frost-client: force encryption when using HTTP (#398)
* frost-client: force encryption when using HTTP * fix test * fix new test
This commit is contained in:
parent
30cdd00fa6
commit
11c4583091
|
@ -2688,8 +2688,8 @@ dependencies = [
|
||||||
"serde_json",
|
"serde_json",
|
||||||
"serdect",
|
"serdect",
|
||||||
"snow",
|
"snow",
|
||||||
"thiserror 2.0.4",
|
|
||||||
"tempfile",
|
"tempfile",
|
||||||
|
"thiserror 2.0.4",
|
||||||
"tokio",
|
"tokio",
|
||||||
"tower-http",
|
"tower-http",
|
||||||
"tracing",
|
"tracing",
|
||||||
|
|
|
@ -26,11 +26,6 @@ pub struct Args {
|
||||||
#[arg(long, default_value_t = false)]
|
#[arg(long, default_value_t = false)]
|
||||||
pub cli: bool,
|
pub cli: bool,
|
||||||
|
|
||||||
/// HTTP mode. If enabled, it will use HTTP communication with a
|
|
||||||
/// FROST server.
|
|
||||||
#[arg(long, default_value_t = false)]
|
|
||||||
pub http: bool,
|
|
||||||
|
|
||||||
/// The comma-separated usernames of the signers to use in HTTP mode.
|
/// The comma-separated usernames of the signers to use in HTTP mode.
|
||||||
/// If HTTP mode is enabled and this is empty, then the session ID
|
/// If HTTP mode is enabled and this is empty, then the session ID
|
||||||
/// will be printed and will have to be shared manually.
|
/// will be printed and will have to be shared manually.
|
||||||
|
@ -178,7 +173,7 @@ impl<C: Ciphersuite + 'static> ProcessedArgs<C> {
|
||||||
|
|
||||||
Ok(ProcessedArgs {
|
Ok(ProcessedArgs {
|
||||||
cli: args.cli,
|
cli: args.cli,
|
||||||
http: args.http,
|
http: false,
|
||||||
signers,
|
signers,
|
||||||
num_signers,
|
num_signers,
|
||||||
public_key_package,
|
public_key_package,
|
||||||
|
|
|
@ -296,13 +296,12 @@ impl<C: Ciphersuite> HTTPComms<C> {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
// Encrypts a message for a given recipient if encryption is enabled.
|
// Encrypts a message for a given recipient.
|
||||||
fn encrypt_if_needed(
|
fn encrypt(&mut self, recipient: &Vec<u8>, msg: Vec<u8>) -> Result<Vec<u8>, Box<dyn Error>> {
|
||||||
&mut self,
|
let noise_map = self
|
||||||
recipient: &Vec<u8>,
|
.send_noise
|
||||||
msg: Vec<u8>,
|
.as_mut()
|
||||||
) -> Result<Vec<u8>, Box<dyn Error>> {
|
.expect("send_noise must have been set previously");
|
||||||
if let Some(noise_map) = &mut self.send_noise {
|
|
||||||
let noise = noise_map
|
let noise = noise_map
|
||||||
.get_mut(recipient)
|
.get_mut(recipient)
|
||||||
.ok_or_eyre("unknown recipient")?;
|
.ok_or_eyre("unknown recipient")?;
|
||||||
|
@ -310,16 +309,16 @@ impl<C: Ciphersuite> HTTPComms<C> {
|
||||||
let len = noise.write_message(&msg, &mut encrypted)?;
|
let len = noise.write_message(&msg, &mut encrypted)?;
|
||||||
encrypted.truncate(len);
|
encrypted.truncate(len);
|
||||||
Ok(encrypted)
|
Ok(encrypted)
|
||||||
} else {
|
|
||||||
Ok(msg)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Decrypts a message if encryption is enabled.
|
// Decrypts a message.
|
||||||
// Note that this authenticates the `sender` in the `Msg` struct; if the
|
// Note that this authenticates the `sender` in the `Msg` struct; if the
|
||||||
// sender is tampered with, the message would fail to decrypt.
|
// sender is tampered with, the message would fail to decrypt.
