zecfoundation
/
frost-zcash-demo
mirror of https://github.com/ZcashFoundation/frost-zcash-demo.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

frost-client: force encryption when using HTTP (#398) 

* frost-client: force encryption when using HTTP

* fix test

* fix new test
This commit is contained in:
Conrado Gouvea 2024-12-26 18:40:12 -03:00 committed by GitHub
parent 30cdd00fa6
commit 11c4583091
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 147 additions and 161 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Cargo.lock generated
View File

@ -2688,8 +2688,8 @@ dependencies = [
"serde_json", "serde_json",
"serdect", "serdect",
"snow", "snow",
"thiserror 2.0.4",
"tempfile", "tempfile",
"thiserror 2.0.4",
"tokio", "tokio",
"tower-http", "tower-http",
"tracing", "tracing",

7
coordinator/src/args.rs
View File

@ -26,11 +26,6 @@ pub struct Args {
#[arg(long, default_value_t = false)] #[arg(long, default_value_t = false)]
pub cli: bool, pub cli: bool,
/// HTTP mode. If enabled, it will use HTTP communication with a
/// FROST server.
#[arg(long, default_value_t = false)]
pub http: bool,
/// The comma-separated usernames of the signers to use in HTTP mode. /// The comma-separated usernames of the signers to use in HTTP mode.
/// If HTTP mode is enabled and this is empty, then the session ID /// If HTTP mode is enabled and this is empty, then the session ID
/// will be printed and will have to be shared manually. /// will be printed and will have to be shared manually.
@ -178,7 +173,7 @@ impl<C: Ciphersuite + 'static> ProcessedArgs<C> {
Ok(ProcessedArgs { Ok(ProcessedArgs {
cli: args.cli, cli: args.cli,
http: args.http, http: false,
signers, signers,
num_signers, num_signers,
public_key_package, public_key_package,

148
coordinator/src/comms/http.rs
View File

@ -296,44 +296,40 @@ impl<C: Ciphersuite> HTTPComms<C> {
}) })
} }
// Encrypts a message for a given recipient if encryption is enabled. // Encrypts a message for a given recipient.
fn encrypt_if_needed( fn encrypt(&mut self, recipient: &Vec<u8>, msg: Vec<u8>) -> Result<Vec<u8>, Box<dyn Error>> {
&mut self, let noise_map = self
recipient: &Vec<u8>, .send_noise
msg: Vec<u8>, .as_mut()
) -> Result<Vec<u8>, Box<dyn Error>> { .expect("send_noise must have been set previously");
if let Some(noise_map) = &mut self.send_noise { let noise = noise_map
let noise = noise_map .get_mut(recipient)
.get_mut(recipient) .ok_or_eyre("unknown recipient")?;
.ok_or_eyre("unknown recipient")?; let mut encrypted = vec![0; 65535];
let mut encrypted = vec![0; 65535]; let len = noise.write_message(&msg, &mut encrypted)?;
let len = noise.write_message(&msg, &mut encrypted)?; encrypted.truncate(len);
encrypted.truncate(len); Ok(encrypted)
Ok(encrypted)
} else {
Ok(msg)
}
} }
// Decrypts a message if encryption is enabled. // Decrypts a message.
// Note that this authenticates the `sender` in the `Msg` struct; if the // Note that this authenticates the `sender` in the `Msg` struct; if the
// sender is tampered with, the message would fail to decrypt. // sender is tampered with, the message would fail to decrypt.
fn decrypt_if_needed(&mut self, msg: Msg) -> Result<Msg, Box<dyn Error>> { fn decrypt(&mut self, msg: Msg) -> Result<Msg, Box<dyn Error>> {
if let Some(noise_map) = &mut self.recv_noise { let noise_map = self
let noise = noise_map .recv_noise
.get_mut(&msg.sender) .as_mut()
.ok_or_eyre("unknown sender")?; .expect("recv_noise must have been set previously");
let mut decrypted = vec![0; 65535]; let noise = noise_map
decrypted.resize(65535, 0); .get_mut(&msg.sender)
let len = noise.read_message(&msg.msg, &mut decrypted)?; .ok_or_eyre("unknown sender")?;
decrypted.truncate(len); let mut decrypted = vec![0; 65535];
Ok(Msg { decrypted.resize(65535, 0);
sender: msg.sender, let len = noise.read_message(&msg.msg, &mut decrypted)?;
msg: decrypted, decrypted.truncate(len);
}) Ok(Msg {
} else { sender: msg.sender,
Ok(msg) msg: decrypted,
} })
} }
} }
@ -411,48 +407,49 @@ impl<C: Ciphersuite + 'static> Comms<C> for HTTPComms<C> {
self.session_id = Some(r.session_id); self.session_id = Some(r.session_id);
self.num_signers = num_signers; self.num_signers = num_signers;
// If encryption is enabled, create the Noise objects let (Some(comm_privkey), Some(comm_participant_pubkey_getter)) = (
(self.send_noise, self.recv_noise) = if let (
Some(comm_privkey),
Some(comm_participant_pubkey_getter),
) = (
&self.args.comm_privkey, &self.args.comm_privkey,
&self.args.comm_participant_pubkey_getter, &self.args.comm_participant_pubkey_getter,
) { ) else {
let mut send_noise_map = HashMap::new(); return Err(
let mut recv_noise_map = HashMap::new(); eyre!("comm_privkey and comm_participant_pubkey_getter must be specified").into(),
for pubkey in &self.args.signers { );
let comm_participant_pubkey = comm_participant_pubkey_getter(pubkey).ok_or_eyre("A participant in specified FROST session is not registered in the coordinator's address book")?;
let builder = snow::Builder::new(
"Noise_K_25519_ChaChaPoly_BLAKE2s"
.parse()
