SKALE-4262 set checkKeyOwnership on start

72bb58de · Oleh Nikolaiev · 63a08c85 · 72bb58de · 72bb58de · 72bb58de
Unverified Commit 72bb58de authored Jul 20, 2021 by Oleh Nikolaiev
7 changed files
--- a/ServerInit.cpp
+++ b/ServerInit.cpp
@@ -14,7 +14,7 @@
    GNU Affero General Public License for more details.
    You should have received a copy of the GNU Affero General Public License
-    along with sgxwallet.  If not, see <https://www.gnu.org/licenses/>.
+    along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
    @file ServerInit.cpp
    @author Stan Kladko
@@ -209,7 +209,7 @@ void initAll(uint32_t _logLevel, bool _checkCert,
        SGXRegistrationServer::initRegistrationServer(_autoSign);
        CSRManagerServer::initCSRManagerServer();
        SGXInfoServer::initInfoServer(_logLevel, _checkCert, _autoSign, _generateTestKeys);
-        ZMQServer::initZMQServer(_checkZMQSig);
+        ZMQServer::initZMQServer(_checkZMQSig, useHTTPS);
        sgxServerInited = true;
    } catch (SGXException &_e) {

--- a/zmq_src/ReqMessage.cpp
+++ b/zmq_src/ReqMessage.cpp
@@ -31,8 +31,7 @@ Json::Value ECDSASignReqMessage::process() {
    auto base = getInt64Rapid("base");
    auto keyName = getStringRapid("keyName");
    auto hash = getStringRapid("messageHash");
-    auto cert = getStringRapid("cert");
+    if (checkKeyOwnership && !isKeyByOwner(keyName, getStringRapid("cert"))) {
-    if (!isKeyByOwner(keyName, cert)) {
        throw std::invalid_argument("Only owner of the key can access it");
    }
    auto result = SGXWalletServer::ecdsaSignMessageHashImpl(base, keyName, hash);
@@ -45,8 +44,7 @@ Json::Value BLSSignReqMessage::process() {
    auto hash = getStringRapid("messageHash");
    auto t = getInt64Rapid("t");
    auto n = getInt64Rapid("n");
-    auto cert = getStringRapid("cert");
+    if (checkKeyOwnership && !isKeyByOwner(keyName, getStringRapid("cert"))) {
-    if (!isKeyByOwner(keyName, cert)) {
        throw std::invalid_argument("Only owner of the key can access it");
    }
    auto result = SGXWalletServer::blsSignMessageHashImpl(keyName, hash, t, n);
@@ -58,7 +56,7 @@ Json::Value importBLSReqMessage::process() {
    auto keyName = getStringRapid("keyShareName");
    auto keyShare = getStringRapid("keyShare");
    auto result = SGXWalletServer::importBLSKeyShareImpl(keyShare, keyName);
-    if (result["status"] == 0) {
+    if (checkKeyOwnership && result["status"] == 0) {
        auto cert = getStringRapid("cert");
        addKeyByOwner(keyName, cert);
    }
@@ -70,7 +68,7 @@ Json::Value importECDSAReqMessage::process() {
    auto keyName = getStringRapid("keyName");
    auto key = getStringRapid("key");
    auto result = SGXWalletServer::importECDSAKeyImpl(key, keyName);
-    if (result["status"] == 0) {
+    if (checkKeyOwnership && result["status"] == 0) {
        auto cert = getStringRapid("cert");
        addKeyByOwner(keyName, cert);
    }
@@ -81,7 +79,7 @@ Json::Value importECDSAReqMessage::process() {
 Json::Value generateECDSAReqMessage::process() {
    auto result = SGXWalletServer::generateECDSAKeyImpl();
    string keyName = result["keyName"].asString();
-    if (result["status"] == 0) {
+    if (checkKeyOwnership && result["status"] == 0) {
        auto cert = getStringRapid("cert");
        addKeyByOwner(keyName, cert);
    }
@@ -91,8 +89,7 @@ Json::Value generateECDSAReqMessage::process() {
 Json::Value getPublicECDSAReqMessage::process() {
    auto keyName = getStringRapid("keyName");
-    auto cert = getStringRapid("cert");
+    if (checkKeyOwnership && !isKeyByOwner(keyName, getStringRapid("cert"))) {
-    if (!isKeyByOwner(keyName, cert)) {
