diff options
Diffstat (limited to 'doc/html/_user_manual__generating_an_intel_epid_signature.html')
| -rw-r--r-- | doc/html/_user_manual__generating_an_intel_epid_signature.html | 188 |
1 files changed, 188 insertions, 0 deletions
diff --git a/doc/html/_user_manual__generating_an_intel_epid_signature.html b/doc/html/_user_manual__generating_an_intel_epid_signature.html new file mode 100644 index 0000000..60118ba --- /dev/null +++ b/doc/html/_user_manual__generating_an_intel_epid_signature.html @@ -0,0 +1,188 @@ +<!-- HTML header for doxygen 1.8.10--> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/> +<meta http-equiv="X-UA-Compatible" content="IE=9"/> +<meta name="generator" content="Doxygen 1.8.14"/> +<title>Intel® Enhanced Privacy ID SDK: Generating an Intel® EPID Signature</title> +<link href="tabs.css" rel="stylesheet" type="text/css"/> +<script type="text/javascript" src="jquery.js"></script> +<script type="text/javascript" src="dynsections.js"></script> +<link href="navtree.css" rel="stylesheet" type="text/css"/> +<script type="text/javascript" src="resize.js"></script> +<script type="text/javascript" src="navtreedata.js"></script> +<script type="text/javascript" src="navtree.js"></script> +<script type="text/javascript"> +/* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&dn=gpl-2.0.txt GPL-v2 */ + $(document).ready(initResizable); +/* @license-end */</script> +<link href="doxygen.css" rel="stylesheet" type="text/css" /> +<link href="epidstyle.css" rel="stylesheet" type="text/css"/> +</head> +<body> +<div id="top"><!-- do not remove this div, it is closed by doxygen! --> +<div id="titlearea"> +<table cellspacing="0" cellpadding="0"> + <tbody> + <tr style="height: 56px;"> + <td id="projectalign" style="padding-left: 0.5em;"> + <div id="projectname"><a + onclick="storeLink('index.html')" + id="projectlink" + class="index.html" + href="index.html">Intel® Enhanced Privacy ID SDK</a> + <span id="projectnumber">6.0.1</span> +</div> + </td> + </tr> + </tbody> +</table> +</div> +<!-- end header part --> +<!-- Generated by Doxygen 1.8.14 --> +</div><!-- top --> +<div id="side-nav" class="ui-resizable side-nav-resizable"> + <div id="nav-tree"> + <div id="nav-tree-contents"> + <div id="nav-sync" class="sync"></div> + </div> + </div> + <div id="splitbar" style="-moz-user-select:none;" + class="ui-resizable-handle"> + </div> +</div> +<script type="text/javascript"> +/* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&dn=gpl-2.0.txt GPL-v2 */ +$(document).ready(function(){initNavTree('_user_manual__generating_an_intel_epid_signature.html','');}); +/* @license-end */ +</script> +<div id="doc-content"> +<div class="header"> + <div class="headertitle"> +<div class="title">Generating an Intel® EPID Signature </div> </div> +</div><!--header--> +<div class="contents"> +<div class="textblock"><p>This walkthrough of the <code>signmsg</code> example shows you how to use SDK APIs to generate an Intel® EPID signature. <code>signmsg</code> is built during the <a class="el" href="_building_sdk.html">SDK build</a>.</p> +<h1><a class="anchor" id="signmsgWalktrhu_overview"></a> +Summary</h1> +<p>In the code example below, we take this approach:</p> +<ul> +<li>Extract and authenticate issuer provided material</li> +<li>Create the member context to allow us to call other member APIs</li> +<li>Generate the signature</li> +<li>Clean up</li> +</ul> +<h1><a class="anchor" id="signmsgWalkthru_"></a> +Signmsg Walkthrough</h1> +<p><br /> +</p> +<p>First, we include headers so we have access to needed declarations.</p> +<p><div class="fragment"><div class="line"><span class="preprocessor">#include "src/signmsg.h"</span></div><div class="line"><span class="preprocessor">#include <stdio.h></span></div><div class="line"><span class="preprocessor">#include <stdlib.h></span></div><div class="line"><span class="preprocessor">#include <string.h></span></div><div class="line"><span class="preprocessor">#include "<a class="code" href="file__parser_8h.html">epid/common/file_parser.h</a>"</span></div><div class="line"><span class="preprocessor">#include "<a class="code" href="member_2api_8h.html">epid/member/api.h</a>"</span></div><div class="line"><span class="preprocessor">#include "src/prng.h"</span></div></div><!-- fragment --></p> +<p>The <code>prng.h</code> header provides access to a pseudo-random number generator needed for signing, while the utility headers are used by <code>signmsg</code> for logging and buffer management. The <code><a class="el" href="member_2api_8h.html" title="Intel(R) EPID SDK member API. ">epid/member/api.h</a></code> header provides access to the core member APIs. The <code><a class="el" href="file__parser_8h.html" title="Intel(R) EPID issuer material parsing utilities. ">epid/common/file_parser.h</a></code> header provides an API for parsing buffers formatted according to the various IoT Intel® EPID binary file formats. The <code><a class="el" href="software__member_8h.html" title="Member creation parameters for software only implementation. ">epid/member/software_member.h</a></code> provides an implementation specific definition of <a class="el" href="struct_member_params.html" title="Software only specific member parameters. ">MemberParams</a>. The specific definition of <a class="el" href="struct_member_params.html" title="Software only specific member parameters. ">MemberParams</a> may differ dramatically between implementations.</p> +<p><br /> +</p> +<p>We define a stub function responsible for checking that the CA certificate is authorized by the root CA.</p> +<p>In <code>main.c</code>, we define a stub function, IsCaCertAuthorizedByRootCa, which is responsible for checking that the CA certificate is authorized by the root CA. Before calling <code>signmsg</code>, we call this function, IsCaCertAuthorizedByRootCa. In an actual implementation, you need to provide an implementation to validate the issuing CA certificate with the CA root certificate before using it in parse functions.</p> +<p><br /> +</p> +<p>The core signing functionality is contained in <code>SignMsg</code>.</p> +<p><div class="fragment"><div class="line"><a class="code" href="group___error_codes.html#gafdb27c77c2c4b32c807e326a8a0da360">EpidStatus</a> SignMsg(<span class="keywordtype">void</span> <span class="keyword">const</span>* msg, <span class="keywordtype">size_t</span> msg_len, <span class="keywordtype">void</span> <span class="keyword">const</span>* basename,</div><div class="line"> <span class="keywordtype">size_t</span> basename_len, <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> <span class="keyword">const</span>* signed_sig_rl,</div><div class="line"> <span class="keywordtype">size_t</span> signed_sig_rl_size,</div><div class="line"> <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> <span class="keyword">const</span>* signed_pubkey,</div><div class="line"> <span class="keywordtype">size_t</span> signed_pubkey_size, <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> <span class="keyword">const</span>* priv_key_ptr,</div><div class="line"> <span class="keywordtype">size_t</span> privkey_size, <a class="code" href="group___epid_types.html#ga5e450438f6f9a5eacd0cf5ce354ec890">HashAlg</a> hash_alg,</div><div class="line"> <a class="code" href="struct_member_precomp.html">MemberPrecomp</a>* member_precomp, <a class="code" href="struct_epid_signature.html">EpidSignature</a>** sig,</div><div class="line"> <span class="keywordtype">size_t</span>* sig_len, <a class="code" href="struct_epid_ca_certificate.html">EpidCaCertificate</a> <span class="keyword">const</span>* cacert) {</div></div><!-- fragment --></p> +<p>The <code>SignMsg</code> parameters are either received by the member, or they are part of the member's configuration. The exceptions are the <code>sig</code> and <code>sig_len</code> parameters, which are used to output the signature.