dashpay · shumkov · May 19, 2026 · May 19, 2026 · May 19, 2026 · May 19, 2026
@@ -27,7 +27,7 @@ use platform_version::version::PlatformVersion;
 
 impl AddressFundingFromAssetLockTransitionMethodsV0 for AddressFundingFromAssetLockTransition {
     #[cfg(feature = "state-transition-signing")]
-    async fn try_from_asset_lock_with_signer<S: Signer<PlatformAddress>>(
+    async fn try_from_asset_lock_with_signer_and_private_key<S: Signer<PlatformAddress>>(
         asset_lock_proof: AssetLockProof,
         asset_lock_proof_private_key: &[u8],
         inputs: BTreeMap<PlatformAddress, (AddressNonce, Credits)>,
@@ -43,7 +43,7 @@ impl AddressFundingFromAssetLockTransitionMethodsV0 for AddressFundingFromAssetL
             .address_funding_from_asset_lock_transition
         {
             0 => Ok(
-                AddressFundingFromAssetLockTransitionV0::try_from_asset_lock_with_signer::<S>(
+                AddressFundingFromAssetLockTransitionV0::try_from_asset_lock_with_signer_and_private_key::<S>(
                     asset_lock_proof,
                     asset_lock_proof_private_key,
                     inputs,
@@ -56,7 +56,52 @@ impl AddressFundingFromAssetLockTransitionMethodsV0 for AddressFundingFromAssetL
                 .await?,
             ),
             version => Err(ProtocolError::UnknownVersionMismatch {
-                method: "AddressFundingFromAssetLockTransition::try_from_asset_lock_with_signer"
+                method:
+                    "AddressFundingFromAssetLockTransition::try_from_asset_lock_with_signer_and_private_key"
+                        .to_string(),
+                known_versions: vec![0],
+                received: version,
+            }),
+        }
+    }
+
+    #[cfg(all(feature = "state-transition-signing", feature = "core_key_wallet"))]
+    async fn try_from_asset_lock_with_signers<S, AS>(
+        asset_lock_proof: AssetLockProof,
+        asset_lock_proof_path: &::key_wallet::bip32::DerivationPath,
+        inputs: BTreeMap<PlatformAddress, (AddressNonce, Credits)>,
+        outputs: BTreeMap<PlatformAddress, Option<Credits>>,
+        fee_strategy: AddressFundsFeeStrategy,
+        signer: &S,
+        asset_lock_signer: &AS,
+        user_fee_increase: UserFeeIncrease,
+        platform_version: &PlatformVersion,
+    ) -> Result<StateTransition, ProtocolError>
+    where
+        S: Signer<PlatformAddress>,
+        AS: ::key_wallet::signer::Signer,
+    {
+        match platform_version
+            .dpp
+            .state_transition_conversion_versions
+            .address_funding_from_asset_lock_transition
+        {
+            0 => Ok(
+                AddressFundingFromAssetLockTransitionV0::try_from_asset_lock_with_signers::<S, AS>(
+                    asset_lock_proof,
+                    asset_lock_proof_path,
+                    inputs,
+                    outputs,
+                    fee_strategy,
+                    signer,
+                    asset_lock_signer,
+                    user_fee_increase,
+                    platform_version,
+                )
+                .await?,
+            ),
+            version => Err(ProtocolError::UnknownVersionMismatch {
+                method: "AddressFundingFromAssetLockTransition::try_from_asset_lock_with_signers"
                     .to_string(),
                 known_versions: vec![0],
                 received: version,

@@ -16,9 +16,24 @@ use crate::{prelude::UserFeeIncrease, state_transition::StateTransition, Protoco
 use platform_version::version::PlatformVersion;
 
 pub trait AddressFundingFromAssetLockTransitionMethodsV0 {
+    /// Build an `AddressFundingFromAssetLock` state transition where
+    /// the asset-lock-proof signature is produced from a raw private
+    /// key held in-process.
+    ///
+    /// `signer` signs each input's `AddressWitness` (one per
+    /// `inputs.keys()`) over the transition's signable bytes; the
+    /// outer state-transition signature is produced from
+    /// `asset_lock_proof_private_key` via
+    /// [`dashcore::signer::sign`].
+    ///
+    /// Prefer [`Self::try_from_asset_lock_with_signers`] when the
+    /// asset-lock key lives outside Rust (Swift / hardware wallet /
+    /// HSM): the `_with_signers` variant routes asset-lock signing
+    /// through an external [`key_wallet::signer::Signer`] so the
+    /// private key never crosses the FFI boundary as raw bytes.
     #[cfg(feature = "state-transition-signing")]
     #[allow(clippy::too_many_arguments)]
-    async fn try_from_asset_lock_with_signer<S: Signer<PlatformAddress>>(
+    async fn try_from_asset_lock_with_signer_and_private_key<S: Signer<PlatformAddress>>(
         asset_lock_proof: AssetLockProof,
         asset_lock_proof_private_key: &[u8],
         inputs: BTreeMap<PlatformAddress, (AddressNonce, Credits)>,
@@ -29,6 +44,36 @@ pub trait AddressFundingFromAssetLockTransitionMethodsV0 {
         platform_version: &PlatformVersion,
     ) -> Result<StateTransition, ProtocolError>;
 
