT_EQ(kEpidBadArgErr, Epid11Verify(verifier, nullptr, sig.size(),
45 msg.data(), msg.size()));
46 EXPECT_EQ(kEpidBadArgErr,
47 Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
48 sig.size(), nullptr, msg.size()));
49 }
50
TEST_F(Epid11VerifierTest,VerifyFailsGivenTooShortSigLen)51 TEST_F(Epid11VerifierTest, VerifyFailsGivenTooShortSigLen) {
52 Epid11VerifierCtxObj verifier(this->kPubKeyStr);
53 auto sig = this->kSigGrpXMember0Sha256RandbaseMsg0;
54 auto msg = this->kMsg0;
55
56 EXPECT_EQ(kEpidBadArgErr,
57 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), 0,
58 msg.data(), msg.size()));
59 EXPECT_EQ(kEpidBadArgErr,
60 Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
61 sizeof(Epid11Signature) - sizeof(Epid11NrProof) - 1,
62 msg.data(), msg.size()));
63 }
64
TEST_F(Epid11VerifierTest,VerifyFailsGivenSigLenTooShortForRlCount)65 TEST_F(Epid11VerifierTest, VerifyFailsGivenSigLenTooShortForRlCount) {
66 Epid11VerifierCtxObj verifier(this->kPubKeyStr);
67 Epid11VerifierSetSigRl(verifier, (Epid11SigRl const*)this->kSigRl.data(),
68 this->kSigRl.size());
69 auto sig = this->kSigGrpXMember0Sha256RandbaseMsg0;
70 auto n2 = ntohl(((Epid11SigRl const*)this->kSigRl.data())->n2.data);
71 sig.resize(sizeof(Epid11Signature) +
72 (n2 - 2) * sizeof(((Epid11Signature*)0)->sigma));
73 auto msg = this->kMsg0;
74
75 EXPECT_EQ(kEpidBadArgErr,
76 Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
77 sig.size(), msg.data(), msg.size()));
78 }
79
TEST_F(Epid11VerifierTest,VerifyFailsGivenSigLenTooLongForRlCount)80 TEST_F(Epid11VerifierTest, VerifyFailsGivenSigLenTooLongForRlCount) {
81 Epid11VerifierCtxObj verifier(this->kPubKeyStr);
82 Epid11VerifierSetSigRl(verifier, (Epid11SigRl const*)this->kSigRl.data(),
83 this->kSigRl.size());
84 auto sig = this->kSigGrpXMember0Sha256RandbaseMsg0;
85 auto n2 = ntohl(((Epid11SigRl const*)this->kSigRl.data())->n2.data);
86 sig.resize(sizeof(Epid11Signature) +
87 n2 * sizeof(((Epid11Signature*)0)->sigma));
88 auto msg = this->kMsg0;
89
90 EXPECT_EQ(kEpidBadArgErr,
91 Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
92 sig.size(), msg.data(), msg.size()));
93 }
94
95 #if (SIZE_MAX <= 0xFFFFFFFF) // When size_t value is 32 bit or lower
TEST_F(Epid11VerifierTest,VerifyFailsGivenRlCountTooBig)96 TEST_F(Epid11VerifierTest, VerifyFailsGivenRlCountTooBig) {
97 Epid11VerifierCtxObj verifier(this->kPubKeyStr);
98 Epid11VerifierSetSigRl(verifier, (Epid11SigRl const*)this->kSigRl.data(),
99 this->kSigRl.size());
100 auto sig = this->kSigGrpXMember0Sha256RandbaseMsg0;
101 uint32_t n2 = SIZE_MAX / sizeof(Epid11NrProof) + 1;
102 uint32_t n2_ = ntohl(n2);
103 Epid11Signature* sig_struct = (Epid11Signature*)sig.data();
104 sig_struct->n2 = *(OctStr32*)&n2_;
105 sig.resize(sizeof(Epid11Signature) + (n2 - 1) * sizeof(Epid11NrProof));
106 auto msg = this->kMsg0;
107
108 EXPECT_EQ(kEpidBadArgErr,
109 Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
110 sig.size(), msg.data(), msg.size()));
111 }
112 #endif
113
114 /////////////////////////////////////////////////////////////////////
115 //
116 // 4.1.2 step 1 - We use the following variables T1, T2, R1, R2,
117 // t1, t2 (elements of G1), R4, t3 (elements of GT),
118 // B, K, R3, t5 (elements of G3), c, sx, sy, sa, sb,
119 // salpha, sbeta, nc, nc', nsx, syalpha,
120 // t4 (256-bit big integers), nd (80-bit big integer),
121 // and sf (600-bit big integer).
122 // This Step is not testable
123
124 /////////////////////////////////////////////////////////////////////
125 //
126 // 4.1.2 step 2 - The verifier reads the verifier pre-computation
127 // blob (gid, e12, e22, e2w) from its storage.
128 // Refer to Section 3.4 for the computation of
129 // these values.
