1 files changed, 174 insertions, 5 deletions

diff --git a/src/util/offline_signatures.c b/src/util/offline_signatures.c
index d0b644e7f..fbff850df 100644
--- a/src/util/offline_signatures.c
+++ b/src/util/offline_signatures.c
@@ -1,6 +1,6 @@
 /*
   This file is part of TALER
-  Copyright (C) 2020-2022 Taler Systems SA
+  Copyright (C) 2020-2023 Taler Systems SA
 
   TALER is free software; you can redistribute it and/or modify it under the
   terms of the GNU General Public License as published by the Free Software
@@ -27,6 +27,99 @@ GNUNET_NETWORK_STRUCT_BEGIN
 
 /**
  * @brief Signature made by the exchange offline key over the information of
+ * an AML officer status change.
+ */
+struct TALER_MasterAmlOfficerStatusPS
+{
+
+  /**
+   * Purpose is #TALER_SIGNATURE_MASTER_AML_KEY.   Signed
+   * by a `struct TALER_MasterPublicKeyP` using EdDSA.
+   */
+  struct GNUNET_CRYPTO_EccSignaturePurpose purpose;
+
+  /**
+   * Time of the change.
+   */
+  struct GNUNET_TIME_TimestampNBO change_date;
+
+  /**
+   * Public key of the AML officer.
+   */
+  struct TALER_AmlOfficerPublicKeyP officer_pub;
+
+  /**
+   * Hash over the AML officer's name.
+   */
+  struct GNUNET_HashCode h_officer_name GNUNET_PACKED;
+
+  /**
+   * Bitmask: 1 if enabled; 2 for read-only access. in NBO.
+   */
+  uint32_t is_active GNUNET_PACKED;
+};
+GNUNET_NETWORK_STRUCT_END
+
+
+void
+TALER_exchange_offline_aml_officer_status_sign (
+  const struct TALER_AmlOfficerPublicKeyP *officer_pub,
+  const char *officer_name,
+  struct GNUNET_TIME_Timestamp change_date,
+  bool is_active,
+  bool read_only,
+  const struct TALER_MasterPrivateKeyP *master_priv,
+  struct TALER_MasterSignatureP *master_sig)
+{
+  struct TALER_MasterAmlOfficerStatusPS as = {
+    .purpose.purpose = htonl (TALER_SIGNATURE_MASTER_AML_KEY),
+    .purpose.size = htonl (sizeof (as)),
+    .change_date = GNUNET_TIME_timestamp_hton (change_date),
+    .officer_pub = *officer_pub,
+    .is_active = htonl ((is_active ? 1 : 0) + (read_only ? 2 : 0))
+  };
+
+  GNUNET_CRYPTO_hash (officer_name,
+                      strlen (officer_name) + 1,
+                      &as.h_officer_name);
+  GNUNET_CRYPTO_eddsa_sign (&master_priv->eddsa_priv,
+                            &as,
+                            &master_sig->eddsa_signature);
+}
+
+
+enum GNUNET_GenericReturnValue
+TALER_exchange_offline_aml_officer_status_verify (
+  const struct TALER_AmlOfficerPublicKeyP *officer_pub,
+  const char *officer_name,
+  struct GNUNET_TIME_Timestamp change_date,
+  bool is_active,
+  bool read_only,
+  const struct TALER_MasterPublicKeyP *master_pub,
+  const struct TALER_MasterSignatureP *master_sig)
+{
+  struct TALER_MasterAmlOfficerStatusPS as = {
+    .purpose.purpose = htonl (TALER_SIGNATURE_MASTER_AML_KEY),
+    .purpose.size = htonl (sizeof (as)),
+    .change_date = GNUNET_TIME_timestamp_hton (change_date),
+    .officer_pub = *officer_pub,
+    .is_active = htonl ((is_active ? 1 : 0) + (read_only ? 2 : 0))
+  };
+
+  GNUNET_CRYPTO_hash (officer_name,
+                      strlen (officer_name) + 1,
+                      &as.h_officer_name);
+  return GNUNET_CRYPTO_eddsa_verify (TALER_SIGNATURE_MASTER_AML_KEY,
+                                     &as,
+                                     &master_sig->eddsa_signature,
+                                     &master_pub->eddsa_pub);
+}
+
+
+GNUNET_NETWORK_STRUCT_BEGIN
+
+/**
+ * @brief Signature made by the exchange offline key over the information of
  * an auditor to be added to the exchange's set of auditors.
  */
 struct TALER_MasterAddAuditorPS
@@ -584,6 +677,22 @@ struct TALER_MasterAddWirePS
    * Hash over the exchange's payto URI.
    */
   struct TALER_PaytoHashP h_payto GNUNET_PACKED;
+
+  /**
+   * Hash over the conversion URL, all zeros if there
+   * is no conversion URL.
+   */
+  struct GNUNET_HashCode h_conversion_url;
+
+  /**
+   * Hash over the debit restrictions.
+   */
+  struct GNUNET_HashCode h_debit_restrictions;
+
+  /**
+   * Hash over the credit restrictions.
+   */
+  struct GNUNET_HashCode h_credit_restrictions;
 };
 
