adds parity_verifySignature RPC method

[seunlanlege]

Closes #7009

[parity-cla-bot]

It looks like @seunlanlege signed our Contributor License Agreement. 👍

Many thanks,

Parity Technologies CLA Bot

[niklasad1]

this file doesn't exist change it to mod signature or change the file name itself?

[niklasad1]

Needless into()

[tomusdrw]

Looks promising, but would be nice to re-use existing methods.

[tomusdrw]

Message is pre-maturely casted to H256, it should be just keccaked without prefix.

[seunlanlege]

did not think of this 😅

[tomusdrw]

You can re-use: https://github.com/paritytech/parity-ethereum/blob/2177a0179e67717adfb7b00e7fddc59df6cfa8f4/rpc/src/v1/helpers/dispatch.rs#L243

[seunlanlege]

thanks!

[tomusdrw]

The method should support chain replay protected signatures with chain_id encoded in the value of v.

[seunlanlege]

I'm pretty sure this is wrong

[niklasad1]

Since you are not using the message after you have computed the hash the clone seems needless!

Consider:
let hash = if is_prefixed { eth_data_hash(message.0) } else { keccak(message.0) };

Also I think keccak supports slices so should be possible to pass-by-reference too!

[niklasad1]

space after comma 😸

[seunlanlege]

@tomusdrw @niklasad1 i think this is ready to be merged

[niklasad1]

this can still overflow if chain_id*2 is bigger than v-35 (maybe only theoretical but still ...)

Consider to use saturating_sub/checked_sub and saturated_mul for this use-case instead!

EDIT:
for example v.saturating_sub(35).saturating_sub(chain_id.saturating_mul(2)) < 2

[seunlanlege]

not sure why we need saturating_mul with chain_id, isn't it supposed to be a compile-time constant?

[niklasad1]

sorry to nag but please remove clone() here 🥇

[niklasad1]

Minor things to address, see comments below

[niklasad1]

@seunlanlege

this if expression is unnecessary now so remove it and return false from the match instead 👍

Also I would prefer if you can perform saturated_mul on chain_id * 2 because it can also overflow sorry if I was unclear

[tomusdrw]

Should be just (signature.v().checked_sub(35) / 2) as u64 == chain_id - it's simpler, doesn't overflow and does not require matching 0 and 1.
Also if chain_id.is_none() the signature is valid if it's not replay-protected (currently we return false).

BTW This function needs tests, we should also clearly document what format of signature we expect here. (I know there is one RPC test for this, but we should just test this function with different signatures to make sure to cover all branches and that replay protection part works correctly)
Note that signature in transaction is actually using u64 + U256 + U256 to store the replay protection, we later remove replay protection (subtract and divide) and convert the entire signature to H520.
So the fact that we require replay protection to fit to u8 when submitted over RPC limits the number of chain_ids one can safely use for this scheme.

[tomusdrw]

To make it clear: have a look at ec_recover method that we have in personal namespace.
It expects signature in electrum notation and doesn't handle replay protection (I think replay protection is not implemented for prefixed signing (i.e. eth_sign - please check)).
This method should work exactly like ec_recover for prefixed data, but for non-prefixed data (i.e. transaction hash) we might consider checking replay-protection (but then we need to change the input type to something else than H520) or we need to clearly state that the signature should be passed in electrum format.

[tomusdrw]

Move to other v1::types imports

[tomusdrw]

Why do we return RichBasicAccount if extra_info is always empty?

[tomusdrw]

missing trailing comma & docs

[tomusdrw]

New files need a preamble, but I think it would be much better to add the tests in the same file as the function-under-test. Just add #[cfg(test)] mod tests { and put the content there.

[tomusdrw]

Test in a current form is pretty unreadable - I think it would be way better to avoid passing so many bools and numbers without some additional description.
I think the setup should only be producing the signature, the assertion and call to verify_signature should be inlined and duplicated in every test, like this:

#[test]
fn test_verify_signature_not_prefixed_mainnet() {
  let should_prefix = true;
  let data = vec![5u8];
  let chain_id = Some(1);
  let (address, v, r, s) = sign(should_prefix, &data, chain_id);

  let account = verify_signature(should_prefix, &data, v, r, s, chain_id).unwrap();

  assert_eq!(account.inner.address, address);
  assert_eq!(account.inner.is_valid_for_current_chain, true);
}

IMHO that would really help readability/understandability of the test. If you want to keep the de-duplication, then consider using this:

#[test]
fn test_verify_signature_not_prefixed_mainnet() {
  run_test(TestCase {
    should_prefix: true,
    signing_chain_id: Some(1),
    rpc_chain_id: Some(1),
    is_valid_for_current_chain: true,
  });
}

[tomusdrw]

In RPC we only use non hex-encoded numbers for indices/limits. For constistency this should be U64 type (hex-encoded ser/de)

[tomusdrw]

I still don't understand why we need RichBasicAccount here, if we don't pass any "rich" data. Just return the BasicAccount and get rid of the to_rich_struct helper func.

[tomusdrw]

👌

[5chdn]

Please, rebase on master

[dvdplm]

Need docs (anything pub does). Consider moving params to own lines as well, and perhaps use the rsv order to make it clearer what the params are?

[dvdplm]

Funny whitespace here. Either put it all on one line or both arms on own lines.

[dvdplm]

Can you help me understand what is going on here?

[seunlanlege]

if there's no chain_id, then v must either be 1/0 to be a valid for the current chain.
otherwise, if there's a chain_id and v > 36; (37 is the lowest value, where v = 0, chain_id = 1)
we check if the encoded chain_id is valid for the current chain.

(v - 35) / 2 == chain_id

[niklasad1]

This is related to extract to chain_id and remove the replay protection right?

This code is hard to read, can you add an inline comment to refer to EIP 155 and perhaps add a one-liner function named remove_replay_protection or something similar?

Also, I think it should be v >= 35 to support chain_id 0

[dvdplm]

I'd prefer let (r, s, v) = … for consistency with other code, e.g. from_rsv()

[dvdplm]

The docs here are a bit…short? I don't see the params being documented, but perhaps you'll address that in a separate PR? Maybe something like: "/// Extracts Address and public key from signature using the r, s and v params. Equivalent to Solidity erecover"?

[dvdplm]

Do we really need all these derives? It's hard to tell from the code in this PR if that is the case. Thanks!

[dvdplm]

Good docs on this type; would be great if you could fix the line lengths and start all sentences with a capital letter.

[dvdplm]

Would be great with some module docs here; I think these types are all return types for RPC calls? If so, perhaps "Return types for RPC calls" is enough.

[5chdn]

@dvdplm Can you have a look at this one again?

David can't review at the moment

[5chdn]

Happy to merge this if you could resolve the conflicts again