derive refresh info from secret seed

This commit is contained in:
Florian Dold 2020-12-14 16:44:42 +01:00
parent 80a0fab126
commit 12234083ec
No known key found for this signature in database
GPG Key ID: D2E4F00F29D02A4B
6 changed files with 350 additions and 208 deletions

View File

@ -389,3 +389,19 @@ export function setupRefreshPlanchet(
coinPub: eddsaGetPublic(coinPriv),
};
}
export function setupRefreshTransferPub(
secretSeed: Uint8Array,
transferPubIndex: number,
): EcdheKeyPair {
const info = stringToBytes("taler-transfer-pub-derivation");
const saltArrBuf = new ArrayBuffer(4);
const salt = new Uint8Array(saltArrBuf);
const saltDataView = new DataView(saltArrBuf);
saltDataView.setUint32(0, transferPubIndex);
const out = kdf(32, secretSeed, salt, info);
return {
ecdhePriv: out,
ecdhePub: ecdheGetPublic(out),
};
}

View File

@ -47,6 +47,10 @@ import {
import * as timer from "../../util/timer";
import { Logger } from "../../util/logging";
import {
DerivedRefreshSession,
DeriveRefreshSessionRequest,
} from "../../types/cryptoTypes";
const logger = new Logger("cryptoApi.ts");
@ -417,22 +421,10 @@ export class CryptoApi {
return this.doRpc<RecoupRequest>("createRecoupRequest", 1, coin);
}
createRefreshSession(
exchangeBaseUrl: string,
kappa: number,
meltCoin: CoinRecord,
newCoinDenoms: DenominationSelectionInfo,
meltFee: AmountJson,
): Promise<RefreshSessionRecord> {
return this.doRpc<RefreshSessionRecord>(
"createRefreshSession",
4,
exchangeBaseUrl,
kappa,
meltCoin,
newCoinDenoms,
meltFee,
);
deriveRefreshSession(
req: DeriveRefreshSessionRequest,
): Promise<DerivedRefreshSession> {
return this.doRpc<DerivedRefreshSession>("deriveRefreshSession", 4, req);
}
signCoinLink(

