Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: update certificate checking if disable_range_check is set #378

Closed
wants to merge 17 commits into from
Closed

fix: update certificate checking if disable_range_check is set #378

wants to merge 17 commits into from

Conversation

mraszyk
Copy link
Contributor

@mraszyk mraszyk commented Aug 26, 2022
edited

The disable_range_check condition should check that the call is to the Management Canister, not to an application canister offering a method with the name provisional_canister_create_with_cycles.

Moreover, the certification validation should follow the updated Interface Spec.

@mraszyk mraszyk requested a review from a team as a code owner August 26, 2022 22:01
ericswanson-dfinity
ericswanson-dfinity requested changes Aug 26, 2022
View reviewed changes
ic-agent/src/agent/mod.rs Outdated Show resolved Hide resolved
@mraszyk @ericswanson-dfinity
Update ic-agent/src/agent/mod.rs
686a02d 
Co-authored-by: Eric Swanson <64809312+ericswanson-dfinity@users.noreply.github.com>
@mraszyk mraszyk marked this pull request as draft August 30, 2022 17:27
mraszyk
mraszyk commented Aug 30, 2022
View reviewed changes
ic-agent/src/agent/mod.rs Outdated Show resolved Hide resolved
@mraszyk mraszyk marked this pull request as ready for review August 30, 2022 21:30
@mraszyk mraszyk changed the title fix disable_range_check condition fix: update certificate checking if disable_range_check is set Aug 31, 2022
@sesi200
Copy link
Contributor

sesi200 commented Sep 6, 2022

@mraszyk any chance you can document this code better somehow? I have a really hard time understanding what happens for what reason

@mraszyk
Copy link
Contributor Author

mraszyk commented Sep 6, 2022

@sesi200 Absolutely, I'll add more comments into the code. Ultimately, the goal is to make the agent compliant with this part of the spec.

ericswanson-dfinity
ericswanson-dfinity requested changes Sep 14, 2022
View reviewed changes
ic-agent/src/agent/mod.rs
for p in paths {
if !(p == vec![t.clone()] || p[0] == rs) {
// the path has neither the form /time nor /request_status/*
return Err(AgentError::CertificateVerificationFailed());
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Up until now, the CertificateVerificationFailed error referred to a specific cause: bls::core_verify() returned something other than BLS_OK, meaning the certificate signature didn't match the expected value.

I think it would be helpful to someone diagnosing these errors if we introduced a new error type, CertificateVerificationRejected(reason), where reason is an enumeration that gives more information about the reason for the rejection of the certificate. What do you think?

@mraszyk mraszyk marked this pull request as draft September 21, 2022 09:15
@mraszyk
Copy link
Contributor Author

mraszyk commented Oct 17, 2022

Superseded by this PR.

@mraszyk mraszyk closed this Oct 17, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ericswanson-dfinity ericswanson-dfinity ericswanson-dfinity requested changes

@sesi200 sesi200 sesi200 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@mraszyk @sesi200 @ericswanson-dfinity