[age restriction] progress 5/n

- taler-exchange-secmod-rsa
  - extracts AGE_RESTRICTED per denomination from config
  - propagates flag for each denomination to server
- if age restriction is set for a denomination,
  age _mask_ is taken (for now!) from config
This commit is contained in:
Özgür Kesim 2021-11-28 18:43:41 +01:00
parent 2d1a618d3d
commit 97bae4dd65
Signed by: oec
GPG Key ID: 3D76A56D79EDD9D7
7 changed files with 71 additions and 24 deletions

View File

@ -26,6 +26,7 @@
#include "taler-exchange-httpd_keys.h"
#include "taler-exchange-httpd_responses.h"
#include "taler_exchangedb_plugin.h"
#include "taler_extensions.h"
/**
@ -687,6 +688,7 @@ destroy_key_helpers (struct HelperState *hs)
* @param sm_pub public key of the security module, NULL if the key was revoked or purged
* @param sm_sig signature from the security module, NULL if the key was revoked or purged
* The signature was already verified against @a sm_pub.
* @param age_restricted true, if denomination is age restricted
*/
static void
helper_rsa_cb (
@ -697,7 +699,8 @@ helper_rsa_cb (
const struct TALER_RsaPubHashP *h_rsa,
const struct TALER_DenominationPublicKey *denom_pub,
const struct TALER_SecurityModulePublicKeyP *sm_pub,
const struct TALER_SecurityModuleSignatureP *sm_sig)
const struct TALER_SecurityModuleSignatureP *sm_sig,
bool age_restricted)
{
struct HelperState *hs = cls;
struct HelperDenomination *hd;
@ -729,13 +732,17 @@ helper_rsa_cb (
TALER_denom_pub_deep_copy (&hd->denom_pub,
denom_pub);
GNUNET_assert (TALER_DENOMINATION_RSA == hd->denom_pub.cipher);
// FIXME-OEC: set AGE RESTRICTION (from 'global' variable,
// that itself is set from /managmenet API!) HERE!
// ISSUE: tricky to handle if configuration changes
// between denominations (some with/without age
// restrictions). For that, we probably need to look at
// configuration [$section_name] (!?).
/* Set age restriction, if applicable */
hd->denom_pub.age_mask.mask = 0;
if (age_restricted)
{
/* FIXME-oec: get age mask from global */
GNUNET_assert (TALER_EXTENSION_OK == TALER_get_age_mask (TEH_cfg,
&hd->denom_pub.
age_mask));
}
TALER_denom_pub_hash (&hd->denom_pub,
&hd->h_denom_pub);
hd->section_name = GNUNET_strdup (section_name);

View File

@ -1362,6 +1362,7 @@ struct TALER_CRYPTO_RsaDenominationHelper;
* @param sm_pub public key of the security module, NULL if the key was revoked or purged
* @param sm_sig signature from the security module, NULL if the key was revoked or purged
* The signature was already verified against @a sm_pub.
* @param age_restricted true, if denomnation has age restriction set
*/
typedef void
(*TALER_CRYPTO_RsaDenominationKeyStatusCallback)(
@ -1372,7 +1373,8 @@ typedef void
const struct TALER_RsaPubHashP *h_rsa,
const struct TALER_DenominationPublicKey *denom_pub,
const struct TALER_SecurityModulePublicKeyP *sm_pub,
const struct TALER_SecurityModuleSignatureP *sm_sig);
const struct TALER_SecurityModuleSignatureP *sm_sig,
bool age_restricted);
/**

View File

@ -629,6 +629,10 @@ struct TALER_EXCHANGEDB_DenominationKeyMetaData
*/
struct TALER_Amount fee_refund;
/**
* Indication if age restriction is set for this denomination
*/
bool age_restricted;
};

View File

@ -239,7 +239,8 @@ handle_mt_avail (struct TALER_CRYPTO_RsaDenominationHelper *dh,
&h_rsa,
&denom_pub,
&kan->secm_pub,
&kan->secm_sig);
&kan->secm_sig,
(&kan->age_restricted > 0));
TALER_denom_pub_free (&denom_pub);
}
return GNUNET_OK;
@ -275,7 +276,8 @@ handle_mt_purge (struct TALER_CRYPTO_RsaDenominationHelper *dh,
&pn->h_rsa,
NULL,
NULL,
NULL);
NULL,
false);
return GNUNET_OK;
}

View File

@ -12,7 +12,7 @@
You should have received a copy of the GNU General Public License along with
TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/>
*/
*/
/**
* @file util/taler-exchange-secmod-rsa.c
* @brief Standalone process to perform private key RSA operations
@ -156,6 +156,11 @@ struct Denomination
* Length of (new) RSA keys (in bits).
*/
uint32_t rsa_keysize;
/**
* Is the denomination age restricted? 0 == false
*/
uint8_t age_restricted;
};
@ -258,6 +263,7 @@ notify_client_dk_add (struct TES_Client *client,
an->section_name_len = htons ((uint16_t) nlen);
an->anchor_time = GNUNET_TIME_absolute_hton (dk->anchor);
an->duration_withdraw = GNUNET_TIME_relative_hton (denom->duration_withdraw);
an->age_restricted = denom->age_restricted;
TALER_exchange_secmod_rsa_sign (&dk->h_rsa,
denom->section,
dk->anchor,
@ -1256,6 +1262,24 @@ parse_denomination_cfg (const struct GNUNET_CONFIGURATION_Handle *cfg,
}
denom->rsa_keysize = (unsigned int) rsa_keysize;
denom->section = GNUNET_strdup (ct);
if (GNUNET_OK == (GNUNET_CONFIGURATION_have_value (cfg,
ct,
"AGE_RESTRICTED")))
{
enum GNUNET_GenericReturnValue ret;
if (GNUNET_SYSERR == (ret = GNUNET_CONFIGURATION_get_value_yesno (cfg,
ct,
"AGE_RESTRICTED")))
{
GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR,
ct,
"AGE_RESTRICTED",
"Value must be YES or NO\n");
return GNUNET_SYSERR;
}
denom->age_restricted = (ret == GNUNET_OK) ? 1 : 0;
}
return GNUNET_OK;
}

View File

@ -77,6 +77,11 @@ struct TALER_CRYPTO_RsaKeyAvailableNotification
*/
struct TALER_SecurityModuleSignatureP secm_sig;
/**
* Indicator for age restriction
*/
uint8_t age_restricted;
/* followed by @e pub_size bytes of the RSA public key */
/* followed by @e section_name bytes of the configuration section name

View File

@ -133,6 +133,7 @@ free_keys (void)
* @param sm_pub public key of the security module, NULL if the key was revoked or purged
* @param sm_sig signature from the security module, NULL if the key was revoked or purged
* The signature was already verified against @a sm_pub.
* @param age_restricted indication if denomination is age restricted
*/
static void
key_cb (void *cls,
@ -142,7 +143,8 @@ key_cb (void *cls,
const struct TALER_RsaPubHashP *h_rsa,
const struct TALER_DenominationPublicKey *denom_pub,
const struct TALER_SecurityModulePublicKeyP *sm_pub,
const struct TALER_SecurityModuleSignatureP *sm_sig)
const struct TALER_SecurityModuleSignatureP *sm_sig,
bool age_restricted)
{
(void) cls;
(void) sm_pub;
@ -186,6 +188,7 @@ key_cb (void *cls,
keys[i].validity_duration = validity_duration;
TALER_denom_pub_deep_copy (&keys[i].denom_pub,
denom_pub);
/* FIXME-oec: take age_restriction into account!? */
num_keys++;
return;
}