Provide salt to c10l deploys

packages/client/test/browser/e2e/index.html

@@ -54,7 +54,7 @@
             bytecode,
             arguments: [],
             // TODO: make confidential once we have the new runtime.
-            header: { confidential: false },
+            header: { salt_if_confidential: null },
             coder: test.coder,
             gateway: test.gateway,
           });

packages/client/test/browser/service/index.html

@@ -102,9 +102,20 @@
             return { publicKey: keys.peerPublicKey.bytes };
           }
           async getCode(request) {
-            // Just return any bytecode with the deploy header with confidential === true.
+            // Just return any bytecode with the deploy header with `saltIfConfidential` set
+            const prefix = '00736973'; // \0sis
+            const saltIfConfidential = [];
+            saltIfConfidential.length = 32;
+            saltIfConfidential.fill(1);
+            const headerStr = JSON.stringify({ saltIfConfidential });
+            const headerVersion = (1).toString(16).padStart(4, '0');
+            const header = oasis.utils.bytes.toHex(new TextEncoder().encode(headerStr));
+            const headerLength = headerStr.length.toString(16).padStart(4, '0');
+            const body = '0102039999816f636f6e7374727563746f722d617267';
             return {
-              code: new Uint8Array(oasis.utils.bytes.parseHex('0x00736973000100247b22636f6e666964656e7469616c223a747275652c22657870697279223a31323334357d0102039999816f636f6e7374727563746f722d617267'))
+              code: oasis.utils.bytes.parseHex(
+                `${prefix}${headerVersion}${headerLength}${header.slice(2)}${body}`
+              )
             };
           }
           hasSigner() {
@@ -153,7 +164,7 @@
         let nonConfidentialTest = {
           gateway: (resolve) => new RequestMockOasisGateway(resolve),
           db: () => new DummyStorage(),
-          coder: new oasis.utils.OasisCoder.plaintext(),
+          coder: oasis.utils.OasisCoder.plaintext(),
         };
         // Confidential test case.
         let confidentialTest = {
@@ -168,7 +179,7 @@
             }));
             return db;
           },
-          coder: new oasis.utils.OasisCoder.confidential({
+          coder: oasis.utils.OasisCoder.confidential({
             publicKey: keys.peerPublicKey,
             privateKey: keys.peerPrivateKey,
             peerPublicKey: keys.publicKey,

packages/client/test/e2e/app/service.spec.ts

@@ -1,3 +1,5 @@
+import { randomBytes } from 'tweetnacl';
+
 import oasis from '../../../src/';
 
 const process = require('process');
@@ -13,12 +15,12 @@ describe('Counter', () => {
   const cases = [
     {
       label: 'confidential',
-      header: { confidential: true },
+      header: { saltIfConfidential: randomBytes(32) },
       options: { gasLimit: '0xe79732' },
     },
     {
       label: 'non-confidential',
-      header: { confidential: false },
+      header: {},
       options: {},
     },
   ];

packages/service/src/deploy/header.ts

@@ -1,8 +1,10 @@
 import { bytes } from '@oasislabs/common';
 
+export const SALT_NUM_BYTES = 32;
+
 export type DeployHeaderOptions = {
   expiry?: number;
-  confidential?: boolean;
+  saltIfConfidential?: Uint8Array | null;
 };
 
 export class DeployHeaderError extends Error {}
@@ -13,7 +15,7 @@ export class DeployHeader {
   /**
    * @param {Number} version is the header version number.
    * @param {Object} is the header body with two fields, expiry (Number)
-   *        and confidential (boolean).
+   *        and saltIfConfidential (boolean).
    */
   constructor(public version: number, public body: DeployHeaderOptions) {}
 
