minor renaming of signature values and improved documentation of signatures, also adding a few missing fields to signatures to address #3631

3 files changed, 207 insertions, 78 deletions

diff --git a/src/include/taler_crypto_lib.h b/src/include/taler_crypto_lib.h
index cfd588a52..5b45661b7 100644
--- a/src/include/taler_crypto_lib.h
+++ b/src/include/taler_crypto_lib.h
@@ -197,33 +197,45 @@ struct TALER_MasterSignatureP
 
 
 /**
- * Type of public keys for Taler coins.
+ * Type of public keys for Taler coins.  The same key material is used
+ * for ECDSA and ECDHE operations.
  */
 union TALER_CoinSpendPublicKeyP
 {
   /**
-   * Taler uses ECDSA for coins.
+   * Taler uses ECDSA for coins when signing deposit requests.
    */
   struct GNUNET_CRYPTO_EcdsaPublicKey ecdsa_pub;
+
+  /**
+   * Taler uses ECDH(E) for coin linkage during refresh operations.
+   */
+  struct GNUNET_CRYPTO_EcdhePublicKey ecdhe_pub;
 };
 
 
 /**
- * Type of private keys for Taler coins.
+ * Type of private keys for Taler coins.  The same key material is used
+ * for ECDSA and ECDHE operations.
  */
 union TALER_CoinSpendPrivateKeyP
 {
   /**
-   * Taler uses ECDSA for coins.
+   * Taler uses ECDSA for coins when signing deposit requests.
    */
   struct GNUNET_CRYPTO_EcdsaPrivateKey ecdsa_priv;
+
+  /**
+   * Taler uses ECDHE for coin linkage during refresh operations.
+   */
+  struct GNUNET_CRYPTO_EcdhePrivateKey ecdhe_priv;
 };
 
 
 /**
  * Type of signatures made with Taler coins.
  */
-union TALER_CoinSpendSignatureP
+struct TALER_CoinSpendSignatureP
 {
   /**
    * Taler uses ECDSA for coins.
diff --git a/src/include/taler_mintdb_plugin.h b/src/include/taler_mintdb_plugin.h
index 7cd3e9202..e6f87c4aa 100644
--- a/src/include/taler_mintdb_plugin.h
+++ b/src/include/taler_mintdb_plugin.h
@@ -186,7 +186,7 @@ struct Deposit
    * by @e h_wire in relation to the contract identified
    * by @e h_contract.
    */
-  union TALER_CoinSpendSignatureP csig;
+  struct TALER_CoinSpendSignatureP csig;
 
   /**
    * Public key of the merchant.  Enables later identification
@@ -268,7 +268,7 @@ struct RefreshMelt
   /**
    * Signature over the melting operation.
    */
-  union TALER_CoinSpendSignatureP coin_sig;
+  struct TALER_CoinSpendSignatureP coin_sig;
 
   /**
    * Hash of the refresh session this coin is melted into.
@@ -384,7 +384,7 @@ struct Lock
   /**
    * Signature over the locking operation.
    */
-  union TALER_CoinSpendSignatureP coin_sig;
+  struct TALER_CoinSpendSignatureP coin_sig;
 
   /**
    * How much value is being locked?
diff --git a/src/include/taler_signatures.h b/src/include/taler_signatures.h
index 8363c23dd..4e9418966 100644
--- a/src/include/taler_signatures.h
+++ b/src/include/taler_signatures.h
@@ -40,53 +40,47 @@
  */
 #define TALER_CNC_KAPPA 3
 
+/*********************************************/
+/* Mint offline signatures (with master key) */
+/*********************************************/
 
 /**
- * Purpose for signing public keys signed
- * by the mint master key.
+ * Purpose for signing public keys signed by the mint master key.
  */
-#define TALER_SIGNATURE_MINT_SIGNING_KEY_VALIDITY 1
+#define TALER_SIGNATURE_MASTER_SIGNING_KEY_VALIDITY 1
 
 /**
- * Purpose for denomination keys signed
- * by the mint master key.
+ * Purpose for denomination keys signed by the mint master key.
  */
-#define TALER_SIGNATURE_MINT_DENOMINATION_KEY_VALIDITY 2
+#define TALER_SIGNATURE_MASTER_DENOMINATION_KEY_VALIDITY 2
 