130 // This Step is not testable
131
132 /////////////////////////////////////////////////////////////////////
133 //
134 // 4.1.2 step 3 - The verifier verifies gid in the public key,
135 // PRIV-RL, and SIG-RL (if provided) and the verifier
136 // pre-computation blob all match.
137 // This step tested with SetPrivRl, SetSigRl and ReadPrecomp functions tests
138 /////////////////////////////////////////////////////////////////////
139 //
140 // 4.1.2 step 4 - The verifier verifies the signatures of PRIV-RL,
141 // SIG-RL (if provided), and Group-RL (if provided)
142 // using IVK.
143 // This Step is not testable
144
145 /////////////////////////////////////////////////////////////////////
146 //
147 // 4.1.2 step 5 - If Group-RL is provided as input, the verifier
148 // verifies that gid has not been revoked, i.e.,
149 // gid does not match any entry in Group-RL.
150
TEST_F(Epid11VerifierTest,VerifyRejectsFromGroupRlSingleEntry)151 TEST_F(Epid11VerifierTest, VerifyRejectsFromGroupRlSingleEntry) {
152 auto& pub_key = this->kPubKeyStr;
153 auto& msg = this->kMsg0;
154 auto& bsn = this->kBsn0;
155 auto& grp_rl = this->kGrpRlRevokedGrpXSingleEntry;
156 auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
157
158 Epid11VerifierCtxObj verifier(pub_key);
159 THROW_ON_EPIDERR(Epid11VerifierSetGroupRl(
160 verifier, (Epid11GroupRl const*)grp_rl.data(), grp_rl.size()));
161 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
162 EXPECT_EQ(kEpidSigRevokedInGroupRl,
163 Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
164 sig.size(), msg.data(), msg.size()));
165 }
166
TEST_F(Epid11VerifierTest,VerifyRejectsFromGroupRlFirstEntry)167 TEST_F(Epid11VerifierTest, VerifyRejectsFromGroupRlFirstEntry) {
168 auto& pub_key = this->kPubKeyStr;
169 auto& msg = this->kMsg0;
170 auto& bsn = this->kBsn0;
171 auto& grp_rl = this->kGrpRlRevokedGrpXFirstEntry;
172 auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
173
174 Epid11VerifierCtxObj verifier(pub_key);
175 THROW_ON_EPIDERR(Epid11VerifierSetGroupRl(
176 verifier, (Epid11GroupRl const*)grp_rl.data(), grp_rl.size()));
177 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
178 EXPECT_EQ(kEpidSigRevokedInGroupRl,
179 Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
180 sig.size(), msg.data(), msg.size()));
181 }
182
TEST_F(Epid11VerifierTest,VerifyRejectsFromGroupRlMiddleEntry)183 TEST_F(Epid11VerifierTest, VerifyRejectsFromGroupRlMiddleEntry) {
184 auto& pub_key = this->kPubKeyStr;
185 auto& msg = this->kMsg0;
186 auto& bsn = this->kBsn0;
187 auto& grp_rl = this->kGrpRlRevokedGrpXMiddleEntry;
188 auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
189
190 Epid11VerifierCtxObj verifier(pub_key);
191 THROW_ON_EPIDERR(Epid11VerifierSetGroupRl(
192 verifier, (Epid11GroupRl const*)grp_rl.data(), grp_rl.size()));
193 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
194 EXPECT_EQ(kEpidSigRevokedInGroupRl,
195 Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
196 sig.size(), msg.data(), msg.size()));
197 }
198
TEST_F(Epid11VerifierTest,VerifyRejectsFromGroupRlLastEntry)199 TEST_F(Epid11VerifierTest, VerifyRejectsFromGroupRlLastEntry) {
200 auto& pub_key = this->kPubKeyStr;
201 auto& msg = this->kMsg0;
202 auto& bsn = this->kBsn0;
203 auto& grp_rl = this->kGrpRlRevokedGrpXLastEntry;
204 auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
205
206 Epid11VerifierCtxObj verifier(pub_key);
207 THROW_ON_EPIDERR(Epid11VerifierSetGroupRl(
208 verifier, (Epid11GroupRl const*)grp_rl.data(), grp_rl.size()));
209 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
210 EXPECT_EQ(kEpidSigRevokedInGroupRl,
211 Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
212 sig.size(), msg.data(), msg.size()));
213 }
214
215 /////////////////////////////////////////////////////////////////////
216 //
217 // 4.1.2 step 6 - If SIG-RL is provided as input, the verifier
218 // verifies that RLver and n2 values in s match with
219 // the values in SIG-RL. If SIG-RL is not provided
220 // as input, but the input signature is a not basic
221 // signature, the verifier aborts and outputs false.
222
TEST_F(Epid11VerifierTest,VerifyFailsOnSigRlverNotMatchSigRlRlver)223 TEST_F(Epid11VerifierTest, VerifyFailsOnSigRlverNotMatchSigRlRlver) {
224 // The verifier verifies that RLver in Sigma and in SigRL
225 // match. If mismatch, abort and output "operation failed".
