From cc670963c5d1469745655f2369059a9c1f87a301 Mon Sep 17 00:00:00 2001
From: Vecna <vvecna@uwaterloo.ca>
Date: Mon, 26 Feb 2024 18:00:43 -0500
Subject: [PATCH] Check that date in Lox proof matches date in PR

---
 Cargo.toml             |  1 +
 src/positive_report.rs | 14 +++++++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index f5f32e3..3d93807 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -25,6 +25,7 @@ serde = "1.0.195"
 serde_json = "1.0"
 serde_with = {version = "3.5.0", features = ["json"]}
 sha1 = "0.10"
+sha2 = "0.10"
 sha3 = "0.10"
 sled = "0.34.7"
 time = "0.3.30"
diff --git a/src/positive_report.rs b/src/positive_report.rs
index d01c41a..75d8249 100644
--- a/src/positive_report.rs
+++ b/src/positive_report.rs
@@ -3,11 +3,12 @@
 
 use crate::{get_date, CONFIG, COUNTRY_CODES};
 
-use curve25519_dalek::Scalar;
+use curve25519_dalek::{RistrettoPoint, Scalar};
 use ed25519_dalek::{Signature, Signer, SigningKey, Verifier, VerifyingKey};
 use lox_library::{cred::Lox, proto::positive_report as lox_pr, IssuerPubKey};
 use serde::{Deserialize, Serialize};
 use sha1::{Digest, Sha1};
+use sha2::Sha512;
 use std::option::Option;
 
 #[derive(Debug)]
@@ -16,6 +17,7 @@ pub enum PositiveReportError {
     FailedToDeserialize, // couldn't deserialize to SerializablePositiveReport
     InvalidBridgeToken,
     InvalidCountryCode,
+    InvalidLoxProof,
     MissingBridgeToken,
     MissingCountryCode,
 }
@@ -130,7 +132,9 @@ impl PositiveReport {
             }
         }
         // Verify knowledge of bucket ID
-        let H = self.lox_proof.H;
+        let H = RistrettoPoint::hash_from_bytes::<Sha512>(
+            format!("{}{}", lox_pr::H_GENERATOR_STRING, self.lox_proof.date).as_bytes(),
+        );
         let BP = self.lox_proof.BP;
         if bucket * H != BP {
             return false;
@@ -162,9 +166,13 @@ impl SerializablePositiveReport {
         if !COUNTRY_CODES.contains(self.country.as_str()) {
             return Err(PositiveReportError::InvalidCountryCode);
         }
-        if self.date > get_date().into() {
+        let date: u32 = get_date().into();
+        if self.date > date {
             return Err(PositiveReportError::DateInFuture);
         }
+        if self.lox_proof.date != date {
+            return Err(PositiveReportError::InvalidLoxProof);
+        }
         let bridge_token = if self.bridge_token.is_none() {
             None
         } else {