implement new taler-auditor-offline tool

This commit is contained in:
Christian Grothoff 2020-12-06 00:05:45 +01:00
parent 9aff197bb3
commit 70b0839644
No known key found for this signature in database
GPG Key ID: 939E6BE1E29FC3CC
12 changed files with 1541 additions and 97 deletions

View File

@ -2,3 +2,4 @@ test_taler_exchange_httpd_home/.local/share/taler/exchange/live-keys/
test_taler_exchange_httpd_home/.local/share/taler/exchange/wirefees/ test_taler_exchange_httpd_home/.local/share/taler/exchange/wirefees/
test_taler_exchange_httpd_home/.config/taler/account-1.json test_taler_exchange_httpd_home/.config/taler/account-1.json
taler-exchange-offline taler-exchange-offline
taler-auditor-offline

View File

@ -13,6 +13,7 @@ if USE_COVERAGE
endif endif
bin_PROGRAMS = \ bin_PROGRAMS = \
taler-auditor-offline \
taler-exchange-keyup \ taler-exchange-keyup \
taler-exchange-keycheck \ taler-exchange-keycheck \
taler-exchange-offline \ taler-exchange-offline \
@ -47,6 +48,20 @@ taler_exchange_offline_LDADD = \
$(XLIB) $(XLIB)
taler_auditor_offline_SOURCES = \
taler-auditor-offline.c
taler_auditor_offline_LDADD = \
$(LIBGCRYPT_LIBS) \
$(top_builddir)/src/lib/libtalerexchange.la \
$(top_builddir)/src/json/libtalerjson.la \
$(top_builddir)/src/util/libtalerutil.la \
-lgnunetjson \
-lgnunetcurl \
-ljansson \
-lgnunetutil \
$(XLIB)
taler_exchange_wire_SOURCES = \ taler_exchange_wire_SOURCES = \
taler-exchange-wire.c taler-exchange-wire.c
taler_exchange_wire_LDADD = \ taler_exchange_wire_LDADD = \

File diff suppressed because it is too large Load Diff

View File

@ -2391,6 +2391,9 @@ do_sign (char *const *args)
return; return;
} }
} }
if (GNUNET_OK !=
load_offline_key ())
return;
{ {
const char *err_name; const char *err_name;

View File

@ -144,49 +144,34 @@ add_auditor_denom_sig (void *cls,
TALER_B2S (awc->auditor_pub)); TALER_B2S (awc->auditor_pub));
return GNUNET_DB_STATUS_HARD_ERROR; return GNUNET_DB_STATUS_HARD_ERROR;
} }
if (GNUNET_OK !=
TALER_auditor_denom_validity_verify (
auditor_url,
awc->h_denom_pub,
&TEH_master_public_key,
meta.start,
meta.expire_withdraw,
meta.expire_deposit,
meta.expire_legal,
&meta.value,
&meta.fee_withdraw,
&meta.fee_deposit,
&meta.fee_refresh,
&meta.fee_refund,
awc->auditor_pub,
&awc->auditor_sig))
{ {
struct TALER_ExchangeKeyValidityPS kv = {
.purpose.purpose = htonl (TALER_SIGNATURE_AUDITOR_EXCHANGE_KEYS),
.purpose.size = htonl (sizeof (kv)),
.master = TEH_master_public_key,
.start = GNUNET_TIME_absolute_hton (meta.start),
.expire_withdraw = GNUNET_TIME_absolute_hton (meta.expire_withdraw),
.expire_deposit = GNUNET_TIME_absolute_hton (meta.expire_deposit),
.expire_legal = GNUNET_TIME_absolute_hton (meta.expire_legal),
.denom_hash = *awc->h_denom_pub
};
TALER_amount_hton (&kv.value,
&meta.value);
TALER_amount_hton (&kv.fee_withdraw,
&meta.fee_withdraw);
TALER_amount_hton (&kv.fee_deposit,
&meta.fee_deposit);
TALER_amount_hton (&kv.fee_refresh,
&meta.fee_refresh);
TALER_amount_hton (&kv.fee_refund,
&meta.fee_refund);
GNUNET_CRYPTO_hash (auditor_url,
strlen (auditor_url) + 1,
&kv.auditor_url_hash);
GNUNET_free (auditor_url); GNUNET_free (auditor_url);
if (GNUNET_OK != /* signature invalid */
GNUNET_CRYPTO_eddsa_verify ( GNUNET_break_op (0);
TALER_SIGNATURE_AUDITOR_EXCHANGE_KEYS, *mhd_ret = TALER_MHD_reply_with_error (
&kv, connection,
&awc->auditor_sig.eddsa_sig, MHD_HTTP_FORBIDDEN,
&TEH_master_public_key.eddsa_pub)) TALER_EC_EXCHANGE_AUDITORS_AUDITOR_SIGNATURE_INVALID,
{ NULL);
/* signature invalid */ return GNUNET_DB_STATUS_HARD_ERROR;
GNUNET_break_op (0);
*mhd_ret = TALER_MHD_reply_with_error (
connection,
MHD_HTTP_FORBIDDEN,
TALER_EC_EXCHANGE_AUDITORS_AUDITOR_SIGNATURE_INVALID,
NULL);
return GNUNET_DB_STATUS_HARD_ERROR;
}
} }
GNUNET_free (auditor_url);
qs = TEH_plugin->insert_auditor_denom_sig (TEH_plugin->cls, qs = TEH_plugin->insert_auditor_denom_sig (TEH_plugin->cls,
session, session,

View File

@ -1294,6 +1294,79 @@ TALER_exchange_secmod_rsa_verify (
const struct TALER_SecurityModuleSignatureP *secm_sig); const struct TALER_SecurityModuleSignatureP *secm_sig);
/**
* Create denomination key validity signature by the auditor.
*
* @param auditor_url BASE URL of the auditor's API
* @param h_denom_pub hash of the denomination's public key
* @param master_pub master public key of the exchange
* @param stamp_start when does the exchange begin signing with this key
* @param stamp_expire_withdraw when does the exchange end signing with this key
* @param stamp_expire_deposit how long does the exchange accept the deposit of coins with this key
* @param stamp_expire_legal how long does the exchange preserve information for legal disputes with this key
* @param coin_value what is the value of coins signed with this key
* @param fee_withdraw what withdraw fee does the exchange charge for this denomination
* @param fee_deposit what deposit fee does the exchange charge for this denomination
* @param fee_refresh what refresh fee does the exchange charge for this denomination
* @param fee_refund what refund fee does the exchange charge for this denomination
* @param auditor_priv private key to sign with
* @param[out] auditor_sig where to write the signature
*/
void
TALER_auditor_denom_validity_sign (
const char *auditor_url,
const struct GNUNET_HashCode *h_denom_pub,
const struct TALER_MasterPublicKeyP *master_pub,
struct GNUNET_TIME_Absolute stamp_start,
struct GNUNET_TIME_Absolute stamp_expire_withdraw,
struct GNUNET_TIME_Absolute stamp_expire_deposit,
struct GNUNET_TIME_Absolute stamp_expire_legal,
const struct TALER_Amount *coin_value,
const struct TALER_Amount *fee_withdraw,
const struct TALER_Amount *fee_deposit,
const struct TALER_Amount *fee_refresh,
const struct TALER_Amount *fee_refund,
const struct TALER_AuditorPrivateKeyP *auditor_priv,
struct TALER_AuditorSignatureP *auditor_sig);
/**
* Verify denomination key validity signature from auditor.
*
* @param auditor_url BASE URL of the auditor's API
* @param h_denom_pub hash of the denomination's public key
* @param master_pub master public key of the exchange
* @param stamp_start when does the exchange begin signing with this key
* @param stamp_expire_withdraw when does the exchange end signing with this key
* @param stamp_expire_deposit how long does the exchange accept the deposit of coins with this key
* @param stamp_expire_legal how long does the exchange preserve information for legal disputes with this key
* @param coin_value what is the value of coins signed with this key
* @param fee_withdraw what withdraw fee does the exchange charge for this denomination
* @param fee_deposit what deposit fee does the exchange charge for this denomination
* @param fee_refresh what refresh fee does the exchange charge for this denomination
* @param fee_refund what refund fee does the exchange charge for this denomination
* @param auditor_pub public key to verify against
* @param auditor_sig the signature the signature
* @return #GNUNET_OK if the signature is valid
*/
int
TALER_auditor_denom_validity_verify (
const char *auditor_url,
const struct GNUNET_HashCode *h_denom_pub,
const struct TALER_MasterPublicKeyP *master_pub,
struct GNUNET_TIME_Absolute stamp_start,
struct GNUNET_TIME_Absolute stamp_expire_withdraw,
struct GNUNET_TIME_Absolute stamp_expire_deposit,
struct GNUNET_TIME_Absolute stamp_expire_legal,
const struct TALER_Amount *coin_value,
const struct TALER_Amount *fee_withdraw,
const struct TALER_Amount *fee_deposit,
const struct TALER_Amount *fee_refresh,
const struct TALER_Amount *fee_refund,
const struct TALER_AuditorPublicKeyP *auditor_pub,
const struct TALER_AuditorSignatureP *auditor_sig);
/* **************** /wire account offline signing **************** */ /* **************** /wire account offline signing **************** */

