taler/exchange
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

-use different hash for RSA vs. Denomination hashing

Browse Source
This commit is contained in:
Christian Grothoff 2021-11-17 23:02:05 +01:00
parent 2078dd1bfb
commit b61f601028
No known key found for this signature in database
GPG Key ID: 939E6BE1E29FC3CC
11 changed files with 306 additions and 146 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
src/exchange-tools/taler-exchange-offline.c
View File

@ -2635,6 +2635,7 @@ show_denomkeys (const struct TALER_SecurityModulePublicKeyP *secm_pub,
}; };
struct GNUNET_TIME_Relative duration; struct GNUNET_TIME_Relative duration;
struct TALER_DenominationHash h_denom_pub; struct TALER_DenominationHash h_denom_pub;
enum GNUNET_GenericReturnValue ok;
if (GNUNET_OK != if (GNUNET_OK !=
GNUNET_JSON_parse (value, GNUNET_JSON_parse (value,
@ -2659,13 +2660,28 @@ show_denomkeys (const struct TALER_SecurityModulePublicKeyP *secm_pub,
stamp_expire_withdraw); stamp_expire_withdraw);
TALER_denom_pub_hash (&denom_pub, TALER_denom_pub_hash (&denom_pub,
&h_denom_pub); &h_denom_pub);
if (GNUNET_OK != switch (denom_pub.cipher)
TALER_exchange_secmod_denom_verify (&h_denom_pub, {
section_name, case TALER_DENOMINATION_RSA:
stamp_start, {
duration, struct TALER_RsaPubHashP h_rsa;
secm_pub,
&secm_sig)) TALER_rsa_pub_hash (denom_pub.details.rsa_public_key,
&h_rsa);
ok = TALER_exchange_secmod_rsa_verify (&h_rsa,
section_name,
stamp_start,
duration,
secm_pub,
&secm_sig);
}
break;
default:
GNUNET_break (0);
ok = GNUNET_SYSERR;
break;
}
if (GNUNET_OK != ok)
{ {
GNUNET_log (GNUNET_ERROR_TYPE_ERROR, GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"Invalid security module signature for denomination key %s (aborting)\n", "Invalid security module signature for denomination key %s (aborting)\n",
@ -2997,7 +3013,7 @@ sign_signkeys (const struct TALER_SecurityModulePublicKeyP *secm_pub,
* @param[in,out] result array where to output the signatures * @param[in,out] result array where to output the signatures
* @return #GNUNET_OK on success * @return #GNUNET_OK on success
*/ */
static int static enum GNUNET_GenericReturnValue
sign_denomkeys (const struct TALER_SecurityModulePublicKeyP *secm_pub, sign_denomkeys (const struct TALER_SecurityModulePublicKeyP *secm_pub,
const json_t *denomkeys, const json_t *denomkeys,
json_t *result) json_t *result)
@ -3076,19 +3092,36 @@ sign_denomkeys (const struct TALER_SecurityModulePublicKeyP *secm_pub,
} }
duration = GNUNET_TIME_absolute_get_difference (stamp_start, duration = GNUNET_TIME_absolute_get_difference (stamp_start,
stamp_expire_withdraw); stamp_expire_withdraw);
// FIXME-Oec: setup age mask here?
TALER_denom_pub_hash (&denom_pub, TALER_denom_pub_hash (&denom_pub,
&h_denom_pub); &h_denom_pub);
if (GNUNET_OK != switch (denom_pub.cipher)
TALER_exchange_secmod_denom_verify (&h_denom_pub,
section_name,
stamp_start,
duration,
secm_pub,
&secm_sig))
{ {
GNUNET_log (GNUNET_ERROR_TYPE_ERROR, case TALER_DENOMINATION_RSA:
"Invalid security module signature for denomination key %s (aborting)\n", {
GNUNET_h2s (&h_denom_pub.hash)); struct TALER_RsaPubHashP h_rsa;
TALER_rsa_pub_hash (denom_pub.details.rsa_public_key,
&h_rsa);
if (GNUNET_OK !=
TALER_exchange_secmod_rsa_verify (&h_rsa,
section_name,
stamp_start,
duration,
secm_pub,
&secm_sig))
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"Invalid security module signature for denomination key %s (aborting)\n",
GNUNET_h2s (&h_denom_pub.hash));
global_ret = EXIT_FAILURE;
test_shutdown ();
GNUNET_JSON_parse_free (spec);
return GNUNET_SYSERR;
}
}
break;
default:
global_ret = EXIT_FAILURE; global_ret = EXIT_FAILURE;
test_shutdown (); test_shutdown ();
GNUNET_JSON_parse_free (spec); GNUNET_JSON_parse_free (spec);

107
src/exchange/taler-exchange-httpd_keys.c
View File

@ -71,7 +71,7 @@ struct HelperDenomination
struct GNUNET_TIME_Relative validity_duration; struct GNUNET_TIME_Relative validity_duration;
/** /**
* Hash of the denomination key. * Hash of the full denomination key.
*/ */
struct TALER_DenominationHash h_denom_pub; struct TALER_DenominationHash h_denom_pub;
@ -85,11 +85,25 @@ struct HelperDenomination
*/ */
struct TALER_DenominationPublicKey denom_pub; struct TALER_DenominationPublicKey denom_pub;
/**
* Details depend on the @e denom_pub.cipher type.
*/
union
{
/**
* Hash of the RSA key.
*/
struct TALER_RsaPubHashP h_rsa;
} h_details;
/** /**
* Name in configuration section for this denomination type. * Name in configuration section for this denomination type.
*/ */
char *section_name; char *section_name;
}; };
@ -167,13 +181,18 @@ struct HelperState
/** /**
* Handle for the denom/RSA helper. * Handle for the denom/RSA helper.
*/ */
struct TALER_CRYPTO_DenominationHelper *dh; struct TALER_CRYPTO_RsaDenominationHelper *dh;
/** /**
* Map from H(denom_pub) to `struct HelperDenomination` entries. * Map from H(denom_pub) to `struct HelperDenomination` entries.
*/ */
struct GNUNET_CONTAINER_MultiHashMap *denom_keys; struct GNUNET_CONTAINER_MultiHashMap *denom_keys;
/**
* Map from H(rsa_pub) to `struct HelperDenomination` entries.
*/
struct GNUNET_CONTAINER_MultiHashMap *rsa_keys;
/** /**
* Map from `struct TALER_ExchangePublicKey` to `struct HelperSignkey` * Map from `struct TALER_ExchangePublicKey` to `struct HelperSignkey`
* entries. Based on the fact that a `struct GNUNET_PeerIdentity` is also * entries. Based on the fact that a `struct GNUNET_PeerIdentity` is also
@ -591,6 +610,8 @@ destroy_key_helpers (struct HelperState *hs)
GNUNET_CONTAINER_multihashmap_iterate (hs->denom_keys, GNUNET_CONTAINER_multihashmap_iterate (hs->denom_keys,
&free_denom_cb, &free_denom_cb,
hs); hs);
GNUNET_CONTAINER_multihashmap_destroy (hs->rsa_keys);
hs->rsa_keys = NULL;
GNUNET_CONTAINER_multihashmap_destroy (hs->denom_keys); GNUNET_CONTAINER_multihashmap_destroy (hs->denom_keys);
hs->denom_keys = NULL; hs->denom_keys = NULL;
GNUNET_CONTAINER_multipeermap_iterate (hs->esign_keys, GNUNET_CONTAINER_multipeermap_iterate (hs->esign_keys,
@ -600,7 +621,7 @@ destroy_key_helpers (struct HelperState *hs)
hs->esign_keys = NULL; hs->esign_keys = NULL;
if (NULL != hs->dh) if (NULL != hs->dh)
{ {
TALER_CRYPTO_helper_denom_disconnect (hs->dh); TALER_CRYPTO_helper_rsa_disconnect (hs->dh);
hs->dh = NULL; hs->dh = NULL;
} }
if (NULL != hs->esh) if (NULL != hs->esh)
@ -630,12 +651,12 @@ destroy_key_helpers (struct HelperState *hs)
* The signature was already verified against @a sm_pub. * The signature was already verified against @a sm_pub.
*/ */
static void static void
helper_denom_cb ( helper_rsa_cb (
void *cls, void *cls,
const char *section_name, const char *section_name,
struct GNUNET_TIME_Absolute start_time, struct GNUNET_TIME_Absolute start_time,
struct GNUNET_TIME_Relative validity_duration, struct GNUNET_TIME_Relative validity_duration,
const struct TALER_DenominationHash *h_denom_pub, const struct TALER_RsaPubHashP *h_rsa,
const struct TALER_DenominationPublicKey *denom_pub, const struct TALER_DenominationPublicKey *denom_pub,
const struct TALER_SecurityModulePublicKeyP *sm_pub, const struct TALER_SecurityModulePublicKeyP *sm_pub,
const struct TALER_SecurityModuleSignatureP *sm_sig) const struct TALER_SecurityModuleSignatureP *sm_sig)
@ -645,14 +666,14 @@ helper_denom_cb (
GNUNET_log (GNUNET_ERROR_TYPE_INFO, GNUNET_log (GNUNET_ERROR_TYPE_INFO,
"RSA helper announces key %s for denomination type %s with validity %s\n", "RSA helper announces key %s for denomination type %s with validity %s\n",
GNUNET_h2s (&h_denom_pub->hash), GNUNET_h2s (&h_rsa->hash),
section_name, section_name,
GNUNET_STRINGS_relative_time_to_string (validity_duration, GNUNET_STRINGS_relative_time_to_string (validity_duration,
GNUNET_NO)); GNUNET_NO));
key_generation++; key_generation++;
TEH_resume_keys_requests (false); TEH_resume_keys_requests (false);
hd = GNUNET_CONTAINER_multihashmap_get (hs->denom_keys, hd = GNUNET_CONTAINER_multihashmap_get (hs->rsa_keys,
&h_denom_pub->hash); &h_rsa->hash);
if (NULL != hd) if (NULL != hd)
{ {
/* should be just an update (revocation!), so update existing entry */ /* should be just an update (revocation!), so update existing entry */
@ -664,10 +685,19 @@ helper_denom_cb (
hd = GNUNET_new (struct HelperDenomination); hd = GNUNET_new (struct HelperDenomination);
hd->start_time = start_time; hd->start_time = start_time;
hd->validity_duration = validity_duration; hd->validity_duration = validity_duration;
hd->h_denom_pub = *h_denom_pub; hd->h_details.h_rsa = *h_rsa;
hd->sm_sig = *sm_sig; hd->sm_sig = *sm_sig;
TALER_denom_pub_deep_copy (&hd->denom_pub, TALER_denom_pub_deep_copy (&hd->denom_pub,
denom_pub); denom_pub);
// FIXME-OEC: set AGE RESTRICTION (from 'global' variable,
// that itself is set from /managmenet API!) HERE!
// ISSUE: tricky to handle if configuration changes
// between denominations (some with/without age
// restrictions). For that, we probably need to look at
// configuration [$section_name] (!?).
hd->denom_pub.age_mask.mask = 0;
TALER_denom_pub_hash (&hd->denom_pub,
&hd->h_denom_pub);
hd->section_name = GNUNET_strdup (section_name); hd->section_name = GNUNET_strdup (section_name);
GNUNET_assert ( GNUNET_assert (
GNUNET_OK == GNUNET_OK ==
@ -676,6 +706,13 @@ helper_denom_cb (
&hd->h_denom_pub.hash, &hd->h_denom_pub.hash,
hd, hd,
GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY)); GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
GNUNET_assert (
GNUNET_OK ==
GNUNET_CONTAINER_multihashmap_put (
hs->rsa_keys,
&hd->h_details.h_rsa.hash,
hd,
GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
} }
@ -752,12 +789,15 @@ setup_key_helpers (struct HelperState *hs)
hs->denom_keys hs->denom_keys
= GNUNET_CONTAINER_multihashmap_create (1024, = GNUNET_CONTAINER_multihashmap_create (1024,
GNUNET_YES); GNUNET_YES);
hs->rsa_keys
= GNUNET_CONTAINER_multihashmap_create (1024,
GNUNET_YES);
hs->esign_keys hs->esign_keys
= GNUNET_CONTAINER_multipeermap_create (32, = GNUNET_CONTAINER_multipeermap_create (32,
GNUNET_NO /* MUST BE NO! */); GNUNET_NO /* MUST BE NO! */);
hs->dh = TALER_CRYPTO_helper_denom_connect (TEH_cfg, hs->dh = TALER_CRYPTO_helper_rsa_connect (TEH_cfg,
&helper_denom_cb, &helper_rsa_cb,
hs); hs);
if (NULL == hs->dh) if (NULL == hs->dh)
{ {
destroy_key_helpers (hs); destroy_key_helpers (hs);
@ -783,7 +823,7 @@ setup_key_helpers (struct HelperState *hs)
static void static void
sync_key_helpers (struct HelperState *hs) sync_key_helpers (struct HelperState *hs)
{ {
TALER_CRYPTO_helper_denom_poll (hs->dh); TALER_CRYPTO_helper_rsa_poll (hs->dh);
TALER_CRYPTO_helper_esign_poll (hs->esh); TALER_CRYPTO_helper_esign_poll (hs->esh);
} }
@ -1925,6 +1965,7 @@ TEH_keys_denomination_sign (const struct TALER_DenominationHash *h_denom_pub,
{ {
struct TEH_KeyStateHandle *ksh; struct TEH_KeyStateHandle *ksh;
struct TALER_BlindedDenominationSignature none; struct TALER_BlindedDenominationSignature none;
struct HelperDenomination *hd;
memset (&none, memset (&none,
0, 0,
@ -1935,11 +1976,25 @@ TEH_keys_denomination_sign (const struct TALER_DenominationHash *h_denom_pub,
*ec = TALER_EC_EXCHANGE_GENERIC_KEYS_MISSING; *ec = TALER_EC_EXCHANGE_GENERIC_KEYS_MISSING;
return none; return none;
} }
return TALER_CRYPTO_helper_denom_sign (ksh->helpers->dh, hd = GNUNET_CONTAINER_multihashmap_get (ksh->helpers->denom_keys,
h_denom_pub, &h_denom_pub->hash);
if (NULL == hd)
{
*ec = TALER_EC_EXCHANGE_GENERIC_DENOMINATION_KEY_UNKNOWN;
return none;
}
switch (hd->denom_pub.cipher)
{
case TALER_DENOMINATION_RSA:
return TALER_CRYPTO_helper_rsa_sign (ksh->helpers->dh,
&hd->h_details.h_rsa,
msg, msg,
msg_size, msg_size,
ec); ec);
default:
*ec = TALER_EC_GENERIC_INTERNAL_INVARIANT_FAILURE;
return none;
}
} }
@ -1947,6 +2002,7 @@ void
TEH_keys_denomination_revoke (const struct TALER_DenominationHash *h_denom_pub) TEH_keys_denomination_revoke (const struct TALER_DenominationHash *h_denom_pub)
{ {
struct TEH_KeyStateHandle *ksh; struct TEH_KeyStateHandle *ksh;
struct HelperDenomination *hd;
ksh = TEH_keys_get_state (); ksh = TEH_keys_get_state ();
if (NULL == ksh) if (NULL == ksh)
@ -1954,9 +2010,24 @@ TEH_keys_denomination_revoke (const struct TALER_DenominationHash *h_denom_pub)
GNUNET_break (0); GNUNET_break (0);
return; return;
} }
TALER_CRYPTO_helper_denom_revoke (ksh->helpers->dh, hd = GNUNET_CONTAINER_multihashmap_get (ksh->helpers->denom_keys,
h_denom_pub); &h_denom_pub->hash);
TEH_keys_update_states (); if (NULL == hd)
{
GNUNET_break (0);
return;
}
switch (hd->denom_pub.cipher)
{
case TALER_DENOMINATION_RSA:
TALER_CRYPTO_helper_rsa_revoke (ksh->helpers->dh,
&hd->h_details.h_rsa);
TEH_keys_update_states ();
return;
default:
GNUNET_break (0);
return;
}
} }

