feat: use signature domain instead of signature id for signatures

Author: MrWad3r

nekoton-abi/src/abi_helpers.rs

@@ -4,6 +4,7 @@ use ton_types::UInt256;
 
 use super::{BuildTokenValue, KnownParamType, UnpackerError, UnpackerResult};
 
+#[derive(Clone, Debug)]
 pub struct BigUint128(pub BigUint);
 
 impl BuildTokenValue for BigUint128 {

src/core/keystore/mod.rs

@@ -14,7 +14,7 @@ use tokio::sync::RwLock;
 use nekoton_utils::*;
 
 use crate::crypto::{
-    EncryptedData, EncryptionAlgorithm, PasswordCache, SharedSecret, Signature, SignatureId,
+    EncryptedData, EncryptionAlgorithm, PasswordCache, SharedSecret, Signature, SignatureDomain,
     Signer, SignerContext, SignerEntry, SignerStorage,
 };
 use crate::external::Storage;
@@ -290,7 +290,7 @@ impl KeyStore {
     pub async fn sign<T>(
         &self,
         data: &[u8],
-        signature_id: Option<SignatureId>,
+        signature_domain: SignatureDomain,
         input: T::SignInput,
     ) -> Result<Signature>
     where
@@ -303,7 +303,7 @@ impl KeyStore {
         };
         state
             .get_signer_ref::<T>()?
-            .sign(ctx, data, signature_id, input)
+            .sign(ctx, data, signature_domain, input)
             .await
     }
 

src/core/ton_wallet/wallet_v5r1.rs

@@ -385,7 +385,7 @@ mod tests {
     use crate::core::ton_wallet::wallet_v5r1::{
         compute_contract_address, is_wallet_v5r1, InitData, WALLET_ID,
     };
-    use crate::crypto::extend_with_signature_id;
+    use crate::crypto::{SignatureDomain, ToSign};
     use ed25519_dalek::{PublicKey, Signature, Verifier};
     use nekoton_contracts::wallets;
     use ton_block::AccountState;
@@ -438,15 +438,21 @@ mod tests {
 
         let public_key = PublicKey::from_bytes(public_key_bytes.as_slice())?;
 
-        let result = check_signature(in_msg_body_slice, public_key, Some(2000))?;
+        let result = check_signature(
+            in_msg_body_slice,
+            public_key,
+            SignatureDomain::L2 { global_id: 2000 },
+            false,
+        )?;
         assert!(result);
         Ok(())
     }
 
     fn check_signature(
         mut in_msg_body: SliceData,
         public_key: PublicKey,
-        signature_id: Option<i32>,
+        signature_domain: SignatureDomain,
+        enable_signature_domains: bool,
     ) -> anyhow::Result<bool> {
         let signature_binding = in_msg_body
             .get_slice(in_msg_body.remaining_bits() - 512, 512)?
@@ -458,11 +464,15 @@ mod tests {
             .into_cell();
 
         let hash = payload.repr_hash();
-
-        let data = extend_with_signature_id(hash.as_ref(), signature_id);
+        let to_sign = ToSign {
+            enable_signature_domains,
+            signature_domain,
+            data: hash.into_vec(),
+        };
+        let data = to_sign.write_to_bytes();
 
         Ok(public_key
-            .verify(&*data, &Signature::from_bytes(sig)?)
+            .verify(&data, &Signature::from_bytes(sig)?)
             .is_ok())
     }
 }

src/crypto/derived_key/mod.rs

@@ -2,18 +2,17 @@ use std::collections::hash_map::{self, HashMap};
 
 use anyhow::Result;
 use chacha20poly1305::{ChaCha20Poly1305, KeyInit, Nonce};
-use ed25519_dalek::{Keypair, PublicKey, Signer};
+use ed25519_dalek::{Keypair, PublicKey};
 use secstr::SecUtf8;
 use serde::{Deserialize, Serialize, Serializer};
 