226 Epid11VerifierCtxObj verifier(this->kPubKeyStr);
227 auto msg = this->kMsg0;
228 auto bsn = this->kBsn0;
229 auto sig_rl = this->kGrpXSigRlMember0Bsn0Msg0SingleEntry;
230 auto sig_rl_size = sig_rl.size();
231 auto sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
232 Epid11SigRl sig_rl_wrong_ver = *(Epid11SigRl const*)sig_rl.data();
233 sig_rl_wrong_ver.version.data[0]++;
234 THROW_ON_EPIDERR(
235 Epid11VerifierSetSigRl(verifier, &sig_rl_wrong_ver, sig_rl_size));
236 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
237 EXPECT_EQ(kEpidErr, Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
238 sig.size(), msg.data(), msg.size()));
239 }
240
TEST_F(Epid11VerifierTest,VerifyFailsOnSigN2NotMatchSigRlN2)241 TEST_F(Epid11VerifierTest, VerifyFailsOnSigN2NotMatchSigRlN2) {
242 // The verifier verifies that n2 in Sigma and in SigRL
243 // match. If mismatch, abort and output "operation failed".
244 Epid11VerifierCtxObj verifier(this->kPubKeyStr);
245 auto msg = this->kMsg0;
246 auto bsn = this->kBsn0;
247 auto* sig_rl =
248 (Epid11SigRl const*)this->kGrpXSigRlMember0Bsn0Msg0MiddleEntry.data();
249 size_t sig_rl_size = this->kGrpXSigRlMember0Bsn0Msg0MiddleEntry.size();
250 auto sig_raw = this->kSigGrpXMember0Sha256Bsn0Msg0SingleEntry;
251 Epid11Signature* sig = (Epid11Signature*)sig_raw.data();
252 sig->rl_ver = sig_rl->version;
253 THROW_ON_EPIDERR(Epid11VerifierSetSigRl(verifier, sig_rl, sig_rl_size));
254 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
255 EXPECT_EQ(kEpidBadArgErr, Epid11Verify(verifier, sig, sig_raw.size(),
256 msg.data(), msg.size()));
257 }
258
TEST_F(Epid11VerifierTest,VerifyFailsSigIsNotBasicAndSigRlIsNotProvided)259 TEST_F(Epid11VerifierTest, VerifyFailsSigIsNotBasicAndSigRlIsNotProvided) {
260 Epid11VerifierCtxObj verifier(this->kPubKeyStr);
261 auto msg = this->kMsg0;
262 auto bsn = this->kBsn0;
263 auto sig = this->kSigGrpXMember0Sha256Bsn0Msg0ThreeEntry;
264 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
265 EXPECT_EQ(kEpidBadArgErr,
266 Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
267 sig.size(), msg.data(), msg.size()));
268 }
269
270 /////////////////////////////////////////////////////////////////////
271 //
272 // 4.1.2 step 7 - The verifier verifies that G3.isIdentity(B) is false.
273 //
TEST_F(Epid11VerifierTest,VerifyRejectsIdentityB)274 TEST_F(Epid11VerifierTest, VerifyRejectsIdentityB) {
275 auto& pub_key = this->kPubKeyStr;
276 Epid11Signature sig = {0};
277 sig.sigma0 =
278 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256Bsn0Msg0.data());
279 size_t sig_len = this->kSigGrpXMember0Sha256Bsn0Msg0.size();
280 auto& msg = this->kMsg0;
281 auto& bsn = this->kBsn0;
282 memset(&sig.sigma0.B, 0, sizeof(sig.sigma0.B));
283
284 Epid11VerifierCtxObj verifier(pub_key);
285 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
286 EXPECT_EQ(kEpidSigInvalid,
287 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
288 }
289
290 /////////////////////////////////////////////////////////////////////
291 //
292 // 4.1.2 step 8 - If bsnSize = 0, the verifier verifies G3.inGroup(B) = true.
293 //
TEST_F(Epid11VerifierTest,VerifyRejectsBNotInG3)294 TEST_F(Epid11VerifierTest, VerifyRejectsBNotInG3) {
295 auto& pub_key = this->kPubKeyStr;
296 Epid11Signature sig = {0};
297 sig.sigma0 =
298 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data());
299 size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size();
300 auto& msg = this->kMsg0;
301 sig.sigma0.B.x.data.data[0] = 0xEE;
302
303 Epid11VerifierCtxObj verifier(pub_key);
304 EXPECT_EQ(kEpidSigInvalid,
305 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
306 }
307
308 /////////////////////////////////////////////////////////////////////
309 //
310 // 4.1.2 step 9 - If bsnSize > 0, the verifier verifies B = G3.hash(bsn).
