From 2fdbc91e60fdb90a331772ae91b70ee78b14d584 Mon Sep 17 00:00:00 2001
From: Eric Swanson <eric.swanson@dfinity.org>
Date: Mon, 16 Nov 2020 12:45:49 -0800
Subject: [PATCH 1/9] feat: response authentication: fetch root key for dev
 instances

https://github.com/dfinity/agent-rs/issues/78
---
 ic-agent/src/agent/mod.rs    | 11 +++++++++++
 ic-agent/src/agent/status.rs | 11 +++++++++++
 2 files changed, 22 insertions(+)

diff --git a/ic-agent/src/agent/mod.rs b/ic-agent/src/agent/mod.rs
index 6e692d19..495edcfb 100644
--- a/ic-agent/src/agent/mod.rs
+++ b/ic-agent/src/agent/mod.rs
@@ -30,6 +30,7 @@ use status::Status;
 
 use std::convert::TryFrom;
 use std::str::from_utf8;
+use std::sync::RwLock;
 use std::time::Duration;
 
 const DOMAIN_SEPARATOR: &[u8; 11] = b"\x0Aic-request";
@@ -101,6 +102,7 @@ pub struct Agent {
     identity: Box<dyn Identity + Send + Sync>,
     password_manager: Option<Box<dyn PasswordManager + Send + Sync>>,
     ingress_expiry_duration: Duration,
+    root_key: RwLock<Vec<u8>>,
 }
 
 impl Agent {
@@ -136,9 +138,18 @@ impl Agent {
             ingress_expiry_duration: config
                 .ingress_expiry_duration
                 .unwrap_or_else(|| Duration::from_secs(300)),
+            root_key: RwLock::new(vec![]),
         })
     }
 
+    pub async fn fetch_root_key(&self) -> Result<(), AgentError> {
+        let status = self.status().await?;
+        // todo something something
+        let mut x = self.root_key.write().unwrap();
+        *x = status.root_key.unwrap().clone();
+        Ok(())
+    }
+
     fn get_expiry_date(&self) -> u64 {
         // TODO(hansl): evaluate if we need this on the agent side (my hunch is we don't).
         let permitted_drift = Duration::from_secs(60);
diff --git a/ic-agent/src/agent/status.rs b/ic-agent/src/agent/status.rs
index 5e8d394d..bc44852d 100644
--- a/ic-agent/src/agent/status.rs
+++ b/ic-agent/src/agent/status.rs
@@ -52,6 +52,9 @@ pub struct Status {
     /// Optional. The precise git revision of the Internet Computer implementation.
     pub impl_revision: Option<String>,
 
+    /// Optional.  The root key
+    pub root_key: Option<Vec<u8>>,
+
     /// Contains any additional values that the replica gave as status.
     pub values: BTreeMap<String, Box<Value>>,
 }
@@ -136,12 +139,20 @@ impl std::convert::TryFrom<&serde_cbor::Value> for Status {
                         None
                     }
                 });
+                let root_key: Option<Vec<u8>> = map.get("root_key").and_then(|v| {
+                    if let Value::Bytes(bytes) = v.as_ref() {
+                        Some(bytes.to_owned())
+                    } else {
+                        None
+                    }
+                });
 
                 Ok(Status {
                     ic_api_version,
                     impl_source,
                     impl_version,
                     impl_revision,
+                    root_key,
                     values: map,
                 })
             }

From e6b61beb278df0f3759a60b65daba48f8fb112f4 Mon Sep 17 00:00:00 2001
From: Eric Swanson <eric.swanson@dfinity.org>
Date: Mon, 16 Nov 2020 17:41:43 -0800
Subject: [PATCH 2/9] checkpoint: verifies BLS signature, including delegation