73
src/include/taler_crypto_lib.h
View File

@ -402,6 +402,31 @@ struct TALER_WireSalt
}; };
/**
* Hash used to represent an RSA public key. Does not include age
* restrictions and is ONLY for RSA. Used ONLY for interactions with the RSA
* security module.
*/
struct TALER_RsaPubHashP
{
/**
* Actual hash value.
*/
struct GNUNET_HashCode hash;
};
/**
* Hash @a rsa.
*
* @param rsa key to hash
* @param[out] h_rsa where to write the result
*/
void
TALER_rsa_pub_hash (const struct GNUNET_CRYPTO_RsaPublicKey *rsa,
struct TALER_RsaPubHashP *h_rsa);
/** /**
* Hash used to represent a denomination public key * Hash used to represent a denomination public key
* and associated age restrictions (if any). * and associated age restrictions (if any).
@ -1318,7 +1343,7 @@ TALER_refresh_get_commitment (struct TALER_RefreshCommitmentP *rc,
/** /**
* Handle for talking to an Denomination key signing helper. * Handle for talking to an Denomination key signing helper.
*/ */
struct TALER_CRYPTO_DenominationHelper; struct TALER_CRYPTO_RsaDenominationHelper;
/** /**
* Function called with information about available keys for signing. Usually * Function called with information about available keys for signing. Usually
@ -1332,19 +1357,19 @@ struct TALER_CRYPTO_DenominationHelper;
* zero if the key has been revoked or purged * zero if the key has been revoked or purged
* @param validity_duration how long does the key remain available for signing; * @param validity_duration how long does the key remain available for signing;
* zero if the key has been revoked or purged * zero if the key has been revoked or purged
* @param h_denom_pub hash of the @a denom_pub that is available (or was purged) * @param h_rsa hash of the RSA @a denom_pub that is available (or was purged)
* @param denom_pub the public key itself, NULL if the key was revoked or purged * @param denom_pub the public key itself, NULL if the key was revoked or purged
* @param sm_pub public key of the security module, NULL if the key was revoked or purged * @param sm_pub public key of the security module, NULL if the key was revoked or purged
* @param sm_sig signature from the security module, NULL if the key was revoked or purged * @param sm_sig signature from the security module, NULL if the key was revoked or purged
* The signature was already verified against @a sm_pub. * The signature was already verified against @a sm_pub.
*/ */
typedef void typedef void
(*TALER_CRYPTO_DenominationKeyStatusCallback)( (*TALER_CRYPTO_RsaDenominationKeyStatusCallback)(
void *cls, void *cls,
const char *section_name, const char *section_name,
struct GNUNET_TIME_Absolute start_time, struct GNUNET_TIME_Absolute start_time,
struct GNUNET_TIME_Relative validity_duration, struct GNUNET_TIME_Relative validity_duration,
const struct TALER_DenominationHash *h_denom_pub, const struct TALER_RsaPubHashP *h_rsa,
const struct TALER_DenominationPublicKey *denom_pub, const struct TALER_DenominationPublicKey *denom_pub,
const struct TALER_SecurityModulePublicKeyP *sm_pub, const struct TALER_SecurityModulePublicKeyP *sm_pub,
const struct TALER_SecurityModuleSignatureP *sm_sig); const struct TALER_SecurityModuleSignatureP *sm_sig);
@ -1358,10 +1383,10 @@ typedef void
* @param dkc_cls closure for @a dkc * @param dkc_cls closure for @a dkc
* @return NULL on error (such as bad @a cfg). * @return NULL on error (such as bad @a cfg).
*/ */
struct TALER_CRYPTO_DenominationHelper * struct TALER_CRYPTO_RsaDenominationHelper *
TALER_CRYPTO_helper_denom_connect ( TALER_CRYPTO_helper_rsa_connect (
const struct GNUNET_CONFIGURATION_Handle *cfg, const struct GNUNET_CONFIGURATION_Handle *cfg,
TALER_CRYPTO_DenominationKeyStatusCallback dkc, TALER_CRYPTO_RsaDenominationKeyStatusCallback dkc,
void *dkc_cls); void *dkc_cls);
@ -1375,7 +1400,7 @@ TALER_CRYPTO_helper_denom_connect (
* @param dh helper process connection * @param dh helper process connection
*/ */
void void
TALER_CRYPTO_helper_denom_poll (struct TALER_CRYPTO_DenominationHelper *dh); TALER_CRYPTO_helper_rsa_poll (struct TALER_CRYPTO_RsaDenominationHelper *dh);
/** /**
@ -1389,7 +1414,7 @@ TALER_CRYPTO_helper_denom_poll (struct TALER_CRYPTO_DenominationHelper *dh);
* differences in the signature counters. Retrying in this case may work. * differences in the signature counters. Retrying in this case may work.
* *
* @param dh helper process connection * @param dh helper process connection
* @param h_denom_pub hash of the public key to use to sign * @param h_rsa hash of the RSA public key to use to sign
* @param msg message to sign * @param msg message to sign
* @param msg_size number of bytes in @a msg * @param msg_size number of bytes in @a msg
* @param[out] ec set to the error code (or #TALER_EC_NONE on success) * @param[out] ec set to the error code (or #TALER_EC_NONE on success)
@ -1397,9 +1422,9 @@ TALER_CRYPTO_helper_denom_poll (struct TALER_CRYPTO_DenominationHelper *dh);
* see @a ec for details about the failure * see @a ec for details about the failure
*/ */
struct TALER_BlindedDenominationSignature struct TALER_BlindedDenominationSignature
TALER_CRYPTO_helper_denom_sign ( TALER_CRYPTO_helper_rsa_sign (
struct TALER_CRYPTO_DenominationHelper *dh, struct TALER_CRYPTO_RsaDenominationHelper *dh,
const struct TALER_DenominationHash *h_denom_pub, const struct TALER_RsaPubHashP *h_rsa,
const void *msg, const void *msg,
size_t msg_size, size_t msg_size,
enum TALER_ErrorCode *ec); enum TALER_ErrorCode *ec);
@ -1418,12 +1443,12 @@ TALER_CRYPTO_helper_denom_sign (
* callback. * callback.
* *
* @param dh helper to process connection * @param dh helper to process connection
* @param h_denom_pub hash of the public key to revoke * @param h_rsa hash of the RSA public key to revoke
*/ */
void void
TALER_CRYPTO_helper_denom_revoke ( TALER_CRYPTO_helper_rsa_revoke (
struct TALER_CRYPTO_DenominationHelper *dh, struct TALER_CRYPTO_RsaDenominationHelper *dh,
const struct TALER_DenominationHash *h_denom_pub); const struct TALER_RsaPubHashP *h_rsa);
/** /**
@ -1432,8 +1457,8 @@ TALER_CRYPTO_helper_denom_revoke (
* @param[in] dh connection to close * @param[in] dh connection to close
*/ */
void void
TALER_CRYPTO_helper_denom_disconnect ( TALER_CRYPTO_helper_rsa_disconnect (
struct TALER_CRYPTO_DenominationHelper *dh); struct TALER_CRYPTO_RsaDenominationHelper *dh);
/** /**
@ -1990,7 +2015,7 @@ TALER_exchange_secmod_eddsa_verify (
/** /**
* Create security module denomination signature. * Create security module denomination signature.
* *
* @param h_denom_pub hash of the public key to sign * @param h_rsa hash of the RSA public key to sign
* @param section_name name of the section in the configuration * @param section_name name of the section in the configuration
* @param start_sign starting point of validity for signing * @param start_sign starting point of validity for signing
* @param duration how long will the key be in use * @param duration how long will the key be in use
@ -1998,8 +2023,8 @@ TALER_exchange_secmod_eddsa_verify (
* @param[out] secm_sig where to write the signature * @param[out] secm_sig where to write the signature
*/ */
void void
TALER_exchange_secmod_denom_sign ( TALER_exchange_secmod_rsa_sign (
const struct TALER_DenominationHash *h_denom_pub, const struct TALER_RsaPubHashP *h_rsa,
const char *section_name, const char *section_name,
struct GNUNET_TIME_Absolute start_sign, struct GNUNET_TIME_Absolute start_sign,
struct GNUNET_TIME_Relative duration, struct GNUNET_TIME_Relative duration,
@ -2010,7 +2035,7 @@ TALER_exchange_secmod_denom_sign (
/** /**
* Verify security module denomination signature. * Verify security module denomination signature.
* *
* @param h_denom_pub hash of the public key to validate * @param h_rsa hash of the public key to validate
* @param section_name name of the section in the configuration * @param section_name name of the section in the configuration
* @param start_sign starting point of validity for signing * @param start_sign starting point of validity for signing
* @param duration how long will the key be in use * @param duration how long will the key be in use
@ -2019,8 +2044,8 @@ TALER_exchange_secmod_denom_sign (
* @return #GNUNET_OK if the signature is valid * @return #GNUNET_OK if the signature is valid
*/ */
enum GNUNET_GenericReturnValue enum GNUNET_GenericReturnValue
TALER_exchange_secmod_denom_verify ( TALER_exchange_secmod_rsa_verify (
const struct TALER_DenominationHash *h_denom_pub, const struct TALER_RsaPubHashP *h_rsa,
const char *section_name, const char *section_name,
struct GNUNET_TIME_Absolute start_sign, struct GNUNET_TIME_Absolute start_sign,
struct GNUNET_TIME_Relative duration, struct GNUNET_TIME_Relative duration,

