Skip to content

Add payload hash to signer JWT claims #356

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jclapis merged 141 commits into from
Sep 2, 2025
Merged

Add payload hash to signer JWT claims #356

jclapis merged 141 commits into from
Sep 2, 2025

Conversation

@jclapis
Copy link
Collaborator

@jclapis jclapis commented Aug 12, 2025

⚠️ Do not merge unntil #354 and #353 are in!

This is part 2 of the update on CBST2-01, following #354 and #353. This solves one of the issues found within the audit by making all of the routes with a request body (e.g., the POST routes) encode the Keccak256 hash of the payload body into the JWT claims for the request's auth header. Doing so means JWTs can't be intercepted and reused for unrelated requests, such as for signing different things other than what the original request was for. This affects all routes, including the new /revoke_jwt and /reload ones.

ltitanb and others added 30 commits May 13, 2025 17:17
@ltitanb @jclapis
bump version
c68125d
@jclapis
Successful cross-compilation, but runtime has memory allocation issues
d9979a2
@jclapis
Working with OpenSSL static-linked
97ef653
@jclapis
Got dynamic linking working, added a feature flag to toggle dynamic v…
91eefe2 
…s. static
@jclapis
Fixed the vendored build arg
de09415
@jclapis
Reintroduced the cargo chef setup
3aee63d
@jclapis
Ported the cross-compilation stuff into PBS
c07c717
@jclapis
Split the dockerfiles into separate builder / image definitions
699b7ec
@jclapis
Added a build guide
7165f12
@jclapis
Refactored the Github release action to use the Docker builder
9438dae
@jclapis
Fixed the Docker image binary filenames
12c020a
@jclapis
Cleaned up the Darwin artifact step
53cafc0
@jclapis
Made the CI workflow and justfile use the same toolchain as the source
58c6117
@jclapis
Revert "Made the CI workflow and justfile use the same toolchain as t…
45e581b 
…he source"

This reverts commit 58c6117.
@jclapis
Testing removal of OpenSSL vendored option
24a10c5
@jclapis
Updating just in the CI workflow
e36da54
@jclapis
Merge branch 'main' into cross-compile
843b110
@jclapis
Refactored the signer to support host and port config settings
e7c6d19
@jclapis
Updated docs
6117219
@jclapis
Fixing Clippy in CI workflow
c0f591d
@jclapis
Removed obviated CI setup
adbd34a
@jclapis
Minor dedup of RwLock guard acquisition
e3488b3
@jclapis
Added rate limiting for signer clients with repeated JWT auth failures
c3d7ec4
@jclapis
Added Signer config validation
9ddad64
@jclapis
Started unit test setup for the Signer
c62185e
@jclapis
Finished a basic signer module unit test
dc73c62
@jclapis
Added a JWT failure unit test
6c3d967
@jclapis
Added a rate limit test and cleaned up a bit
6464638
@jclapis
Added unique ports to unit tests for parallel execution
0313f18
@jclapis
Cleaned up the build Dockerfile and removed an extra dependency layer
346eea4
ltitanb
ltitanb requested changes Aug 14, 2025
View reviewed changes
api/signer-api.yml
The token **must include** the following claims:
- `exp` (integer): Expiration timestamp
- `module` (string): The ID of the module making the request, which must match a module ID in the Commit-Boost configuration file.
- `payload_hash` (string): The Keccak-256 hash of the JSON-encoded request body, with optional `0x` prefix. This is required to prevent JWT replay attacks.
Copy link
Collaborator

@ltitanb ltitanb Aug 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Json is not an ideal serialization format to hash, let's use ssz with the nonce and object root. As an optimization, we could re use that root directly when providing the signature

Copy link
Collaborator Author

@jclapis jclapis Aug 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, but note that this isn't exclusive to signing requests - any request made to the server with a body (e.g., any request that uses POST) needs to do this, which means we need to define SSZ types for every request and have the user conform to those.

jclapis and others added 16 commits August 18, 2025 13:55
@jclapis
Removed extraneous Display() impls
53888a1
@jclapis
Cleaned up the signature request handlers
228cbec
@jclapis
Consolidated similar bodies for signing handlers
a306f23
@jclapis
Merge branch 'sigp-audit-fixes' into signer-json-api
dc90028
@jclapis
Merge branch 'signer-json-api' into augment-sign-requests
46ec92b
@jclapis
Fixed a proxy signing bug
dfbdcc4
@jclapis
Merge branch 'signer-json-api' into augment-sign-requests
ec37c65
@jclapis
Fixed the default nonce
dd63e7c
@jclapis
Merge branch 'augment-sign-requests' into add-payload-hash-to-jwt
ad3a7fe
@jclapis
Removed an old use
fdc1b95
@jclapis
Merge branch 'augment-sign-requests' into add-payload-hash-to-jwt
5fcd187
@jclapis @ltitanb
Update crates/signer/src/service.rs
f0fe2b4 
Co-authored-by: ltitanb <[email protected]>
@jclapis @ltitanb
Update crates/signer/src/service.rs
79285f8 
Co-authored-by: ltitanb <[email protected]>
@jclapis
Updated Grafana with the new Signer routes
c36466b
@jclapis
Merge branch 'signer-json-api' into augment-sign-requests
6a09ab7
@jclapis
Merge branch 'augment-sign-requests' into add-payload-hash-to-jwt
82cecff
Base automatically changed from augment-sign-requests to sigp-audit-fixes August 19, 2025 19:11
@jclapis jclapis marked this pull request as ready for review September 2, 2025 03:57
@jclapis jclapis merged commit 52aec57 into sigp-audit-fixes Sep 2, 2025
1 check passed
@jclapis jclapis deleted the add-payload-hash-to-jwt branch September 2, 2025 03:57
@jclapis jclapis mentioned this pull request Sep 3, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ManuelBilbao ManuelBilbao ManuelBilbao left review comments

@ltitanb ltitanb ltitanb approved these changes

Assignees

@jclapis jclapis

Labels

core Core part of the repo (signer, modules interface)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jclapis @ManuelBilbao @ltitanb