CBST2-02: Make proposer commitment signatures unique to modules #329
Conversation
…he source" This reverts commit 58c6117.
| @@ -239,6 +239,8 @@ proxy_dir = "./proxies" | |||
| [[modules]] | |||
| # Unique ID of the module | |||
| id = "DA_COMMIT" | |||
| # Unique hash that the Signer service will combine with the incoming data in signing requests to generate a signature specific to this module | |||
| signing_id = "0x6a33a23ef26a4836979edff86c493a69b26ccf0b4a16491a815a13787657431b" | |||
There was a problem hiding this comment.
does this need to be 32 bytes? something shorter like we do for chain id could also work
There was a problem hiding this comment.
It doesn't need to be, it's just 32 out of convenience to match with object_root since the tree hash lib already works with it. It just needs to be unique with a very large space to prevent overlaps; like Chain ID is technically supposed to be very large for the same purpose (https://chainlist.org/). I don't have much reason to make it smaller since it's literally just a generate-once-and-put-it-in-your-module-docs value, but if there is a compelling case for it then sure.
| @@ -37,6 +38,8 @@ pub struct StaticModuleConfig { | |||
| /// Type of the module | |||
| #[serde(rename = "type")] | |||
| pub kind: ModuleKind, | |||
| /// Signing ID for the module to use when requesting signatures | |||
| pub signing_id: Option<B256>, | |||
There was a problem hiding this comment.
also worth creating a type alias for clarity
There was a problem hiding this comment.
why make it optional?
So this was a concession I had to make in order to support the other use cases where the signature generation pipeline is used with COMMIT_BOOST_DOMAIN, but not tied to a specific module. For example, proxy key generation will do this. Proxy keys are already stored by module ID and don't have any sense of signing ID, so coupling them to the signing ID as well would either involve storing that as part of their path or adding a lookup from module ID to signing ID to the signer. Either way, any time the signing ID changes (e.g, when previous signatures need to be invalidated), you'd have to regenerate all of the proxy keys. It seemed easier to make this field optional to support the existing calls instead of refactoring all of that.
| pub const SIGNER_JWT_AUTH_FAIL_LIMIT_DEFAULT: u32 = 3; | ||
|
|
||
| /// How long to rate limit the client after auth failures | ||
| pub const SIGNER_JWT_AUTH_FAIL_TIMEOUT_SECONDS_ENV: &str = | ||
| "CB_SIGNER_JWT_AUTH_FAIL_TIMEOUT_SECONDS"; | ||
| pub const SIGNER_JWT_AUTH_FAIL_TIMEOUT_SECONDS_DEFAULT: u32 = 5 * 60; |
There was a problem hiding this comment.
is this supposed to be in this PR or does it need to be rebased?
There was a problem hiding this comment.
This was some incidental cleanup of #310 that landed in here after it was merged. There are a few little non-functional changes related to it. For cleanliness I can pull all of those out and make a separate PR for them if you'd like, no problem.
crates/common/src/config/signer.rs
Outdated
| jwt_secrets: &HashMap<ModuleId, String>, | ||
| ) -> Result<HashMap<ModuleId, ModuleSigningConfig>> { | ||
| let mut mod_signing_configs = HashMap::new(); | ||
| if let Some(modules) = &config.modules { |
There was a problem hiding this comment.
if this is None this function should not be called, we should error if it is, something like
let Some(modules) = &config.modules else { bail!("...") } There was a problem hiding this comment.
Confirmed, fixed in 1a0efec.
crates/common/src/config/signer.rs
Outdated
| let mut seen_jwt_secrets = HashMap::new(); | ||
| let mut seen_signing_ids = HashMap::new(); |
There was a problem hiding this comment.
if we go through modules one by one, then these could just be hashsets
There was a problem hiding this comment.
The value (the module_id) is used in the error messages that get thrown during duplication detection so the user knows which module entries are conflicting. We can swap to HashSets, just print the offending duplicated value itself, and let the user find it in the config if that's preferable, but listing the modules directly seems like good UX.
| #[derive(Default, Debug, TreeHash)] | ||
| pub struct PropCommitSigningInfo { | ||
| pub data: [u8; 32], | ||
| pub module_signing_id: [u8; 32], |
There was a problem hiding this comment.
Yeah, I left these as [u8; 32] because the original SigningData above it used those. Happy to convert everything to B256 though, in fact I'd prefer it if that's ok.
crates/common/src/signature.rs
Outdated
| let signing_root = match module_signing_id { | ||
| Some(id) => compute_signing_root(&types::SigningData { | ||
| object_root: compute_signing_root(&types::PropCommitSigningInfo { | ||
| data: msg.tree_hash_root().0, | ||
| module_signing_id: id.0, | ||
| }), | ||
| signing_domain: domain, | ||
| }), | ||
| None => compute_signing_root(&types::SigningData { | ||
| object_root: msg.tree_hash_root().0, | ||
| signing_domain: domain, | ||
| }), | ||
| }; |
There was a problem hiding this comment.
this logic is repeated a couple of times can we refactor to a separate function?
| @@ -52,14 +48,27 @@ pub fn verify_signed_message<T: TreeHash>( | |||
| pubkey: &BlsPublicKey, | |||
| msg: &T, | |||
| signature: &BlsSignature, | |||
| module_signing_id: Option<&B256>, | |||
There was a problem hiding this comment.
Option here and below can be removed, we only do signatures in the signer module and modules will always need to have the id set after this PR
There was a problem hiding this comment.
See the earlier response - the proxy key generator uses it too, and it (currently) doesn't include signing IDs which is why it's an Option in here. Validating the signature in e.g. SignedProxyDelegationBls won't work without it.
|
|
||
| ## The Signing ID | ||
|
|
||
| Your module's signing ID is a 32-byte value that is used as a unique identifier within the signing process. Preconfirmation signatures incorporate this value along with the data being signed as a way to create signatures that are exclusive to your module, so other modules can't maliciously construct signatures that appear to be from your module. Your module must have this ID incorporated into itself ahead of time, and the user must include this same ID within their Commit Boost configuration file section for your module. Commit Boost does not maintain a global registry of signing IDs, so this is a value you should provide to your users in your documentation. |
There was a problem hiding this comment.
nit: not "preconfirmation signatures" but "commitment signatures", preconfs are just one type of commitment
There was a problem hiding this comment.
Yep good catch! Old verbiage from before Drew gave them a formal name. Fixed in ee282da.
| #### `200 OK` | ||
|
|
||
| A successful signing request, with the signature provided as a plaintext quoted hex-encoded string, with a `0x` prefix. For example, the response body would look like: | ||
| ``` | ||
| "0xa43e623f009e615faa3987368f64d6286a4103de70e9a81d82562c50c91eae2d5d6fb9db9fe943aa8ee42fd92d8210c1149f25ed6aa72a557d74a0ed5646fdd0e8255ec58e3e2931695fe913863ba0cdf90d29f651bce0a34169a6f6ce5b3115" | ||
| ``` | ||
|
|
||
| #### `401 Unauthorized` | ||
|
|
||
| Your module did not provide a JWT string in the request's authorization header, or the JWT string was not configured in the signer service's configuration file as belonging to your module. | ||
|
|
||
|
|
There was a problem hiding this comment.
i wonder if this part is actually needed? we do have an OpenAPI schema after all
There was a problem hiding this comment.
That would be lovely, because maintaining it manually is a chore. I'll ping you about it and add the results to this PR once we have them.
This is a large change that modifies the ways proposer commitment signatures are generated. Currently, the requesting module isn't embedded into the data being signed so any authorized module can request the signature of any data - including data that might be used or expected by other modules. This PR precludes that possibility by embedding a new special per-module signing ID into the data being signed.
The signing ID is a 32-byte hex string provided in the Commit Boost configuration's
[[modules]]section, per module. Module authors can make it whatever they want, and should publish it within their own documentation so users know which unique value to configure for that module. Since Commit Boost doesn't (and won't) maintain a global registry of such IDs, the onus is on the user to ensure the correct ID is entered for each module. Module authors can then directly bake this into their module code, in their signature validation routines, to confirm that any proposer commitments returned by the signer used the correct ID.Since different modules will have different signing IDs (a condition enforced by the loader logic), this prevents one module from "forging" a signature destined for another one.
Using a discrete signing ID means module authors can change their module ID at any time (such as with a version number bump or a vendor rename) without invalidating previous signatures. Conversely, if they do want to invalidate previous signatures while retaining the module ID, they can do so by simply changing their signing ID and informing their clients to update with the new configuration accordingly.
This also adds new round-trip integration tests that confirm signing works as expected with the new paradigm and cross-module signatures are no longer possible.
Finally, it starts some documentation on how to request proposer commitments from the signer service, including how to request a signature and verify it. See
docs/docs/developing/prop-commit-signing.md.