Handle PCK certificates #1068
Handle PCK certificates #1068
Conversation
|
@HCastano now that #1063 is finished, i am a little bit unsure how to go ahead with this. The function But it seems we can't have the attestation pallet be a dependency of the staking pallet. Easiest thing to do would be to move this code to the staking pallet. But logically it kinda belongs here because its kinda related to attestation. So dunno if i should make a crate for this, or think up another place to put it, or just not worry and stick it in the staking pallet (in its own module). |
|
@ameba23 I think it's fine for this to live somewhere in/near the staking pallet for now as long as it get abstracted correctly, e.g we go through an associated type ( A module with the trait implementation is probably alright. A standalone crate seems overkill at this point. |
* master: Bump clap from 4.5.18 to 4.5.19 in the patch-dependencies group (#1091) Avoid panic by checking that we have a non-signing validator before selecting one (#1083) Fix master build (#1088) Small fixes to `test-cli` (#1084) Pregenerate keyshares sets for all possible initial signer comittees (#1073) Fix master build (#1079) Bump reqwest from 0.12.7 to 0.12.8 in the patch-dependencies group (#1082) Block tss chain when signer (#1078) Run multiple test validator (#1074) Bump tempfile from 3.12.0 to 3.13.0 (#1076) Bump axum from 0.7.6 to 0.7.7 in the patch-dependencies group (#1075) Unignore register and sign integration test, and do a non-mock jumpstart (#1070) No unbonding when signer or next signer (#1031) Add `/relay_tx` endpoint (#1050) Fix how pre-generated keyshares are added for tests (#1061) Handle Provisioning Certification Keys (PCKs) (#1051) Bump async-trait from 0.1.82 to 0.1.83 in the patch-dependencies group (#1067)
| @@ -120,6 +124,15 @@ pub mod pallet { | |||
| pub endpoint: TssServerURL, | |||
| pub provisioning_certification_key: VerifyingKey, | |||
| } | |||
|
|
|||
| #[derive(Encode, Decode, Clone, Eq, PartialEq, RuntimeDebug, TypeInfo)] | |||
| pub struct JoiningServerInfo<AccountId> { | |||
There was a problem hiding this comment.
This is given as an argument to the validate extrinsic. I don't like having this extra struct, but i couldn't come up with another way of doing it which didn't make it possible that there exists a ServerInfo with no associated PCK which i want to avoid.
Ideally i would like to impl From<ServerInfo> for JoiningServerInfo but because it needs to call the cert validator which is a trait method, i couldn't figure out how to do that either.
There was a problem hiding this comment.
Ideally i would like to impl From for JoiningServerInfo but because it needs to call the cert validator which is a trait method, i couldn't figure out how to do that either.
I think you actually want the other way around, but either way ya it seems a little tricky because of the T bound. We can do it as an internal method on the pallet implementation though.
impl<T: Config> Pallet<T> {
// ... snip ...
fn server_info(joining_server_info: JoiningServerInfo<T::AccountId>) -> ServerInfo<T::AccountId> {
let provisioning_certification_key =
T::PckCertChainVerifier::verify_pck_certificate_chain(
joining_server_info.pck_certificate_chain,
)
.unwrap();
ServerInfo::<T::AccountId> {
tss_account: joining_server_info.tss_account,
x25519_public_key: joining_server_info.x25519_public_key,
endpoint: joining_server_info.endpoint,
provisioning_certification_key,
}
}
}This is given as an argument to the validate extrinsic. I don't like having this extra struct, but i couldn't come up with another way of doing it which didn't make it possible that there exists a ServerInfo with no associated PCK which i want to avoid.
But really the above conversion doesn't really handle the crux of the problem which is this. One approach is that we can pass in the certificate chain directly to the extrinsic and then have the ServerInfo.provisioning_certification_key field be an Option. It doesn't guarantee that it can't be None, but it is something that can be verified before writing ServerInfo to storage.
There was a problem hiding this comment.
I feel pretty strongly about wanting assurance at the type level that every ServerInfo has a PCK - i don't want it to be an Option.
