Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verify the origin of node public key #126

Merged
3 commits merged into from
Nov 5, 2021
Merged

Verify the origin of node public key #126

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
46a00fe
Verify node public key origin
Nov 4, 2021
7f3b9f4
Fix dialyzer issue
Nov 5, 2021
681ecbe
Fix test for node connection verification by defining treal ip and di…
Nov 5, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions config/prod.exs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -125,6 +125,12 @@ config :archethic, ArchEthic.Governance.Pools,
uniris: []
]

config :archethic, ArchEthic.Mining.PendingTransactionValidation,
allowed_node_key_origins:
System.get_env("ARCHETHIC_NODE_ALLOWED_KEY_ORIGINS", "tpm")
|> String.split(";", trim: true)
|> Enum.map(&String.to_existing_atom/1)

config :archethic,
ArchEthic.Networking.IPLookup,
(case(System.get_env("ARCHETHIC_NETWORKING_IMPL", "NAT")) do
Expand Down
29 changes: 27 additions & 2 deletions lib/archethic/crypto.ex
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ defmodule ArchEthic.Crypto do
```
Ed25519 Software Public key
| / |
| | |-------|
| | |-------|
| | |
<<0, 0, 106, 58, 193, 73, 144, 121, 104, 101, 53, 140, 125, 240, 52, 222, 35, 181,
13, 81, 241, 114, 227, 205, 51, 167, 139, 100, 176, 111, 68, 234, 206, 72>>
Expand Down Expand Up @@ -1070,7 +1070,7 @@ defmodule ArchEthic.Crypto do
end

@doc """
Return the Root CA public key for the given versioned public key
Return the Root CA public key for the given versioned public key
"""
@spec get_root_ca_public_key(key()) :: binary()
def get_root_ca_public_key(<<_::8, origin_id::8, _::binary>>) do
Expand Down Expand Up @@ -1133,4 +1133,29 @@ defmodule ArchEthic.Crypto do
"""
@spec default_curve() :: supported_curve()
def default_curve, do: Application.get_env(:archethic, __MODULE__)[:default_curve]

@doc """
Determine if the origin of the key is allowed
This prevent software keys to be used in prod, as we want secure element to prevent malicious nodes
## Examples
iex> Crypto.authorized_key_origin?(<<0::8, 0::8, :crypto.strong_rand_bytes(32)::binary>>, [:tpm])
false
iex> Crypto.authorized_key_origin?(<<0::8, 1::8, :crypto.strong_rand_bytes(32)::binary>>, [:tpm])
true
iex> Crypto.authorized_key_origin?(<<0::8, 0::8, :crypto.strong_rand_bytes(32)::binary>>, [])
true
"""
@spec authorized_key_origin?(key(), list(supported_origin())) :: boolean()
def authorized_key_origin?(<<_::8, origin_id::8, _::binary>>, allowed_key_origins = [_ | _]) do
ID.to_origin(origin_id) in allowed_key_origins
end

def authorized_key_origin?(<<_::8, _::8, _::binary>>, []) do
true
end
end
42 changes: 26 additions & 16 deletions lib/archethic/mining/pending_transaction_validation.ex
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,12 +33,6 @@ defmodule ArchEthic.Mining.PendingTransactionValidation do

require Logger

@validate_connection Application.compile_env(
:archethic,
[__MODULE__, :validate_connection],
false
)

@doc """
Determines if the transaction is accepted into the network
"""
Expand Down Expand Up @@ -121,21 +115,23 @@ defmodule ArchEthic.Mining.PendingTransactionValidation do
previous_public_key: previous_public_key
}) do
with {:ok, ip, port, _, _, key_certificate} <- Node.decode_transaction_content(content),
true <-
Crypto.authorized_key_origin?(previous_public_key, get_allowed_node_key_origins()),
root_ca_public_key <- Crypto.get_root_ca_public_key(previous_public_key),
true <- valid_connection?(@validate_connection, ip, port, previous_public_key),
true <-
Crypto.verify_key_certificate?(
previous_public_key,
key_certificate,
root_ca_public_key
) do
),
true <- valid_connection?(ip, port, previous_public_key) do
:ok
else
:error ->
