fixed CS signatures and cleanup/refactoring

Gian Demarmels 2021-12-27 16:21:26 +01:00
parent 3225566c93
commit ca247f6f58
No known key found for this signature in database
GPG Key ID: 030CEDDCCC92D778
4 changed files with 39 additions and 133 deletions


@ -353,12 +353,12 @@ struct TALER_CoinSpendSignatureP
/** /**
* @brief Type of blinding keys for Taler. * @brief Type of blinding keys for Taler.
* must be 32 bytes * must be 32 bytes (DB)
*/ */
union TALER_DenominationBlindingKeyP union TALER_DenominationBlindingKeyP
{ {
/** /**
* Clause Schnorr Signatures have 2 blinding secrets, each containing two unpredictable values. * Clause Schnorr Signatures have 2 blinding secrets, each containing two unpredictable values. (must be 32 bytes)
*/ */
struct GNUNET_CRYPTO_CsNonce nonce; struct GNUNET_CRYPTO_CsNonce nonce;
@ -621,7 +621,6 @@ struct TALER_DenominationSignature
* The Sign Answer for Clause Blind Schnorr signature. * The Sign Answer for Clause Blind Schnorr signature.
* The sign operation returns a parameter @param b and the signature * The sign operation returns a parameter @param b and the signature
* scalar @param s_scalar. * scalar @param s_scalar.
* The function does not return the whole signature, due to that is only the blinded s_scalar.
*/ */
struct TALER_BlindedDenominationCsSignAnswer struct TALER_BlindedDenominationCsSignAnswer
{ {
@ -833,57 +832,6 @@ struct TALER_DenominationCsPrivateR
struct GNUNET_CRYPTO_CsRSecret r[2]; struct GNUNET_CRYPTO_CsRSecret r[2];
}; };
/**
* @brief RSA Parameters to create blinded messages
*
*/
struct TALER_DenominationBlindMessageRsaParams
{
/**
* blinded message to be signed
* Note: is malloc()'ed!
*/
void **coin_ev;
/**
* size of the blinded message to be signed
*/
size_t *coin_ev_size;
};
/**
* @brief CS Parameters to create blinded messages
*
*/
struct TALER_DenominationBlindMessageCsParams
{
};
/**
* @brief Type including Parameters to create blinded message
*
*/
struct TALER_DenominationBlindMessageParams
{
/**
* Details, depending on @e cipher.
*/
union
{
/**
* If we use #TALER_DENOMINATION_CS in @a cipher.
*/
struct TALER_DenominationBlindMessageCsParams cs_blind_msg_params;
/**
* If we use #TALER_DENOMINATION_RSA in @a cipher.
*/
struct TALER_DenominationBlindMessageRsaParams rsa_blind_msg_params;
} details;
};
/** /**
* @brief Public information about a coin (including the public key * @brief Public information about a coin (including the public key
@ -968,6 +916,9 @@ TALER_cs_withdraw_nonce_derive (const struct
* Create a blinding secret @a bs for @a cipher. * Create a blinding secret @a bs for @a cipher.
* *
* @param[out] bs blinding secret to initialize * @param[out] bs blinding secret to initialize
* @param cipher algorithm to use (CS or RSA)
* @param ... If CS signature, R_0 and R_1 (TALER_DenominationCsPublicR)
* and the coins private key is needed
*/ */
void void
TALER_blinding_secret_create (union TALER_DenominationBlindingKeyP *bs, TALER_blinding_secret_create (union TALER_DenominationBlindingKeyP *bs,
@ -1013,20 +964,6 @@ void
TALER_denom_sig_free (struct TALER_DenominationSignature *denom_sig); TALER_denom_sig_free (struct TALER_DenominationSignature *denom_sig);
/**
* Function for CS signatures to derive the secret r_0 and r_1
*
* @param nonce withdraw nonce from a client
* @param denom_priv denomination privkey as long-term secret
* @param r the resulting r_0 and r_1
* @return enum GNUNET_GenericReturnValue, returns SYSERR when denom key has wrong type
*/
enum GNUNET_GenericReturnValue
TALER_denom_cs_derive_r_secret (const struct TALER_WithdrawNonce *nonce,
const struct
TALER_DenominationPrivateKey *denom_priv,
struct TALER_DenominationCsPrivateR *r);
/** /**
* @brief Function for CS signatures to derive public R_0 and R_1 * @brief Function for CS signatures to derive public R_0 and R_1
* *
@ -1053,6 +990,7 @@ TALER_denom_cs_derive_r_public (const struct TALER_WithdrawNonce *nonce,
* @param[out] c_hash resulting hashed coin * @param[out] c_hash resulting hashed coin
* @param[out] coin_ev blinded coin to submit * @param[out] coin_ev blinded coin to submit
* @param[out] coin_ev_size number of bytes in @a coin_ev * @param[out] coin_ev_size number of bytes in @a coin_ev
* @param ... cipher-specific parameters
* @return #GNUNET_OK on success * @return #GNUNET_OK on success
*/ */
enum GNUNET_GenericReturnValue enum GNUNET_GenericReturnValue
@ -1070,8 +1008,8 @@ TALER_denom_blind (const struct TALER_DenominationPublicKey *dk,
* *
* @param[out] denom_sig where to write the signature * @param[out] denom_sig where to write the signature
* @param denom_priv private key to use for signing * @param denom_priv private key to use for signing
* @param blinded_msg message to sign * @param blinded_planchet the planchet already blinded
* @param blinded_msg_size number of bytes in @a blinded_msg * @param ... If CS signature, a TALER_WithdrawNonce is needed
* @return #GNUNET_OK on success * @return #GNUNET_OK on success
*/ */
enum GNUNET_GenericReturnValue enum GNUNET_GenericReturnValue
@ -1088,6 +1026,7 @@ TALER_denom_sign_blinded (struct TALER_BlindedDenominationSignature *denom_sig,
* @param bdenom_sig the blinded signature * @param bdenom_sig the blinded signature
* @param bks blinding secret to use * @param bks blinding secret to use
* @param denom_pub public key used for signing * @param denom_pub public key used for signing
* @param ... cipher-specific parameters
* @return #GNUNET_OK on success * @return #GNUNET_OK on success
*/ */
enum GNUNET_GenericReturnValue enum GNUNET_GenericReturnValue
@ -1125,7 +1064,7 @@ TALER_denom_pub_hash (const struct TALER_DenominationPublicKey *denom_pub,
* @a denom_dst. * @a denom_dst.
* *
* @param[out] denom_dst target to copy to * @param[out] denom_dst target to copy to
* @param denom_str public key to copy * @param denom_src public key to copy
*/ */
void void
TALER_denom_pub_deep_copy (struct TALER_DenominationPublicKey *denom_dst, TALER_denom_pub_deep_copy (struct TALER_DenominationPublicKey *denom_dst,
@ -1137,7 +1076,7 @@ TALER_denom_pub_deep_copy (struct TALER_DenominationPublicKey *denom_dst,
* @a denom_dst. * @a denom_dst.
* *
* @param[out] denom_dst target to copy to * @param[out] denom_dst target to copy to
* @param denom_str public key to copy * @param denom_src public key to copy
*/ */
void void
TALER_denom_sig_deep_copy (struct TALER_DenominationSignature *denom_dst, TALER_denom_sig_deep_copy (struct TALER_DenominationSignature *denom_dst,
@ -1149,7 +1088,7 @@ TALER_denom_sig_deep_copy (struct TALER_DenominationSignature *denom_dst,
* @a denom_dst. * @a denom_dst.
* *
* @param[out] denom_dst target to copy to * @param[out] denom_dst target to copy to
* @param denom_str public key to copy * @param denom_src public key to copy
*/ */
void void
TALER_blinded_denom_sig_deep_copy ( TALER_blinded_denom_sig_deep_copy (
@ -1466,6 +1405,7 @@ TALER_planchet_setup_random (struct TALER_PlanchetSecretsP *ps,
* @param[out] c_hash set to the hash of the public key of the coin (needed later) * @param[out] c_hash set to the hash of the public key of the coin (needed later)
* @param[out] pd set to the planchet detail for TALER_MERCHANT_tip_pickup() and * @param[out] pd set to the planchet detail for TALER_MERCHANT_tip_pickup() and
* other withdraw operations * other withdraw operations
* @param ... cipher-specific parameters
* @return #GNUNET_OK on success * @return #GNUNET_OK on success
*/ */
enum GNUNET_GenericReturnValue enum GNUNET_GenericReturnValue
@ -1485,6 +1425,7 @@ TALER_planchet_prepare (const struct TALER_DenominationPublicKey *dk,
* @param ps secrets from #TALER_planchet_prepare() * @param ps secrets from #TALER_planchet_prepare()
* @param c_hash hash of the coin's public key for verification of the signature * @param c_hash hash of the coin's public key for verification of the signature
* @param[out] coin set to the details of the fresh coin * @param[out] coin set to the details of the fresh coin
* @param ... cipher-specific parameters
* @return #GNUNET_OK on success * @return #GNUNET_OK on success
*/ */
enum GNUNET_GenericReturnValue enum GNUNET_GenericReturnValue
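Review bot: The new `@param ...` lines on TALER_denom_blind, TALER_denom_sig_unblind, TALER_planchet_prepare and TALER_planchet_to_coin say only "cipher-specific parameters", so the type and order of the variadic arguments stay undocumented even though the implementations read them with `va_arg` and the compiler cannot check them. Going by the other file sections of this commit, the CS branch of the blind/prepare pair reads two `struct TALER_DenominationCsPublicR *` (r_pub, then blinded_r_pub) and the unblind/to_coin pair reads one. I would spell that out, e.g. `@param ... for #TALER_DENOMINATION_CS: struct TALER_DenominationCsPublicR *r_pub, then struct TALER_DenominationCsPublicR *blinded_r_pub`, and state explicitly what the RSA case expects. The declarations themselves continue outside the hunks shown.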


@ -247,7 +247,7 @@ TALER_blinding_secret_create (union TALER_DenominationBlindingKeyP *bs,
/** /**
* @brief setup a random planchet * @brief setup a random planchet
* In Case of RSA planchet, the bks gets set * In Case of RSA planchet, the bks gets set
* In Case of Schnorr this will be set in future * In Case of Clause Schnorr this will be set in future
*/ */
void void
TALER_planchet_setup_random (struct TALER_PlanchetSecretsP *ps, TALER_planchet_setup_random (struct TALER_PlanchetSecretsP *ps,
@ -307,11 +307,9 @@ TALER_planchet_prepare (const struct TALER_DenominationPublicKey *dk,
{ {
va_list ap; va_list ap;
va_start (ap, pd); va_start (ap, pd);
struct TALER_WithdrawNonce *nonce;
struct TALER_DenominationCsPublicR *r_pub; struct TALER_DenominationCsPublicR *r_pub;
struct TALER_DenominationCsPublicR *blinded_r_pub; struct TALER_DenominationCsPublicR *blinded_r_pub;
nonce = va_arg (ap, struct TALER_WithdrawNonce *);
r_pub = va_arg (ap, struct TALER_DenominationCsPublicR *); r_pub = va_arg (ap, struct TALER_DenominationCsPublicR *);
blinded_r_pub = va_arg (ap, struct TALER_DenominationCsPublicR *); blinded_r_pub = va_arg (ap, struct TALER_DenominationCsPublicR *);
@ -322,7 +320,6 @@ TALER_planchet_prepare (const struct TALER_DenominationPublicKey *dk,
&coin_pub, &coin_pub,
c_hash, c_hash,
&pd->blinded_planchet, &pd->blinded_planchet,
nonce,
r_pub, r_pub,
blinded_r_pub)) blinded_r_pub))
{ {
@ -373,14 +370,14 @@ TALER_planchet_to_coin (
va_list ap; va_list ap;
va_start (ap, coin); va_start (ap, coin);
struct TALER_DenominationCsPublicR *r_pub_dash; struct TALER_DenominationCsPublicR *r_pub_blind;
r_pub_dash = va_arg (ap, struct TALER_DenominationCsPublicR *); r_pub_blind = va_arg (ap, struct TALER_DenominationCsPublicR *);
if (GNUNET_OK != if (GNUNET_OK !=
TALER_denom_sig_unblind (&sig, TALER_denom_sig_unblind (&sig,
blind_sig, blind_sig,
&ps->blinding_key, &ps->blinding_key,
dk, dk,
r_pub_dash)) r_pub_blind))
{ {
GNUNET_break_op (0); GNUNET_break_op (0);
va_end (ap); va_end (ap);
@ -403,6 +400,7 @@ TALER_planchet_to_coin (
TALER_denom_sig_free (&sig); TALER_denom_sig_free (&sig);
return GNUNET_SYSERR; return GNUNET_SYSERR;
} }
coin->sig = sig; coin->sig = sig;
coin->coin_priv = ps->coin_priv; coin->coin_priv = ps->coin_priv;
return GNUNET_OK; return GNUNET_OK;
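Review bot: Removing the leading nonce from the variadic list of TALER_planchet_prepare changes the call contract in a way no compiler will flag: a caller that still passes `&nonce` first compiles cleanly and has that pointer read as `r_pub` by the first `va_arg`. Only the test caller is updated in this commit, so any other call sites need to be checked by hand; the same applies to TALER_denom_blind in the next file section. A small typed wrapper for the CS case would turn this class of mistake into a compile error. At minimum I would add a comment above the `va_arg` lines such as `/* CS varargs: r_pub, then blinded_r_pub (both struct TALER_DenominationCsPublicR *) */`. The function bodies start and end outside these hunks.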


@ -81,25 +81,6 @@ TALER_denom_priv_create (struct TALER_DenominationPrivateKey *denom_priv,
} }
enum GNUNET_GenericReturnValue
TALER_denom_cs_derive_r_secret (const struct TALER_WithdrawNonce *nonce,
const struct
TALER_DenominationPrivateKey *denom_priv,
struct TALER_DenominationCsPrivateR *r)
{
if (denom_priv->cipher != TALER_DENOMINATION_CS)
{
GNUNET_break (0);
return GNUNET_SYSERR;
}
GNUNET_CRYPTO_cs_r_derive (&nonce->nonce,
&denom_priv->details.cs_private_key,
r->r);
return GNUNET_OK;
}
enum GNUNET_GenericReturnValue enum GNUNET_GenericReturnValue
TALER_denom_cs_derive_r_public (const struct TALER_WithdrawNonce *nonce, TALER_denom_cs_derive_r_public (const struct TALER_WithdrawNonce *nonce,
const struct const struct
@ -216,26 +197,19 @@ TALER_denom_sig_unblind (
{ {
va_list ap; va_list ap;
va_start (ap, denom_pub); va_start (ap, denom_pub);
struct TALER_DenominationCsPublicR *r_pub_dash; struct TALER_DenominationCsPublicR *r_pub_blind;
r_pub_dash = va_arg (ap, struct TALER_DenominationCsPublicR *); r_pub_blind = va_arg (ap, struct TALER_DenominationCsPublicR *);
struct GNUNET_CRYPTO_CsBlindingSecret bs[2]; struct GNUNET_CRYPTO_CsBlindingSecret bs[2];
GNUNET_CRYPTO_cs_blinding_secrets_derive (&bks->nonce, bs); GNUNET_CRYPTO_cs_blinding_secrets_derive (&bks->nonce, bs);
struct GNUNET_CRYPTO_CsS s_scalar;
GNUNET_CRYPTO_cs_unblind (&bdenom_sig->details.blinded_cs_answer.s_scalar, GNUNET_CRYPTO_cs_unblind (&bdenom_sig->details.blinded_cs_answer.s_scalar,
&bs[bdenom_sig->details.blinded_cs_answer.b], &bs[bdenom_sig->details.blinded_cs_answer.b],
&s_scalar); &denom_sig->details.cs_signature.s_scalar);
// TODO: This seems to work, but is this a good idea? GNUNET_memcpy (&denom_sig->details.cs_signature.r_point,
// Not working: &r_pub_blind->r_pub[bdenom_sig->details.blinded_cs_answer.b
// denom_sig->details.cs_signature.r_point = r_pub_dash->r_pub[bdenom_sig->details.blinded_cs_answer.b]; ],
GNUNET_memcpy (&denom_sig->details.cs_signature, &s_scalar, sizeof(struct
GNUNET_CRYPTO_CsS));
GNUNET_memcpy (&denom_sig->details.cs_signature + sizeof(struct
GNUNET_CRYPTO_CsS),
&r_pub_dash->r_pub[bdenom_sig->details.blinded_cs_answer.b],
sizeof(struct GNUNET_CRYPTO_CsRPublic)); sizeof(struct GNUNET_CRYPTO_CsRPublic));
denom_sig->cipher = TALER_DENOMINATION_CS; denom_sig->cipher = TALER_DENOMINATION_CS;
@ -362,16 +336,14 @@ TALER_denom_blind (const struct TALER_DenominationPublicKey *dk,
{ {
va_list ap; va_list ap;
va_start (ap, blinded_planchet); va_start (ap, blinded_planchet);
struct TALER_WithdrawNonce *nonce;
struct TALER_DenominationCsPublicR *r_pub; struct TALER_DenominationCsPublicR *r_pub;
struct TALER_DenominationCsPublicR *blinded_r_pub; struct TALER_DenominationCsPublicR *blinded_r_pub;
nonce = va_arg (ap, struct TALER_WithdrawNonce *);
r_pub = va_arg (ap, struct TALER_DenominationCsPublicR *); r_pub = va_arg (ap, struct TALER_DenominationCsPublicR *);
blinded_r_pub = va_arg (ap, struct TALER_DenominationCsPublicR *); blinded_r_pub = va_arg (ap, struct TALER_DenominationCsPublicR *);
struct GNUNET_CRYPTO_CsBlindingSecret bs[2]; struct GNUNET_CRYPTO_CsBlindingSecret bs[2];
GNUNET_CRYPTO_cs_blinding_secrets_derive (&nonce->nonce, bs); GNUNET_CRYPTO_cs_blinding_secrets_derive (&coin_bks->nonce, bs);
GNUNET_CRYPTO_cs_calc_blinded_c (bs, GNUNET_CRYPTO_cs_calc_blinded_c (bs,
r_pub->r_pub, r_pub->r_pub,
@ -422,11 +394,12 @@ TALER_denom_pub_verify (const struct TALER_DenominationPublicKey *denom_pub,
if (GNUNET_OK != if (GNUNET_OK !=
GNUNET_CRYPTO_cs_verify (&denom_sig->details.cs_signature, GNUNET_CRYPTO_cs_verify (&denom_sig->details.cs_signature,
&denom_pub->details.cs_public_key, &denom_pub->details.cs_public_key,
c_hash, &c_hash->hash,
sizeof(*c_hash))) sizeof(struct GNUNET_HashCode)))
{ {
GNUNET_log (GNUNET_ERROR_TYPE_WARNING, GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
"Coin signature is invalid\n"); "Coin signature is invalid\n");
// return GNUNET_YES;
return GNUNET_NO; return GNUNET_NO;
} }
return GNUNET_YES; return GNUNET_YES;
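Review bot: `bdenom_sig->details.blinded_cs_answer.b` is used in TALER_denom_sig_unblind as an index into the two-element `bs` array and into `r_pub_blind->r_pub`, and no range check is visible in this hunk. If `b` can originate from a parsed signer response, any value other than 0 or 1 reads past `bs` (and presumably past `r_pub`, whose size is not shown here). I would reject it before the unblind call with `if (bdenom_sig->details.blinded_cs_answer.b > 1) { GNUNET_break_op (0); va_end (ap); return GNUNET_SYSERR; }`, assuming the field is unsigned; its declaration is not shown. Separately, the added `// return GNUNET_YES;` in the failure branch of TALER_denom_pub_verify reads like a debugging leftover and should not sit next to a signature-verification result. Both functions extend beyond their hunks.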


@ -149,7 +149,6 @@ test_planchets_cs (void)
struct TALER_WithdrawNonce nonce; struct TALER_WithdrawNonce nonce;
struct TALER_DenominationCsPublicR r_pub; struct TALER_DenominationCsPublicR r_pub;
struct TALER_DenominationCsPublicR r_pub_blind; struct TALER_DenominationCsPublicR r_pub_blind;
struct TALER_DenominationCsPrivateR priv_r;
struct TALER_BlindedDenominationSignature blind_sig; struct TALER_BlindedDenominationSignature blind_sig;
struct TALER_FreshCoin coin; struct TALER_FreshCoin coin;
@ -174,30 +173,25 @@ test_planchets_cs (void)
&ps, &ps,
&c_hash, &c_hash,
&pd, &pd,
&nonce,
&r_pub, &r_pub,
&r_pub_blind)); &r_pub_blind));
// TODO: Remove r_secret if not needed
GNUNET_assert (GNUNET_OK ==
TALER_denom_cs_derive_r_secret (&nonce,
&dk_priv,
&priv_r));
GNUNET_assert (GNUNET_OK == GNUNET_assert (GNUNET_OK ==
TALER_denom_sign_blinded (&blind_sig, TALER_denom_sign_blinded (&blind_sig,
&dk_priv, &dk_priv,
&pd.blinded_planchet, &pd.blinded_planchet,
&nonce)); &nonce));
// GNUNET_assert (GNUNET_OK == GNUNET_assert (GNUNET_OK ==
// TALER_planchet_to_coin (&dk_pub, TALER_planchet_to_coin (&dk_pub,
// &blind_sig, &blind_sig,
// &ps, &ps,
// &c_hash, &c_hash,
// &coin, &coin,
// &r_pub_blind)); &r_pub_blind));
TALER_blinded_denom_sig_free (&blind_sig); TALER_blinded_denom_sig_free (&blind_sig);
// TALER_denom_sig_free (&coin.sig); TALER_denom_sig_free (&coin.sig);
TALER_denom_priv_free (&dk_priv); TALER_denom_priv_free (&dk_priv);
TALER_denom_pub_free (&dk_pub); TALER_denom_pub_free (&dk_pub);
return 0; return 0;
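Review bot: test_planchets_cs now exercises only the successful CS round trip, so nothing here would notice if verification accepted a wrong signature, which matters because this commit also changes what TALER_denom_pub_verify passes to the verifier. I would add one negative case, for example calling TALER_planchet_to_coin with a `c_hash` that differs from the one produced by TALER_planchet_prepare and asserting that the result is not `GNUNET_OK`. Also, `nonce` is still passed to TALER_denom_sign_blinded, but its initialisation lies outside the visible hunks; confirm it is still set now that TALER_planchet_prepare no longer receives it.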