Update exit list signing infra for contract based exits #988

Merged
jkilpatr merged 17 commits into master from jkilpatr/exit-list-infra-changes
Oct 22, 2024

Conversation

jkilpatr
Member

@jkilpatr jkilpatr commented Sep 9, 2024

This PR can be split into modernization/update work and then exit list functionality changes.

The goal is that routers have a list of keys which can be used as the root of trust for the exit list. An exit list server exists online, publicly queryable, and returns a signed list of exits as they exist in the exit registration smart contract.

This allows exits to simply query and pass along this list to clients at will; the clients can then verify the list against their stored root of trust and bootstrap using these exits. This resolves the need to trust a local exit to bootstrap from it, and simplifies the previous structures in which the exits needed other exits configured in order to serve their own lists.

@jkilpatr jkilpatr force-pushed the jkilpatr/exit-list-infra-changes branch 13 times, most recently from a3c6fa4 to 1e8db00 Compare September 14, 2024 14:02
@jkilpatr jkilpatr force-pushed the jkilpatr/exit-list-infra-changes branch 4 times, most recently from 734c1db to 1a9ebb2 Compare September 19, 2024 00:57
@jkilpatr jkilpatr force-pushed the jkilpatr/exit-list-infra-changes branch from 1a9ebb2 to 0e2f050 Compare September 22, 2024 18:49
@ch-iara
Contributor

ch-iara commented Oct 7, 2024

Some questions for the signing loop:
Is the idea to sign all cached values, then store them in a second cache to load? Otherwise I'm not seeing the point there, when to_encrypted_server_list can be run when a client requests a signed list (and from my understanding these are one and the same caches we're accessing between the signing loop and the endpoint, but perhaps that's not true, since as it stands there is a cache sent in to the endpoint as an argument?)

And then, how do I retrieve data for a contract that is not already in the cache?

@ch-iara ch-iara force-pushed the jkilpatr/exit-list-infra-changes branch from ffbf411 to 3ee30d8 Compare October 7, 2024 17:32
Review thread on exit_trust_root/src/bin.rs (outdated, resolved)
Review thread on exit_trust_root/src/bin.rs (outdated, resolved)
@ch-iara ch-iara force-pushed the jkilpatr/exit-list-infra-changes branch from 076305b to a10327d Compare October 11, 2024 19:06
Review thread on exit_trust_root/config.toml (outdated, resolved)
Review thread on exit_trust_root/src/bin.rs (outdated, resolved)
Review thread on exit_trust_root/src/tls.rs (outdated, resolved)

Review comment on the following lines (diff context as shown on the page; the error message argument is cut off in the original):

```rust
let sig = list.clone().signature;
match list.data.verify(key, sig) {
    true => Ok(list),
    false => Err(RitaClientError::MiscStringError(
```
Member Author commented:

Where it's feasible, try to make a new error on RitaClientError rather than just using MiscStringError; it's a catch-all that ideally we use sparingly and eventually eliminate. Having a specific error type will make it easier for callers to match on and handle the signature-failed error if they ever want to.

@ch-iara ch-iara force-pushed the jkilpatr/exit-list-infra-changes branch 2 times, most recently from 8913a7d to 3bc3504 Compare October 18, 2024 11:20
@jkilpatr jkilpatr force-pushed the jkilpatr/exit-list-infra-changes branch from b0585b0 to be1a1ce Compare October 18, 2024 15:56
@ch-iara ch-iara force-pushed the jkilpatr/exit-list-infra-changes branch from fa33a13 to f08969d Compare October 18, 2024 19:52
@jkilpatr jkilpatr force-pushed the jkilpatr/exit-list-infra-changes branch 7 times, most recently from 20688ef to 5ba0da4 Compare October 22, 2024 00:24
jkilpatr and others added 17 commits October 21, 2024 20:26
This root of trust server allows clients to register via untrusted
exits, by viewing trusted signatures from the registration server, which
signs exit lists for arbitrary registration contracts based on trusted
keys already in the client.

And cleanup for exit server list handling. We no longer need to have
ExitList and ExitListV2 with the new ExitServerList, which simply
verifies the received SignedExitServerList from an exit.

The multi-exit test now has clients performing the exit list
request loop between the exits and the root of trust server.

We have 180 possible regions and the miscount was causing a
serialization issue with the string representation of the data.

This patch centers around making the SignedExitList generally more
robust. By making the individual vars private with only getters, and
adding a signer field to the struct itself, it's generally impossible to
accidentally modify the data and mess up a signature, or to construct a
signed exit list when it's not needed.

…ExitList

HashSets are iterated in random order on serialization, resulting in
signing and verification not working when the order of specific elements
had changed.

Sorting these elements before ABI serializing produces a canonical
order and makes it extremely difficult to break verification.

This patch does the actual background work required for the exits to
listen on a single multihomed IP for exit list requests.

We convert mesh_ip_v2 into an arbitrary list of additional IPs to
listen on, which is more flexible and a little cleaner considering that
we have to listen on these extra IPs in rita_common despite only
needing it for rita_exit.

We also change the exit list IP to a proper constant, rather than a
string.

...and must now query an exit visible to them to serve the
signed exit server list.

This patch removes the -async naming prefix for actix dependencies that
we adopted when pre-async and async dependencies had to co-exist in the
same binary.

While doing this, all actix deps and openssl are unified into workspace
dependencies, making them easier to track and manage.

Finally, we use openssl instead of rustls for SSL in the exit trust root,
as it turns out that any use of rustls poisons the workspace for easy
cross compilation.

Reqwest was at one time the best way to do a simple blocking HTTP call,
but now we can easily do that with an async closure and awc.

This patch makes the integration test registration retry function more
robust to failures caused when the routers don't have exit info yet.

For some reason this specific test does not init the settings that it
needs.

At this point we have passed the check test, so we know the code
compiles and the cause of failure is probably a very small tweak in the
actual logic. Therefore we should cache the build artifact to speed up
the next run.

The denied state is only for situations where the exit cannot accept
the clients, period, for some long-term or even permanent reason.

Instead the denied state was being returned even for momentary
connectivity issues, which resulted in CI failing any time the
registration server didn't finish starting up fast enough.
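The following is an added, self-contained illustration of the trust model in the PR description (a client verifies a relayed exit list against signer keys it already holds) and of the HashSet ordering bug described in one of the commit messages (a list re-serialised in a different element order no longer verifies unless both sides canonicalise first). It is not code from this repository or from its authors. The types Exit, SignedExitList, the functions Sign, Verify, relay and RunScenarios, the sample exit entries and the contract placeholder are all constructed for the example; ed25519 over JSON stands in for the project's own key scheme and ABI serialisation, and the two named error values follow the review comment's request for matchable errors instead of a catch-all string.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Specific error values callers can match on, rather than a catch-all string error.
var ErrUntrustedSigner = errors.New("exit list signer is not in the client's root of trust")
var ErrBadSignature = errors.New("exit list signature does not verify")

// Exit and SignedExitList are hypothetical shapes constructed for this example, not the project's structs.
type Exit struct {
	ID     string `json:"id"`
	Region int    `json:"region"`
}

type SignedExitList struct {
	Contract string `json:"contract"` // registration contract the list is for
	Exits    []Exit `json:"exits"`
	Signer   string `json:"signer"` // hex public key of the signing server
	Sig      string `json:"sig"`    // hex ed25519 signature over payload()
}

// payload builds the bytes that are signed and verified. With canonical set,
// exits are sorted by ID first, so every holder derives the same bytes no
// matter what order its in-memory set happened to iterate in.
func payload(contract string, exits []Exit, canonical bool) []byte {
	cp := append([]Exit(nil), exits...)
	if canonical {
		sort.Slice(cp, func(i, j int) bool { return cp[i].ID < cp[j].ID })
	}
	b, _ := json.Marshal(struct { // these plain types always marshal
		Contract string `json:"contract"`
		Exits    []Exit `json:"exits"`
	}{contract, cp})
	return b
}

// Sign is the root of trust server's side.
func Sign(priv ed25519.PrivateKey, contract string, exits []Exit, canonical bool) SignedExitList {
	return SignedExitList{
		Contract: contract,
		Exits:    append([]Exit(nil), exits...),
		Signer:   hex.EncodeToString(priv.Public().(ed25519.PublicKey)),
		Sig:      hex.EncodeToString(ed25519.Sign(priv, payload(contract, exits, canonical))),
	}
}

// Verify is the client's side: the signer must already be in the client's
// trusted key set, and the signature must cover the list exactly as received.
func Verify(trusted map[string]bool, list SignedExitList, canonical bool) error {
	pub, err := hex.DecodeString(list.Signer)
	if !trusted[list.Signer] || err != nil || len(pub) != ed25519.PublicKeySize {
		return ErrUntrustedSigner
	}
	sig, err := hex.DecodeString(list.Sig)
	if err != nil || !ed25519.Verify(pub, payload(list.Contract, list.Exits, canonical), sig) {
		return ErrBadSignature
	}
	return nil
}

// relay mimics an exit that loaded the list into a set and wrote it back out
// in a different iteration order (here: descending by ID) before handing it to a client.
func relay(list SignedExitList) SignedExitList {
	out := list
	out.Exits = append([]Exit(nil), list.Exits...)
	sort.Slice(out.Exits, func(i, j int) bool { return out.Exits[i].ID > out.Exits[j].ID })
	return out
}

// Outcome holds each scenario's verification result; nil means the client accepted the list.
type Outcome struct {
	RelayedNaive, RelayedCanonical, UntrustedSigner, Tampered error
}

func RunScenarios() Outcome {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]bool{hex.EncodeToString(rootPub): true} // the client's root of trust
	contract := "0xREGISTRATION_CONTRACT_PLACEHOLDER"
	exits := []Exit{{ID: "exit-c", Region: 42}, {ID: "exit-a", Region: 7}, {ID: "exit-b", Region: 7}} // constructed
	canon := Sign(rootPriv, contract, exits, true)
	tampered := canon
	tampered.Exits = append([]Exit{{ID: "exit-z"}}, canon.Exits...) // an exit the server never signed
	return Outcome{
		RelayedNaive:     Verify(trusted, relay(Sign(rootPriv, contract, exits, false)), false), // reordered in transit: rejected
		RelayedCanonical: Verify(trusted, relay(canon), true),                                  // sorted on both sides: accepted
		UntrustedSigner:  Verify(trusted, Sign(roguePriv, contract, exits, true), true),
		Tampered:         Verify(trusted, tampered, true),
	}
}

func main() { fmt.Printf("%+v\n", RunScenarios()) }
```

The two relay scenarios are the point: with the same signed content, only the canonicalised form survives a relaying exit that emits its set in a different order, which is why sorting before serialisation belongs on both the signing and the verifying side. The untrusted-signer and tampered cases show the client rejecting a list from a key outside its root of trust and a list whose entries were changed after signing, with a distinct error for each so callers can handle them separately.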
@jkilpatr jkilpatr force-pushed the jkilpatr/exit-list-infra-changes branch from 5ba0da4 to d84dfbc Compare October 22, 2024 00:28
@jkilpatr jkilpatr merged commit d84dfbc into master Oct 22, 2024
15 checks passed