Verify new message type2 (#1452)

* Add validation for new message type

cosmwasm/enclaves/execute/src/registration/onchain.rs

@@ -17,6 +17,12 @@ use enclave_utils::{
 use super::cert::verify_ra_cert;
 use super::seed_exchange::encrypt_seed;
 
+#[cfg(feature = "light-client-validation")]
+use block_verifier::VERIFIED_MESSAGES;
+
+#[cfg(feature = "light-client-validation")]
+use block_verifier::registration::verify_reg_msg;
+
 ///
 /// `ecall_authenticate_new_node`
 ///
@@ -45,8 +51,14 @@ pub unsafe extern "C" fn ecall_authenticate_new_node(
 
     validate_mut_ptr!(seed.as_mut_ptr(), seed.len(), NodeAuthResult::InvalidInput);
     validate_const_ptr!(cert, cert_len as usize, NodeAuthResult::InvalidInput);
+
     let cert_slice = std::slice::from_raw_parts(cert, cert_len as usize);
 
+    #[cfg(feature = "light-client-validation")]
+    if !verify_reg_msg(cert_slice) {
+        return NodeAuthResult::SignatureInvalid;
+    }
+
     let result = panic::catch_unwind(|| -> Result<Vec<u8>, NodeAuthResult> {
         // verify certificate, and return the public key in the extra data of the report
         let pk = verify_ra_cert(cert_slice, None)?;

cosmwasm/enclaves/shared/block-verifier/Cargo.toml

@@ -5,7 +5,7 @@ edition = "2018"
 
 [features]
 default = ["random"]
-test = []
+test = ["base64"]
 random = []
 production = []
 verify-validator-whitelist = []
@@ -32,6 +32,8 @@ cosmos_proto = {path="../cosmos-proto"}
 protobuf = { version = "2.25.2" }
 hex = { version = "0.4.3" }
 
+base64 = { version = "0.21.0", optional = true }
+
 # cosmrs = { version = "0.11.0", default-features = false }
 
 

cosmwasm/enclaves/shared/block-verifier/src/lib.rs

@@ -10,6 +10,8 @@ pub mod wasm_messages;
 
 pub use wasm_messages::VERIFIED_MESSAGES;
 
+pub use verify::registration;
+
 mod txs;
 
 #[cfg(any(feature = "verify-validator-whitelist", feature = "test"))]
@@ -51,6 +53,9 @@ pub mod tests {
             crate::wasm_messages::tests::parse_tx_multiple_msg_non_wasm();
             crate::wasm_messages::tests::parse_tx_multisig();
             crate::wasm_messages::tests::check_message_is_wasm();
+            crate::wasm_messages::tests::check_message_is_reg();
+            crate::wasm_messages::tests::check_parse_reg_bytes();
+            crate::wasm_messages::tests::check_parse_reg_from_tx();
             crate::wasm_messages::tests::test_check_message_not_wasm();
             crate::wasm_messages::tests::test_wasm_msg_tracker();
             crate::wasm_messages::tests::test_wasm_msg_tracker_multiple_msgs();

cosmwasm/enclaves/shared/block-verifier/src/submit_block_signatures.rs

@@ -120,7 +120,7 @@ pub unsafe fn submit_block_signatures_impl(
             sgx_status_t::SGX_ERROR_INVALID_PARAMETER
         }));
 
-        message_verifier.append_wasm_from_tx(parsed_tx);
+        message_verifier.append_msg_from_tx(parsed_tx);
     }
 
     message_verifier.set_block_info(

cosmwasm/enclaves/shared/block-verifier/src/verify/mod.rs

@@ -1,8 +1,11 @@
-pub mod txs;
-pub mod validator_set;
 pub mod block;
 pub mod commit;
 pub mod header;
+pub mod txs;
+pub mod validator_set;
 
 #[cfg(feature = "random")]
 pub mod random;
+
+// external messages
+pub mod registration;

cosmwasm/enclaves/shared/block-verifier/src/verify/registration.rs

@@ -0,0 +1,35 @@
+use crate::VERIFIED_MESSAGES;
+use log::{debug, error};
+use protobuf::Message;
+
+pub fn verify_reg_msg(certificate: &[u8]) -> bool {
+    let mut verified_msgs = VERIFIED_MESSAGES.lock().unwrap();
+    let next = verified_msgs.get_next();
+
+    let result = if let Some(msg) = next {
+        match cosmos_proto::registration::v1beta1::msg::RaAuthenticate::parse_from_bytes(&msg) {
+            Ok(ra_msg) => {
+                if ra_msg.certificate == certificate {
+                    return true;
+                }
+                error!("Error failed to validate registration message - 0x7535");
+                false
+            }
+            Err(e) => {
+                debug!("Error decoding registation protobuf: {}", e);
+                error!("Error decoding msg from block validator - 0xA0F2");
+                false
+            }
+        }
+    } else {
+        error!("Cannot verify new node unless msg is part of the current block");
+        false
+    };
+
+    if !result {
+        // if validation failed clear the message queue and prepare for next tx... or apphash
+        verified_msgs.clear();
+    }
+
+    result
+}

cosmwasm/enclaves/shared/cosmos-proto/build.rs

@@ -47,6 +47,14 @@ mod protobuf {
             .expect(&format!("could not canonicalize {:?}", path))
     }
 
+    fn from_reg(path: &str) -> PathBuf {
+        let mut full_path = PathBuf::from("../../../../proto/secret/registration");
+        full_path.push(path);
+        full_path
+            .canonicalize()
+            .expect(&format!("could not canonicalize {:?}", path))
+    }
+
     pub fn build_protobuf_parsers() {
         let protoc_err_msg = "protoc failed to generate protobuf parsers";
         let mut library_dir = dirs::home_dir().unwrap();
@@ -61,6 +69,10 @@ mod protobuf {
                     from_cosmos("crypto/multisig/v1beta1/multisig.proto"),
                 ],
             ),
+            (
+                "src/registration/v1beta1/",
+                &[from_reg("v1beta1/msg.proto")],
+            ),
             (
                 "src/crypto/secp256k1",
                 &[from_cosmos("crypto/secp256k1/keys.proto")],

cosmwasm/enclaves/shared/cosmos-proto/src/lib.rs

@@ -41,3 +41,9 @@ pub mod cosmwasm {
 
     use super::base::coin;
 }
+
+pub mod registration {
+    pub mod v1beta1 {
+        pub mod msg;
+    }
+}