taler/exchange
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

move all TALER_SIGNATURE_SM_-operations to secmod_signatures.c

Browse Source
This commit is contained in:
Christian Grothoff 2020-12-05 19:47:54 +01:00
parent c898ff53a2
commit 8170e1e9ab
No known key found for this signature in database
GPG Key ID: 939E6BE1E29FC3CC
9 changed files with 275 additions and 86 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/exchange-tools/taler-exchange-offline.c
View File

@ -1606,8 +1606,22 @@ show_signkeys (const json_t *signkeys)
json_array_foreach (signkeys, index, value) { json_array_foreach (signkeys, index, value) {
const char *err_name; const char *err_name;
unsigned int err_line; unsigned int err_line;
struct TALER_ExchangePublicKeyP exchange_pub;
struct TALER_SecurityModuleSignatureP secm_sig;
struct GNUNET_TIME_Absolute start_time;
struct GNUNET_TIME_Absolute sign_end;
struct GNUNET_TIME_Absolute legal_end;
struct GNUNET_JSON_Specification spec[] = { struct GNUNET_JSON_Specification spec[] = {
// FIXME! GNUNET_JSON_spec_absolute_time ("stamp_start",
&start_time),
GNUNET_JSON_spec_absolute_time ("stamp_expire",
&sign_end),
GNUNET_JSON_spec_absolute_time ("stamp_end",
&legal_end),
GNUNET_JSON_spec_fixed_auto ("key",
&exchange_pub),
GNUNET_JSON_spec_fixed_auto ("signkey_secmod_sig",
&secm_sig),
GNUNET_JSON_spec_end () GNUNET_JSON_spec_end ()
}; };
@ -1626,6 +1640,7 @@ show_signkeys (const json_t *signkeys)
test_shutdown (); test_shutdown ();
return GNUNET_SYSERR; return GNUNET_SYSERR;
} }
// FIXME: print // FIXME: print
} }
return GNUNET_OK; return GNUNET_OK;

78
src/include/taler_crypto_lib.h
View File

@ -1151,6 +1151,84 @@ TALER_exchange_offline_signkey_validity_verify (
const struct TALER_MasterSignatureP *master_sig); const struct TALER_MasterSignatureP *master_sig);
/**
* Create security module EdDSA signature.
*
* @param exchange_pub public signing key to validate
* @param start_sign starting point of validity for signing
* @param duration how long will the key be in use
* @param secm_priv security module key to sign with
* @param[out] secm_sig where to write the signature
*/
void
TALER_exchange_secmod_eddsa_sign (
const struct TALER_ExchangePublicKeyP *exchange_pub,
struct GNUNET_TIME_Absolute start_sign,
struct GNUNET_TIME_Relative duration,
const struct TALER_SecurityModulePrivateKeyP *secm_priv,
struct TALER_SecurityModuleSignatureP *secm_sig);
/**
* Verify security module EdDSA signature.
*
* @param exchange_pub public signing key to validate
* @param start_sign starting point of validity for signing
* @param duration how long will the key be in use
* @param secm_pub public key to verify against
* @param secm_sig the signature the signature
* @return #GNUNET_OK if the signature is valid
*/
int
TALER_exchange_secmod_eddsa_verify (
const struct TALER_ExchangePublicKeyP *exchange_pub,
struct GNUNET_TIME_Absolute start_sign,
struct GNUNET_TIME_Relative duration,
const struct TALER_SecurityModulePublicKeyP *secm_pub,
const struct TALER_SecurityModuleSignatureP *secm_sig);
/**
* Create security module RSA signature.
*
* @param h_denom_pub hash of the public key to validate
* @param section_name name of the section in the configuration
* @param start_sign starting point of validity for signing
* @param duration how long will the key be in use
* @param secm_priv security module key to sign with
* @param[out] secm_sig where to write the signature
*/
void
TALER_exchange_secmod_rsa_sign (
const struct GNUNET_HashCode *h_denom_pub,
const char *section_name,
struct GNUNET_TIME_Absolute start_sign,
struct GNUNET_TIME_Relative duration,
const struct TALER_SecurityModulePrivateKeyP *secm_priv,
struct TALER_SecurityModuleSignatureP *secm_sig);
/**
* Verify security module RSA signature.
*
* @param h_ednom_pub hash of the public key to validate
* @param section_name name of the section in the configuration
* @param start_sign starting point of validity for signing
* @param duration how long will the key be in use
* @param secm_pub public key to verify against
* @param secm_sig the signature the signature
* @return #GNUNET_OK if the signature is valid
*/
int
TALER_exchange_secmod_rsa_verify (
const struct GNUNET_HashCode *h_denom_pub,
const char *section_name,
struct GNUNET_TIME_Absolute start_sign,
struct GNUNET_TIME_Relative duration,
const struct TALER_SecurityModulePublicKeyP *secm_pub,
const struct TALER_SecurityModuleSignatureP *secm_sig);
/* **************** /wire account offline signing **************** */ /* **************** /wire account offline signing **************** */

