Merge branch 'develop' into feature/SKALE-4411-support-threshold-encryption

039bb7cd · Oleh Nikolaiev · GitHub · da16094e · 7f2aa0d7 · 039bb7cd
Unverified Commit 039bb7cd authored Aug 10, 2021 by Oleh Nikolaiev Committed by GitHub Aug 10, 2021
6 changed files
--- a/docs/run-in-hardware-mode.md
+++ b/docs/run-in-hardware-mode.md
@@ -66,6 +66,7 @@ If operating with a firewall, please make sure these ports are open so clients a
 -   \-n     Launch SGXWalletServer using http (not https)
 -   \-b     Restore from back up (you will need to enter backup key) 
 -   \-y     Do not ask user to acknowledge receipt of backup key 
+-   \-e     Check whether one who is trying to access the key is the same user who created it (Ownership is checked via SSL certificate for now. Deleting old SSL     certificates and trying to access the keys created before will cause the error!)
 -   \-T     Generate test keys     
 ### Healthcheck

--- a/sgxwall.cpp
+++ b/sgxwall.cpp
@@ -101,7 +101,7 @@ int main(int argc, char *argv[]) {
    bool checkClientCertOption = true;
    bool autoSignClientCertOption = false;
    bool generateTestKeys = false;
-    bool checkKeyOwnership = true;
+    bool checkKeyOwnership = false;
    std::signal(SIGABRT, SGXWallet::signalHandler);

--- a/testw.cpp
+++ b/testw.cpp
@@ -74,7 +74,7 @@ public:
    TestFixture() {
        TestUtils::resetDB();
        setOptions(L_INFO, false, true);
-        initAll(L_INFO, false, false, true, false, false);
+        initAll(L_INFO, false, false, true, false, true);
    }
    ~TestFixture() {
@@ -115,7 +115,7 @@ class TestFixtureNoResetFromBackup {
 public:
    TestFixtureNoResetFromBackup() {
        setFullOptions(L_INFO, false, true, true);
-        initAll(L_INFO, false, false, true, false, false);
+        initAll(L_INFO, false, false, true, false, true);
    }
    ~TestFixtureNoResetFromBackup() {
@@ -129,7 +129,7 @@ class TestFixtureNoReset {
 public:
    TestFixtureNoReset() {
        setOptions(L_INFO, false, true);
-        initAll(L_INFO, false, false, true, false, false);
+        initAll(L_INFO, false, false, true, false, true);
    }
    ~TestFixtureNoReset() {

--- a/testw.py
+++ b/testw.py
@@ -55,7 +55,6 @@ testList = [ "[zmq-ecdsa]",
             "[dkg-api-v2]",
             "[dkg-api-v2-zmq]",
             "[dkg-bls]",
-             "[dkgzmqbls]",
             "[dkg-bls-v2]",
             "[dkg-poly-exists]",
             "[dkg-poly-exists-zmq]",

