Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

keymanager/src/client: Fetch public keys using insecure RPC requests #5101

Merged
merged 1 commit into from
Jan 10, 2023
Merged

keymanager/src/client: Fetch public keys using insecure RPC requests #5101

merged 1 commit into from
Jan 10, 2023

Conversation

peternose
Copy link
Contributor

@peternose peternose commented Dec 14, 2022
edited
Loading

Task

Fetch and verify public long-term/ephemeral runtime keys through an insecure channel.

Test

Key manager upgrade tested locally with e2e test. Upgrade works as we allow empty runtime signing keys. An alternative would be to be strict here, but then one key manager would not be included in the node list because of the Runtime signing key mismatch for runtime error. Not sure if this is a problem though, as the new manager will be added to the list as soon as the old one is deregistered.

@peternose peternose force-pushed the peternose/feature/verify-public-keys branch from 22baa99 to 89139ec Compare December 16, 2022 15:09
@peternose peternose force-pushed the peternose/feature/verify-public-keys branch from 89139ec to 068ec2f Compare January 2, 2023 19:25
@codecov
Copy link

codecov bot commented Jan 2, 2023
edited
Loading

Codecov Report

Merging #5101 (b4b98d1) into master (541dc2f) will decrease coverage by 0.06%.
The diff coverage is 51.72%.

❗ Current head b4b98d1 differs from pull request most recent head b82ebd3. Consider uploading reports for the commit b82ebd3 to get more accurate results

@@            Coverage Diff             @@
##           master    #5101      +/-   ##
==========================================
- Coverage   66.84%   66.78%   -0.07%     
==========================================
  Files         497      497              
  Lines       53273    53197      -76     
==========================================
- Hits        35611    35525      -86     
- Misses      13321    13341      +20     
+ Partials     4341     4331      -10
Impacted Files Coverage Δ
go/keymanager/api/api.go 80.64% <ø> (ø)
go/runtime/host/protocol/types.go 54.54% <ø> (ø)
...consensus/tendermint/apps/keymanager/keymanager.go 62.05% <18.18%> (-1.59%) ⬇️
go/oasis-node/cmd/keymanager/keymanager.go 47.38% <36.36%> (-0.33%) ⬇️
go/runtime/registry/host.go 70.11% <88.00%> (-2.25%) ⬇️
go/governance/api/api.go 70.24% <0.00%> (-9.92%) ⬇️
go/consensus/tendermint/apps/staking/auth.go 62.96% <0.00%> (-7.41%) ⬇️
go/runtime/host/sandbox/sandbox.go 70.00% <0.00%> (-6.56%) ⬇️
go/registry/api/sanity_check.go 73.10% <0.00%> (-3.41%) ⬇️
go/common/sgx/aesm/aesm.go 44.13% <0.00%> (-3.29%) ⬇️
... and 51 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@peternose peternose force-pushed the peternose/feature/verify-public-keys branch 3 times, most recently from 4093b34 to 08ecd05 Compare January 3, 2023 11:07
@peternose peternose marked this pull request as ready for review January 3, 2023 12:08
kostko
kostko reviewed Jan 3, 2023
View reviewed changes
keymanager/src/crypto/types.rs Outdated
/// Signed public key.
#[derive(Clone, Debug, Default, PartialEq, Eq, cbor::Encode, cbor::Decode)]
pub struct SignedPublicKey {
/// Public key.
pub key: PublicKey,
/// Checksum of the key manager state.
pub checksum: Vec<u8>,
/// Sign(sk, (key || checksum)) from the key manager.
/// Sign(sk, (key || checksum || runtime id || key pair id || epoch || expiration date) from
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
/// Sign(sk, (key || checksum || runtime id || key pair id || epoch || expiration date) from
/// Sign(sk, (key || checksum || runtime id || key pair id || epoch || expiration epoch)) from

@peternose peternose force-pushed the peternose/feature/verify-public-keys branch from 08ecd05 to b4b98d1 Compare January 4, 2023 10:20
kostko
kostko approved these changes Jan 8, 2023
View reviewed changes
@peternose peternose force-pushed the peternose/feature/verify-public-keys branch from b4b98d1 to 2bf42ba Compare January 10, 2023 01:38
@peternose peternose force-pushed the peternose/feature/verify-public-keys branch from 2bf42ba to b82ebd3 Compare January 10, 2023 09:44
@peternose peternose merged commit 29b0547 into master Jan 10, 2023
@peternose peternose deleted the peternose/feature/verify-public-keys branch January 10, 2023 11:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kostko kostko kostko approved these changes

@Yawning Yawning Awaiting requested review from Yawning

@peterjgilbert peterjgilbert Awaiting requested review from peterjgilbert peterjgilbert is a code owner

@pro-wh pro-wh Awaiting requested review from pro-wh pro-wh is a code owner

@ptrus ptrus Awaiting requested review from ptrus ptrus is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@peternose @kostko