intermittent invalid signature with tz2 in aws kms #364

Open
stephengaudet opened this issue May 23, 2023 · 1 comment
Labels
aws bug Something isn't working

Comments

@stephengaudet
Contributor

tz3 seems ok, but tz2 produces a signature that octez-client reports as invalid about 50% of the time.

steps to reproduce:

  1. configure the Signatory aws-kms vault
  2. create tz2 (Secp256k1) and tz3 (P-256) keys for signing in aws kms
  3. make these 2 keys active in signatory.yaml
  4. import the Signatory URI for both keys into octez-client, using aliases awstz2 and awstz3
  5. fund both the tz2 and tz3 with some tez. 100 for example
  6. make repeated calls to: octez-client transfer 1 from awstz2 to alice --burn-cap 0.06425

expected:
each transfer is successful. (it is with tz3 but not tz2)

actual:
Signatory logs each one as successful:
time="2023-05-23T20:58:43Z" level=info msg="Requesting signing operation" ops="map[transaction:1]" ops_total=1 pkh=tz2SctcTKRRyogSTC8BZcAyxjw9XLUuyjvgM request=generic vault=AWSKMS vault_name=aws
time="2023-05-23T20:58:43Z" level=info msg="About to sign raw bytes" ops="map[transaction:1]" ops_total=1 pkh=tz2SctcTKRRyogSTC8BZcAyxjw9XLUuyjvgM raw=0349a3452d2701444118c24aa6dc0ee16f234797af321c95693be265f135cc0a3b6c01c8c903c8f37924fb8c158b58b78f5cebdf54d4028a02089b0100c0843d00006b82198cb179e8306c1bedd08f12dc863f32888600 request=generic vault=AWSKMS vault_name=aws
time="2023-05-23T20:58:43Z" level=info msg="Signed generic successfully" ops="map[transaction:1]" ops_total=1 pkh=tz2SctcTKRRyogSTC8BZcAyxjw9XLUuyjvgM request=generic vault=AWSKMS vault_name=aws
time="2023-05-23T20:58:43Z" level=info msg="POST /keys/tz2SctcTKRRyogSTC8BZcAyxjw9XLUuyjvgM" duration=183.171042ms hostname="signatory:6732" method=POST path=/keys/tz2SctcTKRRyogSTC8BZcAyxjw9XLUuyjvgM start_time="2023-05-23T20:58:43Z" status=200

but half of them are invalid from octez-client's perspective:
The signer for http://signatory:6732/tz2SctcTKRRyogSTC8BZcAyxjw9XLUuyjvgM produced an invalid signature
Fatal error:
transfer simulation failed

@stephengaudet
Contributor Author

failed validation:

13: http://signatory:6732/keys/tz2SctcTKRRyogSTC8BZcAyxjw9XLUuyjvgM
"032c305d6f5abe669dcb122008353a585ac26f0f24c61339b419f7f007ac9adbfa6c01c8c903c8f37924fb8c158b58b78f5cebdf54d4028a020e9b0100c0843d00006b82198cb179e8306c1bedd08f12dc863f32888600"
<<<<13: 200 OK

{ "signature":
"spsig15wjAnArhsnWM7jt7PRCeqq3JVVhey6qDCZHSVr4hbi1ir1wkQFGvAp8VKN4VFTC3dGHXo6YhSxyBXazwLQsgRggbZ33CR" }
The signer for http://signatory:6732/tz2SctcTKRRyogSTC8BZcAyxjw9XLUuyjvgM produced an invalid signature

passed validation:

13: http://signatory:6732/keys/tz2SctcTKRRyogSTC8BZcAyxjw9XLUuyjvgM
"039c6bbca75e6863101a5e1849d830b085d4e721bcf94487d4311a457fee67593f6c01c8c903c8f37924fb8c158b58b78f5cebdf54d4028a020e9b0100c0843d00006b82198cb179e8306c1bedd08f12dc863f32888600"
<<<<13: 200 OK
{ "signature":
"spsig1MKbCc5VXVYzQntnRKvxyLYDajX4S6XFGt9R1vGGzDhXXsXTnQ7GzB2nBP1VDHVkrcyx4wTwWGyFTC5DtaY2kW3axE1o2b" }
14: http://flextesa:20000/chains/main/blocks/head/helpers/preapply/operations

{ "name": "awstz2",
"value":
{ "locator":
"http://signatory:6732/tz2SctcTKRRyogSTC8BZcAyxjw9XLUuyjvgM",
"key": "sppk7cqbfSsBjf6ixegAbkBz9YP4TBM2dSsosfFzrurWShQRqvAo3YH" } },

@stephengaudet stephengaudet added bug Something isn't working aws labels May 23, 2023
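
Added example, not part of the issue and not Signatory's code: a failure rate near 50% on secp256k1 only is what a verifier that accepts only low-s ECDSA signatures (as libsecp256k1 does) would show if the signer returns s unnormalised. That cause is an assumption, the issue does not confirm it. The sketch below takes a DER-encoded ECDSA signature, the format AWS KMS returns for ECC keys, and produces the 64-byte r||s form with s forced into the low half; `CompactLowS` and `ecdsaSig` are hypothetical names.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// Order n of the secp256k1 group (public curve constant) and n/2.
var (
	curveN, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", 16)
	halfN     = new(big.Int).Rsh(curveN, 1)
)

// ecdsaSig mirrors the ASN.1 ECDSA-Sig-Value SEQUENCE { r INTEGER, s INTEGER }.
type ecdsaSig struct{ R, S *big.Int }

// CompactLowS (hypothetical helper) parses a DER signature, replaces a
// high s with n - s, and returns the fixed 64-byte r||s form.
func CompactLowS(der []byte) (out []byte, wasHigh bool, err error) {
	var sig ecdsaSig
	rest, err := asn1.Unmarshal(der, &sig)
	if err != nil || len(rest) != 0 {
		return nil, false, errors.New("input is not a single DER ECDSA-Sig-Value")
	}
	for _, v := range []*big.Int{sig.R, sig.S} {
		if v.Sign() <= 0 || v.Cmp(curveN) >= 0 {
			return nil, false, errors.New("r or s out of range [1, n-1]")
		}
	}
	if sig.S.Cmp(halfN) > 0 {
		sig.S.Sub(curveN, sig.S) // (r, n-s) verifies for the same key and message
		wasHigh = true
	}
	out = make([]byte, 64)
	sig.R.FillBytes(out[:32]) // left-pad each integer to 32 bytes
	sig.S.FillBytes(out[32:])
	return out, wasHigh, nil
}

func main() {
	// Constructed sample, not a value from the issue: r = 1, s = n - 1 (high s).
	der, _ := asn1.Marshal(ecdsaSig{big.NewInt(1), new(big.Int).Sub(curveN, big.NewInt(1))})
	out, high, err := CompactLowS(der)
	fmt.Printf("%x high=%v err=%v\n", out, high, err)
}
```

Logging `wasHigh` next to each signing request would show whether the rejected transfers line up with high-s outputs from the vault.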