Merge branch 'credentials' of git+ssh://gnunet.org/gnunet into credentials

7 files changed, 219 insertions, 81 deletions

diff --git a/src/credential/credential.h b/src/credential/credential.h
index 2acaf73a5..8b5cf6db9 100644
--- a/src/credential/credential.h
+++ b/src/credential/credential.h
@@ -50,6 +50,16 @@ struct VerifyMessage
   struct GNUNET_CRYPTO_EcdsaPublicKey issuer_key;
 
   /**
+   * Length of the issuer attribute
+   */
+  uint16_t issuer_attribute_len;
+
+  /**
+   * Length of the subject attribute
+   */
+  uint16_t subject_attribute_len;
+
+  /**
    * Unique identifier for this request (for key collisions).
    */
   uint32_t id GNUNET_PACKED;
diff --git a/src/credential/credential_api.c b/src/credential/credential_api.c
index 8d3c96ca8..3be2d8bbb 100644
--- a/src/credential/credential_api.c
+++ b/src/credential/credential_api.c
@@ -369,7 +369,7 @@ GNUNET_CREDENTIAL_verify (struct GNUNET_CREDENTIAL_Handle *handle,
   struct GNUNET_CREDENTIAL_Request *vr;
   size_t nlen;
 
-  if (NULL == issuer_attribute)
+  if (NULL == issuer_attribute || NULL == subject_attribute)
   {
     GNUNET_break (0);
     return NULL;
@@ -378,7 +378,7 @@ GNUNET_CREDENTIAL_verify (struct GNUNET_CREDENTIAL_Handle *handle,
   LOG (GNUNET_ERROR_TYPE_DEBUG,
        "Trying to verify `%s' in CREDENTIAL\n",
        issuer_attribute);
-  nlen = strlen (issuer_attribute) + 1;
+  nlen = strlen (issuer_attribute) + strlen (subject_attribute) + 1;
   if (nlen >= GNUNET_SERVER_MAX_MESSAGE_SIZE - sizeof (*vr))
   {
     GNUNET_break (0);
@@ -395,9 +395,14 @@ GNUNET_CREDENTIAL_verify (struct GNUNET_CREDENTIAL_Handle *handle,
   v_msg->id = htonl (vr->r_id);
   v_msg->subject_key = *subject_key;
   v_msg->issuer_key =  *issuer_key;
+  v_msg->issuer_attribute_len = htons(strlen(issuer_attribute));
+  v_msg->subject_attribute_len = htons(strlen(subject_attribute));
   GNUNET_memcpy (&v_msg[1],
+                 issuer_attribute,
+                 strlen (issuer_attribute));
+  GNUNET_memcpy (((char*)&v_msg[1]) + strlen (issuer_attribute),
                  subject_attribute,
-                 nlen);
+                 strlen (subject_attribute));
   GNUNET_CONTAINER_DLL_insert (handle->verify_head,
                                handle->verify_tail,
                                vr);
@@ -423,23 +428,32 @@ GNUNET_CREDENTIAL_issue (struct GNUNET_CREDENTIAL_Handle *handle,
                          const char *attribute)
 {
   struct GNUNET_CREDENTIAL_CredentialRecordData *crd;
+  struct GNUNET_CRYPTO_EccSignaturePurpose *purp;
 
   crd = GNUNET_malloc (sizeof (struct GNUNET_CREDENTIAL_CredentialRecordData) + strlen (attribute) + 1);
 
-  crd->purpose.size = htonl (strlen (attribute) + 1 +
-                             sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey) +
-                                               sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) +
-                                               sizeof (struct GNUNET_TIME_AbsoluteNBO));
-  crd->purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_CREDENTIAL);
+  purp = GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey) +
+                        strlen (attribute) + 1);
+  purp->size = htonl (strlen (attribute) + 1 +
+                      sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey) +
+                                        sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose));
+  
+  purp->purpose = htonl (GNUNET_SIGNATURE_PURPOSE_CREDENTIAL);
   GNUNET_CRYPTO_ecdsa_key_get_public (issuer,
                                       &crd->issuer_key);
-
+  crd->subject_key = *subject;
   GNUNET_memcpy (&crd[1],
                  attribute,
                  strlen (attribute));
+  GNUNET_memcpy (&purp[1],
+                 subject,
+                 sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey));
+  GNUNET_memcpy (&purp[1] + sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey),
+                 attribute,
+                 strlen (attribute));
   if (GNUNET_OK !=
       GNUNET_CRYPTO_ecdsa_sign (issuer,
-                                &crd->purpose,
+                                purp,
                                 &crd->sig))
   {
     GNUNET_break (0);
diff --git a/src/credential/gnunet-credential.c b/src/credential/gnunet-credential.c
index eaad6d5cf..a7b92447b 100644
--- a/src/credential/gnunet-credential.c
+++ b/src/credential/gnunet-credential.c
@@ -180,6 +180,7 @@ identity_cb (void *cls,
 {
   const struct GNUNET_CRYPTO_EcdsaPrivateKey *privkey;
   struct GNUNET_CREDENTIAL_CredentialRecordData *crd;
+  char *res;
 
