From 961b12dc5902593a0655f71d77ebd84a7b48825d Mon Sep 17 00:00:00 2001 From: Tomas Tauber <2410580+tomtau@users.noreply.github.com> Date: Tue, 21 Jul 2020 18:38:46 +0800 Subject: [PATCH] Problem: tdbe types are not up to date with latest design (fixes #1967) Solution: updated the data types according to the latest doc https://github.com/crypto-com/chain-docs/pull/179/files - chain-abci part was moved to extras module of mls for validation (when https://github.com/crypto-com/chain-docs/issues/141 is done implementation could go there) - in order not to break tx format, confidential init is still takes as Vec - as tdbe workflows aren't ready yet, a temporary wrapper was put in the client --- Cargo.lock | 2 + chain-abci/Cargo.toml | 9 +-- chain-abci/src/app/staking_event.rs | 8 +-- chain-abci/src/enclave_bridge/mod.rs | 2 +- chain-abci/src/staking/mod.rs | 15 ++-- chain-abci/src/staking/tx.rs | 16 ++--- chain-abci/src/tx_error.rs | 10 +-- chain-abci/tests/abci_app.rs | 4 +- chain-abci/tests/tx_validation.rs | 4 +- chain-core/src/init/config.rs | 7 +- chain-core/src/state/account.rs | 71 +++++++++++++++---- chain-core/src/state/validator/nodejoin.rs | 8 --- chain-tx-enclave-next/mls/src/extras/mod.rs | 8 +++ .../mls/src/extras/validation.rs | 39 ++++++++++ chain-tx-enclave-next/mls/src/lib.rs | 1 + client-cli/src/command/transaction_command.rs | 11 ++- client-common/Cargo.toml | 1 + client-common/src/lib.rs | 2 +- client-common/src/tendermint/mock.rs | 2 +- client-common/src/transaction.rs | 27 +++++++ client-rpc/src/rpc/staking_rpc.rs | 13 +++- cro-clib/src/transaction_staking.rs | 14 ++-- dev-utils/example-dev-conf.json | 2 +- dev-utils/src/commands/init_command.rs | 6 +- dev-utils/src/commands/keypackage_command.rs | 5 +- dev-utils/src/commands/test_vector_command.rs | 3 +- docker/config/devnet/dev-conf.json | 2 +- docker/config/devnet/tendermint/genesis.json | 4 +- integration-tests/bot/chainbot.py | 2 +- test-common/Cargo.toml | 1 + test-common/src/chain_env.rs | 50 +++++++++++-- 31 files changed, 269 insertions(+), 80 deletions(-) create mode 100644 chain-tx-enclave-next/mls/src/extras/mod.rs create mode 100644 chain-tx-enclave-next/mls/src/extras/validation.rs diff --git a/Cargo.lock b/Cargo.lock index 651e1c927..fed61ab5e 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -763,6 +763,7 @@ dependencies = [ "indexmap", "itertools 0.9.0", "log", + "mls", "mock-utils", "num-bigint 0.2.6", "once_cell", @@ -4637,6 +4638,7 @@ dependencies = [ "hex 0.4.2", "kvdb-memorydb", "lazy_static", + "mls", "parity-scale-codec", "protobuf", "secp256k1", diff --git a/chain-abci/Cargo.toml b/chain-abci/Cargo.toml index b3213b5ed..2bada8922 100644 --- a/chain-abci/Cargo.toml +++ b/chain-abci/Cargo.toml @@ -24,10 +24,6 @@ mock-utils = { path = "../chain-tx-enclave/mock-utils" } mls = { path = "../chain-tx-enclave-next/mls" } ra-client = { path = "../chain-tx-enclave-next/enclave-ra/ra-client" } -aesm-client = {version = "0.5", features = ["sgxs"], optional = true } -enclave-runner = {version = "0.4", optional = true} -sgxs-loaders = {version = "0.2", optional = true} -tokio = { version = "0.2", optional = true } log = "0.4.11" env_logger = "0.7.1" @@ -46,6 +42,11 @@ parity-scale-codec = { features = ["derive"], version = "1.3" } thiserror = "1.0" [target.'cfg(target_os = "linux")'.dependencies] +aesm-client = {version = "0.5", features = ["sgxs"], optional = true } +enclave-runner = {version = "0.4", optional = true} +sgxs-loaders = {version = "0.2", optional = true} +tokio = { version = "0.2", optional = true } + enclave-u-common = { path = "../chain-tx-enclave/enclave-u-common", optional = true } sgx_types = { rev = "v1.1.2", git = "https://github.com/apache/teaclave-sgx-sdk.git", optional = true } sgx_urts = { rev = "v1.1.2", git = "https://github.com/apache/teaclave-sgx-sdk.git", optional = true } diff --git a/chain-abci/src/app/staking_event.rs b/chain-abci/src/app/staking_event.rs index a8f172f08..c4a819b17 100644 --- a/chain-abci/src/app/staking_event.rs +++ b/chain-abci/src/app/staking_event.rs @@ -357,7 +357,7 @@ impl fmt::Display for StakingCoinChange { #[cfg(test)] mod tests { use super::*; - use chain_core::state::account::ConfidentialInit; + use chain_core::state::account::{ConfidentialInit, MLSInit}; use chain_core::state::tendermint::TendermintValidatorPubKey; use chain_core::tx::fee::Fee; use std::str::FromStr; @@ -437,7 +437,7 @@ mod tests { assert_eq!