summaryrefslogtreecommitdiff
path: root/src/util
diff options
context:
space:
mode:
authorChristian Grothoff <christian@grothoff.org>2020-11-23 16:36:07 +0100
committerChristian Grothoff <christian@grothoff.org>2020-11-23 16:36:07 +0100
commit3e37c63fbd0abff5d0d05eea60a05f6b28598ee6 (patch)
treec1fe78a141dfae1ebf24fa866940d77ac2dcb791 /src/util
parentc0a6e13b3c8bd7a8321bb11fde917869d67dcbc1 (diff)
downloadexchange-3e37c63fbd0abff5d0d05eea60a05f6b28598ee6.tar.gz
exchange-3e37c63fbd0abff5d0d05eea60a05f6b28598ee6.tar.bz2
exchange-3e37c63fbd0abff5d0d05eea60a05f6b28598ee6.zip
implement sm signing of key announcements
Diffstat (limited to 'src/util')
-rw-r--r--src/util/crypto_helper_denom.c28
-rw-r--r--src/util/taler-helper-crypto-eddsa.c50
-rw-r--r--src/util/taler-helper-crypto-eddsa.h11
-rw-r--r--src/util/taler-helper-crypto-rsa.c55
-rw-r--r--src/util/taler-helper-crypto-rsa.h11
-rw-r--r--src/util/test_helper_rsa.conf2
6 files changed, 152 insertions, 5 deletions
diff --git a/src/util/crypto_helper_denom.c b/src/util/crypto_helper_denom.c
index b999be02a..a216d305b 100644
--- a/src/util/crypto_helper_denom.c
+++ b/src/util/crypto_helper_denom.c
@@ -20,6 +20,7 @@
*/
#include "platform.h"
#include "taler_util.h"
+#include "taler_signatures.h"
#include "taler-helper-crypto-rsa.h"
@@ -276,7 +277,12 @@ handle_mt_avail (struct TALER_CRYPTO_DenominationHelper *dh,
{
struct TALER_DenominationPublicKey denom_pub;
- struct GNUNET_HashCode h_denom_pub;
+ struct TALER_DenominationKeyAnnouncementPS dka = {
+ .purpose.purpose = htonl (TALER_SIGNATURE_SM_DENOMINATION_KEY),
+ .purpose.size = htonl (sizeof (dka)),
+ .anchor_time = kan->anchor_time,
+ .duration_withdraw = kan->duration_withdraw
+ };
denom_pub.rsa_public_key
= GNUNET_CRYPTO_rsa_public_key_decode (buf,
@@ -287,13 +293,25 @@ handle_mt_avail (struct TALER_CRYPTO_DenominationHelper *dh,
return GNUNET_SYSERR;
}
GNUNET_CRYPTO_rsa_public_key_hash (denom_pub.rsa_public_key,
- &h_denom_pub);
+ &dka.h_denom_pub);
+ if (GNUNET_OK !=
+ GNUNET_CRYPTO_eddsa_verify (TALER_SIGNATURE_SM_DENOMINATION_KEY,
+ &dka,
+ &kan->secm_sig.eddsa_signature,
+ &kan->secm_pub.eddsa_pub))
+ {
+ GNUNET_break_op (0);
+ GNUNET_CRYPTO_rsa_public_key_free (denom_pub.rsa_public_key);
+ return GNUNET_SYSERR;
+ }
dh->dkc (dh->dkc_cls,
section_name,
GNUNET_TIME_absolute_ntoh (kan->anchor_time),
GNUNET_TIME_relative_ntoh (kan->duration_withdraw),
- &h_denom_pub,
- &denom_pub);
+ &dka.h_denom_pub,
+ &denom_pub,
+ &kan->secm_pub,
+ &kan->secm_sig);
GNUNET_CRYPTO_rsa_public_key_free (denom_pub.rsa_public_key);
}
return GNUNET_OK;
@@ -324,6 +342,8 @@ handle_mt_purge (struct TALER_CRYPTO_DenominationHelper *dh,
GNUNET_TIME_UNIT_ZERO_ABS,
GNUNET_TIME_UNIT_ZERO,
&pn->h_denom_pub,
+ NULL,
+ NULL,
NULL);
return GNUNET_OK;
}
diff --git a/src/util/taler-helper-crypto-eddsa.c b/src/util/taler-helper-crypto-eddsa.c
index 2f6a6cc9e..a20ffd794 100644
--- a/src/util/taler-helper-crypto-eddsa.c
+++ b/src/util/taler-helper-crypto-eddsa.c
@@ -44,6 +44,8 @@
#include <pthread.h>
#include <sys/eventfd.h>
#include "taler_error_codes.h"
+#include "taler_signatures.h"
+
/**
* One particular key.
