Ledger backend is not on par with tendermint votes/proposals

[adrianbrink]

This seems to be a larger problem with the KMS implementation. Currently the sign_bytes that are returned in session.rs/sign() change depending on whether the KMS is compiled with the YubiHSM backend or the Ledger backend. This should never be the case since the KMS should be agnostic to the backend being used.

So I've added logging after the sign_bytes method in called in session.rs/sign(). With the YubiHSM it results in
Proposal: 119
Prevote: 109 or 110
Precommit: 109 or 110

With the ledger it results in:
Proposal: 120
Prevote: 37

However the sign() method is called before it ever reaches any specific backend HSM. One reason for these errors could be that due to the conditional compilation with "--features" the KMS generates different data depending on which features are turned on.

@tarcieri @liamsi I have no idea why this happens. With the Yubi HSM it works fine and sign_bytes returns the correct values, whereas if you don't compile with yubihsm the returned sign_bytes are wrong.

The second issue here is that the Ledger validator application does not expect these sign_bytes, since they are divergent from the specification. The reason why this only appears with the ledger is that the YubiHSM will just sign whatever it is given, but the ledger actually decodes the bytes. @jleni

[adrianbrink]

I've managed to get the same sign bytes for SignProposal if I add ledger and yubihsm to the default features. The ones for SignVote are still different.

13:18:53 [DEBUG] tmkms::session: started handling request ...
13:18:54 [DEBUG] tmkms::session: got sign proposal request
13:18:54 [DEBUG] tmkms::session: got sign request
13:18:54 [DEBUG] tmkms::session: sign_bytes for request: [119, 8, 32, 17, 1, 0, 0, 0, 0, 0, 0, 0, 33, 255, 255, 255, 255, 255, 255, 255, 255, 42, 72, 10, 32, 191, 103, 198, 145, 194, 126, 71, 202, 43, 138, 157, 77, 130, 186, 161, 188, 97,
 53, 37, 92, 124, 110, 78, 222, 47, 18, 148, 103, 202, 210, 142, 122, 18, 36, 10, 32, 229, 245, 202, 169, 32, 97, 200, 158, 211, 240, 106, 182, 197, 35, 14, 157, 114, 199, 37, 118, 2, 22, 36, 232, 216, 110, 41, 153, 215, 79, 219, 39, 16,
1, 50, 12, 8, 190, 213, 149, 227, 5, 16, 248, 190, 156, 140, 3, 58, 9, 116, 101, 115, 116, 45, 121, 117, 98, 105]
13:18:54 [DEBUG] tmkms::keyring: Successfully got signer and now trying to sign message
Ledger is trying to sign: [119, 8, 32, 17, 1, 0, 0, 0, 0, 0, 0, 0, 33, 255, 255, 255, 255, 255, 255, 255, 255, 42, 72, 10, 32, 191, 103, 198, 145, 194, 126, 71, 202, 43, 138, 157, 77, 130, 186, 161, 188, 97, 53, 37, 92, 124, 110, 78, 222,
 47, 18, 148, 103, 202, 210, 142, 122, 18, 36, 10, 32, 229, 245, 202, 169, 32, 97, 200, 158, 211, 240, 106, 182, 197, 35, 14, 157, 114, 199, 37, 118, 2, 22, 36, 232, 216, 110, 41, 153, 215, 79, 219, 39, 16, 1, 50, 12, 8, 190, 213, 149, 22
7, 5, 16, 248, 190, 156, 140, 3, 58, 9, 116, 101, 115, 116, 45, 121, 117, 98, 105]
Received an error
13:18:54 [ERROR] [test-yubi@tcp://127.0.0.1:26658] signing operation failed: received an invalid signature: received an invalid signature
13:18:55 [INFO] KMS node ID: 3DD79F0F25B3F71423DABEF47F43BAF3ABEEC68B
13:18:55 [DEBUG] tmkms::session: test-yubi: Connecting to 127.0.0.1:26658...
13:18:55 [INFO] [test-yubi@tcp://127.0.0.1:26658] connected to validator successfully

sign_bytes for SignProposal with the Yubi:

[119, 8, 32, 17, 1, 0, 0, 0, 0, 0, 0, 0, 33, 255, 255, 255, 255, 255, 255, 255, 255, 42, 72, 10, 32, 109, 184, 47, 185, 69, 249, 99, 187, 134, 206, 136, 198, 23, 145, 171, 194, 52,
8, 17, 118, 206, 143, 191, 25, 150, 215, 173, 178, 131, 254, 28, 94, 18, 36, 10, 32, 148, 8, 254, 116, 222, 40, 160, 178, 114, 15, 62, 50, 10, 187, 33, 66, 206, 190, 39, 140, 25, 50, 56, 61, 158, 0, 54, 81, 122, 146, 19, 15, 16, 1, 50, 12
, 8, 230, 185, 149, 227, 5, 16, 240, 150, 158, 195, 3, 58, 9, 116, 101, 115, 116, 45, 121, 117, 98, 105]

sign_bytes for SignProposal with the Ledger given that all yubihsm stuff is compiled as well:

[119, 8, 32, 17, 1, 0, 0, 0, 0, 0, 0, 0, 33, 255, 255, 255, 255, 255, 255, 255, 255, 42, 72, 10, 32, 191, 103, 198, 145, 194, 126, 71, 202, 43, 138, 157, 77, 130, 186, 161, 188, 97,
 53, 37, 92, 124, 110, 78, 222, 47, 18, 148, 103, 202, 210, 142, 122, 18, 36, 10, 32, 229, 245, 202, 169, 32, 97, 200, 158, 211, 240, 106, 182, 197, 35, 14, 157, 114, 199, 37, 118, 2, 22, 36, 232, 216, 110, 41, 153, 215, 79, 219, 39, 16,
1, 50, 12, 8, 190, 213, 149, 227, 5, 16, 248, 190, 156, 140, 3, 58, 9, 116, 101, 115, 116, 45, 121, 117, 98, 105]

However on the above sign_bytes the ledger fails as you can see from the first log from tmkms.

[adrianbrink]

However for SignVote with compiled ledger and yubihsm features the sign_bytes are wrong.

13:18:57 [DEBUG] tmkms::session: got sign vote request
13:18:57 [DEBUG] tmkms::session: got sign request
13:18:57 [DEBUG] tmkms::session: sign_bytes for request: [36, 8, 1, 17, 1, 0, 0, 0, 0, 0, 0, 0, 42, 12, 8, 193, 213, 149, 227, 5, 16, 176, 252, 185, 140, 3, 50, 9, 116, 101, 115, 116, 45, 121, 117, 98, 105]
13:18:57 [DEBUG] tmkms::keyring: Successfully got signer and now trying to sign message
Ledger is trying to sign: [36, 8, 1, 17, 1, 0, 0, 0, 0, 0, 0, 0, 42, 12, 8, 193, 213, 149, 227, 5, 16, 176, 252, 185, 140, 3, 50, 9, 116, 101, 115, 116, 45, 121, 117, 98, 105]
Received an error
13:18:57 [ERROR] [test-yubi@tcp://127.0.0.1:26658] signing operation failed: received an invalid signature: received an invalid signature
13:18:58 [INFO] KMS node ID: 3DD79F0F25B3F71423DABEF47F43BAF3ABEEC68B

I can't explain why the conditional compilation of the yubihsm or the ledger would cause different sign_bytes to appear.

[jleni]

Yes, but still.. that first byte is unexpected and out of spec.
I am looking at tendermint-rs right now.

[adrianbrink]

Oh 119 is not in the spec?

[jleni]

well.. at least the spec for how votes/proposals where going to be serialized.
https://github.com/cosmos/ledger-cosmos/blob/aaae52d2692a586eae171577152378c3b756593f/tests/val/vote_parser.cpp#L83

The ledger will expect field_number and later content

[liamsi]

It seems like the ledger test-vectors are not up to date. That is easy to fix. The other problem (sign bytes seem to differ depending on if compiled with yubihsm or not) is rather mysterious tho.

[jleni]

Ok, the issue is now clear :)
When serializing, the code is using cp.encode_length_delimited(sign_bytes)?;
so the first "magic" byte is the number of bytes.
we need to drop that when sending to the HSMs

[jleni]

The issue is in this line
https://github.com/tendermint/kms/blob/752184b5bfa139cde4c9013d836e0f3cda897110/tendermint-rs/src/amino_types/proposal.rs#L118

[jleni]

I will write a fix + additional test and check other types too.

[liamsi]

OK, wait: In the test-vectors you've linked MarshalBinaryBare is used (see https://github.com/tendermint/tendermint/blob/28d75ec8016b7fb043735cbe4c4d92ec73355de7/types/vote_test.go#L99-L138), the actual sign-bytes use

func (vote *Vote) SignBytes(chainID string) []byte {
	bz, err := cdc.MarshalBinaryLengthPrefixed(CanonicalizeVote(chainID, vote))
	if err != nil {
		panic(err)
	}
	return bz
}

which corresponds to encode_length_delimited (see: https://github.com/tendermint/tendermint/blob/28d75ec8016b7fb043735cbe4c4d92ec73355de7/types/vote.go#L72-L78).

[jleni]

ok, so should I then update the test vectors and the spec for the ledger app?

[liamsi]

Yes, sorry that the test vectors skip the length. I think initially they were length encoded. Must have been changed in PR (in tm).

[adrianbrink]

This is amazing. Thank you very much for looking into this.

@liamsi What is the best way to investigate why the YubiHSM feature is needed for correct compilation?