search

Sjors / bitcoin

Bitcoin Core integration/staging tree
https://bitcoin.org/en/download
MIT License
7 stars 11 forks source link

Stratum v2 handshake fails cert validation #38

Open jakubtrnka opened 8 months ago

jakubtrnka commented 8 months ago

Is there an existing issue for this?

Current behaviour

Noise handshake fails if NOISE_SIGNATURE_MESSAGE validation is enforced.

Expected behaviour

The signature should be validated successfully

Steps to reproduce

  1. Run ./bitcoind -regtest -sv2 -debug=sv2 -loglevel=sv2:trace
  2. copy authority key 2024-03-08T15:27:58Z Template Provider authority key: 9bNYLvwTgfh9Ez9REW9giPcXgKi3HTijS5bSJvgF47gRdQmsveT
  3. Attach a client stratum-v2 application. Enforce signature validation with respect to authority 9bNYLvwTgfh9Ez9REW9giPcXgKi3HTijS5bSJvgF47gRdQmsveT

Relevant log output

my logs

2024-03-08T15:45:18.095056Z TRACE initiator:init-step0: ii_noise_core::cryptography::noise_nx_secp256k1_chachapoly_sha256: ephemeral key [64 bytes] total_bytes_sent=64
2024-03-08T15:45:18.095119Z TRACE initiator: ii_stratum2_noise::stratum_handshake::initiator: -> e [64 bytes]
2024-03-08T15:45:18.246834Z TRACE initiator:init-step1: ii_noise_core::cryptography::noise_nx_secp256k1_chachapoly_sha256: bytes_read=234
2024-03-08T15:45:18.246969Z TRACE initiator:init-step1: ii_noise_core::cryptography::noise_nx_secp256k1_chachapoly_sha256: remote ephemeral key [64 bytes], remote static key [80 bytes], encrypted payload [90 bytes] total_bytes_received=234
2024-03-08T15:45:18.250441Z TRACE initiator: ii_stratum2_noise::stratum_handshake::initiator: <- e, ee, s, es [payload: 74 bytes]
2024-03-08T15:45:18.250562Z TRACE initiator: ii_stratum2_noise::stratum_handshake: Time and signature validation of server certificate version=0 valid_from=1709908078 not_valid_after=4294967295 server_static_key=9buWsBdB1WEsGTn95Q2qM8A4RHvE3RbnuFWhQk7u3JWkNyiKzr7 signature=6zqN4Z9hNx35e2NEeVMQGK7V1GgBPNRSjdvucBkSjR4M5V7tB8aE4sEgct5sixCkHUDp4YYYM3CNWLxeVXj8hiy authority=9bNYLvwTgfh9Ez9REW9giPcXgKi3HTijS5bSJvgF47gRdQmsveT
Error: Initialization failure Signature is invalid

Caused by:
    0: Signature is invalid
    1: Signature is invalid

logs on TP on start

2024-03-08T15:27:58Z [sv2] Reading cached static key from /home/kuba/.bitcoin/regtest/sv2_static_key
2024-03-08T15:27:58Z msghand thread start
2024-03-08T15:27:58Z [sv2:info] Static key: 02a7e5a29bf028e6c8191f88b508edce7734282dd8bafeeb2b26bb92ebdd8c0027
2024-03-08T15:27:58Z dnsseed thread start
2024-03-08T15:27:58Z Loading addresses from DNS seed dummySeed.invalid.
2024-03-08T15:27:58Z Template Provider authority key: 9bNYLvwTgfh9Ez9REW9giPcXgKi3HTijS5bSJvgF47gRdQmsveT
2024-03-08T15:27:58Z [sv2:trace] Authority key: 6190cafb7c16ffd34900472108ab76d2289f08cc32e87ed7e4e1e02f248ca769
2024-03-08T15:27:58Z [sv2:trace] Certificate hashed data: 00006e20eb65ffffffff
2024-03-08T15:27:58Z init message: Done loading
2024-03-08T15:27:58Z sv2 thread start
2024-03-08T15:27:58Z Leaving InitialBlockDownload (latching to false)
2024-03-08T15:27:58Z [sv2:info] Template Provider listening on port: 18447

How did you obtain Bitcoin Core

Compiled from source

What version of Bitcoin Core are you using?

2024/02/sv2-poll-ellswift@8b42c0f7d5

Operating system and version

arch linux

Machine specifications

No response

Sjors commented 8 months ago

Can you try this again with the sv2 branch (https://github.com/bitcoin/bitcoin/pull/29432). They're probably the same, apart from rebases b171a79edf7cdd2e1ddf968b7634af19e0a05ce9.

Did you check that your server_static_key=9buWsBdB1WEsGTn95Q2qM8A4RHvE3RbnuFWhQk7u3JWkNyiKzr7 (base58) matches the hex encoded static key 02a7e5a29bf028e6c8191f88b508edce7734282dd8bafeeb2b26bb92ebdd8c0027 printed by the template provider?

I'm assuming the valid_from and not_valid_after fields were not the issue?

One next step for debugging would to be log and compare "Certificate hashed data" with 00006e20eb65ffffffff.

Were you able to connect to an SRI role? Last time I tested I was able to connect from various SRI roles to the Template Provider, including certificate verification.

Sjors commented 8 months ago

I just looked up the commit hash you used: 8b42c0f7d5629887584e2c1fa4bd8a8a8efce907

It's from before we fixed the certificate checking in SRI https://github.com/stratum-mining/stratum/pull/752

This branch contains a workaround for this bug: f00ef11c3423cd03520ea9e4d46eb0ac475e8188

That's why the "Certificate hashed data" data is so short: it doesn't include the static key.

Hopefully switching to my sv2 branch will magically fix things for you.

Sjors commented 3 months ago

Are you still seeing this?