Support private keys in irma_configuration

irmaconfig.go

@@ -56,6 +56,7 @@ type Configuration struct {
 
 	kssPublicKeys map[SchemeManagerIdentifier]map[int]*rsa.PublicKey
 	publicKeys    map[IssuerIdentifier]map[int]*gabi.PublicKey
+	privateKeys   map[IssuerIdentifier]*gabi.PrivateKey
 	reverseHashes map[string]CredentialTypeIdentifier
 	initialized   bool
 	assets        string
@@ -142,6 +143,7 @@ func (conf *Configuration) clear() {
 	conf.DisabledSchemeManagers = make(map[SchemeManagerIdentifier]*SchemeManagerError)
 	conf.kssPublicKeys = make(map[SchemeManagerIdentifier]map[int]*rsa.PublicKey)
 	conf.publicKeys = make(map[IssuerIdentifier]map[int]*gabi.PublicKey)
+	conf.privateKeys = make(map[IssuerIdentifier]*gabi.PrivateKey)
 	conf.reverseHashes = make(map[string]CredentialTypeIdentifier)
 }
 
@@ -316,6 +318,49 @@ func relativePath(outer string, inner string) (string, error) {
 	return innerAbs[len(outerAbs)+1:], nil
 }
 
+// PrivateKey returns the specified private key, or nil if not present in the Configuration.
+func (conf *Configuration) PrivateKey(id IssuerIdentifier) (*gabi.PrivateKey, error) {
+	if sk := conf.privateKeys[id]; sk != nil {
+		return sk, nil
+	}
+
+	path := fmt.Sprintf(privkeyPattern, conf.Path, id.SchemeManagerIdentifier().Name(), id.Name())
+	files, err := filepath.Glob(path)
+	if err != nil {
+		return nil, err
+	}
+	if len(files) == 0 {
+		return nil, nil
+	}
+
+	// List private keys and get highest counter
+	counters := make([]int, 0, len(files))
+	for _, file := range files {
+		filename := filepath.Base(file)
+		count := filename[:len(filename)-4]
+		i, err := strconv.Atoi(count)
+		if err != nil {
+			return nil, err
+		}
+		counters = append(counters, i)
+	}
+	sort.Ints(counters)
+	counter := counters[len(counters)-1]
+
+	// Read private key
+	file := strings.Replace(path, "*", strconv.Itoa(counter), 1)
+	sk, err := gabi.NewPrivateKeyFromFile(file)
+	if err != nil {
+		return nil, err
+	}
+	if int(sk.Counter) != counter {
+		return nil, errors.Errorf("Private key %s of issuer %s has wrong <Counter>", file, id.String())
+	}
+	conf.privateKeys[id] = sk
+
+	return sk, nil
+}
+
 // PublicKey returns the specified public key, or nil if not present in the Configuration.
 func (conf *Configuration) PublicKey(id IssuerIdentifier, counter int) (*gabi.PublicKey, error) {
 	var haveIssuer, haveKey bool

server/core/handle.go

@@ -149,7 +149,8 @@ func (session *session) handlePostCommitments(commitments *irma.IssueCommitmentM
 	for i, cred := range request.Credentials {
 		id := cred.CredentialTypeID.IssuerIdentifier()
 		pk, _ := conf.IrmaConfiguration.PublicKey(id, cred.KeyCounter)
-		issuer := gabi.NewIssuer(conf.IssuerPrivateKeys[id], pk, one)
+		sk, _ := privatekey(id)
+		issuer := gabi.NewIssuer(sk, pk, one)
 		proof := commitments.Proofs[i+discloseCount].(*gabi.ProofU)
 		attributes, err := cred.AttributeList(conf.IrmaConfiguration, 0x03)
 		if err != nil {

server/core/helpers.go

@@ -41,8 +41,11 @@ func validateIssuanceRequest(request *irma.IssuanceRequest) error {
 	for _, cred := range request.Credentials {
 		// Check that we have the appropriate private key
 		iss := cred.CredentialTypeID.IssuerIdentifier()
-		privatekey, havekey := conf.IssuerPrivateKeys[iss]
-		if !havekey {
+		privatekey, err := privatekey(iss)
+		if err != nil {
+			return err
+		}
+		if privatekey == nil {
 			return errors.Errorf("missing private key of issuer %s", iss.String())
 		}
 		pubkey, err := conf.IrmaConfiguration.PublicKey(iss, int(privatekey.Counter))
@@ -72,6 +75,16 @@ func validateIssuanceRequest(request *irma.IssuanceRequest) error {
 	return nil
 }
 
+func privatekey(id irma.IssuerIdentifier) (sk *gabi.PrivateKey, err error) {
+	sk = conf.IssuerPrivateKeys[id]
+	if sk == nil {
+		if sk, err = conf.IrmaConfiguration.PrivateKey(id); err != nil {
+			return nil, err
+		}
+	}
+	return sk, nil
+}
+
 func (session *session) getProofP(commitments *irma.IssueCommitmentMessage, scheme irma.SchemeManagerIdentifier) (*gabi.ProofP, error) {
 	if session.kssProofs == nil {
 		session.kssProofs = make(map[irma.SchemeManagerIdentifier]*gabi.ProofP)