Add verification methods

keyserver/server_test.go

@@ -154,7 +154,7 @@ func TestUpdateDirectory(t *testing.T) {
 		timer := time.NewTimer(1 * time.Second)
 		<-timer.C
 		str1 := server.dir.LatestSTR()
-		if str0.Epoch != 0 || str1.Epoch != 1 || !str1.VerifyHashChain(str0.Signature) {
+		if str0.Epoch != 0 || str1.Epoch != 1 || !str1.VerifyHashChain(str0) {
 			t.Fatal("Expect next STR in hash chain")
 		}
 	})

merkletree/proof.go

@@ -36,12 +36,21 @@ func (n *ProofNode) hash(treeNonce []byte) []byte {
 	}
 }
 
+type ProofType int
+
+const (
+	undeterminedProof ProofType = iota
+	ProofOfAbsence
+	ProofOfInclusion
+)
+
 type AuthenticationPath struct {
 	TreeNonce   []byte
 	PrunedTree  [][crypto.HashSizeByte]byte
 	LookupIndex []byte
 	VrfProof    []byte
 	Leaf        *ProofNode
+	proofType   ProofType
 }
 
 func (ap *AuthenticationPath) authPathHash() []byte {
@@ -59,11 +68,14 @@ func (ap *AuthenticationPath) authPathHash() []byte {
 	return hash
 }
 
+func (ap *AuthenticationPath) verifyBinding(key, value []byte) bool {
+	return bytes.Equal(ap.Leaf.Value, value) &&
+		ap.Leaf.Commitment.Verify(key, value)
+}
+
 // Verify should be called after the vrf index is verified successfully
-func (ap *AuthenticationPath) Verify(treeHash []byte) bool {
-	// step 1. Verify if it's a proof of inclusion/proof of absence
-	if !bytes.Equal(ap.Leaf.Index, ap.LookupIndex) {
-		// proof of absence
+func (ap *AuthenticationPath) Verify(key, value, treeHash []byte) bool {
+	if ap.ProofType() == ProofOfAbsence { // proof of absence
 		// Check if i and j match in the first l bits
 		indexBits := util.ToBits(ap.Leaf.Index)
 		lookupIndexBits := util.ToBits(ap.LookupIndex)
@@ -72,10 +84,27 @@ func (ap *AuthenticationPath) Verify(treeHash []byte) bool {
 				return false
 			}
 		}
+	} else { // proof of inclusion
+		// Verify the key-value binding returned in the ProofNode
+		if !ap.verifyBinding(key, value) {
+			return false
+		}
 	}
+
 	// step 2. Verify the auth path of the returned leaf
 	if !bytes.Equal(treeHash, ap.authPathHash()) {
 		return false
 	}
 	return true
 }
+
+func (ap *AuthenticationPath) ProofType() ProofType {
+	if ap.proofType == undeterminedProof {
+		if bytes.Equal(ap.LookupIndex, ap.Leaf.Index) {
+			ap.proofType = ProofOfInclusion
+		} else {
+			ap.proofType = ProofOfAbsence
+		}
+	}
+	return ap.proofType
+}

merkletree/proof_test.go

@@ -56,18 +56,14 @@ func TestVerifyProof(t *testing.T) {
 	if proof.Leaf.Value == nil {
 		t.Fatal("Expect returned leaf's value is not nil")
 	}
-	// step 1. ensure this is a proof of inclusion by comparing the returned indices
+	// ensure this is a proof of inclusion by comparing the returned indices
 	// and verifying the VRF index as well.
 	if !bytes.Equal(proof.LookupIndex, proof.Leaf.Index) ||
 		!bytes.Equal(vrfPrivKey1.Compute([]byte(key3)), proof.LookupIndex) {
 		t.Fatal("Expect a proof of inclusion")
 	}
-	// step 2. verify commitment
-	if !proof.Leaf.Commitment.Verify([]byte(key3), proof.Leaf.Value) {
-		t.Fatal("Commitment verification returns false")
-	}
-	// step 3. verify auth path
-	if !proof.Verify(m.hash) {
+	// verify auth path
+	if !proof.Verify([]byte(key3), val3, m.hash) {
 		t.Error("Proof of inclusion verification failed.")
 	}
 