|
||||||
fn decrypt_if_needed(&mut self, msg: Msg) -> Result<Msg, Box<dyn Error>> {
|
fn decrypt(&mut self, msg: Msg) -> Result<Msg, Box<dyn Error>> {
|
||||||
if let Some(noise_map) = &mut self.recv_noise {
|
let noise_map = self
|
||||||
|
.recv_noise
|
||||||
|
.as_mut()
|
||||||
|
.expect("recv_noise must have been set previously");
|
||||||
let noise = noise_map
|
let noise = noise_map
|
||||||
.get_mut(&msg.sender)
|
.get_mut(&msg.sender)
|
||||||
.ok_or_eyre("unknown sender")?;
|
.ok_or_eyre("unknown sender")?;
|
||||||
|
@ -331,9 +330,6 @@ impl<C: Ciphersuite> HTTPComms<C> {
|
||||||
sender: msg.sender,
|
sender: msg.sender,
|
||||||
msg: decrypted,
|
msg: decrypted,
|
||||||
})
|
})
|
||||||
} else {
|
|
||||||
Ok(msg)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -411,14 +407,17 @@ impl<C: Ciphersuite + 'static> Comms<C> for HTTPComms<C> {
|
||||||
self.session_id = Some(r.session_id);
|
self.session_id = Some(r.session_id);
|
||||||
self.num_signers = num_signers;
|
self.num_signers = num_signers;
|
||||||
|
|
||||||
// If encryption is enabled, create the Noise objects
|
let (Some(comm_privkey), Some(comm_participant_pubkey_getter)) = (
|
||||||
(self.send_noise, self.recv_noise) = if let (
|
|
||||||
Some(comm_privkey),
|
|
||||||
Some(comm_participant_pubkey_getter),
|
|
||||||
) = (
|
|
||||||
&self.args.comm_privkey,
|
&self.args.comm_privkey,
|
||||||
&self.args.comm_participant_pubkey_getter,
|
&self.args.comm_participant_pubkey_getter,
|
||||||
) {
|
) else {
|
||||||
|
return Err(
|
||||||
|
eyre!("comm_privkey and comm_participant_pubkey_getter must be specified").into(),
|
||||||
|
);
|
||||||
|
};
|
||||||
|
|
||||||
|
// If encryption is enabled, create the Noise objects
|
||||||
|
|
||||||
let mut send_noise_map = HashMap::new();
|
let mut send_noise_map = HashMap::new();
|
||||||
let mut recv_noise_map = HashMap::new();
|
let mut recv_noise_map = HashMap::new();
|
||||||
for pubkey in &self.args.signers {
|
for pubkey in &self.args.signers {
|
||||||
|
@ -448,10 +447,8 @@ impl<C: Ciphersuite + 'static> Comms<C> for HTTPComms<C> {
|
||||||
send_noise_map.insert(pubkey.clone(), send_noise);
|
send_noise_map.insert(pubkey.clone(), send_noise);
|
||||||
recv_noise_map.insert(pubkey.clone(), recv_noise);
|
recv_noise_map.insert(pubkey.clone(), recv_noise);
|
||||||
}
|
}
|
||||||
(Some(send_noise_map), Some(recv_noise_map))
|
self.send_noise = Some(send_noise_map);
|
||||||
} else {
|
self.recv_noise = Some(recv_noise_map);
|
||||||
(None, None)
|
|
||||||
};
|
|
||||||
|
|
||||||
eprint!("Waiting for participants to send their commitments...");
|
eprint!("Waiting for participants to send their commitments...");
|
||||||
|
|
||||||
|
@ -469,7 +466,7 @@ impl<C: Ciphersuite + 'static> Comms<C> for HTTPComms<C> {
|
||||||
.json::<server::ReceiveOutput>()
|
.json::<server::ReceiveOutput>()
|
||||||
.await?;
|
.await?;
|
||||||
for msg in r.msgs {
|
for msg in r.msgs {
|
||||||
let msg = self.decrypt_if_needed(msg)?;
|
let msg = self.decrypt(msg)?;
|
||||||
self.state.recv(msg)?;
|
self.state.recv(msg)?;
|
||||||
}
|
}
|
||||||
tokio::time::sleep(Duration::from_secs(2)).await;
|
tokio::time::sleep(Duration::from_secs(2)).await;
|
||||||
|
@ -505,8 +502,7 @@ impl<C: Ciphersuite + 'static> Comms<C> for HTTPComms<C> {
|
||||||
// individually for each recipient.
|
// individually for each recipient.