.expect("should be a valid cipher"),
);
let send_noise = Noise::new(
builder
.local_private_key(comm_privkey)
.remote_public_key(&comm_participant_pubkey)
.build_initiator()?,
);
let builder = snow::Builder::new(
"Noise_K_25519_ChaChaPoly_BLAKE2s"
.parse()
.expect("should be a valid cipher"),
);
let recv_noise = Noise::new(
builder
.local_private_key(comm_privkey)
.remote_public_key(&comm_participant_pubkey)
.build_responder()?,
);
send_noise_map.insert(pubkey.clone(), send_noise);
recv_noise_map.insert(pubkey.clone(), recv_noise);
}
(Some(send_noise_map), Some(recv_noise_map))
} else {
(None, None)
}; };
// If encryption is enabled, create the Noise objects
let mut send_noise_map = HashMap::new();
let mut recv_noise_map = HashMap::new();
for pubkey in &self.args.signers {
let comm_participant_pubkey = comm_participant_pubkey_getter(pubkey).ok_or_eyre("A participant in specified FROST session is not registered in the coordinator's address book")?;
let builder = snow::Builder::new(
"Noise_K_25519_ChaChaPoly_BLAKE2s"
.parse()
.expect("should be a valid cipher"),
);
let send_noise = Noise::new(
builder
.local_private_key(comm_privkey)
.remote_public_key(&comm_participant_pubkey)
.build_initiator()?,
);
let builder = snow::Builder::new(
"Noise_K_25519_ChaChaPoly_BLAKE2s"
.parse()
.expect("should be a valid cipher"),
);
let recv_noise = Noise::new(
builder
.local_private_key(comm_privkey)
.remote_public_key(&comm_participant_pubkey)
.build_responder()?,
);
send_noise_map.insert(pubkey.clone(), send_noise);
recv_noise_map.insert(pubkey.clone(), recv_noise);
}
self.send_noise = Some(send_noise_map);
self.recv_noise = Some(recv_noise_map);
eprint!("Waiting for participants to send their commitments..."); eprint!("Waiting for participants to send their commitments...");
loop { loop {
@ -469,7 +466,7 @@ impl<C: Ciphersuite + 'static> Comms<C> for HTTPComms<C> {
.json::<server::ReceiveOutput>() .json::<server::ReceiveOutput>()
.await?; .await?;
for msg in r.msgs { for msg in r.msgs {
let msg = self.decrypt_if_needed(msg)?; let msg = self.decrypt(msg)?;
self.state.recv(msg)?; self.state.recv(msg)?;
} }
tokio::time::sleep(Duration::from_secs(2)).await; tokio::time::sleep(Duration::from_secs(2)).await;
@ -505,8 +502,7 @@ impl<C: Ciphersuite + 'static> Comms<C> for HTTPComms<C> {
// individually for each recipient. // individually for each recipient.
let pubkeys: Vec<_> = self.pubkeys.keys().cloned().collect(); let pubkeys: Vec<_> = self.pubkeys.keys().cloned().collect();
for recipient in pubkeys { for recipient in pubkeys {
let msg = self let msg = self.encrypt(&recipient, serde_json::to_vec(&send_signing_package_args)?)?;
.encrypt_if_needed(&recipient, serde_json::to_vec(&send_signing_package_args)?)?;
let _r = self let _r = self
.client .client
.post(format!("{}/send", self.host_port)) .post(format!("{}/send", self.host_port))
@ -546,7 +542,7 @@ impl<C: Ciphersuite + 'static> Comms<C> for HTTPComms<C> {
.json::<server::ReceiveOutput>() .json::<server::ReceiveOutput>()
.await?; .await?;
for msg in r.msgs { for msg in r.msgs {
let msg = self.decrypt_if_needed(msg)?; let msg = self.decrypt(msg)?;
self.state.recv(msg)?; self.state.recv(msg)?;
} }
tokio::time::sleep(Duration::from_secs(2)).await; tokio::time::sleep(Duration::from_secs(2)).await;

