Introduce a SignatoryManager service. #509
Conversation
| if let Ok(secret) = | ||
| <&crate::secret::Secret as TryInto<crate::nuts::nut10::Secret>>::try_into(&proof.secret) | ||
| { | ||
| // Checks and verifes known secret kinds. | ||
| // If it is an unknown secret kind it will be treated as a normal secret. | ||
| // Spending conditions will **not** be check. It is up to the wallet to ensure | ||
| // only supported secret kinds are used as there is no way for the mint to | ||
| // enforce only signing supported secrets as they are blinded at | ||
| // that point. | ||
| match secret.kind { | ||
| Kind::P2PK => { | ||
| proof.verify_p2pk()?; | ||
| } | ||
| Kind::HTLC => { | ||
| proof.verify_htlc()?; | ||
| } | ||
| } |
There was a problem hiding this comment.
Functionality like this should happen in the core mint instead of here. The message should be sent to the blind signer only if all checks are successful, including scripts etc.
| derivation_path, | ||
| Some(0), | ||
| unit.clone(), | ||
| max_order, |
There was a problem hiding this comment.
Possibly out of scope but it would be nice if this parameter would accept a slice of integers (all possible amounts) instead of a single exponent (max order).
crodas
force-pushed
the
proto/independent-signatory
branch
2 times, most recently
from
45d8352 to
a11988b
Compare
crodas
force-pushed
the
proto/independent-signatory
branch
from
a11988b to
a8c289e
Compare
|
@thesimplekid @callebtc Does it look better? Basically so far I have:
If this makes sense, |
There was a problem hiding this comment.
Move the signatory to their own repo.
You mean crate right?
This is a really good start and a structure that makes sense. I think there are still some open questions around what should be handled by the signatory and what by the mint. For example the proof verification I don't think the checking of p2pk and htlc conditions should be done by the signatory and it should only handle stuff that actually required the mint private keys. However, we do want to provide enough information that the signatory can be more then just a blind signer, doing ie rate limiting and we don't have a strong picture of what that will look like yet.
| Ok(blinded_signature) | ||
| } | ||
|
|
||
| async fn verify_proof(&self, proof: Proof) -> Result<(), Error> { |
There was a problem hiding this comment.
I don't think the full verification of the proof should be in the signatory only the verification of the signature.
crates/cdk-signatory/Cargo.toml
Outdated
| tonic = "0.12.3" | ||
| prost = "0.13.4" |
There was a problem hiding this comment.
These break MSRV, I'll figure that out on the management-rpc branch and report back
There was a problem hiding this comment.
I'll fix this, making this optional (only to compile the binary)
There was a problem hiding this comment.
I this fixed now @thesimplekid ?
crodas
force-pushed
the
proto/independent-signatory
branch
from
b8e13e4 to
77ead1b
Compare
crodas
force-pushed
the
proto/independent-signatory
branch
2 times, most recently
from
6178232 to
5c71573
Compare
crodas
force-pushed
the
proto/independent-signatory
branch
4 times, most recently
from
c9197b3 to
7fe0c8e
Compare
crodas
force-pushed
the
proto/independent-signatory
branch
10 times, most recently
from
55713c6 to
e06ec34
Compare
crodas
force-pushed
the
proto/independent-signatory
branch
3 times, most recently
from
c052ba1 to
a8fbfde
Compare
The SignatoryManager manager provides an API to interact with keysets, private keys, and all key-related operations, offering segregation between the mint and the most sensible part of the mind: the private keys. Although the default signatory runs in memory, it is completely isolated from the rest of the system and can only be communicated through the interface offered by the signatory manager. Only messages can be sent from the mintd to the Signatory trait through the Signatory Manager. This pull request sets the foundation for eventually being able to run the Signatory and all the key-related operations in a separate service, possibly in a foreign service, to offload risks, as described in cashubtc#476. The Signatory manager is concurrent and deferred any mechanism needed to handle concurrency to the Signatory trait.
crodas
force-pushed
the
proto/independent-signatory
branch
from
a8fbfde to
43227d3
Compare
Description
The SignatoryManager manager provides an API to interact with keysets, private keys, and all key-related operations, offering segregation between the mint and the most sensible part of the mind: the private keys.
Although the default signatory runs in memory, it is completely isolated from the rest of the system and can only be communicated through the interface offered by the signatory manager. Only messages can be sent from the mintd to the Signatory trait through the Signatory Manager.
This pull request sets the foundation for eventually being able to run the Signatory and all the key-related operations in a separate service, possibly in a foreign service, to offload risks, as described in #476.
The Signatory manager is concurrent and deferred any mechanism needed to handle concurrency to the Signatory trait.
TODO
Notes to the reviewers
Maybe a new terminology, other than Signatory and SignatoryManager can be used, but the idea I believe is solid.
Suggested CHANGELOG Updates
CHANGED
ADDED
REMOVED
FIXED
Checklist
just final-checkbefore committing