--- a/zmq_src/ReqMessage.cpp
+++ b/zmq_src/ReqMessage.cpp
@@ -26,12 +26,14 @@
 #include "ReqMessage.h"
+#include "third_party/spdlog/spdlog.h"
 Json::Value ECDSASignReqMessage::process() {
    auto base = getInt64Rapid("base");
    auto keyName = getStringRapid("keyName");
    auto hash = getStringRapid("messageHash");
    if (checkKeyOwnership && !isKeyByOwner(keyName, getStringRapid("cert"))) {
+        spdlog::error("Cert {} try to access key {} which does not belong to it", getStringRapid("cert"), keyName);
        throw std::invalid_argument("Only owner of the key can access it");
    }
    auto result = SGXWalletServer::ecdsaSignMessageHashImpl(base, keyName, hash);
@@ -45,6 +47,7 @@ Json::Value BLSSignReqMessage::process() {
    auto t = getInt64Rapid("t");
    auto n = getInt64Rapid("n");
    if (checkKeyOwnership && !isKeyByOwner(keyName, getStringRapid("cert"))) {
+        spdlog::error("Cert {} try to access key {} which does not belong to it", getStringRapid("cert"), keyName);
        throw std::invalid_argument("Only owner of the key can access it");
    }
    auto result = SGXWalletServer::blsSignMessageHashImpl(keyName, hash, t, n);
@@ -57,6 +60,7 @@ Json::Value importBLSReqMessage::process() {
    auto keyShare = getStringRapid("keyShare");
    auto result = SGXWalletServer::importBLSKeyShareImpl(keyShare, keyName);
    if (checkKeyOwnership && result["status"] == 0) {
+        spdlog::info("Cert {} creates key {}", getStringRapid("cert"), keyName);
        auto cert = getStringRapid("cert");
        addKeyByOwner(keyName, cert);
    }
@@ -90,6 +94,7 @@ Json::Value generateECDSAReqMessage::process() {
 Json::Value getPublicECDSAReqMessage::process() {
    auto keyName = getStringRapid("keyName");
    if (checkKeyOwnership && !isKeyByOwner(keyName, getStringRapid("cert"))) {
+        spdlog::error("Cert {} try to access key {} which does not belong to it", getStringRapid("cert"), keyName);
        throw std::invalid_argument("Only owner of the key can access it");
    }
    auto result = SGXWalletServer::getPublicECDSAKeyImpl(keyName);
@@ -103,6 +108,7 @@ Json::Value generateDKGPolyReqMessage::process() {
    auto result = SGXWalletServer::generateDKGPolyImpl(polyName, t);
    if (checkKeyOwnership && result["status"] == 0) {
        auto cert = getStringRapid("cert");
+        spdlog::info("Cert {} creates key {}", cert, polyName);
        addKeyByOwner(polyName, cert);
    }
    result["type"] = ZMQMessage::GENERATE_DKG_POLY_RSP;
@@ -112,6 +118,7 @@ Json::Value generateDKGPolyReqMessage::process() {
 Json::Value getVerificationVectorReqMessage::process() {
    auto polyName = getStringRapid("polyName");
    if (checkKeyOwnership && !isKeyByOwner(polyName, getStringRapid("cert"))) {
+        spdlog::error("Cert {} try to access key {} which does not belong to it", getStringRapid("cert"), polyName);
        throw std::invalid_argument("Only owner of the key can access it");
    }
    auto t = getInt64Rapid("t");
@@ -126,6 +133,7 @@ Json::Value getSecretShareReqMessage::process() {
    auto n = getInt64Rapid("n");
    auto pubKeys = getJsonValueRapid("publicKeys");
    if (checkKeyOwnership && !isKeyByOwner(polyName, getStringRapid("cert"))) {
+        spdlog::error("Cert {} try to access key {} which does not belong to it", getStringRapid("cert"), polyName);
        throw std::invalid_argument("Only owner of the key can access it");
    }
    auto result = SGXWalletServer::getSecretShareV2Impl(polyName, pubKeys, t, n);
@@ -141,6 +149,7 @@ Json::Value dkgVerificationReqMessage::process() {
    auto pubShares = getStringRapid("publicShares");
    auto secretShare = getStringRapid("secretShare");
    if (checkKeyOwnership && !isKeyByOwner(ethKeyName, getStringRapid("cert"))) {
+        spdlog::error("Cert {} try to access key {} which does not belong to it", getStringRapid("cert"), ethKeyName);
        throw std::invalid_argument("Only owner of the key can access it");
    }
    auto result = SGXWalletServer::dkgVerificationV2Impl(pubShares, ethKeyName, secretShare, t, n, idx);
@@ -156,10 +165,12 @@ Json::Value createBLSPrivateKeyReqMessage::process() {
    auto t = getInt64Rapid("t");
    auto n = getInt64Rapid("n");
    if (checkKeyOwnership && (!isKeyByOwner(ethKeyName, getStringRapid("cert")) || !isKeyByOwner(polyName, getStringRapid("cert")))) {
+        spdlog::error("Cert {} try to access keys {} {} which do not belong to it", getStringRapid("cert"), ethKeyName ,polyName);
        throw std::invalid_argument("Only owner of the key can access it");
    }
    auto result = SGXWalletServer::createBLSPrivateKeyV2Impl(blsKeyName, ethKeyName, polyName, secretShare, t, n);
    if (checkKeyOwnership && result["status"] == 0) {
+        spdlog::info("Cert {} creates key {}", getStringRapid("cert"), blsKeyName);
        addKeyByOwner(blsKeyName, getStringRapid("cert"));
    }
    result["type"] = ZMQMessage::CREATE_BLS_PRIVATE_RSP;
@@ -169,6 +180,7 @@ Json::Value createBLSPrivateKeyReqMessage::process() {
 Json::Value getBLSPublicReqMessage::process() {
    auto blsKeyName = getStringRapid("blsKeyName");
    if (checkKeyOwnership && !isKeyByOwner(blsKeyName, getStringRapid("cert"))) {
+        spdlog::error("Cert {} try to access key {} which does not belong to it", getStringRapid("cert"), blsKeyName);
        throw std::invalid_argument("Only owner of the key can access it");
    }
    auto result = SGXWalletServer::getBLSPublicKeyShareImpl(blsKeyName);
@@ -191,6 +203,7 @@ Json::Value complaintResponseReqMessage::process() {
    auto n = getInt64Rapid("n");
    auto idx = getInt64Rapid("ind");
    if (checkKeyOwnership && !isKeyByOwner(polyName, getStringRapid("cert"))) {
+        spdlog::error("Cert {} try to access key {} which does not belong to it", getStringRapid("cert"), polyName);
        throw std::invalid_argument("Only owner of the key can access it");
    }
    auto result = SGXWalletServer::complaintResponseImpl(polyName, t, n, idx);
@@ -227,6 +240,7 @@ Json::Value getServerVersionReqMessage::process() {
 Json::Value deleteBLSKeyReqMessage::process() {
    auto blsKeyName = getStringRapid("blsKeyName");
    if (checkKeyOwnership && !isKeyByOwner(blsKeyName, getStringRapid("cert"))) {
+        spdlog::error("Cert {} try to access key {} which does not belong to it", getStringRapid("cert"), blsKeyName);
        throw std::invalid_argument("Only owner of the key can access it");
    }
    auto result = SGXWalletServer::deleteBlsKeyImpl(blsKeyName);

--- a/zmq_src/ZMQMessage.cpp
+++ b/zmq_src/ZMQMessage.cpp
@@ -326,12 +326,12 @@ shared_ptr <ZMQMessage> ZMQMessage::buildResponse(string &_type, shared_ptr <rap
 std::map<string, string> ZMQMessage::keysByOwners;
 bool ZMQMessage::isKeyByOwner(const string& keyName, const string& cert) {
-    auto value = LevelDB::getLevelDb()->readString(keyName);
+    auto value = LevelDB::getLevelDb()->readString(keyName  + ":OWNER");
    return value && *value == cert;
 }
 void ZMQMessage::addKeyByOwner(const string& keyName, const string& cert) {
-    SGXWalletServer::writeDataToDB(keyName, cert);
+    SGXWalletServer::writeDataToDB(keyName + ":OWNER", cert);
 }
 cache::lru_cache<string, pair < EVP_PKEY * , X509 *>> ZMQMessage::verifiedCerts(256);