6
src/include/taler_signatures.h
View File

@ -271,7 +271,7 @@
/** /**
* Signature on a denomination key announcement. * Signature on a denomination key announcement.
*/ */
#define TALER_SIGNATURE_SM_DENOMINATION_KEY 1250 #define TALER_SIGNATURE_SM_RSA_DENOMINATION_KEY 1250
/** /**
* Signature on an exchange message signing key announcement. * Signature on an exchange message signing key announcement.
@ -324,7 +324,7 @@ struct TALER_DenominationKeyAnnouncementPS
{ {
/** /**
* Purpose must be #TALER_SIGNATURE_SM_DENOMINATION_KEY. * Purpose must be #TALER_SIGNATURE_SM_RSA_DENOMINATION_KEY.
* Used with an EdDSA signature of a `struct TALER_SecurityModulePublicKeyP`. * Used with an EdDSA signature of a `struct TALER_SecurityModulePublicKeyP`.
*/ */
struct GNUNET_CRYPTO_EccSignaturePurpose purpose; struct GNUNET_CRYPTO_EccSignaturePurpose purpose;
@ -332,7 +332,7 @@ struct TALER_DenominationKeyAnnouncementPS
/** /**
* Hash of the denomination public key. * Hash of the denomination public key.
*/ */
struct TALER_DenominationHash h_denom_pub; struct TALER_RsaPubHashP h_rsa;
/** /**
* Hash of the section name in the configuration of this denomination. * Hash of the section name in the configuration of this denomination.

31
src/lib/exchange_api_management_get_keys.c
View File

@ -219,20 +219,37 @@ handle_ok (struct TALER_EXCHANGE_ManagementGetKeysHandle *gh,
TALER_denom_pub_hash (&denom_key->key, TALER_denom_pub_hash (&denom_key->key,
&h_denom_pub); &h_denom_pub);
if (GNUNET_OK != switch (denom_key->key.cipher)
TALER_exchange_secmod_denom_verify (&h_denom_pub,
section_name,
denom_key->valid_from,
duration,
&fk.denom_secmod_public_key,
&denom_key->denom_secmod_sig))
{ {
case TALER_DENOMINATION_RSA:
{
struct TALER_RsaPubHashP h_rsa;
TALER_rsa_pub_hash (denom_key->key.details.rsa_public_key,
&h_rsa);
if (GNUNET_OK !=
TALER_exchange_secmod_rsa_verify (&h_rsa,
section_name,
denom_key->valid_from,
duration,
&fk.denom_secmod_public_key,
&denom_key->denom_secmod_sig))
{
GNUNET_break_op (0);
ok = false;
break;
}
}
break;
default:
GNUNET_break_op (0); GNUNET_break_op (0);
ok = false; ok = false;
break; break;
} }
} }
GNUNET_JSON_parse_free (spec); GNUNET_JSON_parse_free (spec);
if (! ok)
break;
} }
if (ok) if (ok)
{ {

2
src/util/Makefile.am
View File

@ -79,7 +79,7 @@ libtalerutil_la_SOURCES = \
config.c \ config.c \
crypto.c \ crypto.c \
crypto_helper_common.c \ crypto_helper_common.c \
crypto_helper_denom.c \ crypto_helper_rsa.c \
crypto_helper_esign.c \ crypto_helper_esign.c \
crypto_wire.c \ crypto_wire.c \
denom.c \ denom.c \