View File

@ -393,7 +393,7 @@ struct TALER_EXCHANGE_HttpResponse
/** /**
* Function called with information about who is auditing * Function called with information about who is auditing
* a particular exchange and what key the exchange is using. * a particular exchange and what keys the exchange is using.
* *
* @param cls closure * @param cls closure
* @param hr HTTP response data * @param hr HTTP response data

View File

@ -1041,7 +1041,7 @@ struct TALER_ExchangeKeyValidityPS
/** /**
* The long-term offline master key of the exchange, affirmed by the * The long-term offline master key of the exchange, affirmed by the
* auditor. Hashed string, including 0-terminator. * auditor.
*/ */
struct TALER_MasterPublicKeyP master; struct TALER_MasterPublicKeyP master;

View File

@ -519,7 +519,6 @@ parse_json_auditor (struct TALER_EXCHANGE_AuditorInformation *auditor,
unsigned int off; unsigned int off;
unsigned int i; unsigned int i;
const char *auditor_url; const char *auditor_url;
struct TALER_ExchangeKeyValidityPS kv;
struct GNUNET_JSON_Specification spec[] = { struct GNUNET_JSON_Specification spec[] = {
GNUNET_JSON_spec_fixed_auto ("auditor_pub", GNUNET_JSON_spec_fixed_auto ("auditor_pub",
&auditor->auditor_pub), &auditor->auditor_pub),
@ -539,12 +538,6 @@ parse_json_auditor (struct TALER_EXCHANGE_AuditorInformation *auditor,
return GNUNET_SYSERR; return GNUNET_SYSERR;
} }
auditor->auditor_url = GNUNET_strdup (auditor_url); auditor->auditor_url = GNUNET_strdup (auditor_url);
kv.purpose.purpose = htonl (TALER_SIGNATURE_AUDITOR_EXCHANGE_KEYS);
kv.purpose.size = htonl (sizeof (struct TALER_ExchangeKeyValidityPS));
GNUNET_CRYPTO_hash (auditor_url,
strlen (auditor_url) + 1,
&kv.auditor_url_hash);
kv.master = key_data->master_pub;
len = json_array_size (keys); len = json_array_size (keys);
auditor->denom_keys = GNUNET_new_array (len, auditor->denom_keys = GNUNET_new_array (len,
struct struct
@ -590,27 +583,22 @@ parse_json_auditor (struct TALER_EXCHANGE_AuditorInformation *auditor,
} }
if (check_sigs) if (check_sigs)
{ {
kv.start = GNUNET_TIME_absolute_hton (dk->valid_from);
kv.expire_withdraw = GNUNET_TIME_absolute_hton (dk->withdraw_valid_until);
kv.expire_deposit = GNUNET_TIME_absolute_hton (dk->expire_deposit);
kv.expire_legal = GNUNET_TIME_absolute_hton (dk->expire_legal);
TALER_amount_hton (&kv.value,
&dk->value);
TALER_amount_hton (&kv.fee_withdraw,
&dk->fee_withdraw);
TALER_amount_hton (&kv.fee_deposit,
&dk->fee_deposit);
TALER_amount_hton (&kv.fee_refresh,
&dk->fee_refresh);
TALER_amount_hton (&kv.fee_refund,
&dk->fee_refund);
kv.denom_hash = dk->h_key;
if (GNUNET_OK != if (GNUNET_OK !=
GNUNET_CRYPTO_eddsa_verify (TALER_SIGNATURE_AUDITOR_EXCHANGE_KEYS, TALER_auditor_denom_validity_verify (
&kv, auditor_url,
&auditor_sig.eddsa_sig, &dk->h_key,
&auditor->auditor_pub.eddsa_pub)) &key_data->master_pub,
dk->valid_from,
dk->withdraw_valid_until,
dk->expire_deposit,
dk->expire_legal,
&dk->value,
&dk->fee_withdraw,
&dk->fee_deposit,
&dk->fee_refresh,
&dk->fee_refund,
&auditor->auditor_pub,
&auditor_sig))
{ {
GNUNET_break_op (0); GNUNET_break_op (0);
GNUNET_JSON_parse_free (spec); GNUNET_JSON_parse_free (spec);

