Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: fetch_root_key refuses to play along if called on the mainnet #526

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

fix: fetch_root_key refuses to play along if called on the mainnet #526

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
d9a0dbf
fix: fetch_root_key refuses to play along if called on the mainnet
ericswanson-dfinity Mar 7, 2024
d7fee85
lint, do not run test on wasm target
ericswanson-dfinity Mar 7, 2024
16f5836
Update CHANGELOG.md
ericswanson-dfinity May 6, 2024
953ce05
Merge branch 'main' into ens/refuse-fetch-mainnet-root-key
ericswanson-dfinity May 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
* Function `Agent::fetch_api_boundary_nodes()` is split into two functions: `fetch_api_boundary_nodes_by_canister_id()` and `fetch_api_boundary_nodes_by_subnet_id()`.
* `ReqwestTransport` and `HyperTransport` structures storing the trait object `route_provider: Box<dyn RouteProvider>` have been modified to allow for shared ownership via `Arc<dyn RouteProvider>`.
* Added `wasm_memory_limit` to canister creation and canister setting update options.
* Agent::fetch_root_key() now returns an error, and sets its root key to an empty vector, if got the same root key as the mainnet. This reduce the potentiality of MITM attack.

## [0.34.0] - 2024-03-18

Expand Down
5 changes: 5 additions & 0 deletions ic-agent/src/agent/agent_error.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -205,6 +205,11 @@ pub enum AgentError {
/// Route provider failed to generate a url for some reason.
#[error("Route provider failed to generate url: {0}")]
RouteProviderError(String),

/// It's an error to fetch the root key on the mainnet.
/// Doing so would enable a man-in-the-middle attack.
#[error("Never fetch the root key on the mainnet")]
NeverFetchRootKeyOnMainNet(),
}

impl PartialEq for AgentError {
Expand Down
14 changes: 14 additions & 0 deletions ic-agent/src/agent/agent_test.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,20 @@ fn make_certifying_agent(url: &str) -> Agent {
.unwrap()
}

#[cfg_attr(not(target_family = "wasm"), tokio::test)]
async fn refuse_to_install_mainnet_root_key() -> Result<(), AgentError> {
let url = "https://icp0.io";

let agent = make_agent(url);
let result = agent.fetch_root_key().await;
assert!(matches!(
result,
Err(AgentError::NeverFetchRootKeyOnMainNet())
));
assert_eq!(agent.read_root_key(), Vec::<u8>::new());
Ok(())
}

#[cfg_attr(not(target_family = "wasm"), tokio::test)]
#[cfg_attr(target_family = "wasm", wasm_bindgen_test)]
async fn query() -> Result<(), AgentError> {
Expand Down
7 changes: 6 additions & 1 deletion ic-agent/src/agent/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -333,6 +333,11 @@ impl Agent {
}
let status = self.status().await?;
let root_key = match status.root_key {
Some(key) if key[..] == IC_ROOT_KEY[..] => {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This wouldn't apply in case of an actual man-in-the-middle-attack.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct. What this is meant to protect against is accidentally fetching the root key on mainnet, which opens the door to the man-in-the-middle attack.

This applies in the case where you are erroneously fetching the root key on mainnet. Prior to this change you won't notice, because everything works: you fetch the root key from mainnet, replace your root key with it (the same key), and go about your day. You shouldn't have, but no harm done, right? It "works" locally, it "works" on mainnet, it "works" on any testnet. It "works" everywhere; there's just one problem...

Then one day, you connect with the agent, only there's been a DNS hack and you connect somewhere else: a man-in-the-middle. You fetch the root key, like you always do. It's not the the IC_ROOT_KEY this time, but you don't notice, and all the signatures check out. You're fallen for the man-in-the-middle attack.

This change is intended to make you notice that you are fetching the root key from mainnet (opening yourself up to this attack) and stop doing that.

Does that make sense?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It does make sense to nudge people not to fetch the root key from mainnet. But if we wanted to make sure that people don't fetch the root key from mainnet, we'd need to take the URL into account.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are other places that look at the URL and later skip the call or flag this as an error. But I wouldn't consider them as making sure, because there are a lot of ways to express the same URL.

This method however does seem like a way of making sure that you aren't blithely calling fetch_root_key against , because if you do, the only time it doesn't notice is if there is a MITM attack going on.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good. Thank you for your explanations!

// even if the caller ignores this error, we're done here.
self.set_root_key(vec![]);
return Err(AgentError::NeverFetchRootKeyOnMainNet());
}
Some(key) => key,
None => return Err(AgentError::NoRootKeyInStatus(status)),
};
Expand All @@ -343,7 +348,7 @@ impl Agent {
/// By default, the agent is configured to talk to the main Internet Computer, and verifies
/// responses using a hard-coded public key.
///
/// Using this function you can set the root key to a known one if you know if beforehand.
/// Using this function you can set the root key to a known one if you know it beforehand.
pub fn set_root_key(&self, root_key: Vec<u8>) {
*self.root_key.write().unwrap() = root_key;
}
Expand Down