From 2856f5122d222cbb121566462645823766fa7b33 Mon Sep 17 00:00:00 2001 From: Paul Hauner Date: Mon, 6 Jul 2020 11:56:44 +1000 Subject: [PATCH] Add checksum verification for deposit contract (#1330) --- Cargo.lock | 2 ++ common/deposit_contract/Cargo.toml | 2 ++ common/deposit_contract/build.rs | 38 ++++++++++++++++++++++++++++++ 3 files changed, 42 insertions(+) diff --git a/Cargo.lock b/Cargo.lock index fd1fc182e..9016384de 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1132,8 +1132,10 @@ version = "0.2.0" dependencies = [ "eth2_ssz", "ethabi", + "hex 0.4.2", "reqwest", "serde_json", + "sha2 0.9.1", "tree_hash", "types", ] diff --git a/common/deposit_contract/Cargo.toml b/common/deposit_contract/Cargo.toml index 298b126df..c796ff477 100644 --- a/common/deposit_contract/Cargo.toml +++ b/common/deposit_contract/Cargo.toml @@ -9,6 +9,8 @@ build = "build.rs" [build-dependencies] reqwest = { version = "0.10.4", features = ["blocking", "json"] } serde_json = "1.0.52" +sha2 = "0.9.1" +hex = "0.4.2" [dependencies] types = { path = "../../consensus/types"} diff --git a/common/deposit_contract/build.rs b/common/deposit_contract/build.rs index db09d91b0..683b601da 100644 --- a/common/deposit_contract/build.rs +++ b/common/deposit_contract/build.rs @@ -3,7 +3,9 @@ //! //! These files are required for some `include_bytes` calls used in this crate. +use hex; use serde_json::Value; +use sha2::{Digest, Sha256}; use std::env; use std::fs::File; use std::io::Write; @@ -14,6 +16,16 @@ const TAG: &str = "v0.12.1"; // with the unmodified v0.12.1 contract const UNSAFE_TAG: &str = "v0.9.2.1"; +// Checksums for the production smart contract. +const ABI_CHECKSUM: &str = "e53a64aecdd14f7c46c4134d19500c3184bf083b046347fb14c7828a26f2bff6"; +const BYTECODE_CHECKSUM: &str = "ace004b44a9f531bcd47f9d8827b2527c713a2df3af943ac28ecc3df2aa355d6"; + +// Checksums for the testnet smart contract. +const TESTNET_ABI_CHECKSUM: &str = + "c9a0a6b3fd48b94193d48c48abad3edcd61eb645d8cdfc9d969d188beb34f5c1"; +const TESTNET_BYTECODE_CHECKSUM: &str = + "2b054e7d134e2d66566ba074c8a18a3a67841d67c8ef6175fc95f1639ee73a89"; + fn spec_url() -> String { format!("https://raw.githubusercontent.com/ethereum/eth2.0-specs/{}/deposit_contract/contracts/validator_registration.json", TAG) } @@ -34,12 +46,16 @@ pub fn get_all_contracts() -> Result<(), String> { download_deposit_contract( &spec_url(), "validator_registration.json", + ABI_CHECKSUM, "validator_registration.bytecode", + BYTECODE_CHECKSUM, )?; download_deposit_contract( &testnet_url(), "testnet_validator_registration.json", + TESTNET_ABI_CHECKSUM, "testnet_validator_registration.bytecode", + TESTNET_BYTECODE_CHECKSUM, ) } @@ -48,7 +64,9 @@ pub fn get_all_contracts() -> Result<(), String> { pub fn download_deposit_contract( url: &str, abi_file: &str, + abi_checksum: &str, bytecode_file: &str, + bytecode_checksum: &str, ) -> Result<(), String> { let abi_file = abi_dir().join(format!("{}_{}", TAG, abi_file)); let bytecode_file = abi_dir().join(format!("{}_{}", TAG, bytecode_file)); @@ -71,6 +89,9 @@ pub fn download_deposit_contract( .get("abi") .ok_or(format!("Response does not contain key: abi"))? .to_string(); + + verify_checksum(abi.as_bytes(), abi_checksum); + abi_file .write(abi.as_bytes()) .map_err(|e| format!("Failed to write http response to abi file: {:?}", e))?; @@ -79,6 +100,9 @@ pub fn download_deposit_contract( .get("bytecode") .ok_or(format!("Response does not contain key: bytecode"))? .to_string(); + + verify_checksum(bytecode.as_bytes(), bytecode_checksum); + bytecode_file.write(bytecode.as_bytes()).map_err(|e| { format!("Failed to write http response to bytecode file: {:?}", e) })?; @@ -95,6 +119,20 @@ pub fn download_deposit_contract( Ok(()) } +fn verify_checksum(bytes: &[u8], expected_checksum: &str) { + let mut hasher = Sha256::new(); + hasher.update(bytes); + let result = hasher.finalize(); + + let checksum = hex::encode(&result[..]); + + assert_eq!( + &checksum, expected_checksum, + "Checksum {} did not match {}", + checksum, expected_checksum + ); +} + /// Returns the directory that will be used to store the deposit contract ABI. fn abi_dir() -> PathBuf { let base = env::var("CARGO_MANIFEST_DIR")