chore: CRP-2832 Check that the BLS public key is not the identity (#141)

Author: randombit

backend/rs/ic_vetkeys/src/utils/mod.rs

@@ -703,9 +703,15 @@ pub fn verify_bls_signature(dpk: &DerivedPublicKey, input: &[u8], signature: &[u
 /// Returns true if and only if the provided signature is valid with respect to
 /// the provided public key and input
 fn verify_bls_signature_pt(dpk: &DerivedPublicKey, input: &[u8], signature: &G1Affine) -> bool {
+    if dpk.point.is_identity().into() {
+        return false;
+    }
+
     let msg = augmented_hash_to_g1(&dpk.point, input);
     let dpk_prep = G2Prepared::from(dpk.point);
 
+    // Check that `e(sig, G2) == e(msg, dpk)` using a multipairing
+
     use pairing::group::Group;
     let is_valid =
         gt_multipairing(&[(signature, &G2PREPARED_NEG_G), (&msg, &dpk_prep)]).is_identity();

backend/rs/ic_vetkeys/tests/utils.rs

@@ -56,6 +56,19 @@ fn test_bls_signature_verification() {
     assert!(!verify_bls_signature(&dpk, wrong_msg, &signature));
 }
 
+#[test]
+fn test_bls_signature_verification_using_identity() {
+    // Check that the identity element is rejected as a public key
+
+    let dpk = DerivedPublicKey::deserialize(&ic_bls12_381::G2Affine::identity().to_compressed()).unwrap();
+
+    let msg = b"wrong message";
+
+    let signature = ic_bls12_381::G1Affine::identity().to_compressed();
+
+    assert!(!verify_bls_signature(&dpk, msg, &signature));
+}
+
 #[test]
 fn test_second_level_public_key_derivation() {
     let canister_key = DerivedPublicKey::deserialize(&hex::decode("8bf165ea580742abf5fd5123eb848aa116dcf75c3ddb3cd3540c852cf99f0c5394e72dfc2f25dbcb5f9220f251cd04040a508a0bcb8b2543908d6626b46f09d614c924c5deb63a9949338ae4f4ac436bd77f8d0a392fd29de0f392a009fa61f3").unwrap()).unwrap();