Add secure minting

[davebryson]

This PR addresses issue #98 adding support for secure minting. Mint transactions now run through the sentinel and validation. Minters are identified via pre-approved key pairs used during sentinel validation to determine who is allowed to execute a mint transaction. Public keys associated with approved minters are added to the cfg file.

For testing and demonstrations a pre-calculated minter key pair is available. Existing cfg files have been updated with the information.

A mint transaction is identified as having no inputs and 1 or more outputs. Validation has been adjusted to support this to ensure only valid minting transactions are forwarded from the sentinel. This required a change in the Atomizer as it will no longer reject a transaction that has no inputs (as it did previously).

PR #96 should be applied before this PR

[HalosGhost]

@davebryson looks like there's a small merge conflict (and some linting issues); but a general rebase is probably a good idea now that the macOS script updates have been merged in.

[davebryson]

@HalosGhost Rebased. But still need to address cognitive complexity issue (clang-tidy) in client-cli.cpp

[davebryson]

@HalosGhost clang-tidy is failing due to the number of if/else clauses in client-cli.cpp main() exceeding the default threshold of 25 (there are currently 26) for the readability-function-cognitive-complexity.Threshold setting.

Any objections to increasing the threshold setting in .clang-tidy to provide a little room for growth in the command line client?

[HalosGhost]

I think a longer-term solution would be to factor out a basic parsing mechanism so that we can have less of an if/else soup (ideally allowing use of a function-pointer map, or switch/case); but that's definitely a larger refactoring effort. I don't have any immediate problem raising the threshold. @metalicjames is there a middle-ground that you think we should pursue instead?

[metalicjames]

I would prefer that we move the command dispatch code to its own function than increase the cognitive complexity limit.

[davebryson]

@HalosGhost Not sure what the issue is with the CI failing on unit/integration tests. Note commit 9fa789e above passed all tests. Last commit (that failed tests) made no changes that would effect tests. Additionally I've tested locally several times and all unit/integration tests are passing.

[HalosGhost]

Seems it's the atomizer end-to-end tests:

/home/runner/work/opencbdc-tx/opencbdc-tx/tests/integration/atomizer_end_to_end_test.cpp:58: Failure
Value of: m_ctl_watchtower->get_block_height() > 0
  Actual: false
Expected: true
scripts/test.sh: line 9:  8480 Aborted                 (core dumped) $PWD/$1

I will try to pull the changes and test locally today to see what's going wrong.

[HalosGhost]

@davebryson your suspicions were correct; timing issue during the run; rerunning it passed all checks in a breeze. I'll dig in and begin review in the next few days!

[HalosGhost]

Sorry it has taken me a little while to review this. I think there's a lot of great work here (and a solid step towards having some rough means of secure minting).

I do have a few questions to make sure I'm understanding the flow right, and a few requests for changes that I've made inline.

Please feel free to ask for clarification!

[davebryson]

@HalosGhost Latest commit addresses requested changes

[HalosGhost]

@davebryson these changes look solid (sorry there was such a delay in-review). I have a small comment, and I'd like @metalicjames to take a quick look at it before merge, but I'm comfortable with merging.

[HalosGhost]

Is the point of leaving this just to minimize the change in this PR? (it's otherwise leaving specifically-dead code in the repo.)

[davebryson]

@HalosGhost I primarily left it in the event someone objected to the changes and/or wanted the functionality for other reasons (testing?).

[HalosGhost]

Nothing occurs to me on why it would still be needed with the adopting of this (pretty simple even) minting mechanism, but perhaps @metalicjames will think otherwise (I'm open to hearing alternative opinions). :)

[metalicjames]

If we're not using it, let's remove it.

[metalicjames]

I have a general question. Can I make multiple mint transactions with this PR?

It seems that all mint transactions will be identical, resulting in the same outpoints for every mint TX, meaning I can actually only make one valid mint TX without overwriting (or re-adding!! previously used outputs). One can see how this could lead to replay attacks where a previously submitted transaction spending a mint output becomes valid again when its input(s) are recreated.

The signatures on the outputs are missing any kind of sequence number or nonce. Does that matter? Is there a replay attack vector on mint transactions without one?

[metalicjames]

Style point: prefer return; over else here to avoid the unnecessary condition nesting (which causes a cognitive complexity penalty).

https://isocpp.github.io/CppCoreGuidelines/CppCoreGuidelines#f56-avoid-unnecessary-condition-nesting

[metalicjames]

Don't we need the sentinel attestations here?

m_attestations is not set.