311 //
TEST_F(Epid11VerifierTest,VerifyRejectsBNotMatchingBasename)312 TEST_F(Epid11VerifierTest, VerifyRejectsBNotMatchingBasename) {
313 auto& pub_key = this->kPubKeyStr;
314 Epid11Signature sig = {0};
315 sig.sigma0 =
316 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256Bsn0Msg0.data());
317 size_t sig_len = this->kSigGrpXMember0Sha256Bsn0Msg0.size();
318 auto msg = this->kMsg0;
319 auto bsn = this->kBsn0;
320 bsn.push_back('x');
321
322 Epid11VerifierCtxObj verifier(pub_key);
323 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
324 EXPECT_EQ(kEpidSigInvalid,
325 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
326 }
327
328 /////////////////////////////////////////////////////////////////////
329 //
330 // 4.1.2 step 10 - The verifier verifies G3.inGroup(K) = true.
331 //
TEST_F(Epid11VerifierTest,VerifyRejectsKNotInG3)332 TEST_F(Epid11VerifierTest, VerifyRejectsKNotInG3) {
333 auto& pub_key = this->kPubKeyStr;
334 Epid11Signature sig = {0};
335 sig.sigma0 =
336 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data());
337 size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size();
338 auto& msg = this->kMsg0;
339 sig.sigma0.K.x.data.data[0] = 0xEE;
340
341 Epid11VerifierCtxObj verifier(pub_key);
342 EXPECT_EQ(kEpidSigInvalid,
343 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
344 }
345
346 /////////////////////////////////////////////////////////////////////
347 //
348 // 4.1.2 step 11 - The verifier verifies G1.inGroup(T1) = true.
349 //
TEST_F(Epid11VerifierTest,VerifyRejectsT1NotInG1)350 TEST_F(Epid11VerifierTest, VerifyRejectsT1NotInG1) {
351 auto& pub_key = this->kPubKeyStr;
352 Epid11Signature sig = {0};
353 sig.sigma0 =
354 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data());
355 size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size();
356 auto& msg = this->kMsg0;
357 sig.sigma0.T1.x.data.data[0] = 0xEE;
358
359 Epid11VerifierCtxObj verifier(pub_key);
360 EXPECT_EQ(kEpidSigInvalid,
361 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
362 }
363
364 /////////////////////////////////////////////////////////////////////
365 //
366 // 4.1.2 step 12 - The verifier verifies G1.inGroup(T2) = true.
367 //
TEST_F(Epid11VerifierTest,VerifyRejectsT2NotInG1)368 TEST_F(Epid11VerifierTest, VerifyRejectsT2NotInG1) {
369 auto& pub_key = this->kPubKeyStr;
370 Epid11Signature sig = {0};
371 sig.sigma0 =
372 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data());
373 size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size();
374 auto& msg = this->kMsg0;
375 sig.sigma0.T2.x.data.data[0] = 0xEE;
376
377 Epid11VerifierCtxObj verifier(pub_key);
378 EXPECT_EQ(kEpidSigInvalid,
379 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
380 }
381
382 /////////////////////////////////////////////////////////////////////
383 //
384 // 4.1.2 step 13 - The verifier verifies sx, sy, sa, sb, salpha, sbeta
385 // in [0, p-1].
386 //
TEST_F(Epid11VerifierTest,VerifyRejectsSxNotInFp)387 TEST_F(Epid11VerifierTest, VerifyRejectsSxNotInFp) {
388 auto& pub_key = this->kPubKeyStr;
389 Epid11Signature sig = {0};
390 sig.sigma0 =
391 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data());
392 size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size();
393 auto& msg = this->kMsg0;
394 sig.sigma0.sx.data.data[0] = 0xEE;
395
396 Epid11VerifierCtxObj verifier(pub_key);
397 EXPECT_EQ(kEpidSigInvalid,
398 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
399 }
400
TEST_F(Epid11VerifierTest,VerifyRejectsSyNotInFp)401 TEST_F(Epid11VerifierTest, VerifyRejectsSyNotInFp) {
402 auto& pub_key = this->kPubKeyStr;
403 Epid11Signature sig = {0};
404 sig.sigma0 =
405 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data());
406 size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size();
407 auto& msg = this->kMsg0;
408 sig.sigma0.sy.data.data[0] = 0xEE;
409
410 Epid11VerifierCtxObj verifier(pub_key);
411 EXPECT_EQ(kEpidSigInvalid,
412 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
413 }
414
TEST_F(Epid11VerifierTest,VerifyRejectsSaNotInFp)415 TEST_F(Epid11VerifierTest, VerifyRejectsSaNotInFp) {
416 auto& pub_key = this->kPubKeyStr;
417 Epid11Signature sig = {0};
418 sig.sigma0 =
419 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data());
