Removed ca from credential signatures.

Blockstream · Jun 4, 2024 · fbb6ab9 · fbb6ab9
1 parent 3a52042
commit fbb6ab9
Show file tree

Hide file tree

Showing 8 changed files with 420 additions and 317 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/examples/python/getting-started/main.py b/examples/python/getting-started/main.py
@@ -39,10 +39,7 @@ def create_seed() -> bytes:
     # ---8<--- [end: create_seed]
     return seed
 
-
-def register_node(
-    seed: bytes, developer_cert_path: str, developer_key_path: str
-) -> None:
+def register_node(seed: bytes, developer_cert_path: str, developer_key_path: str) -> None:
     # ---8<--- [start: dev_creds]
     developer_cert = Path(developer_cert_path).open(mode="rb").read()
     developer_key = Path(developer_key_path).open(mode="rb").read()

diff --git a/libs/gl-client-py/glclient/glclient.pyi b/libs/gl-client-py/glclient/glclient.pyi
@@ -20,16 +20,17 @@ class TlsConfig:
 class Credentials:
     def __init__(self) -> None: ...
     @staticmethod
-    def nobody_with(cert: bytes, key: bytes, ca: Optional[bytes] = None) -> Credentials: ...
+    def nobody_with(cert: bytes, key: bytes) -> Credentials: ...
     @staticmethod
     def from_bytes(data: bytes) -> Credentials: ...
     @staticmethod
     def from_path(path: str) -> Credentials: ...
     @staticmethod
-    def from_parts(cert: bytes, key: bytes, rune: str, ca: Optional[bytes] = None) -> Credentials: ...
+    def from_parts(cert: bytes, key: bytes, rune: str) -> Credentials: ...
     def node_id(self) -> bytes: ...
     def upgrade(self, scheduler: Scheduler, signer: Signer) -> Credentials: ...
     def to_bytes(self) -> bytes: ...
+    def with_ca(self) -> Credentials: ...
 
 class SignerHandle:
     def shutdown(self) -> None: ...

diff --git a/libs/gl-client-py/src/credentials.rs b/libs/gl-client-py/src/credentials.rs
@@ -103,18 +103,8 @@ impl Credentials {
     }
 
     #[staticmethod]
-    pub fn nobody_with(cert: &[u8], key: &[u8], ca: Option<&[u8]>) -> Self {
-        let ca = ca.map_or_else(
-            || credentials::Nobody::default().ca,
-            Into::into
-        );
-
-        let inner = UnifiedCredentials::Nobody(gl_client::credentials::Nobody::with(
-            cert, 
-            key, 
-            &ca
-        ));
-
+    pub fn nobody_with(cert: &[u8], key: &[u8]) -> Self {
+        let inner = UnifiedCredentials::Nobody(gl_client::credentials::Nobody::with(cert, key));
         log::debug!("Created NOBODY credentials");
         Self { inner }
     }
@@ -134,14 +124,9 @@ impl Credentials {
     }
 
     #[staticmethod]
-    pub fn from_parts(cert: &[u8], key: &[u8], rune: &str, ca: Option<&[u8]>) -> Self {
-        let ca = ca.map_or_else(
-            || credentials::Nobody::default().ca,
-            Into::into
-        );
-
+    pub fn from_parts(cert: &[u8], key: &[u8], rune: &str) -> Self {
         let inner =
-            UnifiedCredentials::Device(gl_client::credentials::Device::with(cert, key, &ca, rune));
+            UnifiedCredentials::Device(gl_client::credentials::Device::with(cert, key, rune));
         Self { inner }
     }
 
@@ -185,6 +170,21 @@ impl Credentials {
     pub fn node_id(&self) -> Result<Vec<u8>> {
         Ok(self.inner.node_id()?)
     }
+
+    pub fn with_ca(&self, ca: &[u8]) -> Self {
+        match &self.inner {
+            UnifiedCredentials::Nobody(creds) => {
+                let n = creds.clone().with_ca(ca);
+                let inner = UnifiedCredentials::Nobody(n);
+                Self { inner }
+            }
+            UnifiedCredentials::Device(creds) => {
+                let d = creds.clone().with_ca(ca);
+                let inner = UnifiedCredentials::Device(d);
+                Self { inner }
+            },
+        }
+    }
 }
 
 type Result<T, E = ErrorWrapper> = std::result::Result<T, E>;

diff --git a/libs/gl-client-py/tests/fixtures.py b/libs/gl-client-py/tests/fixtures.py
@@ -8,7 +8,7 @@ def creds(nobody_id):
     """Nobody credentials for the tests."""
     creds = Credentials.nobody_with(
         nobody_id.cert_chain, nobody_id.private_key
-    )
+    ).with_ca(nobody_id.caroot)
     return creds
 