{:error, "Invalid node transaction's content"}

false ->
{:error, "Invalid node transaction with invalid key certificate"}
{:error, "Invalid node transaction with invalid key / certificate"}
end
end

Expand Down Expand Up @@ -251,6 +247,12 @@ defmodule ArchEthic.Mining.PendingTransactionValidation do

defp do_accept_transaction(_), do: :ok

defp get_allowed_node_key_origins do
:archethic
|> Application.get_env(__MODULE__, [])
|> Keyword.get(:allowed_node_key_origins, [])
end

defp get_first_public_key(tx = %Transaction{previous_public_key: previous_public_key}) do
previous_address = Transaction.previous_address(tx)

Expand All @@ -268,15 +270,23 @@ defmodule ArchEthic.Mining.PendingTransactionValidation do
end
end

defp valid_connection?(true, ip, port, previous_public_key) do
with true <- Networking.valid_ip?(ip),
false <- P2P.duplicating_node?(ip, port, previous_public_key) do
true
defp valid_connection?(ip, port, previous_public_key) do
if should_validate_connection?() do
with true <- Networking.valid_ip?(ip),
false <- P2P.duplicating_node?(ip, port, previous_public_key) do
true
else
_ ->
false
end
else
_ ->
false
true
end
end

defp valid_connection?(false, _, _, _), do: true
defp should_validate_connection? do
:archethic
|> Application.get_env(__MODULE__, [])
|> Keyword.get(:validate_connection, false)
end
end
72 changes: 36 additions & 36 deletions test/archethic/mining/distributed_workflow_test.exs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,8 +42,8 @@ defmodule ArchEthic.Mining.DistributedWorkflowTest do
Enum.each(BeaconChain.list_subsets(), &Registry.register(SubsetRegistry, &1, []))

P2P.add_and_connect_node(%Node{
ip: {127, 0, 0, 1},
port: 3000,
ip: {80, 10, 20, 102},
port: 3001,
first_public_key: Crypto.first_node_public_key(),
last_public_key: Crypto.last_node_public_key(),
authorized?: true,
Expand All @@ -58,8 +58,8 @@ defmodule ArchEthic.Mining.DistributedWorkflowTest do
{pub, _} = Crypto.generate_deterministic_keypair("seed")

P2P.add_and_connect_node(%Node{
ip: {127, 0, 0, 1},
port: 3000,
ip: {80, 10, 20, 102},
port: 3002,
first_public_key: pub,
last_public_key: pub,
authorized?: true,
Expand All @@ -76,7 +76,7 @@ defmodule ArchEthic.Mining.DistributedWorkflowTest do
tx =
Transaction.new(:node, %TransactionData{
content:
<<127, 0, 0, 1, 3000::16, 1, 0, 16, 233, 156, 172, 143, 228, 236, 12, 227, 76, 1, 80,
<<80, 10, 20, 102, 3000::16, 1, 0, 16, 233, 156, 172, 143, 228, 236, 12, 227, 76, 1, 80,
12, 236, 69, 10, 209, 6, 234, 172, 97, 188, 240, 207, 70, 115, 64, 117, 44, 82, 132,
186, byte_size(certificate)::16, certificate::binary>>
})
Expand Down Expand Up @@ -158,7 +158,7 @@ defmodule ArchEthic.Mining.DistributedWorkflowTest do
)

welcome_node = %Node{
ip: {127, 0, 0, 1},
ip: {80, 10, 20, 102},
port: 3005,
first_public_key: "key1",
last_public_key: "key1",
Expand Down Expand Up @@ -188,8 +188,8 @@ defmodule ArchEthic.Mining.DistributedWorkflowTest do
test "should aggregate context and wait enough confirmed validation nodes context building",
%{tx: tx, sorting_seed: sorting_seed} do
P2P.add_and_connect_node(%Node{
ip: {127, 0, 0, 1},
port: 3000,
ip: {80, 10, 20, 102},
port: 3006,
last_public_key: "other_validator_key",
first_public_key: "other_validator_key",
authorized?: true,
Expand All @@ -202,8 +202,8 @@ defmodule ArchEthic.Mining.DistributedWorkflowTest do
})

P2P.add_and_connect_node(%Node{
ip: {127, 0, 0, 1},
port: 3000,
ip: {80, 10, 20, 102},
port: 3007,
last_public_key: "other_validator_key2",
first_public_key: "other_validator_key2",
authorized?: true,
Expand Down Expand Up @@ -240,7 +240,7 @@ defmodule ArchEthic.Mining.DistributedWorkflowTest do
end)

welcome_node = %Node{
ip: {127, 0, 0, 1},
ip: {80, 10, 20, 102},
port: 3005,
first_public_key: "key1",
