re-read the enclave key

ten-protocol · Dec 13, 2024 · 1e03728 · 1e03728
1 parent 27eeffe
commit 1e03728
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 2 deletions.
diff --git a/go/common/types.go b/go/common/types.go
@@ -1,6 +1,7 @@
 package common
 
 import (
+	"errors"
 	"fmt"
 	"math/big"
 
@@ -77,6 +78,9 @@ type (
 	EnclaveID = common.Address
 )
 
+// FailedDecryptErr - when the TEN enclave fails to decrypt an RPC request
+var FailedDecryptErr = errors.New("failed to decrypt RPC payload. please use the correct enclave key")
+
 // EncryptedRPCRequest - an encrypted request with extra plaintext metadata
 type EncryptedRPCRequest struct {
 	Req  EncryptedRequest

diff --git a/go/enclave/rpc/vk_utils.go b/go/enclave/rpc/vk_utils.go
@@ -55,7 +55,7 @@ func HandleEncryptedRPC(ctx context.Context,
 	// 1. Decrypt request
 	plaintextRequest, err := encManager.DecryptBytes(encReq)
 	if err != nil {
-		return responses.AsPlaintextError(fmt.Errorf("could not decrypt params - %w", err)), nil
+		return responses.AsPlaintextError(common.FailedDecryptErr), nil
 	}
 
 	// 2. Unmarshall

diff --git a/go/rpc/encrypted_client.go b/go/rpc/encrypted_client.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/rand"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"reflect"
 	"sync/atomic"
@@ -71,7 +72,23 @@ func (c *EncRPCClient) CallContext(ctx context.Context, result interface{}, meth
 	}
 
 	if rpc.IsEncryptedMethod(method) {
-		return c.executeEncryptedCall(ctx, result, method, args...)
+		err := c.executeEncryptedCall(ctx, result, method, args...)
+		// this should only be triggered during testing
+		if err != nil && errors.Is(err, common.FailedDecryptErr) {
+			c.logger.Warn("Reconnecting to new backend. Reading the enclave key.")
+			newKey, err := ReadEnclaveKey(c.obscuroClient)
+			if err != nil {
+				return fmt.Errorf("could not refresh enclave key: %w", err)
+			}
+			enclPubECDSA, err := crypto.DecompressPubkey(newKey)
+			if err != nil {
+				return fmt.Errorf("failed to decompress key for RPC client: %w", err)
+			}
+			c.enclavePublicKey = ecies.ImportECDSAPublic(enclPubECDSA)
+			// retry with the updated key
+			return c.executeEncryptedCall(ctx, result, method, args...)
+		}
+		return err
 	}
 
 	// for non-sensitive methods or when viewing keys are disabled we just delegate directly to the geth RPC client