Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

bugfix: make Sep10Challenge.verifyTransactionSignatures resilient against account IDs that are not compliant with ed25519 #440

Conversation

marcelosalloum
Copy link
Contributor

@marcelosalloum marcelosalloum commented Jun 30, 2022

What

Make Sep10Challenge.verifyTransactionSignatures resilient against account IDs that are not compliant with ed25519. If a non-compliant account was provided in the list of signers, this account is simply ignored.

Accounts whose ID is not a valid ed25519 public key won't have a signing key, so they can't have signed the challenge transaction.

After the Sep10Challenge.verifyTransactionSignatures method finds the intersection between account IDs that signed the transactionsigners provided in the list, it will return to the caller and the number of accounts and their weight will be verified accordingly.

Why

Close #439.

…reshold` is called with an account id signer that's not compliant with ed25519.
@marcelosalloum marcelosalloum self-assigned this Jun 30, 2022
@marcelosalloum marcelosalloum requested review from sreuland and lijamie98 and removed request for sreuland June 30, 2022 17:50
@marcelosalloum marcelosalloum marked this pull request as ready for review June 30, 2022 17:51
Copy link
Contributor

@Shaptic Shaptic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given that we continue on invalid signers, does this make it possible for a challenge to be "valid" despite being full of fake signers? I would expect at least one real additional signer to be required.

@Shaptic Shaptic requested a review from tamirms June 30, 2022 17:56
@marcelosalloum
Copy link
Contributor Author

marcelosalloum commented Jun 30, 2022

Given that we continue on invalid signers, does this make it possible for a challenge to be "valid" despite being full of fake signers? I would expect at least one real additional signer to be required.

Maybe my description of the PR is not precise enough...

What I actually changed was the method verifyTransactionSignatures(transaction, signers), that basically gets the intersection between account IDs that signed the transactionsigners provided in the list.

After that, these signers will validated in the caller method, where the verification you suggested is being performed:
https://github.com/stellar/java-stellar-sdk/blob/6d8a397969a9bca084ffb739de34744a6e12c258/src/main/java/org/stellar/sdk/Sep10Challenge.java#L435-L468

If no signer is found or if the number of signers found is not sufficient, an exception will still be thrown.

Note: I'm updating the PR description to make it more precise.

@marcelosalloum marcelosalloum changed the title bugfix: make Sep10Challenge.verifyChallengeTransactionThreshold resilient against account IDs that are not compliant with ed25519 bugfix: make Sep10Challenge. verifyTransactionSignatures resilient against account IDs that are not compliant with ed25519 Jun 30, 2022
@marcelosalloum marcelosalloum changed the title bugfix: make Sep10Challenge. verifyTransactionSignatures resilient against account IDs that are not compliant with ed25519 bugfix: make Sep10Challenge.verifyTransactionSignatures resilient against account IDs that are not compliant with ed25519 Jun 30, 2022
@marcelosalloum marcelosalloum requested a review from Shaptic June 30, 2022 19:01
@@ -1608,6 +1608,43 @@ public void testVerifyChallengeTransactionThresholdValidServerAndMultipleClientK
assertEquals(new HashSet<String>(Arrays.asList(masterClient.getAccountId(), signerClient1.getAccountId())), signersFound);
}

@Test
public void testVerifyChallengeTransactionThresholdValidServerAndMultipleClientKeyMeetingThresholdSomeUnusedAndOneNotEd25519Compliant() throws IOException, InvalidSep10ChallengeException {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

now that's a test case name, good coverage to assert the change! maybe condense the name down to just the non-compliant aspect.

try {
keyPair = KeyPair.fromAccountId(signer);
} catch (RuntimeException e) {
System.out.printf("Couldn't parse the signer \"%s\" as a valid Public Key.", signer);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this console output is non-standard for the sdk which by default does not generate that type of output or logger outputs. So, to maintain consistency, would remove this and the stacktrace prints. the callers of this method could check the returned set, and determine which signers are missing, then it could deduce something was wrong and log something from the app layer, etc.

Copy link
Contributor

@sreuland sreuland left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for jumping in to make the required change!

@marcelosalloum marcelosalloum merged commit 1d9a83e into master Jun 30, 2022
@marcelosalloum marcelosalloum deleted the 439-fix-crash-in-sep10challenge-for-invalid-ed25519-public-key branch June 30, 2022 20:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
3 participants