From 57c90547840ea2a073c950116303c54f9ef976f1 Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Sat, 26 Dec 2020 15:55:34 +0100 Subject: implement #6161 --- src/auditor/Makefile.am | 1 + src/auditor/taler-auditor-httpd.c | 17 ++++++- src/auditor/taler-auditor-httpd.h | 6 +++ .../taler-auditor-httpd_deposit-confirmation.c | 54 ++++++++++++++++------ src/exchangedb/plugin_exchangedb_postgres.c | 47 +++++++++++++++++++ src/include/taler_exchangedb_plugin.h | 17 +++++++ 6 files changed, 126 insertions(+), 16 deletions(-) (limited to 'src') diff --git a/src/auditor/Makefile.am b/src/auditor/Makefile.am index 935f83549..79da458f3 100644 --- a/src/auditor/Makefile.am +++ b/src/auditor/Makefile.am @@ -148,6 +148,7 @@ taler_auditor_httpd_LDADD = \ $(top_builddir)/src/util/libtalerutil.la \ $(top_builddir)/src/json/libtalerjson.la \ $(top_builddir)/src/auditordb/libtalerauditordb.la \ + $(top_builddir)/src/exchangedb/libtalerexchangedb.la \ -lmicrohttpd \ -ljansson \ -lgnunetjson \ diff --git a/src/auditor/taler-auditor-httpd.c b/src/auditor/taler-auditor-httpd.c index d1e3c2de5..1f6413b26 100644 --- a/src/auditor/taler-auditor-httpd.c +++ b/src/auditor/taler-auditor-httpd.c @@ -29,6 +29,7 @@ #include #include "taler_mhd_lib.h" #include "taler_auditordb_lib.h" +#include "taler_exchangedb_lib.h" #include "taler-auditor-httpd_deposit-confirmation.h" #include "taler-auditor-httpd_exchanges.h" #include "taler-auditor-httpd_mhd.h" @@ -69,6 +70,11 @@ static struct GNUNET_CONFIGURATION_Handle *cfg; */ struct TALER_AUDITORDB_Plugin *TAH_plugin; +/** + * Our DB plugin to talk to the *exchange* database. + */ +struct TALER_EXCHANGEDB_Plugin *TAH_eplugin; + /** * Public key of this auditor. */ @@ -434,7 +440,14 @@ auditor_serve_process_config (void) (TAH_plugin = TALER_AUDITORDB_plugin_load (cfg))) { GNUNET_log (GNUNET_ERROR_TYPE_ERROR, - "Failed to initialize DB subsystem\n"); + "Failed to initialize DB subsystem to interact with auditor database\n"); + return GNUNET_SYSERR; + } + if (NULL == + (TAH_eplugin = TALER_EXCHANGEDB_plugin_load (cfg))) + { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "Failed to initialize DB subsystem to query exchange database\n"); return GNUNET_SYSERR; } if (GNUNET_OK != @@ -729,6 +742,8 @@ main (int argc, } TALER_AUDITORDB_plugin_unload (TAH_plugin); TAH_plugin = NULL; + TALER_EXCHANGEDB_plugin_unload (TAH_eplugin); + TAH_eplugin = NULL; TEAH_DEPOSIT_CONFIRMATION_done (); return (GNUNET_SYSERR == ret) ? 1 : 0; } diff --git a/src/auditor/taler-auditor-httpd.h b/src/auditor/taler-auditor-httpd.h index 127c4dd8a..25e374277 100644 --- a/src/auditor/taler-auditor-httpd.h +++ b/src/auditor/taler-auditor-httpd.h @@ -25,6 +25,7 @@ #include #include "taler_auditordb_plugin.h" +#include "taler_exchangedb_plugin.h" /** @@ -32,6 +33,11 @@ */ extern struct TALER_AUDITORDB_Plugin *TAH_plugin; +/** + * Our DB plugin to talk to the *exchange* database. + */ +extern struct TALER_EXCHANGEDB_Plugin *TAH_eplugin; + /** * @brief Struct describing an URL and the handler for it. diff --git a/src/auditor/taler-auditor-httpd_deposit-confirmation.c b/src/auditor/taler-auditor-httpd_deposit-confirmation.c index 08a781f30..61263888f 100644 --- a/src/auditor/taler-auditor-httpd_deposit-confirmation.c +++ b/src/auditor/taler-auditor-httpd_deposit-confirmation.c @@ -35,7 +35,7 @@ /** * Cache of already verified exchange signing keys. Maps the hash of the * `struct TALER_ExchangeSigningKeyValidityPS` to the (static) string - * "verified". Access to this map is guarded by the #lock. + * "verified" or "revoked". Access to this map is guarded by the #lock. */ static struct GNUNET_CONTAINER_MultiHashMap *cache; @@ -66,7 +66,7 @@ verify_and_execute_deposit_confirmation ( enum GNUNET_DB_QueryStatus qs; struct GNUNET_TIME_Absolute now; struct GNUNET_HashCode h; - int cached; + const char *cached; struct TALER_ExchangeSigningKeyValidityPS skv = { .purpose.purpose = htonl (TALER_SIGNATURE_MASTER_SIGNING_KEY_VALIDITY), .purpose.size = htonl (sizeof (struct TALER_ExchangeSigningKeyValidityPS)), @@ -94,10 +94,9 @@ verify_and_execute_deposit_confirmation ( sizeof (skv), &h); GNUNET_assert (0 == pthread_mutex_lock (&lock)); - cached = GNUNET_CONTAINER_multihashmap_contains (cache, - &h); + cached = GNUNET_CONTAINER_multihashmap_get (cache, + &h); GNUNET_assert (0 == pthread_mutex_unlock (&lock)); - session = TAH_plugin->get_session (TAH_plugin->cls); if (NULL == session) { @@ -107,7 +106,7 @@ verify_and_execute_deposit_confirmation ( TALER_EC_GENERIC_DB_SETUP_FAILED, NULL); } - if (! cached) + if (NULL == cached) { /* Not in cache, need to verify the signature, persist it, and possibly cache it */ if (GNUNET_OK != @@ -139,18 +138,43 @@ verify_and_execute_deposit_confirmation ( TALER_EC_GENERIC_DB_STORE_FAILED, "exchange signing key"); } + cached = "verified"; + } + + if (0 == strcmp (cached, + "verified")) + { + struct TALER_MasterSignatureP master_sig; - /* Cache it, due to concurreny it might already be in the cache, - so we do not cache it twice but also don't insist on the 'put' to - succeed. */ - GNUNET_assert (0 == pthread_mutex_lock (&lock)); - (void) GNUNET_CONTAINER_multihashmap_put (cache, - &h, - "verified", - GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY); - GNUNET_assert (0 == pthread_mutex_unlock (&lock)); + /* check for revocation */ + qs = TAH_eplugin->lookup_signkey_revocation (TAH_eplugin->cls, + NULL, + &es->exchange_pub, + &master_sig); + if (0 > qs) + { + GNUNET_break (GNUNET_DB_STATUS_HARD_ERROR == qs); + TALER_LOG_WARNING ( + "Failed to check for signing key revocation in database\n"); + return TALER_MHD_reply_with_error (connection, + MHD_HTTP_INTERNAL_SERVER_ERROR, + TALER_EC_GENERIC_DB_FETCH_FAILED, + "exchange signing key revocation"); + } + if (0 < qs) + cached = "revoked"; } + /* Cache it, due to concurreny it might already be in the cache, + so we do not cache it twice but also don't insist on the 'put' to + succeed. */ + GNUNET_assert (0 == pthread_mutex_lock (&lock)); + (void) GNUNET_CONTAINER_multihashmap_put (cache, + &h, + (void *) cached, + GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY); + GNUNET_assert (0 == pthread_mutex_unlock (&lock)); + /* check deposit confirmation signature */ { struct TALER_DepositConfirmationPS dcs = { diff --git a/src/exchangedb/plugin_exchangedb_postgres.c b/src/exchangedb/plugin_exchangedb_postgres.c index 23e947875..4f49a219e 100644 --- a/src/exchangedb/plugin_exchangedb_postgres.c +++ b/src/exchangedb/plugin_exchangedb_postgres.c @@ -1555,6 +1555,13 @@ postgres_get_session (void *cls) ") VALUES " "($1, $2);", 2), + /* used in #postgres_insert_signkey_revocation() */ + GNUNET_PQ_make_prepare ("lookup_signkey_revocation", + "SELECT " + " master_sig" + " FROM signkey_revocations" + " WHERE exchange_pub=$1;", + 1), /* used in #postgres_insert_signkey() */ GNUNET_PQ_make_prepare ("insert_signkey", "INSERT INTO exchange_sign_keys " @@ -8491,6 +8498,46 @@ postgres_insert_signkey_revocation ( } +/** + * Obtain information about a revoked online signing key. + * + * @param cls closure + * @param session a session (can be NULL) + * @param exchange_pub exchange online signing key + * @param[out] master_sig set to signature affirming the revocation (if revoked) + * @return transaction status code + */ +static enum GNUNET_DB_QueryStatus +postgres_lookup_signkey_revocation ( + void *cls, + struct TALER_EXCHANGEDB_Session *session, + const struct TALER_ExchangePublicKeyP *exchange_pub, + struct TALER_MasterSignatureP *master_sig) +{ + struct PostgresClosure *pg = cls; + struct GNUNET_PQ_QueryParam params[] = { + GNUNET_PQ_query_param_auto_from_type (exchange_pub), + GNUNET_PQ_query_param_end + }; + struct GNUNET_PQ_ResultSpec rs[] = { + TALER_PQ_result_spec_auto_from_type ("master_sig", + master_sig), + GNUNET_PQ_result_spec_end + }; + + (void) cls; + if (NULL == session) + session = postgres_get_session (pg); + if (NULL == session) + return GNUNET_DB_STATUS_HARD_ERROR; + + return GNUNET_PQ_eval_prepared_singleton_select (session->conn, + "lookup_signkey_revocation", + params, + rs); +} + + /** * Lookup information about current denomination key. * diff --git a/src/include/taler_exchangedb_plugin.h b/src/include/taler_exchangedb_plugin.h index 8bf118a07..feca61fe3 100644 --- a/src/include/taler_exchangedb_plugin.h +++ b/src/include/taler_exchangedb_plugin.h @@ -3340,6 +3340,23 @@ struct TALER_EXCHANGEDB_Plugin const struct TALER_MasterSignatureP *master_sig); + /** + * Obtain information about a revoked online signing key. + * + * @param cls closure + * @param session a session (can be NULL) + * @param exchange_pub exchange online signing key that was revoked + * @param[out] master_sig signature affirming the revocation + * @return transaction status code + */ + enum GNUNET_DB_QueryStatus + (*lookup_signkey_revocation)( + void *cls, + struct TALER_EXCHANGEDB_Session *session, + const struct TALER_ExchangePublicKeyP *exchange_pub, + struct TALER_MasterSignatureP *master_sig); + + /** * Lookup information about current denomination key. * -- cgit v1.2.3