implement new taler-auditor-offline tool

This commit is contained in:
Christian Grothoff 2020-12-06 00:05:45 +01:00
parent 9aff197bb3
commit 70b0839644
No known key found for this signature in database
GPG Key ID: 939E6BE1E29FC3CC
12 changed files with 1541 additions and 97 deletions

View File

@ -2,3 +2,4 @@ test_taler_exchange_httpd_home/.local/share/taler/exchange/live-keys/
test_taler_exchange_httpd_home/.local/share/taler/exchange/wirefees/
test_taler_exchange_httpd_home/.config/taler/account-1.json
taler-exchange-offline
taler-auditor-offline

View File

@ -13,6 +13,7 @@ if USE_COVERAGE
endif
bin_PROGRAMS = \
taler-auditor-offline \
taler-exchange-keyup \
taler-exchange-keycheck \
taler-exchange-offline \
@ -47,6 +48,20 @@ taler_exchange_offline_LDADD = \
$(XLIB)
taler_auditor_offline_SOURCES = \
taler-auditor-offline.c
taler_auditor_offline_LDADD = \
$(LIBGCRYPT_LIBS) \
$(top_builddir)/src/lib/libtalerexchange.la \
$(top_builddir)/src/json/libtalerjson.la \
$(top_builddir)/src/util/libtalerutil.la \
-lgnunetjson \
-lgnunetcurl \
-ljansson \
-lgnunetutil \
$(XLIB)
taler_exchange_wire_SOURCES = \
taler-exchange-wire.c
taler_exchange_wire_LDADD = \

File diff suppressed because it is too large Load Diff

View File

@ -2391,6 +2391,9 @@ do_sign (char *const *args)
return;
}
}
if (GNUNET_OK !=
load_offline_key ())
return;
{
const char *err_name;

View File

@ -144,49 +144,34 @@ add_auditor_denom_sig (void *cls,
TALER_B2S (awc->auditor_pub));
return GNUNET_DB_STATUS_HARD_ERROR;
}
if (GNUNET_OK !=
TALER_auditor_denom_validity_verify (
auditor_url,
awc->h_denom_pub,
&TEH_master_public_key,
meta.start,
meta.expire_withdraw,
meta.expire_deposit,
meta.expire_legal,
&meta.value,
&meta.fee_withdraw,
&meta.fee_deposit,
&meta.fee_refresh,
&meta.fee_refund,
awc->auditor_pub,
&awc->auditor_sig))
{
struct TALER_ExchangeKeyValidityPS kv = {
.purpose.purpose = htonl (TALER_SIGNATURE_AUDITOR_EXCHANGE_KEYS),
.purpose.size = htonl (sizeof (kv)),
.master = TEH_master_public_key,
.start = GNUNET_TIME_absolute_hton (meta.start),
.expire_withdraw = GNUNET_TIME_absolute_hton (meta.expire_withdraw),
.expire_deposit = GNUNET_TIME_absolute_hton (meta.expire_deposit),
.expire_legal = GNUNET_TIME_absolute_hton (meta.expire_legal),
.denom_hash = *awc->h_denom_pub
};
TALER_amount_hton (&kv.value,
&meta.value);
TALER_amount_hton (&kv.fee_withdraw,
&meta.fee_withdraw);
TALER_amount_hton (&kv.fee_deposit,
&meta.fee_deposit);
TALER_amount_hton (&kv.fee_refresh,
&meta.fee_refresh);
TALER_amount_hton (&kv.fee_refund,
&meta.fee_refund);
GNUNET_CRYPTO_hash (auditor_url,
strlen (auditor_url) + 1,
&kv.auditor_url_hash);
GNUNET_free (auditor_url);
if (GNUNET_OK !=
GNUNET_CRYPTO_eddsa_verify (
TALER_SIGNATURE_AUDITOR_EXCHANGE_KEYS,
&kv,
&awc->auditor_sig.eddsa_sig,
&TEH_master_public_key.eddsa_pub))
{
/* signature invalid */
GNUNET_break_op (0);
*mhd_ret = TALER_MHD_reply_with_error (
connection,
MHD_HTTP_FORBIDDEN,
TALER_EC_EXCHANGE_AUDITORS_AUDITOR_SIGNATURE_INVALID,
NULL);
return GNUNET_DB_STATUS_HARD_ERROR;
}
/* signature invalid */
GNUNET_break_op (0);
*mhd_ret = TALER_MHD_reply_with_error (
connection,
MHD_HTTP_FORBIDDEN,
TALER_EC_EXCHANGE_AUDITORS_AUDITOR_SIGNATURE_INVALID,
NULL);
return GNUNET_DB_STATUS_HARD_ERROR;
}
GNUNET_free (auditor_url);
qs = TEH_plugin->insert_auditor_denom_sig (TEH_plugin->cls,
session,