+    /// Build an `AddressFundingFromAssetLock` state transition where
+    /// the asset-lock-proof signature is produced by an external
+    /// [`key_wallet::signer::Signer`].
+    ///
+    /// `signer` (`S: Signer<PlatformAddress>`) signs each input's
+    /// `AddressWitness` (same as the legacy
+    /// `try_from_asset_lock_with_signer_and_private_key` path), while
+    /// `asset_lock_signer` (`AS: ::key_wallet::signer::Signer`)
+    /// produces the outer state-transition ECDSA signature for the
+    /// key at `asset_lock_proof_path` — atomically deriving, signing,
+    /// and zeroising inside the signer's trust boundary. This is the
+    /// signing path used by hosts that hold their private keys outside
+    /// Rust (the iOS Swift SDK, hardware wallets, remote signers).
+    #[cfg(all(feature = "state-transition-signing", feature = "core_key_wallet"))]
+    #[allow(clippy::too_many_arguments)]
+    async fn try_from_asset_lock_with_signers<S, AS>(
+        asset_lock_proof: AssetLockProof,
+        asset_lock_proof_path: &::key_wallet::bip32::DerivationPath,
+        inputs: BTreeMap<PlatformAddress, (AddressNonce, Credits)>,
+        outputs: BTreeMap<PlatformAddress, Option<Credits>>,
+        fee_strategy: AddressFundsFeeStrategy,
+        signer: &S,
+        asset_lock_signer: &AS,
+        user_fee_increase: UserFeeIncrease,
+        platform_version: &PlatformVersion,
+    ) -> Result<StateTransition, ProtocolError>
+    where
+        S: Signer<PlatformAddress>,
+        AS: ::key_wallet::signer::Signer;
+
     /// Get State Transition Type
     fn get_type() -> StateTransitionType {
         StateTransitionType::AddressFundingFromAssetLock

@@ -22,7 +22,7 @@ use platform_version::version::PlatformVersion;
 
 impl AddressFundingFromAssetLockTransitionMethodsV0 for AddressFundingFromAssetLockTransitionV0 {
     #[cfg(feature = "state-transition-signing")]
-    async fn try_from_asset_lock_with_signer<S: Signer<PlatformAddress>>(
+    async fn try_from_asset_lock_with_signer_and_private_key<S: Signer<PlatformAddress>>(
         asset_lock_proof: AssetLockProof,
         asset_lock_proof_private_key: &[u8],
         inputs: BTreeMap<PlatformAddress, (AddressNonce, Credits)>,
@@ -32,13 +32,6 @@ impl AddressFundingFromAssetLockTransitionMethodsV0 for AddressFundingFromAssetL
         user_fee_increase: UserFeeIncrease,
         _platform_version: &PlatformVersion,
     ) -> Result<StateTransition, ProtocolError> {
-        tracing::debug!("try_from_asset_lock_with_signer: Started");
-        tracing::debug!(
-            input_count = inputs.len(),
-            output_count = outputs.len(),
-            "try_from_asset_lock_with_signer"
-        );
-
         // Create the unsigned transition
         let mut address_funding_transition = AddressFundingFromAssetLockTransitionV0 {
             asset_lock_proof,
@@ -65,7 +58,63 @@ impl AddressFundingFromAssetLockTransitionMethodsV0 for AddressFundingFromAssetL
         }
         address_funding_transition.input_witnesses = input_witnesses;
 
