Wrong key used to sign handoff-give envelope ?

[dpwiz]

Fist, I assume the code being tests is the receiver here, judging by the fact that it gets a fetch request for a greeter object. Also comment

Since we're both the gifter and exporter, let's just mimic a connection

... implies that the 3rd party that isn't simulated has the receiver role.

So...

In the make_valid_handoff method the signature is made with g2e private key. And then sent to g2r session (me). However the receiver doesn't have means to validate the signature since this is the first message where exporter is even mentioned.

Also, I've checked goblins code for the handoff-give message and apparently the session private key is used to sign handoff-give messages.

Changing the key used in the envelope to use primary session key (i.e. g2r) allows execution to proceed:

         return captp_types.DescSigEnvelope(
             handoff_give,
-            self.g2e_privkey.sign(handoff_give.to_syrup())
+            self.remote.private_key.sign(handoff_give.to_syrup())
         )

[dpwiz]

But maybe I'm completely wrong on this and I, as a receiver, should NOT check the signature and just go connect to the exporter.

https://github.com/ocapn/ocapn/blob/main/draft-specifications/CapTP%20Specification.md#handoffs-from-the-receivers-perspective

But peeking into a signed objects without checking the signature feels wrong 😕
And:

When this [sig envelope] is received, the signature must be valid using the corresponding public key. If the signature is not valid, the operation should be aborted.

[tsyesika]

So it's important that the signature on the desc:sig-envolope that wraps the desc:handoff-give sent the receiver is the signature that's of the gifter <-> exporter. This does mean the receiver cannot verify it. The main reason behind this is the exporter needs a way to verify that the gifter they know from their gifter <-> exporter session actually made this desc:handoff-give.

The certificate isn't really something that the receiver ought to be checking, this is a capability being handed to it to get an object. The responsibility of checking it lands solely on the exporter who needs to verify it's correct and has the information to do this. The issue with changing the key in the envelope to the receiver's key is that the gifter no longer has a mechanism to verify that it really was the gifter who created this certificate.

I don't know if you've seen it but I made a presentation in January's OCapN meeting where I went over how handoffs work in details, the slides and the recorded presentation are available here:

https://ocapn.org/news/spritely-goblins-third-party-handoffs-implementation-presentation.html

As an aside I agree the spec does say you should always check the signature envolope, this I guess isn't the case, there are exceptions in the situation of handoffs as you don't have enough information to check them :)

Let me know if this makes sense and resolves this issue for you.

[dpwiz]

Can we split it the type and have e.g. sig:envelope for "check before reading" and sig:handoff for "check when it is for you"?