   el = NULL;
   if (NULL == ego)
@@ -200,10 +201,11 @@ identity_cb (void *cls,
                                  privkey,
                                  &subject_pkey,
                                  issuer_attr);
-  printf ("Success.\n");
-  printf (GNUNET_GNSRECORD_value_to_string (GNUNET_GNSRECORD_TYPE_CREDENTIAL,
-                                            crd,
-                                            sizeof (crd) + strlen (issuer_attr) + 1));
+  res =  GNUNET_GNSRECORD_value_to_string (GNUNET_GNSRECORD_TYPE_CREDENTIAL,
+                                           crd,
+                                           sizeof (struct GNUNET_CREDENTIAL_CredentialRecordData) + strlen (issuer_attr) + 1);
+  printf ("%s\n", res);
+  GNUNET_SCHEDULER_shutdown ();
 }
 
 
@@ -225,15 +227,6 @@ run (void *cls,
 {
 
   cfg = c;
-  credential = GNUNET_CREDENTIAL_connect (cfg);
-
-  if (NULL == credential)
-  {
-    fprintf (stderr,
-             _("Failed to connect to CREDENTIAL\n"));
-    return;
-  }
-
 
 
   tt = GNUNET_SCHEDULER_add_delayed (timeout,
@@ -281,6 +274,22 @@ run (void *cls,
                issuer_key);
       GNUNET_SCHEDULER_shutdown ();
     }
+    credential = GNUNET_CREDENTIAL_connect (cfg);
+
+    if (NULL == credential)
+    {
+      fprintf (stderr,
+               _("Failed to connect to CREDENTIAL\n"));
+      GNUNET_SCHEDULER_shutdown ();
+    }
+
+    if (NULL == issuer_attr || NULL == subject_credential)
+    {
+      fprintf (stderr,
+               _("You must provide issuer and subject attributes\n"));
+      GNUNET_SCHEDULER_shutdown ();
+    }
+
 
     verify_request = GNUNET_CREDENTIAL_verify(credential,
                                               &issuer_pkey,
@@ -332,7 +341,7 @@ main (int argc, char *const *argv)
     {'s', "subject", "PKEY",
       gettext_noop ("The public key of the subject to lookup the credential for"), 1,
       &GNUNET_GETOPT_set_string, &subject_key},
-    {'c', "credential", "CRED",
+    {'b', "credential", "CRED",
       gettext_noop ("The name of the credential presented by the subject"), 1,
       &GNUNET_GETOPT_set_string, &subject_credential},
     {'i', "issuer", "PKEY",
diff --git a/src/credential/gnunet-service-credential.c b/src/credential/gnunet-service-credential.c
index 047ea0075..792d8741e 100644
--- a/src/credential/gnunet-service-credential.c
+++ b/src/credential/gnunet-service-credential.c
@@ -228,9 +228,7 @@ check_verify (void *cls,
                     const struct VerifyMessage *v_msg)
 {
   size_t msg_size;
-  size_t attr_len;
-  const char* s_attr;
-  const char* i_attr;
+  const char* attrs;
 
