/* This file is part of TALER Copyright (C) 2014, 2015 GNUnet e.V. TALER is free software; you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation; either version 3, or (at your option) any later version. TALER is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details. You should have received a copy of the GNU Affero General Public License along with TALER; see the file COPYING. If not, If not, see */ /** * @file taler-mint-httpd_refresh.c * @brief Handle /refresh/ requests * @author Florian Dold * @author Benedikt Mueller * @author Christian Grothoff */ #include "platform.h" #include #include #include #include "taler_mintdb_plugin.h" #include "taler_signatures.h" #include "taler_util.h" #include "taler-mint-httpd_parsing.h" #include "taler-mint-httpd_mhd.h" #include "taler-mint-httpd_refresh.h" #include "taler-mint-httpd_responses.h" #include "taler-mint-httpd_keystate.h" /** * Handle a "/refresh/melt" request after the main JSON parsing has happened. * We now need to validate the coins being melted and the session signature * and then hand things of to execute the melt operation. * * @param connection the MHD connection to handle * @param refresh_session_pub public key of the melt operation * @param num_new_denoms number of coins to be created, size of y-dimension of @commit_link array * @param denom_pubs array of @a num_new_denoms keys * @param coin_count number of coins to be melted, size of y-dimension of @commit_coin array * @param coin_public_infos array with @a coin_count entries about the coins * @param coin_melt_details array with @a coin_count entries with melting details * @param commit_hash hash over the data that the client commits to * @param commit_client_sig signature of the client over this commitment * @param kappa size of x-dimension of @commit_coin and @commit_link arrays * @param commit_coin 2d array of coin commitments (what the mint is to sign * once the "/refres/reveal" of cut and choose is done) * @param commit_link 2d array of coin link commitments (what the mint is * to return via "/refresh/link" to enable linkage in the * future) * @return MHD result code */ static int handle_refresh_melt_binary (struct MHD_Connection *connection, const struct GNUNET_CRYPTO_EddsaPublicKey *refresh_session_pub, unsigned int num_new_denoms, struct GNUNET_CRYPTO_rsa_PublicKey *const*denom_pubs, unsigned int coin_count, struct TALER_CoinPublicInfo *coin_public_infos, const struct MeltDetails *coin_melt_details, const struct GNUNET_HashCode *commit_hash, const struct GNUNET_CRYPTO_EddsaSignature *commit_client_sig, unsigned int kappa, struct RefreshCommitCoin *const* commit_coin, struct RefreshCommitLink *const* commit_link) { unsigned int i; struct GNUNET_HashContext *hash_context; struct GNUNET_HashCode melt_hash; struct RefreshMeltSessionSignature body; char *buf; size_t buf_size; struct MintKeyState *key_state; struct TALER_MINT_DenomKeyIssue *dki; struct TALER_Amount cost; struct TALER_Amount total_cost; struct TALER_Amount melt; struct TALER_Amount value; struct TALER_Amount fee_withdraw; struct TALER_Amount fee_melt; struct TALER_Amount total_melt; /* check that signature from the session public key is ok */ hash_context = GNUNET_CRYPTO_hash_context_start (); /* FIXME: also hash session public key here!? #3708 */ for (i = 0; i < num_new_denoms; i++) { buf_size = GNUNET_CRYPTO_rsa_public_key_encode (denom_pubs[i], &buf); GNUNET_CRYPTO_hash_context_read (hash_context, buf, buf_size); GNUNET_free (buf); } for (i = 0; i < coin_count; i++) GNUNET_CRYPTO_hash_context_read (hash_context, &coin_public_infos[i].coin_pub, sizeof (struct GNUNET_CRYPTO_EddsaPublicKey)); GNUNET_CRYPTO_hash_context_finish (hash_context, &melt_hash); /* FIXME: what about the `commit_hash`? #3708 */ body.purpose.purpose = htonl (TALER_SIGNATURE_REFRESH_MELT_SESSION); body.purpose.size = htonl (sizeof (struct RefreshMeltSessionSignature)); body.melt_hash = melt_hash; TALER_amount_hton (&body.amount_with_fee, &coin_melt_details->melt_amount_with_fee); if (GNUNET_OK != GNUNET_CRYPTO_eddsa_verify (TALER_SIGNATURE_REFRESH_MELT_SESSION, &body.purpose, commit_client_sig, refresh_session_pub)) { GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "signature