---
 ic-agent/src/agent/agent_error.rs |  9 +++++
 ic-agent/src/agent/mod.rs         | 65 +++++++++++++++++++++++++++++--
 ic-agent/src/agent/replica_api.rs | 11 ++++++
 ref-tests/src/utils.rs            |  1 +
 ref-tests/tests/ic-ref.rs         |  4 +-
 5 files changed, 85 insertions(+), 5 deletions(-)

diff --git a/ic-agent/src/agent/agent_error.rs b/ic-agent/src/agent/agent_error.rs
index d712c736..27ecdd05 100644
--- a/ic-agent/src/agent/agent_error.rs
+++ b/ic-agent/src/agent/agent_error.rs
@@ -78,6 +78,15 @@ pub enum AgentError {
 
     #[error("The request status ({1}) at path {0:?} is invalid.")]
     InvalidRequestStatus(Vec<Label>, String),
+
+    #[error("Certificate verification failed.")]
+    CertificateVerificationFailed(),
+
+    #[error(r#"BLS DER-encoded public key must be ${expected} bytes long, but is {actual} bytes long."#)]
+    DerKeyLengthMismatch { expected: usize, actual: usize },
+
+    #[error("BLS DER-encoded public key is invalid. Expected the following prefix: ${expected:?}, but got ${actual:?}")]
+    DerPrefixMismatch{ expected: Vec<u8>, actual: Vec<u8> },
 }
 
 impl PartialEq for AgentError {
diff --git a/ic-agent/src/agent/mod.rs b/ic-agent/src/agent/mod.rs
index 495edcfb..8035a11f 100644
--- a/ic-agent/src/agent/mod.rs
+++ b/ic-agent/src/agent/mod.rs
@@ -16,9 +16,7 @@ pub use response::{Replied, RequestStatusResponse};
 #[cfg(test)]
 mod agent_test;
 
-use crate::agent::replica_api::{
-    AsyncContent, Certificate, Envelope, ReadStateResponse, SyncContent,
-};
+use crate::agent::replica_api::{AsyncContent, Certificate, Envelope, ReadStateResponse, SyncContent, Delegation};
 use crate::export::Principal;
 use crate::hash_tree::{Label, LookupResult};
 use crate::identity::Identity;
@@ -32,8 +30,12 @@ use std::convert::TryFrom;
 use std::str::from_utf8;
 use std::sync::RwLock;
 use std::time::Duration;
+use crate::bls::bls12381::bls;
 
 const DOMAIN_SEPARATOR: &[u8; 11] = b"\x0Aic-request";
+const IC_STATE_ROOT_DOMAIN_SEPARATOR: &[u8; 14] = b"\x0Dic-state-root";
+const DER_PREFIX: &[u8; 37] = b"\x30\x81\x82\x30\x1d\x06\x0d\x2b\x06\x01\x04\x01\x82\xdc\x7c\x05\x03\x01\x02\x01\x06\x0c\x2b\x06\x01\x04\x01\x82\xdc\x7c\x05\x03\x02\x01\x03\x61\x00";
+const KEY_LENGTH: usize = 96;
 
 /// A low level Agent to make calls to a Replica endpoint.
 ///
@@ -395,10 +397,50 @@ impl Agent {
 
         let cert: Certificate = serde_cbor::from_slice(&read_state_response.certificate)
             .map_err(AgentError::InvalidCborData)?;
-        // todo: verify certificate here
+        self.verify(&cert)?;
         Ok(cert)
     }
 
