new keyshare protocol (keyshare server parts)

CHANGELOG.md

@@ -43,11 +43,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   }
   ```
 - Renewal endpoint for keyshare attribute in the keyshare server (`/users/renewKeyshareAttribute`)
+- Keyshare server /api/v2/prove/... endpoints for the new keyshare protocol
 
 ### Changed
 - `KeyshareVerifyPin` function in irmaclient ensures the keyshare attribute is valid
-
-### Changed
 - Sending the account expiry email is done when user has only valid e-mail addresses
 - Strip unnecessary details from database errors
 

docs/keyshareFlow.puml

@@ -0,0 +1,79 @@
+@startuml
+skinparam backgroundColor #transparent
+participant "IRMA app" as app
+participant "requestor" as requestor
+participant "keyshare server" as keyshare
+participant "database" as db
+participant "mail server" as mail
+
+title Keyshare server endpoints
+
+app -> keyshare ++: POST /client/register <font color=#1D5B2A>signed</font> jwt:{pin, email, language, <font color=#1D5B2A>publickey</font>}
+keyshare -> keyshare: validate jwt
+keyshare -> db: Generate keyshare server account, \nincl secret <font color=#1D5B2A>and store publickey</font>
+keyshare -> mail: Send registration mail \nif address is specified
+keyshare -> keyshare: Issue keyshare credential
+return Invisible issuing of keyshare credential \n(directly via session endpoints in keyshare server)
+|||
+
+'already enrolled app: similar to the one sent by the irmaclient when changing your IRMA PIN code
+'note: hier komt een nieuwe jwt terug
+app -> keyshare ++: <font color=#1D5B2A> POST /users/register_publickey signed jwt:{id, pin, publickey}
+keyshare -> keyshare: <font color=#1D5B2A>validate jwt</font>
+keyshare -> keyshare: <font color=#1D5B2A>validate PIN</font>
+keyshare -> db: <font color=#1D5B2A>store publickey</font>
+return <font color=#1D5B2A>jwt</font>
+|||
+
+'get challenge
+app -> keyshare ++: <font color=#1D5B2A>POST /users/verify_start {id}
+keyshare -> keyshare: <font color=#1D5B2A>generate challenge
+return <font color=#1D5B2A>"pin_challengeresponse", challenge
+|||
+
+app -> keyshare ++: POST /users/verify/pin<font color=#1D5B2A>_challengeresponse</font> {id, pin, <font color=#1D5B2A>response</font>}
+keyshare -> db: fetch user
+keyshare -> keyshare: verify pin \n(incl reservePinCheck and blocking)
+keyshare -> keyshare: <font color=#1D5B2A>verify response which correponds to challenge
+return access token
+|||
+
+'reply attacks not possible, so no challenge-response needed
+app -> keyshare ++: POST /users/change/pin <font color=#1D5B2A>signed jwt</font>:{id, oldpin, newpin}
+keyshare -> db: fetch user
+keyshare -> keyshare: reserve pin check
+keyshare -> keyshare: <font color=#1D5B2A>validate jwt signature
+keyshare -> db: check old pin and update with new pin
+return OK
+|||
+
+app -> requestor: start session / get nonce
+return nonce
+|||
+
+' initial P_t from kss, new endpoint, do once before issuance
+app -> keyshare ++: <font color=#1D5B2A>POST /prove/getPs \n<font color=#1D5B2A>["irma-demo.IRMATube-1"] + access token
+return <font color=#1D5B2A>P_t
+|||
+
+app -> app: <font color=#1D5B2A>hw=hash(P,W_uu)
+|||
+
+app -> keyshare ++: POST /prove/getCommitments \n["irma-demo.IRMATube-1"] + <font color=#1D5B2A>h_w</font> + access token
+keyshare -> keyshare: verify token
+keyshare -> keyshare: generate commitments
+keyshare -> keyshare: <font color=#1D5B2A>store commitID for later requests</font>
+return commitments W_t
+|||
+
+app -> app: generate c = hash(nonce,P,W), s_u
+app -> keyshare ++: POST /prove/getResponse + \n<font color=#1D5B2A>nonce + s_u + W_u + P </font>+ access token
+keyshare -> keyshare: <font color=#1D5B2A>verify h_w
+keyshare -> keyshare: <font color=#1D5B2A>re-calculate c
+keyshare -> keyshare: log for MyIRMA
+keyshare -> keyshare: get commitment data from \nmemory store and build \nresponse with challenge
+return <font color=#1D5B2A>+signed jwt over challenge which is in ProofP
