diff options
| author | Özgür Kesim <oec-taler@kesim.org> | 2021-12-01 15:25:33 +0100 |
|---|---|---|
| committer | Özgür Kesim <oec-taler@kesim.org> | 2021-12-01 15:25:33 +0100 |
| commit | 54c62f3ab9a38f734601e3af3bfa97b3587dd634 (patch) | |
| tree | e7e1ded8e5b6b8151996f16f27f96d61534e9946 | |
| parent | 41aba39f0fccc8ba30ba78995880aa07704dbb25 (diff) | |
| download | exchange-54c62f3ab9a38f734601e3af3bfa97b3587dd634.tar.xz | |
[age restriction] progress 6/n
lift logic for detection of age restriction of a denomination out from
taler-exchange-secmod-rsa.c to taler-exchange_httpd_keys.c
| -rw-r--r-- | src/exchange/taler-exchange-httpd_keys.c | 117 | ||||
| -rw-r--r-- | src/include/taler_crypto_lib.h | 4 | ||||
| -rw-r--r-- | src/include/taler_exchangedb_plugin.h | 15 | ||||
| -rw-r--r-- | src/include/taler_extensions.h | 4 | ||||
| -rw-r--r-- | src/lib/exchange_api_deposit.c | 32 | ||||
| -rw-r--r-- | src/util/crypto_helper_rsa.c | 6 | ||||
| -rw-r--r-- | src/util/taler-exchange-secmod-rsa.c | 50 | ||||
| -rw-r--r-- | src/util/taler-exchange-secmod-rsa.h | 5 | ||||
| -rw-r--r-- | src/util/test_helper_rsa.c | 6 |
9 files changed, 129 insertions, 110 deletions
diff --git a/src/exchange/taler-exchange-httpd_keys.c b/src/exchange/taler-exchange-httpd_keys.c index 2218d02ee..6ac39aa80 100644 --- a/src/exchange/taler-exchange-httpd_keys.c +++ b/src/exchange/taler-exchange-httpd_keys.c @@ -1,18 +1,18 @@ /* - This file is part of TALER - Copyright (C) 2020, 2021 Taler Systems SA + This file is part of TALER + Copyright (C) 2020, 2021 Taler Systems SA - TALER is free software; you can redistribute it and/or modify it under the - terms of the GNU Affero General Public License as published by the Free Software - Foundation; either version 3, or (at your option) any later version. + TALER is free software; you can redistribute it and/or modify it under the + terms of the GNU Affero General Public License as published by the Free Software + Foundation; either version 3, or (at your option) any later version. - TALER is distributed in the hope that it will be useful, but WITHOUT ANY - WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR - A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details. + TALER is distributed in the hope that it will be useful, but WITHOUT ANY + WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR + A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details. - You should have received a copy of the GNU Affero General Public License along with - TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/> -*/ + You should have received a copy of the GNU Affero General Public License along with + TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/> + */ /** * @file taler-exchange-httpd_keys.c * @brief management of our various keys @@ -674,6 +674,60 @@ destroy_key_helpers (struct HelperState *hs) /** + * Looks up the AGE_RESTRICTED setting for a denomination in the config and + * returns the age restriction (mask) accordingly. + * + * FIXME: The mask is currently taken from the config. However, It MUST come + * from the database where it has been persisted after a signed call to the + * /management/extension API (TODO). + * + * @param section_name Section in the configuration for the particular + * denomination. + */ +static struct TALER_AgeMask +load_age_mask (const char*section_name) +{ + static const struct TALER_AgeMask null_mask = {0}; + struct TALER_AgeMask age_mask = {0}; + + /* FIXME-oec: get age_mask from database, not from config */ + if (TALER_EXTENSION_OK != TALER_get_age_mask (TEH_cfg, &age_mask)) + { + GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR, + TALER_EXTENSION_SECTION_AGE_RESTRICTION, + "AGE_GROUPS", + "must be of form a:b:...:n:m, where 0<a<b<...