66
src/util/crypto_helper_denom.c → src/util/crypto_helper_rsa.c
View File

@ -26,12 +26,12 @@
#include "crypto_helper_common.h" #include "crypto_helper_common.h"
struct TALER_CRYPTO_DenominationHelper struct TALER_CRYPTO_RsaDenominationHelper
{ {
/** /**
* Function to call with updates to available key material. * Function to call with updates to available key material.
*/ */
TALER_CRYPTO_DenominationKeyStatusCallback dkc; TALER_CRYPTO_RsaDenominationKeyStatusCallback dkc;
/** /**
* Closure for @e dkc * Closure for @e dkc
@ -63,7 +63,7 @@ struct TALER_CRYPTO_DenominationHelper
* @param[in,out] dh handle to tear down connection of * @param[in,out] dh handle to tear down connection of
*/ */
static void static void
do_disconnect (struct TALER_CRYPTO_DenominationHelper *dh) do_disconnect (struct TALER_CRYPTO_RsaDenominationHelper *dh)
{ {
GNUNET_break (0 == close (dh->sock)); GNUNET_break (0 == close (dh->sock));
dh->sock = -1; dh->sock = -1;
@ -79,7 +79,7 @@ do_disconnect (struct TALER_CRYPTO_DenominationHelper *dh)
* @return #GNUNET_OK on success * @return #GNUNET_OK on success
*/ */
static enum GNUNET_GenericReturnValue static enum GNUNET_GenericReturnValue
try_connect (struct TALER_CRYPTO_DenominationHelper *dh) try_connect (struct TALER_CRYPTO_RsaDenominationHelper *dh)
{ {
if (-1 != dh->sock) if (-1 != dh->sock)
return GNUNET_OK; return GNUNET_OK;
@ -107,13 +107,13 @@ try_connect (struct TALER_CRYPTO_DenominationHelper *dh)
} }
struct TALER_CRYPTO_DenominationHelper * struct TALER_CRYPTO_RsaDenominationHelper *
TALER_CRYPTO_helper_denom_connect ( TALER_CRYPTO_helper_rsa_connect (
const struct GNUNET_CONFIGURATION_Handle *cfg, const struct GNUNET_CONFIGURATION_Handle *cfg,
TALER_CRYPTO_DenominationKeyStatusCallback dkc, TALER_CRYPTO_RsaDenominationKeyStatusCallback dkc,
void *dkc_cls) void *dkc_cls)
{ {
struct TALER_CRYPTO_DenominationHelper *dh; struct TALER_CRYPTO_RsaDenominationHelper *dh;
char *unixpath; char *unixpath;
if (GNUNET_OK != if (GNUNET_OK !=
@ -138,7 +138,7 @@ TALER_CRYPTO_helper_denom_connect (
GNUNET_free (unixpath); GNUNET_free (unixpath);
return NULL; return NULL;
} }
dh = GNUNET_new (struct TALER_CRYPTO_DenominationHelper); dh = GNUNET_new (struct TALER_CRYPTO_RsaDenominationHelper);
dh->dkc = dkc; dh->dkc = dkc;
dh->dkc_cls = dkc_cls; dh->dkc_cls = dkc_cls;
dh->sa.sun_family = AF_UNIX; dh->sa.sun_family = AF_UNIX;
@ -150,10 +150,10 @@ TALER_CRYPTO_helper_denom_connect (
if (GNUNET_OK != if (GNUNET_OK !=
try_connect (dh)) try_connect (dh))
{ {
TALER_CRYPTO_helper_denom_disconnect (dh); TALER_CRYPTO_helper_rsa_disconnect (dh);
return NULL; return NULL;
} }
TALER_CRYPTO_helper_denom_poll (dh); TALER_CRYPTO_helper_rsa_poll (dh);
return dh; return dh;
} }
@ -166,7 +166,7 @@ TALER_CRYPTO_helper_denom_connect (
* @return #GNUNET_OK on success * @return #GNUNET_OK on success
*/ */
static enum GNUNET_GenericReturnValue static enum GNUNET_GenericReturnValue
handle_mt_avail (struct TALER_CRYPTO_DenominationHelper *dh, handle_mt_avail (struct TALER_CRYPTO_RsaDenominationHelper *dh,
const struct GNUNET_MessageHeader *hdr) const struct GNUNET_MessageHeader *hdr)
{ {
const struct TALER_CRYPTO_RsaKeyAvailableNotification *kan const struct TALER_CRYPTO_RsaKeyAvailableNotification *kan
@ -196,7 +196,7 @@ handle_mt_avail (struct TALER_CRYPTO_DenominationHelper *dh,
{ {
struct TALER_DenominationPublicKey denom_pub; struct TALER_DenominationPublicKey denom_pub;
struct TALER_DenominationHash h_denom_pub; struct TALER_RsaPubHashP h_rsa;
denom_pub.cipher = TALER_DENOMINATION_RSA; denom_pub.cipher = TALER_DENOMINATION_RSA;
denom_pub.details.rsa_public_key denom_pub.details.rsa_public_key
@ -208,14 +208,14 @@ handle_mt_avail (struct TALER_CRYPTO_DenominationHelper *dh,
return GNUNET_SYSERR; return GNUNET_SYSERR;
} }
GNUNET_CRYPTO_rsa_public_key_hash (denom_pub.details.rsa_public_key, GNUNET_CRYPTO_rsa_public_key_hash (denom_pub.details.rsa_public_key,
&h_denom_pub.hash); &h_rsa.hash);
GNUNET_log (GNUNET_ERROR_TYPE_INFO, GNUNET_log (GNUNET_ERROR_TYPE_INFO,
"Received RSA key %s (%s)\n", "Received RSA key %s (%s)\n",
GNUNET_h2s (&h_denom_pub.hash), GNUNET_h2s (&h_rsa.hash),
section_name); section_name);
if (GNUNET_OK != if (GNUNET_OK !=
TALER_exchange_secmod_denom_verify ( TALER_exchange_secmod_rsa_verify (
&h_denom_pub, &h_rsa,
section_name, section_name,
GNUNET_TIME_absolute_ntoh (kan->anchor_time), GNUNET_TIME_absolute_ntoh (kan->anchor_time),
GNUNET_TIME_relative_ntoh (kan->duration_withdraw), GNUNET_TIME_relative_ntoh (kan->duration_withdraw),
@ -230,7 +230,7 @@ handle_mt_avail (struct TALER_CRYPTO_DenominationHelper *dh,
section_name, section_name,
GNUNET_TIME_absolute_ntoh (kan->anchor_time), GNUNET_TIME_absolute_ntoh (kan->anchor_time),
GNUNET_TIME_relative_ntoh (kan->duration_withdraw), GNUNET_TIME_relative_ntoh (kan->duration_withdraw),
&h_denom_pub, &h_rsa,
&denom_pub, &denom_pub,
&kan->secm_pub, &kan->secm_pub,
&kan->secm_sig); &kan->secm_sig);
@ -248,7 +248,7 @@ handle_mt_avail (struct TALER_CRYPTO_DenominationHelper *dh,
* @return #GNUNET_OK on success * @return #GNUNET_OK on success
*/ */
static enum GNUNET_GenericReturnValue static enum GNUNET_GenericReturnValue
handle_mt_purge (struct TALER_CRYPTO_DenominationHelper *dh, handle_mt_purge (struct TALER_CRYPTO_RsaDenominationHelper *dh,
const struct GNUNET_MessageHeader *hdr) const struct GNUNET_MessageHeader *hdr)
{ {
const struct TALER_CRYPTO_RsaKeyPurgeNotification *pn const struct TALER_CRYPTO_RsaKeyPurgeNotification *pn
@ -261,12 +261,12 @@ handle_mt_purge (struct TALER_CRYPTO_DenominationHelper *dh,
} }
GNUNET_log (GNUNET_ERROR_TYPE_INFO, GNUNET_log (GNUNET_ERROR_TYPE_INFO,
"Received revocation of denomination key %s\n", "Received revocation of denomination key %s\n",
GNUNET_h2s (&pn->h_denom_pub.hash)); GNUNET_h2s (&pn->h_rsa.hash));
dh->dkc (dh->dkc_cls, dh->dkc (dh->dkc_cls,
NULL, NULL,
GNUNET_TIME_UNIT_ZERO_ABS, GNUNET_TIME_UNIT_ZERO_ABS,
GNUNET_TIME_UNIT_ZERO, GNUNET_TIME_UNIT_ZERO,
&pn->h_denom_pub, &pn->h_rsa,
NULL, NULL,
NULL, NULL,
NULL); NULL);
@ -275,7 +275,7 @@ handle_mt_purge (struct TALER_CRYPTO_DenominationHelper *dh,
void void
TALER_CRYPTO_helper_denom_poll (struct TALER_CRYPTO_DenominationHelper *dh) TALER_CRYPTO_helper_rsa_poll (struct TALER_CRYPTO_RsaDenominationHelper *dh)
{ {
char buf[UINT16_MAX]; char buf[UINT16_MAX];
size_t off = 0; size_t off = 0;
@ -376,9 +376,9 @@ more:
struct TALER_BlindedDenominationSignature struct TALER_BlindedDenominationSignature
TALER_CRYPTO_helper_denom_sign ( TALER_CRYPTO_helper_rsa_sign (
struct TALER_CRYPTO_DenominationHelper *dh, struct TALER_CRYPTO_RsaDenominationHelper *dh,
const struct TALER_DenominationHash *h_denom_pub, const struct TALER_RsaPubHashP *h_rsa,
const void *msg, const void *msg,
size_t msg_size, size_t msg_size,
enum TALER_ErrorCode *ec) enum TALER_ErrorCode *ec)
@ -404,7 +404,7 @@ TALER_CRYPTO_helper_denom_sign (
sr->header.size = htons (sizeof (buf)); sr->header.size = htons (sizeof (buf));
sr->header.type = htons (TALER_HELPER_RSA_MT_REQ_SIGN); sr->header.type = htons (TALER_HELPER_RSA_MT_REQ_SIGN);
sr->reserved = htonl (0); sr->reserved = htonl (0);
sr->h_denom_pub = *h_denom_pub; sr->h_rsa = *h_rsa;
memcpy (&sr[1], memcpy (&sr[1],
msg, msg,
msg_size); msg_size);
@ -568,14 +568,14 @@ end:
void void
TALER_CRYPTO_helper_denom_revoke ( TALER_CRYPTO_helper_rsa_revoke (
struct TALER_CRYPTO_DenominationHelper *dh, struct TALER_CRYPTO_RsaDenominationHelper *dh,
const struct TALER_DenominationHash *h_denom_pub) const struct TALER_RsaPubHashP *h_rsa)
{ {
struct TALER_CRYPTO_RevokeRequest rr = { struct TALER_CRYPTO_RevokeRequest rr = {
.header.size = htons (sizeof (rr)), .header.size = htons (sizeof (rr)),
.header.type = htons (TALER_HELPER_RSA_MT_REQ_REVOKE), .header.type = htons (TALER_HELPER_RSA_MT_REQ_REVOKE),
.h_denom_pub = *h_denom_pub .h_rsa = *h_rsa
}; };
if (GNUNET_OK != if (GNUNET_OK !=
@ -593,13 +593,13 @@ TALER_CRYPTO_helper_denom_revoke (
} }
GNUNET_log (GNUNET_ERROR_TYPE_INFO, GNUNET_log (GNUNET_ERROR_TYPE_INFO,
"Requested revocation of denomination key %s\n", "Requested revocation of denomination key %s\n",
GNUNET_h2s (&h_denom_pub->hash)); GNUNET_h2s (&h_rsa->hash));
} }
void void
TALER_CRYPTO_helper_denom_disconnect ( TALER_CRYPTO_helper_rsa_disconnect (
struct TALER_CRYPTO_DenominationHelper *dh) struct TALER_CRYPTO_RsaDenominationHelper *dh)
{ {
if (-1 != dh->sock) if (-1 != dh->sock)
do_disconnect (dh); do_disconnect (dh);

