[age restriction] progress 5/n

- taler-exchange-secmod-rsa
  - extracts AGE_RESTRICTED per denomination from config
  - propagates flag for each denomination to server
- if age restriction is set for a denomination,
  age _mask_ is taken (for now!) from config

src/exchange/taler-exchange-httpd_keys.c

@@ -26,6 +26,7 @@
 #include "taler-exchange-httpd_keys.h"
 #include "taler-exchange-httpd_responses.h"
 #include "taler_exchangedb_plugin.h"
+#include "taler_extensions.h"
 
 
 /**
@@ -687,6 +688,7 @@ destroy_key_helpers (struct HelperState *hs)
  * @param sm_pub public key of the security module, NULL if the key was revoked or purged
  * @param sm_sig signature from the security module, NULL if the key was revoked or purged
  *               The signature was already verified against @a sm_pub.
+ * @param age_restricted true, if denomination is age restricted
  */
 static void
 helper_rsa_cb (
@@ -697,7 +699,8 @@ helper_rsa_cb (
   const struct TALER_RsaPubHashP *h_rsa,
   const struct TALER_DenominationPublicKey *denom_pub,
   const struct TALER_SecurityModulePublicKeyP *sm_pub,
-  const struct TALER_SecurityModuleSignatureP *sm_sig)
+  const struct TALER_SecurityModuleSignatureP *sm_sig,
+  bool age_restricted)
 {
   struct HelperState *hs = cls;
   struct HelperDenomination *hd;
@@ -729,13 +732,17 @@ helper_rsa_cb (
   TALER_denom_pub_deep_copy (&hd->denom_pub,
                              denom_pub);
   GNUNET_assert (TALER_DENOMINATION_RSA == hd->denom_pub.cipher);
-  // FIXME-OEC: set AGE RESTRICTION (from 'global' variable,
+
-  // that itself is set from /managmenet API!) HERE!
+  /* Set age restriction, if applicable */
-  // ISSUE: tricky to handle if configuration changes
-  // between denominations (some with/without age
-  // restrictions). For that, we probably need to look at
-  // configuration [$section_name] (!?).
   hd->denom_pub.age_mask.mask = 0;
+  if (age_restricted)
+  {
+    /* FIXME-oec: get age mask from global */
+    GNUNET_assert (TALER_EXTENSION_OK == TALER_get_age_mask (TEH_cfg,
+                                                             &hd->denom_pub.
+                                                             age_mask));
+  }
+
   TALER_denom_pub_hash (&hd->denom_pub,
                         &hd->h_denom_pub);
   hd->section_name = GNUNET_strdup (section_name);

src/include/taler_crypto_lib.h

@@ -1362,6 +1362,7 @@ struct TALER_CRYPTO_RsaDenominationHelper;
  * @param sm_pub public key of the security module, NULL if the key was revoked or purged
  * @param sm_sig signature from the security module, NULL if the key was revoked or purged
  *               The signature was already verified against @a sm_pub.
+ * @param age_restricted true, if denomnation has age restriction set
  */
 typedef void
 (*TALER_CRYPTO_RsaDenominationKeyStatusCallback)(
@@ -1372,7 +1373,8 @@ typedef void
   const struct TALER_RsaPubHashP *h_rsa,
   const struct TALER_DenominationPublicKey *denom_pub,
   const struct TALER_SecurityModulePublicKeyP *sm_pub,
-  const struct TALER_SecurityModuleSignatureP *sm_sig);
+  const struct TALER_SecurityModuleSignatureP *sm_sig,
+  bool age_restricted);
 
 
 /**

src/include/taler_exchangedb_plugin.h

@@ -629,6 +629,10 @@ struct TALER_EXCHANGEDB_DenominationKeyMetaData
    */
   struct TALER_Amount fee_refund;
 
+  /**
+   * Indication if age restriction is set for this denomination
+   */
+  bool age_restricted;
 };
 
 

src/util/crypto_helper_rsa.c

@@ -239,7 +239,8 @@ handle_mt_avail (struct TALER_CRYPTO_RsaDenominationHelper *dh,
              &h_rsa,
              &denom_pub,
              &kan->secm_pub,
-             &kan->secm_sig);
+             &kan->secm_sig,
+             (&kan->age_restricted > 0));
     TALER_denom_pub_free (&denom_pub);
   }
   return GNUNET_OK;
@@ -275,7 +276,8 @@ handle_mt_purge (struct TALER_CRYPTO_RsaDenominationHelper *dh,
            &pn->h_rsa,
            NULL,
            NULL,
-           NULL);
+           NULL,
+           false);
   return GNUNET_OK;
 }
 

src/util/taler-exchange-secmod-rsa.c

@@ -156,6 +156,11 @@ struct Denomination
    * Length of (new) RSA keys (in bits).
    */
   uint32_t rsa_keysize;
+
+  /**
+   * Is the denomination age restricted?  0 == false
+   */
+  uint8_t age_restricted;
 };
 
 
@@ -258,6 +263,7 @@ notify_client_dk_add (struct TES_Client *client,
   an->section_name_len = htons ((uint16_t) nlen);
   an->anchor_time = GNUNET_TIME_absolute_hton (dk->anchor);
   an->duration_withdraw = GNUNET_TIME_relative_hton (denom->duration_withdraw);
+  an->age_restricted = denom->age_restricted;
   TALER_exchange_secmod_rsa_sign (&dk->h_rsa,
                                   denom->section,
                                   dk->anchor,
@@ -1256,6 +1262,24 @@ parse_denomination_cfg (const struct GNUNET_CONFIGURATION_Handle *cfg,
   }
   denom->rsa_keysize = (unsigned int) rsa_keysize;
   denom->section = GNUNET_strdup (ct);
+  if (GNUNET_OK == (GNUNET_CONFIGURATION_have_value (cfg,
+                                                     ct,
+                                                     "AGE_RESTRICTED")))
+  {
+    enum GNUNET_GenericReturnValue ret;
+    if (GNUNET_SYSERR == (ret = GNUNET_CONFIGURATION_get_value_yesno (cfg,
+                                                                      ct,
+                                                                      "AGE_RESTRICTED")))
+    {
+      GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR,
+                                 ct,
+                                 "AGE_RESTRICTED",
+                                 "Value must be YES or NO\n");
+      return GNUNET_SYSERR;
+    }
+    denom->age_restricted = (ret == GNUNET_OK) ? 1 : 0;
+  }
+
   return GNUNET_OK;
 }
 

src/util/taler-exchange-secmod-rsa.h

@@ -77,6 +77,11 @@ struct TALER_CRYPTO_RsaKeyAvailableNotification
    */
   struct TALER_SecurityModuleSignatureP secm_sig;
 
+  /**
+   * Indicator for age restriction
+   */
+  uint8_t age_restricted;
+
   /* followed by @e pub_size bytes of the RSA public key */
 
   /* followed by @e section_name bytes of the configuration section name

src/util/test_helper_rsa.c

@@ -133,6 +133,7 @@ free_keys (void)
  * @param sm_pub public key of the security module, NULL if the key was revoked or purged
  * @param sm_sig signature from the security module, NULL if the key was revoked or purged
  *               The signature was already verified against @a sm_pub.
+ * @param age_restricted indication if denomination is age restricted
  */
 static void
 key_cb (void *cls,
@@ -142,7 +143,8 @@ key_cb (void *cls,
         const struct TALER_RsaPubHashP *h_rsa,
         const struct TALER_DenominationPublicKey *denom_pub,
         const struct TALER_SecurityModulePublicKeyP *sm_pub,
-        const struct TALER_SecurityModuleSignatureP *sm_sig)
+        const struct TALER_SecurityModuleSignatureP *sm_sig,
+        bool age_restricted)
 {
   (void) cls;
   (void) sm_pub;
@@ -186,6 +188,7 @@ key_cb (void *cls,
       keys[i].validity_duration = validity_duration;
       TALER_denom_pub_deep_copy (&keys[i].denom_pub,
                                  denom_pub);
+      /* FIXME-oec: take age_restriction into account!? */
       num_keys++;
       return;
     }