</p> +<p>The verifier might send the message to the member or there may be another mechanism to choose the message, but the way the message is communicated is outside the scope of the Intel® EPID scheme.</p> +<p>We use the parameters <code>member_precomp</code> to pass in a pre-computation blob if provided. We can use the pre-computation blob to increase performance when verifying signatures repeatedly with the same group public key.</p> +<p>The member knows the group public key and the member private key.</p> +<p>The member and the verifier agree on the message, basename, hash algorithm, and SigRL that the member uses for signing.</p> +<p><br /> +</p> +<p>Next we do basic variable setup and argument checking.</p> +<p><div class="fragment"><div class="line"> <a class="code" href="group___error_codes.html#gafdb27c77c2c4b32c807e326a8a0da360">EpidStatus</a> sts = <a class="code" href="group___error_codes.html#ggafdb27c77c2c4b32c807e326a8a0da360aa08f0d2e394b37694117a6a32bc71e6e">kEpidErr</a>;</div><div class="line"> <span class="keywordtype">void</span>* prng = NULL;</div><div class="line"> <a class="code" href="member_2api_8h.html#adfb10d5dfdadb0694792c7b06718e817">MemberCtx</a>* member = NULL;</div><div class="line"> <a class="code" href="struct_sig_rl.html">SigRl</a>* sig_rl = NULL;</div><div class="line"></div><div class="line"> <span class="keywordflow">do</span> {</div><div class="line"> <a class="code" href="struct_group_pub_key.html">GroupPubKey</a> pub_key = {0};</div><div class="line"> <a class="code" href="struct_priv_key.html">PrivKey</a> priv_key = {0};</div><div class="line"> <a class="code" href="struct_membership_credential.html">MembershipCredential</a> member_credential = {0};</div><div class="line"> <span class="keywordtype">size_t</span> sig_rl_size = 0;</div><div class="line"> <a class="code" href="struct_member_params.html">MemberParams</a> params = {0};</div><div class="line"> <span class="keywordtype">size_t</span> member_size = 0;</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (!sig) {</div><div class="line"> sts = <a class="code" href="group___error_codes.html#ggafdb27c77c2c4b32c807e326a8a0da360ad134d6cc95a9dcb1b1a9f9c358047cbf">kEpidBadArgErr</a>;</div><div class="line"> <span class="keywordflow">break</span>;</div><div class="line"> }</div></div><!-- fragment --></p> +<p>We create pointers to resources to be allocated and use the <code>do {} while(0)</code> idiom so that we can reliably free resources on return from <code>SignMsg</code>.</p> +<p>We create variables on the stack to hold the group public key and member private key.</p> +<p>Finally we check to make sure that <code>sig</code> is a vaild pointer.</p> +<p><br /> +</p> +<p>Next, if group public key is passed we authenticate and extract the group public key using <a class="el" href="group___file_parser.html#ga43fdbc1bf2edd3695d21cb457365afbb" title="Extracts group public key from buffer in issuer binary format. ">EpidParseGroupPubKeyFile</a>.</p> +<p><div class="fragment"><div class="line"> sts = <a class="code" href="group___file_parser.html#ga43fdbc1bf2edd3695d21cb457365afbb">EpidParseGroupPubKeyFile</a>(signed_pubkey, signed_pubkey_size, cacert,</div><div class="line"> &pub_key);</div><div class="line"> <span class="keywordflow">if</span> (<a class="code" href="group___error_codes.html#ggafdb27c77c2c4b32c807e326a8a0da360a8a6861e14322ca9193498ffc955537f9">kEpidNoErr</a> != sts) {</div><div class="line"> <span class="keywordflow">break</span>;</div><div class="line"> }</div></div><!-- fragment --></p> +<p><a class="el" href="group___file_parser.html#ga43fdbc1bf2edd3695d21cb457365afbb" title="Extracts group public key from buffer in issuer binary format. ">EpidParseGroupPubKeyFile</a> takes a buffer containing a group public key in issuer binary format and validates that the public key is signed by the private key that corresponds to the provided CA certificate, extracting the key in the process.