+
+app -> requestor: challenge/response, signed jwt, <font color=#1D5B2A>P=A*P_t || P=U*P_t
+
+@enduml

go.mod

@@ -21,7 +21,7 @@ require (
 	github.com/hashicorp/go-retryablehttp v0.7.1
 	github.com/mdp/qrterminal v1.0.1
 	github.com/mitchellh/mapstructure v1.5.0
-	github.com/privacybydesign/gabi v0.0.0-20221012093643-8e978bfbb252
+	github.com/privacybydesign/gabi v0.0.0-20221212095008-68a086907750
 	github.com/sietseringers/go-sse v0.0.0-20200801161811-e2cf2c63ca50
 	github.com/sirupsen/logrus v1.9.0
 	github.com/spf13/cast v1.5.0

go.sum

@@ -103,7 +103,6 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI=
 github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU=
-github.com/fxamacker/cbor v1.5.0/go.mod h1:UjdWSysJckWsChYy9I5zMbkGvK4xXDR+LmDb8kPGYgA=
 github.com/fxamacker/cbor v1.5.1 h1:XjQWBgdmQyqimslUh5r4tUGmoqzHmBFQOImkWGi2awg=
 github.com/fxamacker/cbor v1.5.1/go.mod h1:3aPGItF174ni7dDzd6JZ206H8cmr4GDNBGpPa971zsU=
 github.com/go-chi/chi/v5 v5.0.7 h1:rDTPXLDHGATaeHvVlLcR4Qe0zftYethFucbjVQ1PxU8=
@@ -112,7 +111,6 @@ github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
 github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-co-op/gocron v1.28.3 h1:swTsge6u/1Ei51b9VLMz/YTzEzWpbsk5SiR7m5fklTI=
 github.com/go-co-op/gocron v1.28.3/go.mod h1:39f6KNSGVOU1LO/ZOoZfcSxwlsJDQOKSu8erN0SH48Y=
-github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
 github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
@@ -238,7 +236,6 @@ github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
@@ -302,8 +299,8 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/privacybydesign/gabi v0.0.0-20221012093643-8e978bfbb252 h1:q5BP7Eh/x1GCyIToZTBYQXELmO876ezbQvek7gJaBg4=
-github.com/privacybydesign/gabi v0.0.0-20221012093643-8e978bfbb252/go.mod h1:HQ6L5rKBY7qaqcheK6zpaVf7fhGWD0PvUAXJTDws+0M=
+github.com/privacybydesign/gabi v0.0.0-20221212095008-68a086907750 h1:3RuYOQTlArQ6Uw2TgySusmZGluP+18WdQL56YSfkM3Q=
+github.com/privacybydesign/gabi v0.0.0-20221212095008-68a086907750/go.mod h1:QZI8hX8Ff2GfZ7UJuxyWw3nAGgt2s5+U4hxY6rmwQvs=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
@@ -314,7 +311,6 @@ github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sietseringers/go-sse v0.0.0-20200801161811-e2cf2c63ca50 h1:vgWWQM2SnMoO9BiUZ2WFAYuYF6U0jNss9Vn/PZoi+tU=
 github.com/sietseringers/go-sse v0.0.0-20200801161811-e2cf2c63ca50/go.mod h1:W/QHK9G0i5yrmHvej5+hhoFMXTSZIWHGQRcpbGgqV9s=
-github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
@@ -333,14 +329,12 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
 github.com/spf13/viper v1.12.0 h1:CZ7eSOd3kZoaYDLbXnmzgQI5RlciuXBMA+18HwHRfZQ=
 github.com/spf13/viper v1.12.0/go.mod h1:b6COn30jlNxbm/V2IqWiNWkJ+vZNiMNksliPCiuKtSI=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
@@ -362,7 +356,6 @@ github.com/timshannon/bolthold v0.0.0-20210913165410-232392fc8a6a/go.mod h1:iSvu
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/x-cray/logrus-prefixed-formatter v0.5.2 h1:00txxvfBM9muc0jiLIEAkAcIMJzfthRT6usrui8uGmg=
 github.com/x-cray/logrus-prefixed-formatter v0.5.2/go.mod h1:2duySbKsL6M18s5GU7VPsoEPHyzalCE06qoARUCeBBE=
-github.com/x448/float16 v0.8.3/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -387,7 +380,6 @@ golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
@@ -408,6 +400,7 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
+golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e h1:+WEEuIdZHnUeJJmEUjyYC2gfUMj69yZXw17EnHg/otA=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -501,7 +494,6 @@ golang.org/x/sys v0.0.0-20190204203706-41f3e6584952/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

internal/keysharecore/operations.go

@@ -197,6 +197,35 @@ func (c *Core) verifyAccess(secrets UserSecrets, jwtToken string) (unencryptedUs
 	return s, nil
 }
 
+// GeneratePs generates a list of keyshare server P's, i.e. a list of R_0^keyshareSecret.
