taler/exchange
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[age restriction] progress 6/n

Browse Source 
lift logic for detection of age restriction of a denomination out from
taler-exchange-secmod-rsa.c to taler-exchange_httpd_keys.c
This commit is contained in:
Özgür Kesim 2021-12-01 15:25:33 +01:00
parent 41aba39f0f
commit 54c62f3ab9
Signed by: oec
GPG Key ID: 3D76A56D79EDD9D7
9 changed files with 129 additions and 110 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
src/exchange/taler-exchange-httpd_keys.c
View File

@ -12,7 +12,7 @@
You should have received a copy of the GNU Affero General Public License along with You should have received a copy of the GNU Affero General Public License along with
TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/> TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/>
*/ */
/** /**
* @file taler-exchange-httpd_keys.c * @file taler-exchange-httpd_keys.c
* @brief management of our various keys * @brief management of our various keys
@ -673,6 +673,60 @@ destroy_key_helpers (struct HelperState *hs)
} }
/**
* Looks up the AGE_RESTRICTED setting for a denomination in the config and
* returns the age restriction (mask) accordingly.
*
* FIXME: The mask is currently taken from the config. However, It MUST come
* from the database where it has been persisted after a signed call to the
* /management/extension API (TODO).
*
* @param section_name Section in the configuration for the particular
* denomination.
*/
static struct TALER_AgeMask
load_age_mask (const char*section_name)
{
static const struct TALER_AgeMask null_mask = {0};
struct TALER_AgeMask age_mask = {0};
/* FIXME-oec: get age_mask from database, not from config */
if (TALER_EXTENSION_OK != TALER_get_age_mask (TEH_cfg, &age_mask))
{
GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR,
TALER_EXTENSION_SECTION_AGE_RESTRICTION,
"AGE_GROUPS",
"must be of form a:b:...:n:m, where 0<a<b<...<n<m<32\n");
return null_mask;
}
if (age_mask.mask == 0)
{
return null_mask;
}
if (GNUNET_OK == (GNUNET_CONFIGURATION_have_value (
TEH_cfg,
section_name,
"AGE_RESTRICTED")))
{
enum GNUNET_GenericReturnValue ret;
if (GNUNET_SYSERR == (ret = GNUNET_CONFIGURATION_get_value_yesno (TEH_cfg,
section_name,
"AGE_RESTRICTED")))
{
GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR,
section_name,
"AGE_RESTRICTED",
"Value must be YES or NO\n");
return null_mask;
}
}
return age_mask;
}
/** /**
* Function called with information about available keys for signing. Usually * Function called with information about available keys for signing. Usually
* only called once per key upon connect. Also called again in case a key is * only called once per key upon connect. Also called again in case a key is
@ -690,7 +744,6 @@ destroy_key_helpers (struct HelperState *hs)
* @param sm_pub public key of the security module, NULL if the key was revoked or purged * @param sm_pub public key of the security module, NULL if the key was revoked or purged
* @param sm_sig signature from the security module, NULL if the key was revoked or purged * @param sm_sig signature from the security module, NULL if the key was revoked or purged
* The signature was already verified against @a sm_pub. * The signature was already verified against @a sm_pub.
* @param age_restricted true, if denomination is age restricted
*/ */
static void static void
helper_rsa_cb ( helper_rsa_cb (
@ -701,8 +754,7 @@ helper_rsa_cb (
const struct TALER_RsaPubHashP *h_rsa, const struct TALER_RsaPubHashP *h_rsa,
const struct TALER_DenominationPublicKey *denom_pub, const struct TALER_DenominationPublicKey *denom_pub,
const struct TALER_SecurityModulePublicKeyP *sm_pub, const struct TALER_SecurityModulePublicKeyP *sm_pub,
const struct TALER_SecurityModuleSignatureP *sm_sig, const struct TALER_SecurityModuleSignatureP *sm_sig)
bool age_restricted)
{ {
struct HelperState *hs = cls; struct HelperState *hs = cls;
struct HelperDenomination *hd; struct HelperDenomination *hd;
@ -734,17 +786,8 @@ helper_rsa_cb (
TALER_denom_pub_deep_copy (&hd->denom_pub, TALER_denom_pub_deep_copy (&hd->denom_pub,
denom_pub); denom_pub);
GNUNET_assert (TALER_DENOMINATION_RSA == hd->denom_pub.cipher); GNUNET_assert (TALER_DENOMINATION_RSA == hd->denom_pub.cipher);
/* load the age mask for the denomination, if applicable */
/* Set age restriction, if applicable */ hd->denom_pub.age_mask = load_age_mask (section_name);
hd->denom_pub.age_mask.mask = 0;
if (age_restricted)
{
/* FIXME-oec: get age mask from global */
GNUNET_assert (TALER_EXTENSION_OK == TALER_get_age_mask (TEH_cfg,
&hd->denom_pub.
age_mask));
}
TALER_denom_pub_hash (&hd->denom_pub, TALER_denom_pub_hash (&hd->denom_pub,
&hd->h_denom_pub); &hd->h_denom_pub);
hd->section_name = GNUNET_strdup (section_name); hd->section_name = GNUNET_strdup (section_name);
@ -2285,16 +2328,17 @@ TEH_keys_get_handler (struct TEH_RequestContext *rc,
/** /**
* Load fees and expiration times (!) for the denomination type configured in * Load extension data, like fees, expiration times (!) and age restriction
* section @a section_name. Before calling this function, the `start` and * flags for the denomination type configured in section @a section_name.
* `validity_duration` times must already be initialized in @a meta. * Before calling this function, the `start` and `validity_duration` times must
* already be initialized in @a meta.
* *
* @param section_name section in the configuration to use * @param section_name section in the configuration to use
* @param[in,out] meta denomination type data to complete * @param[in,out] meta denomination type data to complete
* @return #GNUNET_OK on success * @return #GNUNET_OK on success
*/ */
static enum GNUNET_GenericReturnValue static enum GNUNET_GenericReturnValue
load_fees (const char *section_name, load_extension_data (const char *section_name,
struct TALER_EXCHANGEDB_DenominationKeyMetaData *meta) struct TALER_EXCHANGEDB_DenominationKeyMetaData *meta)
{ {
struct GNUNET_TIME_Relative deposit_duration; struct GNUNET_TIME_Relative deposit_duration;
@ -2408,6 +2452,7 @@ load_fees (const char *section_name,
TEH_currency); TEH_currency);
return GNUNET_SYSERR; return GNUNET_SYSERR;
} }
meta->age_restrictions = load_age_mask (section_name);
return GNUNET_OK; return GNUNET_OK;
} }
@ -2440,7 +2485,7 @@ TEH_keys_load_fees (const struct TALER_DenominationHash *h_denom_pub,
meta->start = hd->start_time; meta->start = hd->start_time;
meta->expire_withdraw = GNUNET_TIME_absolute_add (meta->start, meta->expire_withdraw = GNUNET_TIME_absolute_add (meta->start,
hd->validity_duration); hd->validity_duration);
ok = load_fees (hd->section_name, ok = load_extension_data (hd->section_name,
meta); meta);
if (GNUNET_OK == ok) if (GNUNET_OK == ok)
{ {
@ -2542,7 +2587,7 @@ add_future_denomkey_cb (void *cls,
meta.expire_withdraw = GNUNET_TIME_absolute_add (meta.start, meta.expire_withdraw = GNUNET_TIME_absolute_add (meta.start,
hd->validity_duration); hd->validity_duration);
if (GNUNET_OK != if (GNUNET_OK !=
load_fees (hd->section_name, load_extension_data (hd->section_name,
&meta)) &meta))
{ {
/* Woops, couldn't determine fee structure!? */ /* Woops, couldn't determine fee structure!? */

