diff --git a/.changelog/2918.breaking.md b/.changelog/2918.breaking.md new file mode 100644 index 00000000000..b500e0be8ac --- /dev/null +++ b/.changelog/2918.breaking.md @@ -0,0 +1 @@ +go/registry: Drop support for v0 node descriptor diff --git a/go/oasis-test-runner/scenario/e2e/e2e.go b/go/oasis-test-runner/scenario/e2e/e2e.go index f996f492085..963479578ba 100644 --- a/go/oasis-test-runner/scenario/e2e/e2e.go +++ b/go/oasis-test-runner/scenario/e2e/e2e.go @@ -127,8 +127,6 @@ func RegisterScenarios() error { Debond, // Late start test. LateStart, - // Restore from v20.6 genesis file. - RestoreV206, // KeymanagerUpgrade test. KeymanagerUpgrade, } { diff --git a/go/oasis-test-runner/scenario/e2e/restore_previous.go b/go/oasis-test-runner/scenario/e2e/restore_previous.go deleted file mode 100644 index a7ab5954a4a..00000000000 --- a/go/oasis-test-runner/scenario/e2e/restore_previous.go +++ /dev/null @@ -1,59 +0,0 @@ -package e2e - -import ( - "fmt" - - "github.com/oasisprotocol/oasis-core/go/common/node" - "github.com/oasisprotocol/oasis-core/go/oasis-test-runner/env" - "github.com/oasisprotocol/oasis-core/go/oasis-test-runner/oasis" - "github.com/oasisprotocol/oasis-core/go/oasis-test-runner/scenario" -) - -// RestoreV206 tests restoring from a v20.6 genesis document. -var RestoreV206 scenario.Scenario = &restorePrevious{ - runtimeImpl: *newRuntimeImpl("restore-v206", "simple-keyvalue-client", nil), - // Use the genesis document from v20.6 E2E tests (scenario: e2e/runtime/runtime). - genesisFile: "tests/fixture-data/restore-previous/genesis-v20.6.json", -} - -type restorePrevious struct { - runtimeImpl - - genesisFile string -} - -func (sc *restorePrevious) Clone() scenario.Scenario { - return &restorePrevious{ - runtimeImpl: *sc.runtimeImpl.Clone().(*runtimeImpl), - genesisFile: sc.genesisFile, - } -} - -func (sc *restorePrevious) Fixture() (*oasis.NetworkFixture, error) { - f, err := sc.runtimeImpl.Fixture() - if err != nil { - return nil, err - } - - if sc.genesisFile == "" { - return nil, fmt.Errorf("genesis file not specified in scenario") - } - f.Network.GenesisFile = sc.genesisFile - // Use deterministic identities so we can use the same keys. - f.Network.DeterministicIdentities = true - - return f, nil -} - -func (sc *restorePrevious) Run(childEnv *env.Env) error { - // Restore tests use a fixed genesis that only works on non-TEE environments. - tee, err := sc.getTEEHardware() - if err != nil { - return err - } - if tee != node.TEEHardwareInvalid { - sc.logger.Info("skipping test due to incompatible TEE hardware") - return nil - } - return sc.runtimeImpl.Run(childEnv) -} diff --git a/go/registry/api/api.go b/go/registry/api/api.go index 68d19e331d0..537972f690d 100644 --- a/go/registry/api/api.go +++ b/go/registry/api/api.go @@ -594,57 +594,30 @@ func VerifyRegisterNodeArgs( // nolint: gocyclo } // Validate TLSInfo. - if n.DescriptorVersion == 0 { - // Old descriptor that used full TLS certificates instead of just public keys. We allow old - // descriptors iff this is the chain being initialized from genesis and the node only has - // the validator role (because validators do not expose any TLS services). - // TODO: Drop support for node descriptor version 0 (oasis-core#2918). - if !isGenesis && !isSanityCheck { - return nil, nil, fmt.Errorf("%w: v0 descriptor only allowed at genesis time", ErrInvalidArgument) - } - if !n.OnlyHasRoles(node.RoleValidator) { - logger.Error("RegisterNode: v0 descriptor for non-validator node", - "node", n, - ) - return nil, nil, fmt.Errorf("%w: v0 descriptor for non-validator node", ErrInvalidArgument) - } - - legacyTLSKey, err := nodeV0parseTLSPubKey(logger, sigNode) - if err != nil { - return nil, nil, err - } - - logger.Warn("RegisterNode: using v0 node descriptor", + if !n.TLS.PubKey.IsValid() { + logger.Error("RegisterNode: invalid TLS public key", "node", n, ) + return nil, nil, fmt.Errorf("%w: invalid TLS public key", ErrInvalidArgument) + } + tlsAddressRequired := n.HasRoles(TLSAddressRequiredRoles) + if err := verifyAddresses(params, tlsAddressRequired, n.TLS.Addresses); err != nil { + addrs, _ := json.Marshal(n.TLS.Addresses) + logger.Error("RegisterNode: missing/invalid committee addresses", + "node", n, + "committee_addrs", addrs, + ) + return nil, nil, err + } - expectedSigners = append(expectedSigners, legacyTLSKey) - } else { - if !n.TLS.PubKey.IsValid() { - logger.Error("RegisterNode: invalid TLS public key", - "node", n, - ) - return nil, nil, fmt.Errorf("%w: invalid TLS public key", ErrInvalidArgument) - } - tlsAddressRequired := n.HasRoles(TLSAddressRequiredRoles) - if err := verifyAddresses(params, tlsAddressRequired, n.TLS.Addresses); err != nil { - addrs, _ := json.Marshal(n.TLS.Addresses) - logger.Error("RegisterNode: missing/invalid committee addresses", - "node", n, - "committee_addrs", addrs, - ) - return nil, nil, err - } - - if !sigNode.MultiSigned.IsSignedBy(n.TLS.PubKey) { - logger.Error("RegisterNode: not signed by TLS certificate key", - "signed_node", sigNode, - "node", n, - ) - return nil, nil, fmt.Errorf("%w: registration not signed by TLS certificate key", ErrInvalidArgument) - } - expectedSigners = append(expectedSigners, n.TLS.PubKey) + if !sigNode.MultiSigned.IsSignedBy(n.TLS.PubKey) { + logger.Error("RegisterNode: not signed by TLS certificate key", + "signed_node", sigNode, + "node", n, + ) + return nil, nil, fmt.Errorf("%w: registration not signed by TLS certificate key", ErrInvalidArgument) } + expectedSigners = append(expectedSigners, n.TLS.PubKey) // Validate P2PInfo. if !n.P2P.ID.IsValid() { @@ -724,8 +697,7 @@ func VerifyRegisterNodeArgs( // nolint: gocyclo ) return nil, nil, ErrInvalidArgument } - // TODO: Drop support for node descriptor version 0 (oasis-core#2918). - if existingNode != nil && existingNode.ID != n.ID && n.DescriptorVersion != 0 { + if existingNode != nil && existingNode.ID != n.ID { logger.Error("RegisterNode: duplicate node TLS public key", "node_id", n.ID, "existing_node_id", existingNode.ID, diff --git a/go/registry/api/legacy_v0.go b/go/registry/api/legacy_v0.go deleted file mode 100644 index 64d60c572e6..00000000000 --- a/go/registry/api/legacy_v0.go +++ /dev/null @@ -1,64 +0,0 @@ -package api - -// TODO: Remove this when dropping support for node descriptor version 0 (oasis-core#2918). - -import ( - goEd25519 "crypto/ed25519" - "crypto/x509" - "fmt" - - "github.com/oasisprotocol/oasis-core/go/common/cbor" - "github.com/oasisprotocol/oasis-core/go/common/crypto/signature" - "github.com/oasisprotocol/oasis-core/go/common/logging" - "github.com/oasisprotocol/oasis-core/go/common/node" -) - -func nodeV0parseTLSPubKey(logger *logging.Logger, sigNode *node.MultiSignedNode) (signature.PublicKey, error) { - var ( - cert *x509.Certificate - certPub signature.PublicKey - err error - ) - type v0Node struct { - // We are only interested in the old "committee certificate" field. - Committee struct { - Certificate []byte `json:"certificate"` - } `json:"committee"` - } - var node v0Node - if err = cbor.Unmarshal(sigNode.Blob, &node); err != nil { - logger.Error("RegisterNode: invalid v0 node descriptor", - "node", node, - "err", err, - ) - return certPub, ErrInvalidArgument - } - - cert, err = x509.ParseCertificate(node.Committee.Certificate) - if err != nil { - logger.Error("RegisterNode: failed to parse v0 committee certificate", - "err", err, - "node", node, - ) - return certPub, fmt.Errorf("%w: failed to parse v0 committee certificate", ErrInvalidArgument) - } - - edPub, ok := cert.PublicKey.(goEd25519.PublicKey) - if !ok { - logger.Error("RegisterNode: incorrect v0 committee certifiate signing algorithm", - "node", node, - ) - return certPub, fmt.Errorf("%w: incorrect v0 committee certificate signing algorithm", ErrInvalidArgument) - } - - if err = certPub.UnmarshalBinary(edPub); err != nil { - // This should NEVER happen. - logger.Error("RegisterNode: malformed v0 committee certificate signing key", - "err", err, - "node", node, - ) - return certPub, fmt.Errorf("%w: malformed v0 committee certificate signing key", ErrInvalidArgument) - } - - return certPub, nil -}