   msg_size = ntohs (v_msg->header.size);
   if (msg_size < sizeof (struct VerifyMessage))
@@ -238,17 +236,16 @@ check_verify (void *cls,
     GNUNET_break (0);
     return GNUNET_SYSERR;
   }
-  i_attr = (const char *) &v_msg[1];
-  if ( ('\0' != i_attr[v_msg->header.size - sizeof (struct VerifyMessage) - 1]) ||
-       (strlen (i_attr) > GNUNET_CREDENTIAL_MAX_LENGTH) )
+  if ((ntohs (v_msg->issuer_attribute_len) > GNUNET_CREDENTIAL_MAX_LENGTH) ||
+      (ntohs (v_msg->subject_attribute_len) > GNUNET_CREDENTIAL_MAX_LENGTH))
   {
     GNUNET_break (0);
     return GNUNET_SYSERR;
   }
-  attr_len = strlen (i_attr);
-  s_attr = ((const char *) &v_msg[1]) + attr_len + 1;
-  if ( ('\0' != s_attr[v_msg->header.size - sizeof (struct VerifyMessage) - 1]) ||
-       (strlen (s_attr) > GNUNET_CREDENTIAL_MAX_LENGTH) )
+  attrs = (const char *) &v_msg[1];
+  
+  if ( ('\0' != attrs[ntohs(v_msg->header.size) - sizeof (struct VerifyMessage) - 1]) ||
+       (strlen (attrs) > GNUNET_CREDENTIAL_MAX_LENGTH * 2) )
   {
     GNUNET_break (0);
     return GNUNET_SYSERR;
@@ -328,8 +325,8 @@ send_lookup_response (void* cls,
   struct GNUNET_MQ_Envelope *env;
   struct VerifyResultMessage *rmsg;
   const struct GNUNET_CREDENTIAL_CredentialRecordData *crd;
+  struct GNUNET_CRYPTO_EccSignaturePurpose *purp;
   struct CredentialRecordEntry *cr_entry;
-  int cred_verified;
 
   cred_record_count = 0;
   struct AttributeRecordEntry *attr_entry;
@@ -361,14 +358,23 @@ send_lookup_response (void* cls,
     GNUNET_CONTAINER_DLL_insert_tail (vrh->cred_chain_head,
                                       vrh->cred_chain_tail,
                                       cr_entry);
-
+    purp = GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) +
+                          sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey) +
+                          strlen ((char*)&crd[1]) +1 );
+    purp->size = htonl (sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) +
+                        sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey) +
+                        strlen ((char*)&crd[1]) +1 );
+
+    purp->purpose = htonl (GNUNET_SIGNATURE_PURPOSE_CREDENTIAL);
     if(GNUNET_OK == GNUNET_CRYPTO_ecdsa_verify(GNUNET_SIGNATURE_PURPOSE_CREDENTIAL, 
-                                               &crd->purpose,
-                                               &crd->sig, &crd->issuer_key))
-    {   
-      cred_verified = GNUNET_YES;
+                                               purp,
+                                               &crd->sig,
+                                               &crd->issuer_key))
+    {
+      GNUNET_free (purp);
       break;
     }
+    GNUNET_free (purp);
 
   }
 
@@ -394,7 +400,6 @@ send_lookup_response (void* cls,
   }
 
 
-
   /**
    * TODO
    * Start resolution of Attribute delegations from issuer
@@ -466,12 +471,12 @@ static void
 handle_verify (void *cls,
                const struct VerifyMessage *v_msg) 
 {
+  char attrs[GNUNET_CREDENTIAL_MAX_LENGTH*2 + 1];
   char issuer_attribute[GNUNET_CREDENTIAL_MAX_LENGTH + 1];
   char subject_attribute[GNUNET_CREDENTIAL_MAX_LENGTH + 1];
-  size_t issuer_attribute_len;
   struct VerifyRequestHandle *vrh;
   struct GNUNET_SERVICE_Client *client = cls;
-  char *attrptr = issuer_attribute;
+  char *attrptr = attrs;
   const char *utf_in;
 
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
@@ -479,10 +484,11 @@ handle_verify (void *cls,
 