420 size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size();
421 auto& msg = this->kMsg0;
422 sig.sigma0.sa.data.data[0] = 0xEE;
423
424 Epid11VerifierCtxObj verifier(pub_key);
425 EXPECT_EQ(kEpidSigInvalid,
426 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
427 }
428
TEST_F(Epid11VerifierTest,VerifyRejectsSbNotInFp)429 TEST_F(Epid11VerifierTest, VerifyRejectsSbNotInFp) {
430 auto& pub_key = this->kPubKeyStr;
431 Epid11Signature sig = {0};
432 sig.sigma0 =
433 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data());
434 size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size();
435 auto& msg = this->kMsg0;
436 sig.sigma0.sb.data.data[0] = 0xEE;
437
438 Epid11VerifierCtxObj verifier(pub_key);
439 EXPECT_EQ(kEpidSigInvalid,
440 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
441 }
442
TEST_F(Epid11VerifierTest,VerifyRejectsSalphaNotInFp)443 TEST_F(Epid11VerifierTest, VerifyRejectsSalphaNotInFp) {
444 auto& pub_key = this->kPubKeyStr;
445 Epid11Signature sig = {0};
446 sig.sigma0 =
447 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data());
448 size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size();
449 auto& msg = this->kMsg0;
450 sig.sigma0.salpha.data.data[0] = 0xEE;
451
452 Epid11VerifierCtxObj verifier(pub_key);
453 EXPECT_EQ(kEpidSigInvalid,
454 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
455 }
456
TEST_F(Epid11VerifierTest,VerifyRejectsSbetaNotInFp)457 TEST_F(Epid11VerifierTest, VerifyRejectsSbetaNotInFp) {
458 auto& pub_key = this->kPubKeyStr;
459 Epid11Signature sig = {0};
460 sig.sigma0 =
461 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data());
462 size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size();
463 auto& msg = this->kMsg0;
464 sig.sigma0.sbeta.data.data[0] = 0xEE;
465
466 Epid11VerifierCtxObj verifier(pub_key);
467 EXPECT_EQ(kEpidSigInvalid,
468 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
469 }
470
471 /////////////////////////////////////////////////////////////////////
472 //
473 // 4.1.2 step 14 - The verifier verifies that sf is an (at-most) 593-bit
474 // unsigned integer, in other words, sf < 2^593.
475 //
TEST_F(Epid11VerifierTest,VerifyRejectsSfMoreThan592Bits)476 TEST_F(Epid11VerifierTest, VerifyRejectsSfMoreThan592Bits) {
477 auto& pub_key = this->kPubKeyStr;
478 Epid11Signature sig = {0};
479 sig.sigma0 =
480 *(Epid11BasicSignature*)(this->kSigGrpXMember0Sha256RandbaseMsg0.data());
481 size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size();
482 auto& msg = this->kMsg0;
483 memset(&sig.sigma0.sf, 0, sizeof(sig.sigma0.sf));
484 sig.sigma0.sf.data[593 / CHAR_BIT] = 1 << ((593 % CHAR_BIT) - 1);
485
486 Epid11VerifierCtxObj verifier(pub_key);
487 EXPECT_EQ(kEpidSigInvalid,
488 Epid11Verify(verifier, &sig, sig_len, msg.data(), msg.size()));
489 }
490
491 /////////////////////////////////////////////////////////////////////
492 //
493 // 4.1.2 step 15 - The verifier computes nc = (-c) mod p.
494 // 4.1.2 step 16 - The verifier computes nc' = (-c) mod p'.
495 // 4.1.2 step 17 - The verifier computes nsx = (-sx) mod p.
496 // 4.1.2 step 18 - The verifier computes syalpha = (sy + salpha) mod p.
497 // 4.1.2 step 19 - The verifier computes R1 = G1.multiexp(h1, sa, h2, sb, T2,
498 // nc).
499 // 4.1.2 step 20 - The verifier computes R2 = G1.multiexp(h1, salpha, h2,
500 // sbeta, T2, nsx).
501 // 4.1.2 step 21 - The verifier computes R3 = G3.multiexp(B, sf, K, nc').
502 // 4.1.2 step 22 - The verifier computes t1 = G1.multiexp(T1, nsx, g1, c).
503 // 4.1.2 step 23 - The verifier computes t2 = G1.exp(T1, nc).
504 // 4.1.2 step 24 - The verifier computes R4 = pairing(t1, g2).
505 // 4.1.2 step 25 - The verifier computes t3 = pairing(t2, w).
506 // 4.1.2 step 26 - The verifier computes R4 = GT.mul(R4, t3).
507 // 4.1.2 step 27 - The verifier compute t3 = GT.multiexp(e12, sf, e22,
508 // syalpha, e2w, sa).
509 // 4.1.2 step 28 - The verifier compute R4 = GT.mul(R4, t3).
510 // 4.1.2 step 29 - The verifier compute t4 = Hash(p || g1 || g2 || g3
511 // || h1 || h2 || w || B || K
512 // || T1 || T2 || R1 || R2
513 // || R3 || R4).
514 // These steps are not testable
515
516 /////////////////////////////////////////////////////////////////////
517 //
518 // 4.1.2 step 30 - The verifier verifies c = H(t4 || nd || mSize || m).