</p> +<p><br /> +</p> +<p>Next, if member private key is passed we fill the member private key.</p> +<p><div class="fragment"><div class="line"> <span class="keywordflow">if</span> (privkey_size == <span class="keyword">sizeof</span>(<a class="code" href="struct_priv_key.html">PrivKey</a>)) {</div><div class="line"> priv_key = *(<a class="code" href="struct_priv_key.html">PrivKey</a>*)priv_key_ptr;</div><div class="line"> } <span class="keywordflow">else</span> <span class="keywordflow">if</span> (privkey_size == <span class="keyword">sizeof</span>(<a class="code" href="struct_compressed_priv_key.html">CompressedPrivKey</a>)) {</div><div class="line"> sts = <a class="code" href="group___epid_member_module.html#gaf8cd05388f017486f14da2ee48d067ef">EpidDecompressPrivKey</a>(&pub_key, (<a class="code" href="struct_compressed_priv_key.html">CompressedPrivKey</a>*)priv_key_ptr,</div><div class="line"> &priv_key);</div><div class="line"> <span class="keywordflow">if</span> (<a class="code" href="group___error_codes.html#ggafdb27c77c2c4b32c807e326a8a0da360a8a6861e14322ca9193498ffc955537f9">kEpidNoErr</a> != sts) {</div><div class="line"> <span class="keywordflow">break</span>;</div><div class="line"> }</div><div class="line"> } <span class="keywordflow">else</span> <span class="keywordflow">if</span> (privkey_size == <span class="keyword">sizeof</span>(<a class="code" href="struct_membership_credential.html">MembershipCredential</a>)) {</div><div class="line"> member_credential = *(<a class="code" href="struct_membership_credential.html">MembershipCredential</a>*)priv_key_ptr;</div><div class="line"> } <span class="keywordflow">else</span> {</div><div class="line"> sts = <a class="code" href="group___error_codes.html#ggafdb27c77c2c4b32c807e326a8a0da360aa08f0d2e394b37694117a6a32bc71e6e">kEpidErr</a>;</div><div class="line"> <span class="keywordflow">break</span>;</div><div class="line"> } <span class="comment">// if (privkey_size == sizeof(PrivKey))</span></div></div><!-- fragment --></p> +<p>If the member private key is compressed, then we decompress it using <a class="el" href="group___epid_member_module.html#gaf8cd05388f017486f14da2ee48d067ef" title="Decompresses compressed member private key. ">EpidDecompressPrivKey</a> before it can be passed to the member APIs. To determine if the member private key is compressed, we check if it is the known size of a compressed key.</p> +<p>If the member private key contains just public part, then we fill it as membership credential. To check if the member private key is complete or contains only the membership credential, we check if it is the known size of the member private key without the secret <code>f</code> value.</p> +<p>If the key size is not the size of a known format, we return an error.</p> +<p><br /> +</p> +<p>Next, we create a pseudo-random number generator.</p> +<p><div class="fragment"><div class="line"> sts = PrngCreate(&prng);</div><div class="line"> <span class="keywordflow">if</span> (<a class="code" href="group___error_codes.html#ggafdb27c77c2c4b32c807e326a8a0da360a8a6861e14322ca9193498ffc955537f9">kEpidNoErr</a> != sts) {</div><div class="line"> <span class="keywordflow">break</span>;</div><div class="line"> }</div></div><!-- fragment --></p> +<dl class="section warning"><dt>Warning</dt><dd>This pseudo-random number generator is included only for demonstration, and should not be used in production code as a source of secure random data. For security, <code>prng</code> should be a cryptographically secure random number generator.</dd></dl> +<p><br /> +</p> +<p>Now that the inputs have been prepared, we create a member context using <a class="el" href="group___epid_member_module.html#ga2b3c0cc1d8d4e50190ca94656fa36e24" title="Computes the size in bytes required for a member context. ">EpidMemberGetSize</a> and <a class="el" href="group___epid_member_module.html#ga35273b8e75d51e312f0d2fd3aa094efb" title="Initializes a new member context. ">EpidMemberInit</a>.