7
participant/src/args.rs
View File

@ -26,11 +26,6 @@ pub struct Args {
#[arg(long, default_value_t = false)] #[arg(long, default_value_t = false)]
pub cli: bool, pub cli: bool,
/// HTTP mode. If enabled, it will use HTTP communication with a
/// FROST server.
#[arg(long, default_value_t = false)]
pub http: bool,
/// Public key package to use. Can be a file with a JSON-encoded /// Public key package to use. Can be a file with a JSON-encoded
/// package, or "". If the file does not exist or if "" is specified, /// package, or "". If the file does not exist or if "" is specified,
/// then it will be read from standard input. /// then it will be read from standard input.
@ -110,7 +105,7 @@ impl<C: Ciphersuite + 'static> ProcessedArgs<C> {
Ok(ProcessedArgs { Ok(ProcessedArgs {
cli: args.cli, cli: args.cli,
http: args.http, http: false,
key_package, key_package,
ip: args.ip.clone(), ip: args.ip.clone(),
port: args.port, port: args.port,

135
participant/src/comms/http.rs
View File

@ -132,29 +132,29 @@ where
}) })
} }
// Encrypts a message for the coordinator if encryption is enabled. // Encrypts a message for the coordinator.
fn encrypt_if_needed(&mut self, msg: Vec<u8>) -> Result<Vec<u8>, Box<dyn Error>> { fn encrypt(&mut self, msg: Vec<u8>) -> Result<Vec<u8>, Box<dyn Error>> {
if let Some(noise) = &mut self.send_noise { let noise = self
let mut encrypted = vec![0; 65535]; .send_noise
let len = noise.write_message(&msg, &mut encrypted)?; .as_mut()
encrypted.truncate(len); .expect("send_noise must have been set previously");
Ok(encrypted) let mut encrypted = vec![0; 65535];
} else { let len = noise.write_message(&msg, &mut encrypted)?;
Ok(msg) encrypted.truncate(len);
} Ok(encrypted)
} }
// Decrypts a message from the coordinator if encryption is enabled. // Decrypts a message from the coordinator.
fn decrypt_if_needed(&mut self, msg: Vec<u8>) -> Result<Vec<u8>, Box<dyn Error>> { fn decrypt(&mut self, msg: Vec<u8>) -> Result<Vec<u8>, Box<dyn Error>> {
if let Some(noise) = &mut self.recv_noise { let noise = self
let mut decrypted = vec![0; 65535]; .recv_noise
decrypted.resize(65535, 0); .as_mut()
let len = noise.read_message(&msg, &mut decrypted)?; .expect("recv_noise must have been set previously");
decrypted.truncate(len); let mut decrypted = vec![0; 65535];
Ok(decrypted) decrypted.resize(65535, 0);
} else { let len = noise.read_message(&msg, &mut decrypted)?;
Ok(msg) decrypted.truncate(len);
} Ok(decrypted)
} }
} }
@ -241,60 +241,61 @@ where
}; };
self.session_id = Some(session_id); self.session_id = Some(session_id);
// If encryption is enabled, create the Noise objects let (Some(comm_privkey), Some(comm_coordinator_pubkey_getter)) = (
(self.send_noise, self.recv_noise) = if let (
Some(comm_privkey),
Some(comm_coordinator_pubkey_getter),
) = (
&self.args.comm_privkey, &self.args.comm_privkey,
&self.args.comm_coordinator_pubkey_getter, &self.args.comm_coordinator_pubkey_getter,
) { ) else {
// We need to know what is the username of the coordinator in order return Err(
// to encrypt message to them. eyre!("comm_privkey and comm_coordinator_pubkey_getter must be specified").into(),
let session_info = self
.client
.post(format!("{}/get_session_info", self.host_port))
.json(&server::GetSessionInfoArgs { session_id })
.bearer_auth(self.access_token.as_ref().expect("was just set"))
.send()
.await?
.json::<server::GetSessionInfoOutput>()
.await?;
let comm_coordinator_pubkey = comm_coordinator_pubkey_getter(&session_info.coordinator_pubkey).ok_or_eyre("The coordinator for the specified FROST session is not registered in the user's address book")?;
let builder = snow::Builder::new(
"Noise_K_25519_ChaChaPoly_BLAKE2s"
.parse()
.expect("should be a valid cipher"),
); );
let send_noise = Noise::new(
builder
.local_private_key(comm_privkey)
.remote_public_key(&comm_coordinator_pubkey)
.build_initiator()?,
);
let builder = snow::Builder::new(
"Noise_K_25519_ChaChaPoly_BLAKE2s"
.parse()
.expect("should be a valid cipher"),
);
let recv_noise = Noise::new(
builder
.local_private_key(comm_privkey)
.remote_public_key(&comm_coordinator_pubkey)
.build_responder()?,
);
(Some(send_noise), Some(recv_noise))
} else {
(None, None)
}; };
// If encryption is enabled, create the Noise objects
// We need to know what is the username of the coordinator in order
// to encrypt message to them.
let session_info = self
.client
.post(format!("{}/get_session_info", self.host_port))
.json(&server::GetSessionInfoArgs { session_id })
.bearer_auth(self.access_token.as_ref().expect("was just set"))
.send()
.await?
.json::<server::GetSessionInfoOutput>()
.await?;
let comm_coordinator_pubkey = comm_coordinator_pubkey_getter(&session_info.coordinator_pubkey).ok_or_eyre("The coordinator for the specified FROST session is not registered in the user's address book")?;
let builder = snow::Builder::new(
"Noise_K_25519_ChaChaPoly_BLAKE2s"
.parse()
.expect("should be a valid cipher"),
);
let send_noise = Noise::new(
builder
.local_private_key(comm_privkey)
.remote_public_key(&comm_coordinator_pubkey)
.build_initiator()?,
);
let builder = snow::Builder::new(
"Noise_K_25519_ChaChaPoly_BLAKE2s"
.parse()
.expect("should be a valid cipher"),
);
let recv_noise = Noise::new(
builder
.local_private_key(comm_privkey)
.remote_public_key(&comm_coordinator_pubkey)
.build_responder()?,
);
self.send_noise = Some(send_noise);
self.recv_noise = Some(recv_noise);
// Send Commitments to Server // Send Commitments to Server
let send_commitments_args = SendCommitmentsArgs { let send_commitments_args = SendCommitmentsArgs {
identifier, identifier,
commitments: vec![commitments], commitments: vec![commitments],
}; };
let msg = self.encrypt_if_needed(serde_json::to_vec(&send_commitments_args)?)?; let msg = self.encrypt(serde_json::to_vec(&send_commitments_args)?)?;
self.client self.client
.post(format!("{}/send", self.host_port)) .post(format!("{}/send", self.host_port))
.bearer_auth(self.access_token.as_ref().expect("was just set")) .bearer_auth(self.access_token.as_ref().expect("was just set"))
@ -329,7 +330,7 @@ where
eprint!("."); eprint!(".");
} else { } else {
eprintln!("\nSigning package received"); eprintln!("\nSigning package received");
let msg = self.decrypt_if_needed(r.msgs[0].msg.clone())?; let msg = self.decrypt(r.msgs[0].msg.clone())?;
eprintln!("\n{}", String::from_utf8_lossy(&msg.clone())); eprintln!("\n{}", String::from_utf8_lossy(&msg.clone()));
break serde_json::from_slice(&msg)?; break serde_json::from_slice(&msg)?;
} }
@ -365,7 +366,7 @@ where
signature_share: vec![signature_share], signature_share: vec![signature_share],
}; };
let msg = self.encrypt_if_needed(serde_json::to_vec(&send_signature_shares_args)?)?; let msg = self.encrypt(serde_json::to_vec(&send_signature_shares_args)?)?;
let _r = self let _r = self
.client .client

