Ed25519KeyIdentity.generate without args generates same principal

Is it expected that generating two identities consecutively with agent-js would produce the same principal?

const tmp1 = Ed25519KeyIdentity.generate();
const tmp2 = Ed25519KeyIdentity.generate();
expect(tmp1.getPrincipal().toText()).toEqual(tmp2.getPrincipal().toText()); // success

I assumed the process would be randomized, but perhaps I misunderstood.

1 Like

I think a mistake was made in the lib: agent-js/packages/identity/src/identity/ed25519.ts at 166df8d729bf46fdd801df33884a6731d19a3265 · dfinity/agent-js · GitHub

It seems to have a line that generates a random seed when the seed is falsy, but this line will never be true when no arguments are passed since the argument has a zeroed seed as fallback.

It should at least currently generate a random seed when you explicitly pass null as argument.

Change seems to be from November last year: feat: node signature verification for queries (#784) · dfinity/agent-js@c115480 · GitHub

Hopefully it didn’t break any production dapps (create zeroed instead of random identities) :sweat_smile:

@kpeacock

4 Likes

Actually, if this function is supposed to generate a random principal, this can be dangerous because according to my test Ed25519KeyIdentity.generate() always generates the same principal 535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe!

Thanks. undefined does not work because if so, the seed is always set to the default value. A workaround is passing null.

1 Like
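
The default-parameter pitfall discussed in the posts above (a zeroed fallback seed that makes the falsy check unreachable unless `null` is passed), as an added example that is not part of the thread and not agent-js's own code. `pickSeedFlawed`, `pickSeedHardened` and `distinctSeeds` are hypothetical names, and rejecting an all-zero seed is this example's own hardening choice.

```javascript
// Added example: simplified model of the seed handling described in this thread.
// All function names are hypothetical; this is not the agent-js source.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

const SEED_LEN = 32;
const randomSeed = () => rng.getRandomValues(new Uint8Array(SEED_LEN));
const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');

// Flawed pattern: the default parameter replaces `undefined` with a zeroed
// buffer before the body runs. A Uint8Array is truthy, so the random branch
// is reachable only when the caller passes null (defaults skip null).
function pickSeedFlawed(seed = new Uint8Array(SEED_LEN)) {
  if (!seed) seed = randomSeed();
  return seed;
}

// Hardened pattern: no default value. A missing seed means fresh randomness;
// a caller-supplied seed must have the right length and not be all zeros.
function pickSeedHardened(seed) {
  if (seed === undefined || seed === null) return randomSeed();
  if (!(seed instanceof Uint8Array) || seed.length !== SEED_LEN) {
    throw new TypeError(`seed must be a Uint8Array of ${SEED_LEN} bytes`);
  }
  if (seed.every((b) => b === 0)) {
    throw new RangeError('refusing an all-zero seed');
  }
  return seed;
}

// Regression check: n calls without arguments must yield n distinct seeds.
function distinctSeeds(pick, n = 8) {
  return new Set(Array.from({ length: n }, () => toHex(pick()))).size;
}

console.log('flawed, no args  :', distinctSeeds(pickSeedFlawed));
console.log('flawed, null     :', distinctSeeds(() => pickSeedFlawed(null)));
console.log('hardened, no args:', distinctSeeds(pickSeedHardened));
```

A uniqueness check like `distinctSeeds` in a test suite catches this class of regression, where an equality assertion on two generated identities would pass silently.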

:warning: It turns out to be some sort of risk for Juno devs. If you have manually created controllers in the past two months in Juno’s console, please verify that none of your controllers are set to 535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe. If this applies, delete or replace it immediately!

The console has been patched with the above post’s workaround.

1 Like

:warning: Juno CLI is also impacted by this issue. If you are using @junobuild/cli version >= v0.0.44 to <= v0.0.50, please upgrade now. Additionally, double-check in the console that 535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe is not assigned to any of your satellites, mission control, or orbiter!

Those versions have been deprecated on npmjs, and a hotfix, version v0.0.51, has been released: npm i -g @junobuild/cli.

1 Like

Resolved here: Agent-js: Insecure Key Generation in `Ed25519KeyIdentity.generate`

1 Like

I’ll share additional information on Juno’s Discord later today, as I’ve already informed the community on Sunday. However, concerning my previous posts, it’s important to clarify that the problem was neither due to my misunderstanding nor my incorrect implementation, but rather a security issue with Agent-js, as described in the above-linked post.

Many thanks to the foundation’s security team for their outstanding work in managing the incident over the past two days!

2 Likes