summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Grothoff <christian@grothoff.org>2020-12-05 19:47:54 +0100
committerChristian Grothoff <christian@grothoff.org>2020-12-05 19:47:54 +0100
commit8170e1e9abaf00b9c27c8758998c4df37d77e757 (patch)
treed8dba0a93e22056b3b1410f9a3a824a829550312
parentc898ff53a24aa469bf7958081f7835bd515d7dc3 (diff)
downloadexchange-8170e1e9abaf00b9c27c8758998c4df37d77e757.tar.gz
exchange-8170e1e9abaf00b9c27c8758998c4df37d77e757.tar.bz2
exchange-8170e1e9abaf00b9c27c8758998c4df37d77e757.zip
move all TALER_SIGNATURE_SM_-operations to secmod_signatures.c
-rw-r--r--src/exchange-tools/taler-exchange-offline.c17
-rw-r--r--src/include/taler_crypto_lib.h78
-rw-r--r--src/lib/exchange_api_management_get_keys.c42
-rw-r--r--src/util/Makefile.am1
-rw-r--r--src/util/crypto_helper_denom.c25
-rw-r--r--src/util/crypto_helper_esign.c38
-rw-r--r--src/util/secmod_signatures.c126
-rw-r--r--src/util/taler-helper-crypto-eddsa.c15
-rw-r--r--src/util/taler-helper-crypto-rsa.c19
9 files changed, 275 insertions, 86 deletions
diff --git a/src/exchange-tools/taler-exchange-offline.c b/src/exchange-tools/taler-exchange-offline.c
index 15a2ed82..dc7b1409 100644
--- a/src/exchange-tools/taler-exchange-offline.c
+++ b/src/exchange-tools/taler-exchange-offline.c
@@ -1606,8 +1606,22 @@ show_signkeys (const json_t *signkeys)
json_array_foreach (signkeys, index, value) {
const char *err_name;
unsigned int err_line;
+ struct TALER_ExchangePublicKeyP exchange_pub;
+ struct TALER_SecurityModuleSignatureP secm_sig;
+ struct GNUNET_TIME_Absolute start_time;
+ struct GNUNET_TIME_Absolute sign_end;
+ struct GNUNET_TIME_Absolute legal_end;
struct GNUNET_JSON_Specification spec[] = {
- // FIXME!
+ GNUNET_JSON_spec_absolute_time ("stamp_start",
+ &start_time),
+ GNUNET_JSON_spec_absolute_time ("stamp_expire",
+ &sign_end),
+ GNUNET_JSON_spec_absolute_time ("stamp_end",
+ &legal_end),
+ GNUNET_JSON_spec_fixed_auto ("key",
+ &exchange_pub),
+ GNUNET_JSON_spec_fixed_auto ("signkey_secmod_sig",
+ &secm_sig),
GNUNET_JSON_spec_end ()
};
@@ -1626,6 +1640,7 @@ show_signkeys (const json_t *signkeys)
test_shutdown ();
return GNUNET_SYSERR;
}
+
// FIXME: print
}
return GNUNET_OK;
diff --git a/src/include/taler_crypto_lib.h b/src/include/taler_crypto_lib.h
index 8203bb9a..b6c7ac72 100644
--- a/src/include/taler_crypto_lib.h
+++ b/src/include/taler_crypto_lib.h
@@ -1151,6 +1151,84 @@ TALER_exchange_offline_signkey_validity_verify (
const struct TALER_MasterSignatureP *master_sig);
+/**
+ * Create security module EdDSA signature.
+ *
+ * @param exchange_pub public signing key to validate
+ * @param start_sign starting point of validity for signing
+ * @param duration how long will the key be in use
+ * @param secm_priv security module key to sign with
+ * @param[out] secm_sig where to write the signature
+ */
+void
+TALER_exchange_secmod_eddsa_sign (
+ const struct TALER_ExchangePublicKeyP *exchange_pub,
+ struct GNUNET_TIME_Absolute start_sign,
+ struct GNUNET_TIME_Relative duration,
+ const struct TALER_SecurityModulePrivateKeyP *secm_priv,
+ struct TALER_SecurityModuleSignatureP *secm_sig);
+
+
+/**
+ * Verify security module EdDSA signature.