</p> +<p><div class="fragment"><div class="line"> sts = <a class="code" href="group___epid_member_module.html#ga2b3c0cc1d8d4e50190ca94656fa36e24">EpidMemberGetSize</a>(&params, &member_size);</div><div class="line"> <span class="keywordflow">if</span> (<a class="code" href="group___error_codes.html#ggafdb27c77c2c4b32c807e326a8a0da360a8a6861e14322ca9193498ffc955537f9">kEpidNoErr</a> != sts) {</div><div class="line"> <span class="keywordflow">break</span>;</div><div class="line"> }</div><div class="line"> member = (<a class="code" href="member_2api_8h.html#adfb10d5dfdadb0694792c7b06718e817">MemberCtx</a>*)calloc(1, member_size);</div><div class="line"> <span class="keywordflow">if</span> (!member) {</div><div class="line"> sts = <a class="code" href="group___error_codes.html#ggafdb27c77c2c4b32c807e326a8a0da360ab7dfec784192a827a91a4b8a6054d01c">kEpidNoMemErr</a>;</div><div class="line"> <span class="keywordflow">break</span>;</div><div class="line"> }</div><div class="line"> sts = <a class="code" href="group___epid_member_module.html#ga35273b8e75d51e312f0d2fd3aa094efb">EpidMemberInit</a>(&params, member);</div><div class="line"> <span class="keywordflow">if</span> (<a class="code" href="group___error_codes.html#ggafdb27c77c2c4b32c807e326a8a0da360a8a6861e14322ca9193498ffc955537f9">kEpidNoErr</a> != sts) {</div><div class="line"> <span class="keywordflow">break</span>;</div><div class="line"> }</div></div><!-- fragment --></p> +<p>Then we set the hash algorithm to be used by the member using <a class="el" href="group___epid_member_module.html#ga9998eb454838ff5d232ff22ecbab31bf" title="Sets the hash algorithm to be used by a member. ">EpidMemberSetHashAlg</a>.</p> +<p><div class="fragment"><div class="line"> sts = <a class="code" href="group___epid_member_module.html#ga9998eb454838ff5d232ff22ecbab31bf">EpidMemberSetHashAlg</a>(member, hash_alg);</div><div class="line"> <span class="keywordflow">if</span> (<a class="code" href="group___error_codes.html#ggafdb27c77c2c4b32c807e326a8a0da360a8a6861e14322ca9193498ffc955537f9">kEpidNoErr</a> != sts) {</div><div class="line"> <span class="keywordflow">break</span>;</div><div class="line"> }</div></div><!-- fragment --></p> +<p>After the hash algorithm is set, future calls to <code>EpidSign</code> will use the same algorithm.</p> +<p><br /> +</p> +<p>If a pre-computation blob is provided to the top level application, we use it. Otherwise, we pass in <code>NULL</code>.</p> +<p><br /> +</p> +<p>Next we provision either the member private key or the membership credential based on the passed member private key.</p> +<p><div class="fragment"><div class="line"> <span class="keywordflow">if</span> (privkey_size == <span class="keyword">sizeof</span>(<a class="code" href="struct_priv_key.html">PrivKey</a>) ||</div><div class="line"> privkey_size == <span class="keyword">sizeof</span>(<a class="code" href="struct_compressed_priv_key.html">CompressedPrivKey</a>)) {</div><div class="line"> sts = <a class="code" href="group___epid_member_module.html#ga07094399c1e040b95ae3e58a74e7c302">EpidProvisionKey</a>(member, &pub_key, &priv_key, member_precomp);</div><div class="line"> <span class="keywordflow">if</span> (<a class="code" href="group___error_codes.html#ggafdb27c77c2c4b32c807e326a8a0da360a8a6861e14322ca9193498ffc955537f9">kEpidNoErr</a> != sts) {</div><div class="line"> <span class="keywordflow">break</span>;</div><div class="line"> }</div><div class="line"> } <span class="keywordflow">else</span> <span class="keywordflow">if</span> (privkey_size == <span class="keyword">sizeof</span>(<a class="code" href="struct_membership_credential.html">MembershipCredential</a>)) {</div><div class="line"> sts = <a class="code" href="group___epid_member_module.html#ga788ebc9d1ba6153c637b762484ca1140">EpidProvisionCredential</a>(member, &pub_key, &member_credential,</div><div class="line"> member_precomp);</div><div class="line"> <span class="keywordflow">if</span> (<a class="code" href="group___error_codes.html#ggafdb27c77c2c4b32c807e326a8a0da360a8a6861e14322ca9193498ffc955537f9">kEpidNoErr</a> != sts) {</div><div class="line"> <span class="keywordflow">break</span>;</div><div class="line"> }</div><div class="line"> } <span class="comment">// if (privkey_size == sizeof(PrivKey))</span></div></div><!