   utf_in = (const char *) &v_msg[1];
   GNUNET_STRINGS_utf8_tolower (utf_in, attrptr);
-  issuer_attribute_len = strlen (utf_in);
-  utf_in = (const char *) (&v_msg[1] + issuer_attribute_len + 1);
-  attrptr = subject_attribute;
-  GNUNET_STRINGS_utf8_tolower (utf_in, attrptr);
+
+  GNUNET_memcpy (issuer_attribute, attrs, ntohs (v_msg->issuer_attribute_len));
+  issuer_attribute[ntohs (v_msg->issuer_attribute_len)] = '\0';
+  GNUNET_memcpy (subject_attribute, attrs+strlen(issuer_attribute), ntohs (v_msg->subject_attribute_len));
+  subject_attribute[ntohs (v_msg->subject_attribute_len)] = '\0';
   vrh = GNUNET_new (struct VerifyRequestHandle);
   GNUNET_CONTAINER_DLL_insert (vrh_head, vrh_tail, vrh);
   vrh->client = client;
diff --git a/src/credential/plugin_gnsrecord_credential.c b/src/credential/plugin_gnsrecord_credential.c
index c7cbb8bdd..f6aec9bcc 100644
--- a/src/credential/plugin_gnsrecord_credential.c
+++ b/src/credential/plugin_gnsrecord_credential.c
@@ -73,33 +73,36 @@ credential_value_to_string (void *cls,
    }
    case GNUNET_GNSRECORD_TYPE_CREDENTIAL:
    {
-    struct GNUNET_CREDENTIAL_CredentialRecordData cred;
-    char *cred_str;
-    char *subject_pkey;
-    char *issuer_pkey;
-    if (data_size < sizeof (struct GNUNET_CREDENTIAL_CredentialRecordData))
-        return NULL; /* malformed */
-    memcpy (&cred,
-              data,
-              sizeof (cred));
-    cdata = data;  
-    subject_pkey = GNUNET_CRYPTO_ecdsa_public_key_to_string (&cred.subject_key);
-    issuer_pkey = GNUNET_CRYPTO_ecdsa_public_key_to_string (&cred.issuer_key);
-
+     struct GNUNET_CREDENTIAL_CredentialRecordData cred;
+     char *cred_str;
+     char *subject_pkey;
+     char *issuer_pkey;
+     char *signature;
+     
+     if (data_size < sizeof (struct GNUNET_CREDENTIAL_CredentialRecordData))
+       return NULL; /* malformed */
+     memcpy (&cred,
+             data,
+             sizeof (cred));
+     cdata = data;  
+     subject_pkey = GNUNET_CRYPTO_ecdsa_public_key_to_string (&cred.subject_key);
+     issuer_pkey = GNUNET_CRYPTO_ecdsa_public_key_to_string (&cred.issuer_key);
+     GNUNET_STRINGS_base64_encode ((char*)&cred.sig,
+                                   sizeof (struct GNUNET_CRYPTO_EcdsaSignature),
+                                   &signature);
      GNUNET_asprintf (&cred_str,
-                     "%s %s %s",
-                     subject_pkey,
-                     issuer_pkey,
-                     &cdata[sizeof (cred)]);
-      GNUNET_free (subject_pkey);
-      GNUNET_free (issuer_pkey);
-
-
-
-    return cred_str;
-    }
-  default:
-    return NULL;
+                      "%s.%s -> %s sig:%s",
+                      issuer_pkey,
+                      &cdata[sizeof (cred)],
+                      subject_pkey,
+                      signature);
+     GNUNET_free (subject_pkey);
+     GNUNET_free (issuer_pkey);
+     GNUNET_free (signature);
+     return cred_str;
+   }
+   default:
+   return NULL;
   }
 }
 
@@ -117,10 +120,10 @@ credential_value_to_string (void *cls,
  */
 static int
 credential_string_to_value (void *cls,
-                     uint32_t type,
-                     const char *s,
-                     void **data,
-                     size_t *data_size)
+                            uint32_t type,
+                            const char *s,
+                            void **data,
+                            size_t *data_size)
 {
   if (NULL == s)
     return GNUNET_SYSERR;
@@ -137,12 +140,15 @@ credential_string_to_value (void *cls,
         char subject_pkey[enclen + 1];
         char issuer_pkey[enclen + 1];
         char name[253 + 1];
+        char signature[128]; //TODO max payload size
+        struct GNUNET_CRYPTO_EcdsaSignature *sig;
 