1
participant/src/tests/round1.rs
View File

@ -45,7 +45,6 @@ async fn check_valid_round_1_inputs() {
ip: "0.0.0.0".to_string(), ip: "0.0.0.0".to_string(),
port: 80, port: 80,
session_id: "session-id".to_string(), session_id: "session-id".to_string(),
http: false,
}; };
let input = SECRET_SHARE_JSON; let input = SECRET_SHARE_JSON;
let mut valid_input = input.as_bytes(); let mut valid_input = input.as_bytes();

8
server/tests/integration_tests.rs
View File

@ -501,7 +501,7 @@ async fn test_http() -> Result<(), Box<dyn std::error::Error>> {
// Test if passing the wrong session ID returns an error // Test if passing the wrong session ID returns an error
let wrong_session_id = Uuid::new_v4(); let wrong_session_id = Uuid::new_v4();
let r = client let r = client
.post("http://127.0.0.1:2744/get_session_info") .post("https://127.0.0.1:2744/get_session_info")
.bearer_auth(access_token) .bearer_auth(access_token)
.json(&server::GetSessionInfoArgs { .json(&server::GetSessionInfoArgs {
session_id: wrong_session_id, session_id: wrong_session_id,
@ -516,7 +516,7 @@ async fn test_http() -> Result<(), Box<dyn std::error::Error>> {
// Attempt to close the session as a participant (Bob) // Attempt to close the session as a participant (Bob)
// Log in as Bob // Log in as Bob
let r = client let r = client
.post("http://127.0.0.1:2744/challenge") .post("https://127.0.0.1:2744/challenge")
.json(&server::ChallengeArgs {}) .json(&server::ChallengeArgs {})
.send() .send()
.await?; .await?;
@ -526,7 +526,7 @@ async fn test_http() -> Result<(), Box<dyn std::error::Error>> {
xed25519::PrivateKey::from(&TryInto::<[u8; 32]>::try_into(bob_keypair.private).unwrap()); xed25519::PrivateKey::from(&TryInto::<[u8; 32]>::try_into(bob_keypair.private).unwrap());
let bob_signature: [u8; 64] = bob_private.sign(bob_challenge.as_bytes(), &mut rng); let bob_signature: [u8; 64] = bob_private.sign(bob_challenge.as_bytes(), &mut rng);
let r = client let r = client
.post("http://127.0.0.1:2744/login") .post("https://127.0.0.1:2744/login")
.json(&server::KeyLoginArgs { .json(&server::KeyLoginArgs {
uuid: bob_challenge, uuid: bob_challenge,
pubkey: bob_keypair.public.clone(), pubkey: bob_keypair.public.clone(),
@ -538,7 +538,7 @@ async fn test_http() -> Result<(), Box<dyn std::error::Error>> {
let bob_access_token = r.access_token; let bob_access_token = r.access_token;
// Try to close the session // Try to close the session
let r = client let r = client
.post("http://127.0.0.1:2744/close_session") .post("https://127.0.0.1:2744/close_session")
.bearer_auth(bob_access_token) .bearer_auth(bob_access_token)
.json(&server::CloseSessionArgs { session_id }) .json(&server::CloseSessionArgs { session_id })
.send() .send()