+func (c *Core) GeneratePs(secrets UserSecrets, accessToken string, keyIDs []irma.PublicKeyIdentifier) ([]*big.Int, error) {
+	// Validate input request and build key list
+	var keyList []*gabikeys.PublicKey
+	for _, keyID := range keyIDs {
+		key, ok := c.trustedKeys[keyID]
+		if !ok {
+			return nil, ErrKeyNotFound
+		}
+		keyList = append(keyList, key)
+	}
+
+	// Use verifyAccess to get the decrypted secrets. The access has already been verified in the
+	// middleware. We use the call merely to fetch the unencryptedUserSecrets here.
+	s, err := c.verifyAccess(secrets, accessToken)
+	if err != nil {
+		return nil, err
+	}
+
+	var ps []*big.Int
+
+	for _, key := range keyList {
+		ps = append(ps,
+			new(big.Int).Exp(key.R[0], s.KeyshareSecret, key.N))
+	}
+
+	return ps, nil
+}
+
 // GenerateCommitments generates keyshare commitments using the specified Idemix public key(s).
 func (c *Core) GenerateCommitments(secrets UserSecrets, accessToken string, keyIDs []irma.PublicKeyIdentifier) ([]*gabi.ProofPCommitment, uint64, error) {
 	// Validate input request and build key list
@@ -209,7 +238,8 @@ func (c *Core) GenerateCommitments(secrets UserSecrets, accessToken string, keyI
 		keyList = append(keyList, key)
 	}
 
-	// verify access and decrypt
+	// Use verifyAccess to get the decrypted secrets. The access has already been verified in the
+	// middleware. We use the call merely to fetch the unencryptedUserSecrets here.
 	s, err := c.verifyAccess(secrets, accessToken)
 	if err != nil {
 		return nil, 0, err
@@ -247,7 +277,52 @@ func (c *Core) GenerateResponse(secrets UserSecrets, accessToken string, commitI
 		return "", ErrKeyNotFound
 	}
 
-	// verify access and decrypt
+	// Use verifyAccess to get the decrypted secrets. The access has already been verified in the
+	// middleware. We use the call merely to fetch the unencryptedUserSecrets here.
+	s, err := c.verifyAccess(secrets, accessToken)
+	if err != nil {
+		return "", err
+	}
+
+	// Fetch commit
+	c.commitmentMutex.Lock()
+	commit, ok := c.commitmentData[commitID]
+	delete(c.commitmentData, commitID)
+	c.commitmentMutex.Unlock()
+	if !ok {
+		return "", ErrUnknownCommit
+	}
+
+	// Generate response
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.MapClaims{
+		"ProofP": gabi.KeyshareResponseLegacy(s.KeyshareSecret, commit, challenge, key),
+		"iat":    time.Now().Unix(),
+		"sub":    "ProofP",
+		"iss":    c.jwtIssuer,
+	})
+	token.Header["kid"] = c.jwtPrivateKeyID
+	return token.SignedString(c.jwtPrivateKey)
+}
+
+// GenerateResponseV2 generates the response of a zero-knowledge proof of the keyshare secret, for a given previous commit and response request.
+// In older versions of the IRMA protocol (2.8 or below), issuers need a response that is linkable to earlier issuance sessions. In this case,
+// the ProofP.P will be set as well. The linkable parameter indicates whether the ProofP.P should be included.