<n<m<32\n"); + return null_mask; + } + + if (age_mask.mask == 0) + { + return null_mask; + } + + if (GNUNET_OK == (GNUNET_CONFIGURATION_have_value ( + TEH_cfg, + section_name, + "AGE_RESTRICTED"))) + { + enum GNUNET_GenericReturnValue ret; + if (GNUNET_SYSERR == (ret = GNUNET_CONFIGURATION_get_value_yesno (TEH_cfg, + section_name, + "AGE_RESTRICTED"))) + { + GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR, + section_name, + "AGE_RESTRICTED", + "Value must be YES or NO\n"); + return null_mask; + } + } + + return age_mask; +} + + +/** * Function called with information about available keys for signing. Usually * only called once per key upon connect. Also called again in case a key is * being revoked, in that case with an @a end_time of zero. @@ -690,7 +744,6 @@ destroy_key_helpers (struct HelperState *hs) * @param sm_pub public key of the security module, NULL if the key was revoked or purged * @param sm_sig signature from the security module, NULL if the key was revoked or purged * The signature was already verified against @a sm_pub. - * @param age_restricted true, if denomination is age restricted */ static void helper_rsa_cb ( @@ -701,8 +754,7 @@ helper_rsa_cb ( const struct TALER_RsaPubHashP *h_rsa, const struct TALER_DenominationPublicKey *denom_pub, const struct TALER_SecurityModulePublicKeyP *sm_pub, - const struct TALER_SecurityModuleSignatureP *sm_sig, - bool age_restricted) + const struct TALER_SecurityModuleSignatureP *sm_sig) { struct HelperState *hs = cls; struct HelperDenomination *hd; @@ -734,17 +786,8 @@ helper_rsa_cb ( TALER_denom_pub_deep_copy (&hd->denom_pub, denom_pub); GNUNET_assert (TALER_DENOMINATION_RSA == hd->denom_pub.cipher); - - /* Set age restriction, if applicable */ - hd->denom_pub.age_mask.mask = 0; - if (age_restricted) - { - /* FIXME-oec: get age mask from global */ - GNUNET_assert (TALER_EXTENSION_OK == TALER_get_age_mask (TEH_cfg, - &hd->denom_pub. - age_mask)); - } - + /* load the age mask for the denomination, if applicable */ + hd->denom_pub.age_mask = load_age_mask (section_name); TALER_denom_pub_hash (&hd->denom_pub, &hd->h_denom_pub); hd->section_name = GNUNET_strdup (section_name); @@ -2278,24 +2321,25 @@ TEH_keys_get_handler (struct TEH_RequestContext *rc, MHD_HTTP_OK, (MHD_YES == TALER_MHD_can_compress (rc->connection)) - ? krd->response_compressed - : krd->response_uncompressed); + ? krd->response_compressed + : krd->response_uncompressed); } } /** - * Load fees and expiration times (!) for the denomination type configured in - * section @a section_name. Before calling this function, the `start` and - * `validity_duration` times must already be initialized in @a meta. + * Load extension data, like fees, expiration times (!) and age restriction + * flags for the denomination type configured in section @a section_name. + * Before calling this function, the `start` and `validity_duration` times must + * already be initialized in @a meta. * * @param section_name section in the configuration to use * @param[in,out] meta denomination type data to complete * @return #GNUNET_OK on success */ static enum GNUNET_GenericReturnValue -load_fees (const char *section_name, - struct TALER_EXCHANGEDB_DenominationKeyMetaData *meta) +load_extension_data (const char *section_name, + struct TALER_EXCHANGEDB_DenominationKeyMetaData *meta) { struct GNUNET_TIME_Relative deposit_duration; struct GNUNET_TIME_Relative legal_duration; @@ -2408,6 +2452,7 @@ load_fees (const char *section_name, TEH_currency); return GNUNET_SYSERR; } + meta->age_restrictions = load_age_mask (section_name); return GNUNET_OK; } @@ -2440,8 +2485,8 @@ TEH_keys_load_fees (const struct TALER_DenominationHash *h_denom_pub, meta->start = hd->start_time; meta->expire_withdraw = GNUNET_TIME_absolute_add (meta->start, hd->validity_duration); - ok = load_fees (hd->section_name, - meta); + ok = load_extension_data (hd->section_name, + meta); if (GNUNET_OK == ok) { GNUNET_assert (TALER_DENOMINATION_INVALID != hd->denom_pub.cipher); @@ -2542,8 +2587,8 @@ add_future_denomkey_cb (void *cls, meta.expire_withdraw = GNUNET_TIME_absolute_add (meta.start, hd->validity_duration); if (GNUNET_OK != - load_fees (hd->section_name, - &meta)) + load_extension_data (hd->section_name, + &meta)) { /* Woops, couldn't determine fee structure!? */ return GNUNET_OK; diff --git a/src/include/taler_crypto_lib.h b/src/include/taler_crypto_lib.h index 9e744c8dc..ea53efb66 100644 --- a/src/include/taler_crypto_lib.h +++ b/src/include/taler_crypto_lib.h @@ -1362,7 +1362,6 @@ struct TALER_CRYPTO_RsaDenominationHelper; * @param sm_pub public key of the security module, NULL if the key was revoked or purged * @param sm_sig signature from the security module, NULL if the key was revoked or purged * The signature was already verified against @a sm_pub. - * @param age_restricted true, if denomnation has age restriction set */ typedef void (*TALER_CRYPTO_RsaDenominationKeyStatusCallback)( @@ -1373,8 +1372,7 @@ typedef void const struct TALER_RsaPubHashP *h_rsa, const struct TALER_DenominationPublicKey *denom_pub, const struct TALER_SecurityModulePublicKeyP *sm_pub, - const struct TALER_SecurityModuleSignatureP *sm_sig, - bool age_restricted); + const struct TALER_SecurityModuleSignatureP *sm_sig); /** diff --git a/src/include/taler_exchangedb_plugin.h b/src/include/taler_exchangedb_plugin.h index 47504e510..9a1dc78b6 100644 --- a/src/include/taler_exchangedb_plugin.h +++ b/src/include/taler_exchangedb_plugin.h @@ -630,9 +630,20 @@ struct TALER_EXCHANGEDB_DenominationKeyMetaData struct TALER_Amount fee_refund; /** - * Indication if age restriction is set for this denomination + * Age restriction for the denomination. (can be zero). If not zero, the bits + * set in the mask mark the edges at the beginning of a next age group. F.e. + * for the age groups + * 0-7, 8-9, 10-11, 12-14, 14-15, 16-17, 18-21, 21-* + * the following bits are set: + * + * 31 24 16 8 0 + * | | | | | + * oooooooo oo1oo1o1 o1o1o1o1 ooooooo1 + * + * A value of 0 means that the denomination does not support the extension for + * age-restriction. */ - bool age_restricted; + struct TALER_AgeMask age_restrictions; }; diff --git a/src/include/taler_extensions.h b/src/include/taler_extensions.h index 1ef97b2e9..c4e9d1f5a 100644 --- a/src/include/taler_extensions.h +++ b/src/include/taler_extensions.h @@ -39,8 +39,8 @@ enum TALER_EXTENSION_ReturnValue * TALER Age Restriction Extensions */ -#define TALER_EXTENSION_SECTION_AGE_RESTRICTION TALER_EXTENSION_SECTION_PREFIX \ - "agerestriction" +#define TALER_EXTENSION_SECTION_AGE_RESTRICTION (TALER_EXTENSION_SECTION_PREFIX \ + "agerestriction") /** * The default age mask represents the age groups diff --git a/src/lib/exchange_api_deposit.c b/src/lib/exchange_api_deposit.c index 7fc8bb6b7..bb935514b 100644 --- a/src/lib/exchange_api_deposit.c +++ b/src/lib/exchange_api_deposit.c @@ -1,19 +1,19 @@ /* - This file is part of TALER - Copyright (C) 2014-2021 Taler Systems SA + This file is part of TALER + Copyright (C) 2014-2021 Taler Systems SA - TALER is free software; you can redistribute it and/or modify it under the - terms of the GNU General Public License as published by the Free Software - Foundation; either version 3, or (at your option) any later version. + TALER is free software; you can redistribute it and/or modify it under the + terms of the GNU General Public License as published by the Free Software + Foundation; either version 3, or (at your option) any later version. - TALER is distributed in the hope that it will be useful, but WITHOUT ANY - WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR - A PARTICULAR PURPOSE. See the GNU General Public License for more details. + TALER is distributed in the hope that it will be useful, but WITHOUT ANY + WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR + A PARTICULAR PURPOSE. See the GNU General Public License for more details. - You should have received a copy of the GNU General Public License along with - TALER; see the file COPYING. If not, see - <http://www.gnu.org/licenses/> -*/ + You should have received a copy of the GNU General Public License along with + TALER; see the file COPYING. If not, see + <http://www.gnu.org/licenses/> + */ /** * @file lib/exchange_api_deposit.c * @brief Implementation of the /deposit request of the exchange's HTTP API @@ -405,7 +405,7 @@ handle_deposit_finished (void *cls, dr.hr.ec = TALER_JSON_get_error_code (j); dr.hr.hint = TALER_JSON_get_error_hint (j); /* Nothing really to verify, this should never - happen, we should pass the JSON reply to the application */ + happen, we should pass the JSON reply to the application */ break; case MHD_HTTP_CONFLICT: /* Double spending; check signatures on transaction history */ @@ -514,7 +514,7 @@ verify_signatures (const struct TALER_EXCHANGE_DenomPublicKey *dki, .coin_pub = *coin_pub, .denom_pub_hash = *denom_pub_hash, .denom_sig = *denom_sig, - .age_commitment_hash = { 0 } /* FIXME-Oec */ + .age_commitment_hash = {{{0}}} /* FIXME-Oec */ }; if (GNUNET_YES != @@ -629,8 +629,8 @@ TALER_EXCHANGE_deposit ( &h_wire, h_contract_terms, (NULL != extension_details) - ? &ech - : NULL, + ? &ech + : NULL, coin_pub, denom_sig, denom_pub, diff --git a/src/util/crypto_helper_rsa.c b/src/util/crypto_helper_rsa.c index d4deec0d1..85741d5e5 100644 --- a/src/util/crypto_helper_rsa.c +++ b/src/util/crypto_helper_rsa.c @@ -239,8 +239,7 @@ handle_mt_avail (struct TALER_CRYPTO_RsaDenominationHelper *dh, &h_rsa, &denom_pub, &kan->secm_pub, - &kan->secm_sig, - (kan->age_restricted > 0)); + &kan->secm_sig); TALER_denom_pub_free (&denom_pub); } return GNUNET_OK; @@ -276,8 +275,7 @@ handle_mt_purge (struct TALER_CRYPTO_RsaDenominationHelper *dh, &pn->h_rsa, NULL, NULL, - NULL, - false); + NULL); return GNUNET_OK; } diff --git a/src/util/taler-exchange-secmod-rsa.c b/src/util/taler-exchange-secmod-rsa.c index 4dfb2e3aa..5fd6049a7 100644 --- a/src/util/taler-exchange-secmod-rsa.c +++ b/src/util/taler-exchange-secmod-rsa.c @@ -1,18 +1,18 @@ /* - This file is part of TALER - Copyright (C) 2014-2021 Taler Systems SA + This file is part of TALER + Copyright (C) 2014-2021 Taler Systems SA - TALER is free software; you can redistribute it and/or modify it under the - terms of the GNU General Public License as published by the Free Software - Foundation; either version 3, or (at your option) any later version. + TALER is free software; you can redistribute it and/or modify it under the + terms of the GNU General Public License as published by the Free Software + Foundation; either version 3, or (at your option) any later version. - TALER is distributed in the hope that it will be useful, but WITHOUT ANY - WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR - A PARTICULAR PURPOSE. See the GNU General Public License for more details. + TALER is distributed in the hope that it will be useful, but WITHOUT ANY + WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR + A PARTICULAR PURPOSE. See the GNU General Public License for more details. - You should have received a copy of the GNU General Public License along with - TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/> - */ + You should have received a copy of the GNU General Public License along with + TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/> +*/ /** * @file util/taler-exchange-secmod-rsa.c * @brief Standalone process to perform private key RSA operations @@ -156,11 +156,6 @@ struct Denomination * Length of (new) RSA keys (in bits). */ uint32_t rsa_keysize; - - /** - * Is the denomination age restricted? 