View File

@ -63,6 +63,8 @@ import {
keyExchangeEcdheEddsa,
setupRefreshPlanchet,
rsaVerify,
getRandomBytes,
setupRefreshTransferPub,
} from "../talerCrypto";
import { randomBytes } from "../primitives/nacl-fast";
import { kdf } from "../primitives/kdf";
@ -73,6 +75,10 @@ import {
} from "../../util/time";
import { Logger } from "../../util/logging";
import {
DerivedRefreshSession,
DeriveRefreshSessionRequest,
} from "../../types/cryptoTypes";
const logger = new Logger("cryptoImplementation.ts");
@ -375,21 +381,24 @@ export class CryptoImplementation {
return s;
}
/**
* Create a new refresh session.
*/
createRefreshSession(
exchangeBaseUrl: string,
kappa: number,
meltCoin: CoinRecord,
newCoinDenoms: DenominationSelectionInfo,
meltFee: AmountJson,
): RefreshSessionRecord {
const currency = newCoinDenoms.selectedDenoms[0].denom.value.currency;
deriveRefreshSession(
req: DeriveRefreshSessionRequest,
): DerivedRefreshSession {
const {
newCoinDenoms,
feeRefresh: meltFee,
kappa,
meltCoinDenomPubHash,
meltCoinPriv,
meltCoinPub,
sessionSecretSeed: refreshSessionSecretSeed,
} = req;
const currency = newCoinDenoms[0].value.currency;
let valueWithFee = Amounts.getZero(currency);
for (const ncd of newCoinDenoms.selectedDenoms) {
const t = Amounts.add(ncd.denom.value, ncd.denom.feeWithdraw).amount;
for (const ncd of newCoinDenoms) {
const t = Amounts.add(ncd.value, ncd.feeWithdraw).amount;
valueWithFee = Amounts.add(
valueWithFee,
Amounts.mult(t, ncd.count).amount,
@ -409,7 +418,10 @@ export class CryptoImplementation {
logger.trace("starting RC computation");
for (let i = 0; i < kappa; i++) {
const transferKeyPair = createEcdheKeyPair();
const transferKeyPair = setupRefreshTransferPub(
decodeCrock(refreshSessionSecretSeed),
i,
);
sessionHc.update(transferKeyPair.ecdhePub);
logger.trace(
`HASH transfer_pub ${encodeCrock(transferKeyPair.ecdhePub)}`,
@ -418,16 +430,16 @@ export class CryptoImplementation {
transferPubs.push(encodeCrock(transferKeyPair.ecdhePub));
}
for (const denomSel of newCoinDenoms.selectedDenoms) {
for (const denomSel of newCoinDenoms) {
for (let i = 0; i < denomSel.count; i++) {
const r = decodeCrock(denomSel.denom.denomPub);
const r = decodeCrock(denomSel.denomPub);
sessionHc.update(r);
logger.trace(`HASH new_coins ${encodeCrock(r)}`);
}
}
sessionHc.update(decodeCrock(meltCoin.coinPub));
logger.trace(`HASH coin_pub ${meltCoin.coinPub}`);
sessionHc.update(decodeCrock(meltCoinPub));
logger.trace(`HASH coin_pub ${meltCoinPub}`);
sessionHc.update(amountToBuffer(valueWithFee));
logger.trace(
`HASH melt_amount ${encodeCrock(amountToBuffer(valueWithFee))}`,