View File

@ -139,36 +139,25 @@ auditor_add_run (void *cls,
} }
else else
{ {
struct TALER_ExchangeKeyValidityPS kv = { struct TALER_MasterPublicKeyP master_pub;
.purpose.purpose = htonl (TALER_SIGNATURE_AUDITOR_EXCHANGE_KEYS),
.purpose.size = htonl (sizeof (struct TALER_ExchangeKeyValidityPS)),
.start = GNUNET_TIME_absolute_hton (dk->valid_from),
.expire_withdraw = GNUNET_TIME_absolute_hton (
dk->withdraw_valid_until),
.expire_deposit = GNUNET_TIME_absolute_hton (dk->expire_deposit),
.expire_legal = GNUNET_TIME_absolute_hton (dk->expire_legal),
.denom_hash = dk->h_key
};
TALER_amount_hton (&kv.value,
&dk->value);
TALER_amount_hton (&kv.fee_withdraw,
&dk->fee_withdraw);
TALER_amount_hton (&kv.fee_deposit,
&dk->fee_deposit);
TALER_amount_hton (&kv.fee_refresh,
&dk->fee_refresh);
TALER_amount_hton (&kv.fee_refund,
&dk->fee_refund);
GNUNET_CRYPTO_eddsa_key_get_public (&is->master_priv.eddsa_priv, GNUNET_CRYPTO_eddsa_key_get_public (&is->master_priv.eddsa_priv,
&kv.master.eddsa_pub); &master_pub.eddsa_pub);
GNUNET_CRYPTO_hash (is->auditor_url, TALER_auditor_denom_validity_sign (
strlen (is->auditor_url) + 1, is->auditor_url,
&kv.auditor_url_hash); &dk->h_key,
/* Finally sign ... */ &master_pub,
GNUNET_CRYPTO_eddsa_sign (&is->auditor_priv.eddsa_priv, dk->valid_from,
&kv, dk->withdraw_valid_until,
&auditor_sig.eddsa_sig); dk->expire_deposit,
dk->expire_legal,
&dk->value,
&dk->fee_withdraw,
&dk->fee_deposit,
&dk->fee_refresh,
&dk->fee_refund,
&is->auditor_priv,
&auditor_sig);
} }
ds->dh = TALER_EXCHANGE_add_auditor_denomination ( ds->dh = TALER_EXCHANGE_add_auditor_denomination (
is->ctx, is->ctx,

View File

@ -60,6 +60,7 @@ lib_LTLIBRARIES = \
libtalerutil_la_SOURCES = \ libtalerutil_la_SOURCES = \
amount.c \ amount.c \
auditor_signatures.c \
config.c \ config.c \
crypto.c \ crypto.c \
crypto_helper_denom.c \ crypto_helper_denom.c \