-/**
- * Purpose for the state of a reserve,
- * signed by the mint's signing key.
- */
-#define TALER_SIGNATURE_MINT_RESERVE_STATUS 3
 
-/**
- * Signature where the reserve key
- * confirms a withdraw request.
- */
-#define TALER_SIGNATURE_RESERVE_WITHDRAW_REQUEST 4
+/*********************************************/
+/* Mint online signatures (with signing key) */
+/*********************************************/
 
 /**
- * Signature using a coin key confirming the melting of
- * a coin.
+ * Purpose for the state of a reserve, signed by the mint's signing
+ * key.
  */
-#define TALER_SIGNATURE_COIN_MELT 5
+#define TALER_SIGNATURE_MINT_RESERVE_STATUS 32
 
 /**
- * Signature where the mint (current signing key)
- * confirms the no-reveal index for cut-and-choose and
- * the validity of the melted coins.
+ * Signature where the Mint confirms a deposit request.
  */
-#define TALER_SIGNATURE_MINT_MELT_RESPONSE 6
+#define TALER_SIGNATURE_MINT_CONFIRM_DEPOSIT 33
 
 /**
- * Signature where the Mint confirms a deposit request.
+ * Signature where the mint (current signing key) confirms the
+ * no-reveal index for cut-and-choose and the validity of the melted
+ * coins.
  */
-#define TALER_SIGNATURE_COIN_DEPOSIT 7
+#define TALER_SIGNATURE_MINT_CONFIRM_MELT 34
 
 /**
  * Signature where the Mint confirms the full /keys response set.
  */
-#define TALER_SIGNATURE_MINT_KEY_SET 8
+#define TALER_SIGNATURE_MINT_KEY_SET 35
 
 
 /***********************/
@@ -94,26 +88,34 @@
 /***********************/
 
 /**
- * Signature where the merchant confirms a contract
+ * Signature where the merchant confirms a contract (to the customer).
  */
 #define TALER_SIGNATURE_MERCHANT_CONTRACT 101
 
+/**
+ * Signature where the merchant confirms a refund (of a coin).
+ */
+#define TALER_SIGNATURE_MERCHANT_REFUND 102
+
+
 /*********************/
 /* Wallet signatures */
 /*********************/
 
 /**
- * Signature made by the wallet of a user to confirm a deposit permission
- * FIXME: this is #TALER_SIGNATURE_COIN_DEPOSIT already!
+ * Signature where the reserve key confirms a withdraw request.
  */
-#define TALER_SIGNATURE_WALLET_DEPOSIT 201
+#define TALER_SIGNATURE_WALLET_RESERVE_WITHDRAW 200
 
 /**
- * Signature made by the wallet of a user to confirm a incremental
- * deposit permission.
- * FIXME: this MIGHT also be #TALER_SIGNATURE_COIN_DEPOSIT already!
+ * Signature made by the wallet of a user to confirm a deposit of a coin.
  */
-#define TALER_SIGNATURE_WALLET_DEPOSIT_INCREMENTAL 202
+#define TALER_SIGNATURE_WALLET_COIN_DEPOSIT 201
+
+/**
+ * Signature using a coin key confirming the melting of a coin.
+ */
+#define TALER_SIGNATURE_WALLET_COIN_MELT 202
 
 
 
@@ -127,7 +129,8 @@ struct TALER_WithdrawRequestPS
 {
 
   /**
-   * Purpose must be #TALER_SIGNATURE_RESERVE_WITHDRAW_REQUEST.
+   * Purpose must be #TALER_SIGNATURE_WALLET_RESERVE_WITHDRAW.
+   * Used with an EdDSA signature of a `struct TALER_ReservePublicKeyP`.
    */
   struct GNUNET_CRYPTO_EccSignaturePurpose purpose;
 
@@ -165,7 +168,8 @@ struct TALER_WithdrawRequestPS
 struct TALER_DepositRequestPS
 {
   /**
-   * Purpose must be #TALER_SIGNATURE_WALLET_DEPOSIT
+   * Purpose must be #TALER_SIGNATURE_WALLET_COIN_DEPOSIT.
+   * Used for an ECDSA signature with the `union TALER_CoinSpendPublicKeyP`.
    */
   struct GNUNET_CRYPTO_EccSignaturePurpose purpose;
 
@@ -180,20 +184,68 @@ struct TALER_DepositRequestPS
   struct GNUNET_HashCode h_wire;
 