@ -435,12 +447,12 @@ export class CryptoImplementation {
for (let i = 0; i < kappa; i++) {
const planchets: RefreshPlanchet[] = [];
for (let j = 0; j < newCoinDenoms.selectedDenoms.length; j++) {
const denomSel = newCoinDenoms.selectedDenoms[j];
for (let j = 0; j < newCoinDenoms.length; j++) {
const denomSel = newCoinDenoms[j];
for (let k = 0; k < denomSel.count; k++) {
const coinNumber = planchets.length;
const transferPriv = decodeCrock(transferPrivs[i]);
const oldCoinPub = decodeCrock(meltCoin.coinPub);
const oldCoinPub = decodeCrock(meltCoinPub);
const transferSecret = keyExchangeEcdheEddsa(
transferPriv,
oldCoinPub,
@ -450,7 +462,7 @@ export class CryptoImplementation {
const coinPub = fresh.coinPub;
const blindingFactor = fresh.bks;
const pubHash = hash(coinPub);
const denomPub = decodeCrock(denomSel.denom.denomPub);
const denomPub = decodeCrock(denomSel.denomPub);
const ev = rsaBlind(pubHash, blindingFactor, denomPub);
const planchet: RefreshPlanchet = {
blindingKey: encodeCrock(blindingFactor),
@ -481,49 +493,22 @@ export class CryptoImplementation {
const confirmData = buildSigPS(SignaturePurpose.WALLET_COIN_MELT)
.put(sessionHash)
.put(decodeCrock(meltCoin.denomPubHash))
.put(decodeCrock(meltCoinDenomPubHash))
.put(amountToBuffer(valueWithFee))
.put(amountToBuffer(meltFee))
.put(decodeCrock(meltCoin.coinPub))
.put(decodeCrock(meltCoinPub))
.build();
const confirmSig = eddsaSign(confirmData, decodeCrock(meltCoin.coinPriv));
const confirmSig = eddsaSign(confirmData, decodeCrock(meltCoinPriv));
let valueOutput = Amounts.getZero(currency);
for (const denomSel of newCoinDenoms.selectedDenoms) {
const denom = denomSel.denom;
for (let i = 0; i < denomSel.count; i++) {
valueOutput = Amounts.add(valueOutput, denom.value).amount;
}
}
const newDenoms: string[] = [];
const newDenomHashes: string[] = [];
for (const denomSel of newCoinDenoms.selectedDenoms) {
const denom = denomSel.denom;
for (let i = 0; i < denomSel.count; i++) {
newDenoms.push(denom.denomPub);
newDenomHashes.push(denom.denomPubHash);
}
}
const refreshSession: RefreshSessionRecord = {
const refreshSession: DerivedRefreshSession = {
confirmSig: encodeCrock(confirmSig),
exchangeBaseUrl,
hash: encodeCrock(sessionHash),
meltCoinPub: meltCoin.coinPub,
newDenomHashes,
newDenoms,
norevealIndex: undefined,
meltCoinPub: meltCoinPub,
planchetsForGammas: planchetsForGammas,
transferPrivs,
transferPubs,
amountRefreshOutput: valueOutput,
amountRefreshInput: valueWithFee,
timestampCreated: getTimestampNow(),
finishedTimestamp: undefined,
lastError: undefined,
meltValueWithFee: valueWithFee,
};
return refreshSession;