I would like to somehow improve the conversion between JoiningServerInfo and ServerInfo but its going to have to be in a follow up as i don't wanna keep resolving conflicts here.
| PckCertificateParse, | ||
| PckCertificateVerify, | ||
| PckCertificateBadPublicKey, | ||
| PckCertificateNoCertificate, |
There was a problem hiding this comment.
I tried to add the error variant for these as PckCertificate(PckParseVerifyError), but i couldn't get adding #[pallet::Error] to that error type to work, and without it it doesn't implement the needed traits.
|
@JesseAbram @HCastano a gentle reminder this has been up for review for a few weeks now. There were some messy conflicts and i'd like to avoid having more. |
|
Still getting an error when running the staking pallet benchmarks, will fix tomorrow. |
|
@ameba23 sorry, forgot about this. Will take a look today 🙇 |
pallets/staking/src/lib.rs
Outdated
| pck::PckParseVerifyError::Parse => Error::<T>::PckCertificateParse, | ||
| pck::PckParseVerifyError::Verify => Error::<T>::PckCertificateVerify, | ||
| pck::PckParseVerifyError::BadPublicKey => { | ||
| Error::<T>::PckCertificateBadPublicKey | ||
| }, | ||
| pck::PckParseVerifyError::NoCertificate => { | ||
| Error::<T>::PckCertificateNoCertificate | ||
| }, |
There was a problem hiding this comment.
We should try and implement a From implementation on these so that we can use ?/into() here
There was a problem hiding this comment.
👍 i've added one but we still need to call map_err to tell rust what type we are converting into because this returns a DispatchResult, not a pallet::Error<T>.
| @@ -120,6 +124,15 @@ pub mod pallet { | |||
| pub endpoint: TssServerURL, | |||
| pub provisioning_certification_key: VerifyingKey, | |||
| } | |||
|
|
|||
| #[derive(Encode, Decode, Clone, Eq, PartialEq, RuntimeDebug, TypeInfo)] | |||
| pub struct JoiningServerInfo<AccountId> { | |||
There was a problem hiding this comment.
Ideally i would like to impl From for JoiningServerInfo but because it needs to call the cert validator which is a trait method, i couldn't figure out how to do that either.
I think you actually want the other way around, but either way ya it seems a little tricky because of the T bound. We can do it as an internal method on the pallet implementation though.
impl<T: Config> Pallet<T> {
// ... snip ...
fn server_info(joining_server_info: JoiningServerInfo<T::AccountId>) -> ServerInfo<T::AccountId> {
let provisioning_certification_key =
T::PckCertChainVerifier::verify_pck_certificate_chain(
joining_server_info.pck_certificate_chain,
)
.unwrap();
ServerInfo::<T::AccountId> {
tss_account: joining_server_info.tss_account,
x25519_public_key: joining_server_info.x25519_public_key,
endpoint: joining_server_info.endpoint,
provisioning_certification_key,
}
}
}This is given as an argument to the validate extrinsic. I don't like having this extra struct, but i couldn't come up with another way of doing it which didn't make it possible that there exists a ServerInfo with no associated PCK which i want to avoid.
But really the above conversion doesn't really handle the crux of the problem which is this. One approach is that we can pass in the certificate chain directly to the extrinsic and then have the ServerInfo.provisioning_certification_key field be an Option. It doesn't guarantee that it can't be None, but it is something that can be verified before writing ServerInfo to storage.
HCastano
added
the
Bump `transaction_version`
Co-authored-by: Hernando Castano <HCastano@users.noreply.github.com>
Co-authored-by: Hernando Castano <HCastano@users.noreply.github.com>
Co-authored-by: Hernando Castano <HCastano@users.noreply.github.com>
Co-authored-by: Hernando Castano <HCastano@users.noreply.github.com>
… pallet benchmark
This is a followup to #1051 in that it adds a way of parsing and validating the PCK certificates, as well as intermediary 'provider' certificates which sign the PCK cert and are in turn signed by intel's root certificate authority public key, which is hard coded. If all goes well the PCK public key is extracted from the certificate to be used in the
ServerInfostruct.This parsing / validating needs to happen when a validator initially joins, or when they change their endpoint (IP address).
@junkicide from poetic has also provided us with a function to validate a certificate chain of arbitrary length - im not sure whether in practice we can expect that there will be more than one intermediary provider beween the PCK cert and the root CA.
Related issue: #982