Harden cross-version join: Handle non-monotonicity of presence of COSE signatures (#7010)

Co-authored-by: Amaury Chamayou <amchamay@microsoft.com>

Author: eddyashton

src/kv/deserialise.h

@@ -148,7 +148,7 @@ namespace ccf::kv
 
         if (history)
         {
-          if (!history->verify_root_signatures())
+          if (!history->verify_root_signatures(version))
           {
             LOG_FAIL_FMT("Failed to deserialise");
             LOG_DEBUG_FMT(

src/kv/kv_types.h

@@ -400,7 +400,7 @@ namespace ccf::kv
     };
 
     virtual ~TxHistory() {}
-    virtual bool verify_root_signatures() = 0;
+    virtual bool verify_root_signatures(ccf::kv::Version version) = 0;
     virtual void try_emit_signature() = 0;
     virtual void emit_signature() = 0;
     virtual ccf::crypto::Sha256Hash get_replicated_state_root() = 0;

src/node/history.h

@@ -153,7 +153,7 @@ namespace ccf
       version++;
     }
 
-    bool verify_root_signatures() override
+    bool verify_root_signatures(ccf::kv::Version v) override
     {
       return true;
     }
@@ -772,7 +772,7 @@ namespace ccf
         term_of_next_version};
     }
 
-    bool verify_root_signatures() override
+    bool verify_root_signatures(ccf::kv::Version version) override
     {
       auto tx = store.create_read_only_tx();
 
@@ -801,6 +801,23 @@ namespace ccf
         return true;
       }
 
+      // Since COSE signatures have not always been emitted, it is possible in a
+      // mixed-service to see an _old_ COSE signature (by reading from the KV)
+      // that does not refer to the _current root_. When this occurs
+      // version_of_previous_write will not match the version at which we're
+      // verifying.
+      const auto cose_sig_version =
+        cose_signatures->get_version_of_previous_write();
+      if (cose_sig_version.has_value() && cose_sig_version.value() != version)
+      {
+        LOG_INFO_FMT(
+          "Non-monotonic presence of COSE signatures - had one at {} but none "
+          "at {}",
+          cose_sig_version.value(),
+          version);
+        return true;
+      }
+
       auto service = tx.template ro<ccf::Service>(Tables::SERVICE);
       auto service_info = service->get();
 

tests/recovery.py

@@ -13,7 +13,7 @@
 import subprocess
 import json
 from infra.runner import ConcurrentRunner
-from distutils.dir_util import copy_tree
+from distutils.dir_util import remove_tree, copy_tree
 from infra.consortium import slurp_file
 import infra.health_watcher
 import time
@@ -536,8 +536,9 @@ def test_recover_service_from_files(
         os.path.dirname(os.path.realpath(__file__)), "testdata", directory
     )
 
-    old_common = os.path.join(service_dir, "common")
     new_common = infra.network.get_common_folder_name(args.workspace, args.label)
+    remove_tree(new_common)
+    old_common = os.path.join(service_dir, "common")
     copy_tree(old_common, new_common)
 
     network = infra.network.Network(args.nodes, args.binary_dir)
@@ -1078,16 +1079,26 @@ def run(args):
                     ), f"{service_status} service at seqno {seqno} did not start a new ledger chunk (started at {chunk_start_seqno})"
 
     test_recover_service_from_files(
-        args, "expired_service", expected_recovery_count=2, test_receipt=True
+        args, directory="expired_service", expected_recovery_count=2, test_receipt=True
     )
     # sgx_service is historical ledger, from 1.x -> 2.x -> 3.x -> 5.x -> main.
     # This is used to test recovery from SGX to SNP.
     test_recover_service_from_files(
-        args, "sgx_service", expected_recovery_count=4, test_receipt=False
+        args, directory="sgx_service", expected_recovery_count=4, test_receipt=False
     )
 
     test_recover_service_from_files(
-        args, "double_sealed_service", expected_recovery_count=2, test_receipt=False
+        args,
+        directory="double_sealed_service",
+        expected_recovery_count=2,
+        test_receipt=False,
+    )
+
+    test_recover_service_from_files(
+        args,
+        directory="cose_flipflop_service",
+        expected_recovery_count=0,
+        test_receipt=False,
     )
 