        throw std::invalid_argument("Only owner of the key can access it");
    }
    auto result = SGXWalletServer::getPublicECDSAKeyImpl(keyName);
@@ -104,7 +101,7 @@ Json::Value generateDKGPolyReqMessage::process() {
    auto polyName = getStringRapid("polyName");
    auto t = getInt64Rapid("t");
    auto result = SGXWalletServer::generateDKGPolyImpl(polyName, t);
-    if (result["status"] == 0) {
+    if (checkKeyOwnership && result["status"] == 0) {
        auto cert = getStringRapid("cert");
        addKeyByOwner(polyName, cert);
    }
@@ -114,8 +111,7 @@ Json::Value generateDKGPolyReqMessage::process() {
 Json::Value getVerificationVectorReqMessage::process() {
    auto polyName = getStringRapid("polyName");
-    auto cert = getStringRapid("cert");
+    if (checkKeyOwnership && !isKeyByOwner(polyName, getStringRapid("cert"))) {
-    if (!isKeyByOwner(polyName, cert)) {
        throw std::invalid_argument("Only owner of the key can access it");
    }
    auto t = getInt64Rapid("t");
@@ -129,8 +125,7 @@ Json::Value getSecretShareReqMessage::process() {
    auto t = getInt64Rapid("t");
    auto n = getInt64Rapid("n");
    auto pubKeys = getJsonValueRapid("publicKeys");
-    auto cert = getStringRapid("cert");
+    if (checkKeyOwnership && !isKeyByOwner(polyName, getStringRapid("cert"))) {
-    if (!isKeyByOwner(polyName, cert)) {
        throw std::invalid_argument("Only owner of the key can access it");
    }
    auto result = SGXWalletServer::getSecretShareV2Impl(polyName, pubKeys, t, n);
@@ -145,8 +140,7 @@ Json::Value dkgVerificationReqMessage::process() {
    auto idx = getInt64Rapid("index");
    auto pubShares = getStringRapid("publicShares");
    auto secretShare = getStringRapid("secretShare");
-    auto cert = getStringRapid("cert");
+    if (checkKeyOwnership && !isKeyByOwner(ethKeyName, getStringRapid("cert"))) {
-    if (!isKeyByOwner(ethKeyName, cert)) {
        throw std::invalid_argument("Only owner of the key can access it");
    }
    auto result = SGXWalletServer::dkgVerificationV2Impl(pubShares, ethKeyName, secretShare, t, n, idx);
@@ -161,13 +155,12 @@ Json::Value createBLSPrivateKeyReqMessage::process() {
    auto secretShare = getStringRapid("secretShare");
    auto t = getInt64Rapid("t");
    auto n = getInt64Rapid("n");
-    auto cert = getStringRapid("cert");
+    if (checkKeyOwnership && !isKeyByOwner(ethKeyName, getStringRapid("cert")) || !isKeyByOwner(polyName, getStringRapid("cert"))) {
-    if (!isKeyByOwner(ethKeyName, cert) || !isKeyByOwner(polyName, cert)) {
        throw std::invalid_argument("Only owner of the key can access it");
    }
    auto result = SGXWalletServer::createBLSPrivateKeyV2Impl(blsKeyName, ethKeyName, polyName, secretShare, t, n);
-    if (result["status"] == 0) {
+    if (checkKeyOwnership && result["status"] == 0) {
-        addKeyByOwner(blsKeyName, cert);
+        addKeyByOwner(blsKeyName, getStringRapid("cert"));
    }
    result["type"] = ZMQMessage::CREATE_BLS_PRIVATE_RSP;
    return result;
@@ -175,8 +168,7 @@ Json::Value createBLSPrivateKeyReqMessage::process() {
 Json::Value getBLSPublicReqMessage::process() {
    auto blsKeyName = getStringRapid("blsKeyName");
-    auto cert = getStringRapid("cert");
+    if (checkKeyOwnership && !isKeyByOwner(blsKeyName, getStringRapid("cert"))) {
-    if (!isKeyByOwner(blsKeyName, cert)) {
        throw std::invalid_argument("Only owner of the key can access it");
    }
    auto result = SGXWalletServer::getBLSPublicKeyShareImpl(blsKeyName);
@@ -198,8 +190,7 @@ Json::Value complaintResponseReqMessage::process() {
    auto t = getInt64Rapid("t");
    auto n = getInt64Rapid("n");
    auto idx = getInt64Rapid("ind");