+    fn verify(&self, cert: &Certificate) -> Result<(), AgentError> {
+        bls::init(); // todo where to put this?
+        let root_hash = cert.tree.digest();
+        let der_key = self.check_delegation(&cert.delegation)?;
+        // self.root_key.read().unwrap().clone();
+        let sig = &cert.signature;
+        let key = extract_der(der_key)?;
+        let mut msg = vec![];
+        msg.extend_from_slice(IC_STATE_ROOT_DOMAIN_SEPARATOR);
+        msg.extend_from_slice(&root_hash);
+        let result = bls::core_verify(sig, &*msg, &*key);
+        if result != bls::BLS_OK {
+            Err(AgentError::CertificateVerificationFailed())
+        } else {
+            Ok(())
+        }
+    }
+
+    fn check_delegation(&self, delegation: &Option<Delegation>) -> Result<Vec<u8>, AgentError> {
+        match delegation {
+            None => Ok(self.root_key.read().unwrap().clone()),
+            Some(delegation) => {
+                let cert: Certificate = serde_cbor::from_slice(&delegation.certificate)
+                    .map_err(AgentError::InvalidCborData)?;
+                self.verify(&cert)?;
+                let public_key_path = vec![
+                    "subnet".into(),
+                    delegation.subnet_id.clone().into(),
+                    "public_key".into(),
+                ];
+                match cert.tree.lookup_path(&public_key_path) {
+                    LookupResult::Absent => Err(AgentError::LookupPathAbsent(public_key_path)),
+                    LookupResult::Unknown => Err(AgentError::LookupPathAbsent(public_key_path)),
+                    LookupResult::Found(root_key) => Ok(root_key.to_vec()),
+                    LookupResult::Error => Err(AgentError::LookupPathError(public_key_path)),
+                }
+            }
+        }
+    }
+
     pub async fn request_status_raw(
         &self,
         request_id: &RequestId,
@@ -439,6 +481,21 @@ impl Agent {
     }
 }
 
+fn extract_der(buf: Vec<u8>) -> Result<Vec<u8>, AgentError> {
+    let expected_length = DER_PREFIX.len() + KEY_LENGTH;
+    if buf.len() != expected_length {
+        return Err(AgentError::DerKeyLengthMismatch { expected: expected_length, actual: buf.len() } );
+    }
+
+    let prefix = &buf[0..DER_PREFIX.len()];
+    if &prefix[..] != &DER_PREFIX[..] {
+        return Err(AgentError::DerPrefixMismatch { expected: DER_PREFIX.to_vec(), actual: prefix.to_vec() } );
+    }
+
+    let key = &buf[DER_PREFIX.len()..];
+    Ok(key.to_vec())
+}
+
 fn lookup_request_status(
     certificate: Certificate,
     request_id: &RequestId,
diff --git a/ic-agent/src/agent/replica_api.rs b/ic-agent/src/agent/replica_api.rs
index 7cddbeeb..0277c4a4 100644
--- a/ic-agent/src/agent/replica_api.rs
+++ b/ic-agent/src/agent/replica_api.rs
@@ -62,6 +62,17 @@ pub(crate) struct Certificate {
 
     #[serde(with = "serde_bytes")]
     pub signature: Vec<u8>,
+
+    pub delegation: Option<Delegation>,
+}
+
+#[derive(Deserialize)]
+pub(crate) struct Delegation {
+    #[serde(with = "serde_bytes")]
+    pub subnet_id: Vec<u8>,
+
+    #[serde(with = "serde_bytes")]
+    pub certificate: Vec<u8>,
 }
 
 #[derive(Debug, Clone, Deserialize, Serialize)]
diff --git a/ref-tests/src/utils.rs b/ref-tests/src/utils.rs
index 4463d0cf..07be64c6 100644
--- a/ref-tests/src/utils.rs
+++ b/ref-tests/src/utils.rs
@@ -55,6 +55,7 @@ where
         let agent = create_agent(agent_identity)
             .await
             .expect("Could not create an agent.");
+        agent.fetch_root_key().await.expect("could not fetch root key");
         match f(agent).await {
             Ok(_) => {}
             Err(e) => assert!(false, "{:?}", e),
diff --git a/ref-tests/tests/ic-ref.rs b/ref-tests/tests/ic-ref.rs
index d194e30b..a5330db8 100644
--- a/ref-tests/tests/ic-ref.rs
+++ b/ref-tests/tests/ic-ref.rs
@@ -91,7 +91,7 @@ mod management_canister {
         }
     }
 