 

tests/testdata/cose_flipflop_service/common/member0_cert.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBtjCCATygAwIBAgIUTZE/TAbIYBwtCz7OKWJLQ2PlC0YwCgYIKoZIzj0EAwMw
+EjEQMA4GA1UEAwwHbWVtYmVyMDAeFw0yNTA1MTQwOTM4MjhaFw0yNjA1MTQwOTM4
+MjhaMBIxEDAOBgNVBAMMB21lbWJlcjAwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQR
+cCSEcdKjs4Nu5h55mNGo2JREdPlLmRiBBIaospJonX6m6UAQT0FFU3jeaSkI8Yq7
+5HKGGXcbxzi0628aN9tDir0W2IfFATWww12Ln/+xLQhgkuBjFXc5XLHSdX/zbKuj
+UzBRMB0GA1UdDgQWBBQnqJPZXtGRunqPjKeqXB/nLIjEUjAfBgNVHSMEGDAWgBQn
+qJPZXtGRunqPjKeqXB/nLIjEUjAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMD
+A2gAMGUCMB1RJ1k8gU2HEjzUxO6KeluhMLwdzYWcKFtsVpjaIhGVtpPNvA/JEbZ2
+ye3R8lQZVAIxAP8H+jAdzZGbl0ZAj4fgMn3Hr8p5IRzy2QOkp7N0HQdn4jRnNn/f
+PSR+05Qr0dy0iw==
+-----END CERTIFICATE-----

tests/testdata/cose_flipflop_service/common/member0_enc_privk.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC0gQu2IGuDYWwO
+3Uza1k/Yz957bmQ6vsUBcw80aj9F1s0Q4xbX5zLHddf80KPdVeacXL696Xj4eaWR
+3p2KVU+485RAXnGPsgrnXOKp++sYm2Sbg/S7C0gN3F+nSKjOv2UucefGpJUGR2zE
+Vo+tR+F5COxKipCpeVKYqX9caPSsxa5x80fdY380LvxO5DA2TZHibn55Qurj9g+a
+5M3pvBB+d4tRqAQCLC6nmYBi7Efs71gpg0Gy6mQecx3iqtFF2hHSpSkOODQL7P0w
+ybhfMcPW+l2x8tnGZtAttRa4m39pVZoRXaAvke2QOPmrOMhnSJ4giOjryzG94j69
+x9ybipL9AgMBAAECggEAbvZlnLCRZ1KcewbQGDdnHoGq43YZZ4Oe2CVDU5V9EBHc
+PmVbxZ37OWLYRDJ+ibIk8jqRh23fT+B4SBPyBPgs6iXTHT7x0MRCr7gKHzUecSIV
+1wRnjhSBVwQCSXQBUheWu9aKBTNn6VQ/KPONn5hwo1c46xoDlCtg+zg3czeSMiLK
+X36/vRwgywCWLfh/n7R7W7VE+jloOdSRGVAXBiUBNRO7bJLyThUbQKfJpqPbEQJk
+T6lmmEKUHEtO3UwkQWaSo3le7P2YZj9Hbt2ZbIuKGlg1+TK99p2Ld5PgcbMojb4L
+VXeVtrninkj4yo8sNhKWSmUi40aBmGtoR1XCdCGCgQKBgQDtdejRdwmynCVf6O8/
+cFgm1uukK63gT5XcHARUfVCtl2IDAtOlerGzTzFS3Xxxju9bCgPlIhfrp+RVvLpx
+7LTQMvJHqYb33yZWQk3x3nZV632RlFE7u/fNS7aAWiwQyop7TcuuyJQUJ/niLefj
+nrv2LPFMFG+D7HC2rSJlI4H80wKBgQDCmMFEM78S5yBghmW0oqdeVdOSoV3r9PsS
+36g/8QUPxp7h+iaGLFY6i9TlpubHMA/qtUTc3DOWKEbu7kGybTT9PTU0HFOqj9p9
++J5KMzrG8ZKnZ5cZnAz9djsHY2TlKNEPl9WVMz7BdpwSsE1+4PUXmidJa4fFnYKb
+d1fu97QO7wKBgCfwkBNDMVdgWgzyseL6s2j89y9qxVkYKb2W3MeVOE+qSar1+8E2
+jNL6+/HTHQ5Am1O1sIgGnv1dBNPC5Z0p0hO+re+NvQzN9LXHezK2VzMGY91rk+o3
+KGvYUz7ta8H7PyWUJTElvXpSav42+GzZkwXJ81/3g/Yte5vOLR3TxhZPAoGAYY+m
+LaRn4nlAEUSwTvzRPol3FmeSqA7dpdu+Bbi3me4xkAgTMmeeH6IlbbHct/aPtFOH
+H9fCgUDWN0n6ZBM+YsxCFUsyYyvWFhwEeBzxFfbdWNKlvbAwDw8sjwq09fMdxVyR
+N0lG6EWn//KmF7t/BYNCuRuRKXFLntgZnPRRML8CgYEAvKEHgmHtO5Pq5lEXA8zW
+tD8luf+PlHZEN65/1ramh13vjzBcT/Hy3Wd5mao9ukaDyxs7scpSQjIi7sGLi+AL
+mcH/EVJEhW/yhhS9oxjEiFw1hDkniRABkY8e7qgY+BYBr03IxAaeO3P5xbmtU6hD
+xQZD7728oOYUnGdJMECxk1E=
+-----END PRIVATE KEY-----