last_public_key: "key1",
Expand All @@ -257,8 +257,8 @@ defmodule ArchEthic.Mining.DistributedWorkflowTest do

previous_storage_nodes = [
%Node{
ip: {127, 0, 0, 1},
port: 3000,
ip: {80, 10, 20, 102},
port: 3006,
first_public_key: "key10",
last_public_key: "key10",
authorized?: true,
Expand All @@ -267,8 +267,8 @@ defmodule ArchEthic.Mining.DistributedWorkflowTest do
network_patch: "AAA"
},
%Node{
ip: {127, 0, 0, 1},
port: 3002,
ip: {80, 10, 20, 102},
port: 3007,
first_public_key: "key23",
last_public_key: "key23",
authorized?: true,
Expand Down Expand Up @@ -333,7 +333,7 @@ defmodule ArchEthic.Mining.DistributedWorkflowTest do
end)

welcome_node = %Node{
ip: {127, 0, 0, 1},
ip: {80, 10, 20, 102},
port: 3005,
first_public_key: "key1",
last_public_key: "key1",
Expand All @@ -352,8 +352,8 @@ defmodule ArchEthic.Mining.DistributedWorkflowTest do

previous_storage_nodes = [
%Node{
ip: {127, 0, 0, 1},
port: 3000,
ip: {80, 10, 20, 102},
port: 3006,
first_public_key: "key10",
last_public_key: "key10",
reward_address: :crypto.strong_rand_bytes(32),
Expand All @@ -363,8 +363,8 @@ defmodule ArchEthic.Mining.DistributedWorkflowTest do
network_patch: "AAA"
},
%Node{
ip: {127, 0, 0, 1},
port: 3002,
ip: {80, 10, 20, 102},
port: 3007,
first_public_key: "key23",
last_public_key: "key23",
reward_address: :crypto.strong_rand_bytes(32),
Expand Down Expand Up @@ -410,8 +410,8 @@ defmodule ArchEthic.Mining.DistributedWorkflowTest do
{pub, _} = Crypto.generate_deterministic_keypair("seed3")

P2P.add_and_connect_node(%Node{
ip: {127, 0, 0, 1},
port: 3000,
ip: {80, 10, 20, 102},
port: 3008,
last_public_key: pub,
first_public_key: pub,
authorized?: true,
Expand Down Expand Up @@ -458,7 +458,7 @@ defmodule ArchEthic.Mining.DistributedWorkflowTest do
end)

welcome_node = %Node{
ip: {127, 0, 0, 1},
ip: {80, 10, 20, 102},
port: 3005,
first_public_key: "key1",
last_public_key: "key1",
Expand All @@ -485,8 +485,8 @@ defmodule ArchEthic.Mining.DistributedWorkflowTest do

previous_storage_nodes = [
%Node{
ip: {127, 0, 0, 1},
port: 3000,
ip: {80, 10, 20, 102},
port: 3006,
first_public_key: "key10",
last_public_key: "key10",
reward_address: :crypto.strong_rand_bytes(32),
Expand All @@ -496,8 +496,8 @@ defmodule ArchEthic.Mining.DistributedWorkflowTest do
network_patch: "AAA"
},
%Node{
ip: {127, 0, 0, 1},
port: 3002,
ip: {80, 10, 20, 102},
port: 3007,
first_public_key: "key23",
last_public_key: "key23",
reward_address: :crypto.strong_rand_bytes(32),
Expand Down Expand Up @@ -639,8 +639,8 @@ defmodule ArchEthic.Mining.DistributedWorkflowTest do
end)

P2P.add_and_connect_node(%Node{
ip: {127, 0, 0, 1},
port: 3000,
ip: {80, 10, 20, 102},
port: 3006,
last_public_key: "key10",
first_public_key: "key10",
network_patch: "AAA",
Expand All @@ -653,8 +653,8 @@ defmodule ArchEthic.Mining.DistributedWorkflowTest do
})

P2P.add_and_connect_node(%Node{
ip: {127, 0, 0, 1},
port: 3000,
ip: {80, 10, 20, 102},
port: 3007,
last_public_key: "key23",
first_public_key: "key23",
network_patch: "AAA",
Expand All @@ -667,7 +667,7 @@ defmodule ArchEthic.Mining.DistributedWorkflowTest do
})

welcome_node = %Node{
ip: {127, 0, 0, 1},
ip: {80, 10, 20, 102},
port: 3005,
first_public_key: "key1",
last_public_key: "key1",
Expand All @@ -694,17 +694,17 @@ defmodule ArchEthic.Mining.DistributedWorkflowTest do

previous_storage_nodes = [
%Node{
ip: {127, 0, 0, 1},
port: 3000,
ip: {80, 10, 20, 102},
port: 3007,
first_public_key: "key10",
last_public_key: "key10",
reward_address: :crypto.strong_rand_bytes(32),
authorized?: true,
authorization_date: DateTime.utc_now()
},
%Node{
ip: {127, 0, 0, 1},
port: 3002,
ip: {80, 10, 20, 102},
port: 3008,
first_public_key: "key23",
last_public_key: "key23",
reward_address: :crypto.strong_rand_bytes(32),
Expand Down
Loading