From 4978b1e966af48a18cac86aa224b3c266a9531d7 Mon Sep 17 00:00:00 2001 From: Özgür Kesim Date: Wed, 2 Mar 2022 07:58:55 +0100 Subject: -amend missing parts to commit b20ddf0c8 - functions TALER_age_commitment_attest and TALER_age_commitment_verify implemented. - age restriction implementation moved into util/age_restriction.c --- src/util/crypto.c | 311 ------------------------------------------------------ 1 file changed, 311 deletions(-) (limited to 'src/util/crypto.c') diff --git a/src/util/crypto.c b/src/util/crypto.c index 8e6c89aa9..974566dc0 100644 --- a/src/util/crypto.c +++ b/src/util/crypto.c @@ -443,317 +443,6 @@ TALER_coin_pub_hash (const struct TALER_CoinSpendPublicKeyP *coin_pub, } -void -TALER_age_commitment_hash ( - const struct TALER_AgeCommitment *commitment, - struct TALER_AgeCommitmentHash *ahash) -{ - struct GNUNET_HashContext *hash_context; - struct GNUNET_HashCode hash; - - GNUNET_assert (NULL != ahash); - if (NULL == commitment) - { - memset (ahash, 0, sizeof(struct TALER_AgeCommitmentHash)); - return; - } - - GNUNET_assert (__builtin_popcount (commitment->mask.mask) - 1 == - commitment->num); - - hash_context = GNUNET_CRYPTO_hash_context_start (); - - for (size_t i = 0; i < commitment->num; i++) - { - GNUNET_CRYPTO_hash_context_read (hash_context, - &commitment->pub[i], - sizeof(struct - GNUNET_CRYPTO_EddsaPublicKey)); - } - - GNUNET_CRYPTO_hash_context_finish (hash_context, - &hash); - GNUNET_memcpy (&ahash->shash.bits, - &hash.bits, - sizeof(ahash->shash.bits)); -} - - -/* To a given age value between 0 and 31, returns the index of the age group - * defined by the given mask. - */ -static uint8_t -get_age_group ( - const struct TALER_AgeMask *mask, - uint8_t age) -{ - uint32_t m = mask->mask; - uint8_t i = 0; - - while (m > 0) - { - if (0 >= age) - break; - m = m >> 1; - i += m & 1; - age--; - } - return i; -} - - -enum GNUNET_GenericReturnValue -TALER_age_restriction_commit ( - const struct TALER_AgeMask *mask, - const uint8_t age, - const uint64_t salt, - struct TALER_AgeCommitmentProof *new) -{ - uint8_t num_pub = __builtin_popcount (mask->mask) - 1; - uint8_t num_priv = get_age_group (mask, age) - 1; - size_t i; - - GNUNET_assert (NULL != new); - GNUNET_assert (mask->mask & 1); /* fist bit must have been set */ - GNUNET_assert (0 <= num_priv); - GNUNET_assert (31 > num_priv); - GNUNET_assert (num_priv <= num_pub); - - new->commitment.mask.mask = mask->mask; - new->commitment.num = num_pub; - new->proof.num = num_priv; - - new->commitment.pub = GNUNET_new_array ( - num_pub, - struct TALER_AgeCommitmentPublicKeyP); - new->proof.priv = GNUNET_new_array ( - num_priv, - struct TALER_AgeCommitmentPrivateKeyP); - - /* Create as many private keys as we need and fill the rest of the - * public keys with valid curve points. - * We need to make sure that the public keys are proper points on the - * elliptic curve, so we can't simply fill the struct with random values. */ - for (i = 0; i < num_pub; i++) - { - uint64_t saltBE = htonl (salt + i); - struct TALER_AgeCommitmentPrivateKeyP key = {0}; - struct TALER_AgeCommitmentPrivateKeyP *priv = &key; - - /* Only save the private keys for age groups less than num_priv */ - if (i < num_priv) - priv = &new->proof.priv[i]; - - if (GNUNET_OK != - GNUNET_CRYPTO_kdf (priv, - sizeof (*priv), - &saltBE, - sizeof (saltBE), - "taler-age-commitment-derivation", - strlen ( - "taler-age-commitment-derivation"), - NULL, 0)) - goto FAIL; - - GNUNET_CRYPTO_eddsa_key_get_public (&priv->eddsa_priv, - &new->commitment.pub[i].eddsa_pub); - } - - return GNUNET_OK; - -FAIL: - GNUNET_free (new->commitment.pub); - GNUNET_free (new->proof.priv); - return GNUNET_SYSERR; -} - - -enum GNUNET_GenericReturnValue -TALER_age_commitment_derive ( - const struct TALER_AgeCommitmentProof *orig, - const uint64_t salt, - struct TALER_AgeCommitmentProof *new) -{ - struct GNUNET_CRYPTO_EccScalar scalar; - uint64_t saltBT = htonl (salt); - int64_t factor; - - GNUNET_assert (GNUNET_OK == - GNUNET_CRYPTO_kdf ( - &factor, - sizeof (factor), - &saltBT, - sizeof (saltBT), - "taler-age-restriction-derivation", - strlen ("taler-age-restriction-derivation"), - NULL, 0)); - - GNUNET_CRYPTO_ecc_scalar_from_int (factor, &scalar); - - /* - * age commitment consists of GNUNET_CRYPTO_Eddsa{Private,Public}Key - * - * GNUNET_CRYPTO_EddsaPrivateKey is a - * unsigned char d[256 / 8]; - * - * GNUNET_CRYPTO_EddsaPublicKey is a - * unsigned char q_y[256 / 8]; - * - * We want to multiply, both, the Private Key by an integer factor and the - * public key (point on curve) with the equivalent scalar. - * - * From the salt we will derive - * 1. a scalar to multiply the public keys with - * 2. a factor to multiply the private key with - * - * Invariants: - * point*scalar == public(private*factor) - * - * A point on a curve is GNUNET_CRYPTO_EccPoint which is - * unsigned char v[256 / 8]; - * - * A ECC scalar for use in point multiplications is a - * GNUNET_CRYPTO_EccScalar which is a - * unsigned char v[256 / 8]; - * */ - - GNUNET_assert (NULL != new); - GNUNET_assert (orig->commitment.num== __builtin_popcount ( - orig->commitment.mask.mask) - 1); - GNUNET_assert (orig->proof.num <= orig->commitment.num); - - new->commitment.mask = orig->commitment.mask; - new->commitment.num = orig->commitment.num; - new->proof.num = orig->proof.num; - new->commitment.pub = GNUNET_new_array ( - new->commitment.num, - struct TALER_AgeCommitmentPublicKeyP); - new->proof.priv = GNUNET_new_array ( - new->proof.num, - struct TALER_AgeCommitmentPrivateKeyP); - - /* scalar multiply the public keys on the curve */ - for (size_t i = 0; i < orig->commitment.num; i++) - { - /* We shift all keys by the same scalar */ - struct GNUNET_CRYPTO_EccPoint *p = (struct - GNUNET_CRYPTO_EccPoint *) &orig-> - commitment.pub[i]; - struct GNUNET_CRYPTO_EccPoint *np = (struct - GNUNET_CRYPTO_EccPoint *) &new-> - commitment.pub[i]; - if (GNUNET_OK != - GNUNET_CRYPTO_ecc_pmul_mpi ( - p, - &scalar, - np)) - goto FAIL; - - } - - /* multiply the private keys */ - /* we borough ideas from GNUNET_CRYPTO_ecdsa_private_key_derive */ - { - for (size_t i = 0; i < orig->proof.num; i++) - { - uint8_t dc[32]; - gcry_mpi_t f, x, d, n; - gcry_ctx_t ctx; - - GNUNET_assert (0==gcry_mpi_ec_new (&ctx, NULL, "Ed25519")); - n = gcry_mpi_ec_get_mpi ("n", ctx, 1); - - GNUNET_CRYPTO_mpi_scan_unsigned (&f, (unsigned char*) &factor, - sizeof(factor)); - - for (size_t j = 0; j < 32; j++) - dc[i] = orig->proof.priv[i].eddsa_priv.d[31 - j]; - GNUNET_CRYPTO_mpi_scan_unsigned (&x, dc, sizeof(dc)); - - d = gcry_mpi_new (256); - gcry_mpi_mulm (d, f, x, n); - GNUNET_CRYPTO_mpi_print_unsigned (dc, sizeof(dc), d); - - for (size_t j = 0; j <32; j++) - new->proof.priv[i].eddsa_priv.d[j] = dc[31 - 1]; - - sodium_memzero (dc, sizeof(dc)); - gcry_mpi_release (d); - gcry_mpi_release (x); - gcry_mpi_release (n); - gcry_mpi_release (f); - gcry_ctx_release (ctx); - - /* TODO: add test to make sure that the calculated private key generate - * the same public keys */ - } - - } - - return GNUNET_OK; - -FAIL: - GNUNET_free (new->commitment.pub); - GNUNET_free (new->proof.priv); - return GNUNET_SYSERR; -} - - -void -TALER_age_commitment_free ( - struct TALER_AgeCommitment *commitment) -{ - if (NULL == commitment) - return; - - if (NULL != commitment->pub) - { - GNUNET_free (commitment->pub); - commitment->pub = NULL; - } - GNUNET_free (commitment); -} - - -void -TALER_age_proof_free ( - struct TALER_AgeProof *proof) -{ - if (NULL != proof->priv) - { - GNUNET_CRYPTO_zero_keys ( - proof->priv, - sizeof(*proof->priv) * proof->num); - - GNUNET_free (proof->priv); - proof->priv = NULL; - } - GNUNET_free (proof); -} - - -void -TALER_age_commitment_proof_free ( - struct TALER_AgeCommitmentProof *cp) -{ - if (NULL != cp->proof.priv) - { - GNUNET_CRYPTO_zero_keys ( - cp->proof.priv, - sizeof(*cp->proof.priv) * cp->proof.num); - - GNUNET_free (cp->proof.priv); - cp->proof.priv = NULL; - } - - if (NULL != cp->commitment.pub) - { - GNUNET_free (cp->commitment.pub); - cp->commitment.pub = NULL; - } -} - - enum GNUNET_GenericReturnValue TALER_coin_ev_hash (const struct TALER_BlindedPlanchet *blinded_planchet, const struct TALER_DenominationHashP *denom_hash, -- cgit v1.2.3