Skip to content

[key server] reject account alias address #516

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
joyqvq merged 3 commits into from
Mar 17, 2026
Merged

[key server] reject account alias address #516

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
c07aead
[key server] reject account alias address
joyqvq Mar 13, 2026
f50d60e
handle error
joyqvq Mar 13, 2026
e8a7e90
return error if get alias has internal error
joyqvq Mar 14, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
57 changes: 57 additions & 0 deletions crates/key-server/src/server.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,8 @@ use jsonrpsee::types::error::{INVALID_PARAMS_CODE, METHOD_NOT_FOUND_CODE};
use key_server_options::KeyServerOptions;
use master_keys::MasterKeys;
use metrics::metrics_middleware;
use move_core_types::identifier::Identifier;
use move_core_types::language_storage::{StructTag, TypeTag};
use mysten_service::get_mysten_service;
use mysten_service::metrics::start_prometheus_server;
use mysten_service::package_name;
Expand All @@ -55,6 +57,7 @@ use std::net::{IpAddr, Ipv4Addr, SocketAddr};
use std::sync::atomic::Ordering;
use std::sync::{Arc, RwLock};
use sui_rpc::client::Client as SuiGrpcClient;
use sui_rpc::proto::sui::rpc::v2::GetObjectRequest;
use sui_rpc_client::{RpcError, SuiRpcClient};
use sui_sdk::error::Error;
use sui_sdk::rpc_types::{SuiExecutionStatus, SuiTransactionBlockEffectsAPI};
Expand All @@ -64,10 +67,12 @@ use sui_sdk::types::transaction::{ProgrammableTransaction, TransactionData, Tran
use sui_sdk::verify_personal_message_signature::verify_personal_message_signature;
use sui_sdk::SuiClientBuilder;
use sui_sdk_types::Address;
use sui_types::{derived_object, SUI_ADDRESS_ALIAS_STATE_OBJECT_ID, SUI_FRAMEWORK_ADDRESS};
use tap::tap::TapFallible;
use tap::Tap;
use tokio::sync::watch::Receiver;
use tokio::task::JoinHandle;
use tonic::Code;
use tower_http::cors::{Any, CorsLayer};
use tower_http::limit::RequestBodyLimitLayer;
use tracing::{debug, error, info, warn};
Expand Down Expand Up @@ -140,6 +145,41 @@ struct Server {
options: KeyServerOptions,
}

async fn has_address_aliases(
client: &mut SuiGrpcClient,
address: SuiAddress,
) -> Result<bool, InternalError> {
let alias_key_type = TypeTag::Struct(Box::new(StructTag {
address: SUI_FRAMEWORK_ADDRESS,
module: Identifier::new("address_alias").unwrap(),
name: Identifier::new("AliasKey").unwrap(),
type_params: vec![],
}));

let key_bytes = bcs::to_bytes(&address).unwrap();
let address_aliases_id = derived_object::derive_object_id(
SuiAddress::from(SUI_ADDRESS_ALIAS_STATE_OBJECT_ID),
&alias_key_type,
&key_bytes,
)
.map_err(|_| InternalError::InvalidSignature)?;

// Convert ObjectID to Address for gRPC request
let address_id = Address::from_bytes(address_aliases_id.into_bytes())
.map_err(|_| InternalError::InvalidSignature)?;

let request = GetObjectRequest::default().with_object_id(address_id.to_string());

match client.ledger_client().get_object(request).await {
Ok(_) => Ok(true),
Err(e) if e.code() == Code::NotFound => Ok(false),
Err(e) => Err(InternalError::Failure(format!(
"Failed to check address aliases: {}",
e
))),
}
}

impl Server {
/// Check if the server is in committee mode.
fn is_committee_mode(&self) -> bool {
Expand Down Expand Up @@ -303,6 +343,23 @@ impl Server {
"Checking signature on message: {:?} (req_id: {:?})",
msg, req_id
);

// Check if the address has aliases enabled - if so, reject verification
let mut grpc_client = self.sui_rpc_client.sui_grpc_client();
match has_address_aliases(&mut grpc_client, cert.user).await {
Ok(true) => {
debug!(
"Address has aliases enabled, rejecting signature verification (req_id: {:?})",
req_id
);
return Err(InternalError::InvalidSignature);
}
Ok(false) => {} // no alias
Err(e) => {
return Err(e);
}
}

verify_personal_message_signature(
cert.signature.clone(),
msg.as_bytes(),
Expand Down
Loading