+ *
+ * @param exchange_pub public signing key to validate
+ * @param start_sign starting point of validity for signing
+ * @param duration how long will the key be in use
+ * @param secm_pub public key to verify against
+ * @param secm_sig the signature the signature
+ * @return #GNUNET_OK if the signature is valid
+ */
+int
+TALER_exchange_secmod_eddsa_verify (
+ const struct TALER_ExchangePublicKeyP *exchange_pub,
+ struct GNUNET_TIME_Absolute start_sign,
+ struct GNUNET_TIME_Relative duration,
+ const struct TALER_SecurityModulePublicKeyP *secm_pub,
+ const struct TALER_SecurityModuleSignatureP *secm_sig);
+
+
+/**
+ * Create security module RSA signature.
+ *
+ * @param h_denom_pub hash of the public key to validate
+ * @param section_name name of the section in the configuration
+ * @param start_sign starting point of validity for signing
+ * @param duration how long will the key be in use
+ * @param secm_priv security module key to sign with
+ * @param[out] secm_sig where to write the signature
+ */
+void
+TALER_exchange_secmod_rsa_sign (
+ const struct GNUNET_HashCode *h_denom_pub,
+ const char *section_name,
+ struct GNUNET_TIME_Absolute start_sign,
+ struct GNUNET_TIME_Relative duration,
+ const struct TALER_SecurityModulePrivateKeyP *secm_priv,
+ struct TALER_SecurityModuleSignatureP *secm_sig);
+
+
+/**
+ * Verify security module RSA signature.
+ *
+ * @param h_ednom_pub hash of the public key to validate
+ * @param section_name name of the section in the configuration
+ * @param start_sign starting point of validity for signing
+ * @param duration how long will the key be in use
+ * @param secm_pub public key to verify against
+ * @param secm_sig the signature the signature
+ * @return #GNUNET_OK if the signature is valid
+ */
+int
+TALER_exchange_secmod_rsa_verify (
+ const struct GNUNET_HashCode *h_denom_pub,
+ const char *section_name,
+ struct GNUNET_TIME_Absolute start_sign,
+ struct GNUNET_TIME_Relative duration,
+ const struct TALER_SecurityModulePublicKeyP *secm_pub,
+ const struct TALER_SecurityModuleSignatureP *secm_sig);
+
+
/* **************** /wire account offline signing **************** */
diff --git a/src/lib/exchange_api_management_get_keys.c b/src/lib/exchange_api_management_get_keys.c
index bfda08c7..35b191a1 100644
--- a/src/lib/exchange_api_management_get_keys.c
+++ b/src/lib/exchange_api_management_get_keys.c
@@ -25,6 +25,7 @@
#include "taler_exchange_service.h"
#include "taler_signatures.h"
#include "taler_curl_lib.h"
+#include "taler_crypto_lib.h"
#include "taler_json_lib.h"
/**
@@ -139,20 +140,14 @@ handle_ok (struct TALER_EXCHANGE_ManagementGetKeysHandle *gh,
struct GNUNET_TIME_Relative duration
= GNUNET_TIME_absolute_get_difference (sign_key->valid_from,
sign_key->valid_until);
- struct TALER_SigningKeyAnnouncementPS ska = {
- .purpose.purpose = htonl (TALER_SIGNATURE_SM_SIGNING_KEY),
- .purpose.size = htonl (sizeof (ska)),
