Wrong key used to sign handoff-give envelope ? #6
Comments
But maybe I'm completely wrong on this and I, as a receiver, should NOT check the signature and just go connect to the exporter. But peeking into a signed object without checking the signature feels wrong 😕
So it's important that the signature on the

The certificate isn't really something that the receiver ought to be checking; this is a capability being handed to it to get an object. The responsibility of checking it lands solely on the exporter, who needs to verify it's correct and has the information to do this. The issue with changing the key in the envelope to the receiver's key is that the gifter no longer has a mechanism to verify that it really was the gifter who created this certificate.

I don't know if you've seen it, but I made a presentation in January's OCapN meeting where I went over how handoffs work in detail. The slides and the recorded presentation are available here: https://ocapn.org/news/spritely-goblins-third-party-handoffs-implementation-presentation.html

As an aside, I agree the spec does say you should always check the signature envelope. This I guess isn't the case; there are exceptions in the situation of handoffs, as you don't have enough information to check them :)

Let me know if this makes sense and resolves this issue for you.
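The point above (the receiver cannot check the envelope because it only shares a session with the gifter, while the exporter can, and switching the signing key to the receiver's session breaks the exporter's check) can be shown with a small standalone model. This is an added example, not Goblins code and not the OCapN wire format: the session names `g2e` and `g2r` follow the issue, Ed25519 keys stand in for per-session signing keys, and the certificate body is a constructed byte string.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Envelope stands in for a signed handoff-give message. The field names are
// illustrative and are not the OCapN wire format.
type Envelope struct {
	Payload   []byte // handoff certificate body, opaque to the receiver
	Signature []byte
}

// sessionKeys holds the gifter's per-session signing keys. g2e is the
// gifter<->exporter session, g2r the gifter<->receiver session (issue's
// naming). Each peer knows only the gifter's public key for its own session.
type sessionKeys struct {
	g2ePub  ed25519.PublicKey
	g2ePriv ed25519.PrivateKey
	g2rPub  ed25519.PublicKey
	g2rPriv ed25519.PrivateKey
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignHandoffGive builds the envelope the gifter sends to the receiver,
// signed with the private key of one of the gifter's sessions.
func SignHandoffGive(priv ed25519.PrivateKey, cert []byte) Envelope {
	return Envelope{Payload: cert, Signature: ed25519.Sign(priv, cert)}
}

// VerifyEnvelope is the check a peer can run with whatever gifter public key
// it holds for its own session.
func VerifyEnvelope(pub ed25519.PublicKey, env Envelope) bool {
	return ed25519.Verify(pub, env.Payload, env.Signature)
}

// RunHandoff signs a constructed certificate with the g2e or the g2r session
// key and reports (receiverOK, exporterOK): whether the receiver's check with
// the g2r key passes and whether the exporter's check with the g2e key passes.
func RunHandoff(signWith string) (receiverOK, exporterOK bool) {
	k := sessionKeys{}
	k.g2ePub, k.g2ePriv = mustKey()
	k.g2rPub, k.g2rPriv = mustKey()

	// Constructed sample certificate body; real content is irrelevant here.
	cert := []byte("constructed handoff certificate: greeter object")

	var env Envelope
	switch signWith {
	case "g2e":
		env = SignHandoffGive(k.g2ePriv, cert)
	case "g2r":
		env = SignHandoffGive(k.g2rPriv, cert)
	default:
		panic("unknown session: " + signWith)
	}

	// Receiver: holds only the gifter's g2r public key, so it cannot validate
	// a g2e-signed envelope and should just hand it on to the exporter.
	receiverOK = VerifyEnvelope(k.g2rPub, env)
	// Exporter: holds the gifter's g2e public key from their shared session
	// and is the party that must confirm the gifter really issued the cert.
	exporterOK = VerifyEnvelope(k.g2ePub, env)
	return receiverOK, exporterOK
}

func main() {
	for _, s := range []string{"g2e", "g2r"} {
		r, e := RunHandoff(s)
		fmt.Printf("signed with %s: receiver verifies=%v, exporter verifies=%v\n", s, r, e)
	}
}
```

Signing with `g2e` gives receiver=false, exporter=true, which is the situation the issue describes; signing with `g2r` flips both, so the receiver's check passes but the exporter can no longer tell that the gifter created the certificate.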
Can we split the type and have e.g.
First, I assume the code being tested is the receiver here, judging by the fact that it gets a fetch request for a greeter object. Also the comment

...

implies that the 3rd party that isn't simulated has the receiver role.

So...

In the `make_valid_handoff` method the signature is made with the `g2e` private key, and then sent to the `g2r` session (me). However, the receiver doesn't have means to validate the signature, since this is the first message where the exporter is even mentioned.

Also, I've checked the goblins code for the `handoff-give` message, and apparently the session private key is used to sign `handoff-give` messages.

Changing the key used in the envelope to use the primary session key (i.e. `g2r`) allows execution to proceed: