Merge branch 'frederik/test-verify-canister-sig' into 'master'

feat(sm-tests): add canister signature verification to test binary

Canister signature verification is made significantly easier for
downstream projects if offered by the test binary. 

See merge request dfinity-lab/public/ic!12589

Author: Frederik Rothenberger

Cargo.Bazel.StaticOpenSSL.json.lock

@@ -1,5 +1,5 @@
 {
-  "checksum": "87a5af9327ba381852c335988c62c22781e11ca3f694a38d9056d943286614e3",
+  "checksum": "f563bcea718f20e1716e04d38f5d24942a2d1f2eb1622e26755e18311177f5cb",
   "crates": {
     "abnf 0.12.0": {
       "name": "abnf",
@@ -13016,7 +13016,7 @@
               "target": "ic_stable_structures"
             },
             {
-              "id": "ic-test-state-machine-client 2.1.0",
+              "id": "ic-test-state-machine-client 2.2.0",
               "target": "ic_test_state_machine_client"
             },
             {
@@ -20576,13 +20576,13 @@
       },
       "license": "Apache-2.0"
     },
-    "ic-test-state-machine-client 2.1.0": {
+    "ic-test-state-machine-client 2.2.0": {
       "name": "ic-test-state-machine-client",
-      "version": "2.1.0",
+      "version": "2.2.0",
       "repository": {
         "Http": {
-          "url": "https://crates.io/api/v1/crates/ic-test-state-machine-client/2.1.0/download",
-          "sha256": "be83b09145df43603a6255b2dee2b08055ed37642fe1ee26d2036f2ada81730b"
+          "url": "https://crates.io/api/v1/crates/ic-test-state-machine-client/2.2.0/download",
+          "sha256": "c942bd6ed0f179338f0fbe51999de9ba6f4d339e896a28f3f69bd4ccfe23b142"
         }
       },
       "targets": [
@@ -20630,7 +20630,7 @@
           "selects": {}
         },
         "edition": "2021",
-        "version": "2.1.0"
+        "version": "2.2.0"
       },
       "license": "Apache-2.0"
     },
@@ -50151,8 +50151,8 @@
         },
         {
           "Binary": {
-            "crate_name": "sleep",
-            "crate_root": "src/bin/sleep.rs",
+            "crate_name": "exit",
+            "crate_root": "src/bin/exit.rs",
             "srcs": {
               "include": [
                 "**/*.rs"
@@ -50163,8 +50163,8 @@
         },
         {
           "Binary": {
-            "crate_name": "reader",
-            "crate_root": "src/bin/reader.rs",
+            "crate_name": "sleep",
+            "crate_root": "src/bin/sleep.rs",
             "srcs": {
               "include": [
                 "**/*.rs"
@@ -50175,8 +50175,8 @@
         },
         {
           "Binary": {
-            "crate_name": "exit",
-            "crate_root": "src/bin/exit.rs",
+            "crate_name": "reader",
+            "crate_root": "src/bin/reader.rs",
             "srcs": {
               "include": [
                 "**/*.rs"

Cargo.Bazel.StaticOpenSSL.toml.lock

@@ -3947,9 +3947,9 @@ checksum = "0c0c68bf2fb590e3c3b4e0719383fb2cdceb308cd62df9fef571323b418f7e1c"
 
 [[package]]
 name = "ic-test-state-machine-client"
-version = "2.1.0"
+version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "be83b09145df43603a6255b2dee2b08055ed37642fe1ee26d2036f2ada81730b"
+checksum = "c942bd6ed0f179338f0fbe51999de9ba6f4d339e896a28f3f69bd4ccfe23b142"
 dependencies = [
  "candid 0.8.4",
  "ciborium",

Cargo.Bazel.json.lock

@@ -1,5 +1,5 @@
 {
-  "checksum": "6ee9224073d1c20dd9523a8a061a5500f3716a0c62b19612a3da665af44d9c13",
+  "checksum": "f020704ff72e0fb36927054b85f11dcbb1e0f52a8fab33a7b710ecd781ebd7b7",
   "crates": {
     "abnf 0.12.0": {
       "name": "abnf",
@@ -13016,7 +13016,7 @@
               "target": "ic_stable_structures"
             },
             {
-              "id": "ic-test-state-machine-client 2.1.0",
+              "id": "ic-test-state-machine-client 2.2.0",
               "target": "ic_test_state_machine_client"
             },
             {
@@ -20576,13 +20576,13 @@
       },
       "license": "Apache-2.0"
     },
-    "ic-test-state-machine-client 2.1.0": {
+    "ic-test-state-machine-client 2.2.0": {
       "name": "ic-test-state-machine-client",
-      "version": "2.1.0",
+      "version": "2.2.0",
       "repository": {
         "Http": {
-          "url": "https://crates.io/api/v1/crates/ic-test-state-machine-client/2.1.0/download",
-          "sha256": "be83b09145df43603a6255b2dee2b08055ed37642fe1ee26d2036f2ada81730b"
+          "url": "https://crates.io/api/v1/crates/ic-test-state-machine-client/2.2.0/download",
+          "sha256": "c942bd6ed0f179338f0fbe51999de9ba6f4d339e896a28f3f69bd4ccfe23b142"
         }
       },
       "targets": [
@@ -20630,7 +20630,7 @@
           "selects": {}
         },
         "edition": "2021",
-        "version": "2.1.0"
+        "version": "2.2.0"
       },
       "license": "Apache-2.0"
     },
@@ -50127,8 +50127,8 @@
         },
         {
           "Binary": {
-            "crate_name": "sleep",
-            "crate_root": "src/bin/sleep.rs",
+            "crate_name": "exit",
+            "crate_root": "src/bin/exit.rs",
             "srcs": {
               "include": [
                 "**/*.rs"
@@ -50139,8 +50139,8 @@
         },
         {
           "Binary": {
-            "crate_name": "reader",
-            "crate_root": "src/bin/reader.rs",
+            "crate_name": "sleep",
+            "crate_root": "src/bin/sleep.rs",
             "srcs": {
               "include": [
                 "**/*.rs"
@@ -50151,8 +50151,8 @@
         },
         {
           "Binary": {
-            "crate_name": "exit",
-            "crate_root": "src/bin/exit.rs",
+            "crate_name": "reader",
+            "crate_root": "src/bin/reader.rs",
             "srcs": {
               "include": [
                 "**/*.rs"