- .exchange_pub = sign_key->key,
- .anchor_time = GNUNET_TIME_absolute_hton (sign_key->valid_from),
- .duration = GNUNET_TIME_relative_hton (duration)
- };
if (GNUNET_OK !=
- GNUNET_CRYPTO_eddsa_verify (
- TALER_SIGNATURE_SM_SIGNING_KEY,
- &ska,
- &sign_key->signkey_secmod_sig.eddsa_signature,
- &fk.signkey_secmod_public_key.eddsa_pub))
+ TALER_exchange_secmod_eddsa_verify (
+ &sign_key->key,
+ sign_key->valid_from,
+ duration,
+ &fk.signkey_secmod_public_key,
+ &sign_key->signkey_secmod_sig))
{
GNUNET_break_op (0);
ok = false;
@@ -166,7 +161,10 @@ handle_ok (struct TALER_EXCHANGE_ManagementGetKeysHandle *gh,
i);
struct TALER_EXCHANGE_FutureDenomPublicKey *denom_key
= &fk.denom_keys[i];
+ const char *section_name;
struct GNUNET_JSON_Specification spec[] = {
+ GNUNET_JSON_spec_string ("section_name",
+ &section_name),
GNUNET_JSON_spec_fixed_auto ("denom_secmod_sig",
&denom_key->denom_secmod_sig),
TALER_JSON_spec_absolute_time ("stamp_expire_deposit",
@@ -206,21 +204,17 @@ handle_ok (struct TALER_EXCHANGE_ManagementGetKeysHandle *gh,
struct GNUNET_TIME_Relative duration
= GNUNET_TIME_absolute_get_difference (denom_key->valid_from,
denom_key->withdraw_valid_until);
- struct TALER_DenominationKeyAnnouncementPS dka = {
- .purpose.purpose = htonl (TALER_SIGNATURE_SM_DENOMINATION_KEY),
- .purpose.size = htonl (sizeof (dka)),
- .anchor_time = GNUNET_TIME_absolute_hton (denom_key->valid_from),
- .duration_withdraw = GNUNET_TIME_relative_hton (duration)
- };
+ struct GNUNET_HashCode h_denom_pub;
GNUNET_CRYPTO_rsa_public_key_hash (denom_key->key.rsa_public_key,
- &dka.h_denom_pub);
+ &h_denom_pub);
if (GNUNET_OK !=
- GNUNET_CRYPTO_eddsa_verify (
- TALER_SIGNATURE_SM_DENOMINATION_KEY,
- &dka,
- &denom_key->denom_secmod_sig.eddsa_signature,
- &fk.denom_secmod_public_key.eddsa_pub))
+ TALER_exchange_secmod_rsa_verify (&h_denom_pub,
+ section_name,
+ denom_key->valid_from,
+ duration,
+ &fk.denom_secmod_public_key,
+ &denom_key->denom_secmod_sig))
{
GNUNET_break_op (0);
ok = false;
diff --git a/src/util/Makefile.am b/src/util/Makefile.am
index c65a3ef1..bf460a57 100644
--- a/src/util/Makefile.am
+++ b/src/util/Makefile.am
@@ -70,6 +70,7 @@ libtalerutil_la_SOURCES = \
mhd.c \
offline_signatures.c \
payto.c \
+ secmod_signatures.c \
taler_error_codes.c \
url.c \
util.c \
diff --git a/src/util/crypto_helper_denom.c b/src/util/crypto_helper_denom.c
index 547336e7..fa8a820b 100644
--- a/src/util/crypto_helper_denom.c
+++ b/src/util/crypto_helper_denom.c
@@ -277,12 +277,7 @@ handle_mt_avail (struct TALER_CRYPTO_DenominationHelper *dh,
{
struct TALER_DenominationPublicKey denom_pub;
- struct TALER_DenominationKeyAnnouncementPS dka = {
- .purpose.purpose = htonl (TALER_SIGNATURE_SM_DENOMINATION_KEY),
- .purpose.size = htonl (sizeof (dka)),
- .anchor_time = kan->anchor_time,
- .duration_withdraw = kan->duration_withdraw
- };
+ struct GNUNET_HashCode h_denom_pub;
denom_pub.rsa_public_key
= GNUNET_CRYPTO_rsa_public_key_decode (buf,
