exchange

Base system with REST service to issue digital coins, run by the payment service provider

commit 6bfc96f4cefceb5735e3bbccbe8f2e0fa6f51b6d
parent 4cf9e0000cf1eb7a7fa36c3a09b26c0c828fdc94
Author: Christian Grothoff <christian@grothoff.org>
Date:   Tue, 16 Jan 2024 13:27:28 +0100

fix #8095

Diffstat:
M src/include/taler_exchange_service.h   | 11 ++++++++---
M src/lib/exchange_api_batch_withdraw2.c |  4 ++--
2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/include/taler_exchange_service.h b/src/include/taler_exchange_service.h @@ -1,6 +1,6 @@ /* This file is part of TALER - Copyright (C) 2014-2023 Taler Systems SA + Copyright (C) 2014-2024 Taler Systems SA TALER is free software; you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software @@ -2591,7 +2591,8 @@ typedef void /** * Withdraw multiple coins from the exchange using a /reserves/$RESERVE_PUB/batch-withdraw * request. This API is typically used by a wallet to withdraw many coins from a - * reserve. + * reserve. The blind signatures are unblinded and verified before being returned + * to the caller at @a res_cb. * * Note that to ensure that no money is lost in case of hardware * failures, the caller must have committed (most of) the arguments to @@ -2688,7 +2689,11 @@ struct TALER_EXCHANGE_Withdraw2Handle; /** * Withdraw a coin from the exchange using a /reserves/$RESERVE_PUB/withdraw * request. This API is typically used by a merchant to withdraw a tip - * where the blinding factor is unknown to the merchant. + * where the blinding factor is unknown to the merchant. Note that unlike + * the #TALER_EXCHANGE_withdraw() API, this API neither unblinds the signatures + * nor can it verify that the exchange signatures are valid, so these tasks + * are left to the caller. Wallets probably should use #TALER_EXCHANGE_withdraw() + * which integrates these steps. * * Note that to ensure that no money is lost in case of hardware * failures, the caller must have committed (most of) the arguments to diff --git a/src/lib/exchange_api_batch_withdraw2.c b/src/lib/exchange_api_batch_withdraw2.c 
@@ -89,8 +89,8 @@ struct TALER_EXCHANGE_BatchWithdraw2Handle /** * We got a 200 OK response for the /reserves/$RESERVE_PUB/batch-withdraw operation. * Extract the coin's signature and return it to the caller. The signature we - * get from the exchange is for the blinded value. Thus, we first must - * unblind it and then should verify its validity against our coin's hash. + * get from the exchange is for the blinded value. As we do not have the + * blinding factor, the signature CANNOT be verified. * * If everything checks out, we return the unblinded signature * to the application via the callback.
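
Review bot: In the `@@ -89,8 +89,8 @@` hunk of src/lib/exchange_api_batch_withdraw2.c, the unchanged paragraph right after the edited lines still reads "If everything checks out, we return the unblinded signature to the application via the callback", which now contradicts the new sentence saying the signature CANNOT be verified because the blinding factor is unavailable. Please update that trailing paragraph as well, so the comment says the signature handed to the callback is still blinded and unverified and that unblinding and verification are the caller's job.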
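
Review bot: In the `@@ -2688,7 +2689,11 @@` hunk of src/include/taler_exchange_service.h, the caller's obligation is hedged and sits mid-paragraph ("so these tasks are left to the caller. Wallets probably should use #TALER_EXCHANGE_withdraw()"). A caller that overlooks it would accept an exchange signature that nobody has checked, so I would state it as a requirement: the caller must unblind the signature and verify it before treating the coin as valid. Putting that in its own paragraph, next to the existing "Note that to ensure that no money is lost" paragraph, would make it harder to miss.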
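
Review bot: In the `@@ -2591,7 +2591,8 @@` hunk of src/include/taler_exchange_service.h, the added sentence says the blind signatures are "unblinded and verified before being returned to the caller at @a res_cb" but does not say what the callback receives when verification fails. One more sentence describing the failure case would let callers know whether they can rely on every signature delivered to @a res_cb being valid.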