42
src/lib/exchange_api_management_get_keys.c
View File

@ -25,6 +25,7 @@
#include "taler_exchange_service.h" #include "taler_exchange_service.h"
#include "taler_signatures.h" #include "taler_signatures.h"
#include "taler_curl_lib.h" #include "taler_curl_lib.h"
#include "taler_crypto_lib.h"
#include "taler_json_lib.h" #include "taler_json_lib.h"
/** /**
@ -139,20 +140,14 @@ handle_ok (struct TALER_EXCHANGE_ManagementGetKeysHandle *gh,
struct GNUNET_TIME_Relative duration struct GNUNET_TIME_Relative duration
= GNUNET_TIME_absolute_get_difference (sign_key->valid_from, = GNUNET_TIME_absolute_get_difference (sign_key->valid_from,
sign_key->valid_until); sign_key->valid_until);
struct TALER_SigningKeyAnnouncementPS ska = {
.purpose.purpose = htonl (TALER_SIGNATURE_SM_SIGNING_KEY),
.purpose.size = htonl (sizeof (ska)),
.exchange_pub = sign_key->key,
.anchor_time = GNUNET_TIME_absolute_hton (sign_key->valid_from),
.duration = GNUNET_TIME_relative_hton (duration)
};
if (GNUNET_OK != if (GNUNET_OK !=
GNUNET_CRYPTO_eddsa_verify ( TALER_exchange_secmod_eddsa_verify (
TALER_SIGNATURE_SM_SIGNING_KEY, &sign_key->key,
&ska, sign_key->valid_from,
&sign_key->signkey_secmod_sig.eddsa_signature, duration,
&fk.signkey_secmod_public_key.eddsa_pub)) &fk.signkey_secmod_public_key,
&sign_key->signkey_secmod_sig))
{ {
GNUNET_break_op (0); GNUNET_break_op (0);
ok = false; ok = false;
@ -166,7 +161,10 @@ handle_ok (struct TALER_EXCHANGE_ManagementGetKeysHandle *gh,
i); i);
struct TALER_EXCHANGE_FutureDenomPublicKey *denom_key struct TALER_EXCHANGE_FutureDenomPublicKey *denom_key
= &fk.denom_keys[i]; = &fk.denom_keys[i];
const char *section_name;
struct GNUNET_JSON_Specification spec[] = { struct GNUNET_JSON_Specification spec[] = {
GNUNET_JSON_spec_string ("section_name",
&section_name),
GNUNET_JSON_spec_fixed_auto ("denom_secmod_sig", GNUNET_JSON_spec_fixed_auto ("denom_secmod_sig",
&denom_key->denom_secmod_sig), &denom_key->denom_secmod_sig),
TALER_JSON_spec_absolute_time ("stamp_expire_deposit", TALER_JSON_spec_absolute_time ("stamp_expire_deposit",
@ -206,21 +204,17 @@ handle_ok (struct TALER_EXCHANGE_ManagementGetKeysHandle *gh,
struct GNUNET_TIME_Relative duration struct GNUNET_TIME_Relative duration
= GNUNET_TIME_absolute_get_difference (denom_key->valid_from, = GNUNET_TIME_absolute_get_difference (denom_key->valid_from,
denom_key->withdraw_valid_until); denom_key->withdraw_valid_until);
struct TALER_DenominationKeyAnnouncementPS dka = { struct GNUNET_HashCode h_denom_pub;
.purpose.purpose = htonl (TALER_SIGNATURE_SM_DENOMINATION_KEY),
.purpose.size = htonl (sizeof (dka)),
.anchor_time = GNUNET_TIME_absolute_hton (denom_key->valid_from),
.duration_withdraw = GNUNET_TIME_relative_hton (duration)
};
GNUNET_CRYPTO_rsa_public_key_hash (denom_key->key.rsa_public_key, GNUNET_CRYPTO_rsa_public_key_hash (denom_key->key.rsa_public_key,
&dka.h_denom_pub); &h_denom_pub);
if (GNUNET_OK != if (GNUNET_OK !=
GNUNET_CRYPTO_eddsa_verify ( TALER_exchange_secmod_rsa_verify (&h_denom_pub,
TALER_SIGNATURE_SM_DENOMINATION_KEY, section_name,
&dka, denom_key->valid_from,
&denom_key->denom_secmod_sig.eddsa_signature, duration,
&fk.denom_secmod_public_key.eddsa_pub)) &fk.denom_secmod_public_key,
&denom_key->denom_secmod_sig))
{ {
GNUNET_break_op (0); GNUNET_break_op (0);
ok = false; ok = false;