[davebryson]

@metalicjames This is related to an issue that I asked about early in the process of working on this. The Atomizer, unlike 2PC, actually requires inputs in the compact transaction. A mint transaction doesn't have any inputs. So making mint transactions work with the Atomized feels like a hack and deviates from the normal transaction flow. Any thoughts or insights you have on this would be appreciated.

[metalicjames]

Hmm, I think the atomizer should be able to understand mint transactions. Otherwise, how would the mint transaction be included in a block and applied by the shards? If the transaction is included in a block, the atomizer should check the sentinel attestations. A valid mint transaction should still be validated by multiple sentinels and attested to, the same way as any other transaction. Otherwise, how can we be confident the mint transaction wasn't validated by a malicious sentinel, ignoring the authorized minter keys?

[davebryson]

@metalicjames A mint transaction flows through the sentinel and accumulates attestations the same as any other transaction. The controller checks the attestations before it forwards it to the shard: https://github.com/mit-dci/opencbdc-tx/blob/trunk/src/uhs/atomizer/shard/controller.cpp#L152. All the shard appears to do is collect the input index into the msg attestations set https://github.com/mit-dci/opencbdc-tx/blob/trunk/src/uhs/atomizer/shard/shard.cpp#L151. What concerns me more is the fact that atomizer allow this (at least passes all tests) even though the msg.m_attestations is empty for a mint transaction.

[metalicjames]

This code seems duplicated from print_tx_result, can we refactor it?

[metalicjames]

If we're not using it, let's remove it.

[metalicjames]

Is it possible to use a more general container here (like a vector, array etc)? Requiring a std::unordered_set with a custom hasher seems too specific to me.

[metalicjames]

Can you add doc comments for the new functions in this file?

[metalicjames]

This signing code seems duplicated with the code in wallet::sign, can we refactor it?

[davebryson]

Some of the code is duplicate. As I was touching a lot of the code base, I didn't want to be too intrusive

[metalicjames]

I think it's best to refactor the duplicate code in this PR. That will make the code more maintainable in the long run. You can split the refactors into separate commits to reduce the review burden.

[metalicjames]

Any reason to rename this variable?

[metalicjames]

I think you need to hold the lock to access m_pubkeys here.

[metalicjames]

I'm confused about this. Is the test minter key the one the validation code will check signed the TX? How is that different from the key generated when I can generate_minter_key()?

What if I call generate_minter_key() first, and then generate_test_minter_key() after? Now m_pubkeys[1] contains the minter key. Same thing if I call generate_test_minter_key() multiple times.

[davebryson]

generate_test_minter_key generates a pre-determined key that's preset in all existing .cfg files for testing and/or demos. Again, I was looking for a way to minimize changes across the codebase. See

opencbdc-tx/src/uhs/transaction/wallet.hpp

Line 129 in eb16c65

/// Generate a fixed public key for a minter. This is

for a descriptoin

[metalicjames]

Can we not read the key from the config file? Why do we need code to re-generate it?

[davebryson]

@metalicjames Mainly because tests call wallet code to mint (especially the integration tests) and you need a deterministic key for that. Putting the minter's private key in the configuration file for testing would mean you should put all minter private keys in the configuration file (testing and non-testing) to keep the design consistent. But IMO, putting minter (or any) private keys in the configuration file seems like a really bad idea from a security perspective.

[HalosGhost]

Worth noting that this is not a production system, so we don't have to be quite as worried about such things at the moment.

For example, for sentinel attestation checks, the sentinel private keys are stored in the configuration files.

[davebryson]

@HalosGhost Agree and I understand what you're saying. But on the other hand, adding security late to the process usually doesn't turn out well. If security is not a high-priority in the current context of the project, then is secure minting even necessary right now? Just thinking out loud on how to best bound the problem...

[HalosGhost]

I take your point. I suppose my view is that we should try to scope our questions as small as possible.

I think this PR is answering the question “How could secure minting be supported?” That doesn't require all other best-practices to be addressed at the same time. To that end, having the keys in-configuration or not is an orthogonal concern (in my opinion).

[davebryson]

The signatures on the outputs are missing any kind of sequence number or nonce. Does that matter? Is there a replay attack vector on mint transactions without one?

@metalicjames Great question and I believe you are correct. Adding a nonce/sequence number would be an easy solution. Of course a sequence number would require some form of state known by the system for validation. But either way you have minters using the same key over and over. Policy could dictate a minter must rotate a key after each use, but this complicates configuration.