1 files changed, 80 insertions, 16 deletions

diff --git a/src/exchange/taler-exchange-httpd_age-withdraw_reveal.c b/src/exchange/taler-exchange-httpd_age-withdraw_reveal.c
index cdb8115f..b378e0e2 100644
--- a/src/exchange/taler-exchange-httpd_age-withdraw_reveal.c
+++ b/src/exchange/taler-exchange-httpd_age-withdraw_reveal.c
@@ -35,7 +35,8 @@ struct AgeRevealContext
 {
 
   /**
-   * Commitment for the age-withdraw operation.
+   * Commitment for the age-withdraw operation, previously called by the
+   * client.
    */
   struct TALER_AgeWithdrawCommitmentHashP ach;
 
@@ -63,11 +64,6 @@ struct AgeRevealContext
   struct TEH_DenominationKey *denom_keys;
 
   /**
-   * #num_coins hases of blinded coins.
-   */
-  struct TALER_BlindedCoinHashP *coin_evs;
-
-  /**
    * Total sum of all denominations' values
    **/
   struct TALER_Amount total_amount;
@@ -78,6 +74,11 @@ struct AgeRevealContext
   struct TALER_Amount total_fee;
 
   /**
+   * #num_coins hashes of blinded coins.
+   */
+  struct TALER_BlindedCoinHashP *coin_evs;
+
+  /**
    * #num_coins*(kappa - 1) disclosed coins.
    */
   struct GNUNET_CRYPTO_EddsaPrivateKey *disclosed_coins;
@@ -343,17 +344,15 @@ denomination_is_valid (
     connection,
     result);
 
-  /* Does the denomination exist? */
   if (NULL == dks)
   {
+    /* The denomination doesn't exist */
     GNUNET_assert (result != NULL);
     /* Note: a HTTP-response has been queued and result has been set by
      * TEH_keys_denominations_by_hash2 */
     return false;
   }
 
-  /* Is the denomation still and already valid? */
-
   if (GNUNET_TIME_absolute_is_past (dks->meta.expire_withdraw.abs_time))
   {
     /* This denomination is past the expiration time for withdraws */
@@ -504,7 +503,7 @@ are_denominations_valid (
 
     if (0 != TALER_amount_cmp (&sum, amount_with_fee))
     {
-      GNUNET_break (0);
+      GNUNET_break_op (0);
       *result = TALER_MHD_reply_with_ec (connection,
                                          TALER_EC_EXCHANGE_AGE_WITHDRAW_AMOUNT_INCORRECT,
                                          NULL);
@@ -516,6 +515,62 @@ are_denominations_valid (
 }
 
 
+/**
+ * Checks the validity of the disclosed coins as follows:
+ * - Derives and calculates the disclosed coins'
+ *    - public keys,
+ *    - nonces (if applicable),
+ *    - age commitments,
+ *    - blindings
+ *    - blinded hashes
+ * - Computes h_commitment with those calculated and the undisclosed hashes
+ * - Compares h_commitment with the value from the original commitment
+ * - Verifies that all public keys in indices larger than max_age_group are
+ *   derived from the constant public key.
+ *
+ * The derivation of the blindings, (potential) nonces and age-commitment from
+ * a coin's private keys is defined in
+ * https://docs.taler.net/design-documents/024-age-restriction.html#withdraw
+ *
+ * @param connection HTTP-connection to the client
+ * @param h_commitment_orig Original commitment
+ * @param max_age_group Maximum age group allowed for the age restriction
+ * @param noreveal_idx Index that was given to the client in response to the age-withdraw request
+ * @param num_coins Number of coins
+ * @param coin_evs The Hashes of the undisclosed, blinded coins
+ * @param discloded_coins The private keys of the disclosed coins
+ * @param denom_keys The array of denomination keys. Needed to detect Clause-Schnorr-based denominations
+ * @param[out] result On error, a HTTP-response will be queued and result set accordingly
+ * @return GNUNET_OK on success, GNUNET_SYSERR otherwise
+ */
+static enum GNUNET_GenericReturnValue
+verify_commitment_and_max_age (
+  struct MHD_Connection *connection,
+  const struct TALER_AgeWithdrawCommitmentHashP *h_commitment_orig,
+  uint32_t max_age_group,
+  uint32_t noreveal_idx,
+  uint32_t num_coins,
+  const struct TALER_BlindedCoinHashP *coin_evs,
+  const struct GNUNET_CRYPTO_EddsaPrivateKey *disclosed_coins,
+  const struct TEH_DenominationKey *denom_keys,
+  MHD_RESULT *result)
+{
+  struct TALER_BlindedCoinHashP *disclosed_evs; /* Will contain all calculated hashes */
+
+  disclosed_evs = GNUNET_new_array (
+    num_coins * (TALER_CNC_KAPPA - 1),
+    struct TALER_BlindedCoinHashP);
+
+  for (uint32_t i = 0; i < num_coins; i++)
+  {
+    /* FIXME:oec:  Calculate new coins and blinded hashes */
+    /*TALER_age_restriction_commit_from_base(); */
+  }
+
+  return GNUNET_SYSERR;
+}
+
+
 MHD_RESULT
 TEH_handler_age_withdraw_reveal (
   struct TEH_RequestContext *rc,
@@ -583,15 +638,24 @@ TEH_handler_age_withdraw_reveal (
           &result))
       break;
 
+    /* Verify the computed h_commitment equals the committed one and that
+     * coins have a maximum age group of max_age_group */
+    if (GNUNET_OK != verify_commitment_and_max_age (
+          rc->connection,
+          &actx.commitment.h_commitment,
+          actx.commitment.max_age_group,
+          actx.commitment.noreveal_index,
+          actx.num_coins,
+          actx.coin_evs,
+          actx.disclosed_coins,
+          actx.denom_keys,
+          &result))
+      break;
+
+    /* TODO:oec: sign the coins */
 
   } while(0);
 
-  /* TODO:oec: compute the disclosed blinded coins */
-  /* TODO:oec: generate h_commitment_comp */
-  /* TODO:oec: compare h_commitment_comp against h_commitment */
-  /* TODO:oec: sign the coins */
-  /* TODO:oec: send response */
-
   age_reveal_context_free (&actx);
   GNUNET_JSON_parse_free (spec);
   return result;