[FAB-9695] Idemix Credential Request Signer/Verifier

adecaro · adecaro · commit e8b284ac51fc · 2018-11-07T15:33:28.000Z
This change-set does the following:
- implement the credential request signer/verifier
- tests

Change-Id: I7b6e360babced2da824cc1abfa13ed8ba97854c8
Signed-off-by: Angelo De Caro &lt;adc@zurich.ibm.com&gt;
diff --git a/bccsp/idemix/cred.go b/bccsp/idemix/cred.go
@@ -0,0 +1,63 @@
+/*
+Copyright IBM Corp. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+package idemix
+
+import (
+	"github.com/hyperledger/fabric/bccsp"
+	"github.com/pkg/errors"
+)
+
+// CredentialRequestSigner produces credential requests
+type CredentialRequestSigner struct {
+	// CredRequest implements the underlying cryptographic algorithms
+	CredRequest CredRequest
+}
+
+func (c *CredentialRequestSigner) Sign(k bccsp.Key, digest []byte, opts bccsp.SignerOpts) ([]byte, error) {
+	userSecretKey, ok := k.(*userSecretKey)
+	if !ok {
+		return nil, errors.New("invalid key, expected *userSecretKey")
+	}
+	credentialRequestSignerOpts, ok := opts.(*bccsp.IdemixCredentialRequestSignerOpts)
+	if !ok {
+		return nil, errors.New("invalid options, expected *IdemixCredentialRequestSignerOpts")
+	}
+	if credentialRequestSignerOpts.IssuerPK == nil {
+		return nil, errors.New("invalid options, missing issuer public key")
+	}
+	issuerPK, ok := credentialRequestSignerOpts.IssuerPK.(*issuerPublicKey)
+	if !ok {
+		return nil, errors.New("invalid options, expected IssuerPK as *issuerPublicKey")
+	}
+	if len(digest) != 0 {
+		return nil, errors.New("invalid digest, it must be empty")
+	}
+
+	return c.CredRequest.Sign(userSecretKey.sk, issuerPK.pk)
+}
+
+// CredentialRequestVerifier verifies credential requests
+type CredentialRequestVerifier struct {
+	// CredRequest implements the underlying cryptographic algorithms
+	CredRequest CredRequest
+}
+
+func (c *CredentialRequestVerifier) Verify(k bccsp.Key, signature, digest []byte, opts bccsp.SignerOpts) (bool, error) {
+	issuerPublicKey, ok := k.(*issuerPublicKey)
+	if !ok {
+		return false, errors.New("invalid key, expected *issuerPublicKey")
+	}
+	if len(digest) != 0 {
+		return false, errors.New("invalid digest, it must be empty")
+	}
+
+	err := c.CredRequest.Verify(signature, issuerPublicKey.pk)
+	if err != nil {
+		return false, err
+	}
+
+	return true, nil
+}
diff --git a/bccsp/idemix/cred_test.go b/bccsp/idemix/cred_test.go
@@ -0,0 +1,246 @@
+/*
+Copyright IBM Corp. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+package idemix_test
+
+import (
+	"github.com/hyperledger/fabric/bccsp"
+	"github.com/hyperledger/fabric/bccsp/idemix"
+	"github.com/hyperledger/fabric/bccsp/idemix/mock"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"github.com/pkg/errors"
+)
+
+var _ = Describe("Credential Request", func() {
+
+	Describe("when creating a credential request", func() {
+
+		var (
+			CredentialRequestSigner *idemix.CredentialRequestSigner
+			fakeCredRequest         *mock.CredRequest
+		)
+
+		BeforeEach(func() {
+			fakeCredRequest = &mock.CredRequest{}
+			CredentialRequestSigner = &idemix.CredentialRequestSigner{CredRequest: fakeCredRequest}
+		})
+
+		Context("and the underlying cryptographic algorithm succeed", func() {
+			var (
+				fakeSignature []byte
+			)
+			BeforeEach(func() {
+				fakeSignature = []byte("fake signature")
+				fakeCredRequest.SignReturns(fakeSignature, nil)
+			})
+
+			It("returns no error and a signature", func() {
+				signature, err := CredentialRequestSigner.Sign(
+					idemix.NewUserSecretKey(nil, false),
+					nil,
+					&bccsp.IdemixCredentialRequestSignerOpts{IssuerPK: idemix.NewIssuerPublicKey(nil)},
+				)
+				Expect(err).NotTo(HaveOccurred())
