Verify pre-DR self-issued receipts (#7546)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: maxtropets

CHANGELOG.md

@@ -13,6 +13,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 - Experimental self-healing-open protocol for automatically transitioning-to-open during a disaster recovery without operator intervention. (#7189)
 
+### Changed
+
+- Improved `ccf::historical::verify_self_issued_receipt` - now can verify receipts signed by the past service identities if they were back-endorsed (#7546).
+
 ## [7.0.0-dev6]
 
 [7.0.0-dev6]: https://github.com/microsoft/CCF/releases/tag/ccf-7.0.0-dev6

doc/schemas/app_openapi.json

@@ -1269,14 +1269,6 @@
             "$ref": "#/components/responses/default"
           }
         },
-        "security": [
-          {
-            "jwt": []
-          },
-          {
-            "user_cose_sign1": []
-          }
-        ],
         "x-ccf-forwarding": {
           "$ref": "#/components/x-ccf-forwarding/never"
         }

include/ccf/crypto/base64.h

@@ -3,6 +3,7 @@
 #pragma once
 
 #include <cstdint>
+#include <span>
 #include <string>
 #include <vector>
 
@@ -14,7 +15,7 @@ namespace ccf::crypto
 
   std::string b64_from_raw(const uint8_t* data, size_t size);
 
-  std::string b64_from_raw(const std::vector<uint8_t>& data);
+  std::string b64_from_raw(std::span<const uint8_t> data);
 
   std::string b64url_from_raw(
     const uint8_t* data, size_t size, bool with_padding = true);

include/ccf/crypto/cose_verifier.h

@@ -25,6 +25,8 @@ namespace ccf::crypto
   COSEVerifierUniquePtr make_cose_verifier_from_cert(
     const std::vector<uint8_t>& cert);
   COSEVerifierUniquePtr make_cose_verifier_from_key(const Pem& public_key);
+  COSEVerifierUniquePtr make_cose_verifier_from_key(
+    std::span<const uint8_t> public_key);
 
   struct COSEEndorsementValidity
   {

include/ccf/crypto/ec_public_key.h

@@ -173,6 +173,14 @@ namespace ccf::crypto
    */
   ECPublicKeyPtr make_ec_public_key(const std::vector<uint8_t>& der);
 
+  /**
+   * Construct ECPublicKey from a raw public key in DER format
+   *
+   * @param der Sequence of bytes containing the key in DER format
+   * @return Public key
+   */
+  ECPublicKeyPtr make_ec_public_key(std::span<const uint8_t> der);
+
   /**
    * Construct ECPublicKey from a JsonWebKeyECPublic object
    *

include/ccf/historical_queries_utils.h

@@ -42,8 +42,9 @@ namespace ccf::historical
     std::shared_ptr<NetworkIdentitySubsystemInterface>
       network_identity_subsystem);
 
-  // Verifies CCF COSE receipt using the *current network* identity's
-  // certificate.
+  // Verifies CCF COSE receipt issued by either current service identity or the
+  // one from the past that both corresponds to the receipt Tx ID and can be
+  // trusted via back-endorsement chain.
   void verify_self_issued_receipt(
     const std::vector<uint8_t>& cose_receipt,
     std::shared_ptr<NetworkIdentitySubsystemInterface>

include/ccf/network_identity_interface.h

@@ -2,6 +2,7 @@
 // Licensed under the Apache 2.0 License.
 #pragma once
 
+#include "ccf/crypto/ec_public_key.h"
 #include "ccf/node_subsystem_interface.h"
 
 #include <optional>
@@ -38,5 +39,8 @@ namespace ccf
 
     [[nodiscard]] virtual std::optional<CoseEndorsementsChain>
     get_cose_endorsements_chain(ccf::SeqNo seqno) const = 0;
+
+    [[nodiscard]] virtual ccf::crypto::ECPublicKeyPtr get_trusted_identity_for(
+      ccf::SeqNo seqno) const = 0;
   };
 }

samples/apps/logging/logging.cpp

@@ -2124,7 +2124,7 @@ namespace loggingapp
         HTTP_GET,
         ccf::historical::read_only_adapter_v4(
           get_cose_receipt, context, is_tx_committed),
-        auth_policies)
+        ccf::no_auth_required)
         .set_auto_schema<void, void>()
         .set_forwarding_required(ccf::endpoints::ForwardingRequired::Never)
         .install();

src/crypto/base64.cpp

@@ -43,7 +43,7 @@ namespace ccf::crypto
     return Base64Impl::b64_from_raw(data, size);
   }
 
-  std::string b64_from_raw(const std::vector<uint8_t>& data)
+  std::string b64_from_raw(std::span<const uint8_t> data)
   {
     return b64_from_raw(data.data(), data.size());
   }

src/crypto/openssl/cose_verifier.cpp

@@ -162,6 +162,12 @@ namespace ccf::crypto
     public_key = std::make_shared<PublicKey_OpenSSL>(public_key_);
   }
 
+  COSEKeyVerifier_OpenSSL::COSEKeyVerifier_OpenSSL(
+    std::span<const uint8_t> public_key_der_)
+  {
+    public_key = std::make_shared<PublicKey_OpenSSL>(public_key_der_);
+  }
+
   COSEVerifier_OpenSSL::~COSEVerifier_OpenSSL() = default;
 
   bool COSEVerifier_OpenSSL::verify(
@@ -235,6 +241,12 @@ namespace ccf::crypto
     return std::make_unique<COSEKeyVerifier_OpenSSL>(public_key);
   }
 
+  COSEVerifierUniquePtr make_cose_verifier_from_key(
+    std::span<const uint8_t> public_key)
+  {
+    return std::make_unique<COSEKeyVerifier_OpenSSL>(public_key);
+  }
+
   COSEEndorsementValidity extract_cose_endorsement_validity(
     std::span<const uint8_t> cose_msg)
   {