519 // It is not practical to test all inputs to this hash
TEST_F(Epid11VerifierTest,VerifyRejectsSigWithMismatchedMsg)520 TEST_F(Epid11VerifierTest, VerifyRejectsSigWithMismatchedMsg) {
521 auto& pub_key = this->kPubKeyStr;
522 auto& sig = this->kSigGrpXMember0Sha256RandbaseMsg0;
523 size_t sig_len = this->kSigGrpXMember0Sha256RandbaseMsg0.size();
524 auto msg = this->kMsg0;
525 msg.push_back('x');
526
527 Epid11VerifierCtxObj verifier(pub_key);
528 EXPECT_EQ(kEpidSigInvalid,
529 Epid11Verify(verifier, (Epid11Signature const*)sig.data(), sig_len,
530 msg.data(), msg.size()));
531 }
532
533 /////////////////////////////////////////////////////////////////////
534 //
535 // 4.1.2 step 31 - For i = 0, ..., n1-1, the verifier computes
536 // t5 = G3.exp(B, f[i]) and verifies that
537 // G3.isEqual(t5, K) = false.
538 //
TEST_F(Epid11VerifierTest,VerifyRejectsSigFromPrivRlSingleEntry)539 TEST_F(Epid11VerifierTest, VerifyRejectsSigFromPrivRlSingleEntry) {
540 auto& pub_key = this->kPubKeyStr;
541 auto& msg = this->kMsg0;
542 auto& bsn = this->kBsn0;
543 auto& priv_rl = this->kGrpXPrivRlSingleEntry;
544 auto& sig = this->kSigGrpXRevokedPrivKey000Sha256Bsn0Msg0;
545 Epid11VerifierCtxObj verifier(pub_key);
546 THROW_ON_EPIDERR(Epid11VerifierSetPrivRl(
547 verifier, (Epid11PrivRl const*)priv_rl.data(), priv_rl.size()));
548 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
549 EXPECT_EQ(kEpidSigRevokedInPrivRl,
550 Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
551 sig.size(), msg.data(), msg.size()));
552 }
553
TEST_F(Epid11VerifierTest,VerifyRejectsSigFromPrivRlFirstEntry)554 TEST_F(Epid11VerifierTest, VerifyRejectsSigFromPrivRlFirstEntry) {
555 auto& pub_key = this->kPubKeyStr;
556 auto& msg = this->kMsg0;
557 auto& bsn = this->kBsn0;
558 auto& priv_rl = this->kGrpXPrivRl;
559 auto& sig = this->kSigGrpXRevokedPrivKey000Sha256Bsn0Msg0;
560 Epid11VerifierCtxObj verifier(pub_key);
561 THROW_ON_EPIDERR(Epid11VerifierSetPrivRl(
562 verifier, (Epid11PrivRl const*)priv_rl.data(), priv_rl.size()));
563 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
564 EXPECT_EQ(kEpidSigRevokedInPrivRl,
565 Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
566 sig.size(), msg.data(), msg.size()));
567 }
568
TEST_F(Epid11VerifierTest,VerifyRejectsSigFromPrivRlMiddleEntry)569 TEST_F(Epid11VerifierTest, VerifyRejectsSigFromPrivRlMiddleEntry) {
570 auto& pub_key = this->kPubKeyStr;
571 auto& msg = this->kMsg0;
572 auto& bsn = this->kBsn0;
573 auto& priv_rl = this->kGrpXPrivRl;
574 auto& sig = this->kSigGrpXRevokedPrivKey001Sha256Bsn0Msg0;
575 Epid11VerifierCtxObj verifier(pub_key);
576 THROW_ON_EPIDERR(Epid11VerifierSetPrivRl(
577 verifier, (Epid11PrivRl const*)priv_rl.data(), priv_rl.size()));
578 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
579 EXPECT_EQ(kEpidSigRevokedInPrivRl,
580 Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
581 sig.size(), msg.data(), msg.size()));
582 }
583
TEST_F(Epid11VerifierTest,VerifyRejectsSigFromPrivRlLastEntry)584 TEST_F(Epid11VerifierTest, VerifyRejectsSigFromPrivRlLastEntry) {
585 auto& pub_key = this->kPubKeyStr;
586 auto& msg = this->kMsg0;
587 auto& bsn = this->kBsn0;
588 auto& priv_rl = this->kGrpXPrivRl;
589 auto& sig = this->kSigGrpXRevokedPrivKey002Sha256Bsn0Msg0;
590 Epid11VerifierCtxObj verifier(pub_key);
591 THROW_ON_EPIDERR(Epid11VerifierSetPrivRl(
592 verifier, (Epid11PrivRl const*)priv_rl.data(), priv_rl.size()));
593 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
594 EXPECT_EQ(kEpidSigRevokedInPrivRl,
595 Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
596 sig.size(), msg.data(), msg.size()));
597 }
598
TEST_F(Epid11VerifierTest,VerifyRejectsSigUsingCorruptedPrivRlEntry)599 TEST_F(Epid11VerifierTest, VerifyRejectsSigUsingCorruptedPrivRlEntry) {
600 auto& pub_key = this->kPubKeyStr;
601 auto& msg = this->kMsg0;
602 auto& bsn = this->kBsn0;
603 auto& priv_rl = this->kGrpXCorruptedPrivRl;
604 auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
605 Epid11VerifierCtxObj verifier(pub_key);
606 THROW_ON_EPIDERR(Epid11VerifierSetPrivRl(
607 verifier, (Epid11PrivRl const*)priv_rl.data(), priv_rl.size()));
608 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
609 EXPECT_EQ(kEpidSigRevokedInPrivRl,
610 Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
611 sig.size(), msg.data(), msg.size()));
612 }
613
614 /////////////////////////////////////////////////////////////////////
615 //
616 // 4.1.2 step 32 - For i = 0, ..., n2-1, the verifier verifies
617 // nr-verify(B, K, B[i], K[i], s[i]) = true.