1
src/util/Makefile.am
View File

@ -70,6 +70,7 @@ libtalerutil_la_SOURCES = \
mhd.c \ mhd.c \
offline_signatures.c \ offline_signatures.c \
payto.c \ payto.c \
secmod_signatures.c \
taler_error_codes.c \ taler_error_codes.c \
url.c \ url.c \
util.c \ util.c \

25
src/util/crypto_helper_denom.c
View File

@ -277,12 +277,7 @@ handle_mt_avail (struct TALER_CRYPTO_DenominationHelper *dh,
{ {
struct TALER_DenominationPublicKey denom_pub; struct TALER_DenominationPublicKey denom_pub;
struct TALER_DenominationKeyAnnouncementPS dka = { struct GNUNET_HashCode h_denom_pub;
.purpose.purpose = htonl (TALER_SIGNATURE_SM_DENOMINATION_KEY),
.purpose.size = htonl (sizeof (dka)),
.anchor_time = kan->anchor_time,
.duration_withdraw = kan->duration_withdraw
};
denom_pub.rsa_public_key denom_pub.rsa_public_key
= GNUNET_CRYPTO_rsa_public_key_decode (buf, = GNUNET_CRYPTO_rsa_public_key_decode (buf,
@ -293,15 +288,15 @@ handle_mt_avail (struct TALER_CRYPTO_DenominationHelper *dh,
return GNUNET_SYSERR; return GNUNET_SYSERR;
} }
GNUNET_CRYPTO_rsa_public_key_hash (denom_pub.rsa_public_key, GNUNET_CRYPTO_rsa_public_key_hash (denom_pub.rsa_public_key,
&dka.h_denom_pub); &h_denom_pub);
GNUNET_CRYPTO_hash (section_name,
strlen (section_name) + 1,
&dka.h_section_name);
if (GNUNET_OK != if (GNUNET_OK !=
GNUNET_CRYPTO_eddsa_verify (TALER_SIGNATURE_SM_DENOMINATION_KEY, TALER_exchange_secmod_rsa_verify (
&dka, &h_denom_pub,
&kan->secm_sig.eddsa_signature, section_name,
&kan->secm_pub.eddsa_pub)) GNUNET_TIME_absolute_ntoh (kan->anchor_time),
GNUNET_TIME_relative_ntoh (kan->duration_withdraw),
&kan->secm_pub,
&kan->secm_sig))
{ {
GNUNET_break_op (0); GNUNET_break_op (0);
GNUNET_CRYPTO_rsa_public_key_free (denom_pub.rsa_public_key); GNUNET_CRYPTO_rsa_public_key_free (denom_pub.rsa_public_key);
@ -311,7 +306,7 @@ handle_mt_avail (struct TALER_CRYPTO_DenominationHelper *dh,
section_name, section_name,
GNUNET_TIME_absolute_ntoh (kan->anchor_time), GNUNET_TIME_absolute_ntoh (kan->anchor_time),
GNUNET_TIME_relative_ntoh (kan->duration_withdraw), GNUNET_TIME_relative_ntoh (kan->duration_withdraw),
&dka.h_denom_pub, &h_denom_pub,
&denom_pub, &denom_pub,
&kan->secm_pub, &kan->secm_pub,
&kan->secm_sig); &kan->secm_sig);