View File

@ -0,0 +1,122 @@
/*
This file is part of TALER
Copyright (C) 2020 Taler Systems SA
TALER is free software; you can redistribute it and/or modify it under the
terms of the GNU General Public License as published by the Free Software
Foundation; either version 3, or (at your option) any later version.
TALER is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with
TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/>
*/
/**
* @file auditor_signatures.c
* @brief Utility functions for Taler auditor signatures
* @author Christian Grothoff
*/
#include "platform.h"
#include "taler_util.h"
#include "taler_signatures.h"
void
TALER_auditor_denom_validity_sign (
const char *auditor_url,
const struct GNUNET_HashCode *h_denom_pub,
const struct TALER_MasterPublicKeyP *master_pub,
struct GNUNET_TIME_Absolute stamp_start,
struct GNUNET_TIME_Absolute stamp_expire_withdraw,
struct GNUNET_TIME_Absolute stamp_expire_deposit,
struct GNUNET_TIME_Absolute stamp_expire_legal,
const struct TALER_Amount *coin_value,
const struct TALER_Amount *fee_withdraw,
const struct TALER_Amount *fee_deposit,
const struct TALER_Amount *fee_refresh,
const struct TALER_Amount *fee_refund,
const struct TALER_AuditorPrivateKeyP *auditor_priv,
struct TALER_AuditorSignatureP *auditor_sig)
{
struct TALER_ExchangeKeyValidityPS kv = {
.purpose.purpose = htonl (TALER_SIGNATURE_AUDITOR_EXCHANGE_KEYS),
.purpose.size = htonl (sizeof (kv)),
.start = GNUNET_TIME_absolute_hton (stamp_start),
.expire_withdraw = GNUNET_TIME_absolute_hton (stamp_expire_withdraw),
.expire_deposit = GNUNET_TIME_absolute_hton (stamp_expire_deposit),
.expire_legal = GNUNET_TIME_absolute_hton (stamp_expire_legal),
.denom_hash = *h_denom_pub,
.master = *master_pub,
};
TALER_amount_hton (&kv.value,
coin_value);
TALER_amount_hton (&kv.fee_withdraw,
fee_withdraw);
TALER_amount_hton (&kv.fee_deposit,
fee_deposit);
TALER_amount_hton (&kv.fee_refresh,
fee_refresh);
TALER_amount_hton (&kv.fee_refund,
fee_refund);
GNUNET_CRYPTO_hash (auditor_url,
strlen (auditor_url) + 1,
&kv.auditor_url_hash);
GNUNET_CRYPTO_eddsa_sign (&auditor_priv->eddsa_priv,
&kv,
&auditor_sig->eddsa_sig);
}
int
TALER_auditor_denom_validity_verify (
const char *auditor_url,
const struct GNUNET_HashCode *h_denom_pub,
const struct TALER_MasterPublicKeyP *master_pub,
struct GNUNET_TIME_Absolute stamp_start,
struct GNUNET_TIME_Absolute stamp_expire_withdraw,
struct GNUNET_TIME_Absolute stamp_expire_deposit,
struct GNUNET_TIME_Absolute stamp_expire_legal,
const struct TALER_Amount *coin_value,
const struct TALER_Amount *fee_withdraw,
const struct TALER_Amount *fee_deposit,
const struct TALER_Amount *fee_refresh,
const struct TALER_Amount *fee_refund,
const struct TALER_AuditorPublicKeyP *auditor_pub,
const struct TALER_AuditorSignatureP *auditor_sig)
{
struct TALER_ExchangeKeyValidityPS kv = {
.purpose.purpose = htonl (TALER_SIGNATURE_AUDITOR_EXCHANGE_KEYS),
.purpose.size = htonl (sizeof (kv)),
.start = GNUNET_TIME_absolute_hton (stamp_start),
.expire_withdraw = GNUNET_TIME_absolute_hton (stamp_expire_withdraw),
.expire_deposit = GNUNET_TIME_absolute_hton (stamp_expire_deposit),
.expire_legal = GNUNET_TIME_absolute_hton (stamp_expire_legal),
.denom_hash = *h_denom_pub,
.master = *master_pub,
};
TALER_amount_hton (&kv.value,
coin_value);
TALER_amount_hton (&kv.fee_withdraw,
fee_withdraw);
TALER_amount_hton (&kv.fee_deposit,
fee_deposit);
TALER_amount_hton (&kv.fee_refresh,
fee_refresh);
TALER_amount_hton (&kv.fee_refund,
fee_refund);
GNUNET_CRYPTO_hash (auditor_url,
strlen (auditor_url) + 1,
&kv.auditor_url_hash);
return
GNUNET_CRYPTO_eddsa_verify (TALER_SIGNATURE_AUDITOR_EXCHANGE_KEYS,
&kv,
&auditor_sig->eddsa_sig,
&auditor_pub->eddsa_pub);
}
/* end of auditor_signatures.c */