-    #[ignore]
+    //#[ignore]
     #[test]
     fn management() {
         with_agent(|agent| async move {
@@ -128,6 +128,7 @@ mod management_canister {
             let other_agent_identity = create_identity().await?;
             let other_agent_principal = other_agent_identity.sender()?;
             let other_agent = create_agent(other_agent_identity).await?;
+            other_agent.fetch_root_key().await?;
             let other_ic00 = ManagementCanister::create(&other_agent);
 
             // Reinstall with another agent should fail.
@@ -382,6 +383,7 @@ mod management_canister {
             // Create another agent with different identity.
             let other_agent_identity = create_identity().await?;
             let other_agent = create_agent(other_agent_identity).await?;
+            other_agent.fetch_root_key().await?;
             let other_ic00 = ManagementCanister::create(&other_agent);
 
             // Start as a wrong controller should fail.

From 5c6f5306aafdf339c1ae75b77257c26596960800 Mon Sep 17 00:00:00 2001
From: Eric Swanson <eric.swanson@dfinity.org>
Date: Mon, 16 Nov 2020 17:47:45 -0800
Subject: [PATCH 3/9] format

---
 ic-agent/src/agent/agent_error.rs |  6 ++++--
 ic-agent/src/agent/mod.rs         | 16 ++++++++++++----
 ref-tests/src/utils.rs            |  5 ++++-
 3 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/ic-agent/src/agent/agent_error.rs b/ic-agent/src/agent/agent_error.rs
index 27ecdd05..0a91c210 100644
--- a/ic-agent/src/agent/agent_error.rs
+++ b/ic-agent/src/agent/agent_error.rs
@@ -82,11 +82,13 @@ pub enum AgentError {
     #[error("Certificate verification failed.")]
     CertificateVerificationFailed(),
 
-    #[error(r#"BLS DER-encoded public key must be ${expected} bytes long, but is {actual} bytes long."#)]
+    #[error(
+        r#"BLS DER-encoded public key must be ${expected} bytes long, but is {actual} bytes long."#
+    )]
     DerKeyLengthMismatch { expected: usize, actual: usize },
 
     #[error("BLS DER-encoded public key is invalid. Expected the following prefix: ${expected:?}, but got ${actual:?}")]
-    DerPrefixMismatch{ expected: Vec<u8>, actual: Vec<u8> },
+    DerPrefixMismatch { expected: Vec<u8>, actual: Vec<u8> },
 }
 
 impl PartialEq for AgentError {
diff --git a/ic-agent/src/agent/mod.rs b/ic-agent/src/agent/mod.rs
index 8035a11f..40700ada 100644
--- a/ic-agent/src/agent/mod.rs
+++ b/ic-agent/src/agent/mod.rs
@@ -16,7 +16,9 @@ pub use response::{Replied, RequestStatusResponse};
 #[cfg(test)]
 mod agent_test;
 
-use crate::agent::replica_api::{AsyncContent, Certificate, Envelope, ReadStateResponse, SyncContent, Delegation};
+use crate::agent::replica_api::{
+    AsyncContent, Certificate, Delegation, Envelope, ReadStateResponse, SyncContent,
+};
 use crate::export::Principal;
 use crate::hash_tree::{Label, LookupResult};
 use crate::identity::Identity;
@@ -26,11 +28,11 @@ use reqwest::Method;
 use serde::Serialize;
 use status::Status;
 