View File

@ -1294,6 +1294,79 @@ TALER_exchange_secmod_rsa_verify (
const struct TALER_SecurityModuleSignatureP *secm_sig);
/**
* Create denomination key validity signature by the auditor.
*
* @param auditor_url BASE URL of the auditor's API
* @param h_denom_pub hash of the denomination's public key
* @param master_pub master public key of the exchange
* @param stamp_start when does the exchange begin signing with this key
* @param stamp_expire_withdraw when does the exchange end signing with this key
* @param stamp_expire_deposit how long does the exchange accept the deposit of coins with this key
* @param stamp_expire_legal how long does the exchange preserve information for legal disputes with this key
* @param coin_value what is the value of coins signed with this key
* @param fee_withdraw what withdraw fee does the exchange charge for this denomination
* @param fee_deposit what deposit fee does the exchange charge for this denomination
* @param fee_refresh what refresh fee does the exchange charge for this denomination
* @param fee_refund what refund fee does the exchange charge for this denomination
* @param auditor_priv private key to sign with
* @param[out] auditor_sig where to write the signature
*/
void
TALER_auditor_denom_validity_sign (
const char *auditor_url,
const struct GNUNET_HashCode *h_denom_pub,
const struct TALER_MasterPublicKeyP *master_pub,
struct GNUNET_TIME_Absolute stamp_start,
struct GNUNET_TIME_Absolute stamp_expire_withdraw,
struct GNUNET_TIME_Absolute stamp_expire_deposit,
struct GNUNET_TIME_Absolute stamp_expire_legal,
const struct TALER_Amount *coin_value,
const struct TALER_Amount *fee_withdraw,
const struct TALER_Amount *fee_deposit,
const struct TALER_Amount *fee_refresh,
const struct TALER_Amount *fee_refund,
const struct TALER_AuditorPrivateKeyP *auditor_priv,
struct TALER_AuditorSignatureP *auditor_sig);
/**
* Verify denomination key validity signature from auditor.
*
* @param auditor_url BASE URL of the auditor's API
* @param h_denom_pub hash of the denomination's public key
* @param master_pub master public key of the exchange
* @param stamp_start when does the exchange begin signing with this key
* @param stamp_expire_withdraw when does the exchange end signing with this key
* @param stamp_expire_deposit how long does the exchange accept the deposit of coins with this key
* @param stamp_expire_legal how long does the exchange preserve information for legal disputes with this key
* @param coin_value what is the value of coins signed with this key
* @param fee_withdraw what withdraw fee does the exchange charge for this denomination
* @param fee_deposit what deposit fee does the exchange charge for this denomination
* @param fee_refresh what refresh fee does the exchange charge for this denomination
* @param fee_refund what refund fee does the exchange charge for this denomination
* @param auditor_pub public key to verify against
* @param auditor_sig the signature the signature
* @return #GNUNET_OK if the signature is valid
*/
int
TALER_auditor_denom_validity_verify (
const char *auditor_url,
const struct GNUNET_HashCode *h_denom_pub,
const struct TALER_MasterPublicKeyP *master_pub,
struct GNUNET_TIME_Absolute stamp_start,
struct GNUNET_TIME_Absolute stamp_expire_withdraw,
struct GNUNET_TIME_Absolute stamp_expire_deposit,
struct GNUNET_TIME_Absolute stamp_expire_legal,
const struct TALER_Amount *coin_value,
const struct TALER_Amount *fee_withdraw,
const struct TALER_Amount *fee_deposit,
const struct TALER_Amount *fee_refresh,
const struct TALER_Amount *fee_refund,
const struct TALER_AuditorPublicKeyP *auditor_pub,
const struct TALER_AuditorSignatureP *auditor_sig);
/* **************** /wire account offline signing **************** */