-- fragment --></p> +<p>If neither is passed, we provision nothing.</p> +<p><br /> +</p> +<p>Now we load provisioned membership credential and initialize context.</p> +<p><div class="fragment"><div class="line"> sts = <a class="code" href="group___epid_member_module.html#gaa2c85b1f0ea17a11ac5d297b21aa30f6">EpidMemberStartup</a>(member);</div><div class="line"> <span class="keywordflow">if</span> (<a class="code" href="group___error_codes.html#ggafdb27c77c2c4b32c807e326a8a0da360a8a6861e14322ca9193498ffc955537f9">kEpidNoErr</a> != sts) {</div><div class="line"> <span class="keywordflow">break</span>;</div><div class="line"> }</div></div><!-- fragment --></p> +<p><br /> +</p> +<p>Next, if a basename is specified, we register it with <a class="el" href="group___epid_member_module.html#ga8c6f097ba89542664375bd5e0f205220" title="Registers a basename with a member. ">EpidRegisterBasename</a> so that the member can use it.</p> +<p><div class="fragment"><div class="line"> <span class="keywordflow">if</span> (0 != basename_len) {</div><div class="line"> sts = <a class="code" href="group___epid_member_module.html#ga8c6f097ba89542664375bd5e0f205220">EpidRegisterBasename</a>(member, basename, basename_len);</div><div class="line"> <span class="keywordflow">if</span> (<a class="code" href="group___error_codes.html#ggafdb27c77c2c4b32c807e326a8a0da360a8a6861e14322ca9193498ffc955537f9">kEpidNoErr</a> != sts) {</div><div class="line"> <span class="keywordflow">break</span>;</div><div class="line"> }</div><div class="line"> }</div></div><!-- fragment --></p> +<p>In a typical use case, to prevent loss of privacy, the member keeps a list of basenames that correspond to authorized verifiers. The member signs a message with a basename only if the basename is in the member's basename list.</p> +<dl class="section warning"><dt>Warning</dt><dd>The use of a name-based signature creates a platform unique pseudonymous identifier. Because it reduces the member's privacy, the user should be notified when it is used and should have control over its use.</dd></dl> +<p><br /> +</p> +<p>We authenticate and extract the signed SigRL using <a class="el" href="group___file_parser.html#ga237ef5a43076aa6fc6eb18829a93da3f" title="Extracts signature revocation list from buffer in issuer binary format. ">EpidParseSigRlFile</a>.</p> +<p><div class="fragment"><div class="line"> <span class="keywordflow">if</span> (signed_sig_rl) {</div><div class="line"> <span class="comment">// authenticate and determine space needed for SigRl</span></div><div class="line"> sts = <a class="code" href="group___file_parser.html#ga237ef5a43076aa6fc6eb18829a93da3f">EpidParseSigRlFile</a>(signed_sig_rl, signed_sig_rl_size, cacert, NULL,</div><div class="line"> &sig_rl_size);</div><div class="line"> <span class="keywordflow">if</span> (<a class="code" href="group___error_codes.html#ggafdb27c77c2c4b32c807e326a8a0da360aeedd19b8a1cbdecf963f90b4860e02b8">kEpidSigInvalid</a> == sts) {</div><div class="line"> <span class="comment">// authentication failure</span></div><div class="line"> <span class="keywordflow">break</span>;</div><div class="line"> }</div><div class="line"> <span class="keywordflow">if</span> (<a class="code" href="group___error_codes.html#ggafdb27c77c2c4b32c807e326a8a0da360a8a6861e14322ca9193498ffc955537f9">kEpidNoErr</a> != sts) {</div><div