( staking_diff.to_string(), - "{\"key\":\"CouncilNode\",\"value\":{\"name\":\"Council Node\",\"security_contact\":\"security@crypto.com\",\"confidential_init\":{\"keypackage\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\"},\"consensus_pubkey\":{\"type\":\"tendermint/PubKeyEd25519\",\"value\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\"}}}", + "{\"key\":\"CouncilNode\",\"value\":{\"name\":\"Council Node\",\"security_contact\":\"security@crypto.com\",\"confidential_init\":{\"init_payload\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\"},\"consensus_pubkey\":{\"type\":\"tendermint/PubKeyEd25519\",\"value\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\"}}}", ); } @@ -446,7 +446,7 @@ mod tests { let any_security_contact = Some(String::from("security@crypto.com")); let any_pub_key = TendermintValidatorPubKey::Ed25519([0u8; 32]); let any_cert = ConfidentialInit { - keypackage: [0u8; 32].to_vec(), + init_payload: MLSInit::Genesis([0u8; 32].to_vec()), }; CouncilNodeMeta::new_with_details( @@ -546,7 +546,7 @@ mod tests { let any_security_contact = Some(String::from("security@crypto.com")); let any_pub_key = TendermintValidatorPubKey::Ed25519([0u8; 32]); let any_cert = ConfidentialInit { - keypackage: [0u8; 32].to_vec(), + init_payload: MLSInit::Genesis([0u8; 32].to_vec()), }; CouncilNodeMeta::new_with_details( diff --git a/chain-abci/src/enclave_bridge/mod.rs b/chain-abci/src/enclave_bridge/mod.rs index 2789587a8..07cb2a390 100644 --- a/chain-abci/src/enclave_bridge/mod.rs +++ b/chain-abci/src/enclave_bridge/mod.rs @@ -6,7 +6,7 @@ pub mod mock; #[cfg(all(not(feature = "mock-enclave"), feature = "legacy", target_os = "linux"))] pub mod real; -#[cfg(feature = "edp")] +#[cfg(all(not(feature = "mock-enclave"), feature = "edp", target_os = "linux"))] pub mod edp; /// Abstracts over communication with an external part that does enclave calls diff --git a/chain-abci/src/staking/mod.rs b/chain-abci/src/staking/mod.rs index db37c0f1a..82f772d51 100644 --- a/chain-abci/src/staking/mod.rs +++ b/chain-abci/src/staking/mod.rs @@ -23,7 +23,8 @@ mod tests { use chain_core::tx::fee::Fee; use chain_storage::buffer::{Get, GetStaking, MemStore, StoreStaking}; use test_common::chain_env::{ - get_init_network_params, mock_council_node, mock_council_node_meta, DEFAULT_GENESIS_TIME, + get_init_network_params, mock_council_node_join, mock_council_node_meta, + DEFAULT_GENESIS_TIME, }; use super::*; @@ -118,7 +119,7 @@ mod tests { nonce, address: addr4, attributes: Default::default(), - node_meta: mock_council_node(val_pk4.clone()), + node_meta: mock_council_node_join(val_pk4.clone()), }; table .node_join(&mut store, DEFAULT_GENESIS_TIME + 10, 0, 0, &node_join) @@ -271,7 +272,7 @@ mod tests { nonce, address: addr1, attributes: Default::default(), - node_meta: mock_council_node(val_pk_new), + node_meta: mock_council_node_join(val_pk_new), }; assert!(matches!( table.node_join(&mut store, DEFAULT_GENESIS_TIME + 3, 0, 0, &node_join), @@ -337,7 +338,7 @@ mod tests { nonce: staking.nonce + 1, address: addr, attributes: Default::default(), - node_meta: mock_council_node(val_pk_new.clone()), + node_meta: mock_council_node_join(val_pk_new.clone()), }; // change to new validator key let result = table.node_join(store, DEFAULT_GENESIS_TIME + 1, 1, 0, &node_join); @@ -392,7 +393,7 @@ mod tests { nonce: 0, address: addr_new, attributes: Default::default(), - node_meta: mock_council_node(val_pk1), + node_meta: mock_council_node_join(val_pk1), }; // can't join with used key assert!(matches!( @@ -469,7 +470,7 @@ mod tests { nonce, address: addr1, attributes: Default::default(), - node_meta: mock_council_node(val_pk1.clone()), + node_meta: mock_council_node_join(val_pk1.clone()), }; let mut init_params = get_init_network_params(Coin::zero()); @@ -795,7 +796,7 @@ mod tests { nonce: 1, address: addr2, attributes: Default::default(), - node_meta: mock_council_node(val_pk_new.clone()), + node_meta: mock_council_node_join(val_pk_new.clone()), }; table .node_join(&mut store, DEFAULT_GENESIS_TIME + 2, 0, 0, &tx) diff --git a/chain-abci/src/staking/tx.rs b/chain-abci/src/staking/tx.rs index 87ae3bb67..1baaa812c 100644 --- a/chain-abci/src/staking/tx.rs +++ b/chain-abci/src/staking/tx.rs @@ -9,8 +9,7 @@ use chain_core::state::tendermint::{BlockHeight, TendermintValidatorAddress}; use chain_core::state::validator::NodeJoinRequestTx; use chain_core::tx::fee::Fee; use chain_storage::buffer::StoreStaking; -use mls::{Codec, KeyPackage}; -use ra_client::ENCLAVE_CERT_VERIFIER; +use mls::extras::check_nodejoin; use super::table::{set_staking, StakingTable}; use crate::tx_error::{ @@ -40,13 +39,14 @@ impl StakingTable { let isv_svn = if cfg!