   /**
+   * Time when this request was generated.  Used, for example, to
+   * assess when (roughly) the income was achieved for tax purposes.
+   * Note that the Mint will only check that the timestamp is not "too
+   * far" into the future (i.e. several days).  The fact that the
+   * timestamp falls within the validity period of the coin's
+   * denomination key is irrelevant for the validity of the deposit
+   * request, as obviously the customer and merchant could conspire to
+   * set any timestamp.  Also, the Mint must accept very old deposit
+   * requests, as the merchant might have been unable to transmit the
+   * deposit request in a timely fashion (so back-dating is not
+   * prevented).
+   */
+  struct GNUNET_TIME_AbsoluteNBO timestamp;
+
+  /**
+   * How much time does the merchant have to issue a refund request?
+   * Zero if refunds are not allowed.  After this time, the coin
+   * cannot be refunded.
+   */
+  struct GNUNET_TIME_AbsoluteNBO refund_deadline;
+
+  /**
    * Merchant-generated transaction ID to detect duplicate
-   * transactions.
+   * transactions.  The merchant must communicate a merchant-unique ID
+   * to the customer for each transaction.  Note that different coins
+   * that are part of the same transaction can use the same
+   * transaction ID.  The transaction ID is useful for later disputes,
+   * and the merchant's contract offer (@e h_contract) with the
+   * customer should include the offer's term and transaction ID
+   * signed with a key from the merchant.
    */
   uint64_t transaction_id GNUNET_PACKED;
 
   /**
-   * Amount to be deposited, including fee.
+   * Amount to be deposited, including deposit fee charged by the
+   * mint.  This is the total amount that the coin's value at the mint
+   * will be reduced by.
    */
   struct TALER_AmountNBO amount_with_fee;
-  /* FIXME: we should probably also include the value of
-     the depositing fee here as well! */
 
   /**
-   * The coin's public key.
+   * Depositing fee charged by the mint.  This must match the Mint's
+   * denomination key's depositing fee.  If the client puts in an
+   * invalid deposit fee (too high or too low) that does not match the
+   * Mint's denomination key, the deposit operation is invalid and
+   * will be rejected by the mint.  The @e amount_with_fee minus the
+   * @e deposit_fee is the amount that will be transferred to the
+   * account identified by @e h_wire.
+   */
+  struct TALER_AmountNBO deposit_fee;
+
+  /**
+   * The Merchant's public key.  Allows the merchant to later refund
+   * the transaction.  All zeros if nobody is allowed to refund the
+   * transaction later.
+   */
+  struct TALER_MerchantPublicKeyP merchant;
+
+  /**
+   * The coin's public key.  This is the value that must have been
+   * signed (blindly) by the Mint.  The deposit request is to be
+   * signed by the corresponding private key (using ECDSA).
    */
   union TALER_CoinSpendPublicKeyP coin_pub;
 
@@ -207,7 +259,8 @@ struct TALER_DepositRequestPS
 struct TALER_DepositConfirmationPS
 {
   /**
-   * Purpose must be #TALER_SIGNATURE_COIN_DEPOSIT
+   * Purpose must be #TALER_SIGNATURE_MINT_CONFIRM_DEPOSIT.  Signed
+   * by a `struct TALER_MintPublicKeyP` using EdDSA.
    */
   struct GNUNET_CRYPTO_EccSignaturePurpose purpose;
 
@@ -228,20 +281,36 @@ struct TALER_DepositConfirmationPS
   uint64_t transaction_id GNUNET_PACKED;
 
   /**
-   * Amount to be deposited, including fee.
+   * Time when this confirmation was generated.
    */
-  struct TALER_AmountNBO amount_with_fee;
+  struct GNUNET_TIME_AbsoluteNBO timestamp;
+
+  /**
+   * How much time does the @e merchant have to issue a refund
+   * request?  Zero if refunds are not allowed.  After this time, the
+   * coin cannot be refunded.  Note that the wire transfer will not be
+   * performed by the mint until the refund deadline.  This value
+   * is taken from the original deposit request.
+   */
+  struct GNUNET_TIME_AbsoluteNBO refund_deadline;
 
-  /* FIXME: we should probably also include the value of
-     the depositing fee here as well! */
+  /**
+   * Amount to be deposited, excluding fee.  Calculated from the
+   * amount with fee and the fee from the deposit request.
+   */
+  struct TALER_AmountNBO amount_without_fee;
 