@@ -172,6 +174,12 @@ struct WorkItem
/**
+ * Private key of this security module. Used to sign denomination key
+ * announcements.
+ */
+static struct TALER_SecurityModulePrivateKeyP smpriv;
+
+/**
* Head of DLL of actual keys, sorted by anchor.
*/
static struct Key *keys_head;
@@ -593,6 +601,13 @@ static int
notify_client_key_add (struct Client *client,
const struct Key *key)
{
+ struct TALER_SigningKeyAnnouncementPS ska = {
+ .purpose.purpose = htonl (TALER_SIGNATURE_SM_SIGNING_KEY),
+ .purpose.size = htonl (sizeof (ska)),
+ .exchange_pub = key->exchange_pub,
+ .anchor_time = GNUNET_TIME_absolute_hton (key->anchor),
+ .duration_withdraw = GNUNET_TIME_relative_hton (duration)
+ };
struct TALER_CRYPTO_EddsaKeyAvailableNotification an = {
.header.size = htons (sizeof (an)),
.header.type = htons (TALER_HELPER_EDDSA_MT_AVAIL),
@@ -601,6 +616,9 @@ notify_client_key_add (struct Client *client,
.exchange_pub = key->exchange_pub
};
+ GNUNET_CRYPTO_eddsa_sign (&smpriv.eddsa_priv,
+ &ska,
+ &an.secm_sig.eddsa_signature);
if (GNUNET_OK !=
transmit (&client->addr,
client->addr_size,
@@ -1363,6 +1381,38 @@ run (void *cls,
now = GNUNET_TIME_absolute_get ();
}
GNUNET_TIME_round_abs (&now);
+
+ {
+ char *pfn;
+
+ if (GNUNET_OK !=
+ GNUNET_CONFIGURATION_get_value_filename (kcfg,
+ "taler-helper-crypto-eddsa",
+ "SM_PRIV_KEY",
+ &pfn))
+ {
+ GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+ "taler-helper-crypto-eddsa",
+ "SM_PRIV_KEY");
+ global_ret = 1;
+ return;
+ }
+ if (GNUNET_SYSERR ==
+ GNUNET_CRYPTO_eddsa_key_from_file (pfn,
+ GNUNET_YES,
+ &smpriv.eddsa_priv))
+ {
+ GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR,
+ "taler-helper-crypto-rsa",
+ "SM_PRIV_KEY",
+ "Could not use file to persist private key");
+ GNUNET_free (pfn);
+ global_ret = 1;
+ return;
+ }
+ GNUNET_free (pfn);
+ }
+
if (GNUNET_OK !=
load_durations ())
{
diff --git a/src/util/taler-helper-crypto-eddsa.h b/src/util/taler-helper-crypto-eddsa.h
index 215af566c..fe6ca4055 100644
--- a/src/util/taler-helper-crypto-eddsa.h
+++ b/src/util/taler-helper-crypto-eddsa.h
@@ -59,6 +59,17 @@ struct TALER_CRYPTO_EddsaKeyAvailableNotification
struct GNUNET_TIME_RelativeNBO duration;
/**
+ * Public key used to generate the @e sicm_sig.
+ */
+ struct TALER_SecurityModulePublicKeyP secm_pub;
+
+ /**
+ * Signature affirming the announcement, of
+ * purpose #TALER_SIGNATURE_SM_SIGNING_KEY.
+ */
+ struct TALER_SecurityModuleSignatureP secm_sig;
+
+ /**
* The public key.
*/
struct TALER_ExchangePublicKeyP exchange_pub;
diff --git a/src/util/taler-helper-crypto-rsa.c b/src/util/taler-helper-crypto-rsa.c
index e72a7824b..af9c76ef2 100644
--- a/src/util/taler-helper-crypto-rsa.c
+++ b/src/util/taler-helper-crypto-rsa.c
@@ -44,6 +44,8 @@
#include <pthread.h>
#include <sys/eventfd.h>
#include "taler_error_codes.h"
+#include "taler_signatures.h"
+
/**
* Information we keep per denomination.
@@ -244,6 +246,12 @@ struct WorkItem
static int global_ret;
/**
+ * Private key of this security module. Used to sign denomination key
+ * announcements.
+ */
+static struct TALER_SecurityModulePrivateKeyP smpriv;
+
+/**
* Number of worker threads to use. Default (0) is to use one per CPU core
* available.