-    auto cert = getStringRapid("cert");
+    if (checkKeyOwnership && !isKeyByOwner(polyName, getStringRapid("cert"))) {
-    if (!isKeyByOwner(polyName, cert)) {
        throw std::invalid_argument("Only owner of the key can access it");
    }
    auto result = SGXWalletServer::complaintResponseImpl(polyName, t, n, idx);
@@ -235,8 +226,7 @@ Json::Value getServerVersionReqMessage::process() {
 Json::Value deleteBLSKeyReqMessage::process() {
    auto blsKeyName = getStringRapid("blsKeyName");
-    auto cert = getStringRapid("cert");
+    if (checkKeyOwnership && !isKeyByOwner(blsKeyName, getStringRapid("cert"))) {
-    if (!isKeyByOwner(blsKeyName, cert)) {
        throw std::invalid_argument("Only owner of the key can access it");
    }
    auto result = SGXWalletServer::deleteBlsKeyImpl(blsKeyName);

--- a/zmq_src/ZMQClient.cpp
+++ b/zmq_src/ZMQClient.cpp
@@ -67,7 +67,7 @@ shared_ptr <ZMQMessage> ZMQClient::doRequestReply(Json::Value &_req) {
        CHECK_STATE(resultStr.front() == '{')
        CHECK_STATE(resultStr.back() == '}')
-        return ZMQMessage::parse(resultStr.c_str(), resultStr.size(), false, false);
+        return ZMQMessage::parse(resultStr.c_str(), resultStr.size(), false, false, false);
    } catch (std::exception &e) {
        spdlog::error(string("Error in doRequestReply:") + e.what());
        throw;

--- a/zmq_src/ZMQMessage.cpp
+++ b/zmq_src/ZMQMessage.cpp
@@ -76,7 +76,7 @@ string ZMQMessage::getStringRapid(const char *_name) {
 shared_ptr <ZMQMessage> ZMQMessage::parse(const char *_msg,
                                          size_t _size, bool _isRequest,
-                                          bool _verifySig) {
+                                          bool _verifySig, bool _checkKeyOwnership) {
    CHECK_STATE(_msg);
    CHECK_STATE2(_size > 5, ZMQ_INVALID_MESSAGE_SIZE);
@@ -150,16 +150,15 @@ shared_ptr <ZMQMessage> ZMQMessage::parse(const char *_msg,
        }
    }
-    shared_ptr <ZMQMessage> result;
    if (_isRequest) {
-        return buildRequest(type, d);
+        return buildRequest(type, d, _checkKeyOwnership);
    } else {
-        return buildResponse(type, d);
+        return buildResponse(type, d, _checkKeyOwnership);
    }
 }
-shared_ptr <ZMQMessage> ZMQMessage::buildRequest(string &_type, shared_ptr <rapidjson::Document> _d) {
+shared_ptr <ZMQMessage> ZMQMessage::buildRequest(string &_type, shared_ptr <rapidjson::Document> _d,
+                                                bool _checkKeyOwnership) {
    Requests r;
    try {
        int t = requests.at( _type );
@@ -232,10 +231,13 @@ shared_ptr <ZMQMessage> ZMQMessage::buildRequest(string &_type, shared_ptr <rapi
            break;
    }
+    ret->setCheckKeyOwnership(_checkKeyOwnership);
    return ret;
 }
-shared_ptr <ZMQMessage> ZMQMessage::buildResponse(string &_type, shared_ptr <rapidjson::Document> _d) {
+shared_ptr <ZMQMessage> ZMQMessage::buildResponse(string &_type, shared_ptr <rapidjson::Document> _d,
+                                                bool _checkKeyOwnership) {
    Responses r;
    try {
        int t = responses.at( _type );
@@ -310,6 +312,8 @@ shared_ptr <ZMQMessage> ZMQMessage::buildResponse(string &_type, shared_ptr <rap
            break;
    }
+    ret->setCheckKeyOwnership(_checkKeyOwnership);
    return ret;
 }

--- a/zmq_src/ZMQMessage.h
+++ b/zmq_src/ZMQMessage.h
@@ -52,6 +52,7 @@ class ZMQMessage {
    static cache::lru_cache<string, pair<EVP_PKEY*, X509*>> verifiedCerts;
 protected:
+    bool checkKeyOwnership = true;
    static std::map<string, string> keysByOwners;
@@ -135,11 +136,15 @@ public:
    }
    static shared_ptr <ZMQMessage> parse(const char* _msg, size_t _size, bool _isRequest,