View File

@ -393,7 +393,7 @@ struct TALER_EXCHANGE_HttpResponse
/**
* Function called with information about who is auditing
* a particular exchange and what key the exchange is using.
* a particular exchange and what keys the exchange is using.
*
* @param cls closure
* @param hr HTTP response data

View File

@ -1041,7 +1041,7 @@ struct TALER_ExchangeKeyValidityPS
/**
* The long-term offline master key of the exchange, affirmed by the
* auditor. Hashed string, including 0-terminator.
* auditor.
*/
struct TALER_MasterPublicKeyP master;

View File

@ -519,7 +519,6 @@ parse_json_auditor (struct TALER_EXCHANGE_AuditorInformation *auditor,
unsigned int off;
unsigned int i;
const char *auditor_url;
struct TALER_ExchangeKeyValidityPS kv;
struct GNUNET_JSON_Specification spec[] = {
GNUNET_JSON_spec_fixed_auto ("auditor_pub",
&auditor->auditor_pub),
@ -539,12 +538,6 @@ parse_json_auditor (struct TALER_EXCHANGE_AuditorInformation *auditor,
return GNUNET_SYSERR;
}
auditor->auditor_url = GNUNET_strdup (auditor_url);
kv.purpose.purpose = htonl (TALER_SIGNATURE_AUDITOR_EXCHANGE_KEYS);
kv.purpose.size = htonl (sizeof (struct TALER_ExchangeKeyValidityPS));
GNUNET_CRYPTO_hash (auditor_url,
strlen (auditor_url) + 1,
&kv.auditor_url_hash);
kv.master = key_data->master_pub;
len = json_array_size (keys);
auditor->denom_keys = GNUNET_new_array (len,
struct
@ -590,27 +583,22 @@ parse_json_auditor (struct TALER_EXCHANGE_AuditorInformation *auditor,
}
if (check_sigs)
{
kv.start = GNUNET_TIME_absolute_hton (dk->valid_from);
kv.expire_withdraw = GNUNET_TIME_absolute_hton (dk->withdraw_valid_until);
kv.expire_deposit = GNUNET_TIME_absolute_hton (dk->expire_deposit);
kv.expire_legal = GNUNET_TIME_absolute_hton (dk->expire_legal);
TALER_amount_hton (&kv.value,
&dk->value);
TALER_amount_hton (&kv.fee_withdraw,
&dk->fee_withdraw);
TALER_amount_hton (&kv.fee_deposit,
&dk->fee_deposit);
TALER_amount_hton (&kv.fee_refresh,
&dk->fee_refresh);
TALER_amount_hton (&kv.fee_refund,
&dk->fee_refund);
kv.denom_hash = dk->h_key;
if (GNUNET_OK !=
GNUNET_CRYPTO_eddsa_verify (TALER_SIGNATURE_AUDITOR_EXCHANGE_KEYS,
&kv,
&auditor_sig.eddsa_sig,
&auditor->auditor_pub.eddsa_pub))
TALER_auditor_denom_validity_verify (
auditor_url,
&dk->h_key,
&key_data->master_pub,
dk->valid_from,
dk->withdraw_valid_until,
dk->expire_deposit,
dk->expire_legal,
&dk->value,
&dk->fee_withdraw,
&dk->fee_deposit,
&dk->fee_refresh,
&dk->fee_refund,
&auditor->auditor_pub,
&auditor_sig))
{
GNUNET_break_op (0);
GNUNET_JSON_parse_free (spec);