16
src/util/denom.c
View File

@ -156,6 +156,22 @@ TALER_blinding_secret_create (union TALER_DenominationBlindingKeyP *bs)
} }
/**
* Hash @a rsa.
*
* @param rsa key to hash
* @param[out] h_rsa where to write the result
*/
void
TALER_rsa_pub_hash (const struct GNUNET_CRYPTO_RsaPublicKey *rsa,
struct TALER_RsaPubHashP *h_rsa)
{
GNUNET_CRYPTO_rsa_public_key_hash (rsa,
&h_rsa->hash);
}
void void
TALER_denom_pub_hash (const struct TALER_DenominationPublicKey *denom_pub, TALER_denom_pub_hash (const struct TALER_DenominationPublicKey *denom_pub,
struct TALER_DenominationHash *denom_hash) struct TALER_DenominationHash *denom_hash)

18
src/util/secmod_signatures.c
View File

@ -70,8 +70,8 @@ TALER_exchange_secmod_eddsa_verify (
void void
TALER_exchange_secmod_denom_sign ( TALER_exchange_secmod_rsa_sign (
const struct TALER_DenominationHash *h_denom_pub, const struct TALER_RsaPubHashP *h_rsa,
const char *section_name, const char *section_name,
struct GNUNET_TIME_Absolute start_sign, struct GNUNET_TIME_Absolute start_sign,
struct GNUNET_TIME_Relative duration, struct GNUNET_TIME_Relative duration,
@ -79,9 +79,9 @@ TALER_exchange_secmod_denom_sign (
struct TALER_SecurityModuleSignatureP *secm_sig) struct TALER_SecurityModuleSignatureP *secm_sig)
{ {
struct TALER_DenominationKeyAnnouncementPS dka = { struct TALER_DenominationKeyAnnouncementPS dka = {
.purpose.purpose = htonl (TALER_SIGNATURE_SM_DENOMINATION_KEY), .purpose.purpose = htonl (TALER_SIGNATURE_SM_RSA_DENOMINATION_KEY),
.purpose.size = htonl (sizeof (dka)), .purpose.size = htonl (sizeof (dka)),
.h_denom_pub = *h_denom_pub, .h_rsa = *h_rsa,
.anchor_time = GNUNET_TIME_absolute_hton (start_sign), .anchor_time = GNUNET_TIME_absolute_hton (start_sign),
.duration_withdraw = GNUNET_TIME_relative_hton (duration) .duration_withdraw = GNUNET_TIME_relative_hton (duration)
}; };
@ -97,8 +97,8 @@ TALER_exchange_secmod_denom_sign (
enum GNUNET_GenericReturnValue enum GNUNET_GenericReturnValue
TALER_exchange_secmod_denom_verify ( TALER_exchange_secmod_rsa_verify (
const struct TALER_DenominationHash *h_denom_pub, const struct TALER_RsaPubHashP *h_rsa,
const char *section_name, const char *section_name,
struct GNUNET_TIME_Absolute start_sign, struct GNUNET_TIME_Absolute start_sign,
struct GNUNET_TIME_Relative duration, struct GNUNET_TIME_Relative duration,
@ -106,9 +106,9 @@ TALER_exchange_secmod_denom_verify (
const struct TALER_SecurityModuleSignatureP *secm_sig) const struct TALER_SecurityModuleSignatureP *secm_sig)
{ {
struct TALER_DenominationKeyAnnouncementPS dka = { struct TALER_DenominationKeyAnnouncementPS dka = {
.purpose.purpose = htonl (TALER_SIGNATURE_SM_DENOMINATION_KEY), .purpose.purpose = htonl (TALER_SIGNATURE_SM_RSA_DENOMINATION_KEY),
.purpose.size = htonl (sizeof (dka)), .purpose.size = htonl (sizeof (dka)),
.h_denom_pub = *h_denom_pub, .h_rsa = *h_rsa,
.anchor_time = GNUNET_TIME_absolute_hton (start_sign), .anchor_time = GNUNET_TIME_absolute_hton (start_sign),
.duration_withdraw = GNUNET_TIME_relative_hton (duration) .duration_withdraw = GNUNET_TIME_relative_hton (duration)
}; };
@ -117,7 +117,7 @@ TALER_exchange_secmod_denom_verify (
strlen (section_name) + 1, strlen (section_name) + 1,
&dka.h_section_name); &dka.h_section_name);
return return
GNUNET_CRYPTO_eddsa_verify (TALER_SIGNATURE_SM_DENOMINATION_KEY, GNUNET_CRYPTO_eddsa_verify (TALER_SIGNATURE_SM_RSA_DENOMINATION_KEY,
&dka, &dka,
&secm_sig->eddsa_signature, &secm_sig->eddsa_signature,
&secm_pub->eddsa_pub); &secm_pub->eddsa_pub);

