diff options
author | Christian Grothoff <christian@grothoff.org> | 2020-12-24 14:48:50 +0100 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2020-12-24 14:48:50 +0100 |
commit | 247d1ca3e56461069c02481c7071b56e950fe78a (patch) | |
tree | f5d87d3579ff3e55fcecc44083176e685bd87753 /src/exchange-tools/taler-exchange-offline.c | |
parent | deed88fe3337059b2e1502939b7a5b55ee7417a8 (diff) | |
download | exchange-247d1ca3e56461069c02481c7071b56e950fe78a.tar.xz |
implement #6661: secm key pinning via configuration
Diffstat (limited to 'src/exchange-tools/taler-exchange-offline.c')
-rw-r--r-- | src/exchange-tools/taler-exchange-offline.c | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/src/exchange-tools/taler-exchange-offline.c b/src/exchange-tools/taler-exchange-offline.c index abcd52f22..97fc0b560 100644 --- a/src/exchange-tools/taler-exchange-offline.c +++ b/src/exchange-tools/taler-exchange-offline.c @@ -2331,6 +2331,74 @@ tofu_check (const struct TALER_SecurityModulePublicKeyP secm[2]) GNUNET_free (fn); return GNUNET_OK; } + else + { + char *key; + + /* check against SECMOD-keys pinned in configuration */ + if (GNUNET_OK == + GNUNET_CONFIGURATION_get_value_string (kcfg, + "exchange-offline", + "SECM_ESIGN_PUBKEY", + &key)) + { + struct TALER_SecurityModulePublicKeyP k; + + if (GNUNET_OK != + GNUNET_STRINGS_string_to_data (key, + strlen (key), + &k, + sizeof (k))) + { + GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR, + "exchange-offline", + "SECM_ESIGN_PUBKEY", + "key malformed"); + GNUNET_free (key); + return GNUNET_SYSERR; + } + GNUNET_free (key); + if (0 != + GNUNET_memcmp (&k, + &secm[1])) + { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "ESIGN security module key does not match SECM_ESIGN_PUBKEY in configuration\n"); + return GNUNET_SYSERR; + } + } + if (GNUNET_OK == + GNUNET_CONFIGURATION_get_value_string (kcfg, + "exchange-offline", + "SECM_DENOM_PUBKEY", + &key)) + { + struct TALER_SecurityModulePublicKeyP k; + + if (GNUNET_OK != + GNUNET_STRINGS_string_to_data (key, + strlen (key), + &k, + sizeof (k))) + { + GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR, + "exchange-offline", + "SECM_DENOM_PUBKEY", + "key malformed"); + GNUNET_free (key); + return GNUNET_SYSERR; + } + GNUNET_free (key); + if (0 != + GNUNET_memcmp (&k, + &secm[0])) + { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "DENOM security module key does not match SECM_DENOM_PUBKEY in configuration\n"); + return GNUNET_SYSERR; + } + } + } /* persist keys for future runs */ if (GNUNET_OK != GNUNET_DISK_fn_write (fn, |