class="line"> <span class="keywordflow">break</span>;</div><div class="line"> }</div><div class="line"> sig_rl = calloc(1, sig_rl_size);</div><div class="line"> <span class="keywordflow">if</span> (!sig_rl) {</div><div class="line"> sts = <a class="code" href="group___error_codes.html#ggafdb27c77c2c4b32c807e326a8a0da360a11a4d2f1c37064eb663de08dc57bcda8">kEpidMemAllocErr</a>;</div><div class="line"> <span class="keywordflow">break</span>;</div><div class="line"> }</div><div class="line"></div><div class="line"> <span class="comment">// fill the SigRl</span></div><div class="line"> sts = <a class="code" href="group___file_parser.html#ga237ef5a43076aa6fc6eb18829a93da3f">EpidParseSigRlFile</a>(signed_sig_rl, signed_sig_rl_size, cacert,</div><div class="line"> sig_rl, &sig_rl_size);</div><div class="line"> <span class="keywordflow">if</span> (<a class="code" href="group___error_codes.html#ggafdb27c77c2c4b32c807e326a8a0da360aeedd19b8a1cbdecf963f90b4860e02b8">kEpidSigInvalid</a> == sts) {</div><div class="line"> <span class="comment">// authentication failure</span></div><div class="line"> <span class="keywordflow">break</span>;</div><div class="line"> }</div><div class="line"> <span class="keywordflow">if</span> (<a class="code" href="group___error_codes.html#ggafdb27c77c2c4b32c807e326a8a0da360a8a6861e14322ca9193498ffc955537f9">kEpidNoErr</a> != sts) {</div><div class="line"> <span class="keywordflow">break</span>;</div><div class="line"> }</div><div class="line"></div><div class="line"> sts = <a class="code" href="group___epid_member_module.html#gaaae6f21f58c22fce58076f10d68159f4">EpidMemberSetSigRl</a>(member, sig_rl, sig_rl_size);</div><div class="line"> <span class="keywordflow">if</span> (<a class="code" href="group___error_codes.html#ggafdb27c77c2c4b32c807e326a8a0da360a8a6861e14322ca9193498ffc955537f9">kEpidNoErr</a> != sts) {</div><div class="line"> <span class="keywordflow">break</span>;</div><div class="line"> }</div><div class="line"> } <span class="comment">// if (signed_sig_rl)</span></div></div><!-- fragment --></p> +<p>We use <a class="el" href="group___file_parser.html#ga237ef5a43076aa6fc6eb18829a93da3f" title="Extracts signature revocation list from buffer in issuer binary format. ">EpidParseSigRlFile</a> to:</p> +<ul> +<li>extract the signature based revocation list</li> +<li>validate that the revocation list was signed by the private key corresponding to the provided CA certificate</li> +<li>validate that the size of the input buffer is correct</li> +<li>determine the required size of the revocation list output buffer</li> +</ul> +<p>To determine the required <code>sig_rl</code> output buffer size, we provide a null pointer for the output buffer when calling <a class="el" href="group___file_parser.html#ga237ef5a43076aa6fc6eb18829a93da3f" title="Extracts signature revocation list from buffer in issuer binary format. ">EpidParseSigRlFile</a>. This updates <code>sig_rl_size</code> with the required size of the output buffer.</p> +<p>After we find out the required size of the <code>sig_rl</code>, we allocate a buffer for the <code>sig_rl</code>. Then we fill the buffer using <a class="el" href="group___file_parser.html#ga237ef5a43076aa6fc6eb18829a93da3f" title="Extracts signature revocation list from buffer in issuer binary format. ">EpidParseSigRlFile</a>.</p> +<p>After we extracted the signature based revocation list we should assign it to the member context using <a class="el" href="group___epid_member_module.html#gaaae6f21f58c22fce58076f10d68159f4" title="Sets the signature based revocation list to be used by a member. ">EpidMemberSetSigRl</a>.</p> +<p><br /> +</p> +<p>Next, we sign the message, generating an Intel® EPID signature.</p> +<p><div class="fragment"><div class="line"> *sig_len = <a class="code" href="group___epid_member_module.html#ga76e535722467af7c16809b5b521e0000">EpidGetSigSize</a>(sig_rl);</div><div class="line"></div><div class="line"> *sig = calloc(1, *sig_len);</div><div class="line"> <span class="keywordflow">if</span> (!