0 == false - */ - uint8_t age_restricted; }; @@ -263,7 +258,6 @@ notify_client_dk_add (struct TES_Client *client, an->section_name_len = htons ((uint16_t) nlen); an->anchor_time = GNUNET_TIME_absolute_hton (dk->anchor); an->duration_withdraw = GNUNET_TIME_relative_hton (denom->duration_withdraw); - an->age_restricted = denom->age_restricted; TALER_exchange_secmod_rsa_sign (&dk->h_rsa, denom->section, dk->anchor, @@ -1262,24 +1256,6 @@ parse_denomination_cfg (const struct GNUNET_CONFIGURATION_Handle *cfg, } denom->rsa_keysize = (unsigned int) rsa_keysize; denom->section = GNUNET_strdup (ct); - if (GNUNET_OK == (GNUNET_CONFIGURATION_have_value (cfg, - ct, - "AGE_RESTRICTED"))) - { - enum GNUNET_GenericReturnValue ret; - if (GNUNET_SYSERR == (ret = GNUNET_CONFIGURATION_get_value_yesno (cfg, - ct, - "AGE_RESTRICTED"))) - { - GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR, - ct, - "AGE_RESTRICTED", - "Value must be YES or NO\n"); - return GNUNET_SYSERR; - } - denom->age_restricted = (ret == GNUNET_OK) ? 1 : 0; - } - return GNUNET_OK; } @@ -1546,8 +1522,8 @@ main (int argc, (void) umask (S_IWGRP | S_IROTH | S_IWOTH | S_IXOTH); /* force linker to link against libtalerutil; if we do - not do this, the linker may "optimize" libtalerutil - away and skip #TALER_OS_init(), which we do need */ + not do this, the linker may "optimize" libtalerutil + away and skip #TALER_OS_init(), which we do need */ TALER_OS_init (); now = now_tmp = GNUNET_TIME_absolute_get (); ret = GNUNET_PROGRAM_run (argc, argv, diff --git a/src/util/taler-exchange-secmod-rsa.h b/src/util/taler-exchange-secmod-rsa.h index 9207e705a..b0fdfbd96 100644 --- a/src/util/taler-exchange-secmod-rsa.h +++ b/src/util/taler-exchange-secmod-rsa.h @@ -77,11 +77,6 @@ struct TALER_CRYPTO_RsaKeyAvailableNotification */ struct TALER_SecurityModuleSignatureP secm_sig; - /** - * Indicator for age restriction - */ - uint8_t age_restricted; - /* followed by @e pub_size bytes of the RSA public key */ /* followed by @e section_name bytes of the configuration section name diff --git a/src/util/test_helper_rsa.c b/src/util/test_helper_rsa.c index 6377a39d8..14ff2bfab 100644 --- a/src/util/test_helper_rsa.c +++ b/src/util/test_helper_rsa.c @@ -133,7 +133,6 @@ free_keys (void) * @param sm_pub public key of the security module, NULL if the key was revoked or purged * @param sm_sig signature from the security module, NULL if the key was revoked or purged * The signature was already verified against @a sm_pub. - * @param age_restricted indication if denomination is age restricted */ static void key_cb (void *cls, @@ -143,13 +142,11 @@ key_cb (void *cls, const struct TALER_RsaPubHashP *h_rsa, const struct TALER_DenominationPublicKey *denom_pub, const struct TALER_SecurityModulePublicKeyP *sm_pub, - const struct TALER_SecurityModuleSignatureP *sm_sig, - bool age_restricted) + const struct TALER_SecurityModuleSignatureP *sm_sig) { (void) cls; (void) sm_pub; (void) sm_sig; - (void) age_restricted; GNUNET_log (GNUNET_ERROR_TYPE_INFO, "Key notification about key %s in `%s'\n", GNUNET_h2s (&h_rsa->hash), @@ -189,7 +186,6 @@ key_cb (void *cls, keys[i].validity_duration = validity_duration; TALER_denom_pub_deep_copy (&keys[i].denom_pub, denom_pub); - /* FIXME-oec: take age_restriction into account!? */ num_keys++; return; } |