feat(confidentialrelay): vendor SignedComputeRequest + relay response bundle (PRIV-433)#2109
Conversation
The relay DON (chainlink/core) cannot import confidential-compute (the dependency runs the other way), so vendor ComputeRequest/SignedComputeRequest and the canonical ComputeRequest.Hash into the confidentialrelay package. This lets the relay verify the Workflow DON's F+1 signatures over a forwarded compute request directly, the basis for replacing the separate WorkflowAuthz blob. Hash reuses this package's existing length-prefix helpers (byte-identical to the source's writeWithLength/writeLengthPrefix), so no duplicate helpers. Tests cover determinism, field-binding, and the intentional exclusion of EncryptedDecryptionKeyShares. Byte-for-byte conformance with the source Hash will be enforced by a test in confidential-compute (which can import this package); common cannot import CC.
|
👋 nadahalli, thanks for creating this pull request! To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team. Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks! |
✅ API Diff Results -
|
There was a problem hiding this comment.
Pull request overview
This PR vendors the minimal ComputeRequest/SignedComputeRequest types and canonical ComputeRequest.Hash() logic into pkg/capabilities/v2/actions/confidentialrelay so the relay DON can verify the workflow DON’s existing F+1-signed compute request (without introducing a separate WorkflowAuthz blob and without adding a dependency from chainlink-common to confidential-compute).
Changes:
- Added vendored
ComputeRequest+SignedComputeRequesttypes andComputeRequest.Hash()implementation (intended to be byte-identical to confidential-compute). - Added self-contained tests covering hash determinism, field binding, and intentional exclusion of
EncryptedDecryptionKeyShares.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| pkg/capabilities/v2/actions/confidentialrelay/computerequest.go | Introduces vendored compute-request structs plus canonical hashing logic and domain separator. |
| pkg/capabilities/v2/actions/confidentialrelay/computerequest_test.go | Adds tests to lock in hashing behavior (determinism, field binding, excluded fields). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| RequestID [32]byte `json:"requestID"` | ||
| PublicData []byte `json:"publicData"` | ||
| Ciphertexts [][]byte `json:"ciphertexts"` | ||
| CiphertextNames []string `json:"CiphertextNames"` | ||
| EncryptedDecryptionKeyShares [][][]byte `json:"encryptedDecryptionKeyShares"` |
There was a problem hiding this comment.
Intentional. This type is vendored verbatim from confidential-compute types.ComputeRequest, where the tag is json:"CiphertextNames" (capital C). The relay must marshal and unmarshal exactly what the enclave emits, so the tag has to match the source byte for byte. The capital C is a quirk in the source, but matching it is what preserves wire compatibility; changing it here is what would break it. Leaving as-is.
…tParams Add SignedComputeRequests []SignedComputeRequest to SecretsRequestParams: the F+1 Workflow-DON-signed compute requests the enclave forwards for the relay DON to verify. Excluded from the response hash, matching Attestation/EnclaveConfig.
…elper The relay DON verifies the F+1 Workflow DON signatures over a forwarded SignedComputeRequest by reconstructing the peerid domain-separated payload the nodes signed. Adds SignedComputeRequestSignaturePayload + the vendored prefix CONFIDENTIAL_COMPUTE_PAYLOAD_ (from CC util.GetConfidentialComputePayloadPrefix). The relay cannot import confidential-compute, so this lives here.
…-compute-request # Conflicts: # pkg/capabilities/v2/actions/confidentialrelay/types.go
Add SignedSecretsResponseBundle and SignedCapabilityResponseBundle, the gateway->enclave envelope for forwarding every relay node's signed response without the gateway merging, trusting, or deciding quorum over them. The enclave groups by response hash, verifies each signature against the relay-DON signer set, and accepts the result backed by F+1 valid distinct signers. Add a single Signature field to the per-node signed-result types (a node signs only its own response) and deprecate the Signatures array. The array is kept and still populated for backward compatibility until chainlink and confidential-compute migrate to Signature.
nadahalli
changed the title
Two additive changes to the
confidentialrelaytypes, both backward-compatible (no fields removed):1. Vendor SignedComputeRequest + Hash (original scope)
Vendors
ComputeRequest, its canonicalHash, andSignedComputeRequestfrom confidential-compute so the relay DON can reconstruct the workflow-DON request hash and verify F+1 signatures over it. chainlink-common cannot import confidential-compute, so the byte-for-byte conformance check lives in that repo.2. Relay response bundle types (gateway liveness fix)
Adds
SignedSecretsResponseBundleandSignedCapabilityResponseBundle, the gateway→enclave envelope that carries every relay node's signed response. This supports moving signature verification entirely into the enclave: the gateway becomes a dumb fan-in that forwards all collected responses without merging, trusting, or counting signatures, and the enclave verifies each against the relay-DON signer set and accepts the result backed by F+1 valid distinct signers. Closes a liveness gap where the gateway counted unverified, attacker-supplied signer identities toward quorum.Also adds a single
Signaturefield to the per-node signed-result types (a node signs only its own response) and marks theSignaturesarrayDeprecated, kept and still populated for backward compatibility until chainlink and confidential-compute migrate.Downstream (chainlink gateway + relay node, confidential-compute enclave) adopt these in follow-up PRs after this lands.