View File

@ -139,36 +139,25 @@ auditor_add_run (void *cls,
}
else
{
struct TALER_ExchangeKeyValidityPS kv = {
.purpose.purpose = htonl (TALER_SIGNATURE_AUDITOR_EXCHANGE_KEYS),
.purpose.size = htonl (sizeof (struct TALER_ExchangeKeyValidityPS)),
.start = GNUNET_TIME_absolute_hton (dk->valid_from),
.expire_withdraw = GNUNET_TIME_absolute_hton (
dk->withdraw_valid_until),
.expire_deposit = GNUNET_TIME_absolute_hton (dk->expire_deposit),
.expire_legal = GNUNET_TIME_absolute_hton (dk->expire_legal),
.denom_hash = dk->h_key
};
struct TALER_MasterPublicKeyP master_pub;
TALER_amount_hton (&kv.value,
&dk->value);
TALER_amount_hton (&kv.fee_withdraw,
&dk->fee_withdraw);
TALER_amount_hton (&kv.fee_deposit,
&dk->fee_deposit);
TALER_amount_hton (&kv.fee_refresh,
&dk->fee_refresh);
TALER_amount_hton (&kv.fee_refund,
&dk->fee_refund);
GNUNET_CRYPTO_eddsa_key_get_public (&is->master_priv.eddsa_priv,
&kv.master.eddsa_pub);
GNUNET_CRYPTO_hash (is->auditor_url,
strlen (is->auditor_url) + 1,
&kv.auditor_url_hash);
/* Finally sign ... */
GNUNET_CRYPTO_eddsa_sign (&is->auditor_priv.eddsa_priv,
&kv,
&auditor_sig.eddsa_sig);
&master_pub.eddsa_pub);
TALER_auditor_denom_validity_sign (
is->auditor_url,
&dk->h_key,
&master_pub,
dk->valid_from,
dk->withdraw_valid_until,
dk->expire_deposit,
dk->expire_legal,
&dk->value,
&dk->fee_withdraw,
&dk->fee_deposit,
&dk->fee_refresh,
&dk->fee_refund,
&is->auditor_priv,
&auditor_sig);
}
ds->dh = TALER_EXCHANGE_add_auditor_denomination (
is->ctx,

View File

@ -60,6 +60,7 @@ lib_LTLIBRARIES = \
libtalerutil_la_SOURCES = \
amount.c \
auditor_signatures.c \
config.c \
crypto.c \
crypto_helper_denom.c \