* Length of the #workers array.
@@ -693,14 +701,24 @@ static int
notify_client_dk_add (struct Client *client,
const struct DenominationKey *dk)
{
- struct TALER_CRYPTO_RsaKeyAvailableNotification *an;
struct Denomination *denom = dk->denom;
size_t nlen = strlen (denom->section) + 1;
+ struct TALER_DenominationKeyAnnouncementPS dka = {
+ .purpose.purpose = htonl (TALER_SIGNATURE_SM_DENOMINATION_KEY),
+ .purpose.size = htonl (sizeof (dka)),
+ .h_denom_pub = dk->h_denom_pub,
+ .anchor_time = GNUNET_TIME_absolute_hton (dk->anchor),
+ .duration_withdraw = GNUNET_TIME_relative_hton (denom->duration_withdraw)
+ };
+ struct TALER_CRYPTO_RsaKeyAvailableNotification *an;
size_t buf_len;
void *buf;
void *p;
size_t tlen;
+ GNUNET_CRYPTO_hash (denom->section,
+ nlen,
+ &dka.h_section_name);
buf_len = GNUNET_CRYPTO_rsa_public_key_encode (dk->denom_pub.rsa_public_key,
&buf);
GNUNET_assert (buf_len < UINT16_MAX);
@@ -714,6 +732,9 @@ notify_client_dk_add (struct Client *client,
an->section_name_len = htons ((uint16_t) nlen);
an->anchor_time = GNUNET_TIME_absolute_hton (dk->anchor);
an->duration_withdraw = GNUNET_TIME_relative_hton (denom->duration_withdraw);
+ GNUNET_CRYPTO_eddsa_sign (&smpriv.eddsa_priv,
+ &dka,
+ &an->secm_sig.eddsa_signature);
p = (void *) &an[1];
memcpy (p,
buf,
@@ -1742,6 +1763,38 @@ run (void *cls,
now = GNUNET_TIME_absolute_get ();
}
GNUNET_TIME_round_abs (&now);
+
+ {
+ char *pfn;
+
+ if (GNUNET_OK !=
+ GNUNET_CONFIGURATION_get_value_filename (kcfg,
+ "taler-helper-crypto-rsa",
+ "SM_PRIV_KEY",
+ &pfn))
+ {
+ GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+ "taler-helper-crypto-rsa",
+ "SM_PRIV_KEY");
+ global_ret = 1;
+ return;
+ }
+ if (GNUNET_SYSERR ==
+ GNUNET_CRYPTO_eddsa_key_from_file (pfn,
+ GNUNET_YES,
+ &smpriv.eddsa_priv))
+ {
+ GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR,
+ "taler-helper-crypto-rsa",
+ "SM_PRIV_KEY",
+ "Could not use file to persist private key");
+ GNUNET_free (pfn);
+ global_ret = 1;
+ return;
+ }
+ GNUNET_free (pfn);
+ }
+
if (GNUNET_OK !=
load_durations ())
{
diff --git a/src/util/taler-helper-crypto-rsa.h b/src/util/taler-helper-crypto-rsa.h
index d2bc07f7a..d7617e551 100644
--- a/src/util/taler-helper-crypto-rsa.h
+++ b/src/util/taler-helper-crypto-rsa.h
@@ -63,6 +63,17 @@ struct TALER_CRYPTO_RsaKeyAvailableNotification
*/
struct GNUNET_TIME_RelativeNBO duration_withdraw;
+ /**
+ * Public key used to generate the @e sicm_sig.
+ */
+ struct TALER_SecurityModulePublicKeyP secm_pub;
+
+ /**
+ * Signature affirming the announcement, of
+ * purpose #TALER_SIGNATURE_SM_DENOMINATION_KEY.
+ */
+ struct TALER_SecurityModuleSignatureP secm_sig;
+
/* followed by @e pub_size bytes of the public key */
/* followed by @e section_name bytes of the configuration section name
diff --git a/src/util/test_helper_rsa.conf b/src/util/test_helper_rsa.conf
index 9880ae153..2bce81122 100644
--- a/src/util/test_helper_rsa.conf
+++ b/src/util/test_helper_rsa.conf
@@ -7,3 +7,5 @@ lookahead_sign = 5 minutes
overlap_duration = 1 s
KEY_DIR = ${TALER_RUNTIME_DIR}/test_helper_rsa/
UNIXPATH = ${TALER_RUNTIME_DIR}test_helper_rsa.unix
+
+SM_PRIV_KEY = ${TALER_DATA_HOME}/taler-helper-crypto-rsa/.private-key