1 /*############################################################################
2   # Copyright 2016-2017 Intel Corporation
3   #
4   # Licensed under the Apache License, Version 2.0 (the "License");
5   # you may not use this file except in compliance with the License.
6   # You may obtain a copy of the License at
7   #
8   #     http://www.apache.org/licenses/LICENSE-2.0
9   #
10   # Unless required by applicable law or agreed to in writing, software
11   # distributed under the License is distributed on an "AS IS" BASIS,
12   # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   # See the License for the specific language governing permissions and
14   # limitations under the License.
15   ############################################################################*/
16 
17 /*!
18  * \file
19  * \brief Verify unit tests.
20  */
21 
22 #include "epid/common-testhelper/epid_gtest-testhelper.h"
23 #include "gtest/gtest.h"
24 
25 extern "C" {
26 #include "epid/common/src/endian_convert.h"
27 #include "epid/verifier/api.h"
28 }
29 
30 #include "epid/common-testhelper/errors-testhelper.h"
31 #include "epid/common-testhelper/verifier_wrapper-testhelper.h"
32 #include "epid/verifier/unittests/verifier-testhelper.h"
33 
34 namespace {
35 
36 /////////////////////////////////////////////////////////////////////////
37 // Simple Errors
38 
TEST_F(EpidVerifierTest,VerifyFailsGivenNullParameters)39 TEST_F(EpidVerifierTest, VerifyFailsGivenNullParameters) {
40   VerifierCtxObj verifier(this->kGrp01Key);
41   auto& sig = this->kSigGrp01Member0Sha512RandombaseTest0;
42   auto& msg = this->kTest0;
43 
44   EXPECT_EQ(kEpidBadArgErr,
45             EpidVerify(nullptr, (EpidSignature const*)sig.data(), sig.size(),
46                        msg.data(), msg.size()));
47   EXPECT_EQ(kEpidBadArgErr,
48             EpidVerify(verifier, nullptr, sig.size(), msg.data(), msg.size()));
49   EXPECT_EQ(kEpidBadArgErr,
50             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
51                        nullptr, msg.size()));
52 }
53 
TEST_F(EpidVerifierTest,VerifyFailsGivenTooShortSigLen)54 TEST_F(EpidVerifierTest, VerifyFailsGivenTooShortSigLen) {
55   VerifierCtxObj verifier(this->kGrp01Key);
56   auto& sig = this->kSigGrp01Member0Sha512RandombaseTest0;
57   auto& msg = this->kTest0;
58 
59   EXPECT_EQ(kEpidBadArgErr,
60             EpidVerify(verifier, (EpidSignature const*)sig.data(), 0,
61                        msg.data(), msg.size()));
62   EXPECT_EQ(kEpidBadArgErr,
63             EpidVerify(verifier, (EpidSignature const*)sig.data(),
64                        sizeof(EpidSignature) - sizeof(NrProof) - 1, msg.data(),
65                        msg.size()));
66 }
67 
TEST_F(EpidVerifierTest,VerifyFailsGivenSigLenTooShortForRlCount)68 TEST_F(EpidVerifierTest, VerifyFailsGivenSigLenTooShortForRlCount) {
69   VerifierCtxObj verifier(this->kGrp01Key);
70   EpidVerifierSetSigRl(verifier, (SigRl const*)this->kGrp01SigRl.data(),
71                        this->kGrp01SigRl.size());
72   auto sig = this->kSigGrp01Member0Sha512RandombaseTest0;
73   auto n2 = this->kGrp01SigRlN2;
74   sig.resize(sizeof(EpidSignature) +
75              (n2 - 2) * sizeof(((EpidSignature*)0)->sigma));
76   auto& msg = this->kTest0;
77 
78   EXPECT_EQ(kEpidBadArgErr,
79             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
80                        msg.data(), msg.size()));
81 }
82 
TEST_F(EpidVerifierTest,VerifyFailsGivenSigLenTooLongForRlCount)83 TEST_F(EpidVerifierTest, VerifyFailsGivenSigLenTooLongForRlCount) {
84   VerifierCtxObj verifier(this->kGrp01Key);
85   EpidVerifierSetSigRl(verifier, (SigRl const*)this->kGrp01SigRl.data(),
86                        this->kGrp01SigRl.size());
87   auto sig = this->kSigGrp01Member0Sha512RandombaseTest0;
88   auto n2 = this->kGrp01SigRlN2;
89   sig.resize(sizeof(EpidSignature) + n2 * sizeof(((EpidSignature*)0)->sigma));
90   auto& msg = this->kTest0;
91 
92   EXPECT_EQ(kEpidBadArgErr,
93             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
94                        msg.data(), msg.size()));
95 }
96 
97 #if (SIZE_MAX <= 0xFFFFFFFF)  // When size_t value is 32 bit or lower
TEST_F(EpidVerifierTest,VerifyFailsGivenRlCountTooBig)98 TEST_F(EpidVerifierTest, VerifyFailsGivenRlCountTooBig) {
99   VerifierCtxObj verifier(this->kGrp01Key);
100   EpidVerifierSetSigRl(verifier, (SigRl const*)this->kGrp01SigRl.data(),
101                        this->kGrp01SigRl.size());
102   auto sig = this->kSigGrp01Member0Sha512RandombaseTest0;
103   uint32_t n2 = SIZE_MAX / sizeof(NrProof) + 1;
104   uint32_t n2_ = ntohl(n2);
105   EpidSignature* sig_struct = (EpidSignature*)sig.data();
106   sig_struct->n2 = *(OctStr32*)&n2_;
107   sig.resize(sizeof(EpidSignature) + (n2 - 1) * sizeof(NrProof));
108   auto& msg = this->kTest0;
109 
110   EXPECT_EQ(kEpidBadArgErr,
111             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
112                        msg.data(), msg.size()));
113 }
114 #endif
115 
116 /////////////////////////////////////////////////////////////////////
117 //
118 //   4.1.2 step 1 - The verifier reads the pre-computed (e12, e22, e2w, eg12).
119 //                  Refer to Section 3.6 for the computation of these values.
120 // This Step is not testable
121 
122 /////////////////////////////////////////////////////////////////////
123 // Non-Revocation List Reject
124 //   4.1.2 step 2 - The verifier verifies the basic signature Sigma0 as
125 //                  follows:
126 
TEST_F(EpidVerifierTest,VerifyRejectsSigWithBNotInG1)127 TEST_F(EpidVerifierTest, VerifyRejectsSigWithBNotInG1) {
128   // * 4.1.2 step 2.a - The verifier verifies G1.inGroup(B) = true.
129   // result must be kEpidSigInvalid
130   VerifierCtxObj verifier(this->kGrp01Key);
131   auto& msg = this->kTest0;
132   size_t size = this->kSigGrp01Member0Sha512RandombaseTest0.size();
133   EpidSignature sig = *(
134       const EpidSignature*)(this->kSigGrp01Member0Sha512RandombaseTest0.data());
135   sig.sigma0.B.x.data.data[31]++;
136   EXPECT_EQ(kEpidSigInvalid,
137             EpidVerify(verifier, &sig, size, msg.data(), msg.size()));
138 }
139 
TEST_F(EpidVerifierTest,VerifyRejectsSigWithBIdentityOfG1)140 TEST_F(EpidVerifierTest, VerifyRejectsSigWithBIdentityOfG1) {
141   // * 4.1.2 step 2.b - The verifier verifies that G1.isIdentity(B) is false.
142   // result must be kEpidSigInvalid
143   VerifierCtxObj verifier(this->kGrp01Key);
144   auto& msg = this->kTest0;
145 
146   EpidSignature sig = *(
147       const EpidSignature*)(this->kSigGrp01Member0Sha512RandombaseTest0.data());
148   sig.sigma0.B = this->kG1IdentityStr;
149   size_t size = this->kSigGrp01Member0Sha512RandombaseTest0.size();
150   EXPECT_EQ(kEpidSigInvalid,
151             EpidVerify(verifier, &sig, size, msg.data(), msg.size()));
152 }
153 
TEST_F(EpidVerifierTest,VerifyRejectsSigWithDiffBaseNameSameHashAlg)154 TEST_F(EpidVerifierTest, VerifyRejectsSigWithDiffBaseNameSameHashAlg) {
155   // * 4.1.2 step 2.c - If bsn is provided, the verifier verifies
156   //                    B = G1.hash(bsn).