(feature = "mock-enclave") { 0 } else { - let keypackage = KeyPackage::read_bytes(&tx.get_keypackage_payload()) - .ok_or(NodeJoinError::KeyPackageDecodeError)?; - let info = keypackage - .verify(&*ENCLAVE_CERT_VERIFIER, block_time) - .map_err(NodeJoinError::KeyPackageVerifyError)?; // FIXME: more tdbe-related checks that may be observable by abci -- e.g. key not in the mls tree already - info.quote.report_body.isv_svn + let (add, commit) = tx + .node_meta + .get_node_join_mls_init() + .ok_or(NodeJoinError::InvalidMLSInitData)?; + let r = check_nodejoin(add, commit, block_time) + .map_err(NodeJoinError::MLSInitVerifyError)?; + r.info.quote.report_body.isv_svn }; let new_isv_svn = if isv_svn > recent_isv_svn { diff --git a/chain-abci/src/tx_error.rs b/chain-abci/src/tx_error.rs index 8e76cdeaf..3eb2ee364 100644 --- a/chain-abci/src/tx_error.rs +++ b/chain-abci/src/tx_error.rs @@ -1,5 +1,5 @@ use chain_core::init::coin::{Coin, CoinError}; -use mls::keypackage; +use mls::extras::{self}; #[derive(thiserror::Error, Debug)] pub enum TxError { @@ -53,10 +53,10 @@ pub enum NodeJoinError { IsJailed, #[error("the used_validator_addresses queue is full")] UsedValidatorAddrFull, - #[error("key package decode failed")] - KeyPackageDecodeError, - #[error("invalid key package: {0}")] - KeyPackageVerifyError(#[from] keypackage::Error), + #[error("failed to decode Add proposal and Commit message")] + InvalidMLSInitData, + #[error("invalid mls init data: {0}")] + MLSInitVerifyError(#[from] extras::NodeJoinError), #[error("FIXME: WIP -- community node not yet supported")] WIPNotValidator, } diff --git a/chain-abci/tests/abci_app.rs b/chain-abci/tests/abci_app.rs index 9ddc8ef32..4b4c93ea1 100644 --- a/chain-abci/tests/abci_app.rs +++ b/chain-abci/tests/abci_app.rs @@ -57,7 +57,7 @@ use std::convert::TryInto; use std::str::FromStr; use std::sync::Arc; use test_common::chain_env::{ - mock_confidential_init, mock_council_node, ChainEnv, DEFAULT_GENESIS_TIME, + mock_confidential_init, mock_council_node_join, ChainEnv, DEFAULT_GENESIS_TIME, }; const TEST_CHAIN_ID: &str = "test-00"; @@ -1064,7 +1064,7 @@ fn all_valid_tx_types_should_commit() { 1, addr.into(), StakedStateOpAttributes::new(0), - mock_council_node(TendermintValidatorPubKey::Ed25519([2u8; 32])), + mock_council_node_join(TendermintValidatorPubKey::Ed25519([2u8; 32])), ); let secp = Secp256k1::new(); let witness = StakedStateOpWitness::new(get_ecdsa_witness(&secp, &tx.id(), &secret_key)); diff --git a/chain-abci/tests/tx_validation.rs b/chain-abci/tests/tx_validation.rs index 02cd38f25..c8505f1ad 100644 --- a/chain-abci/tests/tx_validation.rs +++ b/chain-abci/tests/tx_validation.rs @@ -53,7 +53,7 @@ use std::fmt::Debug; use std::mem; use std::sync::Arc; use test_common::chain_env::{ - mock_confidential_init, mock_council_node_meta, DEFAULT_GENESIS_TIME, + mock_confidential_init_node_join, mock_council_node_meta, DEFAULT_GENESIS_TIME, }; fn verify_enclave_tx( @@ -1347,7 +1347,7 @@ fn prepare_nodejoin_transaction( "test".to_string(), None, TendermintValidatorPubKey::Ed25519([1u8; 32]), - mock_confidential_init(), + mock_confidential_init_node_join(), ), }; let witness = get_account_op_witness(secp, &tx.id(), &secret_key); diff --git a/chain-core/src/init/config.rs b/chain-core/src/init/config.rs index 23e47f9ba..f992522cb 100644 --- a/chain-core/src/init/config.rs +++ b/chain-core/src/init/config.rs @@ -3,7 +3,7 @@ use crate::init::address::RedeemAddress; use crate::init::coin::{sum_coins, Coin, CoinError}; pub use crate::init::params::*; use crate::state::account::{ - ConfidentialInit, CouncilNodeMeta, NodeName, NodeSecurityContact, StakedState, + ConfidentialInit, CouncilNodeMeta, MLSInit, NodeName, NodeSecurityContact, StakedState, StakedStateAddress, StakedStateDestination, }; use crate::state::tendermint::TendermintValidatorPubKey; @@ -200,7 +200,10 @@ impl InitConfig { let isv_svn = validators .iter() - .map(|v| verify_keypackage(genesis_time, &v.1.node_info.confidential_init.keypackage)) + .map(|v| match &v.1.node_info.confidential_init.init_payload { + MLSInit::Genesis(ref kp) => verify_keypackage(genesis_time, &kp), + _ => Err(DistributionError::KeyPackageDecodeError), + }) .collect::, _>>()? .into_iter() .max() diff --git a/chain-core/src/state/account.rs b/chain-core/src/state/account.rs index 12283023e..10ebe0ff3 100644 --- a/chain-core/src/state/account.rs +++ b/chain-core/src/state/account.rs @@ -33,6 +33,20 @@ pub type NodeName = String; /// optional security@... email pub type NodeSecurityContact = Option; +/// FIXME: Encode, Decode implementations when MLS payloads are stabilized +#[derive(Debug, PartialEq, Eq, PartialOrd, Ord, Clone, Encode, Decode)] +pub enum MLSInit { + /// KeyPackage + Genesis(Vec), + /// payloads retrieved from other node's TDBE + NodeJoin { + /// MLSPlaintext -- Add + add: Vec, + /// MLSPlaintext -- Commit + commit: Vec, + }, +} + /// the initial data a node submits to join a MLS group #[derive(Debug, PartialEq, Eq, PartialOrd, Ord, Clone)] #[cfg_attr(not(feature = "mesalock_sgx"), derive(Serialize, Deserialize))] @@ -45,24 +59,29 @@ pub struct ConfidentialInit { deserialize_with = "deserialize_base64" ) )] - pub keypackage: Vec, + pub init_payload: MLSInit, } #[cfg(not(feature = "mesalock_sgx"))] -fn serialize_base64(keypackage: &[u8], serializer: S) -> Result +fn serialize_base64(init_payload: &MLSInit, serializer: S) -> Result where S: Serializer, { - base64::encode(keypackage).serialize(serializer) + match init_payload { + MLSInit::Genesis(kp) => base64::encode(kp).serialize(serializer), + _ => "FIXME".serialize(serializer), + } } #[cfg(not(feature = "mesalock_sgx"))] -fn deserialize_base64<'de, D>(deserializer: D) -> Result, D::Error> +fn deserialize_base64<'de, D>(deserializer: D) -> Result where D: Deserializer<'de>, { - base64::decode(String::deserialize(deserializer)?.as_bytes()) - .map_err(|e| D::Error::custom(format!("{}", e))) + let kp = base64::decode(String::deserialize(deserializer)?.as_bytes()) + .map_err(|e| D::Error::custom(format!("{}", e)))?; + // FIXME: non-genesis + Ok(MLSInit::Genesis(kp)) } /// Information common to different node types @@ -96,7 +115,10 @@ impl Encode for NodeCommonInfo { c.encode_to(dest); } }; - self.confidential_init.keypackage.encode_to(dest); + // 0.5 test vectors specified it as Vec blob + // FIXME: ok to break when stabilized in 0.6? will it break HW wallet parser? + let temp: Vec = self.confidential_init.init_payload.encode(); + temp.encode_to(dest); } } @@ -126,11 +148,14 @@ const MAX_STRING_LEN: usize = 255; impl Decode for NodeCommonInfo { fn decode(input: &mut I) -> Result { let (name, security_contact) = decode_name_security_contact(input)?; - let keypackage: Vec = Vec::decode(input)?; + // 0.5 test vectors specified it as Vec blob + // FIXME: ok to break when stabilized in 0.6? will it break HW wallet parser? + let temp: Vec = Vec::decode(input)?; + let init_payload = MLSInit::decode(&mut temp.as_ref())?; Ok(NodeCommonInfo { name, security_contact, - confidential_init: ConfidentialInit { keypackage }, + confidential_init: ConfidentialInit { init_payload }, }) } } @@ -160,7 +185,10 @@ impl Encode for CouncilNodeMeta { } }; self.consensus_pubkey.encode_to(dest); - self.node_info.confidential_init.keypackage.encode_to(dest); + // 0.5 test vectors specified it as Vec blob + // FIXME: ok to break when stabilized in 0.6? will it break HW wallet parser? + let temp: Vec = self.node_info.confidential_init.init_payload.encode(); + temp.encode_to(dest); } } @@ -171,12 +199,15 @@ impl Decode for CouncilNodeMeta { // where it was like this let (name, security_contact) = decode_name_security_contact(input)?; let consensus_pubkey = TendermintValidatorPubKey::decode(input)?; - let keypackage: Vec = Vec::decode(input)?; + // 0.5 test vectors specified it as Vec blob + // FIXME: ok to break when stabilized in 0.6? will it break HW wallet parser? + let temp: Vec = Vec::decode(input)?; + let init_payload = MLSInit::decode(&mut temp.as_ref())?; Ok(CouncilNodeMeta::new_with_details( name, security_contact, consensus_pubkey, - ConfidentialInit { keypackage }, + ConfidentialInit { init_payload }, )) } } @@ -235,6 +266,18 @@ impl Decode for NodeMetadata { } impl NodeMetadata { + /// retrieves the add and commit proposals (if any) + pub fn get_node_join_mls_init(&self) -> Option<(&[u8], &[u8])> { + let init_payload = match self { + NodeMetadata::CouncilNode(cm) => &cm.node_info.confidential_init.init_payload, + NodeMetadata::CommunityNode(info) => &info.confidential_init.init_payload, + }; + match init_payload { + MLSInit::NodeJoin { add, commit } => Some((add, commit)), + _ => None, + } + } + /// create an empty council node (in testing etc.) pub fn new_council_node( consensus_pubkey: TendermintValidatorPubKey, @@ -622,7 +665,9 @@ mod test { name, security_contact, TendermintValidatorPubKey::Ed25519(raw_pubkey), - ConfidentialInit { keypackage }, + ConfidentialInit { + init_payload: MLSInit::Genesis(keypackage), + }, ) } } diff --git a/chain-core/src/state/validator/nodejoin.rs b/chain-core/src/state/validator/nodejoin.rs index d12f6c493..e6423517f 100644 --- a/chain-core/src/state/validator/nodejoin.rs +++ b/chain-core/src/state/validator/nodejoin.rs @@ -64,14 +64,6 @@ impl Encode for NodeJoinRequestTx { impl TransactionId for NodeJoinRequestTx {} impl NodeJoinRequestTx { - /// returns the keypackage - pub fn get_keypackage_payload(&self) -> &[u8] { - match &self.node_meta { - NodeMetadata::CouncilNode(cm) => &cm.node_info.confidential_init.keypackage, - NodeMetadata::CommunityNode(cm) => &cm.confidential_init.keypackage, - } - } - /// constructs