Problem (WIP #1616): keypackage not verified in nodejointx / council …

…node data

Solution:
- record most recent isv_svn in chain state, warn when a new version appears
- use mock keypackage and make unit/integration tests running
  tempararily

chain-abci/Cargo.toml

@@ -37,7 +37,6 @@ structopt = "0.3"
 secp256k1zkp = { git = "https://github.com/crypto-com/rust-secp256k1-zkp.git", rev = "f8759809f6e3fed793b37166f7cd91c57cdb2eab", features = ["recovery", "endomorphism"] }
 parity-scale-codec = { features = ["derive"], version = "1.3" }
 thiserror = "1.0"
-rustls = { version = "0.17", features = ["dangerous_configuration"] }
 
 [target.'cfg(target_os = "linux")'.dependencies]
 enclave-u-common = { path = "../chain-tx-enclave/enclave-u-common" }

chain-abci/fuzz/Cargo.toml

@@ -16,10 +16,12 @@ kvdb = "0.6"
 kvdb-memorydb = "0.6"
 chain-storage = { path = "../../chain-storage" }
 chain-core = { path = "../../chain-core" }
+test-common = { path = "../../test-common" }
 abci = "0.7"
 protobuf = "2.10.0"
 serde_json = "1.0"
 hex = "0.4"
+base64 = "0.11"
 
 [dependencies.chain-abci]
 path = ".."

chain-abci/fuzz/fuzz_targets/abci_cycle.rs

@@ -21,6 +21,7 @@ use parity_scale_codec::Decode;
 use protobuf;
 use std::convert::TryInto;
 use std::sync::Arc;
+use test_common::chain_env::KEYPACKAGE_VECTOR;
 
 pub fn get_enclave_bridge_mock() -> MockClient {
     MockClient::new(0)
@@ -75,7 +76,7 @@ const TEST_GENESIS: &str = "{
           \"value\": \"MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA=\"
         },
         {
-          \"keypackage\": \"RklYTUU=\"
+          \"keypackage\": \"{}\"
         }
       ]
     }
@@ -99,7 +100,11 @@ fn init_request() -> RequestInitChain {
     let t = ::protobuf::well_known_types::Timestamp::new();
     let mut req = RequestInitChain::default();
     req.set_time(t);
-    req.set_app_state_bytes(TEST_GENESIS.as_bytes().to_vec());
+    req.set_app_state_bytes(
+        format!(TEST_GENESIS, base64::encode(KEYPACKAGE_VECTOR))
+            .as_bytes()
+            .to_vec(),
+    );
     req.set_chain_id(String::from(TEST_CHAIN_ID));
     req.set_validators(vec![validator].into());
     req.set_consensus_params(ConsensusParams {

chain-abci/src/app/app_init.rs

@@ -31,7 +31,6 @@ use chain_storage::buffer::{
 };
 use chain_storage::jellyfish::{compute_staking_root, sum_staking_coins, StakingGetter, Version};
 use chain_storage::{Storage, StoredChainState};
-use ra_client::EnclaveCertVerifier;
 
 /// ABCI app state snapshot
 #[derive(Serialize, Deserialize, Clone, Encode, Decode)]
@@ -55,6 +54,9 @@ pub struct ChainNodeState {
     pub staking_version: Version,
     /// Record the sum of all the coins in UTxO set
     pub utxo_coins: Coin,
+    /// Record the biggest enclave ISVSVN (Security Version Number of the Enclave) we've seen in
+    /// keypackage so far
+    pub enclave_isv_svn: u16,
 
     /// The parts of states which involved in computing app_hash
     pub top_level: ChainState,
@@ -87,6 +89,7 @@ impl ChainNodeState {
         rewards_pool: RewardsPoolState,
         network_params: NetworkParameters,
         staking_table: StakingTable,
+        enclave_isv_svn: u16,
     ) -> Self {
         ChainNodeState {
             last_block_height: BlockHeight::genesis(),
@@ -98,6 +101,7 @@ impl ChainNodeState {
             max_evidence_age,
             staking_version: 0,
             utxo_coins: Coin::zero(),
+            enclave_isv_svn,
             top_level: ChainState {
                 account_root,
                 rewards_pool,
@@ -137,8 +141,6 @@ pub struct ChainNodeApp<T: EnclaveProxy> {
     pub rewards_pool_updated: bool,
     /// address of tx query enclave to supply to clients (if any)
     pub tx_query_address: Option<String>,
-    /// Enclave certificate verifier
-    pub enclave_cert_verifier: EnclaveCertVerifier,
 
     /// consensus buffer of staking merkle trie storage
     pub staking_buffer: StakingBuffer,
@@ -225,14 +227,14 @@ fn get_voting_power(
 }
 
 pub fn init_app_hash(conf: &InitConfig, genesis_time: Timespec) -> H256 {
-    let (accounts, rp, _nodes) = conf
+    let state = conf
         .validate_config_get_genesis(genesis_time)
         .expect("distribution validation error");
 
     compute_app_hash(
         &MerkleTree::empty(),
-        &compute_staking_root(&accounts),
-        &rp,
+        &compute_staking_root(&state.accounts),
+        &state.rewards_pool,
         &NetworkParameters::Genesis(conf.network_params.clone()),
     )
 }
@@ -245,7 +247,6 @@ impl<T: EnclaveProxy> ChainNodeApp<T> {
         chain_id: &str,
         storage: Storage,
         tx_query_address: Option<String>,
-        enclave_cert_verifier: EnclaveCertVerifier,
     ) -> Self {
         let stored_genesis = storage.get_genesis_app_hash();
 