4
src/include/taler_crypto_lib.h
View File

@ -1362,7 +1362,6 @@ struct TALER_CRYPTO_RsaDenominationHelper;
* @param sm_pub public key of the security module, NULL if the key was revoked or purged * @param sm_pub public key of the security module, NULL if the key was revoked or purged
* @param sm_sig signature from the security module, NULL if the key was revoked or purged * @param sm_sig signature from the security module, NULL if the key was revoked or purged
* The signature was already verified against @a sm_pub. * The signature was already verified against @a sm_pub.
* @param age_restricted true, if denomnation has age restriction set
*/ */
typedef void typedef void
(*TALER_CRYPTO_RsaDenominationKeyStatusCallback)( (*TALER_CRYPTO_RsaDenominationKeyStatusCallback)(
@ -1373,8 +1372,7 @@ typedef void
const struct TALER_RsaPubHashP *h_rsa, const struct TALER_RsaPubHashP *h_rsa,
const struct TALER_DenominationPublicKey *denom_pub, const struct TALER_DenominationPublicKey *denom_pub,
const struct TALER_SecurityModulePublicKeyP *sm_pub, const struct TALER_SecurityModulePublicKeyP *sm_pub,
const struct TALER_SecurityModuleSignatureP *sm_sig, const struct TALER_SecurityModuleSignatureP *sm_sig);
bool age_restricted);
/** /**

