introduce new type for security module pubkeys

Gian Demarmels 2022-01-16 21:07:20 +01:00
parent 3510f953b0
commit bcc159de17
No known key found for this signature in database
GPG Key ID: 030CEDDCCC92D778
2 changed files with 57 additions and 33 deletions


@ -2531,10 +2531,10 @@ do_download (char *const *args)
* #GNUNET_SYSERR if keys changed from what we remember or other error * #GNUNET_SYSERR if keys changed from what we remember or other error
*/ */
static int static int
tofu_check (const struct TALER_SecurityModulePublicKeyP secm[3]) tofu_check (const struct TALER_SecurityModulePublicKeySetP *secmset)
{ {
char *fn; char *fn;
struct TALER_SecurityModulePublicKeyP old[3]; struct TALER_SecurityModulePublicKeySetP oldset;
ssize_t ret; ssize_t ret;
if (GNUNET_OK != if (GNUNET_OK !=
@ -2552,11 +2552,11 @@ tofu_check (const struct TALER_SecurityModulePublicKeyP secm[3])
GNUNET_DISK_file_test (fn)) GNUNET_DISK_file_test (fn))
{ {
ret = GNUNET_DISK_fn_read (fn, ret = GNUNET_DISK_fn_read (fn,
&old, &oldset,
sizeof (old)); sizeof (oldset));
if (GNUNET_SYSERR != ret) if (GNUNET_SYSERR != ret)
{ {
if (ret != sizeof (old)) if (ret != sizeof (oldset))
{ {
GNUNET_log (GNUNET_ERROR_TYPE_ERROR, GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"File `%s' corrupt\n", "File `%s' corrupt\n",
@ -2565,9 +2565,9 @@ tofu_check (const struct TALER_SecurityModulePublicKeyP secm[3])
return GNUNET_SYSERR; return GNUNET_SYSERR;
} }
/* TOFU check */ /* TOFU check */
if (0 != memcmp (old, if (0 != memcmp (&oldset,
secm, secmset,
sizeof (old))) sizeof (*secmset)))
{ {
GNUNET_log (GNUNET_ERROR_TYPE_ERROR, GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"Fatal: security module keys changed (file `%s')!\n", "Fatal: security module keys changed (file `%s')!\n",
@ -2608,7 +2608,7 @@ tofu_check (const struct TALER_SecurityModulePublicKeyP secm[3])
GNUNET_free (key); GNUNET_free (key);
if (0 != if (0 !=
GNUNET_memcmp (&k, GNUNET_memcmp (&k,
&secm[2])) &secmset->eddsa))
{ {
GNUNET_log (GNUNET_ERROR_TYPE_ERROR, GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"ESIGN security module key does not match SECM_ESIGN_PUBKEY in configuration\n"); "ESIGN security module key does not match SECM_ESIGN_PUBKEY in configuration\n");
@ -2639,7 +2639,7 @@ tofu_check (const struct TALER_SecurityModulePublicKeyP secm[3])
GNUNET_free (key); GNUNET_free (key);
if (0 != if (0 !=
GNUNET_memcmp (&k, GNUNET_memcmp (&k,
&secm[0])) &secmset->rsa))
{ {
GNUNET_log (GNUNET_ERROR_TYPE_ERROR, GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"DENOM security module key does not match SECM_DENOM_PUBKEY in configuration\n"); "DENOM security module key does not match SECM_DENOM_PUBKEY in configuration\n");
@ -2670,7 +2670,7 @@ tofu_check (const struct TALER_SecurityModulePublicKeyP secm[3])
GNUNET_free (key); GNUNET_free (key);
if (0 != if (0 !=
GNUNET_memcmp (&k, GNUNET_memcmp (&k,
&secm[1])) &secmset->cs))
{ {
GNUNET_log (GNUNET_ERROR_TYPE_ERROR, GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"DENOM security module key does not match SECM_DENOM_CS_PUBKEY in configuration\n"); "DENOM security module key does not match SECM_DENOM_CS_PUBKEY in configuration\n");
@ -2690,8 +2690,8 @@ tofu_check (const struct TALER_SecurityModulePublicKeyP secm[3])
/* persist keys for future runs */ /* persist keys for future runs */
if (GNUNET_OK != if (GNUNET_OK !=
GNUNET_DISK_fn_write (fn, GNUNET_DISK_fn_write (fn,
secm, secmset,
sizeof (old), sizeof (oldset),
GNUNET_DISK_PERM_USER_READ)) GNUNET_DISK_PERM_USER_READ))
{ {
GNUNET_log (GNUNET_ERROR_TYPE_ERROR, GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
@ -2803,7 +2803,8 @@ show_signkeys (const struct TALER_SecurityModulePublicKeyP *secm_pub,
* @return #GNUNET_OK on success * @return #GNUNET_OK on success
*/ */
static int static int
show_denomkeys (const struct TALER_SecurityModulePublicKeyP secm_pub[2], show_denomkeys (const struct TALER_SecurityModulePublicKeyP *secm_pub_rsa,
const struct TALER_SecurityModulePublicKeyP *secm_pub_cs,
const json_t *denomkeys) const json_t *denomkeys)
{ {
size_t index; size_t index;
@ -2896,7 +2897,7 @@ show_denomkeys (const struct TALER_SecurityModulePublicKeyP secm_pub[2],
section_name, section_name,
stamp_start, stamp_start,
duration, duration,
&secm_pub[0], secm_pub_rsa,
&secm_sig); &secm_sig);
} }
break; break;
@ -2910,7 +2911,7 @@ show_denomkeys (const struct TALER_SecurityModulePublicKeyP secm_pub[2],
section_name, section_name,
stamp_start, stamp_start,
duration, duration,
&secm_pub[1], secm_pub_cs,
&secm_sig); &secm_sig);
} }
break; break;
@ -3065,7 +3066,7 @@ do_show (char *const *args)
json_t *denomkeys; json_t *denomkeys;
json_t *signkeys; json_t *signkeys;
struct TALER_MasterPublicKeyP mpub; struct TALER_MasterPublicKeyP mpub;
struct TALER_SecurityModulePublicKeyP secm[3]; struct TALER_SecurityModulePublicKeySetP secmset;
struct GNUNET_JSON_Specification spec[] = { struct GNUNET_JSON_Specification spec[] = {
GNUNET_JSON_spec_json ("future_denoms", GNUNET_JSON_spec_json ("future_denoms",
&denomkeys), &denomkeys),
@ -3074,11 +3075,11 @@ do_show (char *const *args)
GNUNET_JSON_spec_fixed_auto ("master_pub", GNUNET_JSON_spec_fixed_auto ("master_pub",
&mpub), &mpub),
GNUNET_JSON_spec_fixed_auto ("denom_secmod_public_key", GNUNET_JSON_spec_fixed_auto ("denom_secmod_public_key",
&secm[0]), &secmset.rsa),
GNUNET_JSON_spec_fixed_auto ("denom_secmod_cs_public_key", GNUNET_JSON_spec_fixed_auto ("denom_secmod_cs_public_key",
&secm[1]), &secmset.cs),
GNUNET_JSON_spec_fixed_auto ("signkey_secmod_public_key", GNUNET_JSON_spec_fixed_auto ("signkey_secmod_public_key",
&secm[2]), &secmset.eddsa),
GNUNET_JSON_spec_end () GNUNET_JSON_spec_end ()
}; };
@ -3119,7 +3120,7 @@ do_show (char *const *args)
return; return;
} }
if (GNUNET_SYSERR == if (GNUNET_SYSERR ==
tofu_check (secm)) tofu_check (&secmset))
{ {
global_ret = EXIT_FAILURE; global_ret = EXIT_FAILURE;
test_shutdown (); test_shutdown ();
@ -3128,10 +3129,11 @@ do_show (char *const *args)
return; return;
} }
if ( (GNUNET_OK != if ( (GNUNET_OK !=
show_signkeys (&secm[2], show_signkeys (&secmset.eddsa,
signkeys)) || signkeys)) ||
(GNUNET_OK != (GNUNET_OK !=
show_denomkeys (&secm[0], show_denomkeys (&secmset.rsa,
&secmset.cs,
denomkeys)) ) denomkeys)) )
{ {
global_ret = EXIT_FAILURE; global_ret = EXIT_FAILURE;
@ -3256,7 +3258,8 @@ sign_signkeys (const struct TALER_SecurityModulePublicKeyP *secm_pub,
* @return #GNUNET_OK on success * @return #GNUNET_OK on success
*/ */
static enum GNUNET_GenericReturnValue static enum GNUNET_GenericReturnValue
sign_denomkeys (const struct TALER_SecurityModulePublicKeyP secm_pub[2], sign_denomkeys (const struct TALER_SecurityModulePublicKeyP *secm_pub_rsa,
const struct TALER_SecurityModulePublicKeyP *secm_pub_cs,
const json_t *denomkeys, const json_t *denomkeys,
json_t *result) json_t *result)
{ {
@ -3351,7 +3354,7 @@ sign_denomkeys (const struct TALER_SecurityModulePublicKeyP secm_pub[2],
section_name, section_name,
stamp_start, stamp_start,
duration, duration,
&secm_pub[0], secm_pub_rsa,
&secm_sig)) &secm_sig))
{ {
GNUNET_log (GNUNET_ERROR_TYPE_ERROR, GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
@ -3375,7 +3378,7 @@ sign_denomkeys (const struct TALER_SecurityModulePublicKeyP secm_pub[2],
section_name, section_name,
stamp_start, stamp_start,
duration, duration,
&secm_pub[1], secm_pub_cs,
&secm_sig)) &secm_sig))
{ {
GNUNET_log (GNUNET_ERROR_TYPE_ERROR, GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
@ -3439,7 +3442,7 @@ do_sign (char *const *args)
json_t *denomkeys; json_t *denomkeys;
json_t *signkeys; json_t *signkeys;
struct TALER_MasterPublicKeyP mpub; struct TALER_MasterPublicKeyP mpub;
struct TALER_SecurityModulePublicKeyP secm[3]; struct TALER_SecurityModulePublicKeySetP secmset;
struct GNUNET_JSON_Specification spec[] = { struct GNUNET_JSON_Specification spec[] = {
GNUNET_JSON_spec_json ("future_denoms", GNUNET_JSON_spec_json ("future_denoms",
&denomkeys), &denomkeys),
@ -3448,11 +3451,11 @@ do_sign (char *const *args)
GNUNET_JSON_spec_fixed_auto ("master_pub", GNUNET_JSON_spec_fixed_auto ("master_pub",
&mpub), &mpub),
GNUNET_JSON_spec_fixed_auto ("denom_secmod_public_key", GNUNET_JSON_spec_fixed_auto ("denom_secmod_public_key",
&secm[0]), &secmset.rsa),
GNUNET_JSON_spec_fixed_auto ("denom_secmod_cs_public_key", GNUNET_JSON_spec_fixed_auto ("denom_secmod_cs_public_key",
&secm[1]), &secmset.cs),
GNUNET_JSON_spec_fixed_auto ("signkey_secmod_public_key", GNUNET_JSON_spec_fixed_auto ("signkey_secmod_public_key",
&secm[2]), &secmset.eddsa),
GNUNET_JSON_spec_end () GNUNET_JSON_spec_end ()
}; };
@ -3496,7 +3499,7 @@ do_sign (char *const *args)
return; return;
} }
if (GNUNET_SYSERR == if (GNUNET_SYSERR ==
tofu_check (secm)) tofu_check (&secmset))
{ {
GNUNET_log (GNUNET_ERROR_TYPE_ERROR, GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"Fatal: security module keys changed!\n"); "Fatal: security module keys changed!\n");
@ -3513,11 +3516,12 @@ do_sign (char *const *args)
GNUNET_assert (NULL != signkey_sig_array); GNUNET_assert (NULL != signkey_sig_array);
GNUNET_assert (NULL != denomkey_sig_array); GNUNET_assert (NULL != denomkey_sig_array);
if ( (GNUNET_OK != if ( (GNUNET_OK !=
sign_signkeys (&secm[2], sign_signkeys (&secmset.eddsa,
signkeys, signkeys,
signkey_sig_array)) || signkey_sig_array)) ||
(GNUNET_OK != (GNUNET_OK !=
sign_denomkeys (&secm[0], sign_denomkeys (&secmset.rsa,
&secmset.cs,
denomkeys, denomkeys,
denomkey_sig_array)) ) denomkey_sig_array)) )
{ {
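Review bot: In tofu_check the size operands are now mixed: the read and the persisting `GNUNET_DISK_fn_write` call use `sizeof (oldset)`, the TOFU comparison uses `sizeof (*secmset)`, and the write passes `secmset` together with the size of a different object. Both are the same type today, so this is a style point, but writing `sizeof (*secmset)` in the write call ties the length to the buffer actually passed and keeps the pinned-key file from going out of step if one of the two declarations changes later. The file stores the raw struct, so the member order rsa, cs, eddsa is now the on-disk format; it matches the earlier `secm[0]`, `secm[1]`, `secm[2]` assignment visible in do_show and do_sign, so existing files should still compare equal. A comment at the write such as `/* on-disk TOFU layout: rsa, cs, eddsa; reordering the struct invalidates stored keys */` would record that. The body of tofu_check starts and ends outside the visible hunks.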


@ -44,6 +44,26 @@ struct TALER_SecurityModulePublicKeyP
struct GNUNET_CRYPTO_EddsaPublicKey eddsa_pub; struct GNUNET_CRYPTO_EddsaPublicKey eddsa_pub;
}; };
/**
* @brief Set of the public keys of the security modules
*/
struct TALER_SecurityModulePublicKeySetP
{
/**
* Public key of the RSA security module
*/
struct TALER_SecurityModulePublicKeyP rsa;
/**
* Public key of the CS security module
*/
struct TALER_SecurityModulePublicKeyP cs;
/**
* Public key of the eddsa security module
*/
struct TALER_SecurityModulePublicKeyP eddsa;
};
/** /**
* @brief Type of private keys for Taler security modules (software or hardware). * @brief Type of private keys for Taler security modules (software or hardware).