[age restriction] progress 5/n

- taler-exchange-secmod-rsa - extracts AGE_RESTRICTED per denomination from config - propagates flag for each denomination to server - if age restriction is set for a denomination, age _mask_ is taken (for now!) from config
2021-11-28 18:43:41 +01:00 · 2021-11-28 18:43:41 +01:00 · 97bae4dd65
commit 97bae4dd65
parent 2d1a618d3d
7 changed files with 71 additions and 24 deletions
--- a/src/exchange/taler-exchange-httpd_keys.c
+++ b/src/exchange/taler-exchange-httpd_keys.c
@ -26,6 +26,7 @@
 #include "taler-exchange-httpd_keys.h"
 #include "taler-exchange-httpd_responses.h"
 #include "taler_exchangedb_plugin.h"
+#include "taler_extensions.h"


 /**
@ -687,6 +688,7 @@ destroy_key_helpers (struct HelperState *hs)
 * @param sm_pub public key of the security module, NULL if the key was revoked or purged
 * @param sm_sig signature from the security module, NULL if the key was revoked or purged
 *               The signature was already verified against @a sm_pub.
+ * @param age_restricted true, if denomination is age restricted
 */
 static void
 helper_rsa_cb (
@ -697,7 +699,8 @@ helper_rsa_cb (
  const struct TALER_RsaPubHashP *h_rsa,
  const struct TALER_DenominationPublicKey *denom_pub,
  const struct TALER_SecurityModulePublicKeyP *sm_pub,
-  const struct TALER_SecurityModuleSignatureP *sm_sig)
+  const struct TALER_SecurityModuleSignatureP *sm_sig,
+  bool age_restricted)
 {
  struct HelperState *hs = cls;
  struct HelperDenomination *hd;
@ -729,13 +732,17 @@ helper_rsa_cb (
  TALER_denom_pub_deep_copy (&hd->denom_pub,
                             denom_pub);
  GNUNET_assert (TALER_DENOMINATION_RSA == hd->denom_pub.cipher);
-  // FIXME-OEC: set AGE RESTRICTION (from 'global' variable,
-  // that itself is set from /managmenet API!) HERE!
-  // ISSUE: tricky to handle if configuration changes
-  // between denominations (some with/without age
-  // restrictions). For that, we probably need to look at
-  // configuration [$section_name] (!?).
+
+  /* Set age restriction, if applicable */
  hd->denom_pub.age_mask.mask = 0;
+  if (age_restricted)
+  {
+    /* FIXME-oec: get age mask from global */
+    GNUNET_assert (TALER_EXTENSION_OK == TALER_get_age_mask (TEH_cfg,
+                                                             &hd->denom_pub.
+                                                             age_mask));
+  }
+
  TALER_denom_pub_hash (&hd->denom_pub,
                        &hd->h_denom_pub);
  hd->section_name = GNUNET_strdup (section_name);
--- a/src/include/taler_crypto_lib.h
+++ b/src/include/taler_crypto_lib.h
@ -1362,6 +1362,7 @@ struct TALER_CRYPTO_RsaDenominationHelper;
 * @param sm_pub public key of the security module, NULL if the key was revoked or purged
 * @param sm_sig signature from the security module, NULL if the key was revoked or purged
 *               The signature was already verified against @a sm_pub.
+ * @param age_restricted true, if denomnation has age restriction set
 */
 typedef void
 (*TALER_CRYPTO_RsaDenominationKeyStatusCallback)(
@ -1372,7 +1373,8 @@ typedef void
  const struct TALER_RsaPubHashP *h_rsa,
  const struct TALER_DenominationPublicKey *denom_pub,
  const struct TALER_SecurityModulePublicKeyP *sm_pub,
-  const struct TALER_SecurityModuleSignatureP *sm_sig);
+  const struct TALER_SecurityModuleSignatureP *sm_sig,
+  bool age_restricted);


 /**
--- a/src/include/taler_exchangedb_plugin.h
+++ b/src/include/taler_exchangedb_plugin.h
@ -629,6 +629,10 @@ struct TALER_EXCHANGEDB_DenominationKeyMetaData
   */
  struct TALER_Amount fee_refund;

+  /**
+   * Indication if age restriction is set for this denomination
+   */
+  bool age_restricted;
 };


--- a/src/util/crypto_helper_rsa.c
+++ b/src/util/crypto_helper_rsa.c
@ -239,7 +239,8 @@ handle_mt_avail (struct TALER_CRYPTO_RsaDenominationHelper *dh,
             &h_rsa,
             &denom_pub,
             &kan->secm_pub,
-             &kan->secm_sig);
+             &kan->secm_sig,
+             (&kan->age_restricted > 0));
    TALER_denom_pub_free (&denom_pub);
  }
  return GNUNET_OK;
@ -275,7 +276,8 @@ handle_mt_purge (struct TALER_CRYPTO_RsaDenominationHelper *dh,
           &pn->h_rsa,
           NULL,
           NULL,
-           NULL);
+           NULL,
+           false);
  return GNUNET_OK;
 }

--- a/src/util/taler-exchange-secmod-rsa.c
+++ b/src/util/taler-exchange-secmod-rsa.c
@ -1,18 +1,18 @@
 /*
-  This file is part of TALER
-  Copyright (C) 2014-2021 Taler Systems SA
+   This file is part of TALER
+   Copyright (C) 2014-2021 Taler Systems SA

-  TALER is free software; you can redistribute it and/or modify it under the
-  terms of the GNU General Public License as published by the Free Software
-  Foundation; either version 3, or (at your option) any later version.
+   TALER is free software; you can redistribute it and/or modify it under the
+   terms of the GNU General Public License as published by the Free Software
+   Foundation; either version 3, or (at your option) any later version.