157   // result must be kEpidSigInvalid
158   auto& pub_key = this->kGrpXKey;
159   auto& sig = this->kSigGrpXMember0Sha512Bsn0Msg0;
160   auto& msg = this->kMsg0;
161   auto& bsn = this->kBasename1;
162 
163   VerifierCtxObj verifier(pub_key);
164 
165   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
166   EXPECT_EQ(kEpidSigInvalid,
167             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
168                        msg.data(), msg.size()));
169 }
170 
TEST_F(EpidVerifierTest,VerifyRejectsSigWithSameBaseNameDiffHashAlg)171 TEST_F(EpidVerifierTest, VerifyRejectsSigWithSameBaseNameDiffHashAlg) {
172   // * 4.1.2 step 2.c - If bsn is provided, the verifier verifies
173   //                    B = G1.hash(bsn).
174   // result must be kEpidSigInvalid
175   auto& pub_key = this->kGrpXKey;
176   auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
177   auto& msg = this->kMsg0;
178   auto& bsn = this->kBsn0;
179 
180   VerifierCtxObj verifier(pub_key);
181   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha512));
182   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
183   EXPECT_EQ(kEpidSigInvalid,
184             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
185                        msg.data(), msg.size()));
186 }
187 
TEST_F(EpidVerifierTest,VerifyRejectsSigWithDifferentHugeBaseName)188 TEST_F(EpidVerifierTest, VerifyRejectsSigWithDifferentHugeBaseName) {
189   // * 4.1.2 step 2.c - If bsn is provided, the verifier verifies
190   //                    B = G1.hash(bsn).
191   // result must be kEpidSigInvalid
192   auto& pub_key = this->kGrpXKey;
193   auto& sig = this->kSigGrpXMember0Sha512HugeBsnMsg0;
194   auto& msg = this->kMsg0;
195   std::vector<uint8_t> bsn(1024 * 1024);
196   uint8_t c = 0;
197   for (size_t i = 0; i < bsn.size(); ++i) {
198     // change middle kilobyte
199     if (i == 512 * 1024) c++;
200     if (i == 513 * 1024) c--;
201     bsn[i] = c++;
202   }
203 
204   VerifierCtxObj verifier(pub_key);
205   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha512));
206   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
207   EXPECT_EQ(kEpidSigInvalid,
208             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
209                        msg.data(), msg.size()));
210 }
211 
TEST_F(EpidVerifierTest,VerifyRejectsSigWithKNotInG1)212 TEST_F(EpidVerifierTest, VerifyRejectsSigWithKNotInG1) {
213   // * 4.1.2 step 2.d - The verifier verifies G1.inGroup(K) = true.
214   // result must be kEpidSigInvalid
215   VerifierCtxObj verifier(this->kGrp01Key);
216   auto& msg = this->kTest0;
217 
218   EpidSignature sig = *(
219       const EpidSignature*)(this->kSigGrp01Member0Sha512RandombaseTest0.data());
220   sig.sigma0.K.x.data.data[31]++;
221   size_t size = this->kSigGrp01Member0Sha512RandombaseTest0.size();
222   EXPECT_EQ(kEpidSigInvalid,
223             EpidVerify(verifier, &sig, size, msg.data(), msg.size()));
224 }
225 
TEST_F(EpidVerifierTest,VerifyRejectsSigWithTNotInG1)226 TEST_F(EpidVerifierTest, VerifyRejectsSigWithTNotInG1) {
227   // * 4.1.2 step 2.e - The verifier verifies G1.inGroup(T) = true.
228   // result must be kEpidSigInvalid
229   VerifierCtxObj verifier(this->kGrp01Key);
230   auto& msg = this->kTest0;
231 
232   EpidSignature sig = *(
233       const EpidSignature*)(this->kSigGrp01Member0Sha512RandombaseTest0.data());
234   sig.sigma0.T.x.data.data[31]++;
235   size_t size = this->kSigGrp01Member0Sha512RandombaseTest0.size();
236   EXPECT_EQ(kEpidSigInvalid,
237             EpidVerify(verifier, &sig, size, msg.data(), msg.size()));
238 }
239 
TEST_F(EpidVerifierTest,VerifyRejectsSigWithCNotInRange)240 TEST_F(EpidVerifierTest, VerifyRejectsSigWithCNotInRange) {
241   // * 4.1.2 step 2.f - The verifier verifies c, sx, sf, sa, sb in [0, p-1].
242   // result must be kEpidSigInvalid
243   VerifierCtxObj verifier(this->kGrp01Key);
244   auto& msg = this->kTest0;
245 
246   EpidSignature sig = *(
247       const EpidSignature*)(this->kSigGrp01Member0Sha512RandombaseTest0.data());
248   sig.sigma0.c.data = this->kParamsStr.p.data;
249   size_t size = this->kSigGrp01Member0Sha512RandombaseTest0.size();
250   EXPECT_EQ(kEpidSigInvalid,
251             EpidVerify(verifier, &sig, size, msg.data(), msg.size()));
252 }
253 
TEST_F(EpidVerifierTest,VerifyRejectsSigWithSxNotInRange)254 TEST_F(EpidVerifierTest, VerifyRejectsSigWithSxNotInRange) {
255   // * 4.1.2 step 2.f - The verifier verifies c, sx, sf, sa, sb in [0, p-1].
256   // result must be kEpidSigInvalid
257   VerifierCtxObj verifier(this->kGrp01Key);
258   auto& msg = this->kTest0;
259 
260   EpidSignature sig = *(
261       const EpidSignature*)(this->kSigGrp01Member0Sha512RandombaseTest0.data());
262   sig.sigma0.sx.data = this->kParamsStr.p.data;
263   size_t size = this->kSigGrp01Member0Sha512RandombaseTest0.size();
264   EXPECT_EQ(kEpidSigInvalid,
265             EpidVerify(verifier, &sig, size, msg.data(), msg.size()));
266 }
267 
TEST_F(EpidVerifierTest,VerifyRejectsSigWithSfNotInRange)268 TEST_F(EpidVerifierTest, VerifyRejectsSigWithSfNotInRange) {
269   // * 4.1.2 step 2.f - The verifier verifies c, sx, sf, sa, sb in [0, p-1].
270   // result must be kEpidSigInvalid
271   VerifierCtxObj verifier(this->kGrp01Key);
272   auto& msg = this->kTest0;
273 
274   EpidSignature sig = *(
275       const EpidSignature*)(this->kSigGrp01Member0Sha512RandombaseTest0.data());
276   sig.sigma0.sf.data = this->kParamsStr.p.data;
277   size_t size = this->kSigGrp01Member0Sha512RandombaseTest0.size();
278   EXPECT_EQ(kEpidSigInvalid,
279             EpidVerify(verifier, &sig, size, msg.data(), msg.size()));
280 }
281 
TEST_F(EpidVerifierTest,VerifyRejectsSigWithSaNotInRange)282 TEST_F(EpidVerifierTest, VerifyRejectsSigWithSaNotInRange) {
283   // * 4.1.2 step 2.f - The verifier verifies c, sx, sf, sa, sb in [0, p-1].
284   // result must be kEpidSigInvalid
285   VerifierCtxObj verifier(this->kGrp01Key);
286   auto& msg = this->kTest0;
287 
288   EpidSignature sig = *(
289       const EpidSignature*)(this->kSigGrp01Member0Sha512RandombaseTest0.data());
290   sig.sigma0.sa.data = this->kParamsStr.p.data;
291   size_t size = this->kSigGrp01Member0Sha512RandombaseTest0.size();
292   EXPECT_EQ(kEpidSigInvalid,
293             EpidVerify(verifier, &sig, size, msg.data(), msg.size()));
294 }
295 
TEST_F(EpidVerifierTest,VerifyRejectsSigWithSbNotInRange)296 TEST_F(EpidVerifierTest, VerifyRejectsSigWithSbNotInRange) {
297   // * 4.1.2 step 2.f - The verifier verifies c, sx, sf, sa, sb in [0, p-1].
