search

cosmos / cosmos-sdk

:chains: A Framework for Building High Value Public Blockchains :sparkles:
https://cosmos.network/
Apache License 2.0
6.22k stars 3.6k forks source link

[Bug]: secp256k1 public keys with invalid SEC1 tags are accepted #20406

Open tony-iqlusion opened 4 months ago

tony-iqlusion commented 4 months ago

Is there an existing issue for this?

What happened?

Valid secp256k1 public keys are typically 33-bytes long and begin with a SEC1 tag byte: either 0x02 or 0x03 depending on whether the y-coordinate is odd, followed by the big endian serialization of the x-coordinate, which is 32-bytes.

The current point validation logic only checks the length of the public key and does no validation of the SEC1 tag whatsoever: https://github.com/cosmos/cosmos-sdk/blob/b2e8feb/crypto/keys/secp256k1/secp256k1.go#L203-L211

This has lead to chains accepting public keys with invalid SEC1 tags: https://github.com/informalsystems/tendermint-rs/issues/1419#issuecomment-2105317413

Ideally, if it's possible to retrofit improved validation, the SEC1 tag byte would be checked in addition to the length.

The SEC1 tag byte 0x00 can be used to encode the identity point (with the x-coordinate typically omitted for a 1-byte encoding), though it seems these are currently encoded as 33-bytes of 0x00, which is at least a tolerable encoding: https://github.com/informalsystems/tendermint-rs/issues/1417

Cosmos SDK Version

main

tac0turtle commented 4 months ago

How would retro fitting this work? its hard to see a way to get this to work in a backwards compatible way

tony-iqlusion commented 4 months ago

One option might be to replace the invalid keys with a placeholder, e.g. the additive identity.