aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--contrib/mint-template/config/mint-keyup.conf3
-rw-r--r--src/mint-lib/mint_api.c13
-rw-r--r--src/mint-tools/taler-mint-keycheck.c3
-rw-r--r--src/mint-tools/taler-mint-keyup.c27
-rw-r--r--src/mint/taler-mint-httpd_keystate.c11
5 files changed, 52 insertions, 5 deletions
diff --git a/contrib/mint-template/config/mint-keyup.conf b/contrib/mint-template/config/mint-keyup.conf
index 9091c6c97..54b659bf6 100644
--- a/contrib/mint-template/config/mint-keyup.conf
+++ b/contrib/mint-template/config/mint-keyup.conf
@@ -3,6 +3,9 @@
# how long is one signkey valid?
signkey_duration = 4 weeks
+# how long are the signatures with the signkey valid?
+legal_duration = 2 years
+
# how long do we generate denomination and signing keys
# ahead of time?
lookahead_sign = 32 weeks 1 day
diff --git a/src/mint-lib/mint_api.c b/src/mint-lib/mint_api.c
index b3ee34d15..250d52ec1 100644
--- a/src/mint-lib/mint_api.c
+++ b/src/mint-lib/mint_api.c
@@ -250,10 +250,12 @@ parse_json_signkey (struct TALER_MINT_SigningPublicKey **_sign_key,
{
json_t *valid_from_obj;
json_t *valid_until_obj;
+ json_t *valid_legal_obj;
json_t *key_obj;
json_t *sig_obj;
const char *valid_from_enc;
const char *valid_until_enc;
+ const char *valid_legal_enc;
const char *key_enc;
const char *sig_enc;
struct TALER_MINT_SigningPublicKey *sign_key;
@@ -261,27 +263,35 @@ parse_json_signkey (struct TALER_MINT_SigningPublicKey **_sign_key,
struct GNUNET_CRYPTO_EddsaSignature sig;
struct GNUNET_TIME_Absolute valid_from;
struct GNUNET_TIME_Absolute valid_until;
+ struct GNUNET_TIME_Absolute valid_legal;
EXITIF (JSON_OBJECT != json_typeof (sign_key_obj));
EXITIF (NULL == (valid_from_obj = json_object_get (sign_key_obj,
"stamp_start")));
EXITIF (NULL == (valid_until_obj = json_object_get (sign_key_obj,
"stamp_expire")));
+ EXITIF (NULL == (valid_legal_obj = json_object_get (sign_key_obj,
+ "stamp_end")));
EXITIF (NULL == (key_obj = json_object_get (sign_key_obj, "key")));
EXITIF (NULL == (sig_obj = json_object_get (sign_key_obj, "master_sig")));
EXITIF (NULL == (valid_from_enc = json_string_value (valid_from_obj)));
EXITIF (NULL == (valid_until_enc = json_string_value (valid_until_obj)));
+ EXITIF (NULL == (valid_legal_enc = json_string_value (valid_legal_obj)));
EXITIF (NULL == (key_enc = json_string_value (key_obj)));
EXITIF (NULL == (sig_enc = json_string_value (sig_obj)));
EXITIF (GNUNET_SYSERR == parse_timestamp (&valid_from,
valid_from_enc));
EXITIF (GNUNET_SYSERR == parse_timestamp (&valid_until,
valid_until_enc));
+ EXITIF (GNUNET_SYSERR == parse_timestamp (&valid_legal,
+ valid_legal_enc));
EXITIF (52 != strlen (key_enc)); /* strlen(base32(char[32])) = 52 */
EXITIF (103 != strlen (sig_enc)); /* strlen(base32(char[64])) = 103 */
EXITIF (GNUNET_OK != GNUNET_STRINGS_string_to_data (sig_enc, 103,
&sig, sizeof (sig)));
- (void) memset (&sign_key_issue, 0, sizeof (sign_key_issue));
+ memset (&sign_key_issue,
+ 0,
+ sizeof (sign_key_issue));
EXITIF (GNUNET_SYSERR ==
GNUNET_CRYPTO_eddsa_public_key_from_string (key_enc,
52,
@@ -293,6 +303,7 @@ parse_json_signkey (struct TALER_MINT_SigningPublicKey **_sign_key,
sign_key_issue.master_public_key = *master_key;
sign_key_issue.start = GNUNET_TIME_absolute_hton (valid_from);
sign_key_issue.expire = GNUNET_TIME_absolute_hton (valid_until);
+ sign_key_issue.end = GNUNET_TIME_absolute_hton (valid_legal);
EXITIF (GNUNET_OK !=
GNUNET_CRYPTO_eddsa_verify (TALER_SIGNATURE_MASTER_SIGNING_KEY_VALIDITY,
&sign_key_issue.purpose,
diff --git a/src/mint-tools/taler-mint-keycheck.c b/src/mint-tools/taler-mint-keycheck.c
index 06b544afa..41c3cba8f 100644
--- a/src/mint-tools/taler-mint-keycheck.c
+++ b/src/mint-tools/taler-mint-keycheck.c
@@ -60,7 +60,8 @@ signkeys_iter (void *cls,
if (ntohl (ski->issue.purpose.size) !=
(sizeof (struct TALER_MintSigningKeyValidityPS) -
- offsetof (struct TALER_MintSigningKeyValidityPS, purpose)))