38
src/util/crypto_helper_esign.c
View File

@ -258,31 +258,23 @@ handle_mt_avail (struct TALER_CRYPTO_ExchangeSignHelper *esh,
GNUNET_break_op (0); GNUNET_break_op (0);
return GNUNET_SYSERR; return GNUNET_SYSERR;
} }
if (GNUNET_OK !=
TALER_exchange_secmod_eddsa_verify (
&kan->exchange_pub,
GNUNET_TIME_absolute_ntoh (kan->anchor_time),
GNUNET_TIME_relative_ntoh (kan->duration),
&kan->secm_pub,
&kan->secm_sig))
{ {
struct TALER_SigningKeyAnnouncementPS ska = { GNUNET_break_op (0);
.purpose.purpose = htonl (TALER_SIGNATURE_SM_SIGNING_KEY), return GNUNET_SYSERR;
.purpose.size = htonl (sizeof (ska)),
.exchange_pub = kan->exchange_pub,
.anchor_time = kan->anchor_time,
.duration = kan->duration
};
if (GNUNET_OK !=
GNUNET_CRYPTO_eddsa_verify (TALER_SIGNATURE_SM_SIGNING_KEY,
&ska,
&kan->secm_sig.eddsa_signature,
&kan->secm_pub.eddsa_pub))
{
GNUNET_break_op (0);
return GNUNET_SYSERR;
}
esh->ekc (esh->ekc_cls,
GNUNET_TIME_absolute_ntoh (kan->anchor_time),
GNUNET_TIME_relative_ntoh (kan->duration),
&kan->exchange_pub,
&kan->secm_pub,
&kan->secm_sig);
} }
esh->ekc (esh->ekc_cls,
GNUNET_TIME_absolute_ntoh (kan->anchor_time),
GNUNET_TIME_relative_ntoh (kan->duration),
&kan->exchange_pub,
&kan->secm_pub,
&kan->secm_sig);
return GNUNET_OK; return GNUNET_OK;
} }