invalid (did not verify)\n"); return TALER_MINT_reply_json_pack (connection, MHD_HTTP_UNAUTHORIZED, "{s:s}", "error", "invalid signature (verification)"); } GNUNET_assert (GNUNET_OK == TALER_amount_get_zero (MINT_CURRENCY, &total_cost)); key_state = TALER_MINT_key_state_acquire (); for (i=0;iissue; TALER_amount_ntoh (&value, &dki->value); TALER_amount_ntoh (&fee_withdraw, &dki->fee_withdraw); if ( (GNUNET_OK != TALER_amount_add (&cost, &value, &fee_withdraw)) || (GNUNET_OK != TALER_amount_add (&total_cost, &cost, &total_cost)) ) { TALER_MINT_key_state_release (key_state); return TALER_MINT_reply_internal_error (connection, "cost calculation failure"); } } GNUNET_assert (GNUNET_OK == TALER_amount_get_zero (MINT_CURRENCY, &total_melt)); for (i=0;iissue; TALER_amount_ntoh (&fee_melt, &dki->fee_refresh); if (GNUNET_OK != TALER_amount_subtract (&melt, &coin_melt_details->melt_amount_with_fee, &fee_melt)) { TALER_MINT_key_state_release (key_state); return TALER_MINT_reply_external_error (connection, "Melt contribution below melting fee"); } if (GNUNET_OK != TALER_amount_add (&total_melt, &melt, &total_melt)) { TALER_MINT_key_state_release (key_state); return TALER_MINT_reply_internal_error (connection, "balance calculation failure"); } } TALER_MINT_key_state_release (key_state); if (0 != TALER_amount_cmp (&total_cost, &total_melt)) { /* We require total value of coins being melted and total value of coins being generated to match! */ return TALER_MINT_reply_json_pack (connection, MHD_HTTP_BAD_REQUEST, "{s:s}", "error", "value mismatch"); } return TALER_MINT_db_execute_refresh_melt (connection, &melt_hash, refresh_session_pub, commit_client_sig, num_new_denoms, denom_pubs, coin_count, coin_public_infos, coin_melt_details, kappa, commit_coin, commit_link); } /** * Extract public coin information from a JSON object. * * @param connection the connection to send error responses to * @param coin_info the JSON object to extract the coin info from * @param r_public_info[OUT] set to the coin's public information * @param r_melt_detail[OUT] set to details about the coin's melting permission (if valid) * @return #GNUNET_YES if coin public info in JSON was valid * #GNUNET_NO JSON was invalid, response was generated * #GNUNET_SYSERR on internal error */ static int get_coin_public_info (struct MHD_Connection *connection, json_t *coin_info, struct TALER_CoinPublicInfo *r_public_info, struct MeltDetails *r_melt_detail) { int ret; struct GNUNET_CRYPTO_EcdsaSignature melt_sig; struct GNUNET_CRYPTO_rsa_Signature *sig; struct GNUNET_CRYPTO_rsa_PublicKey *pk; struct TALER_Amount amount; struct GNUNET_MINT_ParseFieldSpec spec[] = { TALER_MINT_PARSE_FIXED ("coin_pub", &r_public_info->coin_pub), TALER_MINT_PARSE_RSA_SIGNATURE ("denom_sig", &sig), TALER_MINT_PARSE_RSA_PUBLIC_KEY ("denom_pub", &pk), TALER_MINT_PARSE_FIXED ("confirm_sig", &melt_sig), /* FIXME: #3636! */ TALER_MINT_PARSE_END }; memset (&amount, 0, sizeof (amount)); // FIXME: #3636! ret = TALER_MINT_parse_json_data (connection, coin_info, spec); if (GNUNET_OK != ret) return ret; /* FIXME: include amount of coin value to be melted here (#3636!) and in what we return!? */ /* check mint signature on the coin */ r_public_info->denom_sig = sig; r_public_info->denom_pub = pk; if (GNUNET_OK != TALER_test_coin_valid (r_public_info)) { TALER_MINT_release_parsed_data (spec); r_public_info->denom_sig = NULL; r_public_info->denom_pub = NULL; return (MHD_YES == TALER_MINT_reply_json_pack (connection, MHD_HTTP_NOT_FOUND, "{s:s}", "error", "coin invalid")) ? GNUNET_NO : GNUNET_SYSERR; } r_melt_detail->melt_sig = melt_sig; r_melt_detail->melt_amount_with_fee = amount; TALER_MINT_release_parsed_data (spec); return GNUNET_OK; } /** * Verify that the signature shows that this coin is to be melted into * the given @a session_pub melting session, and that this is a valid * coin (we know the denomination key and the signature on it is * valid). Essentially, this does all of the per-coin checks that can * be done before the transaction starts. * * @param connection the connection to send error responses to * @param melt_hash hash over refresh session the coin is melted into * @param r_public_info the