+use crate::bls::bls12381::bls;
 use std::convert::TryFrom;
 use std::str::from_utf8;
 use std::sync::RwLock;
 use std::time::Duration;
-use crate::bls::bls12381::bls;
 
 const DOMAIN_SEPARATOR: &[u8; 11] = b"\x0Aic-request";
 const IC_STATE_ROOT_DOMAIN_SEPARATOR: &[u8; 14] = b"\x0Dic-state-root";
@@ -484,12 +486,18 @@ impl Agent {
 fn extract_der(buf: Vec<u8>) -> Result<Vec<u8>, AgentError> {
     let expected_length = DER_PREFIX.len() + KEY_LENGTH;
     if buf.len() != expected_length {
-        return Err(AgentError::DerKeyLengthMismatch { expected: expected_length, actual: buf.len() } );
+        return Err(AgentError::DerKeyLengthMismatch {
+            expected: expected_length,
+            actual: buf.len(),
+        });
     }
 
     let prefix = &buf[0..DER_PREFIX.len()];
     if &prefix[..] != &DER_PREFIX[..] {
-        return Err(AgentError::DerPrefixMismatch { expected: DER_PREFIX.to_vec(), actual: prefix.to_vec() } );
+        return Err(AgentError::DerPrefixMismatch {
+            expected: DER_PREFIX.to_vec(),
+            actual: prefix.to_vec(),
+        });
     }
 
     let key = &buf[DER_PREFIX.len()..];
diff --git a/ref-tests/src/utils.rs b/ref-tests/src/utils.rs
index 07be64c6..8902a5f7 100644
--- a/ref-tests/src/utils.rs
+++ b/ref-tests/src/utils.rs
@@ -55,7 +55,10 @@ where
         let agent = create_agent(agent_identity)
             .await
             .expect("Could not create an agent.");
-        agent.fetch_root_key().await.expect("could not fetch root key");
+        agent
+            .fetch_root_key()
+            .await
+            .expect("could not fetch root key");
         match f(agent).await {
             Ok(_) => {}
             Err(e) => assert!(false, "{:?}", e),

From 45381b656a4a2ac245a5607f0f477ad8c6ce2502 Mon Sep 17 00:00:00 2001
From: Eric Swanson <eric.swanson@dfinity.org>
Date: Tue, 17 Nov 2020 17:25:54 -0800
Subject: [PATCH 4/9] Avoid RwLock poisoning, fix clippy stuff, put root_key
 rwlock stuff in proximity

---
 ic-agent/src/agent/agent_error.rs |  3 +++
 ic-agent/src/agent/mod.rs         | 32 +++++++++++++++++++------------
 2 files changed, 23 insertions(+), 12 deletions(-)

diff --git a/ic-agent/src/agent/agent_error.rs b/ic-agent/src/agent/agent_error.rs
index 0a91c210..981e23a3 100644
--- a/ic-agent/src/agent/agent_error.rs
+++ b/ic-agent/src/agent/agent_error.rs
@@ -89,6 +89,9 @@ pub enum AgentError {
 
     #[error("BLS DER-encoded public key is invalid. Expected the following prefix: ${expected:?}, but got ${actual:?}")]
     DerPrefixMismatch { expected: Vec<u8>, actual: Vec<u8> },
+
+    #[error("The status response did not contain a root key")]
+    NoRootKeyInStatus(),
 }
 
 impl PartialEq for AgentError {
diff --git a/ic-agent/src/agent/mod.rs b/ic-agent/src/agent/mod.rs
index 40700ada..a2d405c6 100644
--- a/ic-agent/src/agent/mod.rs
+++ b/ic-agent/src/agent/mod.rs
@@ -34,7 +34,7 @@ use std::str::from_utf8;
 use std::sync::RwLock;
 use std::time::Duration;
 
-const DOMAIN_SEPARATOR: &[u8; 11] = b"\x0Aic-request";
+const IC_REQUEST_DOMAIN_SEPARATOR: &[u8; 11] = b"\x0Aic-request";
 const IC_STATE_ROOT_DOMAIN_SEPARATOR: &[u8; 14] = b"\x0Dic-state-root";
 const DER_PREFIX: &[u8; 37] = b"\x30\x81\x82\x30\x1d\x06\x0d\x2b\x06\x01\x04\x01\x82\xdc\x7c\x05\x03\x01\x02\x01\x06\x0c\x2b\x06\x01\x04\x01\x82\xdc\x7c\x05\x03\x02\x01\x03\x61\x00";
 const KEY_LENGTH: usize = 96;
@@ -118,6 +118,8 @@ impl Agent {
 