   /**
-   * The coin's public key.
+   * The coin's public key.  This is the value that must have been
+   * signed (blindly) by the Mint.  The deposit request is to be
+   * signed by the corresponding private key (using ECDSA).
    */
   union TALER_CoinSpendPublicKeyP coin_pub;
 
   /**
-   * The Merchant's public key.
+   * The Merchant's public key.  Allows the merchant to later refund
+   * the transaction.  All zeros if nobody is allowed to refund the
+   * transaction later.
    */
   struct TALER_MerchantPublicKeyP merchant;
 
@@ -249,13 +318,14 @@ struct TALER_DepositConfirmationPS
 
 
 /**
- * Message signed by a coin to indicate that the coin should
- * be melted.
+ * Message signed by a coin to indicate that the coin should be
+ * melted.
  */
 struct TALER_RefreshMeltCoinAffirmationPS
 {
   /**
-   * Purpose is #TALER_SIGNATURE_COIN_MELT.
+   * Purpose is #TALER_SIGNATURE_WALLET_COIN_MELT.
+   * Used for an ECDSA signature with the `union TALER_CoinSpendPublicKeyP`.
    */
   struct GNUNET_CRYPTO_EccSignaturePurpose purpose;
 
@@ -274,11 +344,21 @@ struct TALER_RefreshMeltCoinAffirmationPS
    */
   struct TALER_AmountNBO amount_with_fee;
 
-  /* FIXME: we should probably also include the value of
-     the melting fee here as well! */
+  /**
+   * Melting fee charged by the mint.  This must match the Mint's
+   * denomination key's melting fee.  If the client puts in an invalid
+   * melting fee (too high or too low) that does not match the Mint's
+   * denomination key, the melting operation is invalid and will be
+   * rejected by the mint.  The @e amount_with_fee minus the @e
+   * melt_fee is the amount that will be credited to the melting
+   * session.
+   */
+  struct TALER_AmountNBO melt_fee;
 
   /**
-   * The coin's public key.
+   * The coin's public key.  This is the value that must have been
+   * signed (blindly) by the Mint.  The deposit request is to be
+   * signed by the corresponding private key (using ECDSA).
    */
   union TALER_CoinSpendPublicKeyP coin_pub;
 };
@@ -293,7 +373,8 @@ struct TALER_RefreshMeltCoinAffirmationPS
 struct TALER_RefreshMeltConfirmationPS
 {
   /**
-   * Purpose is #TALER_SIGNATURE_MINT_MELT_RESPONSE.
+   * Purpose is #TALER_SIGNATURE_MINT_CONFIRM_MELT.   Signed
+   * by a `struct TALER_MintPublicKeyP` using EdDSA.
    */
   struct GNUNET_CRYPTO_EccSignaturePurpose purpose;
 
@@ -303,7 +384,8 @@ struct TALER_RefreshMeltConfirmationPS
   struct GNUNET_HashCode session_hash;
 
   /**
-   * Index that the client will not have to reveal.
+   * Index that the client will not have to reveal, in NBO.
+   * Must be smaller than #TALER_CNC_KAPPA.
    */
   uint16_t noreveal_index GNUNET_PACKED;
 };
@@ -322,7 +404,7 @@ struct TALER_MintSigningKeyValidityPS
   struct TALER_MasterSignatureP signature;
 
   /**
-   * Purpose is #TALER_SIGNATURE_MINT_SIGNING_KEY_VALIDITY.
+   * Purpose is #TALER_SIGNATURE_MASTER_SIGNING_KEY_VALIDITY.
    */
   struct GNUNET_CRYPTO_EccSignaturePurpose purpose;
 
@@ -338,14 +420,25 @@ struct TALER_MintSigningKeyValidityPS
   struct GNUNET_TIME_AbsoluteNBO start;
 
   /**
-   * When does this signing key expire? Note: This is
-   * currently when the Mint will definitively stop using it.
-   * This does not mean that all signatures with tkey key are
-   * afterwards invalid.
+   * When does this signing key expire? Note: This is currently when
+   * the Mint will definitively stop using it.  Signatures made with
+   * the key remain valid until @e end.  When checking validity periods,
+   * clients should allow for some overlap between keys and tolerate
+   * the use of either key during the overlap time (due to the
+   * possibility of clock skew).
    */
   struct GNUNET_TIME_AbsoluteNBO expire;
 
