implement #6661: secm key pinning via configuration
This commit is contained in:
parent
deed88fe33
commit
247d1ca3e5
@ -977,7 +977,7 @@ future denomnations. So this must be read with a keen eye on the
|
|||||||
business situation.
|
business situation.
|
||||||
|
|
||||||
|
|
||||||
{% if coins.unsigned_denominations() == 0 %}
|
{% if coins.unsigned_denominations|length() == 0 %}
|
||||||
{\bf All denominations officially audited by this auditor.}
|
{\bf All denominations officially audited by this auditor.}
|
||||||
{% else %}
|
{% else %}
|
||||||
\begin{longtable}{p{6cm}|r|r|r}
|
\begin{longtable}{p{6cm}|r|r|r}
|
||||||
|
@ -681,12 +681,12 @@ TALER_ARL_init (const struct GNUNET_CONFIGURATION_Handle *c)
|
|||||||
if (GNUNET_OK !=
|
if (GNUNET_OK !=
|
||||||
GNUNET_CONFIGURATION_get_value_string (TALER_ARL_cfg,
|
GNUNET_CONFIGURATION_get_value_string (TALER_ARL_cfg,
|
||||||
"auditor",
|
"auditor",
|
||||||
"BASE_URL",
|
"AUDITOR_URL",
|
||||||
&TALER_ARL_auditor_url))
|
&TALER_ARL_auditor_url))
|
||||||
{
|
{
|
||||||
GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
|
GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
|
||||||
"auditor",
|
"auditor",
|
||||||
"BASE_URL");
|
"AUDITOR_URL");
|
||||||
return GNUNET_SYSERR;
|
return GNUNET_SYSERR;
|
||||||
}
|
}
|
||||||
if (GNUNET_YES == GNUNET_is_zero (&TALER_ARL_master_pub))
|
if (GNUNET_YES == GNUNET_is_zero (&TALER_ARL_master_pub))
|
||||||
|
@ -7,3 +7,9 @@ MASTER_PRIV_FILE = ${TALER_DATA_HOME}/exchange/offline-keys/master.priv
|
|||||||
|
|
||||||
# Where do we store the TOFU key material?
|
# Where do we store the TOFU key material?
|
||||||
SECM_TOFU_FILE = ${TALER_DATA_HOME}/exchange/offline-keys/secm_tofus.pub
|
SECM_TOFU_FILE = ${TALER_DATA_HOME}/exchange/offline-keys/secm_tofus.pub
|
||||||
|
|
||||||
|
# Base32-encoded public key of the RSA helper.
|
||||||
|
# SECM_DENOM_PUBKEY =
|
||||||
|
|
||||||
|
# Base32-encoded public key of the EdDSA helper.
|
||||||
|
# SECM_ESIGN_PUBKEY =
|
@ -2331,6 +2331,74 @@ tofu_check (const struct TALER_SecurityModulePublicKeyP secm[2])
|
|||||||
GNUNET_free (fn);
|
GNUNET_free (fn);
|
||||||
return GNUNET_OK;
|
return GNUNET_OK;
|
||||||
}
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
char *key;
|
||||||
|
|
||||||
|
/* check against SECMOD-keys pinned in configuration */
|
||||||
|
if (GNUNET_OK ==
|
||||||
|
GNUNET_CONFIGURATION_get_value_string (kcfg,
|
||||||
|
"exchange-offline",
|
||||||
|
"SECM_ESIGN_PUBKEY",
|
||||||
|
&key))
|
||||||
|
{
|
||||||
|
struct TALER_SecurityModulePublicKeyP k;
|
||||||
|
|
||||||
|
if (GNUNET_OK !=
|
||||||
|
GNUNET_STRINGS_string_to_data (key,
|
||||||
|
strlen (key),
|
||||||
|
&k,
|
||||||
|
sizeof (k)))
|
||||||
|
{
|
||||||
|
GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR,
|
||||||
|
"exchange-offline",
|
||||||
|
"SECM_ESIGN_PUBKEY",
|
||||||
|
"key malformed");
|
||||||
|
GNUNET_free (key);
|
||||||
|
return GNUNET_SYSERR;
|
||||||
|
}
|
||||||
|
GNUNET_free (key);
|
||||||
|
if (0 !=
|
||||||
|
GNUNET_memcmp (&k,
|
||||||
|
&secm[1]))
|
||||||
|
{
|
||||||
|
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
|
||||||
|
"ESIGN security module key does not match SECM_ESIGN_PUBKEY in configuration\n");
|
||||||
|
return GNUNET_SYSERR;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (GNUNET_OK ==
|
||||||
|
GNUNET_CONFIGURATION_get_value_string (kcfg,
|
||||||
|
"exchange-offline",
|
||||||
|
"SECM_DENOM_PUBKEY",
|
||||||
|
&key))
|
||||||
|
{
|
||||||
|
struct TALER_SecurityModulePublicKeyP k;
|
||||||
|
|
||||||
|
if (GNUNET_OK !=
|
||||||
|
GNUNET_STRINGS_string_to_data (key,
|
||||||
|
strlen (key),
|
||||||
|
&k,
|
||||||
|
sizeof (k)))
|
||||||
|
{
|
||||||
|
GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR,
|
||||||
|
"exchange-offline",
|
||||||
|
"SECM_DENOM_PUBKEY",
|
||||||
|
"key malformed");
|
||||||
|
GNUNET_free (key);
|
||||||
|
return GNUNET_SYSERR;
|
||||||
|
}
|
||||||
|
GNUNET_free (key);
|
||||||
|
if (0 !=
|
||||||
|
GNUNET_memcmp (&k,
|
||||||
|
&secm[0]))
|
||||||
|
{
|
||||||
|
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
|
||||||
|
"DENOM security module key does not match SECM_DENOM_PUBKEY in configuration\n");
|
||||||
|
return GNUNET_SYSERR;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
/* persist keys for future runs */
|
/* persist keys for future runs */
|
||||||
if (GNUNET_OK !=
|
if (GNUNET_OK !=
|
||||||
GNUNET_DISK_fn_write (fn,
|
GNUNET_DISK_fn_write (fn,
|
||||||
|
Loading…
Reference in New Issue
Block a user