-        tracing::debug!("try_from_asset_lock_with_signer: Successfully created transition");
         Ok(address_funding_transition.into())
     }
+
+    #[cfg(all(feature = "state-transition-signing", feature = "core_key_wallet"))]
+    async fn try_from_asset_lock_with_signers<S, AS>(
+        asset_lock_proof: AssetLockProof,
+        asset_lock_proof_path: &::key_wallet::bip32::DerivationPath,
+        inputs: BTreeMap<PlatformAddress, (AddressNonce, Credits)>,
+        outputs: BTreeMap<PlatformAddress, Option<Credits>>,
+        fee_strategy: AddressFundsFeeStrategy,
+        signer: &S,
+        asset_lock_signer: &AS,
+        user_fee_increase: UserFeeIncrease,
+        _platform_version: &PlatformVersion,
+    ) -> Result<StateTransition, ProtocolError>
+    where
+        S: Signer<PlatformAddress>,
+        AS: ::key_wallet::signer::Signer,
+    {
+        // Build the unsigned inner transition. The outer wrapper
+        // signature and the per-input witnesses are both
+        // `#[platform_signable(exclude_from_sig_hash)]`, so they
+        // don't affect the signable bytes the per-input signer
+        // produces — we can compute signable bytes once with both
+        // empty.
+        let mut address_funding_transition = AddressFundingFromAssetLockTransitionV0 {
+            asset_lock_proof,
+            inputs: inputs.clone(),
+            outputs,
+            fee_strategy,
+            user_fee_increase,
+            signature: Default::default(),
+            input_witnesses: Vec::new(),
+        };
+
+        let state_transition: StateTransition = address_funding_transition.clone().into();
+        let signable_bytes = state_transition.signable_bytes()?;
+
+        // Sign per-input witnesses up front so the input_witnesses
+        // field is populated before we hand the inner over to the
+        // outer ST for the asset-lock signature.
+        let mut input_witnesses: Vec<AddressWitness> = Vec::with_capacity(inputs.len());
+        for address in inputs.keys() {
+            input_witnesses.push(signer.sign_create_witness(address, &signable_bytes).await?);
+        }
+        address_funding_transition.input_witnesses = input_witnesses;
+
+        // Build the outer ST and route the asset-lock-proof signature
+        // through the external `Signer`. The derive + sign + zeroise
+        // sequence happens inside the signer — the host never sees a
+        // raw private key, only a 32-byte digest goes in and a
+        // serialised signature comes out.
+        let mut state_transition: StateTransition = address_funding_transition.into();
+        state_transition
+            .sign_with_core_signer(asset_lock_proof_path, asset_lock_signer)
+            .await?;
+
+        Ok(state_transition)
+    }
 }
@@ -386,7 +386,7 @@ mod tests {
         fee_strategy: Vec<AddressFundsFeeStrategyStep>,
         user_fee_increase: u16,
     ) -> StateTransition {
-        AddressFundingFromAssetLockTransitionV0::try_from_asset_lock_with_signer(
+        AddressFundingFromAssetLockTransitionV0::try_from_asset_lock_with_signer_and_private_key(
             asset_lock_proof,
             asset_lock_private_key,
             inputs,

@@ -2609,7 +2609,7 @@ impl NetworkStrategy {
 
         tracing::debug!(?outputs, "Preparing funding transition");
         let funding_transition =
-            AddressFundingFromAssetLockTransitionV0::try_from_asset_lock_with_signer(
+            AddressFundingFromAssetLockTransitionV0::try_from_asset_lock_with_signer_and_private_key(
                 asset_lock_proof,
                 asset_lock_private_key.as_slice(),
                 BTreeMap::new(),

@@ -17,7 +17,7 @@
 
 use dashcore::hashes::Hash;
 use dpp::identity::accessors::IdentityGettersV0;
-use platform_wallet::wallet::identity::types::funding::IdentityFunding;
+use platform_wallet::AssetLockFunding;
 use rs_sdk_ffi::{SignerHandle, VTableSigner};
 
 use crate::check_ptr;
@@ -105,7 +105,7 @@ pub unsafe extern "C" fn platform_wallet_register_identity_with_funding_signer(
             };
             identity_wallet
                 .register_identity_with_funding(
-                    IdentityFunding::FromWalletBalance {
+                    AssetLockFunding::FromWalletBalance {
                         amount_duffs,
                         account_index,
                     },
@@ -141,7 +141,7 @@ pub unsafe extern "C" fn platform_wallet_register_identity_with_funding_signer(
 /// user now wants to consume the lock from the
 /// "Fund from unused Asset Lock" picker in `CreateIdentityView`.
 ///
-/// The Rust side dispatches via [`IdentityFunding::FromExistingAssetLock`]
+/// The Rust side dispatches via [`AssetLockFunding::FromExistingAssetLock`]
 /// inside the same `register_identity_with_funding` helper used by the
 /// wallet-balance path — the resume logic and IS→CL fallback live
 /// there, not here. This FFI is a thin marshaler.
@@ -220,7 +220,7 @@ pub unsafe extern "C" fn platform_wallet_resume_identity_with_existing_asset_loc
             };
             identity_wallet
                 .register_identity_with_funding(
-                    IdentityFunding::FromExistingAssetLock {
+                    AssetLockFunding::FromExistingAssetLock {
                         out_point: resume_outpoint,
                     },
                     identity_index,

@@ -204,7 +204,7 @@ pub unsafe fn parse_outputs(
 }
 
 // ---------------------------------------------------------------------------
-// Funding address entry (for fund_from_asset_lock)
+// Funding address entry (for top_up)
 // ---------------------------------------------------------------------------
 
 /// Address entry for asset lock funding. Exactly one must have `has_balance = false`.

@@ -2,15 +2,15 @@
 //!
 //! Mirrors the structure of `platform_wallet::wallet::platform_addresses`.
 
-mod fund_from_asset_lock;
 mod sync;
+mod top_up;
 mod transfer;
 mod wallet;
 mod withdrawal;
 
 // Re-export all FFI types and functions.
-pub use fund_from_asset_lock::*;
 pub use sync::*;
+pub use top_up::*;
 pub use transfer::*;
 pub use wallet::*;
 pub use withdrawal::*;