     /// Create an instance of an [`Agent`].
     pub fn new(config: AgentConfig) -> Result<Agent, AgentError> {
+        bls::init(); // todo where to put this? we need to call it once globally.
+
         let url = config.url;
         let mut tls_config = rustls::ClientConfig::new();
 
@@ -148,12 +150,17 @@ impl Agent {
 
     pub async fn fetch_root_key(&self) -> Result<(), AgentError> {
         let status = self.status().await?;
-        // todo something something
-        let mut x = self.root_key.write().unwrap();
-        *x = status.root_key.unwrap().clone();
+        let root_key = status.root_key.ok_or_else(AgentError::NoRootKeyInStatus)?;
+        let mut write_guard = self.root_key.write().unwrap();
+        *write_guard = root_key;
         Ok(())
     }
 
+    fn read_root_key(&self) -> Result<Vec<u8>, AgentError> {
+        let root_key = self.root_key.read().unwrap().clone();
+        Ok(root_key)
+    }
+
     fn get_expiry_date(&self) -> u64 {
         // TODO(hansl): evaluate if we need this on the agent side (my hunch is we don't).
         let permitted_drift = Duration::from_secs(60);
@@ -167,7 +174,7 @@ impl Agent {
 
     fn construct_message(&self, request_id: &RequestId) -> Vec<u8> {
         let mut buf = vec![];
-        buf.extend_from_slice(DOMAIN_SEPARATOR);
+        buf.extend_from_slice(IC_REQUEST_DOMAIN_SEPARATOR);
         buf.extend_from_slice(request_id.as_slice());
         buf
     }
@@ -404,15 +411,16 @@ impl Agent {
     }
 
     fn verify(&self, cert: &Certificate) -> Result<(), AgentError> {
-        bls::init(); // todo where to put this?
-        let root_hash = cert.tree.digest();
-        let der_key = self.check_delegation(&cert.delegation)?;
-        // self.root_key.read().unwrap().clone();
         let sig = &cert.signature;
-        let key = extract_der(der_key)?;
+
+        let root_hash = cert.tree.digest();
         let mut msg = vec![];
         msg.extend_from_slice(IC_STATE_ROOT_DOMAIN_SEPARATOR);
         msg.extend_from_slice(&root_hash);
+
+        let der_key = self.check_delegation(&cert.delegation)?;
+        let key = extract_der(der_key)?;
+
         let result = bls::core_verify(sig, &*msg, &*key);
         if result != bls::BLS_OK {
             Err(AgentError::CertificateVerificationFailed())
@@ -423,7 +431,7 @@ impl Agent {
 
     fn check_delegation(&self, delegation: &Option<Delegation>) -> Result<Vec<u8>, AgentError> {
         match delegation {
-            None => Ok(self.root_key.read().unwrap().clone()),
+            None => self.read_root_key(),
             Some(delegation) => {
                 let cert: Certificate = serde_cbor::from_slice(&delegation.certificate)
                     .map_err(AgentError::InvalidCborData)?;
@@ -493,7 +501,7 @@ fn extract_der(buf: Vec<u8>) -> Result<Vec<u8>, AgentError> {
     }
 
     let prefix = &buf[0..DER_PREFIX.len()];
-    if &prefix[..] != &DER_PREFIX[..] {
+    if prefix[..] != DER_PREFIX[..] {
         return Err(AgentError::DerPrefixMismatch {
             expected: DER_PREFIX.to_vec(),
             actual: prefix.to_vec(),

