Open nugaon opened 1 year ago
I am kinda missing context where is this going to be used ? Will this be used to verify postageStamp signer and only for it ? Or why ?
If you plan to do any multisig kind verification then I have a huntch the replay attack could happen since there is no nonce. Is timestamp from when batchId is created? If it is then message hash for (chunk, batchId, index and timestamp) is constant and you can have man in the middle attack. If timestamp is changing per request then its ok.
the postage stamp sig check will be used in the storage incentives. though, it can be a utility function for something else as well in the future. the single owner chunk sig check is needed in the fdp sw3 contracts later.
Is timestamp from when batchId is created?
exactly. https://github.com/ethersphere/bee/blob/master/pkg/postage/stamper.go#L45
how can you have man in the middle attack here? you need the private key from of postage stamp owner to sign the message.
if timestamp would not change, one could cache signature. But since timestampe is changing it acts as a nounce, is always higher then before, then it can not occour.
Added smart contract library
Signature.sol
that contains all helper function to signature handling and addedPostageStampSig
andSocSig
that shows how to utilize that with the functionality to recover Ethereum address from postage stamp and Single Owner Chunk signatures, respectively.