126
src/util/secmod_signatures.c Normal file
View File

@ -0,0 +1,126 @@
/*
This file is part of TALER
Copyright (C) 2020 Taler Systems SA
TALER is free software; you can redistribute it and/or modify it under the
terms of the GNU General Public License as published by the Free Software
Foundation; either version 3, or (at your option) any later version.
TALER is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with
TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/>
*/
/**
* @file secmod_signatures.c
* @brief Utility functions for Taler security module signatures
* @author Christian Grothoff
*/
#include "platform.h"
#include "taler_util.h"
#include "taler_signatures.h"
void
TALER_exchange_secmod_eddsa_sign (
const struct TALER_ExchangePublicKeyP *exchange_pub,
struct GNUNET_TIME_Absolute start_sign,
struct GNUNET_TIME_Relative duration,
const struct TALER_SecurityModulePrivateKeyP *secm_priv,
struct TALER_SecurityModuleSignatureP *secm_sig)
{
struct TALER_SigningKeyAnnouncementPS ska = {
.purpose.purpose = htonl (TALER_SIGNATURE_SM_SIGNING_KEY),
.purpose.size = htonl (sizeof (ska)),
.exchange_pub = *exchange_pub,
.anchor_time = GNUNET_TIME_absolute_hton (start_sign),
.duration = GNUNET_TIME_relative_hton (duration)
};
GNUNET_CRYPTO_eddsa_sign (&secm_priv->eddsa_priv,
&ska,
&secm_sig->eddsa_signature);
}
int
TALER_exchange_secmod_eddsa_verify (
const struct TALER_ExchangePublicKeyP *exchange_pub,
struct GNUNET_TIME_Absolute start_sign,
struct GNUNET_TIME_Relative duration,
const struct TALER_SecurityModulePublicKeyP *secm_pub,
const struct TALER_SecurityModuleSignatureP *secm_sig)
{
struct TALER_SigningKeyAnnouncementPS ska = {
.purpose.purpose = htonl (TALER_SIGNATURE_SM_SIGNING_KEY),
.purpose.size = htonl (sizeof (ska)),
.exchange_pub = *exchange_pub,
.anchor_time = GNUNET_TIME_absolute_hton (start_sign),
.duration = GNUNET_TIME_relative_hton (duration)
};
return
GNUNET_CRYPTO_eddsa_verify (TALER_SIGNATURE_SM_SIGNING_KEY,
&ska,
&secm_sig->eddsa_signature,
&secm_pub->eddsa_pub);
}
void
TALER_exchange_secmod_rsa_sign (
const struct GNUNET_HashCode *h_denom_pub,
const char *section_name,
struct GNUNET_TIME_Absolute start_sign,
struct GNUNET_TIME_Relative duration,
const struct TALER_SecurityModulePrivateKeyP *secm_priv,
struct TALER_SecurityModuleSignatureP *secm_sig)
{
struct TALER_DenominationKeyAnnouncementPS dka = {
.purpose.purpose = htonl (TALER_SIGNATURE_SM_DENOMINATION_KEY),
.purpose.size = htonl (sizeof (dka)),
.h_denom_pub = *h_denom_pub,
.anchor_time = GNUNET_TIME_absolute_hton (start_sign),
.duration_withdraw = GNUNET_TIME_relative_hton (duration)
};
GNUNET_CRYPTO_hash (section_name,
strlen (section_name) + 1,
&dka.h_section_name);
GNUNET_CRYPTO_eddsa_sign (&secm_priv->eddsa_priv,
&dka,
&secm_sig->eddsa_signature);
}
int
TALER_exchange_secmod_rsa_verify (
const struct GNUNET_HashCode *h_denom_pub,
const char *section_name,
struct GNUNET_TIME_Absolute start_sign,
struct GNUNET_TIME_Relative duration,
const struct TALER_SecurityModulePublicKeyP *secm_pub,
const struct TALER_SecurityModuleSignatureP *secm_sig)
{
struct TALER_DenominationKeyAnnouncementPS dka = {
.purpose.purpose = htonl (TALER_SIGNATURE_SM_DENOMINATION_KEY),
.purpose.size = htonl (sizeof (dka)),
.anchor_time = GNUNET_TIME_absolute_hton (start_sign),
.duration_withdraw = GNUNET_TIME_relative_hton (duration)
};
GNUNET_CRYPTO_hash (section_name,
strlen (section_name) + 1,
&dka.h_section_name);
return
GNUNET_CRYPTO_eddsa_verify (TALER_SIGNATURE_SM_DENOMINATION_KEY,
&dka,
&secm_sig->eddsa_signature,
&secm_pub->eddsa_pub);
}
/* end of secmod_signatures.c */