 GNUNET_NETWORK_STRUCT_END
@@ -592,6 +701,9 @@ GNUNET_NETWORK_STRUCT_END
 void
 TALER_exchange_offline_wire_add_sign (
   const char *payto_uri,
+  const char *conversion_url,
+  const json_t *debit_restrictions,
+  const json_t *credit_restrictions,
   struct GNUNET_TIME_Timestamp now,
   const struct TALER_MasterPrivateKeyP *master_priv,
   struct TALER_MasterSignatureP *master_sig)
@@ -604,6 +716,14 @@ TALER_exchange_offline_wire_add_sign (
 
   TALER_payto_hash (payto_uri,
                     &kv.h_payto);
+  if (NULL != conversion_url)
+    GNUNET_CRYPTO_hash (conversion_url,
+                        strlen (conversion_url) + 1,
+                        &kv.h_conversion_url);
+  TALER_json_hash (debit_restrictions,
+                   &kv.h_debit_restrictions);
+  TALER_json_hash (credit_restrictions,
+                   &kv.h_credit_restrictions);
   GNUNET_CRYPTO_eddsa_sign (&master_priv->eddsa_priv,
                             &kv,
                             &master_sig->eddsa_signature);
@@ -613,6 +733,9 @@ TALER_exchange_offline_wire_add_sign (
 enum GNUNET_GenericReturnValue
 TALER_exchange_offline_wire_add_verify (
   const char *payto_uri,
+  const char *conversion_url,
+  const json_t *debit_restrictions,
+  const json_t *credit_restrictions,
   struct GNUNET_TIME_Timestamp sign_time,
   const struct TALER_MasterPublicKeyP *master_pub,
   const struct TALER_MasterSignatureP *master_sig)
@@ -625,6 +748,14 @@ TALER_exchange_offline_wire_add_verify (
 
   TALER_payto_hash (payto_uri,
                     &aw.h_payto);
+  if (NULL != conversion_url)
+    GNUNET_CRYPTO_hash (conversion_url,
+                        strlen (conversion_url) + 1,
+                        &aw.h_conversion_url);
+  TALER_json_hash (debit_restrictions,
+                   &aw.h_debit_restrictions);
+  TALER_json_hash (credit_restrictions,
+                   &aw.h_credit_restrictions);
   return
     GNUNET_CRYPTO_eddsa_verify (
     TALER_SIGNATURE_MASTER_ADD_WIRE,
@@ -874,9 +1005,9 @@ TALER_exchange_offline_global_fee_sign (
   const struct TALER_MasterPrivateKeyP *master_priv,
   struct TALER_MasterSignatureP *master_sig)
 {
-  struct TALER_MasterGlobalFeePS kv = {
+  struct TALER_MasterGlobalFeePS wf = {
     .purpose.purpose = htonl (TALER_SIGNATURE_MASTER_GLOBAL_FEES),
-    .purpose.size = htonl (sizeof (kv)),
+    .purpose.size = htonl (sizeof (wf)),
     .start_date = GNUNET_TIME_timestamp_hton (start_time),
     .end_date = GNUNET_TIME_timestamp_hton (end_time),
     .purse_timeout = GNUNET_TIME_relative_hton (purse_timeout),
@@ -884,10 +1015,10 @@ TALER_exchange_offline_global_fee_sign (
     .purse_account_limit = htonl (purse_account_limit)
   };
 