52
src/util/taler-exchange-secmod-rsa.c
View File

@ -88,7 +88,7 @@ struct DenominationKey
/** /**
* Hash of this denomination's public key. * Hash of this denomination's public key.
*/ */
struct TALER_DenominationHash h_denom_pub; struct TALER_RsaPubHashP h_rsa;
/** /**
* Time at which this key is supposed to become valid. * Time at which this key is supposed to become valid.
@ -258,12 +258,12 @@ notify_client_dk_add (struct TES_Client *client,
an->section_name_len = htons ((uint16_t) nlen); an->section_name_len = htons ((uint16_t) nlen);
an->anchor_time = GNUNET_TIME_absolute_hton (dk->anchor); an->anchor_time = GNUNET_TIME_absolute_hton (dk->anchor);
an->duration_withdraw = GNUNET_TIME_relative_hton (denom->duration_withdraw); an->duration_withdraw = GNUNET_TIME_relative_hton (denom->duration_withdraw);
TALER_exchange_secmod_denom_sign (&dk->h_denom_pub, TALER_exchange_secmod_rsa_sign (&dk->h_rsa,
denom->section, denom->section,
dk->anchor, dk->anchor,
denom->duration_withdraw, denom->duration_withdraw,
&TES_smpriv, &TES_smpriv,
&an->secm_sig); &an->secm_sig);
an->secm_pub = TES_smpub; an->secm_pub = TES_smpub;
p = (void *) &an[1]; p = (void *) &an[1];
memcpy (p, memcpy (p,
@ -275,7 +275,7 @@ notify_client_dk_add (struct TES_Client *client,
nlen); nlen);
GNUNET_log (GNUNET_ERROR_TYPE_INFO, GNUNET_log (GNUNET_ERROR_TYPE_INFO,
"Sending RSA denomination key %s (%s)\n", "Sending RSA denomination key %s (%s)\n",
GNUNET_h2s (&dk->h_denom_pub.hash), GNUNET_h2s (&dk->h_rsa.hash),
denom->section); denom->section);
if (GNUNET_OK != if (GNUNET_OK !=
TES_transmit (client->csock, TES_transmit (client->csock,
@ -306,12 +306,12 @@ notify_client_dk_del (struct TES_Client *client,
struct TALER_CRYPTO_RsaKeyPurgeNotification pn = { struct TALER_CRYPTO_RsaKeyPurgeNotification pn = {
.header.type = htons (TALER_HELPER_RSA_MT_PURGE), .header.type = htons (TALER_HELPER_RSA_MT_PURGE),
.header.size = htons (sizeof (pn)), .header.size = htons (sizeof (pn)),
.h_denom_pub = dk->h_denom_pub .h_rsa = dk->h_rsa
}; };
GNUNET_log (GNUNET_ERROR_TYPE_INFO, GNUNET_log (GNUNET_ERROR_TYPE_INFO,
"Sending RSA denomination expiration %s\n", "Sending RSA denomination expiration %s\n",
GNUNET_h2s (&dk->h_denom_pub.hash)); GNUNET_h2s (&dk->h_rsa.hash));
if (GNUNET_OK != if (GNUNET_OK !=
TES_transmit (client->csock, TES_transmit (client->csock,
&pn.header)) &pn.header))
@ -345,7 +345,7 @@ handle_sign_request (struct TES_Client *client,
GNUNET_assert (0 == pthread_mutex_lock (&keys_lock)); GNUNET_assert (0 == pthread_mutex_lock (&keys_lock));
dk = GNUNET_CONTAINER_multihashmap_get (keys, dk = GNUNET_CONTAINER_multihashmap_get (keys,
&sr->h_denom_pub.hash); &sr->h_rsa.hash);
if (NULL == dk) if (NULL == dk)
{ {
struct TALER_CRYPTO_SignFailure sf = { struct TALER_CRYPTO_SignFailure sf = {
@ -357,7 +357,7 @@ handle_sign_request (struct TES_Client *client,
GNUNET_assert (0 == pthread_mutex_unlock (&keys_lock)); GNUNET_assert (0 == pthread_mutex_unlock (&keys_lock));
GNUNET_log (GNUNET_ERROR_TYPE_INFO, GNUNET_log (GNUNET_ERROR_TYPE_INFO,
"Signing request failed, denomination key %s unknown\n", "Signing request failed, denomination key %s unknown\n",
GNUNET_h2s (&sr->h_denom_pub.hash)); GNUNET_h2s (&sr->h_rsa.hash));
return TES_transmit (client->csock, return TES_transmit (client->csock,
&sf.header); &sf.header);
} }
@ -374,7 +374,7 @@ handle_sign_request (struct TES_Client *client,
GNUNET_assert (0 == pthread_mutex_unlock (&keys_lock)); GNUNET_assert (0 == pthread_mutex_unlock (&keys_lock));
GNUNET_log (GNUNET_ERROR_TYPE_INFO, GNUNET_log (GNUNET_ERROR_TYPE_INFO,
"Signing request failed, denomination key %s is not yet valid\n", "Signing request failed, denomination key %s is not yet valid\n",
GNUNET_h2s (&sr->h_denom_pub.hash)); GNUNET_h2s (&sr->h_rsa.hash));
return TES_transmit (client->csock, return TES_transmit (client->csock,
&sf.header); &sf.header);
} }
@ -382,7 +382,7 @@ handle_sign_request (struct TES_Client *client,
GNUNET_log (GNUNET_ERROR_TYPE_INFO, GNUNET_log (GNUNET_ERROR_TYPE_INFO,
"Received request to sign over %u bytes with key %s\n", "Received request to sign over %u bytes with key %s\n",
(unsigned int) blinded_msg_size, (unsigned int) blinded_msg_size,
GNUNET_h2s (&sr->h_denom_pub.hash)); GNUNET_h2s (&sr->h_rsa.hash));
GNUNET_assert (dk->rc < UINT_MAX); GNUNET_assert (dk->rc < UINT_MAX);
dk->rc++; dk->rc++;
GNUNET_assert (0 == pthread_mutex_unlock (&keys_lock)); GNUNET_assert (0 == pthread_mutex_unlock (&keys_lock));
@ -470,8 +470,8 @@ setup_key (struct DenominationKey *dk,
} }
buf_size = GNUNET_CRYPTO_rsa_private_key_encode (priv, buf_size = GNUNET_CRYPTO_rsa_private_key_encode (priv,
&buf); &buf);
GNUNET_CRYPTO_rsa_public_key_hash (pub, TALER_rsa_pub_hash (pub,
&dk->h_denom_pub.hash); &dk->h_rsa);
GNUNET_asprintf (&dk->filename, GNUNET_asprintf (&dk->filename,
"%s/%s/%llu", "%s/%s/%llu",
keydir, keydir,
@ -495,7 +495,7 @@ setup_key (struct DenominationKey *dk,
GNUNET_free (buf); GNUNET_free (buf);
GNUNET_log (GNUNET_ERROR_TYPE_INFO, GNUNET_log (GNUNET_ERROR_TYPE_INFO,
"Setup fresh private key %s at %s in `%s' (generation #%llu)\n", "Setup fresh private key %s at %s in `%s' (generation #%llu)\n",
GNUNET_h2s (&dk->h_denom_pub.hash), GNUNET_h2s (&dk->h_rsa.hash),
GNUNET_STRINGS_absolute_time_to_string (dk->anchor), GNUNET_STRINGS_absolute_time_to_string (dk->anchor),
dk->filename, dk->filename,
(unsigned long long) key_gen); (unsigned long long) key_gen);
@ -505,7 +505,7 @@ setup_key (struct DenominationKey *dk,
if (GNUNET_OK != if (GNUNET_OK !=
GNUNET_CONTAINER_multihashmap_put ( GNUNET_CONTAINER_multihashmap_put (
keys, keys,
&dk->h_denom_pub.hash, &dk->h_rsa.hash,
dk, dk,
GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY)) GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY))
{ {
@ -563,13 +563,13 @@ handle_revoke_request (struct TES_Client *client,
GNUNET_assert (0 == pthread_mutex_lock (&keys_lock)); GNUNET_assert (0 == pthread_mutex_lock (&keys_lock));
dk = GNUNET_CONTAINER_multihashmap_get (keys, dk = GNUNET_CONTAINER_multihashmap_get (keys,
&rr->h_denom_pub.hash); &rr->h_rsa.hash);
if (NULL == dk) if (NULL == dk)
{ {
GNUNET_assert (0 == pthread_mutex_unlock (&keys_lock)); GNUNET_assert (0 == pthread_mutex_unlock (&keys_lock));
GNUNET_log (GNUNET_ERROR_TYPE_WARNING, GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
"Revocation request ignored, denomination key %s unknown\n", "Revocation request ignored, denomination key %s unknown\n",
GNUNET_h2s (&rr->h_denom_pub.hash)); GNUNET_h2s (&rr->h_rsa.hash));
return GNUNET_OK; return GNUNET_OK;
} }
@ -877,7 +877,7 @@ update_keys (struct Denomination *denom,
GNUNET_assert (GNUNET_OK == GNUNET_assert (GNUNET_OK ==
GNUNET_CONTAINER_multihashmap_remove ( GNUNET_CONTAINER_multihashmap_remove (
keys, keys,
&key->h_denom_pub.hash, &key->h_rsa.hash,
key)); key));
if ( (! key->purge) && if ( (! key->purge) &&
(0 != unlink (key->filename)) ) (0 != unlink (key->filename)) )
@ -1029,19 +1029,19 @@ parse_key (struct Denomination *denom,
dk->denom = denom; dk->denom = denom;
dk->anchor = anchor; dk->anchor = anchor;
dk->filename = GNUNET_strdup (filename); dk->filename = GNUNET_strdup (filename);
GNUNET_CRYPTO_rsa_public_key_hash (pub, TALER_rsa_pub_hash (pub,
&dk->h_denom_pub.hash); &dk->h_rsa);
dk->denom_pub = pub; dk->denom_pub = pub;
if (GNUNET_OK != if (GNUNET_OK !=
GNUNET_CONTAINER_multihashmap_put ( GNUNET_CONTAINER_multihashmap_put (
keys, keys,
&dk->h_denom_pub.hash, &dk->h_rsa.hash,
dk, dk,
GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY)) GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY))
{ {
GNUNET_log (GNUNET_ERROR_TYPE_ERROR, GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"Duplicate private key %s detected in file `%s'. Skipping.\n", "Duplicate private key %s detected in file `%s'. Skipping.\n",
GNUNET_h2s (&dk->h_denom_pub.hash), GNUNET_h2s (&dk->h_rsa.hash),
filename); filename);
GNUNET_CRYPTO_rsa_private_key_free (priv); GNUNET_CRYPTO_rsa_private_key_free (priv);
GNUNET_CRYPTO_rsa_public_key_free (pub); GNUNET_CRYPTO_rsa_public_key_free (pub);
@ -1063,7 +1063,7 @@ parse_key (struct Denomination *denom,
dk); dk);
GNUNET_log (GNUNET_ERROR_TYPE_INFO, GNUNET_log (GNUNET_ERROR_TYPE_INFO,
"Imported key %s from `%s'\n", "Imported key %s from `%s'\n",
GNUNET_h2s (&dk->h_denom_pub.hash), GNUNET_h2s (&dk->h_rsa.hash),
filename); filename);
} }
} }