|
||||||
let pubkeys: Vec<_> = self.pubkeys.keys().cloned().collect();
|
let pubkeys: Vec<_> = self.pubkeys.keys().cloned().collect();
|
||||||
for recipient in pubkeys {
|
for recipient in pubkeys {
|
||||||
let msg = self
|
let msg = self.encrypt(&recipient, serde_json::to_vec(&send_signing_package_args)?)?;
|
||||||
.encrypt_if_needed(&recipient, serde_json::to_vec(&send_signing_package_args)?)?;
|
|
||||||
let _r = self
|
let _r = self
|
||||||
.client
|
.client
|
||||||
.post(format!("{}/send", self.host_port))
|
.post(format!("{}/send", self.host_port))
|
||||||
|
@ -546,7 +542,7 @@ impl<C: Ciphersuite + 'static> Comms<C> for HTTPComms<C> {
|
||||||
.json::<server::ReceiveOutput>()
|
.json::<server::ReceiveOutput>()
|
||||||
.await?;
|
.await?;
|
||||||
for msg in r.msgs {
|
for msg in r.msgs {
|
||||||
let msg = self.decrypt_if_needed(msg)?;
|
let msg = self.decrypt(msg)?;
|
||||||
self.state.recv(msg)?;
|
self.state.recv(msg)?;
|
||||||
}
|
}
|
||||||
tokio::time::sleep(Duration::from_secs(2)).await;
|
tokio::time::sleep(Duration::from_secs(2)).await;
|
||||||
|
|
|
@ -26,11 +26,6 @@ pub struct Args {
|
||||||
#[arg(long, default_value_t = false)]
|
#[arg(long, default_value_t = false)]
|
||||||
pub cli: bool,
|
pub cli: bool,
|
||||||
|
|
||||||
/// HTTP mode. If enabled, it will use HTTP communication with a
|
|
||||||
/// FROST server.
|
|
||||||
#[arg(long, default_value_t = false)]
|
|
||||||
pub http: bool,
|
|
||||||
|
|
||||||
/// Public key package to use. Can be a file with a JSON-encoded
|
/// Public key package to use. Can be a file with a JSON-encoded
|
||||||
/// package, or "". If the file does not exist or if "" is specified,
|
/// package, or "". If the file does not exist or if "" is specified,
|
||||||
/// then it will be read from standard input.
|
/// then it will be read from standard input.
|
||||||
|
@ -110,7 +105,7 @@ impl<C: Ciphersuite + 'static> ProcessedArgs<C> {
|
||||||
|
|
||||||
Ok(ProcessedArgs {
|
Ok(ProcessedArgs {
|
||||||
cli: args.cli,
|
cli: args.cli,
|
||||||
http: args.http,
|
http: false,
|
||||||
key_package,
|
key_package,
|
||||||
ip: args.ip.clone(),
|
ip: args.ip.clone(),
|
||||||
port: args.port,
|
port: args.port,
|
||||||
|
|
|
@ -132,29 +132,29 @@ where
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
// Encrypts a message for the coordinator if encryption is enabled.
|
// Encrypts a message for the coordinator.
|
||||||
fn encrypt_if_needed(&mut self, msg: Vec<u8>) -> Result<Vec<u8>, Box<dyn Error>> {
|
fn encrypt(&mut self, msg: Vec<u8>) -> Result<Vec<u8>, Box<dyn Error>> {
|
||||||
if let Some(noise) = &mut self.send_noise {
|
let noise = self
|
||||||
|
.send_noise
|
||||||
|
.as_mut()
|
||||||
|
.expect("send_noise must have been set previously");
|
||||||
let mut encrypted = vec![0; 65535];
|
let mut encrypted = vec![0; 65535];
|
||||||
let len = noise.write_message(&msg, &mut encrypted)?;
|
let len = noise.write_message(&msg, &mut encrypted)?;
|
||||||
encrypted.truncate(len);
|
encrypted.truncate(len);
|
||||||
Ok(encrypted)
|
Ok(encrypted)
|
||||||
} else {
|
|
||||||
Ok(msg)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Decrypts a message from the coordinator if encryption is enabled.
|
// Decrypts a message from the coordinator.
