diff --git a/Cargo.lock b/Cargo.lock
index f3d1abe3..0b769e23 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1539,7 +1539,6 @@ dependencies = [
 "ic-verify-bls-signature",
 "lazy_static",
 "leb128",
- "nom",
 "parking_lot",
 "rand 0.8.5",
 "rand_chacha 0.3.1",
diff --git a/packages/ic-asset-certification/tests/large_assets.rs b/packages/ic-asset-certification/tests/large_assets.rs
index b76ee69a..44142f9f 100644
--- a/packages/ic-asset-certification/tests/large_assets.rs
+++ b/packages/ic-asset-certification/tests/large_assets.rs
@@ -26,7 +26,7 @@ fn should_certify_long_asset_chunkwise(
 ) {
 let current_time = get_current_timestamp();
 let canister_id = create_canister_id("rdmx6-jaaaa-aaaaa-aaadq-cai");
- let req_url = format!("/{}", ASSET_ONE_NAME);
+ let req_url = format!("/{ASSET_ONE_NAME}");
 let mut asset_router = AssetRouter::default();
 let assets = [Asset::new(ASSET_ONE_NAME, asset_one_body)];
@@ -107,7 +107,7 @@ fn should_certify_long_asset_chunkwise(
 let chunk_two_req = HttpRequest::get(&req_url)
 .with_headers(vec![(
 "range".to_string(),
- format!("bytes={}-", ASSET_CHUNK_SIZE),
+ format!("bytes={ASSET_CHUNK_SIZE}-"),
 )])
 .build();
 let chunk_two_res = asset_router
diff --git a/packages/ic-certificate-verification/Cargo.toml b/packages/ic-certificate-verification/Cargo.toml
index 180f36bc..9f2cacaa 100644
--- a/packages/ic-certificate-verification/Cargo.toml
+++ b/packages/ic-certificate-verification/Cargo.toml
@@ -22,13 +22,12 @@ homepage.workspace = true
 [dependencies]
 candid.workspace = true
-nom.workspace = true
 thiserror.workspace = true
 leb128.workspace = true
-cached.workspace = true
+cached = { workspace = true, optional = true }
 sha2.workspace = true
-lazy_static.workspace = true
-parking_lot.workspace = true
+lazy_static = { workspace = true, optional = true }
+parking_lot = { workspace = true, optional = true }
 ic-certification = { workspace = true }
 ic-cbor.workspace = true
@@ -41,3 +40,7 @@ rand.workspace = true
 rand_chacha.workspace = true
 ic-types.workspace = true
+
+[features]
+default = ["signature_cache"]
+signature_cache = ["dep:cached", "dep:lazy_static", "dep:parking_lot"]
diff --git a/packages/ic-certificate-verification/src/signature_verification/mod.rs b/packages/ic-certificate-verification/src/signature_verification/mod.rs
index f0911e70..e6d27d75 100644
--- a/packages/ic-certificate-verification/src/signature_verification/mod.rs
+++ b/packages/ic-certificate-verification/src/signature_verification/mod.rs
@@ -1,20 +1,23 @@
-use self::signature_cache::{SignatureCache, SignatureCacheEntry};
 use crate::CertificateVerificationError;
 use ic_verify_bls_signature::verify_bls_signature;
+#[cfg(feature = "signature_cache")]
 mod signature_cache;
-#[cfg(test)]
+#[cfg(all(test, feature = "signature_cache"))]
 mod reproducible_rng;
-#[cfg(test)]
+#[cfg(all(test, feature = "signature_cache"))]
 mod tests;
+#[cfg(feature = "signature_cache")]
 pub fn verify_signature(
 pk: &[u8],
 sig: &[u8],
 msg: &[u8],
 ) -> Result<(), CertificateVerificationError> {
+ use self::signature_cache::{SignatureCache, SignatureCacheEntry};
+
 let entry = SignatureCacheEntry::new(pk, sig, msg);
 if SignatureCache::global().contains(&entry) {
@@ -28,3 +31,13 @@ pub fn verify_signature(
 SignatureCache::global().insert(&entry);
 Ok(())
 }
+
+#[cfg(not(feature = "signature_cache"))]
+pub fn verify_signature(
+ pk: &[u8],
+ sig: &[u8],
+ msg: &[u8],
+) -> Result<(), CertificateVerificationError> {
+ verify_bls_signature(sig, msg, pk)
+ .map_err(|_| CertificateVerificationError::SignatureVerificationFailed)
+}
diff --git a/packages/ic-certificate-verification/src/signature_verification/tests.rs b/packages/ic-certificate-verification/src/signature_verification/tests.rs
index f857127b..1f43ffd2 100644
--- a/packages/ic-certificate-verification/src/signature_verification/tests.rs
+++ b/packages/ic-certificate-verification/src/signature_verification/tests.rs
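Review bot: Gating `mod tests` on `all(test, feature = "signature_cache")` in the first `signature_verification/mod.rs` hunk leaves the `#[cfg(not(feature = "signature_cache"))]` variant of `verify_signature` (added in the following hunk) with no test in this module when the crate is built with `--no-default-features`. In a cache-less build that variant is the whole signature check, so I would add a test under `#[cfg(all(test, not(feature = "signature_cache")))]` asserting that an arbitrary triple is rejected, e.g. `assert!(verify_signature(&[1u8; 96], &[2u8; 48], &[3u8; 32]).is_err());`. CI should also run the test suite for both feature sets if it does not already. The cached function's body continues outside this hunk.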
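Review bot: The uncached `verify_signature` added in the second `mod.rs` hunk has no doc comment, and neither does the cached variant, although the same public name now behaves differently depending on a Cargo feature. I would add `/// Verifies the BLS signature on every call; compiled when the signature_cache feature is disabled.` above the new function. The cached variant deserves a matching `///` line saying that a triple already present in the process-global cache is accepted without re-running BLS verification, as the new test's comment in `tests.rs` describes. A short why-comment on `verify_bls_signature(sig, msg, pk)` noting that its argument order differs from this function's `(pk, sig, msg)` would also help the next reader.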
@@ -2,6 +2,7 @@ use super::signature_cache::SignatureCacheEntry;
 use crate::signature_verification::{
 reproducible_rng::reproducible_rng,
 signature_cache::{SignatureCache, SignatureCacheStatistics},
+ verify_signature,
 };
 use rand::RngCore;
@@ -83,6 +84,21 @@ fn should_have_signature_cache_behave_like_a_lru_cache() {
 }
 }
+#[test]
+fn verify_signature_uses_cache_for_known_entries() {
+ // Pre-populate the global cache with inputs that are not valid BLS signatures.
+ // If the signature_cache feature gate is correctly applied, verify_signature
+ // returns Ok() on a cache hit without ever calling the BLS verifier.
+ // If the cfg gates are wrong and the uncached path is compiled instead,
+ // this test will fail with SignatureVerificationFailed.
+ let pk = [1u8; 96];
+ let sig = [2u8; 48];
+ let msg = [3u8; 32];
+
+ SignatureCache::global().insert(&SignatureCacheEntry::new(&pk, &sig, &msg));
+ assert!(verify_signature(&pk, &sig, &msg).is_ok());
+}
+
 #[test]
 fn should_have_signature_cache_update_lru_status_after_cache_hit() {
 let cache_size = 3;
diff --git a/packages/ic-response-verification-tests/src/rust-tests/src/main.rs b/packages/ic-response-verification-tests/src/rust-tests/src/main.rs
index 8353a800..7e4cab56 100644
--- a/packages/ic-response-verification-tests/src/rust-tests/src/main.rs
+++ b/packages/ic-response-verification-tests/src/rust-tests/src/main.rs
@@ -24,17 +24,14 @@ fn get_current_time() -> u128 {
 }
 fn read_file(file_path: &str) -> Result> {
- let path = format!(
- "packages/ic-response-verification-tests/src/frontend/{}",
- file_path
- );
+ let path = format!("packages/ic-response-verification-tests/src/frontend/{file_path}");
 match fs::read(path.clone()) {
 Ok(file) => {
- println!("Read file: {}", path);
+ println!("Read file: {path}");
 Ok(file)
 }
 Err(e) => {
- println!("Error reading file: {e} from {path}");
+ println!("Error reading file: {e} from {path}");
 Err(e.into())
 }
 }
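Review bot: `verify_signature_uses_cache_for_known_entries` in `signature_verification/tests.rs` asserts only the cache-hit path, so it would still pass if `verify_signature` returned `Ok(())` for every input. Adding the negative counterpart on a triple that was never inserted, e.g. `assert!(verify_signature(&pk, &[4u8; 48], &msg).is_err());`, would pin that a cache miss still goes through the BLS verifier. The test also leaves a deliberately invalid triple in `SignatureCache::global()` for the rest of the test binary; if another test reads the global cache's size or statistics this could make results order-dependent, though those tests are not visible in this hunk.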