Closed jeffa5 closed 1 year ago
Could you include a sample receipt from LSKV as a comment in this PR so that we have an overview of what receipts look like and that they don't leak confidential information?
Sure!
From the CCF native receipt endpoint
{
"cert": "-----BEGIN CERTIFICATE-----\nMIIBwzCCAUmgAwIBAgIRAL8azkEXL7nLL5Yhp9p6DN0wCgYIKoZIzj0EAwMwFjEU\nMBIGA1UEAwwLQ0NGIE5ldHdvcmswHhcNMjIxMTAyMTcwNzU3WhcNMjMwMTMxMTcw\nNzU2WjATMREwDwYDVQQDDAhDQ0YgTm9kZTB2MBAGByqGSM49AgEGBSuBBAAiA2IA\nBON2qNOiUFwR+Ef0FqEfE5EV58gALq76yI4PjPAx7plDPb5/addKDq4+SP77+5nl\nsJfX9PRx5Ar8zXsbcE/V8EJq3uZid27Ovvez8Kq3VR7MO2qZ9/VbtDCcNI4hgh0K\nPqNeMFwwCQYDVR0TBAIwADAdBgNVHQ4EFgQUP3z6t+rmgxRn4Q8p/xcbO6xP1/8w\nHwYDVR0jBBgwFoAUN0AJObg6ky1oCUjT4z0EvU0beuUwDwYDVR0RBAgwBocEfwAA\nATAKBggqhkjOPQQDAwNoADBlAjEA4Ul6UcDpRlkKmqWWXknCkBff6C75xOKX0QAH\nZ2aRKM5LYqG+Sf9BX4zqgGxM+rRlAjA/i5C+GK2ozYcGXTKePmWXu7KA4qNtfZ6z\nieKOcOD3fZBhKHnQKMR7O0nNHmobiu0=\n-----END CERTIFICATE-----\n",
"leaf_components": {
"claims_digest": "59845c1960ad5b384991994b5e3668d63d564b3241aad381dc842ce9765ffa9d",
"commit_evidence": "ce:2.16:60336ec9dbf02babca64faf85d794a94cfaa01e9f4984378f710d4a20dbd1792",
"write_set_digest": "6ef580c37c21d75bda380beb713d4b989aec629d3dedeb3f9d808417204db83c"
},
"node_id": "dc95a6d0610974b722485646e0be5f92312d792917fff3b8e67a5155cb5cbd1d",
"proof": [
{
"left": "c8f9e1a52e32524328c4874dfc2fdf70d8d5c5264699264fd4d8983f558705dc"
}
],
"signature": "MGUCMQDi3HIesiKldQPd7ReZAOEsHiwugRf4KrpsN+PXscPrj3XdJZwzSokp3na+YViLFggCMEJzNcuucQvLaPEbEPsfndmZM6a5oFjA0tf/yQWjP7amiB0pGX7iKMLh/KE6q89F6A=="
}
From the new gRPC receipt endpoint:
{
"header": {
"clusterId": "16768088272863050520",
"memberId": "13219201121956304348",
"revision": "17",
"raftTerm": "2"
},
"receipt": {
"cert": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ3ekNDQVVtZ0F3SUJBZ0lSQUw4YXprRVhMN25MTDVZaHA5cDZETjB3Q2dZSUtvWkl6ajBFQXdNd0ZqRVUKTUJJR0ExVUVBd3dMUTBOR0lFNWxkSGR2Y21zd0hoY05Nakl4TVRBeU1UY3dOelUzV2hjTk1qTXdNVE14TVRjdwpOelUyV2pBVE1SRXdEd1lEVlFRRERBaERRMFlnVG05a1pUQjJNQkFHQnlxR1NNNDlBZ0VHQlN1QkJBQWlBMklBCkJPTjJxTk9pVUZ3UitFZjBGcUVmRTVFVjU4Z0FMcTc2eUk0UGpQQXg3cGxEUGI1L2FkZEtEcTQrU1A3Nys1bmwKc0pmWDlQUng1QXI4elhzYmNFL1Y4RUpxM3VaaWQyN092dmV6OEtxM1ZSN01PMnFaOS9WYnREQ2NOSTRoZ2gwSwpQcU5lTUZ3d0NRWURWUjBUQkFJd0FEQWRCZ05WSFE0RUZnUVVQM3o2dCtybWd4Um40UThwL3hjYk82eFAxLzh3Ckh3WURWUjBqQkJnd0ZvQVVOMEFKT2JnNmt5MW9DVWpUNHowRXZVMGJldVV3RHdZRFZSMFJCQWd3Qm9jRWZ3QUEKQVRBS0JnZ3Foa2pPUFFRREF3Tm9BREJsQWpFQTRVbDZVY0RwUmxrS21xV1dYa25Da0JmZjZDNzV4T0tYMFFBSApaMmFSS001TFlxRytTZjlCWDR6cWdHeE0rclJsQWpBL2k1QytHSzJvelljR1hUS2VQbVdYdTdLQTRxTnRmWjZ6CmllS09jT0QzZlpCaEtIblFLTVI3TzBuTkhtb2JpdTA9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K",
"signature": "MGUCMQDi3HIesiKldQPd7ReZAOEsHiwugRf4KrpsN+PXscPrj3XdJZwzSokp3na+YViLFggCMEJzNcuucQvLaPEbEPsfndmZM6a5oFjA0tf/yQWjP7amiB0pGX7iKMLh/KE6q89F6A==",
"nodeId": "ZGM5NWE2ZDA2MTA5NzRiNzIyNDg1NjQ2ZTBiZTVmOTIzMTJkNzkyOTE3ZmZmM2I4ZTY3YTUxNTVjYjVjYmQxZA==",
"txReceipt": {
"leafComponents": {
"claimsDigest": "NTk4NDVjMTk2MGFkNWIzODQ5OTE5OTRiNWUzNjY4ZDYzZDU2NGIzMjQxYWFkMzgxZGM4NDJjZTk3NjVmZmE5ZA==",
"commitEvidence": "Y2U6Mi4xNjo2MDMzNmVjOWRiZjAyYmFiY2E2NGZhZjg1ZDc5NGE5NGNmYWEwMWU5ZjQ5ODQzNzhmNzEwZDRhMjBkYmQxNzky",
"writeSetDigest": "NmVmNTgwYzM3YzIxZDc1YmRhMzgwYmViNzEzZDRiOTg5YWVjNjI5ZDNkZWRlYjNmOWQ4MDg0MTcyMDRkYjgzYw=="
},
"proof": [
{
"left": "YzhmOWUxYTUyZTMyNTI0MzI4YzQ4NzRkZmMyZmRmNzBkOGQ1YzUyNjQ2OTkyNjRmZDRkODk4M2Y1NTg3MDVkYw=="
}
]
}
}
}
And with updated .proto to use strings more in the receipts:
{
"header": {
"clusterId": "1136169219888705108",
"memberId": "28684126496562193",
"revision": "11",
"raftTerm": "2"
},
"receipt": {
"cert": "-----BEGIN CERTIFICATE-----\nMIIBxDCCAUmgAwIBAgIRAML8hKWDqB01ffbUZLJD+64wCgYIKoZIzj0EAwMwFjEU\nMBIGA1UEAwwLQ0NGIE5ldHdvcmswHhcNMjIxMTAyMTcxODAxWhcNMjMwMTMxMTcx\nODAwWjATMREwDwYDVQQDDAhDQ0YgTm9kZTB2MBAGByqGSM49AgEGBSuBBAAiA2IA\nBLVeMTnYdCHrWfQB32r68kqIwvAtZ9zki03HX7qFzr9PCsvItx38bRfySV3TxxcP\nijy4wZKU9Y3++zLs6xD2rYA/WUaAYR9fIbZvaLaQu+gvocHTxKbXiV1hsHQ1AaoQ\nAqNeMFwwCQYDVR0TBAIwADAdBgNVHQ4EFgQUtxTmUJTCr/SisItTgexC3+TeFvow\nHwYDVR0jBBgwFoAUVKRNO5V1Zbs6nWUvViQdSThOIg4wDwYDVR0RBAgwBocEfwAA\nATAKBggqhkjOPQQDAwNpADBmAjEAiaXbOdQ/80t4QoayguPC+L9+k4Jf+BsYzhcf\nc7Q7Udl3h5ZqaZmsaP/yefNmE4J/AjEAl/JTbSTunjSTP/JbUaRtaBdUT8JkcDq2\nV0eU713HN+kvuFQ9uEpeeHqOpoE7sUCx\n-----END CERTIFICATE-----\n",
"signature": "MGYCMQDBT7Q8+xu12zBiqGwjx4BJ6oke1ZUdGHxcPYVSfAsOBKC6l6wJxqC2XLddZcjJVgcCMQC89kp7UtSLJSMKMa5b5yPElhgnpN3+3zAA1ZlnOeGUOnUbuNCKHYEDKOYK4sMDB2A=",
"nodeId": "111c85a20fe865007036486eaacbf9b4fc4f57c35ad0abab104f9ec5f772304a",
"txReceipt": {
"leafComponents": {
"claimsDigest": "60b64951446c6eba0c03d244341bbd9ac7ce52bb104060066c8c630cd131f59f",
"commitEvidence": "ce:2.10:1981d2fec3435f88e70a45deff905bc551c86e4199f1a4a5b23482b2f467810c",
"writeSetDigest": "bf91e4ee95e7f3eb24fb6b0f6d278b5386384d1fe4f29d4904078e0ce48a0f33"
},
"proof": [
{
"left": "b028ea76c8039f709f230edfe9335219467e2c8b81d46e7858a63f73d01da066"
},
{
"left": "bc6c0998957b979780855e8568c9a06d70dd6dd6c504d4aebcd6aed4423ba82f"
}
]
}
}
}
Stupid question but how does the client verify that the receipt received corresponds to their request, write set and the response received?
They can use the signature to verify the receipt as is (https://microsoft.github.io/CCF/main/use_apps/verify_tx.html#receipt-verification). In doing so they can compute the claims_digest with the request they sent and the response they received. If their computed claims_digest is equal to that in the receipt then coupled with the txid being equal they can be sure that the receipt is for their request.
I think that covers it but let me know if there is still a bit that isn't clear.
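An added example, not part of the PR or the thread: the client-side check described in the comment above, applied to all three receipt shapes posted earlier (in the first gRPC sample each field is base64 of its ASCII text). The leaf and root construction follows the linked CCF receipt verification page; how LSKV derives `claims_digest` from a request and response is not stated here, so the expected digest is an input, and the signature check over the root with the node certificate is left out because it needs an ECDSA library.

```python
import base64
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def text(value: str, b64: bool) -> str:
    return base64.b64decode(value).decode("ascii") if b64 else value

def normalise(receipt: dict) -> dict:
    """Map the three receipt shapes shown in this thread onto one form."""
    if "leaf_components" in receipt:  # CCF native endpoint
        lc, proof, b64 = receipt["leaf_components"], receipt["proof"], False
        keys = ("write_set_digest", "commit_evidence", "claims_digest")
    else:  # gRPC endpoint, before or after the .proto change
        tx = receipt["receipt"]["txReceipt"]
        lc, proof = tx["leafComponents"], tx["proof"]
        keys = ("writeSetDigest", "commitEvidence", "claimsDigest")
        # Assumption: plain evidence starts "ce:" (":" is not a base64 char).
        b64 = not lc["commitEvidence"].startswith("ce:")
    wsd, ce, cd = (text(lc[k], b64) for k in keys)
    path = [(side, text(h, b64)) for node in proof for side, h in node.items()]
    return {"write_set_digest": wsd, "commit_evidence": ce,
            "claims_digest": cd, "proof": path}

def merkle_root(r: dict) -> bytes:
    # Leaf = H(write_set_digest || H(commit_evidence) || claims_digest)
    node = sha256(bytes.fromhex(r["write_set_digest"])
                  + sha256(r["commit_evidence"].encode())
                  + bytes.fromhex(r["claims_digest"]))
    for side, h in r["proof"]:
        sibling = bytes.fromhex(h)
        node = sha256(sibling + node) if side == "left" else sha256(node + sibling)
    return node  # the receipt's signature is checked against this root

def matches_request(receipt: dict, expected_claims_digest: str) -> bool:
    return normalise(receipt)["claims_digest"].lower() == expected_claims_digest.lower()

# Constructed sample values, not the receipts posted in this thread.
hx = lambda s: hashlib.sha256(s.encode()).hexdigest()
enc64 = lambda s: base64.b64encode(s.encode()).decode()
W, C, D, P = hx("write set"), "ce:2.16:" + hx("evidence"), hx("claims"), hx("sibling")
NATIVE = {"leaf_components": {"write_set_digest": W, "commit_evidence": C,
                              "claims_digest": D}, "proof": [{"left": P}]}
def grpc(enc):
    return {"receipt": {"txReceipt": {"leafComponents": {
        "writeSetDigest": enc(W), "commitEvidence": enc(C),
        "claimsDigest": enc(D)}, "proof": [{"left": enc(P)}]}}}
GRPC_B64, GRPC_STR = grpc(enc64), grpc(str)
```

Because `claims_digest` is hashed into the leaf, a receipt whose digest does not match the client's own computation cannot share a signed root with one that does.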
@jumaffre are you happy with this use of receipts from a security point of view?
It looks good to me. @jeffa5, could you also spell out somewhere in the docs how the claims_digest is computed for all 3 APIs that generate receipts?
Fixes #78
Later we will want to add more request types to the claims.