Skip to content

Commit ebebe14

Browse files
chenchanglewchenchanglew
authored
Merge pull request #222 from dedis/210-technical-debt-verify-signature-before-execute-request
verify signature before process the request for every signedRequest
2 parents 6a53a65 + c1e3b1e commit ebebe14

File tree

3 files changed

+67
-68
lines changed

3 files changed

+67
-68
lines changed

proxy/dkg.go

+16-18
Original file line numberDiff line numberDiff line change
@@ -64,7 +64,6 @@ func (d dkg) NewDKGActor(w http.ResponseWriter, r *http.Request) {
6464
return
6565
}
6666

67-
6867
if len(formIDBuf) == 0 {
6968
http.Error(w, "formID is empty", http.StatusBadRequest)
7069
return
@@ -145,8 +144,23 @@ func (d dkg) Actor(w http.ResponseWriter, r *http.Request) {
145144
// EditDKGActor implements proxy.DKG
146145
// Setups the DKG actor or begins decryption
147146
func (d dkg) EditDKGActor(w http.ResponseWriter, r *http.Request) {
148-
vars := mux.Vars(r)
147+
var req types.UpdateDKG
148+
149+
// Read the request
150+
signed, err := types.NewSignedRequest(r.Body)
151+
if err != nil {
152+
InternalError(w, r, newSignedErr(err), nil)
153+
return
154+
}
149155

156+
// Verify the signature
157+
err = signed.GetAndVerify(d.pk, &req)
158+
if err != nil {
159+
InternalError(w, r, getSignedErr(err), nil)
160+
return
161+
}
162+
163+
vars := mux.Vars(r)
150164
if vars == nil || vars["formID"] == "" {
151165
http.Error(w, fmt.Sprintf("formID not found: %v", vars), http.StatusInternalServerError)
152166
return
@@ -167,22 +181,6 @@ func (d dkg) EditDKGActor(w http.ResponseWriter, r *http.Request) {
167181
return
168182
}
169183

170-
var req types.UpdateDKG
171-
172-
// Read the request
173-
signed, err := types.NewSignedRequest(r.Body)
174-
if err != nil {
175-
InternalError(w, r, newSignedErr(err), nil)
176-
return
177-
}
178-
179-
// Verify the signature
180-
err = signed.GetAndVerify(d.pk, &req)
181-
if err != nil {
182-
InternalError(w, r, getSignedErr(err), nil)
183-
return
184-
}
185-
186184
switch req.Action {
187185
// setup the DKG
188186
case "setup":

proxy/election.go

+35-34
Original file line numberDiff line numberDiff line change
@@ -44,7 +44,7 @@ func NewForm(srv ordering.Service, mngr txn.Manager, p pool.Pool,
4444
logger: logger,
4545
orderingSvc: srv,
4646
context: ctx,
47-
formFac: fac,
47+
formFac: fac,
4848
mngr: mngr,
4949
pool: p,
5050
pk: pk,
@@ -60,7 +60,7 @@ type form struct {
6060
orderingSvc ordering.Service
6161
logger zerolog.Logger
6262
context serde.Context
63-
formFac serde.Factory
63+
formFac serde.Factory
6464
mngr txn.Manager
6565
pool pool.Pool
6666
pk kyber.Point
@@ -126,16 +126,6 @@ func (h *form) NewForm(w http.ResponseWriter, r *http.Request) {
126126

127127
// NewFormVote implements proxy.Proxy
128128
func (h *form) NewFormVote(w http.ResponseWriter, r *http.Request) {
129-
vars := mux.Vars(r)
130-
131-
// check if the formID is valid
132-
if vars == nil || vars["formID"] == "" {
133-
http.Error(w, fmt.Sprintf("formID not found: %v", vars), http.StatusInternalServerError)
134-
return
135-
}
136-
137-
formID := vars["formID"]
138-
139129
var req ptypes.CastVoteRequest
140130

141131
// get the signed request
@@ -152,6 +142,16 @@ func (h *form) NewFormVote(w http.ResponseWriter, r *http.Request) {
152142
return
153143
}
154144

145+
vars := mux.Vars(r)
146+
147+
// check if the formID is valid
148+
if vars == nil || vars["formID"] == "" {
149+
http.Error(w, fmt.Sprintf("formID not found: %v", vars), http.StatusInternalServerError)
150+
return
151+
}
152+
153+
formID := vars["formID"]
154+
155155
elecMD, err := h.getFormsMetadata()
156156
if err != nil {
157157
http.Error(w, "failed to get form metadata", http.StatusNotFound)
@@ -166,7 +166,7 @@ func (h *form) NewFormVote(w http.ResponseWriter, r *http.Request) {
166166

167167
ciphervote := make(types.Ciphervote, len(req.Ballot))
168168

169-
// encrypt the vote
169+
// encrypt the vote
170170
for i, egpair := range req.Ballot {
171171
k := suite.Point()
172172

@@ -192,8 +192,8 @@ func (h *form) NewFormVote(w http.ResponseWriter, r *http.Request) {
192192

193193
castVote := types.CastVote{
194194
FormID: formID,
195-
UserID: req.UserID,
196-
Ballot: ciphervote,
195+
UserID: req.UserID,
196+
Ballot: ciphervote,
197197
}
198198

199199
// serialize the vote
@@ -214,6 +214,22 @@ func (h *form) NewFormVote(w http.ResponseWriter, r *http.Request) {
214214

215215
// EditForm implements proxy.Proxy
216216
func (h *form) EditForm(w http.ResponseWriter, r *http.Request) {
217+
var req ptypes.UpdateFormRequest
218+
219+
// get the signed request
220+
signed, err := ptypes.NewSignedRequest(r.Body)
221+
if err != nil {
222+
InternalError(w, r, newSignedErr(err), nil)
223+
return
224+
}
225+
226+
// get the request and verify the signature
227+
err = signed.GetAndVerify(h.pk, &req)
228+
if err != nil {
229+
InternalError(w, r, getSignedErr(err), nil)
230+
return
231+
}
232+
217233
vars := mux.Vars(r)
218234

219235
//check if the formID is valid
@@ -236,21 +252,6 @@ func (h *form) EditForm(w http.ResponseWriter, r *http.Request) {
236252
return
237253
}
238254

239-
var req ptypes.UpdateFormRequest
240-
241-
// get the signed request
242-
signed, err := ptypes.NewSignedRequest(r.Body)
243-
if err != nil {
244-
InternalError(w, r, newSignedErr(err), nil)
245-
return
246-
}
247-
248-
// get the request and verify the signature
249-
err = signed.GetAndVerify(h.pk, &req)
250-
if err != nil {
251-
InternalError(w, r, getSignedErr(err), nil)
252-
return
253-
}
254255
switch req.Action {
255256
case "open":
256257
h.openForm(formID, w, r)
@@ -413,7 +414,7 @@ func (h *form) Form(w http.ResponseWriter, r *http.Request) {
413414
}
414415

415416
response := ptypes.GetFormResponse{
416-
FormID: string(form.FormID),
417+
FormID: string(form.FormID),
417418
Configuration: form.Configuration,
418419
Status: uint16(form.Status),
419420
Pubkey: hex.EncodeToString(pubkeyBuf),
@@ -468,9 +469,9 @@ func (h *form) Forms(w http.ResponseWriter, r *http.Request) {
468469

469470
info := ptypes.LightForm{
470471
FormID: string(form.FormID),
471-
Title: form.Configuration.MainTitle,
472-
Status: uint16(form.Status),
473-
Pubkey: hex.EncodeToString(pubkeyBuf),
472+
Title: form.Configuration.MainTitle,
473+
Status: uint16(form.Status),
474+
Pubkey: hex.EncodeToString(pubkeyBuf),
474475
}
475476

476477
allFormsInfo[i] = info

proxy/shuffle.go

+16-16
Original file line numberDiff line numberDiff line change
@@ -32,22 +32,6 @@ type shuffle struct {
3232

3333
// EditShuffle implements proxy.Shuffle
3434
func (s shuffle) EditShuffle(w http.ResponseWriter, r *http.Request) {
35-
vars := mux.Vars(r)
36-
37-
// check if the formID is present
38-
if vars == nil || vars["formID"] == "" {
39-
http.Error(w, fmt.Sprintf("formID not found: %v", vars), http.StatusInternalServerError)
40-
return
41-
}
42-
43-
formID := vars["formID"]
44-
45-
buff, err := hex.DecodeString(formID)
46-
if err != nil {
47-
http.Error(w, "failed to decode formID: "+formID, http.StatusInternalServerError)
48-
return
49-
}
50-
5135
var req types.UpdateShuffle
5236

5337
// Read the request
@@ -64,6 +48,22 @@ func (s shuffle) EditShuffle(w http.ResponseWriter, r *http.Request) {
6448
return
6549
}
6650

51+
vars := mux.Vars(r)
52+
53+
// check if the formID is present
54+
if vars == nil || vars["formID"] == "" {
55+
http.Error(w, fmt.Sprintf("formID not found: %v", vars), http.StatusInternalServerError)
56+
return
57+
}
58+
59+
formID := vars["formID"]
60+
61+
buff, err := hex.DecodeString(formID)
62+
if err != nil {
63+
http.Error(w, "failed to decode formID: "+formID, http.StatusInternalServerError)
64+
return
65+
}
66+
6767
switch req.Action {
6868
// shuffle the ballots
6969
case "shuffle":

0 commit comments

Comments
 (0)