298   // result must be kEpidSigInvalid
299   VerifierCtxObj verifier(this->kGrp01Key);
300   auto& msg = this->kTest0;
301 
302   EpidSignature sig = *(
303       const EpidSignature*)(this->kSigGrp01Member0Sha512RandombaseTest0.data());
304   sig.sigma0.sb.data = this->kParamsStr.p.data;
305   size_t size = this->kSigGrp01Member0Sha512RandombaseTest0.size();
306   EXPECT_EQ(kEpidSigInvalid,
307             EpidVerify(verifier, &sig, size, msg.data(), msg.size()));
308 }
309 
310 //   4.1.2 step 2.g - The verifier computes nc = (-c) mod p.
311 // This Step is not testable
312 
313 //   4.1.2 step 2.h - The verifier computes nsx = (-sx) mod p.
314 // This Step is not testable
315 
316 //   4.1.2 step 2.i - The verifier computes R1 = G1.multiExp(B, sf, K, nc).
317 // This Step is not testable
318 
319 //   4.1.2 step 2.j - The verifier computes t1 = G2.multiExp(g2, nsx, w, nc).
320 // This Step is not testable
321 
322 //   4.1.2 step 2.k - The verifier computes R2 = pairing(T, t1).
323 // This Step is not testable
324 
325 //   4.1.2 step 2.l - The verifier compute t2 = GT.multiExp(e12, sf, e22, sb,
326 //                    e2w, sa, eg12, c).
327 // This Step is not testable
328 
329 //   4.1.2 step 2.m - The verifier compute R2 = GT.mul(R2, t2).
330 // This Step is not testable
331 
332 //   4.1.2 step 2.n - The verifier compute t3 = Fp.hash(p || g1 || g2 || h1
333 //                    || h2 || w || B || K || T || R1 || R2).
334 //                    Refer to Section 7.1 for hash operation over a prime
335 //                    field.
336 // This Step is not testable
337 
TEST_F(EpidVerifierTest,VerifyRejectsSigDifferingOnlyInMsg)338 TEST_F(EpidVerifierTest, VerifyRejectsSigDifferingOnlyInMsg) {
339   // * 4.1.2 step 2.o - The verifier verifies c = Fp.hash(t3 || m).
340   // result must be kEpidSigInvalid
341   VerifierCtxObj verifier(this->kGrp01Key);
342   auto& sig = this->kSigGrp01Member0Sha512RandombaseTest0;
343 
344   auto msg = this->kTest0;
345   msg[0]++;
346   EXPECT_EQ(kEpidSigInvalid,
347             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
348                        msg.data(), msg.size()));
349 }
350 
TEST_F(EpidVerifierTest,VerifyRejectsSigDifferingOnlyInBaseName)351 TEST_F(EpidVerifierTest, VerifyRejectsSigDifferingOnlyInBaseName) {
352   // * 4.1.2 step 2.o - The verifier verifies c = Fp.hash(t3 || m).
353   // result must be kEpidSigInvalid
354   VerifierCtxObj verifier(this->kGrpXKey);
355 
356   // copy sig data to a local buffer
357   auto sig_data = this->kSigGrpXMember0Sha512Bsn0Msg0;
358   EpidSignature* sig = (EpidSignature*)sig_data.data();
359   // simulate change to basename
360   sig->sigma0.B.x.data.data[0] += 1;
361   auto msg = this->kMsg0;
362   auto bsn = this->kBsn0;
363   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
364   EXPECT_EQ(kEpidSigInvalid,
365             EpidVerify(verifier, sig, sig_data.size(), msg.data(), msg.size()));
366 }
367 
TEST_F(EpidVerifierTest,VerifyRejectsSigDifferingOnlyInGroup)368 TEST_F(EpidVerifierTest, VerifyRejectsSigDifferingOnlyInGroup) {
369   // * 4.1.2 step 2.o - The verifier verifies c = Fp.hash(t3 || m).
370   // result must be kEpidSigInvalid
371   VerifierCtxObj verifier(this->kGrpXKey);
372 
373   // copy sig data to a local buffer
374   auto sig_data = this->kSigGrpXMember0Sha512RandbaseMsg0;
375   EpidSignature* sig = (EpidSignature*)sig_data.data();
376   // simulate change to h1
377   sig->sigma0.T.x.data.data[0] += 1;
378   auto msg = this->kMsg0;
379   EXPECT_EQ(kEpidSigInvalid,
380             EpidVerify(verifier, sig, sig_data.size(), msg.data(), msg.size()));
381 }
382 
TEST_F(EpidVerifierTest,VerifyRejectsSigDifferingOnlyInHashAlg)383 TEST_F(EpidVerifierTest, VerifyRejectsSigDifferingOnlyInHashAlg) {
384   // * 4.1.2 step 2.o - The verifier verifies c = Fp.hash(t3 || m).
385   // result must be kEpidSigInvalid
386   VerifierCtxObj verifier(this->kGrp01Key);
387   auto& msg = this->kTest0;
388   auto& sig = this->kSigGrp01Member0Sha256RandombaseTest0;
389 
390   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha512));
391   EXPECT_EQ(kEpidSigInvalid,
392             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
393                        msg.data(), msg.size()));
394 }
395 
396 //   4.1.2 step 2.p - If any of the above verifications fails, the verifier
397 //                    aborts and outputs 1.
398 // This Step is an aggregate of the above steps
399 
400 /////////////////////////////////////////////////////////////////////
401 // Group Based Revocation List Reject
402 //   4.1.2 step 3 - If GroupRL is provided
403 
TEST_F(EpidVerifierTest,VerifyRejectsFromGroupRlSingleEntry)404 TEST_F(EpidVerifierTest, VerifyRejectsFromGroupRlSingleEntry) {
405   // * 4.1.2 step 3.a - The verifier verifies that gid does not match any entry
406   //                    in GroupRL.
407   // result must be kEpidSigRevokedInGroupRl
408   auto& pub_key = this->kGrpXKey;
409   auto& msg = this->kMsg0;
410   auto& bsn = this->kBsn0;
411   auto& grp_rl = this->kGrpRlRevokedGrpXOnlyEntry;
412   auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
413 
414   VerifierCtxObj verifier(pub_key);
415   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
416   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
417   THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
418       verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
419 
420   EXPECT_EQ(kEpidSigRevokedInGroupRl,
421             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
422                        msg.data(), msg.size()));
423 }
424 
TEST_F(EpidVerifierTest,VerifyRejectsFromGroupRlFirstEntry)425 TEST_F(EpidVerifierTest, VerifyRejectsFromGroupRlFirstEntry) {
426   // * 4.1.2 step 3.a - The verifier verifies that gid does not match any entry
427   //                    in GroupRL.
428   // result must be kEpidSigRevokedInGroupRl
429   auto& pub_key = this->kGrpXKey;
430   auto& msg = this->kMsg0;
431   auto& bsn = this->kBsn0;
432   auto& grp_rl = this->kGrpRlRevokedGrpXFirstEntry;
433   auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
434 
435   VerifierCtxObj verifier(pub_key);
436   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
437   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
438   THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
439       verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
440 
441   EXPECT_EQ(kEpidSigRevokedInGroupRl,
442             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
443                        msg.data(), msg.size()));
444 }
445 
TEST_F(EpidVerifierTest,VerifyRejectsFromGroupRlFirstEntryUsingIkgfData)446 TEST_F(EpidVerifierTest, VerifyRejectsFromGroupRlFirstEntryUsingIkgfData) {
447   // result must be kEpidSigRevokedInGroupRl
448   auto& pub_key = this->kPubKeyRevGroupIkgfStr;
449   auto& msg = this->kMsg0;
450   auto& bsn = this->kBsn0;
451   auto& grp_rl = this->kGrpRlIkgf;
452   auto& sig = this->kRevGroupSigMember0Sha256Bsn0Msg0Ikgf;
453 
454   VerifierCtxObj verifier(pub_key);
455   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
456   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
457   THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
458       verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
459 
460   EXPECT_EQ(kEpidSigRevokedInGroupRl,
461             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
462                        msg.data(), msg.size()));
463 }
464 
TEST_F(EpidVerifierTest,VerifyRejectsFromGroupRlMiddleEntry)465 TEST_F(EpidVerifierTest, VerifyRejectsFromGroupRlMiddleEntry) {
466   // * 4.1.2 step 3.a - The verifier verifies that gid does not match any entry
467   //                    in GroupRL.