@@ -276,7 +277,6 @@ impl<T: EnclaveProxy> ChainNodeApp<T> {
             tx_validator,
             rewards_pool_updated: false,
             tx_query_address,
-            enclave_cert_verifier,
 
             staking_buffer: HashMap::new(),
             mempool_staking_buffer: HashMap::new(),
@@ -315,9 +315,6 @@ impl<T: EnclaveProxy> ChainNodeApp<T> {
             let _ = start_zmq(_conn_str, chain_hex_id, storage.get_read_only());
         }
 
-        let enclave_cert_verifier = EnclaveCertVerifier::new(Default::default())
-            .expect("enclave cert verifier init failed");
-
         if let Some(data) = storage.get_last_app_state() {
             info!("last app state stored");
             let mut last_state =
@@ -365,7 +362,6 @@ impl<T: EnclaveProxy> ChainNodeApp<T> {
                 chain_id,
                 storage,
                 tx_query_address,
-                enclave_cert_verifier,
             )
         } else {
             info!("no last app state stored");
@@ -390,7 +386,6 @@ impl<T: EnclaveProxy> ChainNodeApp<T> {
                 tx_validator,
                 rewards_pool_updated: false,
                 tx_query_address,
-                enclave_cert_verifier,
 
                 staking_buffer: HashMap::new(),
                 mempool_staking_buffer: HashMap::new(),
@@ -426,7 +421,7 @@ impl<T: EnclaveProxy> ChainNodeApp<T> {
             .get_seconds()
             .try_into()
             .expect("invalid genesis time");
-        let (accounts, rp, nodes) = conf
+        let state = conf
             .validate_config_get_genesis(genesis_time)
             .expect("distribution validation error");
 
@@ -440,11 +435,11 @@ impl<T: EnclaveProxy> ChainNodeApp<T> {
         }
 
         let network_params = NetworkParameters::Genesis(conf.network_params);
-        let new_account_root = self.storage.put_stakings(0, &accounts);
+        let new_account_root = self.storage.put_stakings(0, &state.accounts);
         let genesis_app_hash = compute_app_hash(
             &MerkleTree::empty(),
             &new_account_root,
-            &rp,
+            &state.rewards_pool,
             &network_params,
         );
 
@@ -454,19 +449,23 @@ impl<T: EnclaveProxy> ChainNodeApp<T> {
 
         check_and_store_consensus_params(
             req.consensus_params.as_ref(),
-            &nodes,
+            &state.validators,
             &network_params,
             &mut self.storage,
         );
 
         check_validators(
-            &nodes,
+            &state.validators,
             req.validators.clone().into_vec(),
             &conf.distribution,
         )
         .expect("validators in genesis configuration are not consistent with app_state");
 
-        let val_addresses = nodes.iter().map(|(addr, _)| *addr).collect::<Vec<_>>();
+        let val_addresses = state
+            .validators
+            .iter()
+            .map(|(addr, _)| *addr)
+            .collect::<Vec<_>>();
         let staking_table = StakingTable::from_genesis(
             &staking_getter!(self, 0),
             network_params.get_required_council_node_stake(),
@@ -479,9 +478,10 @@ impl<T: EnclaveProxy> ChainNodeApp<T> {
             genesis_time,
             max_evidence_age,
             new_account_root,
-            rp,
+            state.rewards_pool,
             network_params,
             staking_table,
+            state.isv_svn,
         );
         chain_storage::store_genesis_state(
             &mut kv_store!(self),

chain-abci/src/app/mod.rs

@@ -404,9 +404,11 @@ fn generate_tx_staking_change_event(tx_action: TxAction) -> Option<abci::Event>
                 fee,
                 ..
             } => Some(StakingEvent::Unbond(&unbond.0, unbond.1, unbonded_from, fee).into()),
-            TxPublicAction::NodeJoin(staking_address, council_node) => {
-                Some(StakingEvent::NodeJoin(&staking_address, council_node).into())
-            }
+            TxPublicAction::NodeJoin {
+                address,
+                council_node,
+                ..
+            } => Some(StakingEvent::NodeJoin(&address, council_node).into()),
             TxPublicAction::Unjail(staking_address) => {
                 Some(StakingEvent::Unjail(&staking_address).into())
             }

chain-abci/src/app/validate_tx.rs

@@ -1,6 +1,8 @@
 use super::{BufferType, ChainNodeApp, ChainNodeState};
 use crate::enclave_bridge::EnclaveProxy;
-use crate::storage::{process_public_tx, verify_enclave_tx, TxAction, TxEnclaveAction};
+use crate::storage::{
+    process_public_tx, verify_enclave_tx, TxAction, TxEnclaveAction, TxPublicAction,
+};
 use crate::tx_error::TxError;
 use abci::*;
 use chain_core::tx::data::TxId;
@@ -118,11 +120,18 @@ impl<T: EnclaveProxy> ChainNodeApp<T> {
                 let action = process_public_tx(
                     &mut staking_store!(self, state.staking_version, buffer_type),
                     &mut state.staking_table,
-                    &self.enclave_cert_verifier,
+                    state.enclave_isv_svn,
                     &extra_info,
                     &tx,
                 )?;
 
+                match action {
+                    TxPublicAction::NodeJoin { isv_svn, .. } => {
+                        state.enclave_isv_svn = isv_svn;
+                    }
+                    _ => {}
+                };
+
                 TxAction::Public(action)
             }
         };