|
||||||
fn decrypt_if_needed(&mut self, msg: Vec<u8>) -> Result<Vec<u8>, Box<dyn Error>> {
|
fn decrypt(&mut self, msg: Vec<u8>) -> Result<Vec<u8>, Box<dyn Error>> {
|
||||||
if let Some(noise) = &mut self.recv_noise {
|
let noise = self
|
||||||
|
.recv_noise
|
||||||
|
.as_mut()
|
||||||
|
.expect("recv_noise must have been set previously");
|
||||||
let mut decrypted = vec![0; 65535];
|
let mut decrypted = vec![0; 65535];
|
||||||
decrypted.resize(65535, 0);
|
decrypted.resize(65535, 0);
|
||||||
let len = noise.read_message(&msg, &mut decrypted)?;
|
let len = noise.read_message(&msg, &mut decrypted)?;
|
||||||
decrypted.truncate(len);
|
decrypted.truncate(len);
|
||||||
Ok(decrypted)
|
Ok(decrypted)
|
||||||
} else {
|
|
||||||
Ok(msg)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -241,14 +241,17 @@ where
|
||||||
};
|
};
|
||||||
self.session_id = Some(session_id);
|
self.session_id = Some(session_id);
|
||||||
|
|
||||||
// If encryption is enabled, create the Noise objects
|
let (Some(comm_privkey), Some(comm_coordinator_pubkey_getter)) = (
|
||||||
(self.send_noise, self.recv_noise) = if let (
|
|
||||||
Some(comm_privkey),
|
|
||||||
Some(comm_coordinator_pubkey_getter),
|
|
||||||
) = (
|
|
||||||
&self.args.comm_privkey,
|
&self.args.comm_privkey,
|
||||||
&self.args.comm_coordinator_pubkey_getter,
|
&self.args.comm_coordinator_pubkey_getter,
|
||||||
) {
|
) else {
|
||||||
|
return Err(
|
||||||
|
eyre!("comm_privkey and comm_coordinator_pubkey_getter must be specified").into(),
|
||||||
|
);
|
||||||
|
};
|
||||||
|
|
||||||
|
// If encryption is enabled, create the Noise objects
|
||||||
|
|
||||||
// We need to know what is the username of the coordinator in order
|
// We need to know what is the username of the coordinator in order
|
||||||
// to encrypt message to them.
|
// to encrypt message to them.
|
||||||
let session_info = self
|
let session_info = self
|
||||||
|
@ -284,17 +287,15 @@ where
|
||||||
.remote_public_key(&comm_coordinator_pubkey)
|
.remote_public_key(&comm_coordinator_pubkey)
|
||||||
.build_responder()?,
|
.build_responder()?,
|
||||||
);
|
);
|
||||||
(Some(send_noise), Some(recv_noise))
|
self.send_noise = Some(send_noise);
|
||||||
} else {
|
self.recv_noise = Some(recv_noise);
|
||||||
(None, None)
|
|
||||||
};
|
|
||||||
|
|
||||||
// Send Commitments to Server
|
// Send Commitments to Server
|
||||||
let send_commitments_args = SendCommitmentsArgs {
|
let send_commitments_args = SendCommitmentsArgs {
|
||||||
identifier,
|
identifier,
|
||||||
commitments: vec![commitments],
|
commitments: vec![commitments],
|
||||||
};
|
};
|
||||||
let msg = self.encrypt_if_needed(serde_json::to_vec(&send_commitments_args)?)?;
|
let msg = self.encrypt(serde_json::to_vec(&send_commitments_args)?)?;
|
||||||
self.client
|
self.client
|
||||||
.post(format!("{}/send", self.host_port))
|
.post(format!("{}/send", self.host_port))
|
||||||
.bearer_auth(self.access_token.as_ref().expect("was just set"))
|
.bearer_auth(self.access_token.as_ref().expect("was just set"))
|
||||||
|
@ -329,7 +330,7 @@ where
|
||||||
eprint!(".");
|
eprint!(".");
|
||||||
} else {
|
} else {
|
||||||
eprintln!("\nSigning package received");
|
eprintln!("\nSigning package received");
|
||||||
let msg = self.decrypt_if_needed(r.msgs[0].msg.clone())?;
|
let msg = self.decrypt(r.msgs[0].msg.clone())?;
|
||||||
eprintln!("\n{}", String::from_utf8_lossy(&msg.clone()));
|
eprintln!("\n{}", String::from_utf8_lossy(&msg.clone()));
|
||||||
break serde_json::from_slice(&msg)?;
|