 
@@ -36,4 +36,4 @@ def device_creds(signer, creds, sclient):
     """
 
     res = sclient.register(signer)
-    return Credentials.from_bytes(res.creds)
+    return Credentials.from_bytes(res.creds)
diff --git a/libs/gl-client/src/credentials.rs b/libs/gl-client/src/credentials.rs
@@ -89,14 +89,27 @@ impl Nobody {
     }
 
     /// Returns a new Nobody instance with a custom set of parameters.
-    pub fn with<V>(cert: V, key: V, ca: V) -> Self
+    pub fn with<V>(cert: V, key: V) -> Self
     where
         V: Into<Vec<u8>>,
     {
+        let ca =
+            load_file_or_default("GL_CA_CRT", CA_RAW).expect("Could not load file from GL_CA_CRT");
+
         Self {
             cert: cert.into(),
             key: key.into(),
+            ca,
+        }
+    }
+
+    pub fn with_ca<V>(self, ca: V) -> Self
+    where
+        V: Into<Vec<u8>>,
+    {
+        Nobody {
             ca: ca.into(),
+            ..self
         }
     }
 }
@@ -167,17 +180,30 @@ impl Device {
 
     /// Creates a new set of `Device` credentials from a complete set of
     /// credentials.
-    pub fn with<V, S>(cert: V, key: V, ca: V, rune: S) -> Self
+    pub fn with<V, S>(cert: V, key: V, rune: S) -> Self
     where
         V: Into<Vec<u8>>,
         S: Into<String>,
     {
+        let ca =
+            load_file_or_default("GL_CA_CRT", CA_RAW).expect("Could not load file from GL_CA_CRT");
+
         Self {
             version: CRED_VERSION,
             cert: cert.into(),
             key: key.into(),
-            ca: ca.into(),
             rune: rune.into(),
+            ca
+        }
+    }
+
+    pub fn with_ca<V>(self, ca: V) -> Self 
+    where
+        V: Into<Vec<u8>>,
+    {
+        Device {
+            ca: ca.into(),
+            ..self
         }
     }
 

diff --git a/libs/gl-client/src/scheduler.rs b/libs/gl-client/src/scheduler.rs
@@ -218,7 +218,6 @@ impl<Creds> Scheduler<Creds> {
         let creds = credentials::Device::with(
             res.device_cert.clone().into_bytes(),
             res.device_key.clone().into_bytes(),
-            self.ca.clone(),
             res.rune.clone(),
         );
         res.creds = creds.to_bytes();
@@ -315,7 +314,6 @@ impl<Creds> Scheduler<Creds> {
         let creds = credentials::Device::with(
             res.device_cert.clone().into_bytes(),
             res.device_key.clone().into_bytes(),
-            self.ca.clone(),
             res.rune.clone(),
         );
         res.creds = creds.to_bytes();

diff --git a/libs/gl-testing/tests/test_node.py b/libs/gl-testing/tests/test_node.py
@@ -399,41 +399,6 @@ def test_node_reconnect(clients, scheduler, node_factory, bitcoind):
     assert peer['id'] == l1.info['id']
 
 
-def test_vls_crash_repro(
-        clients: Clients,
-        scheduler: Scheduler,
-        node_factory,
-        bitcoind) -> None:
-    """Reproduce an overflow panic in VLS v0.10.0. """
-    l1, = node_factory.line_graph(1, opts={'experimental-anchors': None})
-    assert(l1.rpc.getinfo()['version'] == 'v23.08gl1')
-
-    c = clients.new()
-    c.register(configure=True)
-    s = c.signer().run_in_thread()
-    gl1 = c.node()
-
-    gl1.connect_peer(l1.info['id'], f'127.0.0.1:{l1.daemon.port}')
-
-    l1.fundwallet(10**7)
-    l1.rpc.fundchannel(c.node_id.hex(), 'all')
-    bitcoind.generate_block(1, wait_for_mempool=1)
-
-    wait_for(lambda: l1.rpc.listpeerchannels()['channels'][0]['state'] == 'CHANNELD_NORMAL')
-
-    # Roei reports that the issue can be triggered by sending n from
-    # l1 to n1 and then (n-1)msat back to l1
-
-    inv = gl1.invoice(
-        amount_msat=clnpb.AmountOrAny(amount=clnpb.Amount(msat=2500000)),
-        description="desc",
-        label="lbl"
-    ).bolt11
-
-    l1.rpc.pay(inv)
-    inv = l1.rpc.invoice(amount_msat=2499000, label="lbl", description="desc")
-
-
 def test_sendpay_signer(
         clients: Clients,
         scheduler: Scheduler,