@@ -98,7 +100,7 @@ export class DeployHeader {
    * @returns true iff the keys in the headerBody are part of the valid set.
    */
   public static isValidBody(headerBody: DeployHeaderOptions): boolean {
-    const validKeys = ['expiry', 'confidential'];
+    const validKeys = ['expiry', 'saltIfConfidential'];
 
     const keys = Object.keys(headerBody);
     for (let k = 0; k < keys.length; k += 1) {

packages/service/src/deploy/index.ts

@@ -1,3 +1,4 @@
+import nacl from 'tweetnacl';
 import { Address, Db, bytes } from '@oasislabs/common';
 
 import { Service } from '../service';
@@ -7,7 +8,7 @@ import {
   RpcOptions,
   defaultOasisGateway,
 } from '../oasis-gateway';
-import { DeployHeader, DeployHeaderOptions } from './header';
+import { DeployHeader, DeployHeaderOptions, SALT_NUM_BYTES } from './header';
 import { OasisCoder } from '../coder/oasis';
 import { RpcCoder } from '../coder';
 import { DeployError } from '../error';
@@ -130,7 +131,9 @@ async function toDeployOptions(
  *          filling in any left out options with the default header.
  */
 function deployHeader(options: DeployOptions): DeployHeaderOptions {
-  const defaultHeader = { confidential: true };
+  const defaultHeader = {
+    saltIfConfidential: nacl.randomBytes(SALT_NUM_BYTES),
+  };
   return Object.assign(defaultHeader, options.header);
 }
 
@@ -168,7 +171,7 @@ function oasisGateway(options: DeployOptions): OasisGateway {
  */
 function validateDeployOptions(deployOptions: DeployOptions, args: any[]) {
   if (
-    deployOptions.header!.confidential &&
+    deployOptions.header!.saltIfConfidential &&
     (!deployOptions.options || !deployOptions.options.gasLimit)
   ) {
     throw new DeployError(

packages/service/src/rpc.ts

@@ -187,7 +187,7 @@ export class RpcFactory {
 
     const deployHeader = DeployHeader.parseFromCode(response.code);
 
-    if (!deployHeader || !deployHeader.body.confidential) {
+    if (!deployHeader || !deployHeader.body.saltIfConfidential) {
       return OasisCoder.plaintext();
     }
 

packages/service/test/deploy-header.spec.ts

@@ -1,3 +1,4 @@
+import { randomBytes } from 'tweetnacl';
 import { bytes } from '@oasislabs/common';
 import { DeployHeader } from '../src/deploy/header';
 import { makeExpectedBytecode } from './utils';
@@ -8,25 +9,25 @@ describe('DeployHeader', () => {
       {
         description: 'errors when writing a deploy header to empty bytecode',
         bytecode: new Uint8Array(),
-        header: { expiry: 100000, confidential: false },
+        header: { expiry: 100000, saltIfConfidential: null },
         error: 'Malformed deploycode',
       },
       {
         description: 'errors when writing an invalid deploy header',
         bytecode: bytes.parseHex('0x1234'),
-        header: { invalid: 1234, expiry: 100000, confidential: false },
+        header: { invalid: 1234, expiry: 100000 },
         error: 'Malformed deploycode',
       },
       {
         description:
           'errors when writing to bytecode that already has an invalid header',
         bytecode: makeExpectedBytecode(
-          { expiry: 100000, confidential: false, badkey: true },
+          { expiry: 100000, saltIfConfidential: null, badkey: true },
           '1234'
         ),
-        header: { expiry: 100000, confidential: false },
+        header: { expiry: 100000, saltIfConfidential: null },
         error:
-          'Invalid body {"expiry":100000,"confidential":false,"badkey":true}',
+          'Invalid body {"expiry":100000,"saltIfConfidential":null,"badkey":true}',
       },
     ];
 
@@ -38,6 +39,8 @@ describe('DeployHeader', () => {
       });
     });
 