From 0f8a0f09034b0d06ad66eb3fae797c0b0909a882 Mon Sep 17 00:00:00 2001
From: Eric Swanson <eric.swanson@dfinity.org>
Date: Tue, 17 Nov 2020 17:35:34 -0800
Subject: [PATCH 5/9] Proper one-time initialization for bls library

---
 ic-agent/src/agent/mod.rs | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/ic-agent/src/agent/mod.rs b/ic-agent/src/agent/mod.rs
index a2d405c6..dd56e8a3 100644
--- a/ic-agent/src/agent/mod.rs
+++ b/ic-agent/src/agent/mod.rs
@@ -31,6 +31,7 @@ use status::Status;
 use crate::bls::bls12381::bls;
 use std::convert::TryFrom;
 use std::str::from_utf8;
+use std::sync::Once;
 use std::sync::RwLock;
 use std::time::Duration;
 
@@ -39,6 +40,8 @@ const IC_STATE_ROOT_DOMAIN_SEPARATOR: &[u8; 14] = b"\x0Dic-state-root";
 const DER_PREFIX: &[u8; 37] = b"\x30\x81\x82\x30\x1d\x06\x0d\x2b\x06\x01\x04\x01\x82\xdc\x7c\x05\x03\x01\x02\x01\x06\x0c\x2b\x06\x01\x04\x01\x82\xdc\x7c\x05\x03\x02\x01\x03\x61\x00";
 const KEY_LENGTH: usize = 96;
 
+static INIT_BLS: Once = Once::new();
+
 /// A low level Agent to make calls to a Replica endpoint.
 ///
 /// ```ignore
@@ -118,7 +121,9 @@ impl Agent {
 
     /// Create an instance of an [`Agent`].
     pub fn new(config: AgentConfig) -> Result<Agent, AgentError> {
-        bls::init(); // todo where to put this? we need to call it once globally.
+        INIT_BLS.call_once(|| {
+            bls::init();
+        });
 
         let url = config.url;
         let mut tls_config = rustls::ClientConfig::new();

From ca1ad8ce068d5b7b5c1e958a16f7bf4f4fab5c3f Mon Sep 17 00:00:00 2001
From: Eric Swanson <eric.swanson@dfinity.org>
Date: Tue, 17 Nov 2020 17:36:13 -0800
Subject: [PATCH 6/9] Add doc comment for public fetch_root_key

---
 ic-agent/src/agent/mod.rs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ic-agent/src/agent/mod.rs b/ic-agent/src/agent/mod.rs
index dd56e8a3..26f63af7 100644
--- a/ic-agent/src/agent/mod.rs
+++ b/ic-agent/src/agent/mod.rs
@@ -153,6 +153,8 @@ impl Agent {
         })
     }
 
+    /// Fetch the root key from the status endpoint.
+    /// It is not necessary to call this when communicating with "the" Internet Computer.
     pub async fn fetch_root_key(&self) -> Result<(), AgentError> {
         let status = self.status().await?;
         let root_key = status.root_key.ok_or_else(AgentError::NoRootKeyInStatus)?;

From 1d3747a92b9d42fcf8ab30adb22e360bd609a144 Mon Sep 17 00:00:00 2001
From: Eric Swanson <eric.swanson@dfinity.org>
Date: Tue, 17 Nov 2020 17:59:49 -0800
Subject: [PATCH 7/9] re-ignore management test

---
 ref-tests/tests/ic-ref.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ref-tests/tests/ic-ref.rs b/ref-tests/tests/ic-ref.rs
index a5330db8..1454a93b 100644
--- a/ref-tests/tests/ic-ref.rs
+++ b/ref-tests/tests/ic-ref.rs
@@ -91,7 +91,7 @@ mod management_canister {
         }
     }
 
-    //#[ignore]
+    #[ignore]
     #[test]
     fn management() {
         with_agent(|agent| async move {