Cargo.Bazel.toml.lock

@@ -3947,9 +3947,9 @@ checksum = "0c0c68bf2fb590e3c3b4e0719383fb2cdceb308cd62df9fef571323b418f7e1c"
 
 [[package]]
 name = "ic-test-state-machine-client"
-version = "2.1.0"
+version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "be83b09145df43603a6255b2dee2b08055ed37642fe1ee26d2036f2ada81730b"
+checksum = "c942bd6ed0f179338f0fbe51999de9ba6f4d339e896a28f3f69bd4ccfe23b142"
 dependencies = [
  "candid 0.8.4",
  "ciborium",

Cargo.lock

@@ -487,7 +487,7 @@ def external_crates_repository(name, static_openssl, cargo_lockfile, lockfile):
                 version = "^0.2.1",
             ),
             "ic-test-state-machine-client": crate.spec(
-                version = "^2.1.0",
+                version = "^2.2.0",
             ),
             "ic-utils": crate.spec(
                 version = "^0.23.0",

bazel/external_crates.bzl

@@ -64,6 +64,8 @@ rust_library(
 BIN_DEPENDENCIES = [
     "//rs/config",
     "//rs/crypto",
+    "//rs/crypto/iccsa",
+    "//rs/crypto/utils/threshold_sig_der",
     "//rs/registry/subnet_type",
     "//rs/types/types",
     "//rs/types/ic00_types",

rs/state_machine_tests/BUILD.bazel

@@ -15,10 +15,12 @@ ic-constants = { path = "../constants" }
 ic-crypto = { path = "../crypto" }
 ic-crypto-ecdsa-secp256k1 = { path = "../crypto/ecdsa_secp256k1" }
 ic-crypto-extended-bip32 = { path = "../crypto/extended_bip32" }
+ic-crypto-iccsa = { path = "../crypto/iccsa" }
 ic-crypto-internal-seed = { path= "../crypto/internal/crypto_lib/seed" }
 ic-crypto-internal-threshold-sig-bls12381 = { path= "../crypto/internal/crypto_lib/threshold_sig/bls12_381" }
 ic-crypto-internal-types = { path= "../crypto/internal/crypto_lib/types" }
 ic-crypto-tree-hash = { path= "../crypto/tree_hash" }
+ic-crypto-utils-threshold-sig-der = { path = "../crypto/utils/threshold_sig_der" }
 ic-cycles-account-manager = { path = "../cycles_account_manager" }
 ic-error-types = { path = "../types/error_types" }
 ic-execution-environment = { path = "../execution_environment/" }

rs/state_machine_tests/Cargo.toml

@@ -2,6 +2,9 @@ use clap::Parser;
 use ic_config::execution_environment;
 use ic_config::subnet_config::SubnetConfig;
 use ic_crypto::threshold_sig_public_key_to_der;
+use ic_crypto_iccsa::types::SignatureBytes;
+use ic_crypto_iccsa::{public_key_bytes_from_der, verify};
+use ic_crypto_utils_threshold_sig_der::parse_threshold_sig_key_from_der;
 use ic_registry_subnet_type::SubnetType;
 use ic_state_machine_tests::{StateMachineBuilder, StateMachineConfig};
 use ic_test_state_machine_client::{CanisterCall, RawCanisterId, Request, Request::*};
@@ -131,6 +134,45 @@ fn main() {
                 env.run_until_completion(arg.max_ticks as usize);
                 send_response((), &opts);
             }
+            VerifyCanisterSig(arg) => {
+                type VerificationResult = Result<(), String>;
+                let pubkey = match public_key_bytes_from_der(&arg.pubkey) {
+                    Ok(pubkey) => pubkey,
+                    Err(err) => {
+                        send_response(
+                            VerificationResult::Err(format!(
+                                "failed to parse DER encoded public key: {:?}",
+                                err
+                            )),
+                            &opts,
+                        );
+                        continue;
+                    }
+                };
+                let root_pubkey = match parse_threshold_sig_key_from_der(&arg.root_pubkey) {
+                    Ok(root_pubkey) => root_pubkey,
+                    Err(err) => {
+                        send_response(
+                            VerificationResult::Err(format!(
+                                "failed to parse DER encoded root public key: {:?}",
+                                err
+                            )),
+                            &opts,
+                        );
+                        continue;
+                    }
+                };
+                match verify(&arg.msg, SignatureBytes(arg.sig), pubkey, &root_pubkey) {
+                    Ok(()) => send_response(VerificationResult::Ok(()), &opts),
+                    Err(err) => send_response(
+                        VerificationResult::Err(format!(
+                            "canister signature verification failed: {:?}",
+                            err
+                        )),
+                        &opts,
+                    ),
+                };
+            }
         }
     }
 }