15
src/include/taler_exchangedb_plugin.h
View File

@ -630,9 +630,20 @@ struct TALER_EXCHANGEDB_DenominationKeyMetaData
struct TALER_Amount fee_refund; struct TALER_Amount fee_refund;
/** /**
* Indication if age restriction is set for this denomination * Age restriction for the denomination. (can be zero). If not zero, the bits
* set in the mask mark the edges at the beginning of a next age group. F.e.
* for the age groups
* 0-7, 8-9, 10-11, 12-14, 14-15, 16-17, 18-21, 21-*
* the following bits are set:
*
* 31 24 16 8 0
* | | | | |
* oooooooo oo1oo1o1 o1o1o1o1 ooooooo1
*
* A value of 0 means that the denomination does not support the extension for
* age-restriction.
*/ */
bool age_restricted; struct TALER_AgeMask age_restrictions;
}; };

4
src/include/taler_extensions.h
View File

@ -39,8 +39,8 @@ enum TALER_EXTENSION_ReturnValue
* TALER Age Restriction Extensions * TALER Age Restriction Extensions
*/ */
#define TALER_EXTENSION_SECTION_AGE_RESTRICTION TALER_EXTENSION_SECTION_PREFIX \ #define TALER_EXTENSION_SECTION_AGE_RESTRICTION (TALER_EXTENSION_SECTION_PREFIX \
"agerestriction" "agerestriction")
/** /**
* The default age mask represents the age groups * The default age mask represents the age groups

4
src/lib/exchange_api_deposit.c
View File

@ -13,7 +13,7 @@
You should have received a copy of the GNU General Public License along with You should have received a copy of the GNU General Public License along with
TALER; see the file COPYING. If not, see TALER; see the file COPYING. If not, see
<http://www.gnu.org/licenses/> <http://www.gnu.org/licenses/>
*/ */
/** /**
* @file lib/exchange_api_deposit.c * @file lib/exchange_api_deposit.c
* @brief Implementation of the /deposit request of the exchange's HTTP API * @brief Implementation of the /deposit request of the exchange's HTTP API
@ -514,7 +514,7 @@ verify_signatures (const struct TALER_EXCHANGE_DenomPublicKey *dki,
.coin_pub = *coin_pub, .coin_pub = *coin_pub,
.denom_pub_hash = *denom_pub_hash, .denom_pub_hash = *denom_pub_hash,
.denom_sig = *denom_sig, .denom_sig = *denom_sig,
.age_commitment_hash = { 0 } /* FIXME-Oec */ .age_commitment_hash = {{{0}}} /* FIXME-Oec */
}; };
if (GNUNET_YES != if (GNUNET_YES !=

6
src/util/crypto_helper_rsa.c
View File

@ -239,8 +239,7 @@ handle_mt_avail (struct TALER_CRYPTO_RsaDenominationHelper *dh,
&h_rsa, &h_rsa,
&denom_pub, &denom_pub,
&kan->secm_pub, &kan->secm_pub,
&kan->secm_sig, &kan->secm_sig);
(kan->age_restricted > 0));
TALER_denom_pub_free (&denom_pub); TALER_denom_pub_free (&denom_pub);
} }
return GNUNET_OK; return GNUNET_OK;
@ -276,8 +275,7 @@ handle_mt_purge (struct TALER_CRYPTO_RsaDenominationHelper *dh,
&pn->h_rsa, &pn->h_rsa,
NULL, NULL,
NULL, NULL,
NULL, NULL);
false);
return GNUNET_OK; return GNUNET_OK;
} }

