Implement verifySignature
#671
Conversation
j-mueller
force-pushed
the
plutus-core/signature-implementation
branch
from
1a32d9d
to
bc4f38d
Compare
|
note that the crowdfunding tests currently fail because of a bytestring size mismatch - To fix that I'm adding some newtypes for |
|
@michaelpj can you take alook at the last commit please - the (See https://hydra.iohk.io/build/742161/nixlog/1) but I can't find the place where it would get the wrong size. |
|
You haven't changed what the builtins machinery in |
|
We might need to ask @effectfully for help on what to change there. |
|
It doesn't look to me that the problem is in the builtins machinery, because typedVerifySignature :: TypedBuiltinName (BSL.ByteString -> BSL.ByteString -> BSL.ByteString -> EvaluationResult Bool) (EvaluationResult Bool)
typedVerifySignature =
TypedBuiltinName VerifySignature $
TypeSchemeAllSize $ \s0 -> TypeSchemeAllSize $ \s1 -> TypeSchemeAllSize $ \s2 ->
TypeSchemeBuiltin (TypedBuiltinSized (SizeBound s0) TypedBuiltinSizedBS) `TypeSchemeArrow`
TypeSchemeBuiltin (TypedBuiltinSized (SizeBound s1) TypedBuiltinSizedBS) `TypeSchemeArrow`
TypeSchemeBuiltin (TypedBuiltinSized (SizeBound s2) TypedBuiltinSizedBS) `TypeSchemeArrow`
TypeSchemeBuiltin TypedBuiltinDynHere is my random guess: from the definition of term <- wrapSizedBsrel [BS32, BS32, BS64] $ instSize haskellBS32Size $ instSize haskellBS32Size $ instSize haskellBS64Size $ mkBuiltin PLC.VerifySignatureto elaborate to rather than Is my guess correct? |
|
By the way, -- | A 'BSL.ByteString' of 32 bytes.
newtype ByteString32 = ByteString32 { unByteString32 :: BSL.ByteString }
deriving (Eq, Ord, Show, IsString)
-- | A 'BSL.ByteString' of 64 bytes.
newtype ByteString64 = ByteString64 { unByteString64 :: BSL.ByteString }
deriving (Eq, Ord, Show, IsString)this is terrible. Can we have newtype Sized a (s :: k) = Sized aand use If you decide to add this single |
|
I think you hit the nail on the head there. Yes, this is terrible, but we're not brave enough to do the |
Then I suggest to write it like that: mkBuiltin PLC.VerifySignature `instSize` haskellBS32Size `instSize` haskellBS32Size `instSize` haskellBS64Size
No problem, but I do not expect |
|
Well, it won't work directly since the way the compiler plugin directly identifies type constructors with types. So it's not able to have special cases for would probably work, but I would still need to work out how to get the sizes in the type system etc. So - some work. |
|
Ah, I see, thanks. |
Yes it is, thanks. I thought about a type parameter for the sizes too but I decided to go with the solution that had a smaller risk of failure :) |
|
@vmchale I updated looks like everything is working, so I think now is a good time to rebase |
|
I pushed a commit that adds type-level sizes on the Haskell side, and converts them over properly. So we don't need anything special, and a bunch of size-polymorphic stuff Just Works. Once this is merged I'll do the same for integers, but I don't want to hold this up. |
j-mueller
force-pushed
the
plutus-core/signature-implementation
branch
4 times, most recently
from
3125161
to
7ab2473
Compare
| makeLift ''PubKey | ||
|
|
||
| -- | A cryptographic private key. | ||
| newtype PrivateKey = PrivateKey { getPrivateKey :: KeyBytes } |
There was a problem hiding this comment.
Both this and the public key should be 32-byte segments of the key bytes, no?
There was a problem hiding this comment.
I changed it to use the PublicKey and PrivateKey types everywhere so KeyBytes type isn't actually necessary anymore. I think that's better than having a 64-byte ByteString with two dedicated segments.
There was a problem hiding this comment.
Okay, but the PublicKey should definitely not contain the private key in case we serialize it.
There was a problem hiding this comment.
Hm, I just realised something. We do actually serialise private keys now. (To identify wallets in the Playground). But I think I'll change it so that wallets are still Ints and to get a wallet's private key we look up the index in the list of known private keys.
There was a problem hiding this comment.
I think that's benign, since it's just in the playground which isn't meant to be secure.
There was a problem hiding this comment.
Yeah but keeping wallets as Ints has the advantage that I don't need to update the playground code ;)
| signedBy (Signature k) (PubKey s) = k == s | ||
| signedBy :: Signature -> PubKey -> TxId -> Bool | ||
| signedBy (Signature s) (PubKey k) txId = | ||
| let k' = ED25519.publicKey $ BSL.toStrict $ Builtins.unSizedByteString $ KB.getKeyBytes k |
There was a problem hiding this comment.
i.e. I'd probably do this stuff in the construction of PublicKey. Note that the current version is potentially insecure, since we might put the PublicKey somewhere public even though it actually contains the private key too!
| signedBy (Signature s) (PubKey k) txId = | ||
| let k' = ED25519.publicKey $ BSL.toStrict $ Builtins.unSizedByteString $ KB.getKeyBytes k | ||
| s' = ED25519.signature $ BSL.toStrict $ Builtins.unSizedByteString s | ||
| in throwCryptoError $ ED25519.verify <$> k' <*> pure (getTxId txId) <*> s' -- TODO: is this what we want |
There was a problem hiding this comment.
Good question. I think ideally we'd handle these errors explicitly. This isn't a very exceptional error, and if we throw a bunch of exceptions then we have to write a robust harness in the executable, since we still want to send a response in case of an error, so it can't kill the whole executable.
| let k = ED25519.secretKey $ BSL.toStrict $ Builtins.unSizedByteString $ KB.getKeyBytes privKey | ||
| pk = ED25519.toPublic <$> k | ||
| salt :: BS.ByteString | ||
| salt = "" -- TODO: do we need better salt? |
There was a problem hiding this comment.
I think this doesn't actually matter too much. AIUI, there are two reasons we might want a salt:
- To get a different signature for each message, to make it harder to reuse signatures. This isn't so much of a problem for us since the transaction itself is only valid once.
- To prevent replay attacks. Again, this isn't so much of a problem for us since transactions are only valid once, and in fact having replayability is actually helpful for us.
We could get a salt that's replayable by us by having it be pseudo-randomly generated with a seed that's passed in by the caller. Then the contract backend can still replay everything deterministically.
| -- ^ The 'SlotRange' during which this transaction may be validated. | ||
| txSignatures :: Map PubKey Signature |
There was a problem hiding this comment.
I think we hash the transaction by using the derived Serialise instance. But we should be signing something that doesn't include the signatures, which that does. In particular, I'm not sure how we ever validate any signatures, since I'd expect us to recalculate the hash later and get a different thing...
Also, we don't want to just rely on the map being empty, since that way we can add more signatures later without having to contort ourselves.
There was a problem hiding this comment.
The hash is of a TxStripped which excludes the signatures.
There was a problem hiding this comment.
Although it might be better to just add a type parameter for the signatures to Tx...
There was a problem hiding this comment.
Or have TxBody and Tx, which is the terminology that the specifications use, I think?
j-mueller
force-pushed
the
plutus-core/signature-implementation
branch
4 times, most recently
from
901658f
to
c34069c
Compare
|
I think |
|
Right, I'll do that |
* Add verifySignature * Add swagger bits * Use KeyBytes pervasively * Fix up wallet-api library * Test suite builds + fails * Add fromHex * Fix four test cases * More sensible API * Start signing mechanisms * Remove ownSignature * Remove unneeded functions * rearrange by secret key * Patch up types * Remove bit we don't need * Use PubKey * Use signature in pubKeyTxIn * Use bottom * cardano-crypto and http-api-data * transactions have signatures * Show KeyBytes * PublicKeySize invalid * wallet-api tests pass * fix plutus-use-cases
fix plutus-use-cases fix warnings keybytes exports game contract types
j-mueller
force-pushed
the
plutus-core/signature-implementation
branch
2 times, most recently
from
050357c
to
b2f3963
Compare
* PS bridge / JSON * Marlowe
j-mueller
force-pushed
the
plutus-core/signature-implementation
branch
from
b2f3963
to
f56e681
Compare
|
marlow test failures are odd, I was able to build it without problems:
|
|
Ah - the marlowe tests are split out into another derivation, so that won't run the tests: you need |
|
It's something weird where we're not producing a transaction when we think we should. Also I guess this means the timing out is also real. |
|
@nau this looks suspicious: https://github.com/input-output-hk/plutus/pull/671/files#diff-f1f2d09538c116215822ad173fa89638R40 It looks like the ids are coming apart from the person's public key, is that right? |
|
I wonder whether something in the test might be causing all the contracts to fail by timeouts? Which might be very slow in the property test. |
j-mueller
force-pushed
the
plutus-core/signature-implementation
branch
2 times, most recently
from
f83740a
to
235da5f
Compare
j-mueller
force-pushed
the
plutus-core/signature-implementation
branch
from
235da5f
to
cec125e
Compare
|
Compile warnings for the stuff you commented out 🙈 |
|
it should be OK with the latest commit (cec125e) |
|
👍 |
|
Stylish haskell - last thing! |
|
\o/ |
|
What a slog, great work all. Will merge shortly. |
This PR fixes the private/public key situation in
wallet-api. The main changes areInts.verifySignaturenow has the correct number of arguments and works as expected.plutus-txhas aSizedByteString ntype to distinguish bytestrings of different lengths in PLC.TO DOs:
wallet-apiplutus-use-casesplutus-use-casesmarlowe(The changes inmarloweare non-trivial - @nau could you please take a look?)plutus-playgroundplutus-tutorialsmeadow