View File

@ -60,6 +60,8 @@ import {
import { URL } from "../util/url";
import { checkDbInvariant } from "../util/invariants";
import { initRetryInfo, updateRetryInfoTimeout } from "../util/retries";
import { WALLET_EXCHANGE_PROTOCOL_VERSION } from "./versions";
import { RefreshNewDenomInfo } from "../types/cryptoTypes";
const logger = new Logger("refresh.ts");
@ -182,13 +184,7 @@ async function refreshCreateSession(
return;
}
const refreshSession: RefreshSessionRecord = await ws.cryptoApi.createRefreshSession(
exchange.baseUrl,
3,
coin,
newCoinDenoms,
oldDenom.feeRefresh,
);
const sessionSecretSeed = encodeCrock(getRandomBytes(64));
// Store refresh session for this coin in the database.
await ws.db.runWithWriteTransaction(
@ -201,7 +197,15 @@ async function refreshCreateSession(
if (rg.refreshSessionPerCoin[coinIndex]) {
return;
}
rg.refreshSessionPerCoin[coinIndex] = refreshSession;
rg.refreshSessionPerCoin[coinIndex] = {
norevealIndex: undefined,
sessionSecretSeed: sessionSecretSeed,
newDenoms: newCoinDenoms.selectedDenoms.map((x) => ({
count: x.count,
denomPubHash: x.denom.denomPubHash,
})),
amountRefreshOutput: newCoinDenoms.totalCoinValue,
};
await tx.put(Stores.refreshGroups, rg);
},
);
@ -232,24 +236,57 @@ async function refreshMelt(
return;
}
const coin = await ws.db.get(Stores.coins, refreshSession.meltCoinPub);
const oldCoin = await ws.db.get(
Stores.coins,
refreshGroup.oldCoinPubs[coinIndex],
);
checkDbInvariant(!!oldCoin, "melt coin doesn't exist");
const oldDenom = await ws.db.get(Stores.denominations, [
oldCoin.exchangeBaseUrl,
oldCoin.denomPubHash,
]);
checkDbInvariant(!!oldDenom, "denomination for melted coin doesn't exist");
if (!coin) {
console.error("can't melt coin, it does not exist");
return;
const newCoinDenoms: RefreshNewDenomInfo[] = [];
for (const dh of refreshSession.newDenoms) {
const newDenom = await ws.db.get(Stores.denominations, [
oldCoin.exchangeBaseUrl,
dh.denomPubHash,
]);
checkDbInvariant(
!!newDenom,
"new denomination for refresh not in database",
);
newCoinDenoms.push({
count: dh.count,
denomPub: newDenom.denomPub,
feeWithdraw: newDenom.feeWithdraw,
value: newDenom.value,
});
}
const derived = await ws.cryptoApi.deriveRefreshSession({
kappa: 3,
meltCoinDenomPubHash: oldCoin.denomPubHash,
meltCoinPriv: oldCoin.coinPriv,
meltCoinPub: oldCoin.coinPub,
feeRefresh: oldDenom.feeRefresh,
newCoinDenoms,
sessionSecretSeed: refreshSession.sessionSecretSeed,
});
const reqUrl = new URL(
`coins/${coin.coinPub}/melt`,
refreshSession.exchangeBaseUrl,
`coins/${oldCoin.coinPub}/melt`,
oldCoin.exchangeBaseUrl,
);
const meltReq = {
coin_pub: coin.coinPub,
confirm_sig: refreshSession.confirmSig,
denom_pub_hash: coin.denomPubHash,
denom_sig: coin.denomSig,
rc: refreshSession.hash,
value_with_fee: Amounts.stringify(refreshSession.amountRefreshInput),
coin_pub: oldCoin.coinPub,
confirm_sig: derived.confirmSig,
denom_pub_hash: oldCoin.denomPubHash,
denom_sig: oldCoin.denomSig,
rc: derived.hash,
value_with_fee: Amounts.stringify(derived.meltValueWithFee),
};
logger.trace(`melt request for coin:`, meltReq);
@ -270,15 +307,15 @@ async function refreshMelt(
await ws.db.mutate(Stores.refreshGroups, refreshGroupId, (rg) => {
const rs = rg.refreshSessionPerCoin[coinIndex];
if (rg.timestampFinished) {
return;
}
if (!rs) {
return;
}
if (rs.norevealIndex !== undefined) {
return;
}
if (rs.finishedTimestamp) {
return;
}
rs.norevealIndex = norevealIndex;
return rg;
});
@ -305,48 +342,95 @@ async function refreshReveal(
if (norevealIndex === undefined) {
throw Error("can't reveal without melting first");
}
const privs = Array.from(refreshSession.transferPrivs);
const oldCoin = await ws.db.get(
Stores.coins,
refreshGroup.oldCoinPubs[coinIndex],
);
checkDbInvariant(!!oldCoin, "melt coin doesn't exist");
const oldDenom = await ws.db.get(Stores.denominations, [
oldCoin.exchangeBaseUrl,
oldCoin.denomPubHash,
]);
checkDbInvariant(!!oldDenom, "denomination for melted coin doesn't exist");