26
src/util/taler-exchange-secmod-rsa.c
View File

@ -12,7 +12,7 @@
You should have received a copy of the GNU General Public License along with You should have received a copy of the GNU General Public License along with
TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/> TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/>
*/ */
/** /**
* @file util/taler-exchange-secmod-rsa.c * @file util/taler-exchange-secmod-rsa.c
* @brief Standalone process to perform private key RSA operations * @brief Standalone process to perform private key RSA operations
@ -156,11 +156,6 @@ struct Denomination
* Length of (new) RSA keys (in bits). * Length of (new) RSA keys (in bits).
*/ */
uint32_t rsa_keysize; uint32_t rsa_keysize;
/**
* Is the denomination age restricted? 0 == false
*/
uint8_t age_restricted;
}; };
@ -263,7 +258,6 @@ notify_client_dk_add (struct TES_Client *client,
an->section_name_len = htons ((uint16_t) nlen); an->section_name_len = htons ((uint16_t) nlen);
an->anchor_time = GNUNET_TIME_absolute_hton (dk->anchor); an->anchor_time = GNUNET_TIME_absolute_hton (dk->anchor);
an->duration_withdraw = GNUNET_TIME_relative_hton (denom->duration_withdraw); an->duration_withdraw = GNUNET_TIME_relative_hton (denom->duration_withdraw);
an->age_restricted = denom->age_restricted;
TALER_exchange_secmod_rsa_sign (&dk->h_rsa, TALER_exchange_secmod_rsa_sign (&dk->h_rsa,
denom->section, denom->section,
dk->anchor, dk->anchor,
@ -1262,24 +1256,6 @@ parse_denomination_cfg (const struct GNUNET_CONFIGURATION_Handle *cfg,
} }
denom->rsa_keysize = (unsigned int) rsa_keysize; denom->rsa_keysize = (unsigned int) rsa_keysize;
denom->section = GNUNET_strdup (ct); denom->section = GNUNET_strdup (ct);
if (GNUNET_OK == (GNUNET_CONFIGURATION_have_value (cfg,
ct,
"AGE_RESTRICTED")))
{
enum GNUNET_GenericReturnValue ret;
if (GNUNET_SYSERR == (ret = GNUNET_CONFIGURATION_get_value_yesno (cfg,
ct,
"AGE_RESTRICTED")))
{
GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR,
ct,
"AGE_RESTRICTED",
"Value must be YES or NO\n");
return GNUNET_SYSERR;
}
denom->age_restricted = (ret == GNUNET_OK) ? 1 : 0;
}
return GNUNET_OK; return GNUNET_OK;
} }

5
src/util/taler-exchange-secmod-rsa.h
View File

@ -77,11 +77,6 @@ struct TALER_CRYPTO_RsaKeyAvailableNotification
*/ */
struct TALER_SecurityModuleSignatureP secm_sig; struct TALER_SecurityModuleSignatureP secm_sig;
/**
* Indicator for age restriction
*/
uint8_t age_restricted;
/* followed by @e pub_size bytes of the RSA public key */ /* followed by @e pub_size bytes of the RSA public key */
/* followed by @e section_name bytes of the configuration section name /* followed by @e section_name bytes of the configuration section name

6
src/util/test_helper_rsa.c
View File

@ -133,7 +133,6 @@ free_keys (void)
* @param sm_pub public key of the security module, NULL if the key was revoked or purged * @param sm_pub public key of the security module, NULL if the key was revoked or purged
* @param sm_sig signature from the security module, NULL if the key was revoked or purged * @param sm_sig signature from the security module, NULL if the key was revoked or purged
* The signature was already verified against @a sm_pub. * The signature was already verified against @a sm_pub.
* @param age_restricted indication if denomination is age restricted
*/ */
static void static void
key_cb (void *cls, key_cb (void *cls,
@ -143,13 +142,11 @@ key_cb (void *cls,
const struct TALER_RsaPubHashP *h_rsa, const struct TALER_RsaPubHashP *h_rsa,
const struct TALER_DenominationPublicKey *denom_pub, const struct TALER_DenominationPublicKey *denom_pub,
const struct TALER_SecurityModulePublicKeyP *sm_pub, const struct TALER_SecurityModulePublicKeyP *sm_pub,
const struct TALER_SecurityModuleSignatureP *sm_sig, const struct TALER_SecurityModuleSignatureP *sm_sig)
bool age_restricted)
{ {
(void) cls; (void) cls;
(void) sm_pub; (void) sm_pub;
(void) sm_sig; (void) sm_sig;
(void) age_restricted;
GNUNET_log (GNUNET_ERROR_TYPE_INFO, GNUNET_log (GNUNET_ERROR_TYPE_INFO,
"Key notification about key %s in `%s'\n", "Key notification about key %s in `%s'\n",
GNUNET_h2s (&h_rsa->hash), GNUNET_h2s (&h_rsa->hash),
@ -189,7 +186,6 @@ key_cb (void *cls,
keys[i].validity_duration = validity_duration; keys[i].validity_duration = validity_duration;
TALER_denom_pub_deep_copy (&keys[i].denom_pub, TALER_denom_pub_deep_copy (&keys[i].denom_pub,
denom_pub); denom_pub);
/* FIXME-oec: take age_restriction into account!? */
num_keys++; num_keys++;
return; return;
} }