-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[crypto & al] Direct signing/verification for values #4846
Conversation
d98cbbc
to
c433e8b
Compare
☔ The latest upstream changes (presumably 7aa3450) made this pull request unmergeable. Please resolve the merge conflicts. |
274cf65
to
2d47094
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just random questions for my own understanding and a few minor comments.
1f5bb66
to
1a06510
Compare
The strategy that underpins this is: - armoring serialization, as in diem#4250 - acknowledging signing is a bad place to recover from a serialization error.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The new API is very nice. Thanks for the changes!
) -> Result<Self::SignatureMaterial, CryptoMaterialError>; | ||
/// Note: this assumes serialization is unfaillible. See libra_common::lcs::ser | ||
/// for a discussion of this assumption. | ||
fn sign<T: CryptoHash + Serialize>(&self, message: &T) -> Self::SignatureMaterial; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yay!
@huitseeker Can you update the swiss-knife README.md before you land? |
This uses the new functionality to sign/verify any struct that implements libra_crypto::hash::CryptoHash + serde::ser::Serialize directly. Note that it makes the semantics of e.g. client/swiss-knife ambiguous, as the deserialization of a payload into an unknown type offered by this API is impossible: the new APis need to know (and use) the type to figure out the prefix that should be applied in signing that struct. `#[allow(deprecated)]` has been introduced in every place the old functionality needed to be maintained.
We want to reduce the uncertainty on how to sign/verify in Libra=> let's not leave those around.
- verify_struct_msg -> verify - batch_verify_struct_signatures -> batch_verify - batch_verify_aggregated_struct_signature -> batch_verify_aggregated_signatures
@bors-libra r=ankushagarwal |
📌 Commit bd6c45d has been approved by |
Closes: #4846 Approved by: ankushagarwal
This uses the new functionality to sign/verify any struct that implements libra_crypto::hash::CryptoHash + serde::ser::Serialize directly. Note that it makes the semantics of e.g. client/swiss-knife ambiguous, as the deserialization of a payload into an unknown type offered by this API is impossible: the new APis need to know (and use) the type to figure out the prefix that should be applied in signing that struct. `#[allow(deprecated)]` has been introduced in every place the old functionality needed to be maintained. Closes: #4846 Approved by: ankushagarwal
We want to reduce the uncertainty on how to sign/verify in Libra=> let's not leave those around. Closes: #4846 Approved by: ankushagarwal
Closes: #4846 Approved by: ankushagarwal
Closes: #4846 Approved by: ankushagarwal
- verify_struct_msg -> verify - batch_verify_struct_signatures -> batch_verify - batch_verify_aggregated_struct_signature -> batch_verify_aggregated_signatures Closes: #4846 Approved by: ankushagarwal
Closes: #4846 Approved by: ankushagarwal
Cluster Test Result
Repro cmd:
|
☀️ Test successful - checks-actions_land_blocking_test, checks-circle_commit_workflow |
What this does
We used to do:
Now we do:
Throughout the code base.
Why was it this way?
Long story short: domain separation & weaknesses in serialization engine. We bypassed serialization (which was ambiguous, as of a while ago) and had a very specific way of constructing a hash value, which was
sha3(sha3(domain_separation_bytes) || serialized_object_bytes)
, and then you signed thatHashValue
. Seelibra_crypto::hash::CryptoHasher
for the domain separation details.What are the signed bytes now?
We automatically derive them for you, but they're
sha3(domain_separation_bytes) || serialized_object_bytes
.So signing is handled for existing
struct
s. What do I do if I want to defineMyFancyStruct
?Is this in specs?
It's upcoming. The older signing/verification isn't there yet.
Why is this better?
It's simpler and more secure (you might pass the wrong hash in code, it's even a crypto gotcha).
Why is this worse?
Serialization is now on the critical path for signing / verification operations, which are exposed as infallible. Serialization can fail in some edge cases, so now they can panic. There's no clean way of recovering from this sort situation, but we are committed to and have a plan to push serialization failures into a never-visited corner (see e.g. #4928).
What's left?
See above re:spec. It's my very next item.