-                                         bool _verifySig);
+                                         bool _verifySig, bool _checkKeyOwnership);
-    static shared_ptr<ZMQMessage> buildRequest(string& type, shared_ptr<rapidjson::Document> _d);
+    static shared_ptr<ZMQMessage> buildRequest(string& type, shared_ptr<rapidjson::Document> _d,
-    static shared_ptr<ZMQMessage> buildResponse(string& type, shared_ptr<rapidjson::Document> _d);
+                                                bool _checkKeyOwnership);
+    static shared_ptr<ZMQMessage> buildResponse(string& type, shared_ptr<rapidjson::Document> _d,
+                                                bool _checkKeyOwnership);
    virtual Json::Value process() = 0;
+    void setCheckKeyOwnership(bool _check) { checkKeyOwnership = _check; }
 };
--- a/zmq_src/ZMQServer.cpp
+++ b/zmq_src/ZMQServer.cpp
@@ -38,8 +38,8 @@ using namespace std;
 shared_ptr <ZMQServer> ZMQServer::zmqServer = nullptr;
-ZMQServer::ZMQServer(bool _checkSignature, const string &_caCertFile)
+ZMQServer::ZMQServer(bool _checkSignature, bool _checkKeyOwnership, const string &_caCertFile)
-        : checkSignature(_checkSignature),
+        : checkSignature(_checkSignature), checkKeyOwnership(_checkKeyOwnership),
          caCertFile(_caCertFile), ctx(make_shared<zmq::context_t>(1)) {
    socket = make_shared<zmq::socket_t>(*ctx, ZMQ_ROUTER);
@@ -94,12 +94,13 @@ void ZMQServer::exitZMQServer() {
    spdlog::info("Exited zmq server.");
 }
-void ZMQServer::initZMQServer(bool _checkSignature) {
+void ZMQServer::initZMQServer(bool _checkSignature, bool _checkKeyOwnership) {
    static bool initedServer = false;
    CHECK_STATE(!initedServer)
    initedServer = true;
-    spdlog::info("Initing zmq server. checkSignature is set to {}", _checkSignature);
+    spdlog::info("Initing zmq server.\n checkSignature is set to {}.\n checkKeyOwnership is set to {}",
+                _checkSignature, _checkKeyOwnership);
    string rootCAPath = "";
@@ -109,7 +110,7 @@ void ZMQServer::initZMQServer(bool _checkSignature) {
        CHECK_STATE(access(rootCAPath.c_str(), F_OK) == 0);
    };
-    zmqServer = make_shared<ZMQServer>(_checkSignature, rootCAPath);
+    zmqServer = make_shared<ZMQServer>(_checkSignature, _checkKeyOwnership, rootCAPath);
    CHECK_STATE(zmqServer)
@@ -179,7 +180,7 @@ void ZMQServer::doOneServerLoop() {
        CHECK_STATE(stringToParse.back() == '}')
        auto parsedMsg = ZMQMessage::parse(
-                stringToParse.c_str(), stringToParse.size(), true, checkSignature);
+                stringToParse.c_str(), stringToParse.size(), true, checkSignature, checkKeyOwnership);
        CHECK_STATE2(parsedMsg, ZMQ_COULD_NOT_PARSE);

--- a/zmq_src/ZMQServer.h
+++ b/zmq_src/ZMQServer.h
@@ -14,7 +14,7 @@
    GNU Affero General Public License for more details.
    You should have received a copy of the GNU Affero General Public License
-    along with sgxwallet.  If not, see <https://www.gnu.org/licenses/>.
+    along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
    @file ZMQServer.h
    @author Stan Kladko
@@ -52,16 +52,18 @@ public:
    static shared_ptr<std::thread> serverThread;
-    ZMQServer(bool _checkSignature, const string& _caCertFile);
+    ZMQServer(bool _checkSignature, bool _checkKeyOwnership, const string& _caCertFile);
    ~ZMQServer();
    void run();
-    static void initZMQServer(bool _checkSignature);
+    static void initZMQServer(bool _checkSignature, bool _checkKeyOwnership);
    static void exitZMQServer();
 private:
+    bool checkKeyOwnership = true;
    shared_ptr<zmq::context_t> ctx;
    shared_ptr<zmq::socket_t> socket;