const newCoinDenoms: RefreshNewDenomInfo[] = [];
for (const dh of refreshSession.newDenoms) {
const newDenom = await ws.db.get(Stores.denominations, [
oldCoin.exchangeBaseUrl,
dh.denomPubHash,
]);
checkDbInvariant(
!!newDenom,
"new denomination for refresh not in database",
);
newCoinDenoms.push({
count: dh.count,
denomPub: newDenom.denomPub,
feeWithdraw: newDenom.feeWithdraw,
value: newDenom.value,
});
}
const derived = await ws.cryptoApi.deriveRefreshSession({
kappa: 3,
meltCoinDenomPubHash: oldCoin.denomPubHash,
meltCoinPriv: oldCoin.coinPriv,
meltCoinPub: oldCoin.coinPub,
feeRefresh: oldDenom.feeRefresh,
newCoinDenoms,
sessionSecretSeed: refreshSession.sessionSecretSeed,
});
const privs = Array.from(derived.transferPrivs);
privs.splice(norevealIndex, 1);
const planchets = refreshSession.planchetsForGammas[norevealIndex];
const planchets = derived.planchetsForGammas[norevealIndex];
if (!planchets) {
throw Error("refresh index error");
}
const meltCoinRecord = await ws.db.get(
Stores.coins,
refreshSession.meltCoinPub,
refreshGroup.oldCoinPubs[coinIndex],
);
if (!meltCoinRecord) {
throw Error("inconsistent database");
}
const evs = planchets.map((x: RefreshPlanchet) => x.coinEv);
const newDenomsFlat: string[] = [];
const linkSigs: string[] = [];
for (let i = 0; i < refreshSession.newDenoms.length; i++) {
const dsel = refreshSession.newDenoms[i];
for (let j = 0; j < dsel.count; j++) {
const newCoinIndex = linkSigs.length;
const linkSig = await ws.cryptoApi.signCoinLink(
meltCoinRecord.coinPriv,
refreshSession.newDenomHashes[i],
refreshSession.meltCoinPub,
refreshSession.transferPubs[norevealIndex],
planchets[i].coinEv,
dsel.denomPubHash,
meltCoinRecord.coinPub,
derived.transferPubs[norevealIndex],
planchets[newCoinIndex].coinEv,
);
linkSigs.push(linkSig);
newDenomsFlat.push(dsel.denomPubHash);
}
}
const req = {
coin_evs: evs,
new_denoms_h: refreshSession.newDenomHashes,
rc: refreshSession.hash,
new_denoms_h: newDenomsFlat,
rc: derived.hash,
transfer_privs: privs,
transfer_pub: refreshSession.transferPubs[norevealIndex],
transfer_pub: derived.transferPubs[norevealIndex],
link_sigs: linkSigs,
};
const reqUrl = new URL(
`refreshes/${refreshSession.hash}/reveal`,
refreshSession.exchangeBaseUrl,
`refreshes/${derived.hash}/reveal`,
oldCoin.exchangeBaseUrl,
);
const resp = await ws.runSequentialized([EXCHANGE_COINS_LOCK], async () => {
@ -362,18 +446,20 @@ async function refreshReveal(
const coins: CoinRecord[] = [];
for (let i = 0; i < reveal.ev_sigs.length; i++) {
for (let i = 0; i < refreshSession.newDenoms.length; i++) {
for (let j = 0; j < refreshSession.newDenoms[i].count; j++) {
const newCoinIndex = coins.length;
const denom = await ws.db.get(Stores.denominations, [
refreshSession.exchangeBaseUrl,
refreshSession.newDenomHashes[i],
oldCoin.exchangeBaseUrl,
refreshSession.newDenoms[i].denomPubHash,
]);
if (!denom) {
console.error("denom not found");
continue;
}
const pc = refreshSession.planchetsForGammas[norevealIndex][i];
const pc = derived.planchetsForGammas[norevealIndex][newCoinIndex];
const denomSig = await ws.cryptoApi.rsaUnblind(
reveal.ev_sigs[i].ev_sig,
reveal.ev_sigs[newCoinIndex].ev_sig,
pc.blindingKey,
denom.denomPub,
);
@ -385,17 +471,18 @@ async function refreshReveal(
denomPub: denom.denomPub,
denomPubHash: denom.denomPubHash,
denomSig,
exchangeBaseUrl: refreshSession.exchangeBaseUrl,
exchangeBaseUrl: oldCoin.exchangeBaseUrl,
status: CoinStatus.Fresh,
coinSource: {
type: CoinSourceType.Refresh,
oldCoinPub: refreshSession.meltCoinPub,
oldCoinPub: refreshGroup.oldCoinPubs[coinIndex],
},
suspended: false,
};
coins.push(coin);
}
}
await ws.db.runWithWriteTransaction(
[Stores.coins, Stores.refreshGroups],
@ -409,11 +496,6 @@ async function refreshReveal(
if (!rs) {
return;
}
if (rs.finishedTimestamp) {
logger.warn("refresh session already finished");
return;
}
rs.finishedTimestamp = getTimestampNow();
rg.finishedPerCoin[coinIndex] = true;
let allDone = true;
for (const f of rg.finishedPerCoin) {