-  TALER is distributed in the hope that it will be useful, but WITHOUT ANY
-  WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
-  A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
+   TALER is distributed in the hope that it will be useful, but WITHOUT ANY
+   WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+   A PARTICULAR PURPOSE.  See the GNU General Public License for more details.

-  You should have received a copy of the GNU General Public License along with
-  TALER; see the file COPYING.  If not, see <http://www.gnu.org/licenses/>
-*/
+   You should have received a copy of the GNU General Public License along with
+   TALER; see the file COPYING.  If not, see <http://www.gnu.org/licenses/>
+ */
 /**
 * @file util/taler-exchange-secmod-rsa.c
 * @brief Standalone process to perform private key RSA operations
@ -156,6 +156,11 @@ struct Denomination
   * Length of (new) RSA keys (in bits).
   */
  uint32_t rsa_keysize;
+
+  /**
+   * Is the denomination age restricted?  0 == false
+   */
+  uint8_t age_restricted;
 };


@ -258,6 +263,7 @@ notify_client_dk_add (struct TES_Client *client,
  an->section_name_len = htons ((uint16_t) nlen);
  an->anchor_time = GNUNET_TIME_absolute_hton (dk->anchor);
  an->duration_withdraw = GNUNET_TIME_relative_hton (denom->duration_withdraw);
+  an->age_restricted = denom->age_restricted;
  TALER_exchange_secmod_rsa_sign (&dk->h_rsa,
                                  denom->section,
                                  dk->anchor,
@ -1256,6 +1262,24 @@ parse_denomination_cfg (const struct GNUNET_CONFIGURATION_Handle *cfg,
  }
  denom->rsa_keysize = (unsigned int) rsa_keysize;
  denom->section = GNUNET_strdup (ct);
+  if (GNUNET_OK == (GNUNET_CONFIGURATION_have_value (cfg,
+                                                     ct,
+                                                     "AGE_RESTRICTED")))
+  {
+    enum GNUNET_GenericReturnValue ret;
+    if (GNUNET_SYSERR == (ret = GNUNET_CONFIGURATION_get_value_yesno (cfg,
+                                                                      ct,
+                                                                      "AGE_RESTRICTED")))
+    {
+      GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR,
+                                 ct,
+                                 "AGE_RESTRICTED",
+                                 "Value must be YES or NO\n");
+      return GNUNET_SYSERR;
+    }
+    denom->age_restricted = (ret == GNUNET_OK) ? 1 : 0;
+  }
+
  return GNUNET_OK;
 }

@ -1522,8 +1546,8 @@ main (int argc,
  (void) umask (S_IWGRP | S_IROTH | S_IWOTH | S_IXOTH);

  /* force linker to link against libtalerutil; if we do
-   not do this, the linker may "optimize" libtalerutil
-   away and skip #TALER_OS_init(), which we do need */
+     not do this, the linker may "optimize" libtalerutil
+     away and skip #TALER_OS_init(), which we do need */
  TALER_OS_init ();
  now = now_tmp = GNUNET_TIME_absolute_get ();
  ret = GNUNET_PROGRAM_run (argc, argv,
--- a/src/util/taler-exchange-secmod-rsa.h
+++ b/src/util/taler-exchange-secmod-rsa.h
@ -77,6 +77,11 @@ struct TALER_CRYPTO_RsaKeyAvailableNotification
   */
  struct TALER_SecurityModuleSignatureP secm_sig;

+  /**
+   * Indicator for age restriction
+   */
+  uint8_t age_restricted;
+
  /* followed by @e pub_size bytes of the RSA public key */

  /* followed by @e section_name bytes of the configuration section name
--- a/src/util/test_helper_rsa.c
+++ b/src/util/test_helper_rsa.c
@ -133,6 +133,7 @@ free_keys (void)
 * @param sm_pub public key of the security module, NULL if the key was revoked or purged
 * @param sm_sig signature from the security module, NULL if the key was revoked or purged
 *               The signature was already verified against @a sm_pub.
+ * @param age_restricted indication if denomination is age restricted
 */
 static void
 key_cb (void *cls,
@ -142,7 +143,8 @@ key_cb (void *cls,
        const struct TALER_RsaPubHashP *h_rsa,
        const struct TALER_DenominationPublicKey *denom_pub,
        const struct TALER_SecurityModulePublicKeyP *sm_pub,
-        const struct TALER_SecurityModuleSignatureP *sm_sig)
+        const struct TALER_SecurityModuleSignatureP *sm_sig,
+        bool age_restricted)
 {
  (void) cls;
  (void) sm_pub;
@ -186,6 +188,7 @@ key_cb (void *cls,
      keys[i].validity_duration = validity_duration;
      TALER_denom_pub_deep_copy (&keys[i].denom_pub,
                                 denom_pub);
+      /* FIXME-oec: take age_restriction into account!? */
      num_keys++;
      return;
    }