a new node join request transaction from the provided components #[inline] pub fn new( diff --git a/chain-tx-enclave-next/mls/src/extras/mod.rs b/chain-tx-enclave-next/mls/src/extras/mod.rs new file mode 100644 index 000000000..409434869 --- /dev/null +++ b/chain-tx-enclave-next/mls/src/extras/mod.rs @@ -0,0 +1,8 @@ +///! This module contains additional parts that are a part of the MLS draft spec, +///! but are required for resolving relevant open issues in the draft spec +///! or for extra conventions / operations: https://github.com/crypto-com/chain-docs/blob/master/docs/modules/tdbe.md. + +/// module for external validation +mod validation; + +pub use validation::{check_nodejoin, NodeJoinError, NodeJoinResult}; diff --git a/chain-tx-enclave-next/mls/src/extras/validation.rs b/chain-tx-enclave-next/mls/src/extras/validation.rs new file mode 100644 index 000000000..f49790135 --- /dev/null +++ b/chain-tx-enclave-next/mls/src/extras/validation.rs @@ -0,0 +1,39 @@ +use crate::keypackage::{self, Timespec}; +use crate::message::MLSPlaintext; +use crate::Codec; +use ra_client::{CertVerifyResult, ENCLAVE_CERT_VERIFIER}; + +/// FIXME: needs design/spec https://github.com/crypto-com/chain-docs/issues/141 +/// of possible errors +#[derive(thiserror::Error, Debug)] +pub enum NodeJoinError { + #[error("decoding failed")] + DecodeError, + #[error("verification error: {0}")] + VerifyError(#[from] keypackage::Error), +} + +/// FIXME: needs design/spec https://github.com/crypto-com/chain-docs/issues/141 +/// of what needs to be returned +pub struct NodeJoinResult { + pub info: CertVerifyResult, +} + +/// FIXME: needs design/spec https://github.com/crypto-com/chain-docs/issues/141 +/// this may need to be passed in more arguments, e.g. groupcontext or whatever the chain-abci +/// can maintain +pub fn check_nodejoin( + add_proposal: &[u8], + _commit: &[u8], + block_time: Timespec, +) -> Result { + // FIXME: many missing validations + let proposal = MLSPlaintext::read_bytes(add_proposal).ok_or(NodeJoinError::DecodeError)?; + let add = proposal.get_add().ok_or(NodeJoinError::DecodeError)?; + + let info = add + .key_package + .verify(&*ENCLAVE_CERT_VERIFIER, block_time) + .map_err(NodeJoinError::VerifyError)?; + Ok(NodeJoinResult { info }) +} diff --git a/chain-tx-enclave-next/mls/src/lib.rs b/chain-tx-enclave-next/mls/src/lib.rs index 0a6788e2a..fd2f315f0 100644 --- a/chain-tx-enclave-next/mls/src/lib.rs +++ b/chain-tx-enclave-next/mls/src/lib.rs @@ -3,6 +3,7 @@ pub mod astree; pub mod ciphersuite; pub mod credential; pub mod extensions; +pub mod extras; pub mod group; pub mod key; pub mod keypackage; diff --git a/client-cli/src/command/transaction_command.rs b/client-cli/src/command/transaction_command.rs index 6d0e7a72b..8a022d5be 100644 --- a/client-cli/src/command/transaction_command.rs +++ b/client-cli/src/command/transaction_command.rs @@ -10,7 +10,7 @@ use chain_core::common::{Timespec, HASH_SIZE_256}; use chain_core::init::coin::Coin; use chain_core::init::network::get_network_id; use chain_core::state::account::{ - ConfidentialInit, CouncilNodeMeta, StakedStateAddress, StakedStateOpAttributes, + ConfidentialInit, CouncilNodeMeta, MLSInit, StakedStateAddress, StakedStateOpAttributes, }; use chain_core::state::tendermint::TendermintValidatorPubKey; use chain_core::tx::data::access::{TxAccess, TxAccessPolicy}; @@ -35,6 +35,7 @@ use structopt::StructOpt; use unicase::eq_ascii; use crate::{ask_seckey, coin_from_str}; +use client_common::temporary_mls_init; use client_core::transaction_builder::UnsignedTransferTransaction; use mls::extensions::LifeTimeExt; @@ -1134,6 +1135,7 @@ fn ask_keypackage() -> Result> { Ok(keypackage) } +/// FIXME: take Add + Commit instead of keypackage fn ask_node_metadata(keypackage: Option) -> Result { ask("Enter validator node name: "); let name = text().chain(|| (ErrorKind::IoError, "Unable to read validator node name"))?; @@ -1171,13 +1173,16 @@ fn ask_node_metadata(keypackage: Option) -> Result { let mut pubkey_bytes = [0; 32]; pubkey_bytes.copy_from_slice(&decoded_pubkey); - + // FIXME: MLSPlaintexts instead of keypackage Ok(CouncilNodeMeta::new_with_details( name, None, TendermintValidatorPubKey::Ed25519(pubkey_bytes), ConfidentialInit { - keypackage: keypackage_raw, + init_payload: MLSInit::NodeJoin { + add: temporary_mls_init(keypackage_raw), + commit: vec![], + }, }, )) } diff --git a/client-common/Cargo.toml b/client-common/Cargo.toml index 73bd2216e..45239404a 100644 --- a/client-common/Cargo.toml +++ b/client-common/Cargo.toml @@ -10,6 +10,7 @@ chain-tx-filter = { path = "../chain-tx-filter" } enclave-protocol = { path = "../enclave-protocol" } mock-utils = { path = "../chain-tx-enclave/mock-utils" } ra-client = { path = "../chain-tx-enclave-next/enclave-ra/ra-client" } +mls = { path = "../chain-tx-enclave-next/mls" } aes = "0.4" aes-gcm-siv = "0.5" diff --git a/client-common/src/lib.rs b/client-common/src/lib.rs index 0aa7cd9a1..dcd32fd0c 100644 --- a/client-common/src/lib.rs +++ b/client-common/src/lib.rs @@ -23,7 +23,7 @@ pub use seckey::SecKey; #[doc(inline)] pub use storage::{SecureStorage, Storage}; #[doc(inline)] -pub use transaction::{SignedTransaction, Transaction, TransactionInfo}; +pub use transaction::{temporary_mls_init, SignedTransaction, Transaction, TransactionInfo}; use secp256k1::{All, Secp256k1}; diff --git a/client-common/src/tendermint/mock.rs b/client-common/src/tendermint/mock.rs index fb254192a..44ad9fdc5 100644 --- a/client-common/src/tendermint/mock.rs +++ b/client-common/src/tendermint/mock.rs @@ -82,7 +82,7 @@ const DEFAULT_GENESIS_JSON: &str = r#"{ "type": "tendermint/PubKeyEd25519", "value": "2H0sZxyy5iOU6q0/F+ZCQ3MyJJxg8odE5NMsGIyfFV0=" }, - {"keypackage": "RklYTUU="} + {"init_payload": "RklYTUU="} ] } } diff --git a/client-common/src/transaction.rs b/client-common/src/transaction.rs index 742715d8d..7ae436170 100644 --- a/client-common/src/transaction.rs +++ b/client-common/src/transaction.rs @@ -11,6 +11,10 @@ use chain_core::tx::data::output::TxOut; use chain_core::tx::data::{Tx, TxId}; use chain_core::tx::witness::TxWitness; use chain_core::tx::{PlainTxAux, TransactionId, TxWithOutputs}; +use mls::{ + message::Add, message::ContentType, message::MLSPlaintext, message::MLSPlaintextCommon, + message::Proposal, message::Sender, message::SenderType, Codec, KeyPackage, +}; /// A struct which the sender can download and the receiver can import #[derive(Debug, Clone, PartialEq, Serialize, Deserialize, Encode, Decode)] @@ -154,3 +158,26 @@ impl Into for SignedTransaction { } } } + +/// temporary hack +/// FIXME: detele this, the correct payload should be fetched via TDBE connecting to other node's TDBE +/// when that's implemented + validated +pub fn temporary_mls_init(kp: Vec) -> Vec { + let key_package = KeyPackage::read_bytes(&kp).expect("it was validated before"); + let sender = Sender { + sender_type: SenderType::Member, + sender: 0, + }; + let add_content = MLSPlaintextCommon { + group_id: vec![], + epoch: 0, + sender, + authenticated_data: vec![], + content: ContentType::Proposal(Proposal::Add(Add { key_package })), + }; + MLSPlaintext { + content: add_content, + signature: vec![], + } + .get_encoding() +} diff --git a/client-rpc/src/rpc/staking_rpc.rs b/client-rpc/src/rpc/staking_rpc.rs index f1fa5db31..1e012b81a 100644 --- a/client-rpc/src/rpc/staking_rpc.rs +++ b/client-rpc/src/rpc/staking_rpc.rs @@ -7,7 +7,8 @@ use jsonrpc_derive::rpc; use crate::{rpc_error_from_string, to_rpc_error}; use chain_core::init::coin::Coin; use chain_core::state::account::{ - ConfidentialInit, CouncilNodeMeta, StakedState, StakedStateAddress, StakedStateOpAttributes, + ConfidentialInit, CouncilNodeMeta, MLSInit, StakedState, StakedStateAddress, + StakedStateOpAttributes, }; use chain_core::state::tendermint::TendermintValidatorPubKey; use chain_core::tx::data::access::{TxAccess, TxAccessPolicy}; @@ -15,6 +16,7 @@ use chain_core::tx::data::address::ExtendedAddr; use chain_core::tx::data::attribute::TxAttributes; use chain_core::tx::data::input::TxoPointer; use chain_core::tx::data::output::TxOut; +use client_common::temporary_mls_init; use client_common::{Error, ErrorKind, PublicKey, Result as CommonResult, ResultExt, Transaction}; use client_core::wallet::WalletRequest; use client_core::WalletClient; @@ -439,6 +441,7 @@ where } } +/// FIXME: take Add + Commit instead of keypackage fn get_node_metadata( validator_name: &str, validator_pubkey: &str, @@ -464,6 +467,7 @@ fn get_node_metadata( let mut pubkey_bytes = [0; 32]; pubkey_bytes.copy_from_slice(&decoded_pubkey); + // FIXME: MLSPlaintexts instead of keypackage let keypackage = base64::decode(keypackage) .err_kind(ErrorKind::InvalidInput, || "invalid base64") .map_err(to_rpc_error)?; @@ -472,6 +476,11 @@ fn get_node_metadata( validator_name.to_string(), None, TendermintValidatorPubKey::Ed25519(pubkey_bytes), - ConfidentialInit { keypackage }, + ConfidentialInit { + init_payload: MLSInit::NodeJoin { + add: temporary_mls_init(keypackage), + commit: vec![], + }, + }, )) } diff --git a/cro-clib/src/transaction_staking.rs b/cro-clib/src/transaction_staking.rs index 80285cf64..ef511785b 100644 --- a/cro-clib/src/transaction_staking.rs +++ b/cro-clib/src/transaction_staking.rs @@ -2,12 +2,13 @@ use crate::types::get_string; use crate::types::{CroAddress, CroAddressPtr, CroResult}; pub