+    const saltIfConfidential = randomBytes(32);
+
     const successTests = [
       {
         description: 'does not change the bytecode if the header is empty',
@@ -48,18 +51,15 @@ describe('DeployHeader', () => {
       {
         description: 'writes a deploy header to non-empty bytecode',
         bytecode: bytes.parseHex('0x1234'),
-        header: { expiry: 100000, confidential: false },
-        expected: makeExpectedBytecode(
-          { expiry: 100000, confidential: false },
-          '1234'
-        ),
+        header: { expiry: 100000 },
+        expected: makeExpectedBytecode({ expiry: 100000 }, '1234'),
       },
       {
         description:
           'overwrites a deploy header to non-empty bytecode with an existing confidential header',
-        bytecode: makeExpectedBytecode({ confidential: false }, '1234'),
-        header: { confidential: true },
-        expected: makeExpectedBytecode({ confidential: true }, '1234'),
+        bytecode: makeExpectedBytecode({}, '1234'),
+        header: { saltIfConfidential },
+        expected: makeExpectedBytecode({ saltIfConfidential }, '1234'),
       },
       {
         description:
@@ -71,24 +71,21 @@ describe('DeployHeader', () => {
       {
         description:
           'overwrites a deploy header to non-empty bytecode with an existing expiry and confidential header',
-        bytecode: makeExpectedBytecode(
-          { expiry: 100000, confidential: false },
-          '1234'
-        ),
-        header: { expiry: 100001, confidential: true },
+        bytecode: makeExpectedBytecode({ expiry: 100000 }, '1234'),
+        header: { expiry: 100001, saltIfConfidential },
         expected: makeExpectedBytecode(
-          { expiry: 100001, confidential: true },
+          { expiry: 100001, saltIfConfidential },
           '1234'
         ),
       },
     ];
 
     successTests.forEach(test => {
-      it(test.description, function() {
-        const data = DeployHeader.deployCode(
+      it(test.description, async function() {
+        const data = (await DeployHeader.deployCode(
           test.header,
           test.bytecode
-        ) as Uint8Array;
+        )) as Uint8Array;
         expect(data).toEqual(test.expected);
       });
     });

packages/service/test/deploy.spec.ts

@@ -1,3 +1,4 @@
+import { randomBytes } from 'tweetnacl';
 import { cbor, bytes } from '@oasislabs/common';
 import { idl } from '@oasislabs/test';
 import {
@@ -7,7 +8,11 @@ import {
 } from './utils';
 import { deploy } from '../src/index';
 import { RpcRequest, setGateway } from '../src/oasis-gateway';
-import { DeployHeaderReader } from '../src/deploy/header';
+import {
+  DeployHeaderReader,
+  DeployHeaderOptions,
+  SALT_NUM_BYTES,
+} from '../src/deploy/header';
 
 setGateway(new EmptyOasisGateway());
 
@@ -27,12 +32,15 @@ describe('Service deploys', () => {
     },
     {
       bytecode: bytes.parseHex('0x0102039999'),
-      header: { confidential: false },
+      header: { saltIfConfidential: null },
       label: 'deploys a service without confidentiality',
     },
     {
       bytecode: bytes.parseHex('0x0102039999'),
-      header: { confidential: true, expiry: 12345 },
+      header: {
+        saltIfConfidential: randomBytes(SALT_NUM_BYTES),
+        expiry: 12345,
+      },
       label: 'deploys a service with expiry',
       gasLimit: '0xffff',
     },
@@ -69,7 +77,10 @@ describe('Service deploys', () => {
       // Check header.
       const header = DeployHeaderReader.header(deployCode);
       // Should have used the default header since we didn't specify one.
-      const expectedHeader = { version: 1, body: { confidential: true } };
+      const expectedHeader: { version: number; body: DeployHeaderOptions } = {
+        version: 1,
+        body: { saltIfConfidential: header?.body.saltIfConfidential },
+      };
       if (test.header !== undefined) {
         expectedHeader.body = test.header!;
       }

packages/service/test/service.spec.ts

@@ -121,12 +121,14 @@ describe('Service', () => {
     const address = '0x288e7e1cc60962f40d4d782950470e3705c5acf4';
     const bin = bytes.toHex(
       new Uint8Array(
-        require('fs').readFileSync('test/wasm/mantle-counter.wasm')
+        await require('fs').promises.readFile('test/wasm/mantle-counter.wasm')
       )
     );
     const gateway = {
-      getCode: () => {
-        return { code: makeExpectedBytecode({ confidential: false }, bin) };
+      async getCode(): Promise<any> {
+        return {
+          code: makeExpectedBytecode({ saltIfConfidential: null }, bin),
+        };
       },
     };
     // @ts-ignore