@@ -293,15 +288,15 @@ handle_mt_avail (struct TALER_CRYPTO_DenominationHelper *dh,
return GNUNET_SYSERR;
}
GNUNET_CRYPTO_rsa_public_key_hash (denom_pub.rsa_public_key,
- &dka.h_denom_pub);
- GNUNET_CRYPTO_hash (section_name,
- strlen (section_name) + 1,
- &dka.h_section_name);
+ &h_denom_pub);
if (GNUNET_OK !=
- GNUNET_CRYPTO_eddsa_verify (TALER_SIGNATURE_SM_DENOMINATION_KEY,
- &dka,
- &kan->secm_sig.eddsa_signature,
- &kan->secm_pub.eddsa_pub))
+ TALER_exchange_secmod_rsa_verify (
+ &h_denom_pub,
+ section_name,
+ GNUNET_TIME_absolute_ntoh (kan->anchor_time),
+ GNUNET_TIME_relative_ntoh (kan->duration_withdraw),
+ &kan->secm_pub,
+ &kan->secm_sig))
{
GNUNET_break_op (0);
GNUNET_CRYPTO_rsa_public_key_free (denom_pub.rsa_public_key);
@@ -311,7 +306,7 @@ handle_mt_avail (struct TALER_CRYPTO_DenominationHelper *dh,
section_name,
GNUNET_TIME_absolute_ntoh (kan->anchor_time),
GNUNET_TIME_relative_ntoh (kan->duration_withdraw),
- &dka.h_denom_pub,
+ &h_denom_pub,
&denom_pub,
&kan->secm_pub,
&kan->secm_sig);
diff --git a/src/util/crypto_helper_esign.c b/src/util/crypto_helper_esign.c
index f21d013f..fde7f48e 100644
--- a/src/util/crypto_helper_esign.c
+++ b/src/util/crypto_helper_esign.c
@@ -258,31 +258,23 @@ handle_mt_avail (struct TALER_CRYPTO_ExchangeSignHelper *esh,
GNUNET_break_op (0);
return GNUNET_SYSERR;
}
+ if (GNUNET_OK !=
+ TALER_exchange_secmod_eddsa_verify (
+ &kan->exchange_pub,
+ GNUNET_TIME_absolute_ntoh (kan->anchor_time),
+ GNUNET_TIME_relative_ntoh (kan->duration),
+ &kan->secm_pub,
+ &kan->secm_sig))
{
- struct TALER_SigningKeyAnnouncementPS ska = {
- .purpose.purpose = htonl (TALER_SIGNATURE_SM_SIGNING_KEY),
- .purpose.size = htonl (sizeof (ska)),
- .exchange_pub = kan->exchange_pub,
- .anchor_time = kan->anchor_time,
- .duration = kan->duration
- };
-
- if (GNUNET_OK !=
- GNUNET_CRYPTO_eddsa_verify (TALER_SIGNATURE_SM_SIGNING_KEY,
- &ska,
- &kan->secm_sig.eddsa_signature,
- &kan->secm_pub.eddsa_pub))
- {
- GNUNET_break_op (0);
- return GNUNET_SYSERR;
- }
- esh->ekc (esh->ekc_cls,
- GNUNET_TIME_absolute_ntoh (kan->anchor_time),
- GNUNET_TIME_relative_ntoh (kan->duration),
- &kan->exchange_pub,
- &kan->secm_pub,
- &kan->secm_sig);
+ GNUNET_break_op (0);
+ return GNUNET_SYSERR;
}
+ esh->ekc (esh->ekc_cls,
+ GNUNET_TIME_absolute_ntoh (kan->anchor_time),
+ GNUNET_TIME_relative_ntoh (kan->duration),
+ &kan->exchange_pub,
+ &kan->secm_pub,
+ &kan->secm_sig);
return GNUNET_OK;
}
diff --git a/src/util/secmod_signatures.c b/src/util/secmod_signatures.c
new file mode 100644
index 00000000..5a2e338c
--- /dev/null
+++ b/src/util/secmod_signatures.c
@@ -0,0 +1,126 @@
+/*
+ This file is part of TALER
+ Copyright (C) 2020 Taler Systems SA
+
+ TALER is free software; you can redistribute it and/or modify it under the
+ terms of the GNU General Public License as published by the Free Software
+ Foundation; either version 3, or (at your option) any later version.
