Pqc falcon512#28
Open
Federico2014 wants to merge 4 commits into
Open
Conversation
The inline fully-qualified java.util.Set / HashSet in validatePQSignature was a leftover from avoiding new imports. Standard JLS / Checkstyle style expects imports for non-conflicting JDK types. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replace the two parallel List<String> fields on LocalWitnesses (pqPrivateKeys / pqPublicKeys) with a single List<PqKeypair> so the index-alignment invariant is enforced by construction rather than by runtime size-mismatch checks. - chainbase: new PqKeypair (Lombok @value) + LocalWitnesses uses it - framework: Args parses extended-hex entries directly into PqKeypair; WitnessInitializer / ConsensusService / RelayService consume pairs - test: rewritten to construct PqKeypair instances; the mismatched-list-size test is removed (impossible by construction) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…sactionSignWeight
Three changes in TransactionUtil.getTransactionSignWeight:
- PQ signature validation now only runs when isAnyPqSchemeAllowed() is
true, mirroring the rest of the PQ activation gating
- Switches to the renamed validatePQSignatureGetWeight API, which owns
its own signed-address dedup set internally (no more passing one in)
- Always emits approveList / currentWeight on the builder, even when
the transaction carries zero signatures of either kind
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…lowed
Thread DynamicPropertiesStore through BlockCapsule#hasWitnessSignature so
a PQ-only block only reads as signed once at least one PQ scheme has been
governance-activated; before activation, only legacy ECDSA counts.
In BlockCapsule#validateSignature, simplify the PQ path:
- drop the early "mutually exclusive" / "missing witness signature"
checks; if PQ is allowed and pq_auth_sig is set, validate PQ — else
fall through to legacy
- tighten the PQ match: derive(pk) must equal
AccountCapsule#getWitnessPermissionAddress() directly, no more
iterating Permission.keys[]
Update VMActuator and Manager call sites to pass the store, plus the two
test classes that hit the renamed method.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
3 issues found across 14 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="chainbase/src/main/java/org/tron/common/utils/PqKeypair.java">
<violation number="1" location="chainbase/src/main/java/org/tron/common/utils/PqKeypair.java:12">
P1: `@Value` generates `toString()` including `privateKey`, which can leak secret key material in logs. Exclude this field from `toString()` generation.</violation>
</file>
<file name="chainbase/src/main/java/org/tron/core/capsule/BlockCapsule.java">
<violation number="1" location="chainbase/src/main/java/org/tron/core/capsule/BlockCapsule.java:211">
P1: Missing null-check on witness account can throw NullPointerException during signature validation.</violation>
<violation number="2" location="chainbase/src/main/java/org/tron/core/capsule/BlockCapsule.java:259">
P1: PQ signature address matching is restricted to a single witness key, which can reject valid signatures from other configured witness permission keys.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Re-trigger cubic
| */ | ||
| @Value | ||
| public class PqKeypair { | ||
| String privateKey; |
There was a problem hiding this comment.
P1: @Value generates toString() including privateKey, which can leak secret key material in logs. Exclude this field from toString() generation.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At chainbase/src/main/java/org/tron/common/utils/PqKeypair.java, line 12:
<comment>`@Value` generates `toString()` including `privateKey`, which can leak secret key material in logs. Exclude this field from `toString()` generation.</comment>
<file context>
@@ -0,0 +1,14 @@
+ */
+@Value
+public class PqKeypair {
+ String privateKey;
+ String publicKey;
+}
</file context>
| matched = k; | ||
| break; | ||
| } | ||
| if (!Arrays.equals(derivedAddr, witnessPermissionAddress)) { |
There was a problem hiding this comment.
P1: PQ signature address matching is restricted to a single witness key, which can reject valid signatures from other configured witness permission keys.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At chainbase/src/main/java/org/tron/core/capsule/BlockCapsule.java, line 259:
<comment>PQ signature address matching is restricted to a single witness key, which can reject valid signatures from other configured witness permission keys.</comment>
<file context>
@@ -262,38 +249,22 @@ private boolean validatePQSignature(DynamicPropertiesStore dynamicPropertiesStor
- matched = k;
- break;
- }
+ if (!Arrays.equals(derivedAddr, witnessPermissionAddress)) {
+ throw new ValidateSignatureException(
+ "pq_auth_sig public key does not match witness permission address");
</file context>
| if (dynamicPropertiesStore.getAllowMultiSign() != 1) { | ||
| witnessPermissionAddress = witnessAccountAddress; | ||
| } else { | ||
| witnessPermissionAddress = accountStore.get(witnessAccountAddress) |
There was a problem hiding this comment.
P1: Missing null-check on witness account can throw NullPointerException during signature validation.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At chainbase/src/main/java/org/tron/core/capsule/BlockCapsule.java, line 211:
<comment>Missing null-check on witness account can throw NullPointerException during signature validation.</comment>
<file context>
@@ -203,41 +201,27 @@ private Sha256Hash getRawHash() {
+ if (dynamicPropertiesStore.getAllowMultiSign() != 1) {
+ witnessPermissionAddress = witnessAccountAddress;
+ } else {
+ witnessPermissionAddress = accountStore.get(witnessAccountAddress)
+ .getWitnessPermissionAddress();
}
</file context>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Why are these changes required?
This PR has been tested by:
Follow up
Extra details
Summary by cubic
Gate Falcon-512 (FN-DSA-512) signatures behind governance activation and bundle PQ priv/pub keys into a single
PqKeypair. This prevents config mistakes, tightens signature checks, and keeps legacy behavior until PQ is enabled.Refactors
PqKeypairand replaced parallel PQ key lists inLocalWitnesses;Argsnow parses extended hex entries into pairs; updatedWitnessInitializer.initFromPQOnly.ConsensusServiceandRelayServicenow consumeList<PqKeypair>for single/multi-witness setups.BlockCapsule: PQ validation runs only whenisAnyPqSchemeAllowed()is true; derived PQ public key address must equal the witness permission address;hasWitnessSignaturenow requiresDynamicPropertiesStore.TransactionUtil.getTransactionSignWeightgates PQ checks onisAnyPqSchemeAllowed(), usesTransactionCapsule.validatePQSignatureGetWeight, and always sets approve list and current weight.TransactionCapsule: renamed PQ validator tovalidatePQSignatureGetWeightand manages its own dedup set.VMActuator/ManagerpassDynamicPropertiesStore; CPU limit ratio helper now takesDynamicPropertiesStore.Migration
LocalWitnesses#getPqPrivateKeys()/getPqPublicKeys()withgetPqKeypairs().WitnessInitializer.initFromPQOnly(PQScheme, List<PqKeypair>, String),BlockCapsule#hasWitnessSignature(DynamicPropertiesStore),TransactionCapsule.validatePQSignatureGetWeight(...), andVMActuator#getCpuLimitInUsRatio(DynamicPropertiesStore).saveAllowFnDsa512(1)), preserving pre-activation semantics.Written for commit bd79efc. Summary will update on new commits. Review in cubic