View File

@ -0,0 +1,122 @@
/*
This file is part of TALER
Copyright (C) 2020 Taler Systems SA
TALER is free software; you can redistribute it and/or modify it under the
terms of the GNU General Public License as published by the Free Software
Foundation; either version 3, or (at your option) any later version.
TALER is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with
TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/>
*/
/**
* @file auditor_signatures.c
* @brief Utility functions for Taler auditor signatures
* @author Christian Grothoff
*/
#include "platform.h"
#include "taler_util.h"
#include "taler_signatures.h"
void
TALER_auditor_denom_validity_sign (
const char *auditor_url,
const struct GNUNET_HashCode *h_denom_pub,
const struct TALER_MasterPublicKeyP *master_pub,
struct GNUNET_TIME_Absolute stamp_start,
struct GNUNET_TIME_Absolute stamp_expire_withdraw,
struct GNUNET_TIME_Absolute stamp_expire_deposit,
struct GNUNET_TIME_Absolute stamp_expire_legal,
const struct TALER_Amount *coin_value,
const struct TALER_Amount *fee_withdraw,
const struct TALER_Amount *fee_deposit,
const struct TALER_Amount *fee_refresh,
const struct TALER_Amount *fee_refund,
const struct TALER_AuditorPrivateKeyP *auditor_priv,
struct TALER_AuditorSignatureP *auditor_sig)
{
struct TALER_ExchangeKeyValidityPS kv = {
.purpose.purpose = htonl (TALER_SIGNATURE_AUDITOR_EXCHANGE_KEYS),
.purpose.size = htonl (sizeof (kv)),
.start = GNUNET_TIME_absolute_hton (stamp_start),
.expire_withdraw = GNUNET_TIME_absolute_hton (stamp_expire_withdraw),
.expire_deposit = GNUNET_TIME_absolute_hton (stamp_expire_deposit),
.expire_legal = GNUNET_TIME_absolute_hton (stamp_expire_legal),
.denom_hash = *h_denom_pub,
.master = *master_pub,
};
TALER_amount_hton (&kv.value,
coin_value);
TALER_amount_hton (&kv.fee_withdraw,
fee_withdraw);
TALER_amount_hton (&kv.fee_deposit,
fee_deposit);
TALER_amount_hton (&kv.fee_refresh,
fee_refresh);
TALER_amount_hton (&kv.fee_refund,
fee_refund);
GNUNET_CRYPTO_hash (auditor_url,
strlen (auditor_url) + 1,
&kv.auditor_url_hash);
GNUNET_CRYPTO_eddsa_sign (&auditor_priv->eddsa_priv,
&kv,
&auditor_sig->eddsa_sig);
}
int
TALER_auditor_denom_validity_verify (
const char *auditor_url,
const struct GNUNET_HashCode *h_denom_pub,
const struct TALER_MasterPublicKeyP *master_pub,
struct GNUNET_TIME_Absolute stamp_start,
struct GNUNET_TIME_Absolute stamp_expire_withdraw,
struct GNUNET_TIME_Absolute stamp_expire_deposit,
struct GNUNET_TIME_Absolute stamp_expire_legal,
const struct TALER_Amount *coin_value,
const struct TALER_Amount *fee_withdraw,
const struct TALER_Amount *fee_deposit,
const struct TALER_Amount *fee_refresh,
const struct TALER_Amount *fee_refund,
const struct TALER_AuditorPublicKeyP *auditor_pub,
const struct TALER_AuditorSignatureP *auditor_sig)
{
struct TALER_ExchangeKeyValidityPS kv = {
.purpose.purpose = htonl (TALER_SIGNATURE_AUDITOR_EXCHANGE_KEYS),
.purpose.size = htonl (sizeof (kv)),
.start = GNUNET_TIME_absolute_hton (stamp_start),
.expire_withdraw = GNUNET_TIME_absolute_hton (stamp_expire_withdraw),
.expire_deposit = GNUNET_TIME_absolute_hton (stamp_expire_deposit),
.expire_legal = GNUNET_TIME_absolute_hton (stamp_expire_legal),
.denom_hash = *h_denom_pub,
.master = *master_pub,
};
TALER_amount_hton (&kv.value,
coin_value);
TALER_amount_hton (&kv.fee_withdraw,
fee_withdraw);
TALER_amount_hton (&kv.fee_deposit,
fee_deposit);
TALER_amount_hton (&kv.fee_refresh,
fee_refresh);
TALER_amount_hton (&kv.fee_refund,
fee_refund);
GNUNET_CRYPTO_hash (auditor_url,
strlen (auditor_url) + 1,
&kv.auditor_url_hash);
return
GNUNET_CRYPTO_eddsa_verify (TALER_SIGNATURE_AUDITOR_EXCHANGE_KEYS,
&kv,
&auditor_sig->eddsa_sig,
&auditor_pub->eddsa_pub);
}
/* end of auditor_signatures.c */