+
+ TALER is distributed in the hope that it will be useful, but WITHOUT ANY
+ WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+ A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along with
+ TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/>
+*/
+/**
+ * @file secmod_signatures.c
+ * @brief Utility functions for Taler security module signatures
+ * @author Christian Grothoff
+ */
+#include "platform.h"
+#include "taler_util.h"
+#include "taler_signatures.h"
+
+
+void
+TALER_exchange_secmod_eddsa_sign (
+ const struct TALER_ExchangePublicKeyP *exchange_pub,
+ struct GNUNET_TIME_Absolute start_sign,
+ struct GNUNET_TIME_Relative duration,
+ const struct TALER_SecurityModulePrivateKeyP *secm_priv,
+ struct TALER_SecurityModuleSignatureP *secm_sig)
+{
+ struct TALER_SigningKeyAnnouncementPS ska = {
+ .purpose.purpose = htonl (TALER_SIGNATURE_SM_SIGNING_KEY),
+ .purpose.size = htonl (sizeof (ska)),
+ .exchange_pub = *exchange_pub,
+ .anchor_time = GNUNET_TIME_absolute_hton (start_sign),
+ .duration = GNUNET_TIME_relative_hton (duration)
+ };
+
+ GNUNET_CRYPTO_eddsa_sign (&secm_priv->eddsa_priv,
+ &ska,
+ &secm_sig->eddsa_signature);
+}
+
+
+int
+TALER_exchange_secmod_eddsa_verify (
+ const struct TALER_ExchangePublicKeyP *exchange_pub,
+ struct GNUNET_TIME_Absolute start_sign,
+ struct GNUNET_TIME_Relative duration,
+ const struct TALER_SecurityModulePublicKeyP *secm_pub,
+ const struct TALER_SecurityModuleSignatureP *secm_sig)
+{
+ struct TALER_SigningKeyAnnouncementPS ska = {
+ .purpose.purpose = htonl (TALER_SIGNATURE_SM_SIGNING_KEY),
+ .purpose.size = htonl (sizeof (ska)),
+ .exchange_pub = *exchange_pub,
+ .anchor_time = GNUNET_TIME_absolute_hton (start_sign),
+ .duration = GNUNET_TIME_relative_hton (duration)
+ };
+
+ return
+ GNUNET_CRYPTO_eddsa_verify (TALER_SIGNATURE_SM_SIGNING_KEY,
+ &ska,
+ &secm_sig->eddsa_signature,
+ &secm_pub->eddsa_pub);
+}
+
+
+void
+TALER_exchange_secmod_rsa_sign (
+ const struct GNUNET_HashCode *h_denom_pub,
+ const char *section_name,
+ struct GNUNET_TIME_Absolute start_sign,
+ struct GNUNET_TIME_Relative duration,
+ const struct TALER_SecurityModulePrivateKeyP *secm_priv,
+ struct TALER_SecurityModuleSignatureP *secm_sig)
+{
+ struct TALER_DenominationKeyAnnouncementPS dka = {
+ .purpose.purpose = htonl (TALER_SIGNATURE_SM_DENOMINATION_KEY),
+ .purpose.size = htonl (sizeof (dka)),
+ .h_denom_pub = *h_denom_pub,
+ .anchor_time = GNUNET_TIME_absolute_hton (start_sign),
+ .duration_withdraw = GNUNET_TIME_relative_hton (duration)
+ };
+
+ GNUNET_CRYPTO_hash (section_name,
+ strlen (section_name) + 1,
+ &dka.h_section_name);
+ GNUNET_CRYPTO_eddsa_sign (&secm_priv->eddsa_priv,
+ &dka,
+ &secm_sig->eddsa_signature);
+
+}
+
+
+int
+TALER_exchange_secmod_rsa_verify (
+ const struct GNUNET_HashCode *h_denom_pub,
+ const char *section_name,
+ struct GNUNET_TIME_Absolute start_sign,
+ struct GNUNET_TIME_Relative duration,
+ const struct TALER_SecurityModulePublicKeyP *secm_pub,
+ const struct TALER_SecurityModuleSignatureP *secm_sig)
+{
+ struct TALER_DenominationKeyAnnouncementPS dka = {