618 // The details of nr-verify will be given in the
619 // next subsection.
620
TEST_F(Epid11VerifierTest,VerifyRejectsSigFromSigRlSingleEntry)621 TEST_F(Epid11VerifierTest, VerifyRejectsSigFromSigRlSingleEntry) {
622 auto& msg = this->kMsg0;
623 auto& bsn = this->kBsn0;
624 auto& sig_rl = this->kGrpXSigRlMember0Bsn0Msg0SingleEntry;
625 auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0SingleEntry;
626 Epid11VerifierCtxObj verifier(this->kPubKeyStr);
627 THROW_ON_EPIDERR(Epid11VerifierSetSigRl(
628 verifier, (Epid11SigRl const*)sig_rl.data(), sig_rl.size()));
629 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
630 EXPECT_EQ(kEpidSigRevokedInSigRl,
631 Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
632 sig.size(), msg.data(), msg.size()));
633 }
634
TEST_F(Epid11VerifierTest,VerifyRejectsSigFromSigRlFirstEntry)635 TEST_F(Epid11VerifierTest, VerifyRejectsSigFromSigRlFirstEntry) {
636 auto& msg = this->kMsg0;
637 auto& bsn = this->kBsn0;
638 auto& sig_rl = this->kGrpXSigRlMember0Bsn0Msg0FirstEntry;
639 auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0ThreeEntry;
640 Epid11VerifierCtxObj verifier(this->kPubKeyStr);
641 THROW_ON_EPIDERR(Epid11VerifierSetSigRl(
642 verifier, (Epid11SigRl const*)sig_rl.data(), sig_rl.size()));
643 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
644 EXPECT_EQ(kEpidSigRevokedInSigRl,
645 Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
646 sig.size(), msg.data(), msg.size()));
647 }
648
TEST_F(Epid11VerifierTest,VerifyRejectsSigFromSigRlMiddleEntry)649 TEST_F(Epid11VerifierTest, VerifyRejectsSigFromSigRlMiddleEntry) {
650 auto& msg = this->kMsg0;
651 auto& bsn = this->kBsn0;
652 auto& sig_rl = this->kGrpXSigRlMember0Bsn0Msg0MiddleEntry;
653 auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0ThreeEntry;
654 Epid11VerifierCtxObj verifier(this->kPubKeyStr);
655 THROW_ON_EPIDERR(Epid11VerifierSetSigRl(
656 verifier, (Epid11SigRl const*)sig_rl.data(), sig_rl.size()));
657 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
658 EXPECT_EQ(kEpidSigRevokedInSigRl,
659 Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
660 sig.size(), msg.data(), msg.size()));
661 }
662
TEST_F(Epid11VerifierTest,VerifyRejectsSigFromSigRlLastEntry)663 TEST_F(Epid11VerifierTest, VerifyRejectsSigFromSigRlLastEntry) {
664 auto& msg = this->kMsg0;
665 auto& bsn = this->kBsn0;
666 auto& sig_rl = this->kGrpXSigRlMember0Bsn0Msg0LastEntry;
667 auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0ThreeEntry;
668 Epid11VerifierCtxObj verifier(this->kPubKeyStr);
669 THROW_ON_EPIDERR(Epid11VerifierSetSigRl(
670 verifier, (Epid11SigRl const*)sig_rl.data(), sig_rl.size()));
671 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
672 EXPECT_EQ(kEpidSigRevokedInSigRl,
673 Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
674 sig.size(), msg.data(), msg.size()));
675 }
676
677 /////////////////////////////////////////////////////////////////////
678 //
679 // 4.1.2 step 33 - If all the above verifications succeed, the
680 // verifier outputs true. If any of the above
681 // verifications fails, the verifier immediately
682 // aborts and outputs false.