468   // result must be kEpidSigRevokedInGroupRl
469   auto& pub_key = this->kGrpXKey;
470   auto& msg = this->kMsg0;
471   auto& bsn = this->kBsn0;
472   auto& grp_rl = this->kGrpRlRevokedGrpXMiddleEntry;
473   auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
474 
475   VerifierCtxObj verifier(pub_key);
476   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
477   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
478   THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
479       verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
480 
481   EXPECT_EQ(kEpidSigRevokedInGroupRl,
482             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
483                        msg.data(), msg.size()));
484 }
485 
TEST_F(EpidVerifierTest,VerifyRejectsFromGroupRlLastEntry)486 TEST_F(EpidVerifierTest, VerifyRejectsFromGroupRlLastEntry) {
487   // * 4.1.2 step 3.a - The verifier verifies that gid does not match any entry
488   //                    in GroupRL.
489   // result must be kEpidSigRevokedInGroupRl
490   auto& pub_key = this->kGrpXKey;
491   auto& msg = this->kMsg0;
492   auto& bsn = this->kBsn0;
493   auto& grp_rl = this->kGrpRlRevokedGrpXLastEntry;
494   auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
495 
496   VerifierCtxObj verifier(pub_key);
497   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
498   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
499   THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
500       verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
501 
502   EXPECT_EQ(kEpidSigRevokedInGroupRl,
503             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
504                        msg.data(), msg.size()));
505 }
506 
507 //   4.1.2 step 3.b - If gid matches an entry in GroupRL, aborts and returns 2.
508 // This Step is an aggregate of the above steps
509 
510 /////////////////////////////////////////////////////////////////////
511 // Private Based Revocation List Reject
512 //   4.1.2 step 4 - If PrivRL is provided
513 
514 // * 4.1.2 step 4.a - The verifier verifies that gid in the public key and in
515 //                    PrivRL match. If mismatch, abort and return
516 //                    "operation failed".
517 // Not possible, checked in EpidVerifierSetPrivRl
518 
TEST_F(EpidVerifierTest,VerifyRejectsSigFromPrivRlSingleEntry)519 TEST_F(EpidVerifierTest, VerifyRejectsSigFromPrivRlSingleEntry) {
520   // * 4.1.2 step 4.b - For i = 0, ?, n1-1,
521   //                    the verifier computes t4 =G1.exp(B, f[i])
522   //                    and verifies that G1.isEqual(t4, K) = false.
523   //                    A faster private-key revocation check algorithm is
524   //                    provided in Section 4.5.
525   // result must be kEpidSigRevokedInPrivRl
526   auto& pub_key = this->kGrpXKey;
527   auto& msg = this->kMsg0;
528   auto& bsn = this->kBsn0;
529   auto& priv_rl = this->kGrpXPrivRlRevokedPrivKey000OnlyEntry;
530   auto& sig = this->kSigGrpXRevokedPrivKey000Sha256Bsn0Msg0;
531 
532   VerifierCtxObj verifier(pub_key);
533   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
534   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
535   THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
536       verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
537 
538   EXPECT_EQ(kEpidSigRevokedInPrivRl,
539             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
540                        msg.data(), msg.size()));
541 }
542 
TEST_F(EpidVerifierTest,VerifyRejectsSigFromPrivRlFirstEntry)543 TEST_F(EpidVerifierTest, VerifyRejectsSigFromPrivRlFirstEntry) {
544   // * 4.1.2 step 4.b - For i = 0, ?, n1-1,
545   //                    the verifier computes t4 =G1.exp(B, f[i])
546   //                    and verifies that G1.isEqual(t4, K) = false.
547   //                    A faster private-key revocation check algorithm is
548   //                    provided in Section 4.5.
549   // result must be kEpidSigRevokedInPrivRl
550   auto& pub_key = this->kGrpXKey;
551   auto& msg = this->kMsg0;
552   auto& bsn = this->kBsn0;
553   auto& priv_rl = this->kGrpXPrivRl;
554   auto& sig = this->kSigGrpXRevokedPrivKey000Sha256Bsn0Msg0;
555 
556   VerifierCtxObj verifier(pub_key);
557   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
558   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
559   THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
560       verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
561 
562   EXPECT_EQ(kEpidSigRevokedInPrivRl,
563             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
564                        msg.data(), msg.size()));
565 }
566 
TEST_F(EpidVerifierTest,VerifyRejectsSigFromPrivRlFirstEntryUsingIkgfData)567 TEST_F(EpidVerifierTest, VerifyRejectsSigFromPrivRlFirstEntryUsingIkgfData) {
568   // * 4.1.2 step 4.b - For i = 0, ?, n1-1,
569   //                    the verifier computes t4 =G1.exp(B, f[i])
570   //                    and verifies that G1.isEqual(t4, K) = false.
571   //                    A faster private-key revocation check algorithm is
572   //                    provided in Section 4.5.
573   // result must be kEpidSigRevokedInPrivRl
574   auto& pub_key = this->kPubKeyIkgfStr;
575   auto& msg = this->kMsg0;
576   auto& bsn = this->kBsn0;
577   auto& priv_rl = this->kPrivRlIkgf;
578   auto& sig = this->kSigRevokedPrivKeySha256Bsn0Msg0Ikgf;
579 
580   VerifierCtxObj verifier(pub_key);
581   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
582   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
583   THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
584       verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
585 
586   EXPECT_EQ(kEpidSigRevokedInPrivRl,
587             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
588                        msg.data(), msg.size()));
589 }
590 
TEST_F(EpidVerifierTest,VerifyRejectsSigFromPrivRlMiddleEntry)591 TEST_F(EpidVerifierTest, VerifyRejectsSigFromPrivRlMiddleEntry) {
592   // * 4.1.2 step 4.b - For i = 0, ?, n1-1,
593   //                    the verifier computes t4 =G1.exp(B, f[i])
594   //                    and verifies that G1.isEqual(t4, K) = false.
595   //                    A faster private-key revocation check algorithm is
596   //                    provided in Section 4.5.
597   // result must be kEpidSigRevokedInPrivRl
598   auto& pub_key = this->kGrpXKey;
599   auto& msg = this->kMsg0;
600   auto& bsn = this->kBsn0;
601   auto& priv_rl = this->kGrpXPrivRl;
602   auto& sig = this->kSigGrpXRevokedPrivKey001Sha256Bsn0Msg0;
603 
604   VerifierCtxObj verifier(pub_key);
605   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
606   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
607   THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
608       verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
609 
610   EXPECT_EQ(kEpidSigRevokedInPrivRl,
611             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
612                        msg.data(), msg.size()));
613 }
614 
TEST_F(EpidVerifierTest,VerifyRejectsSigFromPrivRlLastEntry)615 TEST_F(EpidVerifierTest, VerifyRejectsSigFromPrivRlLastEntry) {
616   // * 4.1.2 step 4.b - For i = 0, ?, n1-1,
617   //                    the verifier computes t4 =G1.exp(B, f[i])
618   //                    and verifies that G1.isEqual(t4, K) = false.
619   //                    A faster private-key revocation check algorithm is
620   //                    provided in Section 4.5.
621   // result must be kEpidSigRevokedInPrivRl
622   auto& pub_key = this->kGrpXKey;
623   auto& msg = this->kMsg0;
624   auto& bsn = this->kBsn0;
625   auto& priv_rl = this->kGrpXPrivRl;
626   auto& sig = this->kSigGrpXRevokedPrivKey002Sha256Bsn0Msg0;
627 
628   VerifierCtxObj verifier(pub_key);
629   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
630   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
631   THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
632       verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
633 
634   EXPECT_EQ(kEpidSigRevokedInPrivRl,
635             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
636                        msg.data(), msg.size()));
637 }
638 
TEST_F(EpidVerifierTest,VerifyRejectsSigUsingCorruptedPrivRlEntry)639 TEST_F(EpidVerifierTest, VerifyRejectsSigUsingCorruptedPrivRlEntry) {
640   auto& pub_key = this->kGrpXKey;
641   auto& msg = this->kMsg0;
642   auto& bsn = this->kBsn0;
643   auto& priv_rl = this->kGrpXCorruptedPrivRl;
644   auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
645 
646   VerifierCtxObj verifier(pub_key);
647   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
648   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
649   THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
650       verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
651 
652   EXPECT_EQ(kEpidSigRevokedInPrivRl,
653             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
654                        msg.data(), msg.size()));
655 }
656 
TEST_F(EpidVerifierTest,VerifyAcceptsSigFromEmptyPrivRlUsingIkgfData)657 TEST_F(EpidVerifierTest, VerifyAcceptsSigFromEmptyPrivRlUsingIkgfData) {
658   auto& pub_key = this->kPubKeyIkgfStr;
659   auto& msg = this->kMsg0;
660   auto& bsn = this->kBsn0;
661   auto& priv_rl = this->kEmptyPrivRlIkgf;
662   auto& sig = this->kSigMember0Sha256Bsn0Msg0NoSigRlIkgf;
663 
664   VerifierCtxObj verifier(pub_key);
665   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
666   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
667   THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
668       verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
669 
670   EXPECT_EQ(kEpidNoErr, EpidVerify(verifier, (EpidSignature const*)sig.data(),
671                                    sig.size(), msg.data(), msg.size()));
672 }
673 
674 //   4.1.2 step 4.c - If the above step fails, the verifier aborts and
675 //                    output 3.
676 // This Step is an aggregate of the above steps
677 
678 /////////////////////////////////////////////////////////////////////
679 // Signature Based Revocation List Reject
680 //   4.1.2 step 5 - If SigRL is provided
681 
682 // * 4.1.2 step 5.a - The verifier verifies that gid in the public key and in
683 //                    SigRL match. If mismatch, abort and return
684 //                    "operation failed".
685 // Not possible, checked in EpidVerifierSetSigRl
686 
TEST_F(EpidVerifierTest,VerifyFailsOnSigRlverNotMatchSigRlRlver)687 TEST_F(EpidVerifierTest, VerifyFailsOnSigRlverNotMatchSigRlRlver) {
688   // * 4.1.2 step 5.b - The verifier verifies that RLver in Sigma and in SigRL
689   //                    match. If mismatch, abort and output "operation failed".
690   // result must be "operation failed" (not kEpidSig*)
691   auto& pub_key = this->kGrpXKey;
692   auto& msg = this->kMsg0;
693   auto& bsn = this->kBsn0;
694   auto& sig_rl = this->kGrpXSigRlVersion2;
695   auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
696   VerifierCtxObj verifier(pub_key);
697   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
698   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
699   THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
700                                         sig_rl.size()));
701 
702   EXPECT_EQ(kEpidErr, EpidVerify(verifier, (EpidSignature const*)sig.data(),
703                                  sig.size(), msg.data(), msg.size()));
704 }
705 
TEST_F(EpidVerifierTest,VerifyFailsOnSigN2NotMatchSigRlN2)706 TEST_F(EpidVerifierTest, VerifyFailsOnSigN2NotMatchSigRlN2) {
707   // * 4.1.2 step 5.c - The verifier verifies that n2 in Sigma and in SigRL
708   //                    match. If mismatch, abort and output "operation failed".
709   // result must be "operation failed" (not kEpidSig*)
710   auto& pub_key = this->kGrpXKey;
711   auto& msg = this->kMsg0;
712   auto& bsn = this->kBsn0;
713   auto* sig_rl =
714       (SigRl const*)this->kGrpXSigRlMember0Sha256Bsn0Msg0OnlyEntry.data();
715   size_t sig_rl_size = this->kGrpXSigRlMember0Sha256Bsn0Msg0OnlyEntry.size();
716   auto sig_raw = this->kSigGrpXMember0Sha256Bsn0Msg0;
717   EpidSignature* sig = (EpidSignature*)sig_raw.data();
718   sig->rl_ver = sig_rl->version;
719   VerifierCtxObj verifier(pub_key);
720   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
721   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
722   THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, sig_rl, sig_rl_size));
723 
724   EXPECT_EQ(kEpidBadArgErr,
725             EpidVerify(verifier, sig, sig_raw.size(), msg.data(), msg.size()));
726 }
727 
TEST_F(EpidVerifierTest,VerifyRejectsSigFromSigRlSingleEntry)728 TEST_F(EpidVerifierTest, VerifyRejectsSigFromSigRlSingleEntry) {
729   // * 4.1.2 step 5.d - For i = 0, ..., n2-1, the verifier verifies
730   //                    nrVerify(B, K, B[i], K[i], Sigma[i]) = true. The details
731   //                    of nrVerify() will be given in the next subsection.
732   // result must be kEpidSigRevokedInSigRl
733   auto& pub_key = this->kGrpXKey;
734   auto& msg = this->kMsg0;
735   auto& bsn = this->kBsn0;
736   auto& sig_rl = this->kGrpXSigRlMember0Sha256Bsn0Msg0OnlyEntry;
737   auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0SingleEntrySigRl;
738   VerifierCtxObj verifier(pub_key);
739   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
740   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
741   THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
742                                         sig_rl.size()));
743 
744   EXPECT_EQ(kEpidSigRevokedInSigRl,
745             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
746                        msg.data(), msg.size()));
747 }
748 
TEST_F(EpidVerifierTest,VerifyRejectsSigFromSigRlFirstEntry)749 TEST_F(EpidVerifierTest, VerifyRejectsSigFromSigRlFirstEntry) {
750   // * 4.1.2 step 5.d - For i = 0, ..., n2-1, the verifier verifies
751   //                    nrVerify(B, K, B[i], K[i], Sigma[i]) = true. The details
752   //                    of nrVerify() will be given in the next subsection.
753   // result must be kEpidSigRevokedInSigRl
754   auto& pub_key = this->kGrpXKey;
755   auto& msg = this->kMsg0;
756   auto& bsn = this->kBsn0;
757   auto& sig_rl = this->kGrpXSigRlMember0Sha256Bsn0Msg0FirstEntry;
758   auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
759   VerifierCtxObj verifier(pub_key);
760   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
761   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
762   THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
763                                         sig_rl.size()));
764 
765   EXPECT_EQ(kEpidSigRevokedInSigRl,
766             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
767                        msg.data(), msg.size()));
768 }
769 
TEST_F(EpidVerifierTest,VerifyRejectsSigFromSigRlFirstEntryUsingIkgfData)770 TEST_F(EpidVerifierTest, VerifyRejectsSigFromSigRlFirstEntryUsingIkgfData) {
771   auto& pub_key = this->kPubKeyIkgfStr;
772   auto& msg = this->kMsg0;
773   auto& bsn = this->kBsn0;
774   auto& sig_rl = this->kSigRlIkgf;
775   auto& sig = this->kSigRevSigMember0Sha256Bsn0Msg0Ikgf;
776   VerifierCtxObj verifier(pub_key);
777   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
778   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
779   THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
780                                         sig_rl.size()));
781 
782   EXPECT_EQ(kEpidSigRevokedInSigRl,
783             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
784                        msg.data(), msg.size()));
785 }
786 
TEST_F(EpidVerifierTest,VerifyRejectsSigFromSigRlMiddleEntry)787 TEST_F(EpidVerifierTest, VerifyRejectsSigFromSigRlMiddleEntry) {
788   // * 4.1.2 step 5.d - For i = 0, ..., n2-1, the verifier verifies
789   //                    nrVerify(B, K, B[i], K[i], Sigma[i]) = true. The details
790   //                    of nrVerify() will be given in the next subsection.
791   // result must be kEpidSigRevokedInSigRl
792   auto& pub_key = this->kGrpXKey;
793   auto& msg = this->kMsg0;
794   auto& bsn = this->kBsn0;
795   auto& sig_rl = this->kGrpXSigRlMember0Sha256Bsn0Msg0MiddleEntry;
796   auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
797   VerifierCtxObj verifier(pub_key);
798   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
799   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
800   THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
801                                         sig_rl.size()));
802 
803   EXPECT_EQ(kEpidSigRevokedInSigRl,
804             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
805                        msg.data(), msg.size()));
806 }
807 
TEST_F(EpidVerifierTest,VerifyRejectsSigFromSigRlLastEntry)808 TEST_F(EpidVerifierTest, VerifyRejectsSigFromSigRlLastEntry) {
809   // * 4.1.2 step 5.d - For i = 0, ..., n2-1, the verifier verifies
810   //                    nrVerify(B, K, B[i], K[i], Sigma[i]) = true. The details
811   //                    of nrVerify() will be given in the next subsection.
812   // result must be kEpidSigRevokedInSigRl
813   auto& pub_key = this->kGrpXKey;
814   auto& msg = this->kMsg0;
815   auto& bsn = this->kBsn0;
816   auto& sig_rl = this->kGrpXSigRlMember0Sha256Bsn0Msg0LastEntry;
817   auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
818   VerifierCtxObj verifier(pub_key);
819   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
820   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
821   THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
822                                         sig_rl.size()));
823 
824   EXPECT_EQ(kEpidSigRevokedInSigRl,
825             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
826                        msg.data(), msg.size()));
827 }
828 
TEST_F(EpidVerifierTest,RejectsSigFromNonemptySigRlGivenEmptySigRlUsingIkgfData)829 TEST_F(EpidVerifierTest,
830        RejectsSigFromNonemptySigRlGivenEmptySigRlUsingIkgfData) {
831   auto& pub_key = this->kPubKeyIkgfStr;
832   auto& msg = this->kMsg0;
833   auto& bsn = this->kBsn0;
834   auto& sig_rl = this->kEmptySigRlIkgf;
835   auto& sig = this->kSigMember0Sha256Bsn0Msg0Ikgf;
836   VerifierCtxObj verifier(pub_key);
837   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
838   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
839   THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
840                                         sig_rl.size()));
841 
842   EXPECT_EQ(kEpidErr, EpidVerify(verifier, (EpidSignature const*)sig.data(),
843                                  sig.size(), msg.data(), msg.size()));
844 }
845 
TEST_F(EpidVerifierTest,VerifyAcceptsSigFromEmptySigRlUsingIkgfData)846 TEST_F(EpidVerifierTest, VerifyAcceptsSigFromEmptySigRlUsingIkgfData) {
847   auto& pub_key = this->kPubKeyIkgfStr;
848   auto& msg = this->kMsg0;
849   auto& bsn = this->kBsn0;
850   auto& sig_rl = this->kEmptySigRlIkgf;
851   auto& sig = this->kSigMember0Sha256Bsn0Msg0EmptySigRlIkgf;
852   VerifierCtxObj verifier(pub_key);
853   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
854   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
855   THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
856                                         sig_rl.size()));
857 
858   EXPECT_EQ(kEpidNoErr, EpidVerify(verifier, (EpidSignature const*)sig.data(),
859                                    sig.size(), msg.data(), msg.size()));
860 }
861 
862 //   4.1.2 step 5.e - If the above step fails, the verifier aborts and
863 //                    output 4.
864 // This Step is an aggregate of the above steps
865 
866 /////////////////////////////////////////////////////////////////////
867 // Verifier Based Revocation List Reject
868 //   4.1.2 step 6 - If VerifierRL is provided
869 
870 // * 4.1.2 step 6.a - The verifier verifies that gid in the public key and in
871 //                    VerifierRL match. If mismatch, abort and return
872 //                    "operation failed".
873 // Not possible, checked in EpidVerifierSetVerifierRl
874 
875 // * 4.1.2 step 6.b - The verifier verifies that B in the signature and in
876 //                    VerifierRL match. If mismatch, go to step 7.
877 // result must be "operation failed" (not kEpidSig*)
878 // Not possible, checked in EpidVerifierSetVerifierRl
879 
TEST_F(EpidVerifierTest,VerifyRejectsSigFromVerifierRlSingleEntry)880 TEST_F(EpidVerifierTest, VerifyRejectsSigFromVerifierRlSingleEntry) {
881   // * 4.1.2 step 6.c - For i = 0, ..., n4-1, the verifier verifies that
882   //                    K != K[i].
883   // result must be kEpidSigRevokedInVerifierRl
884   auto& pub_key = this->kGrpXKey;
885   auto& msg = this->kMsg0;
886   auto& bsn = this->kBsn0;
887   auto& grp_rl = this->kGrpRl;
888   auto& priv_rl = this->kGrpXPrivRl;
889   auto& sig_rl = this->kGrpXSigRl;
890   auto& ver_rl = this->kGrpXBsn0VerRlSingleEntry;
891   auto& sig = this->kSigGrpXVerRevokedMember0Sha256Bsn0Msg0;
892 
893   VerifierCtxObj verifier(pub_key);
894   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
895   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
896   THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
897       verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
898   THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
899       verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
900   THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
901                                         sig_rl.size()));
902   THROW_ON_EPIDERR(EpidVerifierSetVerifierRl(
903       verifier, (VerifierRl const*)ver_rl.data(), ver_rl.size()));
904 
905   EXPECT_EQ(kEpidSigRevokedInVerifierRl,
906             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
907                        msg.data(), msg.size()));
908 }
909 
TEST_F(EpidVerifierTest,VerifyRejectsSigFromVerifierRlFirstEntry)910 TEST_F(EpidVerifierTest, VerifyRejectsSigFromVerifierRlFirstEntry) {
911   // * 4.1.2 step 6.c - For i = 0, ..., n4-1, the verifier verifies that
912   //                    K != K[i].
913   // result must be kEpidSigRevokedInVerifierRl
914   auto& pub_key = this->kGrpXKey;
915   auto& msg = this->kMsg0;
916   auto& bsn = this->kBsn0;
917   auto& grp_rl = this->kGrpRl;
918   auto& priv_rl = this->kGrpXPrivRl;
919   auto& sig_rl = this->kGrpXSigRl;
920   auto& ver_rl = this->kGrpXBsn0Sha256VerRl;
921   auto& sig = this->kSigGrpXVerRevokedMember0Sha256Bsn0Msg0;
922 
923   VerifierCtxObj verifier(pub_key);
924   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
925   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
926   THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
927       verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
928   THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
929       verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
930   THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
931                                         sig_rl.size()));
932   THROW_ON_EPIDERR(EpidVerifierSetVerifierRl(
933       verifier, (VerifierRl const*)ver_rl.data(), ver_rl.size()));
934 
935   EXPECT_EQ(kEpidSigRevokedInVerifierRl,
936             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
937                        msg.data(), msg.size()));
938 }
939 
TEST_F(EpidVerifierTest,VerifyRejectsSigFromVerifierRlMiddleEntry)940 TEST_F(EpidVerifierTest, VerifyRejectsSigFromVerifierRlMiddleEntry) {
941   // * 4.1.2 step 6.c - For i = 0, ..., n4-1, the verifier verifies that
942   //                    K != K[i].
943   // result must be kEpidSigRevokedInVerifierRl
944   auto& pub_key = this->kGrpXKey;
945   auto& msg = this->kMsg0;
946   auto& bsn = this->kBsn0;
947   auto& grp_rl = this->kGrpRl;
948   auto& priv_rl = this->kGrpXPrivRl;
949   auto& sig_rl = this->kGrpXSigRl;
950   auto& ver_rl = this->kGrpXBsn0Sha256VerRl;
951   auto& sig = this->kSigGrpXVerRevokedMember1Sha256Bsn0Msg0;
952 
953   VerifierCtxObj verifier(pub_key);
954   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
955   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
956   THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
957       verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
958   THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
959       verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
960   THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
961                                         sig_rl.size()));
962   THROW_ON_EPIDERR(EpidVerifierSetVerifierRl(
963       verifier, (VerifierRl const*)ver_rl.data(), ver_rl.size()));
964 
965   EXPECT_EQ(kEpidSigRevokedInVerifierRl,
966             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
967                        msg.data(), msg.size()));
968 }
969 
TEST_F(EpidVerifierTest,VerifyRejectsSigFromVerifierRlLastEntry)970 TEST_F(EpidVerifierTest, VerifyRejectsSigFromVerifierRlLastEntry) {
971   // * 4.1.2 step 6.c - For i = 0, ..., n4-1, the verifier verifies that
972   //                    K != K[i].
