Submitting an empty "assetMetadataHash" causes the signature validation to fail #250

Closed
DJRHails opened this issue Nov 21, 2020 · 2 comments · Fixed by #253

@DJRHails

For instance the following code snippet:

```typescript
const txnParams = {
  'from': addr,
  'note': note,
  'suggestedParams': suggestedParams,
  'assetTotal': supply,
  'assetDecimals': decimals,
  'assetDefaultFrozen': false,
  'assetUnitName': unitName,
  'assetName': assetName,
  'assetURL': assetURL,
  'assetMetadataHash': '',
  'assetManager': managerAddress,
  'assetReserve': reserveAddress,
  'assetFreeze': freezeAddress,
  'assetClawback': clawbackAddress,
  'type': 'acfg' as const,
}
const signedTxn = sdk.signTransaction(txnParams, sk)
const transaction = await algodv2.sendRawTransaction(signedTxn.blob).do()
```

Will fail with:

{"message":"signature validation failed"}

If you remove the assetMetadataHash then this will succeed happily.

DJRHails changed the title from 'Submitting an empty "assetMetadataHash" causes the signing verification to fail' to 'Submitting an empty "assetMetadataHash" causes the signature validation to fail' on Nov 21, 2020
jasonpaulos added the FDE and bug (Something isn't working) labels on Nov 23, 2020
jasonpaulos self-assigned this on Dec 1, 2020
ian-algorand added this to the Sprint 14 milestone on Dec 1, 2020
@jasonpaulos
Contributor

Thanks for reporting this @DJRHails, I'm looking into it.

@jasonpaulos
Contributor

jasonpaulos commented Dec 1, 2020

This was a strange one to debug, but it looks like the issue is because the JavaScript SDK does not validate assetMetadataHash properly. This value is supposed to be exactly 32 bytes long, but if you pass in a smaller value the JavaScript SDK will construct and sign a transaction with that smaller value.

Then when the transaction reaches the server, the assetMetadataHash gets unpacked into the field here, which is 32 bytes long. In the case of a smaller value, it appears extra 0s are added. This means that when the server tries to verify the transaction signature it fails because a different transaction with a shorter assetMetadataHash was actually signed in JavaScript.

I've created #253 to fix this by throwing an error if assetMetadataHash isn't 32 bytes long, and I've made it so that an empty string or a zero-length Uint8Array also gets treated the same as undefined for this field.

In the meantime, you'll have to manually make sure you either pass in undefined or a string/Uint8Array that's exactly 32 bytes long.

Thanks for reporting this!
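
The mismatch and the validation described in the comment above, as an added JavaScript example (not algosdk's code and not the change in #253). `encode` and `serverView` are a toy stand-in for the real wire format, strings are assumed to be taken as UTF-8 bytes, and every function name here is hypothetical.

```javascript
const HASH_LEN = 32; // required length of assetMetadataHash, per the comment above
const utf8 = new TextEncoder();

// Validation as described: empty string / zero-length Uint8Array behave like
// undefined; any other value must be exactly 32 bytes or an error is thrown.
function normalizeMetadataHash(value) {
  if (value === undefined) return undefined;
  const bytes = typeof value === 'string' ? utf8.encode(value) : value; // UTF-8 is an assumption
  if (!(bytes instanceof Uint8Array)) {
    throw new TypeError('assetMetadataHash must be a string or Uint8Array');
  }
  if (bytes.length === 0) return undefined; // empty means "not set"
  if (bytes.length !== HASH_LEN) {
    throw new RangeError(`assetMetadataHash must be ${HASH_LEN} bytes, got ${bytes.length}`);
  }
  return bytes;
}

// Toy encoding of the signed bytes (hypothetical): length-prefixed name,
// then a presence flag followed by the length-prefixed hash.
function encode(assetName, hash) {
  const name = utf8.encode(assetName);
  const tail = hash === undefined ? [0] : [1, hash.length, ...hash];
  return Uint8Array.from([name.length, ...name, ...tail]);
}

// Server model: a hash present on the wire is unpacked into a fixed
// 32-byte field (short values zero-padded) before the bytes are re-derived.
function serverView(assetName, wireHash) {
  if (wireHash === undefined) return encode(assetName, undefined);
  const fixed = new Uint8Array(HASH_LEN);
  fixed.set(wireHash.subarray(0, HASH_LEN));
  return encode(assetName, fixed);
}

// A signature can only verify if the server re-derives the exact signed bytes.
function signatureWouldVerify(assetName, wireHash) {
  const signed = encode(assetName, wireHash);
  const checked = serverView(assetName, wireHash);
  return signed.length === checked.length && signed.every((b, i) => b === checked[i]);
}

// Behaviour before the fix: the value is converted to bytes and signed as-is.
const unvalidated = (v) => (typeof v === 'string' ? utf8.encode(v) : v);

console.log(signatureWouldVerify('Coin', unvalidated('')));           // empty hash signed as-is
console.log(signatureWouldVerify('Coin', normalizeMetadataHash(''))); // empty treated as undefined
```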