-use nekoton_utils::*;
-
 use super::mnemonic::*;
 use super::{
-    default_key_name, extend_with_signature_id, Password, PasswordCache, PasswordCacheTransaction,
-    PubKey, SharedSecret, SignatureId, Signer as StoreSigner, SignerContext, SignerEntry,
-    SignerStorage,
+    default_key_name, Password, PasswordCache, PasswordCacheTransaction, PubKey, SharedSecret,
+    Signer as StoreSigner, SignerContext, SignerEntry, SignerStorage,
 };
+use crate::crypto::signature_domain::SignatureDomain;
+use nekoton_utils::*;
 
 #[derive(Default, Clone, Debug, Eq, PartialEq)]
 pub struct DerivedKeySigner {
@@ -355,12 +354,12 @@ impl StoreSigner for DerivedKeySigner {
         &self,
         ctx: SignerContext<'_>,
         data: &[u8],
-        signature_id: Option<SignatureId>,
+        signature_domain: SignatureDomain,
         input: Self::SignInput,
     ) -> Result<[u8; 64]> {
         let keypair = self.use_sign_input(ctx.password_cache, input)?;
-        let data = extend_with_signature_id(data, signature_id);
-        Ok(keypair.sign(&data).to_bytes())
+        let signature = signature_domain.sign(&keypair, data);
+        Ok(signature.to_bytes())
     }
 }
 

src/crypto/encrypted_key/mod.rs

@@ -4,19 +4,18 @@ use std::io::Read;
 
 use anyhow::Result;
 use chacha20poly1305::{ChaCha20Poly1305, Key, KeyInit, Nonce};
-use ed25519_dalek::{Keypair, PublicKey, SecretKey, Signer};
+use ed25519_dalek::{Keypair, PublicKey, SecretKey};
 use rand::Rng;
 use secstr::SecUtf8;
 use serde::{Deserialize, Serialize};
 
-use nekoton_utils::*;
-
 use super::mnemonic::*;
 use super::{
-    default_key_name, extend_with_signature_id, Password, PasswordCache, PasswordCacheTransaction,
-    PubKey, SharedSecret, SignatureId, Signer as StoreSigner, SignerContext, SignerEntry,
-    SignerStorage,
+    default_key_name, signature_domain::SignatureDomain, Password, PasswordCache,
+    PasswordCacheTransaction, PubKey, SharedSecret, Signer as StoreSigner, SignerContext,
+    SignerEntry, SignerStorage,
 };
+use nekoton_utils::*;
 
 #[derive(Default, Clone, Debug, Eq, PartialEq)]
 pub struct EncryptedKeySigner {
@@ -194,7 +193,7 @@ impl StoreSigner for EncryptedKeySigner {
         &self,
         ctx: SignerContext<'_>,
         data: &[u8],
-        signature_id: Option<SignatureId>,
+        signature_domain: SignatureDomain,
         input: Self::SignInput,
     ) -> Result<[u8; 64]> {
         let key = self.get_key(&input.public_key)?;
@@ -203,7 +202,7 @@ impl StoreSigner for EncryptedKeySigner {
             .password_cache
             .process_password(input.public_key.to_bytes(), input.password)?;
 
-        let signature = key.sign(data, signature_id, password.as_ref())?;
+        let signature = key.sign(signature_domain, data, password.as_ref())?;
 
         password.proceed();
         Ok(signature)
@@ -470,11 +469,11 @@ impl EncryptedKey {
 
     pub fn sign(
         &self,
+        signature_domain: SignatureDomain,
         data: &[u8],
-        signature_id: Option<SignatureId>,
         password: &str,
     ) -> Result<[u8; ed25519_dalek::SIGNATURE_LENGTH]> {
-        self.inner.sign(data, signature_id, password)
+        self.inner.sign(signature_domain, data, password)
     }
 
     pub fn compute_shared_keys(
@@ -531,17 +530,17 @@ struct CryptoData {
 impl CryptoData {
     pub fn sign(
         &self,
+        signature_domain: SignatureDomain,
         data: &[u8],
-        signature_id: Option<SignatureId>,
         password: &str,
     ) -> Result<[u8; ed25519_dalek::SIGNATURE_LENGTH]> {
         let secret = self.decrypt_secret(password)?;
         let pair = Keypair {
             secret,
             public: self.pubkey,
         };
-        let data = extend_with_signature_id(data, signature_id);
-        Ok(pair.sign(&data).to_bytes())
+        let signature = signature_domain.sign(&pair, data);
+        Ok(signature.to_bytes())
     }
 
     pub fn compute_shared_keys(
@@ -705,7 +704,7 @@ mod tests {
         .unwrap();
 
         assert!(!signer.as_json().is_empty());
-        let result = signer.sign(b"lol", None, "lol");
+        let result = signer.sign(SignatureDomain::Empty, b"lol", "lol");
         assert!(result.is_err());
     }
 

src/crypto/ledger_key/mod.rs

@@ -10,10 +10,11 @@ use serde::{Deserialize, Serialize};
 use nekoton_utils::*;
 
 use super::{
-    default_key_name, SharedSecret, SignatureId, Signer as StoreSigner, SignerContext, SignerEntry,
+    default_key_name, SharedSecret, Signer as StoreSigner, SignerContext, SignerEntry,
     SignerStorage,
 };
 use crate::core::ton_wallet::WalletType;
+use crate::crypto::signature_domain::SignatureDomain;
 use crate::external::{LedgerConnection, LedgerSignatureContext};
 
 #[derive(Clone)]
@@ -150,22 +151,22 @@ impl StoreSigner for LedgerKeySigner {
         &self,
         _: SignerContext<'_>,
         data: &[u8],
-        signature_id: Option<SignatureId>,
+        signature_domain: SignatureDomain,
         input: Self::SignInput,
     ) -> Result<[u8; ed25519_dalek::SIGNATURE_LENGTH]> {
         let key = self.get_key(&input.public_key)?;
         let signature = match input.context {
             None => {
                 self.connection
-                    .sign(key.account_id, signature_id, data)
+                    .sign(key.account_id, signature_domain, data)
                     .await?
             }
             Some(context) => {
                 self.connection
                     .sign_transaction(
                         key.account_id,
                         input.wallet.try_into()?,
-                        signature_id,
+                        signature_domain,
                         data,
                         &context,
                     )

src/crypto/mod.rs

@@ -1,5 +1,3 @@
-use std::borrow::Cow;
-
 use anyhow::Result;
 use downcast_rs::{impl_downcast, Downcast};
 use dyn_clone::DynClone;
@@ -15,12 +13,14 @@ pub use encrypted_key::*;
 pub use ledger_key::*;
 pub use mnemonic::*;
 pub use password_cache::*;
+pub use signature_domain::*;
 
 mod derived_key;
 mod encrypted_key;
 mod ledger_key;
 mod mnemonic;
 mod password_cache;
+mod signature_domain;
 
 pub type Signature = [u8; ed25519_dalek::SIGNATURE_LENGTH];
 pub type PubKey = [u8; ed25519_dalek::PUBLIC_KEY_LENGTH];
@@ -166,7 +166,7 @@ pub trait Signer: SignerStorage {
         &self,
         ctx: SignerContext<'_>,
         data: &[u8],
-        signature_id: Option<SignatureId>,
+        signature_domain: SignatureDomain,
         input: Self::SignInput,
     ) -> Result<Signature>;
 }
@@ -240,17 +240,17 @@ pub fn default_key_name(public_key: &PubKey) -> String {
     )
 }
 
-pub fn extend_with_signature_id(data: &[u8], signature_id: Option<SignatureId>) -> Cow<'_, [u8]> {
-    match signature_id {
-        Some(signature_id) => {
-            let mut extended_data = Vec::with_capacity(4 + data.len());
-            extended_data.extend_from_slice(&signature_id.to_be_bytes());
-            extended_data.extend_from_slice(data);
-            Cow::Owned(extended_data)
-        }
-        None => Cow::Borrowed(data),
-    }
-}
+// pub fn extend_with_signature_id(data: &[u8], signature_id: Option<SignatureId>) -> Cow<'_, [u8]> {
+//     match signature_id {
+//         Some(signature_id) => {
+//             let mut extended_data = Vec::with_capacity(4 + data.len());
+//             extended_data.extend_from_slice(&signature_id.to_be_bytes());
+//             extended_data.extend_from_slice(data);
+//             Cow::Owned(extended_data)
+//         }
+//         None => Cow::Borrowed(data),
+//     }
+// }
 
 pub mod x25519 {
     use curve25519_dalek_ng::scalar::Scalar;

src/crypto/signature_domain/mod.rs

@@ -0,0 +1,84 @@
+use ed25519_dalek::Signer;
+use sha2::{Digest, Sha256};
+use std::borrow::Cow;
+
+pub struct ToSign {
+    pub enable_signature_domains: bool,
+    pub signature_domain: SignatureDomain,
+    pub data: Vec<u8>,
+}
+
+impl ToSign {
+    pub fn write_to_bytes(&self) -> Vec<u8> {
+        let mut output = Vec::new();
+
+        match self.signature_domain {
+            // Empty signature domain always doesn't have any prefix.
+            SignatureDomain::Empty => {}
+            // All other signature domains are prefixed as hash.
+            _ if self.enable_signature_domains => {
+                output.extend_from_slice(&self.signature_domain.get_tl_hash());
+            }
+            // Fallback for the original `SignatureWithId` implementation
+            // if domains are disabled.
+            SignatureDomain::L2 { global_id } => output.extend_from_slice(&global_id.to_be_bytes()),
+        }
+
+        output.extend_from_slice(&self.data);
+
+        output
+    }
+}
+
+/// Signature domain variants.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
+pub enum SignatureDomain {
+    /// Special variant to NOT add any prefix for the verified data.
+    /// Can be used to verify mainnet signatures from L2 networks.
+    Empty,
+    /// Non-empty variant. Hash of its TL representation
+    /// is used as a prefix for the verified data.
+    L2 {
+        /// Global id of the network.
+        global_id: i32,
+    },
+}
+
+impl SignatureDomain {
+    /// Signs arbitrary data using the key and optional signature id.
+    pub fn sign(&self, key: &ed25519_dalek::Keypair, data: &[u8]) -> ed25519_dalek::Signature {
+        let data = self.apply(data);
+        key.sign(&data)
+    }
+    /// Prepares arbitrary data for signing.
+    pub fn apply<'a>(&self, data: &'a [u8]) -> Cow<'a, [u8]> {
+        if let Self::Empty = self {
+            Cow::Borrowed(data)
+        } else {
+            let hash = self.get_tl_hash();
+            let mut result = Vec::with_capacity(32 + data.len());
+            result.extend_from_slice(&hash);
+            result.extend_from_slice(data);
+            Cow::Owned(result)
+        }
+    }
+
+    fn get_tl_hash(&self) -> Vec<u8> {
+        Sha256::digest(self.write_to_bytes()).to_vec()
+    }
+
+    fn write_to_bytes(&self) -> Vec<u8> {
+        let mut data = Vec::new();
+        match self {
+            Self::Empty => {
+                data.extend_from_slice(&0xe1d571bu32.to_le_bytes()); //Empty variant tl tag
+            }
+            Self::L2 { global_id } => {
+                data.extend_from_slice(&0x71b34ee1u32.to_le_bytes()); // L2 variant tl tag
+                data.extend_from_slice(&global_id.to_le_bytes());
+            }
+        }
+
+        data
+    }
+}