973   // result must be kEpidSigRevokedInVerifierRl
974   auto& pub_key = this->kGrpXKey;
975   auto& msg = this->kMsg0;
976   auto& bsn = this->kBsn0;
977   auto& grp_rl = this->kGrpRl;
978   auto& priv_rl = this->kGrpXPrivRl;
979   auto& sig_rl = this->kGrpXSigRl;
980   auto& ver_rl = this->kGrpXBsn0Sha256VerRl;
981   auto& sig = this->kSigGrpXVerRevokedMember2Sha256Bsn0Msg0;
982 
983   VerifierCtxObj verifier(pub_key);
984   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
985   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
986   THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
987       verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
988   THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
989       verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
990   THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
991                                         sig_rl.size()));
992   THROW_ON_EPIDERR(EpidVerifierSetVerifierRl(
993       verifier, (VerifierRl const*)ver_rl.data(), ver_rl.size()));
994 
995   EXPECT_EQ(kEpidSigRevokedInVerifierRl,
996             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
997                        msg.data(), msg.size()));
998 }
999 
1000 //   4.1.2 step 6.d - If the above step fails, the verifier aborts and
1001 //                    output 5
1002 // This Step is an aggregate of the above steps
1003 
1004 /////////////////////////////////////////////////////////////////////
1005 // Accept
1006 // 4.1.2 step 7 - If all the above verifications succeed, the verifier
1007 //                outputs 0
1008 
TEST_F(EpidVerifierTest,VerifyAcceptsSigWithBaseNameNoRlSha256)1009 TEST_F(EpidVerifierTest, VerifyAcceptsSigWithBaseNameNoRlSha256) {
1010   auto& pub_key = this->kGrpXKey;
1011   auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
1012   auto& msg = this->kMsg0;
1013   auto& bsn = this->kBsn0;
1014 
1015   VerifierCtxObj verifier(pub_key);
1016   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
1017   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
1018   EXPECT_EQ(kEpidSigValid,
1019             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
1020                        msg.data(), msg.size()));
1021 }
1022 
TEST_F(EpidVerifierTest,VerifyAcceptsSigWithBaseNameAllRlSha256)1023 TEST_F(EpidVerifierTest, VerifyAcceptsSigWithBaseNameAllRlSha256) {
1024   auto& pub_key = this->kGrpXKey;
1025   auto& msg = this->kMsg0;
1026   auto& bsn = this->kBsn0;
1027   auto& grp_rl = this->kGrpRl;
1028   auto& priv_rl = this->kGrpXPrivRl;
1029   auto& sig_rl = this->kGrpXSigRl;
1030   auto& ver_rl = this->kGrpXBsn0Sha256VerRl;
1031   auto& sig = this->kSigGrpXMember0Sha256Bsn0Msg0;
1032 
1033   VerifierCtxObj verifier(pub_key);
1034   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
1035   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
1036   THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
1037       verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
1038   THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
1039       verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
1040   THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
1041                                         sig_rl.size()));
1042   THROW_ON_EPIDERR(EpidVerifierSetVerifierRl(
1043       verifier, (VerifierRl const*)ver_rl.data(), ver_rl.size()));
1044 
1045   EXPECT_EQ(kEpidSigValid,
1046             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
1047                        msg.data(), msg.size()));
1048 }
1049 
TEST_F(EpidVerifierTest,VerifyAcceptsSigWithRandomBaseNameNoRlSha256)1050 TEST_F(EpidVerifierTest, VerifyAcceptsSigWithRandomBaseNameNoRlSha256) {
1051   auto& pub_key = this->kGrpXKey;
1052   auto& sig = this->kSigGrpXMember0Sha256RandbaseMsg0;
1053   auto& msg = this->kMsg0;
1054 
1055   VerifierCtxObj verifier(pub_key);
1056   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
1057   EXPECT_EQ(kEpidSigValid,
1058             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
1059                        msg.data(), msg.size()));
1060 }
1061 
TEST_F(EpidVerifierTest,VerifyAcceptsSigWithRandomBaseNameAllRlSha256)1062 TEST_F(EpidVerifierTest, VerifyAcceptsSigWithRandomBaseNameAllRlSha256) {
1063   auto& pub_key = this->kGrpXKey;
1064   auto& msg = this->kMsg0;
1065   auto& grp_rl = this->kGrpRl;
1066   auto& priv_rl = this->kGrpXPrivRl;
1067   auto& sig_rl = this->kGrpXSigRl;
1068   auto& sig = this->kSigGrpXMember0Sha256RandbaseMsg0;
1069 
1070   VerifierCtxObj verifier(pub_key);
1071   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
1072   THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
1073       verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
1074   THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
1075       verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
1076   THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
1077                                         sig_rl.size()));
1078 
1079   EXPECT_EQ(kEpidSigValid,
1080             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
1081                        msg.data(), msg.size()));
1082 }
1083 
TEST_F(EpidVerifierTest,VerifyAcceptsSigWithRandomBaseNameAllRlSha256UsingIkgfData)1084 TEST_F(EpidVerifierTest,
1085        VerifyAcceptsSigWithRandomBaseNameAllRlSha256UsingIkgfData) {
1086   auto& pub_key = this->kPubKeyIkgfStr;
1087   auto& msg = this->kMsg0;
1088   auto& grp_rl = this->kGrpRlIkgf;
1089   auto& priv_rl = this->kPrivRlIkgf;
1090   auto& sig_rl = this->kSigRlIkgf;
1091   auto& sig = this->kSigMember0Sha256RandbaseMsg0Ikgf;
1092 
1093   VerifierCtxObj verifier(pub_key);
1094   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha256));
1095   THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
1096       verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
1097   THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
1098       verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
1099   THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
1100                                         sig_rl.size()));
1101 
1102   EXPECT_EQ(kEpidSigValid,
1103             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
1104                        msg.data(), msg.size()));
1105 }
1106 
TEST_F(EpidVerifierTest,VerifyAcceptsSigWithBaseNameAllRlSha384)1107 TEST_F(EpidVerifierTest, VerifyAcceptsSigWithBaseNameAllRlSha384) {
1108   auto& pub_key = this->kGrpXKey;
1109   auto& msg = this->kMsg0;
1110   auto& bsn = this->kBsn0;
1111   auto& grp_rl = this->kGrpRl;
1112   auto& priv_rl = this->kGrpXPrivRl;
1113   auto& sig_rl = this->kGrpXSigRl;
1114   auto& ver_rl = this->kGrpXBsn0Sha384VerRl;
1115   auto& sig = this->kSigGrpXMember0Sha384Bsn0Msg0;
1116 
1117   VerifierCtxObj verifier(pub_key);
1118   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha384));
1119   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
1120   THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
1121       verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
1122   THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
1123       verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
1124   THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
1125                                         sig_rl.size()));
1126   THROW_ON_EPIDERR(EpidVerifierSetVerifierRl(
1127       verifier, (VerifierRl const*)ver_rl.data(), ver_rl.size()));
1128 
1129   EXPECT_EQ(kEpidSigValid,
1130             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
1131                        msg.data(), msg.size()));
1132 }
1133 
TEST_F(EpidVerifierTest,VerifyAcceptsSigWithRandomBaseNameAllRlSha384)1134 TEST_F(EpidVerifierTest, VerifyAcceptsSigWithRandomBaseNameAllRlSha384) {
1135   auto& pub_key = this->kGrpXKey;
1136   auto& msg = this->kMsg0;
1137   auto& grp_rl = this->kGrpRl;
1138   auto& priv_rl = this->kGrpXPrivRl;
1139   auto& sig_rl = this->kGrpXSigRl;
1140   auto& sig = this->kSigGrpXMember0Sha384RandbaseMsg0;
1141 
1142   VerifierCtxObj verifier(pub_key);
1143   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha384));
1144   THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
1145       verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
1146   THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
