Pallet AutoId #2641
Pallet AutoId #2641
Conversation
|
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| 10089939 | Triggered | Generic Private Key | a11c528 | domains/pallets/auto-id/res/private.issuer.pem | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secret safely. Learn here the best practices.
- Revoke and rotate this secret.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
Our GitHub checks need improvements? Share your feedbacks!
vedhavyas
changed the title
vedhavyas
force-pushed
the
certificate_registry
branch
from
cfa0c35 to
a88badb
Compare
vedhavyas
force-pushed
the
certificate_registry
branch
from
a88badb to
a11c528
Compare
There was a problem hiding this comment.
I had one nit and I still have some questions on overall design but we can address them later in order to begin testing sooner. @NingLin-P should also review.
…ot compilable in no_std
domains/pallets/auto-id/src/lib.rs
Outdated
| let req = SignatureVerificationRequest { | ||
| public_key_info: auto_id.certificate.subject_public_key_info(), | ||
| signature_algorithm, | ||
| // uses auto_id identifier as the message to sign | ||
| data: auto_id.identifier.encode(), | ||
| signature, | ||
| }; |
There was a problem hiding this comment.
This seems problematic, since the signing data is always the same the signature is always valid, so the attacker can reuse the signature from previous blocks to construct arbitrary request.
There was a problem hiding this comment.
Good catch!
We would need some extra random data for this block for users to sign along with AutoId, we can previous block hash. UX issue with this, whichever data we pick, transaction is valid only for one block. Users need to re-sign if the transaction does not make it into the block.
Thoughts @jfrank-summit
There was a problem hiding this comment.
We would need some extra random data for this block for users to sign along with AutoId, we can previous block hash
This may not be enough as the attacker can listen to the tx pool and act something similar to MEV to front run the normal request. Ideally, we should sign the register/revoke/deactivate request itself.
There was a problem hiding this comment.
The problem still exists in that case as well since there is no specific request data for these actions.
I would need to think more this
There was a problem hiding this comment.
Actually, we can solve this with a nonce and request specific data. So even if the attacker does MEV, this signature will only be valid for specific request and specific nonce. They will end up paying for it instead of user.
Request specific data can be as simple as a enum variant. But this introduces signing nonce for each certificate operation.
cc: @jfrank-summit
There was a problem hiding this comment.
What does the user flow look like for this? Will we iterate nonces or track used random nonces?
There was a problem hiding this comment.
every certificate will have a signing nonce like we have a nonce for the account. Along with the nonce, we also will have the request specific pre-defined data. So the final data to be signed would look like this
Action enum {
RevokeCert
DeactivateAutoId
...
}
SigningData struct {
ID
Nonce
Action
}
This ensures, the signature is valid for this (nonce. action) and cannot be re-used.
This does not affect the X509 certificate signing. Just the actions done by the subject of the certificate
… for certificate actions
vedhavyas
force-pushed
the
certificate_registry
branch
from
a825753 to
5de3054
Compare
|
for PRs that are to be audited, we need context. |
|
@vanhauser-thc The needs to audit label on this PR was premature as we are still defining specs, etc. |
|
@vanhauser-thc yes, I tagged the label prematurely. Will reach back once we have more specs in place for your audit |
This PR introduces pallet-auto-id with following functionality
This is not the full implementation of the as per spec. Current changes will get us started with above functionality. Once we have a new runtime and domain node, I'm planning to add the remaining spec post that.
I have also left some TODOs regading the revocation and deactivation. Once we have some feedback, based on the feasibility of implementation, they will be handled in the seperate PR
cc: @jfrank-summit
Code contributor checklist: