Skip to content

Commit

Permalink
Verify validator token manifest matches private key
Browse files Browse the repository at this point in the history 
RIPD-1552
  • Loading branch information
@wilsonianb @bachase
wilsonianb authored and bachase committed Nov 29, 2017
1 parent f0e1024 commit 40c39c4
Show file tree
Hide file tree
Showing 2 changed files with 40 additions and 3 deletions.
21 changes: 18 additions & 3 deletions src/ripple/app/misc/impl/ValidatorKeys.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@
#include <ripple/basics/Log.h>
#include <ripple/core/Config.h>
#include <ripple/core/ConfigSections.h>
#include <beast/core/detail/base64.hpp>

namespace ripple {
ValidatorKeys::ValidatorKeys(Config const& config, beast::Journal j)
Expand All @@ -42,9 +43,23 @@ ValidatorKeys::ValidatorKeys(Config const& config, beast::Journal j)
if (auto const token = ValidatorToken::make_ValidatorToken(
config.section(SECTION_VALIDATOR_TOKEN).lines()))
{
secretKey = token->validationSecret;
publicKey = derivePublicKey(KeyType::secp256k1, secretKey);
manifest = std::move(token->manifest);
auto const pk = derivePublicKey(
KeyType::secp256k1, token->validationSecret);
auto const m = Manifest::make_Manifest(
beast::detail::base64_decode(token->manifest));

if (! m || pk != m->signingKey)
{
configInvalid_ = true;
JLOG(j.fatal())
<< "Invalid token specified in [" SECTION_VALIDATOR_TOKEN "]";
}
else
{
secretKey = token->validationSecret;
publicKey = pk;
manifest = std::move(token->manifest);
}
}
else
{
Expand Down
22 changes: 22 additions & 0 deletions src/test/app/ValidatorKeys_test.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,17 @@ class ValidatorKeys_test : public beast::unit_test::suite
"gBD67kMaRFGvmpATHlGKJdvDFlWPYy5AqDedFv5TJa2w0i21eq3MYywLVJZnFOr7C0kw"
"2AiTzSCjIzditQ8=";

// Manifest does not match private key
const std::vector<std::string> invalidTokenBlob = {
"eyJtYW5pZmVzdCI6IkpBQUFBQVZ4SWUyOVVBdzViZFJudHJ1elVkREk4aDNGV1JWZl\n",
"k3SXVIaUlKQUhJd3MxdzZzM01oQWtsa1VXQWR2RnFRVGRlSEpvS1pNY0hlS0RzOExo\n",
"b3d3bDlHOEdkVGNJbmFka1l3UkFJZ0h2Q01lQU1aSzlqQnV2aFhlaFRLRzVDQ3BBR1\n",
"k0bGtvZHRXYW84UGhzR3NDSUREVTA1d1c3bWNiMjlVNkMvTHBpZmgvakZPRGhFR21i\n",
"NWF6dTJMVHlqL1pjQkpBbitmNGhtQTQ0U0tYbGtTTUFqak1rSWRyR1Rxa21SNjBzVG\n",
"JaTjZOOUYwdk9UV3VYcUZ6eDFoSGIyL0RqWElVZXhDVGlITEcxTG9UdUp1eXdXbk55\n",
"RFE9PSIsInZhbGlkYXRpb25fc2VjcmV0X2tleSI6IjkyRDhCNDBGMzYwMTc5MTkwMU\n",
"MzQTUzMzI3NzBDMkUwMTA4MDI0NTZFOEM2QkI0NEQ0N0FFREQ0NzJGMDQ2RkYifQ==\n"};

public:
void
run() override
Expand Down Expand Up @@ -141,6 +152,17 @@ class ValidatorKeys_test : public beast::unit_test::suite
BEAST_EXPECT(k.manifest.empty());
}

{
// Token manifest and private key must match
Config c;
c.section(SECTION_VALIDATOR_TOKEN).append(invalidTokenBlob);
ValidatorKeys k{c, j};

BEAST_EXPECT(k.configInvalid());
BEAST_EXPECT(k.publicKey.size() == 0);
BEAST_EXPECT(k.manifest.empty());
}

}
}; // namespace test

Expand Down

0 comments on commit 40c39c4

Please sign in to comment.