1147       verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
1148   THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
1149                                         sig_rl.size()));
1150 
1151   EXPECT_EQ(kEpidSigValid,
1152             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
1153                        msg.data(), msg.size()));
1154 }
1155 
TEST_F(EpidVerifierTest,VerifyAcceptsSigWithBaseNameAllRlSha512)1156 TEST_F(EpidVerifierTest, VerifyAcceptsSigWithBaseNameAllRlSha512) {
1157   auto& pub_key = this->kGrpXKey;
1158   auto& msg = this->kMsg0;
1159   auto& bsn = this->kBsn0;
1160   auto& grp_rl = this->kGrpRl;
1161   auto& priv_rl = this->kGrpXPrivRl;
1162   auto& sig_rl = this->kGrpXSigRl;
1163   auto& ver_rl = this->kGrpXBsn0Sha512VerRl;
1164   auto& sig = this->kSigGrpXMember0Sha512Bsn0Msg0;
1165 
1166   VerifierCtxObj verifier(pub_key);
1167   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha512));
1168   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
1169   THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
1170       verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
1171   THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
1172       verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
1173   THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
1174                                         sig_rl.size()));
1175   THROW_ON_EPIDERR(EpidVerifierSetVerifierRl(
1176       verifier, (VerifierRl const*)ver_rl.data(), ver_rl.size()));
1177 
1178   EXPECT_EQ(kEpidSigValid,
1179             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
1180                        msg.data(), msg.size()));
1181 }
1182 
TEST_F(EpidVerifierTest,VerifyAcceptsSigWithHugeBaseNameNoRlSha512)1183 TEST_F(EpidVerifierTest, VerifyAcceptsSigWithHugeBaseNameNoRlSha512) {
1184   auto& pub_key = this->kGrpXKey;
1185   auto& msg = this->kMsg0;
1186   auto& sig = this->kSigGrpXMember0Sha512HugeBsnMsg0;
1187   std::vector<uint8_t> bsn(1024 * 1024);
1188   uint8_t c = 0;
1189   for (int i = 0; i < 1024 * 1024; ++i) {
1190     bsn[i] = c++;
1191   }
1192 
1193   VerifierCtxObj verifier(pub_key);
1194   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha512));
1195   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
1196 
1197   EXPECT_EQ(kEpidSigValid,
1198             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
1199                        msg.data(), msg.size()));
1200 }
1201 
TEST_F(EpidVerifierTest,VerifyAcceptsSigWithRandomBaseNameAllRlSha512)1202 TEST_F(EpidVerifierTest, VerifyAcceptsSigWithRandomBaseNameAllRlSha512) {
1203   auto& pub_key = this->kGrpXKey;
1204   auto& msg = this->kMsg0;
1205   auto& grp_rl = this->kGrpRl;
1206   auto& priv_rl = this->kGrpXPrivRl;
1207   auto& sig_rl = this->kGrpXSigRl;
1208   auto& sig = this->kSigGrpXMember0Sha512RandbaseMsg0;
1209 
1210   VerifierCtxObj verifier(pub_key);
1211   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha512));
1212   THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
1213       verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
1214   THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
1215       verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
1216   THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
1217                                         sig_rl.size()));
1218 
1219   EXPECT_EQ(kEpidSigValid,
1220             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
1221                        msg.data(), msg.size()));
1222 }
1223 
TEST_F(EpidVerifierTest,VerifyAcceptsSigWithBaseNameAllRlSha512256)1224 TEST_F(EpidVerifierTest, VerifyAcceptsSigWithBaseNameAllRlSha512256) {
1225   auto& pub_key = this->kGrpXKey;
1226   auto& msg = this->kMsg0;
1227   auto& bsn = this->kBsn0;
1228   auto& grp_rl = this->kGrpRl;
1229   auto& priv_rl = this->kGrpXPrivRl;
1230   auto& sig_rl = this->kGrpXSigRl;
1231   auto& ver_rl = this->kGrpXBsn0Sha512256VerRl;
1232   auto& sig = this->kSigGrpXMember0Sha512256Bsn0Msg0;
1233 
1234   VerifierCtxObj verifier(pub_key);
1235   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha512_256));
1236   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
1237   THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
1238       verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
1239   THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
1240       verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
1241   THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
1242                                         sig_rl.size()));
1243   THROW_ON_EPIDERR(EpidVerifierSetVerifierRl(
1244       verifier, (VerifierRl const*)ver_rl.data(), ver_rl.size()));
1245 
1246   EXPECT_EQ(kEpidSigValid,
1247             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
1248                        msg.data(), msg.size()));
1249 }
1250 
TEST_F(EpidVerifierTest,VerifyAcceptsSigWithRandomBaseNameAllRlSha512256)1251 TEST_F(EpidVerifierTest, VerifyAcceptsSigWithRandomBaseNameAllRlSha512256) {
1252   auto& pub_key = this->kGrpXKey;
1253   auto& msg = this->kMsg0;
1254   auto& grp_rl = this->kGrpRl;
1255   auto& priv_rl = this->kGrpXPrivRl;
1256   auto& sig_rl = this->kGrpXSigRl;
1257   auto& sig = this->kSigGrpXMember0Sha512256RandbaseMsg0;
1258 
1259   VerifierCtxObj verifier(pub_key);
1260   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha512_256));
1261   THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
1262       verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
1263   THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
1264       verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
1265   THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
1266                                         sig_rl.size()));
1267 
1268   EXPECT_EQ(kEpidSigValid,
1269             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
1270                        msg.data(), msg.size()));
1271 }
1272 
TEST_F(EpidVerifierTest,VerifyAcceptsSigGivenMsgContainingAllPossibleBytes)1273 TEST_F(EpidVerifierTest, VerifyAcceptsSigGivenMsgContainingAllPossibleBytes) {
1274   auto& pub_key = this->kPubKeySigRlVerify;
1275   auto& msg = this->kData_0_255;
1276   auto& bsn = this->kBsn0;
1277   auto& grp_rl = this->kGrpRl;
1278   auto& priv_rl = this->kGrp01PrivRl;
1279   std::vector<uint8_t> sig_rl = {
1280       // gid
1281       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1282       0x00, 0x00, 0x00, 0x2A,
1283       // version
1284       0x00, 0x00, 0x00, 0x00,
1285       // n2
1286       0x00, 0x00, 0x00, 0x01,
1287       // bk's
1288       0x9c, 0xa5, 0xe5, 0xae, 0x5f, 0xae, 0x51, 0x59, 0x33, 0x35, 0x27, 0xd,
1289       0x8, 0xb1, 0xbe, 0x5d, 0x69, 0x50, 0x84, 0xc5, 0xfe, 0xe2, 0x87, 0xea,
1290       0x2e, 0xef, 0xfa, 0xee, 0x67, 0xf2, 0xd8, 0x28, 0x56, 0x43, 0xc6, 0x94,
1291       0x67, 0xa6, 0x72, 0xf6, 0x41, 0x15, 0x4, 0x58, 0x42, 0x16, 0x88, 0x57,
1292       0x9d, 0xc7, 0x71, 0xd1, 0xc, 0x84, 0x13, 0xa, 0x90, 0x23, 0x18, 0x8, 0xad,
1293       0x7d, 0xfe, 0xf5, 0xc8, 0xae, 0xfc, 0x51, 0x40, 0xa7, 0xd1, 0x28, 0xc2,
1294       0x89, 0xb2, 0x6b, 0x4e, 0xb4, 0xc1, 0x55, 0x87, 0x98, 0xbd, 0x72, 0xf9,
1295       0xcf, 0xd, 0x40, 0x15, 0xee, 0x32, 0xc, 0xf3, 0x56, 0xc5, 0xc, 0x61, 0x9d,
1296       0x4f, 0x7a, 0xb5, 0x2b, 0x16, 0xa9, 0xa3, 0x97, 0x38, 0xe2, 0xdd, 0x3a,
1297       0x33, 0xad, 0xf6, 0x7b, 0x68, 0x8b, 0x68, 0xcf, 0xa3, 0xd3, 0x98, 0x37,
1298       0xce, 0xec, 0xd1, 0xa8, 0xc, 0x8b,
1299   };
1300   auto& sig = this->kSigGrp01Member0Sha512kBsn0Data_0_255;
1301 
1302   VerifierCtxObj verifier(pub_key);
1303   THROW_ON_EPIDERR(EpidVerifierSetHashAlg(verifier, kSha512));
1304   THROW_ON_EPIDERR(EpidVerifierSetBasename(verifier, bsn.data(), bsn.size()));
1305   THROW_ON_EPIDERR(EpidVerifierSetGroupRl(
1306       verifier, (GroupRl const*)grp_rl.data(), grp_rl.size()));
1307   THROW_ON_EPIDERR(EpidVerifierSetPrivRl(
1308       verifier, (PrivRl const*)priv_rl.data(), priv_rl.size()));
1309   THROW_ON_EPIDERR(EpidVerifierSetSigRl(verifier, (SigRl const*)sig_rl.data(),
1310                                         sig_rl.size()));
1311 
1312   EXPECT_EQ(kEpidSigValid,
1313             EpidVerify(verifier, (EpidSignature const*)sig.data(), sig.size(),
1314                        msg.data(), msg.size()));
1315 }
1316 
1317 }  // namespace
1318