+ offsetof (struct TALER_MintSigningKeyValidityPS,
+ purpose)))
{
fprintf (stderr,
"Signing key `%s' has invalid purpose size\n",
diff --git a/src/mint-tools/taler-mint-keyup.c b/src/mint-tools/taler-mint-keyup.c
index cbeae646b..5cea08c55 100644
--- a/src/mint-tools/taler-mint-keyup.c
+++ b/src/mint-tools/taler-mint-keyup.c
@@ -429,11 +429,13 @@ get_anchor (const char *dir,
*
* @param start start time of the validity period for the key
* @param duration how long should the key be valid
+ * @param end when do all signatures by this key expire
* @param[out] pi set to the signing key information
*/
static void
create_signkey_issue_priv (struct GNUNET_TIME_Absolute start,
struct GNUNET_TIME_Relative duration,
+ struct GNUNET_TIME_Absolute end,
struct TALER_MINTDB_PrivateSigningKeyInformationP *pi)
{
struct GNUNET_CRYPTO_EddsaPrivateKey *priv;
@@ -446,6 +448,7 @@ create_signkey_issue_priv (struct GNUNET_TIME_Absolute start,
issue->start = GNUNET_TIME_absolute_hton (start);
issue->expire = GNUNET_TIME_absolute_hton (GNUNET_TIME_absolute_add (start,
duration));
+ issue->end = GNUNET_TIME_absolute_hton (end);
GNUNET_CRYPTO_eddsa_key_get_public (&pi->signkey_priv.eddsa_priv,
&issue->signkey_pub.eddsa_pub);
issue->purpose.purpose = htonl (TALER_SIGNATURE_MASTER_SIGNING_KEY_VALIDITY);
@@ -470,6 +473,7 @@ static int
mint_keys_update_signkeys ()
{
struct GNUNET_TIME_Relative signkey_duration;
+ struct GNUNET_TIME_Relative legal_duration;
struct GNUNET_TIME_Absolute anchor;
char *signkey_dir;
@@ -484,6 +488,25 @@ mint_keys_update_signkeys ()
"signkey_duration");
return GNUNET_SYSERR;
}
+ if (GNUNET_OK !=
+ GNUNET_CONFIGURATION_get_value_time (kcfg,
+ "mint_keys",
+ "legal_duration",
+ &legal_duration))
+ {
+ GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+ "mint_keys",
+ "legal_duration");
+ return GNUNET_SYSERR;
+ }
+ if (signkey_duration.rel_value_us < legal_duration.rel_value_us)
+ {
+ GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR,
+ "mint_keys",
+ "legal_duration",
+ "must be longer than signkey_duration");
+ return GNUNET_SYSERR;
+ }
ROUND_TO_SECS (signkey_duration,
rel_value_us);
GNUNET_asprintf (&signkey_dir,
@@ -508,8 +531,11 @@ mint_keys_update_signkeys ()
const char *skf;
struct TALER_MINTDB_PrivateSigningKeyInformationP signkey_issue;
ssize_t nwrite;
+ struct GNUNET_TIME_Absolute end;
skf = get_signkey_file (anchor);
+ end = GNUNET_TIME_absolute_add (anchor,
+ legal_duration);
GNUNET_break (GNUNET_YES !=
GNUNET_DISK_file_test (skf));
GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
@@ -517,6 +543,7 @@ mint_keys_update_signkeys ()
GNUNET_STRINGS_absolute_time_to_string (anchor));
create_signkey_issue_priv (anchor,
signkey_duration,
+ end,
&signkey_issue);
nwrite = GNUNET_DISK_fn_write (skf,
&signkey_issue,
diff --git a/src/mint/taler-mint-httpd_keystate.c b/src/mint/taler-mint-httpd_keystate.c
index 1745775bb..33407e020 100644
--- a/src/mint/taler-mint-httpd_keystate.c
+++ b/src/mint/taler-mint-httpd_keystate.c
@@ -250,17 +250,22 @@ static json_t *
sign_key_issue_to_json (const struct TALER_MintSigningKeyValidityPS *ski)
{
return
- json_pack ("{s:o, s:o, s:o, s:o}",
+ json_pack ("{s:o, s:o, s:o, s:o, s:o, s:o}",
"stamp_start",
TALER_json_from_abs (GNUNET_TIME_absolute_ntoh (ski->start)),
"stamp_expire",
TALER_json_from_abs (GNUNET_TIME_absolute_ntoh (ski->expire)),
+ "stamp_end",
+ TALER_json_from_abs (GNUNET_TIME_absolute_ntoh (ski->end)),
+ "master_pub",
+ TALER_json_from_data (&ski->master_public_key,
+ sizeof (struct TALER_MasterPublicKeyP)),
"master_sig",
TALER_json_from_data (&ski->signature,
- sizeof (struct GNUNET_CRYPTO_EddsaSignature)),
+ sizeof (struct TALER_MasterSignatureP)),
"key",
TALER_json_from_data (&ski->signkey_pub,
- sizeof (struct GNUNET_CRYPTO_EddsaPublicKey)));
+ sizeof (struct TALER_MintPublicKeyP)));
}
generated by cgit v1.2.3 (git 2.26.2) at 2024-11-10 09:57:45 +0000