Introduce a SignatoryManager service. #509
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
callebtc
reviewed
Dec 23, 2024
Comment on lines
242
to
258
| if let Ok(secret) = | ||
| <&crate::secret::Secret as TryInto<crate::nuts::nut10::Secret>>::try_into(&proof.secret) | ||
| { | ||
| // Checks and verifes known secret kinds. | ||
| // If it is an unknown secret kind it will be treated as a normal secret. | ||
| // Spending conditions will **not** be check. It is up to the wallet to ensure | ||
| // only supported secret kinds are used as there is no way for the mint to | ||
| // enforce only signing supported secrets as they are blinded at | ||
| // that point. | ||
| match secret.kind { | ||
| Kind::P2PK => { | ||
| proof.verify_p2pk()?; | ||
| } | ||
| Kind::HTLC => { | ||
| proof.verify_htlc()?; | ||
| } | ||
| } |
There was a problem hiding this comment.
Functionality like this should happen in the core mint instead of here. The message should be sent to the blind signer only if all checks are successful, including scripts etc.
| derivation_path, | ||
| Some(0), | ||
| unit.clone(), | ||
| max_order, |
There was a problem hiding this comment.
Possibly out of scope but it would be nice if this parameter would accept a slice of integers (all possible amounts) instead of a single exponent (max order).
2 tasks
crodas
force-pushed
the
proto/independent-signatory
branch
2 times, most recently
from
45d8352 to
a11988b
Compare
The SignatoryManager manager provides an API to interact with keysets, private keys, and all key-related operations, offering segregation between the mint and the most sensible part of the mind: the private keys. Although the default signatory runs in memory, it is completely isolated from the rest of the system and can only be communicated through the interface offered by the signatory manager. Only messages can be sent from the mintd to the Signatory trait through the Signatory Manager. This pull request sets the foundation for eventually being able to run the Signatory and all the key-related operations in a separate service, possibly in a foreign service, to offload risks, as described in cashubtc#476. The Signatory manager is concurrent and deferred any mechanism needed to handle concurrency to the Signatory trait.
crodas
force-pushed
the
proto/independent-signatory
branch
from
a11988b to
a8c289e
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
The SignatoryManager manager provides an API to interact with keysets, private keys, and all key-related operations, offering segregation between the mint and the most sensible part of the mind: the private keys.
Although the default signatory runs in memory, it is completely isolated from the rest of the system and can only be communicated through the interface offered by the signatory manager. Only messages can be sent from the mintd to the Signatory trait through the Signatory Manager.
This pull request sets the foundation for eventually being able to run the Signatory and all the key-related operations in a separate service, possibly in a foreign service, to offload risks, as described in #476.
The Signatory manager is concurrent and deferred any mechanism needed to handle concurrency to the Signatory trait.
TODO
Notes to the reviewers
Maybe a new terminology, other than Signatory and SignatoryManager can be used, but the idea I believe is solid.
Suggested CHANGELOG Updates
CHANGED
ADDED
REMOVED
FIXED
Checklist
just final-checkbefore committing