From 01dbd802d96e974f8c84537ac2892baba7a7cf86 Mon Sep 17 00:00:00 2001 From: Balamurali Gopalswami Date: Fri, 20 Dec 2024 11:07:28 -0500 Subject: [PATCH 1/2] CCIP-4710: Adding nil and length check on input value to Ed25519 verify call --- commit/merkleroot/rmn/crypto.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/commit/merkleroot/rmn/crypto.go b/commit/merkleroot/rmn/crypto.go index 00d7be2c7..e43321d6d 100644 --- a/commit/merkleroot/rmn/crypto.go +++ b/commit/merkleroot/rmn/crypto.go @@ -47,6 +47,12 @@ func verifyObservationSignature( msg := append([]byte(signedObservationPrefix), observationBytesSha256[:]...) msgSha256 := sha256.Sum256(msg) + if rmnNode.OffchainPublicKey == nil { + return fmt.Errorf("node %d has no offchain public key", rmnNode.ID) + } + if len(*rmnNode.OffchainPublicKey) != ed25519.PublicKeySize { + return fmt.Errorf("node %d has an invalid offchain public key", rmnNode.ID) + } isValid := verifier.Verify(*rmnNode.OffchainPublicKey, msgSha256[:], signedObs.Signature) if !isValid { return fmt.Errorf("observation signature does not match node %d public key", rmnNode.ID) From d39139dce09fd693bcba87a6804fb757c1d575d0 Mon Sep 17 00:00:00 2001 From: Balamurali Gopalswami Date: Fri, 20 Dec 2024 11:43:39 -0500 Subject: [PATCH 2/2] fix test --- commit/merkleroot/rmn/controller_test.go | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/commit/merkleroot/rmn/controller_test.go b/commit/merkleroot/rmn/controller_test.go index dc7c44807..62f19c5f8 100644 --- a/commit/merkleroot/rmn/controller_test.go +++ b/commit/merkleroot/rmn/controller_test.go @@ -415,15 +415,11 @@ func TestClient_ComputeReportSignatures(t *testing.T) { const numNodes = 8 rmnNodes := make([]rmntypes.HomeNodeInfo, numNodes) for i := 0; i < numNodes; i++ { - // deterministically create a public key by seeding with a 32char string. - publicKey, _, err := ed25519.GenerateKey( - strings.NewReader(strconv.Itoa(i) + strings.Repeat("x", 31))) - require.NoError(t, err) rmnNodes[i] = rmntypes.HomeNodeInfo{ ID: rmntypes.NodeID(i + 1), PeerID: [32]byte{1, 2, 3}, SupportedSourceChains: mapset.NewSet(chainS1, chainS2), - OffchainPublicKey: &publicKey, + OffchainPublicKey: getDeterministicPubKey(t), } } @@ -648,7 +644,7 @@ func Test_controller_validateSignedObservationResponse(t *testing.T) { { ID: 20, SupportedSourceChains: mapset.NewSet[cciptypes.ChainSelector](cciptypes.ChainSelector(2)), - OffchainPublicKey: &ed25519.PublicKey{}, + OffchainPublicKey: getDeterministicPubKey(t), }, }, }, @@ -733,6 +729,14 @@ func Test_controller_validateSignedObservationResponse(t *testing.T) { } } +func getDeterministicPubKey(t *testing.T) *ed25519.PublicKey { + // deterministically create a public key by seeding with a 32char string. + publicKey, _, err := ed25519.GenerateKey( + strings.NewReader(strconv.Itoa(1) + strings.Repeat("x", 31))) + require.NoError(t, err) + return &publicKey +} + func (ts *testSetup) waitForObservationRequestsToBeSent( rmnClient *mockPeerClient, homeF int,