@@ -82,7 +78,7 @@ func TestVerifyProof(t *testing.T) {
 		!bytes.Equal(vrfPrivKey1.Compute([]byte("123")), proof.LookupIndex) {
 		t.Fatal("Expect a proof of absence")
 	}
-	if !proof.Verify(m.hash) {
+	if !proof.Verify([]byte("123"), nil, m.hash) {
 		t.Error("Proof of absence verification failed.")
 	}
 }
@@ -115,7 +111,7 @@ func TestVerifyProofSamePrefix(t *testing.T) {
 		util.ToBytes(util.ToBits(absentIndex)[:proof.Leaf.Level])) {
 		t.Fatal("Expect these indices share the same prefix in the first bit")
 	}
-	if !proof.Verify(m.hash) {
+	if !proof.Verify([]byte("a"), nil, m.hash) {
 		t.Error("Proof of absence verification failed.")
 	}
 
@@ -125,19 +121,14 @@ func TestVerifyProofSamePrefix(t *testing.T) {
 	if proof.Leaf.Value == nil {
 		t.Fatal("Expect returned leaf's value is not nil")
 	}
-	// step 1. ensure this is a proof of inclusion by comparing the returned indices
+	// ensure this is a proof of inclusion by comparing the returned indices
 	// and verifying the VRF index as well.
 	if !bytes.Equal(proof.LookupIndex, proof.Leaf.Index) ||
 		!bytes.Equal(vrfPrivKey1.Compute([]byte(key1)), proof.LookupIndex) {
 		t.Fatal("Expect a proof of inclusion")
 	}
-	// step 2. verify commitment
-	if !proof.Leaf.Commitment.Verify([]byte(key1), proof.Leaf.Value) {
-		t.Fatal("Commitment verification returns false",
-			"got commitment salt", proof.Leaf.Commitment.Salt)
-	}
-	// step 3. verify auth path
-	if !proof.Verify(m.hash) {
+	// step 2. verify auth path
+	if !proof.Verify([]byte(key1), val1, m.hash) {
 		t.Error("Proof of inclusion verification failed.")
 	}
 }

merkletree/str.go

@@ -56,7 +56,7 @@ func (str *SignedTreeRoot) Serialize() []byte {
 	return strBytes
 }
 
-func (str *SignedTreeRoot) VerifyHashChain(savedSTRSig []byte) bool {
-	hash := crypto.Digest(savedSTRSig)
-	return bytes.Equal(hash, str.PreviousSTRHash)
+func (str *SignedTreeRoot) VerifyHashChain(savedSTR *SignedTreeRoot) bool {
+	hash := crypto.Digest(savedSTR.Signature)
+	return str.Epoch == savedSTR.Epoch+1 && bytes.Equal(hash, str.PreviousSTRHash)
 }

merkletree/str_test.go

@@ -4,7 +4,6 @@ import "testing"
 
 func TestVerifyHashChain(t *testing.T) {
 	var N uint64 = 100
-	var savedSTR []byte
 
 	keyPrefix := "key"
 	valuePrefix := []byte("value")
@@ -13,7 +12,7 @@ func TestVerifyHashChain(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	savedSTR = pad.LatestSTR().Signature
+	savedSTR := pad.LatestSTR()
 
 	pk, ok := pad.signKey.Public()
 	if !ok {
@@ -38,6 +37,6 @@ func TestVerifyHashChain(t *testing.T) {
 		if !str.VerifyHashChain(savedSTR) {
 			t.Fatal("Spurious STR at epoch", i)
 		}
-		savedSTR = str.Signature
+		savedSTR = str
 	}
 }