verify we have the private key for an identity before signing#1790
verify we have the private key for an identity before signing#1790HayimShaul wants to merge 6 commits into
Conversation
|
@adecaro could you please have a look at that PR? I need your help here. Thanks a lot. |
08b4b54 to
cb97f37
Compare
| // Step 2: Verify we possess the private key by attempting to retrieve the signer | ||
| // This proves ownership, not just visibility | ||
| if !w.Remote() { | ||
| _, err = w.GetSigner(context.Context(), suppliedIdentity) |
There was a problem hiding this comment.
please, can you explain why w.Contains does not guarantee that we are also able to sign with this identity? Under which condition does this happen?
There was a problem hiding this comment.
w.Contains queries a wallet-to-identity mapping table — it answers "was this identity ever registered/bound to this wallet?" by checking a DB row written by BindIdentity or RegisterRecipientData. GetSigner is a completely separate question: "can I produce a cryptographic signature right now?" which requires the private key to be locally available and is answered by attempting to reconstruct a live signer via DeserializeSigner against a different store (StoreSignerInfo/the local key store). The two stores are populated by entirely independent code paths, so an identity can be fully enrolled in the wallet — its bytes bound to the wallet ID, its audit info persisted — while the private key never existed on this node. The canonical example is a remote/KMS wallet (IsRemote() == true, meaning userKeySKI == nil for Idemix or sID == nil for X.509) and an Idemix pseudonym registered as a counterparty recipient (where only BindIdentity + RegisterRecipientData were called, never RegisterSigner).
c97c2f7 to
bddcf40
Compare
3ff66c8 to
b1f8328
Compare
Signed-off-by: Hayim.Shaul@ibm.com <hayimsha@fhe03.vpc.cloud9.ibm.com>
Signed-off-by: Hayim.Shaul@ibm.com <hayimsha@fhe03.vpc.cloud9.ibm.com>
Signed-off-by: Hayim.Shaul@ibm.com <hayimsha@fhe03.vpc.cloud9.ibm.com>
Signed-off-by: Hayim.Shaul@ibm.com <hayimsha@fhe03.vpc.cloud9.ibm.com>
3c6c10f to
fff9543
Compare
Verify we have the secret key for an id given in Echo Path matches a key in our wallet.
Addresses issue #1638