author | Schanzenbach, Martin <martin.schanzenbach@aisec.fraunhofer.de> | 2018-04-10 11:26:46 +0200 |
---|---|---|
committer | Schanzenbach, Martin <martin.schanzenbach@aisec.fraunhofer.de> | 2018-04-10 11:26:46 +0200 |
commit | b1af3dcf2ad69264883a398ab431fa99c7135f79 (patch) | |
tree | aed788ced81305b7cc7ed361c33fa9bb386bd087 /src/identity-provider | |
parent | e331d5f6dfb406f9c56d4b3cb69b671b317d6992 (diff) | |
add attribute expiration
Diffstat (limited to 'src/identity-provider')
-rw-r--r-- | src/identity-provider/gnunet-idp.c | 13 | ||||
-rw-r--r-- | src/identity-provider/gnunet-service-identity-provider.c | 73 | ||||
-rw-r--r-- | src/identity-provider/identity_provider.h | 5 | ||||
-rw-r--r-- | src/identity-provider/identity_provider_api.c | 3 | ||||
-rw-r--r-- | src/identity-provider/plugin_rest_identity_provider.c | 16 |
5 files changed, 95 insertions, 15 deletions
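--- a/src/identity-provider/gnunet-idp.c
+++ b/src/identity-provider/gnunet-idp.c
@@ -126,6 +126,11 @@ static struct GNUNET_IDENTITY_PROVIDER_Ticket ticket;
 */
 static struct GNUNET_IDENTITY_ATTRIBUTE_ClaimList *attr_list;
 
+/**
+* Attribute expiration interval
+*/
+static struct GNUNET_TIME_Relative exp_interval;
+
 static void
 do_cleanup(void *cls)
 {
@@ -272,6 +277,7 @@ iter_finished (void *cls)
 idp_op = GNUNET_IDENTITY_PROVIDER_attribute_store (idp_handle,
 pkey,
 claim,
+&exp_interval,
 &store_attr_cont,
 NULL);
 
@@ -383,6 +389,7 @@ run (void *cls,
 int
 main(int argc, char *const argv[])
 {
+exp_interval = GNUNET_TIME_UNIT_HOURS;
 struct GNUNET_GETOPT_CommandLineOption options[] = {
 
 GNUNET_GETOPT_option_string ('a',
@@ -430,6 +437,12 @@ main(int argc, char *const argv[])
 NULL,
 gettext_noop ("Type of attribute"),
 &type_str),
+GNUNET_GETOPT_option_relative_time ('E',
+"expiration",
+NULL,
+gettext_noop ("Expiration interval of the attribute"),
+&exp_interval),
+
 GNUNET_GETOPT_OPTION_END
 };
 return (GNUNET_OK == GNUNET_PROGRAM_run (argc, argv, "ct",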
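Review bot: The value given with `-E` is handed to `GNUNET_IDENTITY_PROVIDER_attribute_store` in `iter_finished` exactly as parsed, so a zero interval (or an unbounded one, if the option parser accepts that) is stored without any check. For identity attributes a lower and upper bound is worth enforcing here or in the service, and the help string should at least state the default, e.g. `gettext_noop ("Expiration interval of the attribute (default: 1 h)")`. The default assignment `exp_interval = GNUNET_TIME_UNIT_HOURS;` also sits ahead of the `options[]` declaration in `main`; moving it below the declarations keeps the declaration-first layout. Both `main` and `iter_finished` continue outside the hunks.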
diff --git a/src/identity-provider/gnunet-service-identity-provider.c b/src/identity-provider/gnunet-service-identity-provider.c index 207923d5e..a518d00ae 100644 --- a/src/identity-provider/gnunet-service-identity-provider.c +++ b/src/identity-provider/gnunet-service-identity-provider.c | |||
@@ -364,6 +364,11 @@ struct AttributeStoreHandle | |||
364 | struct GNUNET_IDENTITY_ATTRIBUTE_Claim *claim; | 364 | struct GNUNET_IDENTITY_ATTRIBUTE_Claim *claim; |
365 | 365 | ||
366 | /** | 366 | /** |
367 | * The attribute expiration interval | ||
368 | */ | ||
369 | struct GNUNET_TIME_Relative exp; | ||
370 | |||
371 | /** | ||
367 | * request id | 372 | * request id |
368 | */ | 373 | */ |
369 | uint32_t r_id; | 374 | uint32_t r_id; |
@@ -1308,12 +1313,29 @@ revocation_reissue_tickets (struct TicketRevocationHandle *rh) | |||
1308 | } | 1313 | } |
1309 | 1314 | ||
1310 | /** | 1315 | /** |
1311 | * Revoke next attribte by reencryption with | 1316 | * Failed to check for attribute |
1312 | * new ABE master | ||
1313 | */ | 1317 | */ |
1314 | static void | 1318 | static void |
1315 | reenc_next_attribute (struct TicketRevocationHandle *rh) | 1319 | check_attr_error (void *cls) |
1320 | { | ||
1321 | struct TicketRevocationHandle *rh = cls; | ||
1322 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, | ||
1323 | "Unable to check for existing attribute\n"); | ||
1324 | send_revocation_finished (rh, GNUNET_SYSERR); | ||
1325 | cleanup_revoke_ticket_handle (rh); | ||
1326 | } | ||
1327 | |||
1328 | /** | ||
1329 | * Check for existing attribute and overwrite | ||
1330 | */ | ||
1331 | static void | ||
1332 | check_attr_cb (void *cls, | ||
1333 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *zone, | ||
1334 | const char *label, | ||
1335 | unsigned int rd_count, | ||
1336 | const struct GNUNET_GNSRECORD_Data *rd_old) | ||
1316 | { | 1337 | { |
1338 | struct TicketRevocationHandle *rh = cls; | ||
1317 | struct GNUNET_GNSRECORD_Data rd[1]; | 1339 | struct GNUNET_GNSRECORD_Data rd[1]; |
1318 | char* buf; | 1340 | char* buf; |
1319 | char* enc_buf; | 1341 | char* enc_buf; |
@@ -1323,15 +1345,11 @@ reenc_next_attribute (struct TicketRevocationHandle *rh) | |||
1323 | char* policy; | 1345 | char* policy; |
1324 | uint32_t attr_ver; | 1346 | uint32_t attr_ver; |
1325 | 1347 | ||
1326 | if (NULL == rh->attrs->list_head) | 1348 | |
1327 | { | ||
1328 | revocation_reissue_tickets (rh); | ||
1329 | return; | ||
1330 | } | ||
1331 | buf_size = GNUNET_IDENTITY_ATTRIBUTE_serialize_get_size (rh->attrs->list_head->claim); | 1349 | buf_size = GNUNET_IDENTITY_ATTRIBUTE_serialize_get_size (rh->attrs->list_head->claim); |
1332 | buf = GNUNET_malloc (buf_size); | 1350 | buf = GNUNET_malloc (buf_size); |
1333 | GNUNET_IDENTITY_ATTRIBUTE_serialize (rh->attrs->list_head->claim, | 1351 | GNUNET_IDENTITY_ATTRIBUTE_serialize (rh->attrs->list_head->claim, |
1334 | buf); | 1352 | buf); |
1335 | rh->attrs->list_head->claim->version++; | 1353 | rh->attrs->list_head->claim->version++; |
1336 | GNUNET_asprintf (&policy, "%s_%lu", | 1354 | GNUNET_asprintf (&policy, "%s_%lu", |
1337 | rh->attrs->list_head->claim->name, | 1355 | rh->attrs->list_head->claim->name, |
@@ -1342,10 +1360,10 @@ reenc_next_attribute (struct TicketRevocationHandle *rh) | |||
1342 | * Encrypt the attribute value and store in namestore | 1360 | * Encrypt the attribute value and store in namestore |
1343 | */ | 1361 | */ |
1344 | enc_size = GNUNET_ABE_cpabe_encrypt (buf, | 1362 | enc_size = GNUNET_ABE_cpabe_encrypt (buf, |
1345 | buf_size, | 1363 | buf_size, |
1346 | policy, //Policy | 1364 | policy, //Policy |
1347 | rh->abe_key, | 1365 | rh->abe_key, |
1348 | (void**)&enc_buf); | 1366 | (void**)&enc_buf); |
1349 | GNUNET_free (buf); | 1367 | GNUNET_free (buf); |
1350 | if (GNUNET_SYSERR == enc_size) | 1368 | if (GNUNET_SYSERR == enc_size) |
1351 | { | 1369 | { |
@@ -1371,7 +1389,7 @@ reenc_next_attribute (struct TicketRevocationHandle *rh) | |||
1371 | rd[0].data = rd_buf; | 1389 | rd[0].data = rd_buf; |
1372 | rd[0].record_type = GNUNET_GNSRECORD_TYPE_ID_ATTR; | 1390 | rd[0].record_type = GNUNET_GNSRECORD_TYPE_ID_ATTR; |
1373 | rd[0].flags = GNUNET_GNSRECORD_RF_RELATIVE_EXPIRATION; | 1391 | rd[0].flags = GNUNET_GNSRECORD_RF_RELATIVE_EXPIRATION; |
1374 | rd[0].expiration_time = GNUNET_TIME_UNIT_HOURS.rel_value_us; //TODO sane? | 1392 | rd[0].expiration_time = rd_old[0].expiration_time; |
1375 | rh->ns_qe = GNUNET_NAMESTORE_records_store (ns_handle, | 1393 | rh->ns_qe = GNUNET_NAMESTORE_records_store (ns_handle, |
1376 | &rh->identity, | 1394 | &rh->identity, |
1377 | rh->attrs->list_head->claim->name, | 1395 | rh->attrs->list_head->claim->name, |
@@ -1383,6 +1401,30 @@ reenc_next_attribute (struct TicketRevocationHandle *rh) | |||
1383 | GNUNET_free (rd_buf); | 1401 | GNUNET_free (rd_buf); |
1384 | } | 1402 | } |
1385 | 1403 | ||
1404 | |||
1405 | /** | ||
1406 | * Revoke next attribte by reencryption with | ||
1407 | * new ABE master | ||
1408 | */ | ||
1409 | static void | ||
1410 | reenc_next_attribute (struct TicketRevocationHandle *rh) | ||
1411 | { | ||
1412 | if (NULL == rh->attrs->list_head) | ||
1413 | { | ||
1414 | revocation_reissue_tickets (rh); | ||
1415 | return; | ||
1416 | } | ||
1417 | /* First check if attribute still exists */ | ||
1418 | rh->ns_qe = GNUNET_NAMESTORE_records_lookup (ns_handle, | ||
1419 | &rh->identity, | ||
1420 | rh->attrs->list_head->claim->name, | ||
1421 | &check_attr_error, | ||
1422 | rh, | ||
1423 | &check_attr_cb, | ||
1424 | rh); | ||
1425 | } | ||
1426 | |||
1427 | |||
1386 | /** | 1428 | /** |
1387 | * Namestore callback after revoked attribute | 1429 | * Namestore callback after revoked attribute |
1388 | * is stored | 1430 | * is stored |
@@ -1878,7 +1920,7 @@ attr_store_task (void *cls) | |||
1878 | rd[0].data = rd_buf; | 1920 | rd[0].data = rd_buf; |
1879 | rd[0].record_type = GNUNET_GNSRECORD_TYPE_ID_ATTR; | 1921 | rd[0].record_type = GNUNET_GNSRECORD_TYPE_ID_ATTR; |
1880 | rd[0].flags = GNUNET_GNSRECORD_RF_RELATIVE_EXPIRATION; | 1922 | rd[0].flags = GNUNET_GNSRECORD_RF_RELATIVE_EXPIRATION; |
1881 | rd[0].expiration_time = GNUNET_TIME_UNIT_HOURS.rel_value_us; //TODO sane? | 1923 | rd[0].expiration_time = as_handle->exp.rel_value_us; |
1882 | as_handle->ns_qe = GNUNET_NAMESTORE_records_store (ns_handle, | 1924 | as_handle->ns_qe = GNUNET_NAMESTORE_records_store (ns_handle, |
1883 | &as_handle->identity, | 1925 | &as_handle->identity, |
1884 | as_handle->claim->name, | 1926 | as_handle->claim->name, |
@@ -1936,6 +1978,7 @@ handle_attribute_store_message (void *cls, | |||
1936 | 1978 | ||
1937 | as_handle->r_id = ntohl (sam->id); | 1979 | as_handle->r_id = ntohl (sam->id); |
1938 | as_handle->identity = sam->identity; | 1980 | as_handle->identity = sam->identity; |
1981 | as_handle->exp.rel_value_us = GNUNET_ntohll (sam->exp); | ||
1939 | GNUNET_CRYPTO_ecdsa_key_get_public (&sam->identity, | 1982 | GNUNET_CRYPTO_ecdsa_key_get_public (&sam->identity, |
1940 | &as_handle->identity_pkey); | 1983 | &as_handle->identity_pkey); |
1941 | 1984 | ||
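Review bot: `check_attr_cb` reads `rd_old[0].expiration_time` without ever looking at `rd_count`, even though `reenc_next_attribute` issues the lookup to "check if attribute still exists". If the lookup returns no records, this is an out-of-bounds (possibly NULL) read in the middle of ticket revocation. A guard at the top of the callback is needed, for example `if (0 == rd_count) { check_attr_error (rh); return; }`, or skipping to the next attribute, depending on how the list is advanced outside these hunks. The copied value is also written with `GNUNET_GNSRECORD_RF_RELATIVE_EXPIRATION` set unconditionally, so an old record that carried an absolute expiration would be reinterpreted; checking or copying `rd_old[0].flags` avoids that. Separately, `handle_attribute_store_message` takes `sam->exp` from the client and `attr_store_task` uses it with no range check.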
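--- a/src/identity-provider/identity_provider.h
+++ b/src/identity-provider/identity_provider.h
@@ -54,6 +54,11 @@ struct AttributeStoreMessage
 uint32_t attr_len GNUNET_PACKED;
 
 /**
+* The expiration interval of the attribute
+*/
+uint64_t exp GNUNET_PACKED;
+
+/**
 * Identity
 */
 struct GNUNET_CRYPTO_EcdsaPrivateKey identity;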
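Review bot: The comment on the new `exp` field gives neither unit nor byte order, which a reader of a packed wire struct needs. Going by the API and service changes in this commit, it carries `rel_value_us` converted with `GNUNET_htonll`, so the comment could read `The expiration interval of the attribute, in microseconds, network byte order`. Because the field is inserted ahead of `identity`, the message layout changes and the client library and service have to be updated together.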
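--- a/src/identity-provider/identity_provider_api.c
+++ b/src/identity-provider/identity_provider_api.c
@@ -908,6 +908,7 @@ GNUNET_IDENTITY_PROVIDER_disconnect (struct GNUNET_IDENTITY_PROVIDER_Handle *h)
 * @param h handle to the identity provider
 * @param pkey private key of the identity
 * @param attr the attribute value
+* @param exp_interval the relative expiration interval for the attribute
 * @param cont continuation to call when done
 * @param cont_cls closure for @a cont
 * @return handle to abort the request
@@ -916,6 +917,7 @@ struct GNUNET_IDENTITY_PROVIDER_Operation *
 GNUNET_IDENTITY_PROVIDER_attribute_store (struct GNUNET_IDENTITY_PROVIDER_Handle *h,
 const struct GNUNET_CRYPTO_EcdsaPrivateKey *pkey,
 const struct GNUNET_IDENTITY_ATTRIBUTE_Claim *attr,
+const struct GNUNET_TIME_Relative *exp_interval,
 GNUNET_IDENTITY_PROVIDER_ContinuationWithStatus cont,
 void *cont_cls)
 {
@@ -937,6 +939,7 @@ GNUNET_IDENTITY_PROVIDER_attribute_store (struct GNUNET_IDENTITY_PROVIDER_Handle
 GNUNET_MESSAGE_TYPE_IDENTITY_PROVIDER_ATTRIBUTE_STORE);
 sam->identity = *pkey;
 sam->id = htonl (op->r_id);
+sam->exp = GNUNET_htonll (exp_interval->rel_value_us);
 
 GNUNET_IDENTITY_ATTRIBUTE_serialize (attr,
 (char*)&sam[1]);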
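Review bot: `exp_interval` is dereferenced unconditionally at `sam->exp = GNUNET_htonll (exp_interval->rel_value_us);`, while the new `@param` line does not say the pointer must be non-NULL. Either document the requirement, e.g. `@param exp_interval the relative expiration interval for the attribute, must not be NULL`, or reject a NULL pointer before the message is built. The function body continues outside the hunks, so how other argument errors are reported is not visible here.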
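--- a/src/identity-provider/plugin_rest_identity_provider.c
+++ b/src/identity-provider/plugin_rest_identity_provider.c
@@ -546,6 +546,7 @@ add_attribute_cont (struct GNUNET_REST_RequestHandle *con_handle,
 const char* identity;
 const char* name_str;
 const char* value_str;
+const char* exp_str;
 
 struct RequestHandle *handle = cls;
 struct EgoEntry *ego_entry;
@@ -553,9 +554,11 @@ add_attribute_cont (struct GNUNET_REST_RequestHandle *con_handle,
 struct GNUNET_IDENTITY_ATTRIBUTE_Claim *attribute;
 struct GNUNET_JSONAPI_Document *json_obj;
 struct GNUNET_JSONAPI_Resource *json_res;
+struct GNUNET_TIME_Relative exp;
 char term_data[handle->rest_handle->data_size+1];
 json_t *value_json;
 json_t *data_json;
+json_t *exp_json;
 json_error_t err;
 struct GNUNET_JSON_Specification docspec[] = {
 GNUNET_JSON_spec_jsonapi_document (&json_obj),
@@ -635,6 +638,18 @@ add_attribute_cont (struct GNUNET_REST_RequestHandle *con_handle,
 return;
 }
 name_str = GNUNET_JSONAPI_resource_get_id (json_res);
+exp_json = GNUNET_JSONAPI_resource_read_attr (json_res,
+"exp");
+exp_str = json_string_value (exp_json);
+if (NULL == exp_str) {
+exp = GNUNET_TIME_UNIT_HOURS;
+} else {
+if (GNUNET_OK != GNUNET_STRINGS_fancy_time_to_relative (exp_str,
+&exp)) {
+exp = GNUNET_TIME_UNIT_HOURS;
+}
+}
+
 value_json = GNUNET_JSONAPI_resource_read_attr (json_res,
 "value");
 value_str = json_string_value (value_json);
@@ -646,6 +661,7 @@ add_attribute_cont (struct GNUNET_REST_RequestHandle *con_handle,
 handle->idp_op = GNUNET_IDENTITY_PROVIDER_attribute_store (handle->idp,
 identity_priv,
 attribute,
+&exp,
 &finished_cont,
 handle);
 GNUNET_free (attribute);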
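Review bot: A malformed `exp` in the request body is silently replaced by one hour at the inner `exp = GNUNET_TIME_UNIT_HOURS;`, so the caller gets a normal response for an attribute whose lifetime is not the one it asked for. Rejecting the request when `GNUNET_STRINGS_fancy_time_to_relative` fails, as the error path visible just above (`return;`) appears to do for other bad input, would surface the mistake. The parsed value is also passed on without any bound. If the fallback is kept on purpose, the two identical assignments can be collapsed by setting the default first and parsing only when `exp_str` is non-NULL. `add_attribute_cont` starts and ends outside the hunks.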