   /**
+   * When do signatures with this signing key become invalid?  After
+   * this point, these signatures cannot be used in (legal) disputes
+   * anymore, as the Mint is then allowed to destroy its side of the
+   * evidence.  @e end is expected to be significantly larger than @e
+   * expire (by a year or more).
+   */
+  struct GNUNET_TIME_AbsoluteNBO end;
+
+  /**
    * The public online signing key that the mint will use
    * between @e start and @e expire.
    */
@@ -362,7 +455,8 @@ struct TALER_MintKeySetPS
 {
 
   /**
-   * Purpose is #TALER_SIGNATURE_MINT_KEY_SET
+   * Purpose is #TALER_SIGNATURE_MINT_KEY_SET.   Signed
+   * by a `struct TALER_MintPublicKeyP` using EdDSA.
    */
   struct GNUNET_CRYPTO_EccSignaturePurpose purpose;
 
@@ -372,7 +466,11 @@ struct TALER_MintKeySetPS
   struct GNUNET_TIME_AbsoluteNBO list_issue_date;
 
   /**
-   * Hash over the "inner" JSON with the key set.
+   * Hash over the "inner" JSON with the key set.  FIXME: The use of
+   * JSON as what is being signed here is a bit of a hack, as the
+   * result depends on the JSON indentation and being canonical.
+   * We should consider using a more well-defined binary format to
+   * sign. (#3739)
    */
   struct GNUNET_HashCode hc;
 };
@@ -385,13 +483,12 @@ struct TALER_MintKeySetPS
 struct TALER_DenominationKeyValidityPS
 {
   /**
-   * Signature over this struct to affirm the validity
-   * of the key.
+   * Signature over this struct to affirm the validity of the key.
    */
   struct TALER_MasterSignatureP signature;
 
   /**
-   * Purpose is #TALER_SIGNATURE_MINT_DENOMINATION_KEY_VALIDITY.
+   * Purpose is #TALER_SIGNATURE_MASTER_DENOMINATION_KEY_VALIDITY.
    */
   struct GNUNET_CRYPTO_EccSignaturePurpose purpose;
 
@@ -407,8 +504,16 @@ struct TALER_DenominationKeyValidityPS
   struct GNUNET_TIME_AbsoluteNBO start;
 
   /**
-   * The mint will sign fresh coins between @e start and
-   * this time.
+   * The mint will sign fresh coins between @e start and this time.
+   * @e expire_withdraw will be somewhat larger than @e start to
+   * ensure a sufficiently large anonymity set, while also allowing
+   * the Mint to limit the financial damage in case of a key being
+   * compromised.  Thus, mints with low volume are expected to have a
+   * longer withdraw period (@e expire_withdraw - @e start) than mints
+   * with high transaction volume.  The period may also differ between
+   * types of coins.  A mint may also have a few denomination keys
+   * with the same value with overlapping validity periods, to address
+   * issues such as clock skew.
    */
   struct GNUNET_TIME_AbsoluteNBO expire_withdraw;
 
@@ -418,11 +523,22 @@ struct TALER_DenominationKeyValidityPS
    * mint will refuse transactions involving this key as it will
    * "drop" the table with double-spending information (shortly after)
    * this time.  Note that wallets should refresh coins significantly
-   * before this time to be on the safe side.
+   * before this time to be on the safe side.  @e expire_spend must be
+   * significantly larger than @e expire_withdraw (by months or even
+   * years).
    */
   struct GNUNET_TIME_AbsoluteNBO expire_spend;
 
   /**
+   * When do signatures with this denomination key become invalid?
+   * After this point, these signatures cannot be used in (legal)
+   * disputes anymore, as the Mint is then allowed to destroy its side
+   * of the evidence.  @e expire_legal is expected to be significantly
+   * larger than @e expire_spend (by a year or more).
+   */
+  struct GNUNET_TIME_AbsoluteNBO expire_legal;
+
+  /**
    * The value of the coins signed with this denomination key.
    */
   struct TALER_AmountNBO value;
@@ -446,7 +562,8 @@ struct TALER_DenominationKeyValidityPS
   struct TALER_AmountNBO fee_refresh;
 
   /**
-   * Hash code of the denomination public key.
+   * Hash code of the denomination public key. (Used to avoid having
+   * the variable-size RSA key this struct.)
    */
   struct GNUNET_HashCode denom_hash;