use chain_core::init::network::Network; use chain_core::state::account::{ - ConfidentialInit, NodeMetadata, StakedStateAddress, StakedStateOpAttributes, + ConfidentialInit, MLSInit, NodeMetadata, StakedStateAddress, StakedStateOpAttributes, StakedStateOpWitness, UnjailTx, }; use chain_core::state::tendermint::TendermintValidatorPubKey; use chain_core::state::validator::NodeJoinRequestTx; use chain_core::tx::{TxAux, TxPublicAux}; +use client_common::temporary_mls_init; use client_common::{ErrorKind, PrivateKeyAction, Result, ResultExt, Transaction}; use parity_scale_codec::Encode; use std::os::raw::c_char; @@ -82,7 +83,7 @@ pub unsafe extern "C" fn cro_unjai( /// validator_name_user: validator name, null terminated string /// validator_contact_user: validator contact, null terminated string /// validator_pubkey_user: validator pubkey,ed25519 pubkey raw size= 32 bytes , base64 encoded null terminated string, - +/// FIXME: Add+Commit instead of keypackage #[allow(clippy::too_many_arguments)] fn create_encoded_signed_join( network: u8, @@ -108,13 +109,18 @@ fn create_encoded_signed_join( "Unable to get validator pubkey", ) })?; - + // FIXME: MLSPlaintexts instead of keypackage let node_metadata = NodeMetadata::new_council_node_with_details( validator_name.to_string(), Some(validator_contact.to_string()), // 32 bytes pubkey, - ConfidentialInit { keypackage }, + ConfidentialInit { + init_payload: MLSInit::NodeJoin { + add: temporary_mls_init(keypackage), + commit: vec![], + }, + }, ); let transaction: NodeJoinRequestTx = NodeJoinRequestTx { nonce, diff --git a/dev-utils/example-dev-conf.json b/dev-utils/example-dev-conf.json index 848d731fc..263bd69f5 100644 --- a/dev-utils/example-dev-conf.json +++ b/dev-utils/example-dev-conf.json @@ -37,7 +37,7 @@ "value": "pPxJH5wUamXcCvSxgywzmANuO0UNR5x3nCbUzsrCeX8=" }, { - "keypackage": "RklYTUU=" + "init_payload": "RklYTUU=" } ] } diff --git a/dev-utils/src/commands/init_command.rs b/dev-utils/src/commands/init_command.rs index a121cece6..e78ba3e97 100644 --- a/dev-utils/src/commands/init_command.rs +++ b/dev-utils/src/commands/init_command.rs @@ -10,7 +10,7 @@ use serde_json::json; use crate::verify_keypackage; use chain_core::init::{address::RedeemAddress, coin::Coin, config::InitConfig}; -use chain_core::state::account::ConfidentialInit; +use chain_core::state::account::{ConfidentialInit, MLSInit}; use chain_core::state::tendermint::{TendermintValidator, TendermintValidatorPubKey}; use client_common::storage::SledStorage; use client_common::tendermint::types::Time; @@ -203,7 +203,9 @@ impl InitCommand { "dev test".to_owned(), None, pubkey, - ConfidentialInit { keypackage }, + ConfidentialInit { + init_payload: MLSInit::Genesis(keypackage), + }, ), ); Ok(()) diff --git a/dev-utils/src/commands/keypackage_command.rs b/dev-utils/src/commands/keypackage_command.rs index cab3692b7..01e858439 100644 --- a/dev-utils/src/commands/keypackage_command.rs +++ b/dev-utils/src/commands/keypackage_command.rs @@ -1,5 +1,8 @@ use crate::{gen_keypackage, verify_keypackage}; +use chain_core::state::account::MLSInit; use client_common::{ErrorKind, Result, ResultExt}; +use parity_scale_codec::Encode; + use structopt::StructOpt; #[derive(Debug, StructOpt)] pub enum KeypackageCommand { @@ -36,7 +39,7 @@ impl KeypackageCommand { pub fn execute(&self) -> Result<()> { match self { KeypackageCommand::GenKeypackage { path, output } => { - let blob = gen_keypackage(&path)?; + let blob = MLSInit::Genesis(gen_keypackage(&path)?).encode(); let encoded = base64::encode(&blob); std::fs::write(&output, &encoded) .chain(|| (ErrorKind::IoError, "Cannot write encoded key-package"))?; diff --git a/dev-utils/src/commands/test_vector_command.rs b/dev-utils/src/commands/test_vector_command.rs index e93eacad5..5ef56b303 100644 --- a/dev-utils/src/commands/test_vector_command.rs +++ b/dev-utils/src/commands/test_vector_command.rs @@ -562,9 +562,10 @@ mod tests { nodejoin_vector.tendermint_validator_pubkey, "00d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a" ); + // FIXME: update documentation, as in 0.6 the confidential init is defined assert_eq!