15
src/util/taler-helper-crypto-eddsa.c
View File

@ -606,13 +606,6 @@ static int
notify_client_key_add (struct Client *client, notify_client_key_add (struct Client *client,
const struct Key *key) const struct Key *key)
{ {
struct TALER_SigningKeyAnnouncementPS ska = {
.purpose.purpose = htonl (TALER_SIGNATURE_SM_SIGNING_KEY),
.purpose.size = htonl (sizeof (ska)),
.exchange_pub = key->exchange_pub,
.anchor_time = GNUNET_TIME_absolute_hton (key->anchor),
.duration = GNUNET_TIME_relative_hton (duration)
};
struct TALER_CRYPTO_EddsaKeyAvailableNotification an = { struct TALER_CRYPTO_EddsaKeyAvailableNotification an = {
.header.size = htons (sizeof (an)), .header.size = htons (sizeof (an)),
.header.type = htons (TALER_HELPER_EDDSA_MT_AVAIL), .header.type = htons (TALER_HELPER_EDDSA_MT_AVAIL),
@ -622,9 +615,11 @@ notify_client_key_add (struct Client *client,
.secm_pub = smpub .secm_pub = smpub
}; };
GNUNET_CRYPTO_eddsa_sign (&smpriv.eddsa_priv, TALER_exchange_secmod_eddsa_sign (&key->exchange_pub,
&ska, key->anchor,
&an.secm_sig.eddsa_signature); duration,
&smpriv,
&an.secm_sig);
if (GNUNET_OK != if (GNUNET_OK !=
transmit (&client->addr, transmit (&client->addr,
client->addr_size, client->addr_size,

19
src/util/taler-helper-crypto-rsa.c
View File

@ -708,22 +708,12 @@ notify_client_dk_add (struct Client *client,
{ {
struct Denomination *denom = dk->denom; struct Denomination *denom = dk->denom;
size_t nlen = strlen (denom->section) + 1; size_t nlen = strlen (denom->section) + 1;
struct TALER_DenominationKeyAnnouncementPS dka = {
.purpose.purpose = htonl (TALER_SIGNATURE_SM_DENOMINATION_KEY),
.purpose.size = htonl (sizeof (dka)),
.h_denom_pub = dk->h_denom_pub,
.anchor_time = GNUNET_TIME_absolute_hton (dk->anchor),
.duration_withdraw = GNUNET_TIME_relative_hton (denom->duration_withdraw)
};
struct TALER_CRYPTO_RsaKeyAvailableNotification *an; struct TALER_CRYPTO_RsaKeyAvailableNotification *an;
size_t buf_len; size_t buf_len;
void *buf; void *buf;
void *p; void *p;
size_t tlen; size_t tlen;
GNUNET_CRYPTO_hash (denom->section,
nlen,
&dka.h_section_name);
buf_len = GNUNET_CRYPTO_rsa_public_key_encode (dk->denom_pub.rsa_public_key, buf_len = GNUNET_CRYPTO_rsa_public_key_encode (dk->denom_pub.rsa_public_key,
&buf); &buf);
GNUNET_assert (buf_len < UINT16_MAX); GNUNET_assert (buf_len < UINT16_MAX);
@ -737,9 +727,12 @@ notify_client_dk_add (struct Client *client,
an->section_name_len = htons ((uint16_t) nlen); an->section_name_len = htons ((uint16_t) nlen);
an->anchor_time = GNUNET_TIME_absolute_hton (dk->anchor); an->anchor_time = GNUNET_TIME_absolute_hton (dk->anchor);
an->duration_withdraw = GNUNET_TIME_relative_hton (denom->duration_withdraw); an->duration_withdraw = GNUNET_TIME_relative_hton (denom->duration_withdraw);
GNUNET_CRYPTO_eddsa_sign (&smpriv.eddsa_priv, TALER_exchange_secmod_rsa_sign (&dk->h_denom_pub,
&dka, denom->section,
&an->secm_sig.eddsa_signature); dk->anchor,
denom->duration_withdraw,
&smpriv,
&an->secm_sig);
an->secm_pub = smpub; an->secm_pub = smpub;
p = (void *) &an[1]; p = (void *) &an[1];
memcpy (p, memcpy (p,