*sig) {</div><div class="line"> sts = <a class="code" href="group___error_codes.html#ggafdb27c77c2c4b32c807e326a8a0da360a11a4d2f1c37064eb663de08dc57bcda8">kEpidMemAllocErr</a>;</div><div class="line"> <span class="keywordflow">break</span>;</div><div class="line"> }</div><div class="line"></div><div class="line"> <span class="comment">// sign message</span></div><div class="line"> sts =</div><div class="line"> <a class="code" href="group___epid_member_module.html#ga74d1409a816cb52633564b793072da5f">EpidSign</a>(member, msg, msg_len, basename, basename_len, *sig, *sig_len);</div><div class="line"> <span class="keywordflow">if</span> (<a class="code" href="group___error_codes.html#ggafdb27c77c2c4b32c807e326a8a0da360a8a6861e14322ca9193498ffc955537f9">kEpidNoErr</a> != sts) {</div><div class="line"> <span class="keywordflow">break</span>;</div><div class="line"> }</div></div><!-- fragment --></p> +<p>To create a signature, first we find out the required size of the signature using <a class="el" href="group___epid_member_module.html#ga76e535722467af7c16809b5b521e0000" title="Computes the size in bytes required for an Intel(R) EPID signature. ">EpidGetSigSize</a>. Then we allocate a buffer for the signature and fill the buffer using <a class="el" href="group___epid_member_module.html#ga74d1409a816cb52633564b793072da5f" title="Writes an Intel(R) EPID signature. ">EpidSign</a>.</p> +<p>It is important to compute signature size after loading <code>sig_rl</code> because the signature size varies with the size of the SigRL.</p> +<p><br /> +</p> +<p>Finally, we clean up and exit.</p> +<p><div class="fragment"><div class="line"> sts = <a class="code" href="group___error_codes.html#ggafdb27c77c2c4b32c807e326a8a0da360a8a6861e14322ca9193498ffc955537f9">kEpidNoErr</a>;</div><div class="line"> } <span class="keywordflow">while</span> (0);</div><div class="line"></div><div class="line"> PrngDelete(&prng);</div><div class="line"> <a class="code" href="group___epid_member_module.html#ga98b4d990a885339b83cd0513fedcc76d">EpidMemberDeinit</a>(member);</div><div class="line"> <span class="keywordflow">if</span> (member) free(member);</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (sig_rl) free(sig_rl);</div><div class="line"></div><div class="line"> <span class="keywordflow">return</span> sts;</div><div class="line">}</div></div><!-- fragment --></p> +<p>If we made it past signing without an error, we set the return code appropriately and fall out of the do-while loop. If there was an error earlier, all breaks in the do-while loop bring us to this point with an error status.</p> +<p>Next, we de-initialize the member context and free the allocated resources. <a class="el" href="group___epid_member_module.html#ga98b4d990a885339b83cd0513fedcc76d" title="De-initializes an existing member context buffer. ">EpidMemberDeinit</a> de-initializes an existing member context.</p> +<p>We return from SignMsg with the success or error status.</p> +<p><br /> +</p> +<p>This concludes the <code>signmsg</code> walkthrough. Now you should be able to generate an Intel® EPID signature that proves a member's group membership to a verifier without revealing the member's identity.</p> +<p>To learn more about the SDK APIs see the <a href="modules.html"><b>API Reference</b></a>. To learn more about the Intel® EPID scheme see <a class="el" href="_epid_overview.html">Introduction to the Intel® EPID Scheme</a> in the documentation. </p> +</div></div><!-- contents --> +</div><!-- doc-content --> +<!-- HTML footer for doxygen 1.8.10--> +<!-- start footer part --> +<div id="nav-path" class="navpath"><!-- id is needed for treeview function! --> + <ul> + <li class="footer"> + © 2016-2017 Intel Corporation + </li> + </ul> +</div> +</body> +</html> |