+func (c *Core) GenerateResponseV2(
+	secrets UserSecrets,
+	accessToken string,
+	commitID uint64,
+	hashedComms gabi.KeyshareCommitmentRequest,
+	req gabi.KeyshareResponseRequest[irma.PublicKeyIdentifier],
+	keyID irma.PublicKeyIdentifier,
+	linkable bool) (string, error) {
+	// Validate request
+	key, ok := c.trustedKeys[keyID]
+	if !ok {
+		return "", ErrKeyNotFound
+	}
+
+	// Use verifyAccess to get the decrypted secrets. The access has already been verified in the
+	// middleware. We use the call merely to fetch the unencryptedUserSecrets here.
 	s, err := c.verifyAccess(secrets, accessToken)
 	if err != nil {
 		return "", err
@@ -262,9 +337,28 @@ func (c *Core) GenerateResponse(secrets UserSecrets, accessToken string, commitI
 		return "", ErrUnknownCommit
 	}
 
+	proofP, err := gabi.KeyshareResponse(s.KeyshareSecret, commit, hashedComms, req, c.trustedKeys)
+	if err != nil {
+		return "", err
+	}
+
+	if uint(proofP.C.BitLen()) > gabikeys.DefaultSystemParameters[1024].Lh || proofP.C.Cmp(big.NewInt(0)) < 0 {
+		return "", ErrInvalidChallenge
+	}
+
+	// If the session involves a legacy issuer that doesn't understand the new keyshare protocol,
+	// return a legacy ProofP of the old keyshare protocol, differing as follows to a normal ProofP:
+	// - Includes P = R_0^userSecret in the Proof.P field (making the ProofP linkable)
+	// - The response in ProofP.SResponse should be just our response, not with the user's response added
+	//   as done by added earlier in `gabi.KeyshareResponse()` above, so we subtract the user's response from it.
+	if linkable {
+		proofP.P = new(big.Int).Exp(key.R[0], s.KeyshareSecret, key.N)
+		proofP.SResponse.Sub(proofP.SResponse, req.UserResponse)
+	}
+
 	// Generate response
 	token := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.MapClaims{
-		"ProofP": gabi.KeyshareResponse(s.KeyshareSecret, commit, challenge, key),
+		"ProofP": proofP,
 		"iat":    time.Now().Unix(),
 		"sub":    "ProofP",
 		"iss":    c.jwtIssuer,

internal/keysharecore/operations_test.go

@@ -182,6 +182,10 @@ func TestProofFunctionality(t *testing.T) {
 		jwtt, err := validateAuth(t, c, signer, secrets, pin)
 		require.NoError(t, err)
 
+		// For issuance, initially get P_t
+		_, err = c.GeneratePs(secrets, jwtt, []irma.PublicKeyIdentifier{irma.PublicKeyIdentifier{Issuer: irma.NewIssuerIdentifier("test"), Counter: 1}})
+		require.NoError(t, err)
+
 		// Get keyshare commitment
 		W, commitID, err := c.GenerateCommitments(secrets, jwtt, []irma.PublicKeyIdentifier{irma.PublicKeyIdentifier{Issuer: irma.NewIssuerIdentifier("test"), Counter: 1}})
 		require.NoError(t, err)
@@ -246,6 +250,10 @@ func TestCorruptedUserSecrets(t *testing.T) {
 		_, err = changePin(t, c, signer, secrets, pin, pin)
 		assert.Error(t, err, "ChangePin accepts corrupted keyshare user secrets")
 
+		// GeneratePs
+		_, err = c.GeneratePs(secrets, jwtt, []irma.PublicKeyIdentifier{irma.PublicKeyIdentifier{Issuer: irma.NewIssuerIdentifier("test"), Counter: 1}})
+		assert.Error(t, err, "GeneratePs accepts corrupted keyshare user secrets")
+
 		// GenerateCommitments
 		_, _, err = c.GenerateCommitments(secrets, jwtt, []irma.PublicKeyIdentifier{irma.PublicKeyIdentifier{Issuer: irma.NewIssuerIdentifier("test"), Counter: 1}})
 		assert.Error(t, err, "GenerateCommitments accepts corrupted keyshare user secrets")
@@ -313,6 +321,10 @@ func TestMissingKey(t *testing.T) {
 		jwtt, err := validateAuth(t, c, signer, secrets, pin)
 		require.NoError(t, err)
 
+		// GeneratePs
+		_, err = c.GeneratePs(secrets, jwtt, []irma.PublicKeyIdentifier{irma.PublicKeyIdentifier{Issuer: irma.NewIssuerIdentifier("DNE"), Counter: 1}})
+		assert.Error(t, err, "Missing key not detected by generatePs")
+
 		// GenerateCommitments
 		_, _, err = c.GenerateCommitments(secrets, jwtt, []irma.PublicKeyIdentifier{irma.PublicKeyIdentifier{Issuer: irma.NewIssuerIdentifier("DNE"), Counter: 1}})
 		assert.Error(t, err, "Missing key not detected by generateCommitments")