-        if (5 != SSCANF (s,
-                         "%52s %52s %253s",
-                         subject_pkey,
+        if (4 != SSCANF (s,
+                         "%52s.%253s -> %52s sig:%s",
                          issuer_pkey,
-                         name))
+                         name,
+                         subject_pkey,
+                         signature))
         {
           GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
                       _("Unable to parse CRED record string `%s'\n"),
@@ -157,6 +163,11 @@ credential_string_to_value (void *cls,
         GNUNET_CRYPTO_ecdsa_public_key_from_string (issuer_pkey,
                                                     strlen (issuer_pkey),
                                                     &cred->issuer_key);
+        GNUNET_STRINGS_base64_decode (signature,
+                                      strlen (signature),
+                                      (char**)&sig);
+        cred->sig = *sig;
+        GNUNET_free (sig);
         GNUNET_memcpy (&cred[1],
                        name,
                        strlen (name));
diff --git a/src/credential/test_credential_issue.sh b/src/credential/test_credential_issue.sh
new file mode 100755
index 000000000..95eac2957
--- /dev/null
+++ b/src/credential/test_credential_issue.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+trap "gnunet-arm -e -c test_credential_lookup.conf" SIGINT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_credential_lookup.conf -s PATHS -o GNUNET_HOME -f`
+
+#  (1) PKEY1.user -> PKEY2.resu.user
+#  (2) PKEY2.resu -> PKEY3
+#  (3) PKEY3.user -> PKEY4
+
+
+which timeout &> /dev/null && DO_TIMEOUT="timeout 30"
+
+TEST_ATTR="test"
+gnunet-arm -s -c test_credential_lookup.conf
+gnunet-identity -C testissuer -c test_credential_lookup.conf
+gnunet-identity -C testsubject -c test_credential_lookup.conf
+SUBJECT_KEY=$(gnunet-identity -d -c test_credential_lookup.conf | grep testsubject | awk '{print $3}')
+ISSUER_KEY=$(gnunet-identity -d -c test_credential_lookup.conf | grep testissuer | awk '{print $3}')
+#TODO1 Get credential and store it with subject (3)
+$DO_TIMEOUT gnunet-credential --issue --ego=testissuer --subject=$SUBJECT_KEY --attribute=$TEST_ATTR -c test_credential_lookup.conf
+STATUS=$?
+
+gnunet-arm -e -c test_credential_lookup.conf
+exit $STATUS
diff --git a/src/credential/test_credential_verify_simple.sh b/src/credential/test_credential_verify_simple.sh
new file mode 100755
index 000000000..73ea24137
--- /dev/null
+++ b/src/credential/test_credential_verify_simple.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+trap "gnunet-arm -e -c test_credential_lookup.conf" SIGINT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_credential_lookup.conf -s PATHS -o GNUNET_HOME -f`
+
+#  (3) Isser.user -> Subject
+
+
+which timeout &> /dev/null && DO_TIMEOUT="timeout 30"
+gnunet-arm -s -c test_credential_lookup.conf
+gnunet-identity -C testissuer -c test_credential_lookup.conf
+gnunet-identity -C testsubject -c test_credential_lookup.conf
+
+TEST_ATTR="user"
+SUBJECT_KEY=$(gnunet-identity -d -c test_credential_lookup.conf | grep testsubject | awk '{print $3}')
+ISSUER_KEY=$(gnunet-identity -d -c test_credential_lookup.conf | grep testissuer | awk '{print $3}')
+CRED=`$DO_TIMEOUT gnunet-credential --issue --ego=testissuer --subject=$SUBJECT_KEY --attribute=$TEST_ATTR -c test_credential_lookup.conf`
+
+TEST_CREDENTIAL="t1"
+gnunet-namestore -p -z testsubject -a -n $TEST_CREDENTIAL -t CRED -V "$CRED" -e 5m -c test_credential_lookup.conf
+
+#TODO2 Add -z swich like in gnunet-gns
+#RES_CRED=`$DO_TIMEOUT gnunet-credential --verify --issuer=$ISSUER_KEY --attribute="$TEST_ATTR" --subject=$SUBJECT_KEY --credential=$TEST_CREDENTIAL -c test_credential_lookup.conf`
+valgrind gnunet-credential --verify --issuer=$ISSUER_KEY --attribute=$TEST_ATTR --subject=$SUBJECT_KEY --credential=$TEST_CREDENTIAL -c test_credential_lookup.conf
+
+#TODO cleanup properly
+gnunet-namestore -z testsubject -d -n $TEST_CREDENTIAL -t CRED -e never -c test_credential_lookup.conf
+gnunet-identity -D testsubject -c test_credential_lookup.conf
+gnunet-arm -e -c test_credential_lookup.conf
+
+#TODO3 proper test
+exit 0
+
+if [ "$RES_CRED" == "Ok!" ]
+then
+  exit 0
+else
+  echo "FAIL: Failed to verify credential $RES_IP."
+  exit 1
+fi