From b4e2b21b3089bf0abc7f40e8803215b1c888f87b Mon Sep 17 00:00:00 2001
From: Eric Swanson <eric.swanson@dfinity.org>
Date: Tue, 17 Nov 2020 18:20:00 -0800
Subject: [PATCH 8/9] Error reporting for the BLS library

---
 ic-agent/src/agent/agent_error.rs |  3 +++
 ic-agent/src/agent/mod.rs         | 18 +++++++++++++++---
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/ic-agent/src/agent/agent_error.rs b/ic-agent/src/agent/agent_error.rs
index 981e23a3..9deabc5d 100644
--- a/ic-agent/src/agent/agent_error.rs
+++ b/ic-agent/src/agent/agent_error.rs
@@ -92,6 +92,9 @@ pub enum AgentError {
 
     #[error("The status response did not contain a root key")]
     NoRootKeyInStatus(),
+
+    #[error("Failed to initialize the BLS library")]
+    BlsInitializationFailure(),
 }
 
 impl PartialEq for AgentError {
diff --git a/ic-agent/src/agent/mod.rs b/ic-agent/src/agent/mod.rs
index 26f63af7..3233933a 100644
--- a/ic-agent/src/agent/mod.rs
+++ b/ic-agent/src/agent/mod.rs
@@ -121,9 +121,7 @@ impl Agent {
 
     /// Create an instance of an [`Agent`].
     pub fn new(config: AgentConfig) -> Result<Agent, AgentError> {
-        INIT_BLS.call_once(|| {
-            bls::init();
-        });
+        initialize_bls()?;
 
         let url = config.url;
         let mut tls_config = rustls::ClientConfig::new();
@@ -498,6 +496,20 @@ impl Agent {
     }
 }
 
+fn initialize_bls() -> Result<(), AgentError> {
+    let mut init_err = None;
+    INIT_BLS.call_once(|| {
+        if bls::init() != bls::BLS_OK {
+            init_err = Some(AgentError::BlsInitializationFailure());
+        }
+    });
+    if let Some(init_err) = init_err {
+        Err(init_err)
+    } else {
+        Ok(())
+    }
+}
+
 fn extract_der(buf: Vec<u8>) -> Result<Vec<u8>, AgentError> {
     let expected_length = DER_PREFIX.len() + KEY_LENGTH;
     if buf.len() != expected_length {

From d8d2649ad0e4e8bb5328d5e97b6705c5275afe7a Mon Sep 17 00:00:00 2001
From: Eric Swanson <eric.swanson@dfinity.org>
Date: Tue, 17 Nov 2020 18:20:18 -0800
Subject: [PATCH 9/9] Update doc tests?

---
 ic-agent/src/agent/mod.rs | 1 +
 ic-agent/src/lib.rs       | 1 +
 2 files changed, 2 insertions(+)

diff --git a/ic-agent/src/agent/mod.rs b/ic-agent/src/agent/mod.rs
index 3233933a..98f0d2d0 100644
--- a/ic-agent/src/agent/mod.rs
+++ b/ic-agent/src/agent/mod.rs
@@ -75,6 +75,7 @@ static INIT_BLS: Once = Once::new();
 ///     .with_url(URL)
 ///     .with_identity(create_identity())
 ///     .build()?;
+///   agent.fetch_root_key().await?;
 ///   let management_canister_id = Principal::from_text("aaaaa-aa")?;
 ///
 ///   let waiter = delay::Delay::builder()
diff --git a/ic-agent/src/lib.rs b/ic-agent/src/lib.rs
index 4ae514b8..09b6a722 100644
--- a/ic-agent/src/lib.rs
+++ b/ic-agent/src/lib.rs
@@ -57,6 +57,7 @@
 //!     .with_url(URL)
 //!     .with_identity(create_identity())
 //!     .build()?;
+//!   agent.fetch_root_key().await?;
 //!   let management_canister_id = Principal::from_text("aaaaa-aa")?;
 //!
 //!   let waiter = delay::Delay::builder()