-
Notifications
You must be signed in to change notification settings - Fork 944
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Return signing key in SignedEnvelope.payload #2522
Changes from 1 commit
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
|
@@ -10,7 +10,7 @@ use unsigned_varint::encode::usize_buffer; | |||||
/// For more details see libp2p RFC0002: <https://github.com/libp2p/specs/blob/master/RFC/0002-signed-envelopes.md> | ||||||
#[derive(Debug, Clone, PartialEq)] | ||||||
pub struct SignedEnvelope { | ||||||
pub(crate) key: PublicKey, | ||||||
key: PublicKey, | ||||||
payload_type: Vec<u8>, | ||||||
payload: Vec<u8>, | ||||||
signature: Vec<u8>, | ||||||
|
@@ -44,15 +44,19 @@ impl SignedEnvelope { | |||||
self.key.verify(&buffer, &self.signature) | ||||||
} | ||||||
|
||||||
/// Extract the payload of this [`SignedEnvelope`]. | ||||||
/// Extract the payload and signing key of this [`SignedEnvelope`]. | ||||||
/// | ||||||
/// You must provide the correct domain-separation string and expected payload type in order to get the payload. | ||||||
/// This guards against accidental mis-use of the payload where the signature was created for a different purpose or payload type. | ||||||
/// | ||||||
/// It is the caller's responsibility to check that the signing key is what | ||||||
/// is expected. For example, checking that the signing key is from a | ||||||
/// certain peer. | ||||||
pub fn payload( | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
What do you think of renaming the method as well? If I recall correctly you suggested this in your initial vulnerability report, right? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Changed in ef3afcd |
||||||
&self, | ||||||
domain_separation: String, | ||||||
expected_payload_type: &[u8], | ||||||
) -> Result<&[u8], ReadPayloadError> { | ||||||
) -> Result<(&[u8], &PublicKey), ReadPayloadError> { | ||||||
if self.payload_type != expected_payload_type { | ||||||
return Err(ReadPayloadError::UnexpectedPayloadType { | ||||||
expected: expected_payload_type.to_vec(), | ||||||
|
@@ -64,7 +68,7 @@ impl SignedEnvelope { | |||||
return Err(ReadPayloadError::InvalidSignature); | ||||||
} | ||||||
|
||||||
Ok(&self.payload) | ||||||
Ok((&self.payload, &self.key)) | ||||||
} | ||||||
|
||||||
/// Encode this [`SignedEnvelope`] using the protobuf encoding specified in the RFC. | ||||||
|
@@ -221,11 +225,11 @@ mod tests { | |||||
) | ||||||
.expect("Failed to create envelope"); | ||||||
|
||||||
let actual_payload = env | ||||||
let (actual_payload, signing_key) = env | ||||||
.payload(domain_separation, &payload_type) | ||||||
.expect("Failed to extract payload and public key"); | ||||||
|
||||||
assert_eq!(actual_payload, payload); | ||||||
assert_eq!(env.key, kp.public()); | ||||||
assert_eq!(signing_key, &kp.public()); | ||||||
} | ||||||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about enforcing this constraint via
#[must_use]
? Something along the lines of the playground below:https://play.rust-lang.org/?version=stable&mode=debug&edition=2021&gist=1a32dedc2d59c3298dc73a8b48d9d76c
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh excellent! I was wondering if there was a way I could leverage
#[must_use]
. Thanks!There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As far as I can tell, unfortunately one can not do it on an anonymous tuple. E.g. instead of the additional
struct
I would prefer to do:There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah that was my first thought, but I hadn't considering using a struct instead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, the above suggestion actually does not work. The compiler reports the field not being used in general, rather than not being used in this particular case.
Also nesting
#[must_use]
structs doesn't work see rust-lang/rust#39524.Also @MarcoPolo pointed out that users would likely do something along the lines of
let (payload, _) = payload().handle_error();
which would thus circumvent the#[must_use]
.Sorry for the noise here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could do something like this: https://play.rust-lang.org/?version=stable&mode=debug&edition=2021&gist=92e6fc6cf971873eb590d9ada72f85fa
But I am not sure if it is useful. Assigning
_
will silence themust_use
warning ...There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfortunately assigning the return value to anything and not using the key value will also satisfy the must_use lint. e.g.
let data = foo().unwrap();