fix(agent): Check subnet canister ranges (#580)

* Verify the canister subnet ranges for a certificate

* Don't check subnet ranges for reading management canister state

* Update usage of Certificate.verify in e2e test

* Fix how root keys are determined

* Change the expected error in the MITM test

Co-authored-by: Kyle Peacock <kylpeacock@gmail.com>

Author: oggy-dfin

docs/generated/changelog.html

@@ -10,6 +10,16 @@
     <h1>Agent-JS Changelog</h1>
 
     <section>
+      <h2>Version 0.12.0</h2>
+      <ul>
+        <li>
+          Changed the certificate verification interface and fixed its logic. The public constructor
+          is now static and asynchronous. There is no separate verification method, the check is
+          done automatically in the constructor and newly also checks that the delegation is
+          authoritative for the given canister ID, as required by the Internet Computer interface
+          specification.
+        </li>
+      </ul>
       <h2>Version 0.11.2</h2>
       <ul>
         <li>

e2e/node/basic/basic.test.ts

@@ -10,13 +10,16 @@ test('read_state', async () => {
   const resolvedAgent = await agent;
   const now = Date.now() / 1000;
   const path = [new TextEncoder().encode('time')];
-  const response = await resolvedAgent.readState(Principal.fromHex('00000000000000000001'), {
+  const canisterId = Principal.fromHex('00000000000000000001');
+  const response = await resolvedAgent.readState(canisterId, {
     paths: [path],
   });
-  const cert = new Certificate(response, resolvedAgent);
-
-  expect(() => cert.lookup(path)).toThrow(/Cannot lookup unverified certificate/);
-  expect(await cert.verify()).toBe(true);
+  if (resolvedAgent.rootKey == null) throw new Error(`The agent doesn't have a root key yet`);
+  const cert = await Certificate.create({
+    certificate: response.certificate,
+    rootKey: resolvedAgent.rootKey,
+    canisterId: canisterId,
+  });
   expect(cert.lookup([new TextEncoder().encode('Time')])).toBe(undefined);
   // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
   const rawTime = cert.lookup(path)!;

e2e/node/basic/mitm.test.ts

@@ -11,6 +11,6 @@ if (!process.env['MITM']) {
 jest.setTimeout(30000);
 mitmTest('mitm greet', async () => {
   const { actor: counter } = await counterCanister();
-  await expect(counter.greet('counter')).rejects.toThrow(/Fail to verify certificate/);
+  await expect(counter.greet('counter')).rejects.toThrow(/Invalid certificate/);
   expect(await counter.queryGreet('counter')).toEqual('Hullo, counter!');
 });

package-lock.json

@@ -87,13 +87,11 @@ export const request = async (options: {
         const response = await agent.readState(canisterId, {
           paths: [encodedPaths[index]],
         });
-        const cert = new Certificate(response, agent);
-        const verified = await cert.verify();
-        if (!verified) {
-          throw new Error(
-            'There was a problem certifying the response data. Please verify your connection to the mainnet, or be sure to call fetchRootKey on your agent if you are developing locally',
-          );
-        }
+        const cert = await Certificate.create({
+          certificate: response.certificate,
+          rootKey: agent.rootKey,
+          canisterId: canisterId,
+        });
 
         const data = cert.lookup(encodePath(uniquePaths[index], canisterId));
         if (!data) {