View File

@ -0,0 +1,111 @@
/*
This file is part of GNU Taler
(C) 2020 Taler Systems SA
TALER is free software; you can redistribute it and/or modify it under the
terms of the GNU General Public License as published by the Free Software
Foundation; either version 3, or (at your option) any later version.
TALER is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with
TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/>
*/
/**
* Types used by the wallet crypto worker.
*
* These types are defined in a separate file make tree shaking easier, since
* some components use these types (via RPC) but do not depend on the wallet
* code directly.
*
* @author Florian Dold <dold@taler.net>
*/
/**
* Imports.
*/
import { AmountJson } from "../util/amounts";
export interface RefreshNewDenomInfo {
count: number;
value: AmountJson;
feeWithdraw: AmountJson;
denomPub: string;
}
/**
* Request to derive a refresh session from the refresh session
* secret seed.
*/
export interface DeriveRefreshSessionRequest {
sessionSecretSeed: string;
kappa: number;
meltCoinPub: string;
meltCoinPriv: string;
meltCoinDenomPubHash: string;
newCoinDenoms: RefreshNewDenomInfo[];
feeRefresh: AmountJson;
}
/**
*
*/
export interface DerivedRefreshSession {
/**
* Public key that's being melted in this session.
*/
meltCoinPub: string;
/**
* Signature to confirm the melting.
*/
confirmSig: string;
/**
* Planchets for each cut-and-choose instance.
*/
planchetsForGammas: {
/**
* Public key for the coin.
*/
publicKey: string;
/**
* Private key for the coin.
*/
privateKey: string;
/**
* Blinded public key.
*/
coinEv: string;
/**
* Blinding key used.
*/
blindingKey: string;
}[][];
/**
* The transfer keys, kappa of them.
*/
transferPubs: string[];
/**
* Private keys for the transfer public keys.
*/
transferPrivs: string[];
/**
* Hash of the session.
*/
hash: string;
/**
* Exact value that is being melted.
*/
meltValueWithFee: AmountJson;
}

View File

@ -664,14 +664,17 @@ export interface RefreshPlanchet {
* Public key for the coin.
*/
publicKey: string;
/**
* Private key for the coin.
*/
privateKey: string;
/**
* Blinded public key.
*/
coinEv: string;
/**
* Blinding key used.
*/
@ -991,18 +994,14 @@ export interface RefreshGroupRecord {
* Ongoing refresh
*/
export interface RefreshSessionRecord {
lastError: TalerErrorDetails | undefined;
/**
* Public key that's being melted in this session.
* 512-bit secret that can be used to derive
* the other cryptographic material for the refresh session.
*
* FIXME: We currently store the derived material, but
* should always derive it.
*/
meltCoinPub: string;
/**
* How much of the coin's value is melted away
* with this refresh session?
*/
amountRefreshInput: AmountJson;
sessionSecretSeed: string;
/**
* Sum of the value of denominations we want
@ -1011,59 +1010,17 @@ export interface RefreshSessionRecord {
amountRefreshOutput: AmountJson;
/**
* Signature to confirm the melting.
* Hashed denominations of the newly requested coins.
*/
confirmSig: string;
/**
* Hased denominations of the newly requested coins.
*/
newDenomHashes: string[];
/**
* Denominations of the newly requested coins.
*/
newDenoms: string[];
/**
* Planchets for each cut-and-choose instance.
*/
planchetsForGammas: RefreshPlanchet[][];
/**
* The transfer keys, kappa of them.
*/
transferPubs: string[];
/**
* Private keys for the transfer public keys.
*/
transferPrivs: string[];
newDenoms: {
denomPubHash: string;
count: number;
}[];
/**
* The no-reveal-index after we've done the melting.
*/
norevealIndex?: number;
/**
* Hash of the session.
*/
hash: string;
/**
* Timestamp when the refresh session finished.
*/
finishedTimestamp: Timestamp | undefined;
/**
* When has this refresh session been created?
*/
timestampCreated: Timestamp;
/**
* Base URL for the exchange we're doing the refresh with.
*/
exchangeBaseUrl: string;
}
/**
@ -1712,7 +1669,6 @@ class BankWithdrawUrisStore extends Store<
}
}
/**
*/
class BackupProvidersStore extends Store<