wallet-0.3.4
Paired security patch release with sdk-0.8.2. Must be installed together — bsv-wallet 0.3.4 now pins its bsv-sdk dependency to >= 0.8.2, < 1.0, so installing this gem will pull in bsv-sdk 0.8.2 automatically.
Headline
Credential forgery fix. Before this release, acquire_certificate persisted user-supplied certificate fields to storage without verifying the certifier's signature. A caller could pass any value in args[:signature] and list_certificates / prove_certificate would later treat the record as authentic.
Security advisory: GHSA-hc36-c89j-5f4j (F8.15 / F8.16 partial — CWE-347, CVSS 8.1 HIGH). Draft until CVE ID returns from MITRE.
What changed
F8.15 — acquire_certificate signature verification
Both the 'direct' and 'issuance' acquisition paths now run BRC-52 signature verification against the canonical preimage before persisting, via the new BSV::Wallet::CertificateSignature module. The module builds the BRC-52 canonical preimage (matching the TypeScript reference Certificate#toBinary(false) byte-for-byte) and delegates to ProtoWallet#verify_signature with:
- protocol_id: [2, 'certificate signature']
- key_id: "<type> <serialNumber>"
- counterparty: certifier_pubkey_hex
Invalid certificates raise BSV::Wallet::CertificateSignature::InvalidError and are not persisted.
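The verify-before-persist shape described above, as an added example that is not the gem's own code. It uses plain ECDSA over prime256v1 from Ruby's OpenSSL and a simplified length-prefixed preimage as stand-ins for ProtoWallet#verify_signature and the BRC-52 canonical preimage; every method and constant name is hypothetical and the certificates are constructed.

```ruby
require 'openssl'

# Hypothetical names throughout; constructed sample data.
class InvalidCertificate < StandardError; end

# Simplified canonical preimage: each signed value length-prefixed, certificate
# fields sorted by name. A stand-in, NOT the BRC-52 byte layout.
def preimage(cert)
  parts = [cert[:type], cert[:serial_number], cert[:subject], cert[:certifier]]
  cert[:fields].sort_by { |k, _| k.to_s }.each { |k, v| parts << k.to_s << v.to_s }
  parts.map { |s| [s.bytesize].pack('N') + s.b }.join
end

def signature_valid?(cert, key)
  key.verify(OpenSSL::Digest.new('SHA256'), cert[:signature].to_s, preimage(cert))
rescue OpenSSL::PKey::PKeyError
  false # malformed signature bytes count as invalid
end

# Pre-fix shape: whatever the caller supplies is stored and later trusted.
def acquire_unverified(store, cert)
  store << cert
end

# Post-fix shape: verify against the declared certifier before persisting.
def acquire_verified(store, cert, trusted_keys)
  key = trusted_keys[cert[:certifier]]
  raise InvalidCertificate, 'bad certifier signature' unless key && signature_valid?(cert, key)

  store << cert
end

def issue(key, attrs)
  attrs.merge(signature: key.sign(OpenSSL::Digest.new('SHA256'), preimage(attrs)))
end

CERTIFIER_KEY = OpenSSL::PKey::EC.generate('prime256v1') # stand-in curve and scheme
TRUSTED = { 'certifier-1' => CERTIFIER_KEY }.freeze
BASE = { type: 'age-check', serial_number: '0001', subject: 'alice',
         certifier: 'certifier-1', fields: { over_18: 'true' } }.freeze
GENUINE  = issue(CERTIFIER_KEY, BASE)
FORGED   = BASE.merge(signature: 'anything')                          # arbitrary bytes
TAMPERED = GENUINE.merge(fields: { over_18: 'true', admin: 'true' })  # field added after signing
```

Because the fields are part of the preimage, a record whose fields change after signing is rejected the same way as one with an arbitrary signature.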
F8.16 partial closure
The F8.16 review finding flagged two issues with acquire_via_issuance: (a) the ad-hoc HTTP transport, and (b) that it also stored unverified signatures. Aspect (b) is closed in this release — both acquisition paths verify. Aspect (a) — switching to BRC-104 AuthFetch with BRC-103-signed requests — remains deferred to the Phase 8 architectural epic.
Gemspec dependency tightened
bsv-wallet.gemspec previously declared spec.add_dependency 'bsv-sdk', '~> 0.4', which allowed bsv-sdk 0.4.x–0.9.x. This was stale (wallet hadn't been tested against anything below 0.8.x in months) and hazardous (a user installing bsv-wallet 0.3.4 against an old bsv-sdk would silently miss the F1.3 and F5.13 bsv-sdk security fixes).
Now: '>= 0.8.2', '< 1.0'. Un-breaking fix — forces users to the known-good pair rather than a silently-broken combination.
Migration
- Callers of `acquire_certificate` with a fake or untrusted `signature:` field will now see `BSV::Wallet::CertificateSignature::InvalidError`. Ensure the certificate has been properly signed by the declared certifier.
- Existing `bsv-wallet` users pinned to `bsv-sdk ~> 0.4` will need to relax their constraint or upgrade. Anything installed before `bsv-wallet 0.3.4` is vulnerable to the F8.15 credential forgery primitive.
BRC-52 signing reference
Since Ruby's ProtoWallet#create_signature defaults to counterparty: 'self' (unlike TS which defaults to 'anyone' for createSignature specifically), Ruby consumers producing BRC-52 certificate signatures must pass counterparty: 'anyone' explicitly:
```ruby
# type and serial_number are the certificate's type and serialNumber values
# that make up the key_id ("<type> <serialNumber>").
preimage = BSV::Wallet::CertificateSignature.serialise_preimage(cert_hash)
sig = certifier_wallet.create_signature({
  data: preimage.unpack('C*'),
  protocol_id: [2, 'certificate signature'],
  key_id: "#{type} #{serial_number}",
  counterparty: 'anyone' # must be explicit: the Ruby default is 'self'
})
```

A follow-up release (bsv-wallet 0.4.0, part of the 0.9.0 paired release) will flip Ruby's default to match TS — tracked as finding P305.1.
See CHANGELOG.md for the full changelog.
Install: `gem install bsv-wallet -v 0.3.4` (will automatically pull in bsv-sdk 0.8.2)