tests/testdata/cose_flipflop_service/common/member0_enc_pubk.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtIELtiBrg2FsDt1M2tZP
+2M/ee25kOr7FAXMPNGo/RdbNEOMW1+cyx3XX/NCj3VXmnFy+vel4+Hmlkd6dilVP
+uPOUQF5xj7IK51ziqfvrGJtkm4P0uwtIDdxfp0iozr9lLnHnxqSVBkdsxFaPrUfh
+eQjsSoqQqXlSmKl/XGj0rMWucfNH3WN/NC78TuQwNk2R4m5+eULq4/YPmuTN6bwQ
+fneLUagEAiwup5mAYuxH7O9YKYNBsupkHnMd4qrRRdoR0qUpDjg0C+z9MMm4XzHD
+1vpdsfLZxmbQLbUWuJt/aVWaEV2gL5HtkDj5qzjIZ0ieIIjo68sxveI+vcfcm4qS
+/QIDAQAB
+-----END PUBLIC KEY-----

tests/testdata/cose_flipflop_service/common/member0_privk.pem

@@ -0,0 +1,7 @@
+-----BEGIN EC PARAMETERS-----
+BgUrgQQAIg==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MD4CAQEEMJE8kt9YzL1Rzq4KEJr6cwGaQzNBaXRT+H5o7D0Q3lzJb2YElOTbf4Bc
+JxtMzasj7KAHBgUrgQQAIg==
+-----END EC PRIVATE KEY-----

tests/testdata/cose_flipflop_service/common/service_cert.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBxzCCAU6gAwIBAgIRANl2+C0zZDIT2lMUKTXnYYEwCgYIKoZIzj0EAwMwGzEZ
+MBcGA1UEAwwQQ0NGIFRlc3QgU2VydmljZTAeFw0yNTA1MTQwOTM4MjlaFw0yNTA4
+MTIwOTM4MjhaMBsxGTAXBgNVBAMMEENDRiBUZXN0IFNlcnZpY2UwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAAS0OZpyTj4YkNdKkdb2oyWQyWl+3t4CW8GoDZV2wAwCT4qY
+qHvFlUV6/x9Po1vSO3jhZGSalh7Xt5g+/n/27oeJ3hwUuCFSHul5h83iz0/ic1cR
+PUZfb2q3w9BkxH0KDOyjVjBUMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE
+FGOM7cxAKjqDINga++n9fP/VYD3/MB8GA1UdIwQYMBaAFGOM7cxAKjqDINga++n9
+fP/VYD3/MAoGCCqGSM49BAMDA2cAMGQCMFwMjw+TrzJdDX6TwzTDxEZ1lbeMBoQZ
+ggP6dDyixzMM5fpf8IcVzIEmFLxhcHIxwQIwf0Er1e/V4liei8BrmDMVSoZ49ET9
+XTYUeiwfi4L9bH5AeZE3s7nl9YeZTYx7TqGO
+-----END CERTIFICATE-----

tests/testdata/cose_flipflop_service/common/user0_cert.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBsTCCATigAwIBAgIUO+mcweSUTjR+BRR7bGk7lLJAwyQwCgYIKoZIzj0EAwMw
+EDEOMAwGA1UEAwwFdXNlcjAwHhcNMjUwNTE0MDkzODMwWhcNMjYwNTE0MDkzODMw
+WjAQMQ4wDAYDVQQDDAV1c2VyMDB2MBAGByqGSM49AgEGBSuBBAAiA2IABDqJJdHa
+lRH8ouN0YdzZWCX98riSIuus/EgMy5uFGnXqf2hRAzA30Pf5nb8VbUxkc+j358y7
+5GDjlEHkiUifi9ulKmMWKwZORvyiDlkoJNtgtmuxnIOcL8zSzrTVYJK1k6NTMFEw
+HQYDVR0OBBYEFNbcukLhNYbUZyGg8cgGVlO4gOclMB8GA1UdIwQYMBaAFNbcukLh
+NYbUZyGg8cgGVlO4gOclMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwMDZwAw
+ZAIwRvHW6wT7TJGFwoGSA8GCOl5dwUpgfE4mOfeTimPds460bVNuHPBEnpCMs4of
+ZWFJAjAneFheLWxphX+bZY1UZtg5qcsdHcojPZV76jP+ejwfbycB/ng1iGxzD8b/
+gnS9oHM=
+-----END CERTIFICATE-----

tests/testdata/cose_flipflop_service/common/user0_privk.pem

@@ -0,0 +1,7 @@
+-----BEGIN EC PARAMETERS-----
+BgUrgQQAIg==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MD4CAQEEMOyzlQIbgQgSdhgKF/ZEdcbW7yZ0FMXPf2q6HVb0dl+pcol7BDCVq1M5
+6x3R/L/WHqAHBgUrgQQAIg==
+-----END EC PRIVATE KEY-----