Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

go: Disable additional signature verification for migration #2656

Merged
merged 1 commit into from
Feb 7, 2020
Merged

go: Disable additional signature verification for migration #2656

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .changelog/2652.bugfix.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
go: Disable additional signature verification for migration

Some places were missed when signature verification was disabled for the
purpose of migration.
11 changes: 9 additions & 2 deletions go/consensus/tendermint/seed.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import (
"github.com/tendermint/tendermint/types"
"github.com/tendermint/tendermint/version"

"github.com/oasislabs/oasis-core/go/common/cbor"
"github.com/oasislabs/oasis-core/go/common/crypto/signature"
"github.com/oasislabs/oasis-core/go/common/identity"
"github.com/oasislabs/oasis-core/go/common/node"
Expand Down Expand Up @@ -162,8 +163,14 @@ func populateAddrBookFromGenesis(addrBook p2p.AddrBook, doc *genesis.Document, o
var addrs []*p2p.NetAddress
for _, v := range doc.Registry.Nodes {
var openedNode node.Node
if err := v.Open(registry.RegisterGenesisNodeSignatureContext, &openedNode); err != nil {
return errors.Wrap(err, "tendermint/seed: failed to verify validator")
if isOldNode(v) {
if err := cbor.Unmarshal(v.Blob, &openedNode); err != nil {
return errors.Wrap(err, "tendermint/seed: failed to unmarshal old-format validator")
}
} else {
if err := v.Open(registry.RegisterGenesisNodeSignatureContext, &openedNode); err != nil {
return errors.Wrap(err, "tendermint/seed: failed to verify validator")
}
}
// TODO: This should cross check that the entity is valid.
if !openedNode.HasRoles(node.RoleValidator) {
Expand Down
16 changes: 14 additions & 2 deletions go/consensus/tendermint/tendermint.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1029,6 +1029,12 @@ func (t *tendermintService) lazyInit() error {
return nil
}

func isOldNode(sigNode *node.MultiSignedNode) bool {
// Nodes signed before v20.3 are allowed in the genesis document,
// but they aren't validly signed by the current rules.
return len(sigNode.MultiSigned.Signatures) < 2
}

// genesisToTendermint converts the Oasis genesis block to Tendermint's format.
func genesisToTendermint(d *genesisAPI.Document) (*tmtypes.GenesisDoc, error) {
// WARNING: The AppState MUST be encoded as JSON since its type is
Expand Down Expand Up @@ -1071,8 +1077,14 @@ func genesisToTendermint(d *genesisAPI.Document) (*tmtypes.GenesisDoc, error) {
var tmValidators []tmtypes.GenesisValidator
for _, v := range d.Registry.Nodes {
var openedNode node.Node
if err := v.Open(registryAPI.RegisterGenesisNodeSignatureContext, &openedNode); err != nil {
return nil, fmt.Errorf("tendermint: failed to verify validator: %w", err)
if isOldNode(v) {
if err := cbor.Unmarshal(v.Blob, &openedNode); err != nil {
return nil, fmt.Errorf("tendermint: failed to unmarshal old-format validator: %w", err)
}
} else {
if err := v.Open(registryAPI.RegisterGenesisNodeSignatureContext, &openedNode); err != nil {
return nil, fmt.Errorf("tendermint: failed to verify validator: %w", err)
}
}
// TODO: This should cross check that the entity is valid.
if !openedNode.HasRoles(node.RoleValidator) {
Expand Down
2 changes: 1 addition & 1 deletion go/oasis-node/cmd/debug/fixgenesis/fixgenesis.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -179,7 +179,7 @@ func updateGenesisDoc(oldDoc *oldDocument) (*genesis.Document, error) {
}

// This currently is entirely registry genesis state changes.
oldReg, newReg := oldDoc.Registry, newDoc.Registry
oldReg, newReg := &oldDoc.Registry, &newDoc.Registry

// First copy the registry things that have not changed.
newReg.Parameters = oldReg.Parameters
Expand Down
10 changes: 5 additions & 5 deletions go/registry/api/api.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -601,11 +601,11 @@ func VerifyRegisterNodeArgs( // nolint: gocyclo
)
return nil, nil, err
}
certPub, err := verifyNodeCertificate(logger, &n)
if err != nil {
return nil, nil, err
}
if !isOldNode {
certPub, err := verifyNodeCertificate(logger, &n)
if err != nil {
return nil, nil, err
}
if !sigNode.MultiSigned.IsSignedBy(certPub) {
logger.Error("RegisterNode: not signed by TLS certificate key",
"signed_node", sigNode,
Expand Down Expand Up @@ -634,7 +634,7 @@ func VerifyRegisterNodeArgs( // nolint: gocyclo
expectedSigners = append(expectedSigners, n.P2P.ID)
}
p2pAddressRequired := n.HasRoles(P2PAddressRequiredRoles)
if err = verifyAddresses(params, p2pAddressRequired, n.P2P.Addresses); err != nil {
if err := verifyAddresses(params, p2pAddressRequired, n.P2P.Addresses); err != nil {
addrs, _ := json.Marshal(n.P2P.Addresses)
logger.Error("RegisterNode: missing/invald P2P addresses",
"node", n,
Expand Down