12
src/util/taler-exchange-secmod-rsa.h
View File

@ -35,6 +35,7 @@
GNUNET_NETWORK_STRUCT_BEGIN GNUNET_NETWORK_STRUCT_BEGIN
/** /**
* Message sent if a key is available. * Message sent if a key is available.
*/ */
@ -76,7 +77,7 @@ struct TALER_CRYPTO_RsaKeyAvailableNotification
*/ */
struct TALER_SecurityModuleSignatureP secm_sig; struct TALER_SecurityModuleSignatureP secm_sig;
/* followed by @e pub_size bytes of the public key */ /* followed by @e pub_size bytes of the RSA public key */
/* followed by @e section_name bytes of the configuration section name /* followed by @e section_name bytes of the configuration section name
of the denomination of this key */ of the denomination of this key */
@ -102,8 +103,7 @@ struct TALER_CRYPTO_RsaKeyPurgeNotification
/** /**
* Hash of the public key of the purged RSA key. * Hash of the public key of the purged RSA key.
*/ */
// FIXME: wrong type, not hashed with age restriction here! struct TALER_RsaPubHashP h_rsa;
struct TALER_DenominationHash h_denom_pub;
}; };
@ -126,8 +126,7 @@ struct TALER_CRYPTO_SignRequest
/** /**
* Hash of the public key of the RSA key to use for the signature. * Hash of the public key of the RSA key to use for the signature.
*/ */
// FIXME: wrong type, not hashed with age restriction here! struct TALER_RsaPubHashP h_rsa;
struct TALER_DenominationHash h_denom_pub;
/* followed by message to sign */ /* followed by message to sign */
}; };
@ -151,8 +150,7 @@ struct TALER_CRYPTO_RevokeRequest
/** /**
* Hash of the public key of the revoked RSA key. * Hash of the public key of the revoked RSA key.
*/ */
// FIXME: wrong type, not hashed with age restriction here! struct TALER_RsaPubHashP h_rsa;
struct TALER_DenominationHash h_denom_pub;
}; };