break serde_json::from_slice(&msg)?;
|
||||||
}
|
}
|
||||||
|
@ -365,7 +366,7 @@ where
|
||||||
signature_share: vec![signature_share],
|
signature_share: vec![signature_share],
|
||||||
};
|
};
|
||||||
|
|
||||||
let msg = self.encrypt_if_needed(serde_json::to_vec(&send_signature_shares_args)?)?;
|
let msg = self.encrypt(serde_json::to_vec(&send_signature_shares_args)?)?;
|
||||||
|
|
||||||
let _r = self
|
let _r = self
|
||||||
.client
|
.client
|
||||||
|
|
|
@ -45,7 +45,6 @@ async fn check_valid_round_1_inputs() {
|
||||||
ip: "0.0.0.0".to_string(),
|
ip: "0.0.0.0".to_string(),
|
||||||
port: 80,
|
port: 80,
|
||||||
session_id: "session-id".to_string(),
|
session_id: "session-id".to_string(),
|
||||||
http: false,
|
|
||||||
};
|
};
|
||||||
let input = SECRET_SHARE_JSON;
|
let input = SECRET_SHARE_JSON;
|
||||||
let mut valid_input = input.as_bytes();
|
let mut valid_input = input.as_bytes();
|
||||||
|
|
|
@ -501,7 +501,7 @@ async fn test_http() -> Result<(), Box<dyn std::error::Error>> {
|
||||||
// Test if passing the wrong session ID returns an error
|
// Test if passing the wrong session ID returns an error
|
||||||
let wrong_session_id = Uuid::new_v4();
|
let wrong_session_id = Uuid::new_v4();
|
||||||
let r = client
|
let r = client
|
||||||
.post("http://127.0.0.1:2744/get_session_info")
|
.post("https://127.0.0.1:2744/get_session_info")
|
||||||
.bearer_auth(access_token)
|
.bearer_auth(access_token)
|
||||||
.json(&server::GetSessionInfoArgs {
|
.json(&server::GetSessionInfoArgs {
|
||||||
session_id: wrong_session_id,
|
session_id: wrong_session_id,
|
||||||
|
@ -516,7 +516,7 @@ async fn test_http() -> Result<(), Box<dyn std::error::Error>> {
|
||||||
// Attempt to close the session as a participant (Bob)
|
// Attempt to close the session as a participant (Bob)
|
||||||
// Log in as Bob
|
// Log in as Bob
|
||||||
let r = client
|
let r = client
|
||||||
.post("http://127.0.0.1:2744/challenge")
|
.post("https://127.0.0.1:2744/challenge")
|
||||||
.json(&server::ChallengeArgs {})
|
.json(&server::ChallengeArgs {})
|
||||||
.send()
|
.send()
|
||||||
.await?;
|
.await?;
|
||||||
|
@ -526,7 +526,7 @@ async fn test_http() -> Result<(), Box<dyn std::error::Error>> {
|
||||||
xed25519::PrivateKey::from(&TryInto::<[u8; 32]>::try_into(bob_keypair.private).unwrap());
|
xed25519::PrivateKey::from(&TryInto::<[u8; 32]>::try_into(bob_keypair.private).unwrap());
|
||||||
let bob_signature: [u8; 64] = bob_private.sign(bob_challenge.as_bytes(), &mut rng);
|
let bob_signature: [u8; 64] = bob_private.sign(bob_challenge.as_bytes(), &mut rng);
|
||||||
let r = client
|
let r = client
|
||||||
.post("http://127.0.0.1:2744/login")
|
.post("https://127.0.0.1:2744/login")
|
||||||
.json(&server::KeyLoginArgs {
|
.json(&server::KeyLoginArgs {
|
||||||
uuid: bob_challenge,
|
uuid: bob_challenge,
|
||||||
pubkey: bob_keypair.public.clone(),
|
pubkey: bob_keypair.public.clone(),
|
||||||
|
@ -538,7 +538,7 @@ async fn test_http() -> Result<(), Box<dyn std::error::Error>> {
|
||||||
let bob_access_token = r.access_token;
|
let bob_access_token = r.access_token;
|
||||||
// Try to close the session
|
// Try to close the session
|
||||||
let r = client
|
let r = client
|
||||||
.post("http://127.0.0.1:2744/close_session")
|
.post("https://127.0.0.1:2744/close_session")
|
||||||
.bearer_auth(bob_access_token)
|
.bearer_auth(bob_access_token)
|
||||||
.json(&server::CloseSessionArgs { session_id })
|
.json(&server::CloseSessionArgs { session_id })
|
||||||
.send()
|
.send()
|
||||||
|
|
Loading…
Reference in New Issue