( nodejoin_vector.tx_id, - "236a51c147023b24570286cd9fb190f60d51772a38b515899f9876272873bce4" + "e0c2dfc3f25ef87f0866a0ac6f649904d42c9504a6140b96549e3cef940d2106" ); // check unbonded stake vector let unbonded_stake_vector = test_vectors.unbonded_stake_vector.clone().unwrap(); diff --git a/docker/config/devnet/dev-conf.json b/docker/config/devnet/dev-conf.json index c100f1c2b..be71e736d 100644 --- a/docker/config/devnet/dev-conf.json +++ b/docker/config/devnet/dev-conf.json @@ -37,7 +37,7 @@ "type": "tendermint/PubKeyEd25519", "value": "FF5JxhRrCUNLj6UZmYdjv/AWgSWUeiomeOMeJG71owE=" }, - {"keypackage": ""} + {"init_payload": ""} ] } } \ No newline at end of file diff --git a/docker/config/devnet/tendermint/genesis.json b/docker/config/devnet/tendermint/genesis.json index 2b92f96e5..cabadd299 100644 --- a/docker/config/devnet/tendermint/genesis.json +++ b/docker/config/devnet/tendermint/genesis.json @@ -1,5 +1,5 @@ { - "app_hash": "7AADC4278D79C67A26CCA4A6BDC34176167FD13984BAC4FC2A4ABA93EEBFB833", + "app_hash": "0F2BBC42D93CE327ABBD06858F7BA888BDF762BB079B074B24A8FD9839ACF165", "app_state": { "council_nodes": { "0x45c1851c2f0dc6138935857b9e23b173185fea15": [ @@ -9,7 +9,7 @@ "type": "tendermint/PubKeyEd25519", "value": "FF5JxhRrCUNLj6UZmYdjv/AWgSWUeiomeOMeJG71owE=" }, - {"keypackage": ""} + {"init_payload": ""} ] }, "distribution": { diff --git a/integration-tests/bot/chainbot.py b/integration-tests/bot/chainbot.py index 4cb9e5fe7..a6f55a761 100755 --- a/integration-tests/bot/chainbot.py +++ b/integration-tests/bot/chainbot.py @@ -228,7 +228,7 @@ async def app_state_cfg(cfg): 'type': 'tendermint/PubKeyEd25519', 'value': SigningKey(node['validator_seed']).pub_key_base64(), }, - {'keypackage': base64.b64encode(keypackage).decode()} # FIXME: to be designed and implemented + {'init_payload': base64.b64encode(keypackage).decode()} # FIXME: to be designed and implemented ] for node in cfg['nodes'] if node['bonded_coin'] > 0 }, diff --git a/test-common/Cargo.toml b/test-common/Cargo.toml index 0496a387a..e2d463757 100644 --- a/test-common/Cargo.toml +++ b/test-common/Cargo.toml @@ -30,3 +30,4 @@ chain-abci = { path = "../chain-abci" } chain-storage = { path = "../chain-storage" } client-common = { path = "../client-common" } client-core = { path = "../client-core" } +mls = { path = "../chain-tx-enclave-next/mls" } diff --git a/test-common/src/chain_env.rs b/test-common/src/chain_env.rs index 142aacda7..8f5bfe2ee 100644 --- a/test-common/src/chain_env.rs +++ b/test-common/src/chain_env.rs @@ -22,8 +22,8 @@ use chain_core::init::config::{ SlashRatio, SlashingParameters, }; use chain_core::state::account::{ - ConfidentialInit, CouncilNodeMeta, NodeMetadata, NodeName, NodeSecurityContact, NodeState, - StakedState, StakedStateAddress, StakedStateDestination, StakedStateOpAttributes, + ConfidentialInit, CouncilNodeMeta, MLSInit, NodeMetadata, NodeName, NodeSecurityContact, + NodeState, StakedState, StakedStateAddress, StakedStateDestination, StakedStateOpAttributes, StakedStateOpWitness, UnbondTx, Validator as ChainValidator, }; use chain_core::state::tendermint::{ @@ -36,6 +36,11 @@ use chain_core::tx::{data::TxId, TransactionId, TxAux, TxPublicAux}; use chain_storage::buffer::Get; use chain_storage::{Storage, NUM_COLUMNS}; +use mls::{ + message::Add, message::ContentType, message::MLSPlaintext, message::MLSPlaintextCommon, + message::Proposal, message::Sender, message::SenderType, Codec, KeyPackage, +}; + const TEST_CHAIN_ID: &str = "test-00"; pub const DEFAULT_GENESIS_TIME: u64 = 1563148800; @@ -134,9 +139,44 @@ pub fn mock_council_node_meta(consensus_pubkey: TendermintValidatorPubKey) -> Co ) } +pub fn mock_council_node_join(consensus_pubkey: TendermintValidatorPubKey) -> NodeMetadata { + NodeMetadata::new_council_node_with_details( + "no-name".to_string(), + None, + consensus_pubkey, + mock_confidential_init_node_join(), + ) +} + +pub fn mock_confidential_init_node_join() -> ConfidentialInit { + let sender = Sender { + sender_type: SenderType::Member, + sender: 0, + }; + let kp = KeyPackage::read_bytes(KEYPACKAGE_VECTOR).unwrap(); + let add_content = MLSPlaintextCommon { + group_id: vec![], + epoch: 0, + sender, + authenticated_data: vec![], + content: ContentType::Proposal(Proposal::Add(Add { key_package: kp })), + }; + let plain = MLSPlaintext { + content: add_content, + signature: vec![], + }; + + ConfidentialInit { + init_payload: MLSInit::NodeJoin { + add: plain.get_encoding(), + commit: vec![], + }, + } +} + pub fn mock_confidential_init() -> ConfidentialInit { ConfidentialInit { - keypackage: KEYPACKAGE_VECTOR.to_vec(), + init_payload: MLSInit::Genesis(KEYPACKAGE_VECTOR.to_vec()), } } @@ -302,11 +342,13 @@ impl ChainEnv { } pub fn join_tx(&self, nonce: u64, account_index: usize) -> TxAux { + let mut node_meta = self.council_nodes[account_index].1.clone(); + node_meta.node_info.confidential_init = mock_confidential_init_node_join(); let tx = NodeJoinRequestTx::new( nonce, self.accounts[account_index].staking_address(), StakedStateOpAttributes::new(0), - NodeMetadata::CouncilNode(self.council_nodes[account_index].1.clone()), + NodeMetadata::CouncilNode(node_meta), ); let secp = Secp256k1::new(); let witness = StakedStateOpWitness::new(get_ecdsa_witness(