-  TALER_global_fee_set_hton (&kv.fees,
+  TALER_global_fee_set_hton (&wf.fees,
                              fees);
   GNUNET_CRYPTO_eddsa_sign (&master_priv->eddsa_priv,
-                            &kv,
+                            &wf,
                             &master_sig->eddsa_signature);
 }
 
@@ -1002,6 +1133,22 @@ struct TALER_MasterWireDetailsPS
    */
   struct TALER_PaytoHashP h_wire_details GNUNET_PACKED;
 
+  /**
+   * Hash over the conversion URL, all zeros if there
+   * is no conversion URL.
+   */
+  struct GNUNET_HashCode h_conversion_url;
+
+  /**
+   * Hash over the debit restrictions.
+   */
+  struct GNUNET_HashCode h_debit_restrictions;
+
+  /**
+   * Hash over the credit restrictions.
+   */
+  struct GNUNET_HashCode h_credit_restrictions;
+
 };
 
 GNUNET_NETWORK_STRUCT_END
@@ -1010,6 +1157,9 @@ GNUNET_NETWORK_STRUCT_END
 enum GNUNET_GenericReturnValue
 TALER_exchange_wire_signature_check (
   const char *payto_uri,
+  const char *conversion_url,
+  const json_t *debit_restrictions,
+  const json_t *credit_restrictions,
   const struct TALER_MasterPublicKeyP *master_pub,
   const struct TALER_MasterSignatureP *master_sig)
 {
@@ -1020,6 +1170,14 @@ TALER_exchange_wire_signature_check (
 
   TALER_payto_hash (payto_uri,
                     &wd.h_wire_details);
+  if (NULL != conversion_url)
+    GNUNET_CRYPTO_hash (conversion_url,
+                        strlen (conversion_url) + 1,
+                        &wd.h_conversion_url);
+  TALER_json_hash (debit_restrictions,
+                   &wd.h_debit_restrictions);
+  TALER_json_hash (credit_restrictions,
+                   &wd.h_credit_restrictions);
   return GNUNET_CRYPTO_eddsa_verify (TALER_SIGNATURE_MASTER_WIRE_DETAILS,
                                      &wd,
                                      &master_sig->eddsa_signature,
@@ -1030,6 +1188,9 @@ TALER_exchange_wire_signature_check (
 void
 TALER_exchange_wire_signature_make (
   const char *payto_uri,
+  const char *conversion_url,
+  const json_t *debit_restrictions,
+  const json_t *credit_restrictions,
   const struct TALER_MasterPrivateKeyP *master_priv,
   struct TALER_MasterSignatureP *master_sig)
 {
@@ -1040,6 +1201,14 @@ TALER_exchange_wire_signature_make (
 
   TALER_payto_hash (payto_uri,
                     &wd.h_wire_details);
+  if (NULL != conversion_url)
+    GNUNET_CRYPTO_hash (conversion_url,
+                        strlen (conversion_url) + 1,
+                        &wd.h_conversion_url);
+  TALER_json_hash (debit_restrictions,
+                   &wd.h_debit_restrictions);
+  TALER_json_hash (credit_restrictions,
+                   &wd.h_credit_restrictions);
   GNUNET_CRYPTO_eddsa_sign (&master_priv->eddsa_priv,
                             &wd,
                             &master_sig->eddsa_signature);