683
TEST_F(Epid11VerifierTest,VerifyAcceptsSigWithBaseNameNoRl)684 TEST_F(Epid11VerifierTest, VerifyAcceptsSigWithBaseNameNoRl) {
685 auto& pub_key = this->kPubKeyStr;
686 auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
687 auto& msg = this->kMsg0;
688 auto& bsn = this->kBsn0;
689
690 Epid11VerifierCtxObj verifier(pub_key);
691 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
692 EXPECT_EQ(kEpidSigValid,
693 Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
694 sig.size(), msg.data(), msg.size()));
695 }
696
TEST_F(Epid11VerifierTest,VerifyAcceptsSigWithBaseNameAllRl)697 TEST_F(Epid11VerifierTest, VerifyAcceptsSigWithBaseNameAllRl) {
698 auto& pub_key = this->kPubKeyStr;
699 auto& msg = this->kMsg0;
700 auto& bsn = this->kBsn0;
701 auto& grp_rl = this->kGroupRlEmptyBuf;
702 auto& priv_rl = this->kGrpXPrivRl;
703 auto& sig_rl = this->kEmptySigRl;
704 auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
705
706 Epid11VerifierCtxObj verifier(pub_key);
707 THROW_ON_EPIDERR(Epid11VerifierSetGroupRl(
708 verifier, (Epid11GroupRl const*)grp_rl.data(), grp_rl.size()));
709 THROW_ON_EPIDERR(Epid11VerifierSetPrivRl(
710 verifier, (Epid11PrivRl const*)priv_rl.data(), priv_rl.size()));
711 THROW_ON_EPIDERR(Epid11VerifierSetSigRl(
712 verifier, (Epid11SigRl const*)sig_rl.data(), sig_rl.size()));
713 THROW_ON_EPIDERR(Epid11VerifierSetBasename(verifier, bsn.data(), bsn.size()));
714
715 EXPECT_EQ(kEpidSigValid,
716 Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
717 sig.size(), msg.data(), msg.size()));
718 }
719
TEST_F(Epid11VerifierTest,VerifyAcceptsSigWithRandomBaseNameNoRl)720 TEST_F(Epid11VerifierTest, VerifyAcceptsSigWithRandomBaseNameNoRl) {
721 auto& pub_key = this->kPubKeyStr;
722 auto& sig = this->kSigGrpXMember0Sha256RandbaseMsg0;
723 auto& msg = this->kMsg0;
724
725 Epid11VerifierCtxObj verifier(pub_key);
726 EXPECT_EQ(kEpidSigValid,
727 Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
728 sig.size(), msg.data(), msg.size()));
729 }
730
TEST_F(Epid11VerifierTest,VerifyAcceptsSigWithRandomBaseNameAllRl)731 TEST_F(Epid11VerifierTest, VerifyAcceptsSigWithRandomBaseNameAllRl) {
732 auto& pub_key = this->kPubKeyStr;
733 auto& msg = this->kMsg0;
734 auto& grp_rl = this->kGroupRlEmptyBuf;
735 auto& priv_rl = this->kGrpXPrivRl;
736 auto& sig_rl = this->kEmptySigRl;
737 auto& sig = this->kSigGrpXMember0Sha256RandbaseMsg0;
738
739 Epid11VerifierCtxObj verifier(pub_key);
740 THROW_ON_EPIDERR(Epid11VerifierSetGroupRl(
741 verifier, (Epid11GroupRl const*)grp_rl.data(), grp_rl.size()));
742 THROW_ON_EPIDERR(Epid11VerifierSetPrivRl(
743 verifier, (Epid11PrivRl const*)priv_rl.data(), priv_rl.size()));
744 THROW_ON_EPIDERR(Epid11VerifierSetSigRl(
745 verifier, (Epid11SigRl const*)sig_rl.data(), sig_rl.size()));
746 EXPECT_EQ(kEpidSigValid,
747 Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
748 sig.size(), msg.data(), msg.size()));
749 }
750
TEST_F(Epid11VerifierTest,VerifyAcceptsSigGivenMsgContainingAllPossibleBytes)751 TEST_F(Epid11VerifierTest, VerifyAcceptsSigGivenMsgContainingAllPossibleBytes) {
752 auto& pub_key = this->kPubKeyStrForMsg0_255;
753 auto& msg = this->kData_0_255;
754 auto& grp_rl = this->kGroupRlEmptyBuf;
755 auto& priv_rl = this->kGrpXPrivRl;
756 auto& sig = this->kSigGrp01Member0Sha256kBsn0Data_0_255;
757
758 Epid11VerifierCtxObj verifier(pub_key);
759 THROW_ON_EPIDERR(Epid11VerifierSetGroupRl(
760 verifier, (Epid11GroupRl const*)grp_rl.data(), grp_rl.size()));
761 THROW_ON_EPIDERR(Epid11VerifierSetPrivRl(
762 verifier, (Epid11PrivRl const*)priv_rl.data(), priv_rl.size()));
763 THROW_ON_EPIDERR(Epid11VerifierSetSigRl(
764 verifier, (Epid11SigRl const*)this->kSigRlForMsg0_255.data(),
765 this->kSigRlForMsg0_255.size()));
766
767 EXPECT_EQ(kEpidSigValid,
768 Epid11Verify(verifier, (Epid11Signature const*)sig.data(),
769 sig.size(), msg.data(), msg.size()));
770 }
771
772 } // namespace
773