+				Expect(signature).To(BeEquivalentTo(fakeSignature))
+
+			})
+		})
+
+		Context("and the underlying cryptographic algorithm fails", func() {
+			BeforeEach(func() {
+				fakeCredRequest.SignReturns(nil, errors.New("sign error"))
+			})
+
+			It("returns an error", func() {
+				signature, err := CredentialRequestSigner.Sign(
+					idemix.NewUserSecretKey(nil, false),
+					nil,
+					&bccsp.IdemixCredentialRequestSignerOpts{IssuerPK: idemix.NewIssuerPublicKey(nil)},
+				)
+				Expect(err).To(MatchError("sign error"))
+				Expect(signature).To(BeNil())
+			})
+		})
+
+		Context("and the options are not well formed", func() {
+
+			Context("and the user secret key is nil", func() {
+				It("returns error", func() {
+					signature, err := CredentialRequestSigner.Sign(
+						nil,
+						nil,
+						&bccsp.IdemixCredentialRequestSignerOpts{IssuerPK: idemix.NewIssuerPublicKey(nil)},
+					)
+					Expect(err).To(MatchError("invalid key, expected *userSecretKey"))
+					Expect(signature).To(BeNil())
+				})
+			})
+
+			Context("and the user secret key is not of type *userSecretKey", func() {
+				It("returns error", func() {
+					signature, err := CredentialRequestSigner.Sign(
+						idemix.NewIssuerPublicKey(nil),
+						nil,
+						&bccsp.IdemixCredentialRequestSignerOpts{IssuerPK: idemix.NewIssuerPublicKey(nil)},
+					)
+					Expect(err).To(MatchError("invalid key, expected *userSecretKey"))
+					Expect(signature).To(BeNil())
+				})
+			})
+
+			Context("and the option is missing", func() {
+				It("returns error", func() {
+					signature, err := CredentialRequestSigner.Sign(
+						idemix.NewUserSecretKey(nil, false),
+						nil,
+						nil,
+					)
+					Expect(err).To(MatchError("invalid options, expected *IdemixCredentialRequestSignerOpts"))
+					Expect(signature).To(BeNil())
+				})
+			})
+
+			Context("and the option is not of type *bccsp.IdemixCredentialRequestSignerOpts", func() {
+				It("returns error", func() {
+					signature, err := CredentialRequestSigner.Sign(
+						idemix.NewUserSecretKey(nil, false),
+						nil,
+						&bccsp.IdemixSignerOpts{},
+					)
+					Expect(err).To(MatchError("invalid options, expected *IdemixCredentialRequestSignerOpts"))
+					Expect(signature).To(BeNil())
+				})
+			})
+
+			Context("and the issuer public key is missing", func() {
+				It("returns error", func() {
+					signature, err := CredentialRequestSigner.Sign(
+						idemix.NewUserSecretKey(nil, false),
+						nil,
+						&bccsp.IdemixCredentialRequestSignerOpts{IssuerPK: nil},
+					)
+					Expect(err).To(MatchError("invalid options, missing issuer public key"))
+					Expect(signature).To(BeNil())
+				})
+			})
+
+			Context("and the issuer public key is not of type *issuerPublicKey", func() {
+				It("returns error", func() {
+					signature, err := CredentialRequestSigner.Sign(
+						idemix.NewUserSecretKey(nil, false),
+						nil,
+						&bccsp.IdemixCredentialRequestSignerOpts{IssuerPK: idemix.NewUserSecretKey(nil, false)},
+					)
+					Expect(err).To(MatchError("invalid options, expected IssuerPK as *issuerPublicKey"))
+					Expect(signature).To(BeNil())
+				})
+			})
+
+			Context("and the digest is not nil", func() {
+				It("returns error", func() {
+					signature, err := CredentialRequestSigner.Sign(
+						idemix.NewUserSecretKey(nil, false),
+						[]byte{1, 2, 3, 4},
+						&bccsp.IdemixCredentialRequestSignerOpts{IssuerPK: idemix.NewIssuerPublicKey(nil)},
+					)
+					Expect(err).To(MatchError("invalid digest, it must be empty"))
+					Expect(signature).To(BeNil())
+				})
+			})
+
+		})
+	})
+
+	Describe("when verifying a credential request", func() {