+ .purpose.purpose = htonl (TALER_SIGNATURE_SM_DENOMINATION_KEY),
+ .purpose.size = htonl (sizeof (dka)),
+ .anchor_time = GNUNET_TIME_absolute_hton (start_sign),
+ .duration_withdraw = GNUNET_TIME_relative_hton (duration)
+ };
+
+ GNUNET_CRYPTO_hash (section_name,
+ strlen (section_name) + 1,
+ &dka.h_section_name);
+ return
+ GNUNET_CRYPTO_eddsa_verify (TALER_SIGNATURE_SM_DENOMINATION_KEY,
+ &dka,
+ &secm_sig->eddsa_signature,
+ &secm_pub->eddsa_pub);
+}
+
+
+/* end of secmod_signatures.c */
diff --git a/src/util/taler-helper-crypto-eddsa.c b/src/util/taler-helper-crypto-eddsa.c
index e5147b2b..af1cc24d 100644
--- a/src/util/taler-helper-crypto-eddsa.c
+++ b/src/util/taler-helper-crypto-eddsa.c
@@ -606,13 +606,6 @@ static int
notify_client_key_add (struct Client *client,
const struct Key *key)
{
- struct TALER_SigningKeyAnnouncementPS ska = {
- .purpose.purpose = htonl (TALER_SIGNATURE_SM_SIGNING_KEY),
- .purpose.size = htonl (sizeof (ska)),
- .exchange_pub = key->exchange_pub,
- .anchor_time = GNUNET_TIME_absolute_hton (key->anchor),
- .duration = GNUNET_TIME_relative_hton (duration)
- };
struct TALER_CRYPTO_EddsaKeyAvailableNotification an = {
.header.size = htons (sizeof (an)),
.header.type = htons (TALER_HELPER_EDDSA_MT_AVAIL),
@@ -622,9 +615,11 @@ notify_client_key_add (struct Client *client,
.secm_pub = smpub
};
- GNUNET_CRYPTO_eddsa_sign (&smpriv.eddsa_priv,
- &ska,
- &an.secm_sig.eddsa_signature);
+ TALER_exchange_secmod_eddsa_sign (&key->exchange_pub,
+ key->anchor,
+ duration,
+ &smpriv,
+ &an.secm_sig);
if (GNUNET_OK !=
transmit (&client->addr,
client->addr_size,
diff --git a/src/util/taler-helper-crypto-rsa.c b/src/util/taler-helper-crypto-rsa.c
index 97705674..aeb747d9 100644
--- a/src/util/taler-helper-crypto-rsa.c
+++ b/src/util/taler-helper-crypto-rsa.c
@@ -708,22 +708,12 @@ notify_client_dk_add (struct Client *client,
{
struct Denomination *denom = dk->denom;
size_t nlen = strlen (denom->section) + 1;
- struct TALER_DenominationKeyAnnouncementPS dka = {
- .purpose.purpose = htonl (TALER_SIGNATURE_SM_DENOMINATION_KEY),
- .purpose.size = htonl (sizeof (dka)),
- .h_denom_pub = dk->h_denom_pub,
- .anchor_time = GNUNET_TIME_absolute_hton (dk->anchor),
- .duration_withdraw = GNUNET_TIME_relative_hton (denom->duration_withdraw)
- };
struct TALER_CRYPTO_RsaKeyAvailableNotification *an;
size_t buf_len;
void *buf;
void *p;
size_t tlen;
- GNUNET_CRYPTO_hash (denom->section,
- nlen,
- &dka.h_section_name);
buf_len = GNUNET_CRYPTO_rsa_public_key_encode (dk->denom_pub.rsa_public_key,
&buf);
GNUNET_assert (buf_len < UINT16_MAX);
@@ -737,9 +727,12 @@ notify_client_dk_add (struct Client *client,
an->section_name_len = htons ((uint16_t) nlen);
an->anchor_time = GNUNET_TIME_absolute_hton (dk->anchor);
an->duration_withdraw = GNUNET_TIME_relative_hton (denom->duration_withdraw);
- GNUNET_CRYPTO_eddsa_sign (&smpriv.eddsa_priv,
- &dka,
- &an->secm_sig.eddsa_signature);
+ TALER_exchange_secmod_rsa_sign (&dk->h_denom_pub,
+ denom->section,
+ dk->anchor,
+ denom->duration_withdraw,
+ &smpriv,
+ &an->secm_sig);
an->secm_pub = smpub;
p = (void *) &an[1];
memcpy (p,