coin's public information * @param r_melt_detail details about the coin's melting permission (if valid) * @return #GNUNET_YES if coin public info in JSON was valid * #GNUNET_NO JSON was invalid, response was generated * #GNUNET_SYSERR on internal error */ static int verify_coin_public_info (struct MHD_Connection *connection, const struct GNUNET_HashCode *melt_hash, const struct TALER_CoinPublicInfo *r_public_info, const struct MeltDetails *r_melt_detail) { struct RefreshMeltCoinSignature body; struct MintKeyState *key_state; struct TALER_MINT_DenomKeyIssuePriv *dki; struct TALER_Amount fee_refresh; body.purpose.size = htonl (sizeof (struct RefreshMeltCoinSignature)); body.purpose.purpose = htonl (TALER_SIGNATURE_REFRESH_MELT_COIN); body.melt_hash = *melt_hash; TALER_amount_hton (&body.amount_with_fee, &r_melt_detail->melt_amount_with_fee); body.coin_pub = r_public_info->coin_pub; if (GNUNET_OK != GNUNET_CRYPTO_ecdsa_verify (TALER_SIGNATURE_REFRESH_MELT_COIN, &body.purpose, &r_melt_detail->melt_sig, &r_public_info->coin_pub)) { if (MHD_YES != TALER_MINT_reply_json_pack (connection, MHD_HTTP_UNAUTHORIZED, "{s:s}", "error", "signature invalid")) return GNUNET_SYSERR; return GNUNET_NO; } key_state = TALER_MINT_key_state_acquire (); dki = TALER_MINT_get_denom_key (key_state, r_public_info->denom_pub); if (NULL == dki) { TALER_MINT_key_state_release (key_state); LOG_WARNING ("Unknown denomination key in /refresh/melt request\n"); return TALER_MINT_reply_arg_invalid (connection, "denom_pub"); } /* FIXME: need to check if denomination key is still valid for issuing! (#3634) */ TALER_amount_ntoh (&fee_refresh, &dki->issue.fee_refresh); if (TALER_amount_cmp (&fee_refresh, &r_melt_detail->melt_amount_with_fee) < 0) { TALER_MINT_key_state_release (key_state); return (MHD_YES == TALER_MINT_reply_external_error (connection, "melt amount smaller than melting fee")) ? GNUNET_NO : GNUNET_SYSERR; } TALER_MINT_key_state_release (key_state); return GNUNET_OK; } /** * Release memory from the @a commit_coin array. * * @param commit_coin array to release * @param kappa size of 1st dimension * @param num_new_coins size of 2nd dimension */ static void free_commit_coins (struct RefreshCommitCoin **commit_coin, unsigned int kappa, unsigned int num_new_coins) { unsigned int i; unsigned int j; for (i=0;i kappa) || (kappa > 32) ) { GNUNET_break_op (0); TALER_MINT_release_parsed_data (spec); return TALER_MINT_reply_arg_invalid (connection, "coin_evs"); } if (json_array_size (transfer_pubs) != kappa) { GNUNET_break_op (0); TALER_MINT_release_parsed_data (spec); return TALER_MINT_reply_arg_invalid (connection, "transfer_pubs"); } res = GNUNET_MINT_parse_navigate_json (connection, coin_evs, JNAV_INDEX, (int) 0, JNAV_RET_DATA, JSON_ARRAY, &coin_detail); if (GNUNET_OK != res) { TALER_MINT_release_parsed_data (spec); return (GNUNET_SYSERR == res) ? MHD_NO : MHD_YES; } num_newcoins = json_array_size (coin_detail); res = GNUNET_MINT_parse_navigate_json (connection, transfer_pubs, JNAV_INDEX, (int) 0, JNAV_RET_DATA, JSON_ARRAY, &coin_detail); if (GNUNET_OK != res) { TALER_MINT_release_parsed_data (spec); return (GNUNET_SYSERR == res) ? MHD_NO : MHD_YES; } num_oldcoins = json_array_size (coin_detail); res = handle_refresh_melt_json (connection, &refresh_session_pub, new_denoms, melt_coins, melt_sig_json, commit_sig_json, kappa, num_oldcoins, transfer_pubs, secret_encs, num_newcoins, coin_evs, link_encs); TALER_MINT_release_parsed_data (spec); return res; } /** * Handle a "/refresh/reveal" request. Parses the given JSON * transfer private keys and if successful, passes everything to * #TALER_MINT_db_execute_refresh_reveal() which will verify that the * revealed information is valid then returns the signed refreshed * coins. * * @param connection the MHD connection to handle * @param refresh_session_pub public key of the session * @param kappa length of the 1st dimension of @a transfer_privs array PLUS ONE * @param num_oldcoins length of the 2nd dimension of @a transfer_privs array * @param tp_json private transfer keys in JSON format * @return MHD result code */ static int handle_refresh_reveal_json (struct MHD_Connection *connection, const struct GNUNET_CRYPTO_EddsaPublicKey *refresh_session_pub, unsigned int kappa, unsigned int num_oldcoins, const json_t *tp_json) { struct GNUNET_CRYPTO_EcdsaPrivateKey *transfer_privs[kappa - 1]; unsigned int i; unsigned int j; int res; for (i = 0; i < kappa - 1; i++) transfer_privs[i] = GNUNET_malloc (num_oldcoins * sizeof (struct GNUNET_CRYPTO_EcdsaPrivateKey)); res = GNUNET_OK; for (i = 0; i < kappa - 1; i++) { if (GNUNET_OK != res) break; for (j = 0; j < num_oldcoins; j++) { if (GNUNET_OK != res) break; res = GNUNET_MINT_parse_navigate_json (connection, tp_json, JNAV_INDEX, (int) i, JNAV_INDEX, (int) j, JNAV_RET_DATA, &transfer_privs[i][j], sizeof (struct GNUNET_CRYPTO_EddsaPrivateKey)); } } if (GNUNET_OK != res) res = (GNUNET_SYSERR == res) ? MHD_NO : MHD_YES; else res = TALER_MINT_db_execute_refresh_reveal (connection, refresh_session_pub, kappa, num_oldcoins, transfer_privs); for (i = 0; i < kappa - 1; i++) GNUNET_free (transfer_privs[i]); return res; } /** * Handle a "/refresh/reveal" request. This time, the client reveals * the private transfer keys except for the cut-and-choose value * returned from "/refresh/melt". This function parses the revealed * keys and secrets and ultimately passes everything to * #TALER_MINT_db_execute_refresh_reveal() which will verify that the * revealed information is valid then returns the signed refreshed * coins. * * @param rh context of the handler * @param connection the MHD connection to handle * @param[IN|OUT] connection_cls the connection's closure (can be updated) * @param upload_data upload data * @param[IN|OUT] upload_data_size number of bytes (left) in @a upload_data * @return MHD result code */ int TALER_MINT_handler_refresh_reveal (struct RequestHandler *rh, struct MHD_Connection *connection, void **connection_cls, const char *upload_data, size_t *upload_data_size) { struct GNUNET_CRYPTO_EddsaPublicKey refresh_session_pub; int res; unsigned int kappa; unsigned int num_oldcoins; json_t *reveal_detail; json_t *root; json_t *transfer_privs; struct GNUNET_MINT_ParseFieldSpec spec[] = { TALER_MINT_PARSE_FIXED ("session_pub", &refresh_session_pub), TALER_MINT_PARSE_ARRAY ("transfer_privs", &transfer_privs), TALER_MINT_PARSE_END }; res = TALER_MINT_parse_post_json (connection, connection_cls, upload_data, upload_data_size, &root); if (GNUNET_SYSERR == res) return MHD_NO; if ( (GNUNET_NO == res) || (NULL == root) ) return MHD_YES; res = TALER_MINT_parse_json_data (connection, root, spec); json_decref (root); if (GNUNET_OK != res) return (GNUNET_SYSERR == res) ? MHD_NO : MHD_YES; /* Determine dimensionality of the request (kappa and #old coins) */ kappa = json_array_size (transfer_privs) + 1; if ( (2 > kappa) || (kappa > 31) ) { TALER_MINT_release_parsed_data (spec); return TALER_MINT_reply_arg_invalid (connection, "transfer_privs"); } /* Note we do +1 as 1 row (cut-and-choose!) is missing! */ kappa++; res = GNUNET_MINT_parse_navigate_json (connection, transfer_privs, JNAV_INDEX, 0, JNAV_RET_TYPED_JSON, JSON_ARRAY, &reveal_detail); if (GNUNET_OK != res) { TALER_MINT_release_parsed_data (spec); return (GNUNET_SYSERR == res) ? MHD_NO : MHD_YES; } num_oldcoins = json_array_size (reveal_detail); res = handle_refresh_reveal_json (connection, &refresh_session_pub, kappa, num_oldcoins, transfer_privs); TALER_MINT_release_parsed_data (spec); return res; } /** * Handle a "/refresh/link" request * * @param rh context of the handler * @param connection the MHD connection to handle * @param[IN|OUT] connection_cls the connection's closure (can be updated) * @param upload_data upload data * @param[IN|OUT] upload_data_size number of bytes (left) in @a upload_data * @return MHD result code */ int TALER_MINT_handler_refresh_link (struct RequestHandler *rh, struct MHD_Connection *connection, void **connection_cls, const char *upload_data, size_t *upload_data_size) { struct GNUNET_CRYPTO_EcdsaPublicKey coin_pub; int res; res = TALER_MINT_mhd_request_arg_data (connection, "coin_pub", &coin_pub, sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey)); if (GNUNET_SYSERR == res) return MHD_NO; if (GNUNET_OK != res) return MHD_YES; return TALER_MINT_db_execute_refresh_link (connection, &coin_pub); } /* end of taler-mint-httpd_refresh.c */