Diffstat (limited to 'src/include/taler_exchangedb_plugin.h')
-rw-r--r-- | src/include/taler_exchangedb_plugin.h | 102 |
1 files changed, 72 insertions, 30 deletions
diff --git a/src/include/taler_exchangedb_plugin.h b/src/include/taler_exchangedb_plugin.h
index 48fce4d9..7383913a 100644
--- a/src/include/taler_exchangedb_plugin.h
+++ b/src/include/taler_exchangedb_plugin.h
@@ -27,49 +27,72 @@ #include "taler_signatures.h" -GNUNET_NETWORK_STRUCT_BEGIN - /** - * @brief On disk format used for a exchange signing key. Signing keys are used - * by the exchange to affirm its messages, but not to create coins. - * Includes the private key followed by the public information about - * the signing key. + * Information about a denomination key. */ -struct TALER_EXCHANGEDB_PrivateSigningKeyInformationP +struct TALER_EXCHANGEDB_DenominationKeyInformation { + /** - * Private key part of the exchange's signing key. + * Signature over this struct to affirm the validity of the key. */ - struct TALER_ExchangePrivateKeyP signkey_priv; + struct TALER_MasterSignatureP signature; /** - * Signature over @e issue + * Start time of the validity period for this key. */ - struct TALER_MasterSignatureP master_sig; + struct GNUNET_TIME_Timestamp start; /** - * Public information about a exchange signing key. + * The exchange will sign fresh coins between @e start and this time. + * @e expire_withdraw will be somewhat larger than @e start to + * ensure a sufficiently large anonymity set, while also allowing + * the Exchange to limit the financial damage in case of a key being + * compromised. Thus, exchanges with low volume are expected to have a + * longer withdraw period (@e expire_withdraw - @e start) than exchanges + * with high transaction volume. The period may also differ between + * types of coins. A exchange may also have a few denomination keys + * with the same value with overlapping validity periods, to address + * issues such as clock skew. */ - struct TALER_ExchangeSigningKeyValidityPS issue; + struct GNUNET_TIME_Timestamp expire_withdraw; -}; + /** + * Coins signed with the denomination key must be spent or refreshed + * between @e start and this expiration time. After this time, the + * exchange will refuse transactions involving this key as it will + * "drop" the table with double-spending information (shortly after) + * this time. 
Note that wallets should refresh coins significantly + * before this time to be on the safe side. @e expire_deposit must be + * significantly larger than @e expire_withdraw (by months or even + * years). + */ + struct GNUNET_TIME_Timestamp expire_deposit; + /** + * When do signatures with this denomination key become invalid? + * After this point, these signatures cannot be used in (legal) + * disputes anymore, as the Exchange is then allowed to destroy its side + * of the evidence. @e expire_legal is expected to be significantly + * larger than @e expire_deposit (by a year or more). + */ + struct GNUNET_TIME_Timestamp expire_legal; -/** - * Information about a denomination key. - */ -struct TALER_EXCHANGEDB_DenominationKeyInformationP -{ + /** + * The value of the coins signed with this denomination key. + */ + struct TALER_Amount value; /** - * Signature over this struct to affirm the validity of the key. + * Fees for the coin. */ - struct TALER_MasterSignatureP signature; + struct TALER_DenomFeeSet fees; /** - * Signed properties of the denomination key. + * Hash code of the denomination public key. (Used to avoid having + * the variable-size RSA key in this struct.) */ - struct TALER_DenominationKeyValidityPS properties; + struct TALER_DenominationHashP denom_hash; /** * If denomination was setup for age restriction, non-zero age mask. @@ -79,6 +102,8 @@ struct TALER_EXCHANGEDB_DenominationKeyInformationP }; +GNUNET_NETWORK_STRUCT_BEGIN + /** * Signature of events signalling a reserve got funding. */ @@ -474,7 +499,7 @@ struct TALER_EXCHANGEDB_DenominationKey /** * Signed public information about a denomination key. */ - struct TALER_EXCHANGEDB_DenominationKeyInformationP issue; + struct TALER_EXCHANGEDB_DenominationKeyInformation issue; }; 
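Review bot: The comment on `signature` still reads "Signature over this struct", but after this change the struct sits outside the GNUNET_NETWORK_STRUCT_BEGIN region, has lost its `P` suffix, and carries `struct GNUNET_TIME_Timestamp` and `struct TALER_Amount` fields in place of the embedded `struct TALER_DenominationKeyValidityPS`. Its in-memory bytes are therefore presumably no longer the signed message (layout and padding are now up to the compiler), and a reader who takes the comment literally could check the master signature over the wrong bytes. I would reword it to something like `Master signature over the denomination's validity data, as reconstructed from the fields below; not over the in-memory representation of this struct.` The same applies to "Signed public information about a denomination key" on the `issue` member in the @@ -474 hunk. The code that builds the signed message is outside this diff, so please confirm which fields it covers.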
@@ -2188,7 +2213,7 @@ typedef void (*TALER_EXCHANGEDB_DenominationCallback)( void *cls, const struct TALER_DenominationPublicKey *denom_pub, - const struct TALER_EXCHANGEDB_DenominationKeyInformationP *issue); + const struct TALER_EXCHANGEDB_DenominationKeyInformation *issue); /** @@ -2385,7 +2410,7 @@ struct TALER_EXCHANGEDB_Plugin (*insert_denomination_info)( void *cls, const struct TALER_DenominationPublicKey *denom_pub, - const struct TALER_EXCHANGEDB_DenominationKeyInformationP *issue); + const struct TALER_EXCHANGEDB_DenominationKeyInformation *issue); /** @@ -2400,7 +2425,7 @@ struct TALER_EXCHANGEDB_Plugin (*get_denomination_info)( void *cls, const struct TALER_DenominationHashP *denom_pub_hash, - struct TALER_EXCHANGEDB_DenominationKeyInformationP *issue); + struct TALER_EXCHANGEDB_DenominationKeyInformation *issue); /** @@ -4391,6 +4416,10 @@ struct TALER_EXCHANGEDB_Plugin * @param pub_ckey ephemeral key for DH used to encrypt the contract * @param econtract_size number of bytes in @a econtract * @param econtract the encrypted contract + * @param[out] in_conflict set to true if @a econtract + * conflicts with an existing contract; + * in this case, the return value will be + * #GNUNET_DB_STATUS_SUCCESS_ONE despite the failure * @return transaction status code */ enum GNUNET_DB_QueryStatus @@ -4398,7 +4427,8 @@ struct TALER_EXCHANGEDB_Plugin const struct TALER_PurseContractPublicKeyP *purse_pub, const struct TALER_ContractDiffiePublicP *pub_ckey, size_t econtract_size, - const void *econtract); + const void *econtract, + bool *in_conflict); /** 
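Review bot: The new `@param[out] in_conflict` text in the @@ -4391 hunk says when the flag is set to true but not whether it is written on any other path, while the call still returns #GNUNET_DB_STATUS_SUCCESS_ONE on a conflict. A caller that tests only the status code, or passes an uninitialized `bool`, can then treat a conflicting contract as stored. I would extend the comment to `set to true if @a econtract conflicts with an existing contract, set to false otherwise; only meaningful if the return value is #GNUNET_DB_STATUS_SUCCESS_ONE`, provided that matches the implementation, which is not visible here. The same gap exists in the `in_conflict` text of the @@ -4430 hunk and the `balance_ok` text of the @@ -4509 hunk. The declarations themselves start and end outside these hunks.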
@@ -4430,6 +4460,10 @@ struct TALER_EXCHANGEDB_Plugin * @param age_limit age limit to enforce for payments into the purse * @param amount target amount (with fees) to be put into the purse * @param purse_sig signature with @a purse_pub's private key affirming the above + * @param[out] in_conflict set to true if the meta data + * conflicts with an existing purse; + * in this case, the return value will be + * #GNUNET_DB_STATUS_SUCCESS_ONE despite the failure * @return transaction status code */ enum GNUNET_DB_QueryStatus @@ -4441,7 +4475,8 @@ struct TALER_EXCHANGEDB_Plugin const struct TALER_PrivateContractHashP *h_contract_terms, uint32_t age_limit, const struct TALER_Amount *amount, - const struct TALER_PurseContractSignatureP *purse_sig); + const struct TALER_PurseContractSignatureP *purse_sig, + bool *in_conflict); /** @@ -4509,6 +4544,11 @@ struct TALER_EXCHANGEDB_Plugin * @param coin_pub coin to deposit (debit) * @param amount fraction of the coin's value to deposit * @param coin_sig signature affirming the operation + * @param amount_minus_fee amount to add to the purse + * @param[out] balance_ok set to false if the coin's + * remaining balance is below @a amount; + * in this case, the return value will be + * #GNUNET_DB_STATUS_SUCCESS_ONE despite the failure * @return transaction status code */ enum GNUNET_DB_QueryStatus @@ -4517,7 +4557,9 @@ struct TALER_EXCHANGEDB_Plugin const struct TALER_PurseContractPublicKeyP *purse_pub, const struct TALER_CoinSpendPublicKeyP *coin_pub, const struct TALER_Amount *amount, - const struct TALER_CoinSpendSignatureP *coin_sig); + const struct TALER_CoinSpendSignatureP *coin_sig, + const struct TALER_Amount *amount_minus_fee, + bool *balance_ok); /** |
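Review bot: In the @@ -4509 hunk `amount_minus_fee` is documented only as "amount to add to the purse", with no stated relation to @a amount, which is the value the `balance_ok` check is described against. Both values come from the caller, so the doc should state the invariant, e.g. `@param amount_minus_fee amount to add to the purse; must equal @a amount minus the applicable fee and never exceed @a amount`, and say whether the plugin verifies this or relies on the caller. Without that, a purse could be credited with more than the coin contributes. Separately, `balance_ok` reports failure as false, whereas the `in_conflict` parameters added in this commit report failure as true. That asymmetry is easy to invert at a call site, so it deserves an explicit sentence in the comment. The function's name and leading parameters lie outside the hunk.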