+
+		var (
+			CredentialRequestVerifier *idemix.CredentialRequestVerifier
+			fakeCredRequest           *mock.CredRequest
+		)
+
+		BeforeEach(func() {
+			fakeCredRequest = &mock.CredRequest{}
+			CredentialRequestVerifier = &idemix.CredentialRequestVerifier{CredRequest: fakeCredRequest}
+		})
+
+		Context("and the underlying cryptographic algorithm succeed", func() {
+			BeforeEach(func() {
+				fakeCredRequest.VerifyReturns(nil)
+			})
+
+			It("returns no error and valid signature", func() {
+				valid, err := CredentialRequestVerifier.Verify(
+					idemix.NewIssuerPublicKey(nil),
+					[]byte("fake signature"),
+					nil,
+					nil,
+				)
+				Expect(err).NotTo(HaveOccurred())
+				Expect(valid).To(BeTrue())
+			})
+		})
+
+		Context("and the underlying cryptographic algorithm fails", func() {
+			BeforeEach(func() {
+				fakeCredRequest.VerifyReturns(errors.New("verify error"))
+			})
+
+			It("returns an error", func() {
+				valid, err := CredentialRequestVerifier.Verify(
+					idemix.NewIssuerPublicKey(nil),
+					[]byte("fake signature"),
+					nil,
+					nil,
+				)
+				Expect(err).To(MatchError("verify error"))
+				Expect(valid).To(BeFalse())
+			})
+		})
+
+		Context("and the parameters are not well formed", func() {
+
+			Context("and the issuer public key is nil", func() {
+				It("returns error", func() {
+					valid, err := CredentialRequestVerifier.Verify(
+						nil,
+						[]byte("fake signature"),
+						nil,
+						nil,
+					)
+					Expect(err).To(MatchError("invalid key, expected *issuerPublicKey"))
+					Expect(valid).To(BeFalse())
+				})
+			})
+
+			Context("and the issuer public key is not of type *issuerPublicKey", func() {
+				It("returns error", func() {
+					valid, err := CredentialRequestVerifier.Verify(
+						idemix.NewUserSecretKey(nil, false),
+						[]byte("fake signature"),
+						nil,
+						nil,
+					)
+					Expect(err).To(MatchError("invalid key, expected *issuerPublicKey"))
+					Expect(valid).To(BeFalse())
+				})
+			})
+
+			Context("and the digest is not nil", func() {
+				It("returns error", func() {
+					valid, err := CredentialRequestVerifier.Verify(
+						idemix.NewIssuerPublicKey(nil),
+						[]byte("fake signature"),
+						[]byte{1, 2, 3, 4},
+						nil,
+					)
+					Expect(err).To(MatchError("invalid digest, it must be empty"))
+					Expect(valid).To(BeFalse())
+				})
+			})
+
+		})
+	})
+})
diff --git a/bccsp/idemix/idemix.go b/bccsp/idemix/idemix.go
@@ -48,3 +48,14 @@ type User interface {
 	// MakeNym creates a new unlinkable pseudonym
 	MakeNym(sk Big, key IssuerPublicKey) (Ecp, Big, error)
 }
+
+// CredRequest is a local interface to decouple from the idemix implementation
+// of the issuance of credential requests.
+type CredRequest interface {
+	// Sign creates a new Credential Request, the first message of the interactive credential issuance protocol
+	// (from user to issuer)
+	Sign(sk Big, ipk IssuerPublicKey) ([]byte, error)
+
+	// Verify verifies the credential request
+	Verify(credRequest []byte, ipk IssuerPublicKey) error
+}
diff --git a/bccsp/idemix/idemix_suite_test.go b/bccsp/idemix/idemix_suite_test.go
@@ -18,6 +18,7 @@ import (
 //go:generate counterfeiter -o mock/user.go -fake-name User . User
 //go:generate counterfeiter -o mock/big.go -fake-name Big . Big
 //go:generate counterfeiter -o mock/ecp.go -fake-name Ecp . Ecp
+//go:generate counterfeiter -o mock/credrequest.go -fake-name CredRequest . CredRequest
 
 func TestPlain(t *testing.T) {
 	RegisterFailHandler(Fail)
diff --git a/bccsp/idemix/mock/credrequest.go b/bccsp/idemix/mock/credrequest.go
diff --git a/bccsp/idemixopts.go b/bccsp/idemixopts.go
