From c07aead1946d5be91c5ee668db919d66b93eb52c Mon Sep 17 00:00:00 2001
From: Joy Wang <108701016+joyqvq@users.noreply.github.com>
Date: Fri, 13 Mar 2026 11:06:07 +0800
Subject: [PATCH 1/3] [key server] reject account alias address

---
 crates/key-server/src/server.rs | 46 +++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/crates/key-server/src/server.rs b/crates/key-server/src/server.rs
index 68cdcf07d..83c55a378 100644
--- a/crates/key-server/src/server.rs
+++ b/crates/key-server/src/server.rs
@@ -35,6 +35,8 @@ use jsonrpsee::types::error::{INVALID_PARAMS_CODE, METHOD_NOT_FOUND_CODE};
 use key_server_options::KeyServerOptions;
 use master_keys::MasterKeys;
 use metrics::metrics_middleware;
+use move_core_types::identifier::Identifier;
+use move_core_types::language_storage::{StructTag, TypeTag};
 use mysten_service::get_mysten_service;
 use mysten_service::metrics::start_prometheus_server;
 use mysten_service::package_name;
@@ -55,6 +57,7 @@ use std::net::{IpAddr, Ipv4Addr, SocketAddr};
 use std::sync::atomic::Ordering;
 use std::sync::{Arc, RwLock};
 use sui_rpc::client::Client as SuiGrpcClient;
+use sui_rpc::proto::sui::rpc::v2::GetObjectRequest;
 use sui_rpc_client::{RpcError, SuiRpcClient};
 use sui_sdk::error::Error;
 use sui_sdk::rpc_types::{SuiExecutionStatus, SuiTransactionBlockEffectsAPI};
@@ -64,6 +67,7 @@ use sui_sdk::types::transaction::{ProgrammableTransaction, TransactionData, Tran
 use sui_sdk::verify_personal_message_signature::verify_personal_message_signature;
 use sui_sdk::SuiClientBuilder;
 use sui_sdk_types::Address;
+use sui_types::{derived_object, SUI_ADDRESS_ALIAS_STATE_OBJECT_ID, SUI_FRAMEWORK_ADDRESS};
 use tap::tap::TapFallible;
 use tap::Tap;
 use tokio::sync::watch::Receiver;
@@ -140,6 +144,37 @@ struct Server {
 options: KeyServerOptions,
 }

+async fn has_address_aliases(
+ client: &mut SuiGrpcClient,
+ address: SuiAddress,
+) -> Result {
+ let alias_key_type = TypeTag::Struct(Box::new(StructTag {
+ address: SUI_FRAMEWORK_ADDRESS,
+ module: Identifier::new("address_alias").unwrap(),
+ name: Identifier::new("AliasKey").unwrap(),
+ type_params: vec![],
+ }));
+
+ let key_bytes = bcs::to_bytes(&address).unwrap();
+ let address_aliases_id = derived_object::derive_object_id(
+ SuiAddress::from(SUI_ADDRESS_ALIAS_STATE_OBJECT_ID),
+ &alias_key_type,
+ &key_bytes,
+ )
+ .map_err(|_| InternalError::InvalidSignature)?;
+
+ // Convert ObjectID to Address for gRPC request
+ let address_id = Address::from_bytes(address_aliases_id.into_bytes())
+ .map_err(|_| InternalError::InvalidSignature)?;
+
+ let request = GetObjectRequest::default().with_object_id(address_id.to_string());
+
+ match client.ledger_client().get_object(request).await {
+ Ok(_) => Ok(true),
+ Err(_) => Ok(false),
+ }
+}
+
 impl Server {
 /// Check if the server is in committee mode.
 fn is_committee_mode(&self) -> bool {
@@ -303,6 +338,17 @@ impl Server {
 "Checking signature on message: {:?} (req_id: {:?})",
 msg, req_id
 );
+
+ // Check if the address has aliases enabled - if so, reject verification
+ let mut grpc_client = self.sui_rpc_client.sui_grpc_client();
+ if has_address_aliases(&mut grpc_client, cert.user).await? {
+ debug!(
+ "Address has aliases enabled, rejecting signature verification (req_id: {:?})",
+ req_id
+ );
+ return Err(InternalError::InvalidSignature);
+ }
+
 verify_personal_message_signature(
 cert.signature.clone(),
 msg.as_bytes(),

From f50d60e681a33f64731908c7e2779ea74ac91d6a Mon Sep 17 00:00:00 2001
From: Joy Wang <108701016+joyqvq@users.noreply.github.com>
Date: Fri, 13 Mar 2026 22:39:33 +0800
Subject: [PATCH 2/3] handle error

---
 crates/key-server/src/server.rs | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)
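Review bot: In `has_address_aliases`, a failure of `derive_object_id` or `Address::from_bytes` is mapped to `InternalError::InvalidSignature`, so a server-side derivation fault is reported to the client, and to anyone reading error counts, as a bad signature. Prefer an internal error for both, e.g. `.map_err(|_| InternalError::Failure("failed to derive address alias object id".to_string()))?`, assuming `Failure` carries a `String` as its use later in this series suggests. The three `unwrap()` calls (`Identifier::new("address_alias")`, `Identifier::new("AliasKey")`, `bcs::to_bytes(&address)`) sit on the request path; `expect("static Move identifier is valid")` would state why they cannot fail. The function also lacks a doc comment saying that the mere existence of the derived alias object is what is treated as "aliases enabled".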
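Review bot: The alias lookup in the `@@ -303` hunk runs before `verify_personal_message_signature`, so every request reaching this point, including ones whose signature would fail the local check, costs a gRPC `get_object` call to the full node. If the signature check does not itself depend on alias state, running it first and doing the lookup only for certificates that verify would keep unauthenticated traffic from driving upstream load; the enclosing function continues outside the hunk, so confirm nothing below relies on the current order. The rejection is also logged only at `debug!` and returns the same `InvalidSignature` as a genuinely bad signature, which makes alias-based rejections hard to tell apart in production logs; `warn!` or a dedicated counter would help.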
diff --git a/crates/key-server/src/server.rs b/crates/key-server/src/server.rs
index 83c55a378..fc9cfde82 100644
--- a/crates/key-server/src/server.rs
+++ b/crates/key-server/src/server.rs
@@ -72,6 +72,7 @@ use tap::tap::TapFallible;
 use tap::Tap;
 use tokio::sync::watch::Receiver;
 use tokio::task::JoinHandle;
+use tonic::Code;
 use tower_http::cors::{Any, CorsLayer};
 use tower_http::limit::RequestBodyLimitLayer;
 use tracing::{debug, error, info, warn};
@@ -171,7 +172,11 @@ async fn has_address_aliases(

 match client.ledger_client().get_object(request).await {
 Ok(_) => Ok(true),
- Err(_) => Ok(false),
+ Err(e) if e.code() == Code::NotFound => Ok(false),
+ Err(e) => Err(InternalError::Failure(format!(
+ "Failed to check address aliases: {}",
+ e
+ ))),
 }
 }

@@ -341,12 +346,21 @@ impl Server {

 // Check if the address has aliases enabled - if so, reject verification
 let mut grpc_client = self.sui_rpc_client.sui_grpc_client();
- if has_address_aliases(&mut grpc_client, cert.user).await? {
- debug!(
- "Address has aliases enabled, rejecting signature verification (req_id: {:?})",
- req_id
- );
- return Err(InternalError::InvalidSignature);
+ match has_address_aliases(&mut grpc_client, cert.user).await {
+ Ok(true) => {
+ debug!(
+ "Address has aliases enabled, rejecting signature verification (req_id: {:?})",
+ req_id
+ );
+ return Err(InternalError::InvalidSignature);
+ }
+ Ok(false) => {} // no alias
+ Err(e) => {
+ warn!(
+ "Failed to check address aliases, allowing request (req_id: {:?}): {:?}",
+ req_id, e
+ );
+ }
 }

 verify_personal_message_signature(

From e8a7e90539486ae1ff12bc152fb511aa3f9cf31f Mon Sep 17 00:00:00 2001
From: Joy Wang <108701016+joyqvq@users.noreply.github.com>
Date: Sat, 14 Mar 2026 09:07:35 +0800
Subject: [PATCH 3/3] return error if get alias has internal error

---
 crates/key-server/src/server.rs | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
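Review bot: In the `@@ -171` hunk, the new `Err(e) => Err(InternalError::Failure(format!(...)))` arm embeds the upstream gRPC status text in the returned error. If the `Failure` message is serialized back to API clients (not visible here), full-node error details reach callers, so log the status server-side and return a fixed message instead. The `Code::NotFound => Ok(false)` arm treats a missing object as "no aliases", which is only as trustworthy as the node answering; a node that is behind might presumably also answer NotFound, so a comment such as `// NotFound = alias object never created; assumes a synced full node` would record that dependency. The function starts outside this hunk.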
diff --git a/crates/key-server/src/server.rs b/crates/key-server/src/server.rs
index fc9cfde82..97ad58c2c 100644
--- a/crates/key-server/src/server.rs
+++ b/crates/key-server/src/server.rs
@@ -356,10 +356,7 @@ impl Server {
 }
 Ok(false) => {} // no alias
 Err(e) => {
- warn!(
- "Failed to check address aliases, allowing request (req_id: {:?}): {:?}",
- req_id, e
- );
+ return Err(e);
 }
 }

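Review bot: The `Err(e)` arm now fails closed but drops the only log line that tied an alias-lookup failure to `req_id`, so an upstream outage shows up as rejected requests with no trace at this call site. Keep the log while returning, e.g. `warn!("Failed to check address aliases, rejecting request (req_id: {:?}): {:?}", req_id, e);` placed before `return Err(e);`. Because every key request now depends on this lookup succeeding, it is worth confirming that the `get_object` call has a bounded timeout; none is visible in this series. The enclosing `match` starts outside the hunk.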