Skip to content

Request validation hardening#153

Merged
b3y0urs3lf merged 5 commits into
mainfrom
hardening/canonical-certification-request-cbor
May 26, 2026
Merged

Request validation hardening#153
b3y0urs3lf merged 5 commits into
mainfrom
hardening/canonical-certification-request-cbor

Conversation

@jait91
Copy link
Copy Markdown
Contributor

@jait91 jait91 commented May 14, 2026

Closes #150

@jait91 jait91 added this to Unicity May 14, 2026
@jait91 jait91 removed this from Unicity May 14, 2026
gemini-code-assist[bot]
gemini-code-assist Bot reviewed May 14, 2026
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request implements strict canonical CBOR validation for certification requests to ensure deterministic encoding and prevent malleability. It introduces a new canonicalCBORValidator that enforces RFC 8949 Core Deterministic form by rejecting non-shortest integer encodings, trailing data, and out-of-order map keys. Additionally, the PR refactors hashing functions for StateID and CertificationData to use explicit structs for consistent marshaling and adds rigorous length validation for state and transaction hashes. Review feedback suggests optimizing integer parsing using the binary package and hardening simple value checks within the CBOR validator to reject reserved values.

Comment thread pkg/api/certification_request_canonical.go Outdated
Comment thread pkg/api/certification_request_canonical.go Outdated
@jait91 jait91 self-assigned this May 14, 2026
@jait91 jait91 requested review from MastaP and ahtotruu May 14, 2026 08:41
MastaP
MastaP requested changes May 20, 2026
View reviewed changes
Comment thread pkg/api/certification_request_canonical.go Outdated
return nil
}

const maxCanonicalCBORDepth = 64
Copy link
Copy Markdown
Member

@MastaP MastaP May 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the code below is canonical CBOR handling, should be extracted somewhere

Copy link
Copy Markdown
Contributor Author

@jait91 jait91 May 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Extracted the generic canonical CBOR validation into pkg/cbor, so it is no longer certification-request specific

Comment thread pkg/api/certification_request_canonical.go Outdated

// UnmarshalCanonicalCertificationRequestCBOR decodes data into out and rejects
// the input if it is not in canonical Core Deterministic CBOR form.
func UnmarshalCanonicalCertificationRequestCBOR(data []byte, out *CertificationRequest) error {
Copy link
Copy Markdown
Member

@MastaP MastaP May 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

move this to pkg/api/certification_request.go. func name looks like an overkill. maybe just UnmarshalCertificationRequestCBOR (comment explains the expectation to be canonical)

Copy link
Copy Markdown
Contributor Author

@jait91 jait91 May 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved the request-specific wrapper to certification_request.go and renamed it to UnmarshalCertificationRequestCBOR

Comment thread pkg/api/certification_request_canonical.go Outdated
const maxCanonicalCBORDepth = 64

const (
cborMajorUnsignedInt byte = 0
Copy link
Copy Markdown
Member

@MastaP MastaP May 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I haven't checked but shouldn't these consts and functions come from some existing cbor lib? or maybe we need to extract one and share it between bft and aggregator..

Copy link
Copy Markdown
Contributor Author

@jait91 jait91 May 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The CBOR library has equivalent internal constants/parsing logic, but they are not exported for us to reuse directly. I moved the constants and validation code into a generic pkg/cbor package instead of keeping them in certification-request code, SDK handles this the same way

@jait91 jait91 requested a review from MastaP May 21, 2026 10:44
@MastaP MastaP assigned b3y0urs3lf and unassigned jait91 May 22, 2026
@b3y0urs3lf b3y0urs3lf merged commit b26e0f7 into main May 26, 2026
2 checks passed
@b3y0urs3lf b3y0urs3lf deleted the hardening/canonical-certification-request-cbor branch May 26, 2026 13:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MastaP MastaP MastaP approved these changes

@ahtotruu ahtotruu Awaiting requested review from ahtotruu

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@b3y0urs3lf b3y0urs3lf

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Request validation hardening

3 participants

@jait91 @MastaP @b3y0urs3lf