From 6e070416c3c04a6277fc890125150b027a5fdf7a Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Sat, 20 Jun 2015 23:19:21 +0200 Subject: generate /keys signature as binary-only --- src/include/taler_mint_service.h | 11 ++++++ src/mint-lib/mint_api_handle.c | 66 +++++++++++++++++++++++++++++++----- src/mint/taler-mint-httpd_keystate.c | 4 +-- 3 files changed, 70 insertions(+), 11 deletions(-) diff --git a/src/include/taler_mint_service.h b/src/include/taler_mint_service.h index 2f641241f..7ebb5dade 100644 --- a/src/include/taler_mint_service.h +++ b/src/include/taler_mint_service.h @@ -300,6 +300,17 @@ void TALER_MINT_disconnect (struct TALER_MINT_Handle *mint); +/** + * Obtain the current signing key from the mint. + * + * @param keys the mint's key set + * @return sk current online signing key for the mint, NULL on error + */ +const struct TALER_MintPublicKeyP * +TALER_MINT_get_signing_key (struct TALER_MINT_Keys *keys); + + + #if 0 // FIXME: API below with json-crap is too low-level... diff --git a/src/mint-lib/mint_api_handle.c b/src/mint-lib/mint_api_handle.c index 9d6c4b0a0..2f348d475 100644 --- a/src/mint-lib/mint_api_handle.c +++ b/src/mint-lib/mint_api_handle.c @@ -308,13 +308,15 @@ parse_json_signkey (struct TALER_MINT_SigningPublicKey *sign_key, * @param[out] denom_key where to return the result * @param[in] denom_key_obj json to parse * @param master_key master key to use to verify signature + * @param hash_context where to accumulate data for signature verification * @return #GNUNET_OK if all is fine, #GNUNET_SYSERR if the signature is * invalid or the json malformed. */ static int parse_json_denomkey (struct TALER_MINT_DenomPublicKey *denom_key, json_t *denom_key_obj, - struct TALER_MasterPublicKeyP *master_key) + struct TALER_MasterPublicKeyP *master_key, + struct GNUNET_HashContext *hash_context) { struct GNUNET_TIME_Absolute valid_from; struct GNUNET_TIME_Absolute withdraw_valid_until; 
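Review bot: The doc comment added in taler_mint_service.h for `TALER_MINT_get_signing_key` leaves out what a caller needs to use the result safely. The returned pointer appears to alias an entry inside `keys` (the implementation later in this patch returns `&keys->sign_keys[i].key`), and "current" is decided by the local clock. I would reword the return tag to `@return signing key valid at the current local time (borrowed from @a keys, do not free), NULL if no key is valid now` and drop the stray `sk`. Since the function only reads the key set, the parameter could also be declared `const struct TALER_MINT_Keys *keys`.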
@@ -387,6 +389,9 @@ parse_json_denomkey (struct TALER_MINT_DenomPublicKey *denom_key, &denom_key_issue.purpose, &sig, &master_key->eddsa_pub)); + GNUNET_CRYPTO_hash_context_read (hash_context, + &denom_key_issue.denom_hash, + sizeof (struct GNUNET_HashCode)); denom_key->key.rsa_public_key = pk; denom_key->valid_from = valid_from; denom_key->withdraw_valid_until = withdraw_valid_until; @@ -416,15 +421,22 @@ decode_keys_json (json_t *resp_obj, struct TALER_MINT_Keys *key_data) { struct GNUNET_TIME_Absolute list_issue_date; + struct TALER_MintSignatureP sig; + struct TALER_MintKeySetPS ks; + struct GNUNET_HashContext *hash_context; + const struct TALER_MintPublicKeyP *pub; if (JSON_OBJECT != json_typeof (resp_obj)) return GNUNET_SYSERR; + hash_context = GNUNET_CRYPTO_hash_context_start (); /* parse the master public key and issue date of the response */ { struct MAJ_Specification spec[] = { MAJ_spec_fixed_auto ("master_public_key", &key_data->master_pub), + MAJ_spec_fixed_auto ("eddsa_sig", + &sig), MAJ_spec_absolute_time ("list_issue_date", &list_issue_date), MAJ_spec_end 
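Review bot: The `GNUNET_CRYPTO_hash_context_read` call added in parse_json_denomkey makes the key-set hash depend on the order in which denomination keys are parsed, and nothing in the hunk records that. A comment above the call such as `/* feed the verified denom_hash into the key-set hash; order must match the order the mint hashed the keys */` would state the contract. The call sits after what looks like the master-signature check (only the tail of that `EXITIF` is visible), so only hashes of verified keys are accumulated, which is worth saying in the same comment. The function body starts and ends outside the hunk.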
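Review bot: The signature chain that decode_keys_json now verifies is rooted in `master_public_key`, which this hunk shows being read from the same response into `key_data->master_pub`. A response that supplies its own master key, signing keys and `eddsa_sig` would therefore be internally consistent. Whether the caller compares `key_data->master_pub` with a configured master key is not visible here, so I would at least document it: `/* NOTE: master_pub comes from the response; caller must check it against the pinned mint master key */`. Separately, `hash_context` is started right after the type check, so every exit from that point on has to finish or abort it; the function continues outside this hunk.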
@@ -476,19 +488,34 @@ decode_keys_json (json_t *resp_obj, EXITIF (GNUNET_SYSERR == parse_json_denomkey (&key_data->denom_keys[index], denom_key_obj, - &key_data->master_pub)); + &key_data->master_pub, + hash_context)); } } return GNUNET_OK; - /* FIXME: parse the auditor keys */ - - /* FIXME: parse 'eddsa_sig' */ - - /* FIXME: validate signature... */ - - EXITIF_exit: + /* FIXME: parse the auditor keys (#3847) */ + + /* Validate signature... */ + ks.purpose.size = htonl (sizeof (ks)); + ks.purpose.purpose = htonl (TALER_SIGNATURE_MINT_KEY_SET); + ks.list_issue_date = GNUNET_TIME_absolute_hton (list_issue_date); + GNUNET_CRYPTO_hash_context_finish (hash_context, + &ks.hc); + hash_context = NULL; + pub = TALER_MINT_get_signing_key (key_data); + EXITIF (NULL == pub); + EXITIF (GNUNET_OK != + GNUNET_CRYPTO_eddsa_verify (TALER_SIGNATURE_MINT_KEY_SET, + &ks.purpose, + &sig.eddsa_signature, + &pub->eddsa_pub)); return GNUNET_OK; + EXITIF_exit: + + if (NULL != hash_context) + GNUNET_CRYPTO_hash_context_abort (hash_context); + return GNUNET_SYSERR; } @@ -715,4 +742,25 @@ TALER_MINT_disconnect (struct TALER_MINT_Handle *mint) } +/** + * Obtain the current signing key from the mint. + * + * @param keys the mint's key set + * @return sk current online signing key for the mint, NULL on error + */ +const struct TALER_MintPublicKeyP * +TALER_MINT_get_signing_key (struct TALER_MINT_Keys *keys) +{ + struct GNUNET_TIME_Absolute now; + unsigned int i; + + now = GNUNET_TIME_absolute_get (); + for (i=0;inum_sign_keys;i++) + if ( (keys->sign_keys[i].valid_from.abs_value_us <= now.abs_value_us) && + (keys->sign_keys[i].valid_until.abs_value_us > now.abs_value_us) ) + return &keys->sign_keys[i].key; + return NULL; +} + + /* end of mint_api_handle.c */ diff --git a/src/mint/taler-mint-httpd_keystate.c b/src/mint/taler-mint-httpd_keystate.c index c39de1ebc..2e81c8064 100644 --- a/src/mint/taler-mint-httpd_keystate.c +++ b/src/mint/taler-mint-httpd_keystate.c 
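Review bot: As the hunk reads, the context line `return GNUNET_OK;` directly after the denomination-key loop is still in place above the added "Validate signature..." block. The `GNUNET_CRYPTO_eddsa_verify` call therefore looks unreachable, and a /keys response would be accepted without its `eddsa_sig` being checked. On that path `hash_context` is also neither finished nor aborted, so it leaks on every successful parse. Removing that first `return GNUNET_OK;` lets control fall through to the verification and the second `return GNUNET_OK;`. A test that feeds a response with a corrupted `eddsa_sig` and expects `GNUNET_SYSERR` would catch a regression here.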
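Review bot: `TALER_MINT_get_signing_key` in mint_api_handle.c picks the first signing key whose validity window contains `GNUNET_TIME_absolute_get ()`, but decode_keys_json uses the result to check a signature the mint made at `list_issue_date`. With a skewed local clock, a cached response, or a key rotation between issue and verification, this selects a key other than the signer (or none), and a valid response fails verification. If validity windows can overlap, which is not visible here, the first match may also be the wrong key. For the verification path I would select by the parsed `list_issue_date` through a static helper that takes the timestamp, or try each master-verified signing key in turn.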
@@ -525,8 +525,8 @@ TMH_KS_acquire (void) "signkeys", key_state->sign_keys_array, "denoms", key_state->denom_keys_array, "list_issue_date", TALER_json_from_abs (key_state->reload_time), - "eddsa_sig", TALER_json_from_eddsa_sig (&ks.purpose, - &sig.eddsa_signature)); + "eddsa_sig", TALER_json_from_data (&sig, + sizeof (struct TALER_MintSignatureP))); key_state->keys_json = json_dumps (keys, JSON_INDENT (2)); json_decref (keys); -- cgit v1.2.3
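Review bot: The `eddsa_sig` field in TMH_KS_acquire now goes through `TALER_json_from_data` over the bare signature instead of `TALER_json_from_eddsa_sig` with the purpose, and nothing visible in the patch marks that protocol change. A client built before this commit would presumably fail to parse /keys. If the response carries or can carry a version field, bumping it here would make the mismatch detectable. As a smaller style point, `TALER_json_from_data (&sig, sizeof (sig))` ties the length to the object rather than to a repeated type name. TMH_KS_acquire's body continues outside the hunk.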