fix: perform certificate delegation canister range check unconditionally (#1083)

* fix: perform certificate delegation canister range check unconditionally

* chore: update changelog

Author: ilbertt

CHANGELOG.md

@@ -8,6 +8,7 @@
 - fix: add declaration maps and typescript source code to published packages
 - feat: enables type inference for the arguments and return types of `FuncClass`.
 - feat: enables type inference for the fields of `ServiceClass`.
+- fix: perform the canister range checks unconditionally for delegations when constructing a `Certificate` instance.
 
 ## [3.1.0] - 2025-07-24
 

packages/agent/src/canisterStatus/index.ts

@@ -308,9 +308,7 @@ export const fetchNodeKeys = (
 
   const canisterInRange = check_canister_ranges({ canisterId, subnetId, tree });
   if (!canisterInRange) {
-    throw TrustError.fromCode(
-      new CertificateNotAuthorizedErrorCode(canisterId, delegation.subnet_id),
-    );
+    throw TrustError.fromCode(new CertificateNotAuthorizedErrorCode(canisterId, subnetId));
   }
 
   const subnetLookupResult = lookup_subtree(['subnet', delegation.subnet_id, 'node'], tree);

packages/agent/src/certificate.ts

@@ -18,7 +18,6 @@ import {
 import { Principal } from '@dfinity/principal';
 import * as bls from './utils/bls.ts';
 import { decodeTime } from './utils/leb.ts';
-import { MANAGEMENT_CANISTER_ID } from './agent/index.ts';
 import { bytesToHex, concatBytes, hexToBytes, utf8ToBytes } from '@noble/hashes/utils';
 import { uint8Equals } from './utils/buffer.ts';
 import { sha256 } from '@noble/hashes/sha2';
@@ -304,25 +303,25 @@ export class Certificate {
 
     await cert.verify();
 
-    if (this._canisterId.toString() !== MANAGEMENT_CANISTER_ID) {
-      const canisterInRange = check_canister_ranges({
-        canisterId: this._canisterId,
-        subnetId: Principal.fromUint8Array(new Uint8Array(d.subnet_id)),
-        tree: cert.cert.tree,
-      });
-      if (!canisterInRange) {
-        throw TrustError.fromCode(
-          new CertificateNotAuthorizedErrorCode(this._canisterId, d.subnet_id),
-        );
-      }
+    const subnetIdBytes = d.subnet_id;
+    const subnetId = Principal.fromUint8Array(subnetIdBytes);
+
+    const canisterInRange = check_canister_ranges({
+      canisterId: this._canisterId,
+      subnetId,
+      tree: cert.cert.tree,
+    });
+    if (!canisterInRange) {
+      throw TrustError.fromCode(new CertificateNotAuthorizedErrorCode(this._canisterId, subnetId));
     }
+
     const publicKeyLookup = lookupResultToBuffer(
-      cert.lookup_path(['subnet', d.subnet_id, 'public_key']),
+      cert.lookup_path(['subnet', subnetIdBytes, 'public_key']),
     );
     if (!publicKeyLookup) {
       throw TrustError.fromCode(
         new MissingLookupValueErrorCode(
-          `Could not find subnet key for subnet 0x${bytesToHex(d.subnet_id)}`,
+          `Could not find subnet key for subnet ID ${subnetId.toText()}`,
         ),
       );
     }

packages/agent/src/errors.ts

@@ -1,5 +1,9 @@
 import { Principal } from '@dfinity/principal';
-import { type HttpDetailsResponse, type NodeSignature, type ReplicaRejectCode } from './agent/api.ts';
+import {
+  type HttpDetailsResponse,
+  type NodeSignature,
+  type ReplicaRejectCode,
+} from './agent/api.ts';
 import { type RequestId } from './request_id.ts';
 import { type Expiry, type RequestStatusResponseStatus } from './agent/http/index.ts';
 import { type HttpHeaderField } from './agent/http/types.ts';
@@ -237,14 +241,14 @@ export class CertificateNotAuthorizedErrorCode extends ErrorCode {
 
   constructor(
     public readonly canisterId: Principal,
-    public readonly subnetId: Uint8Array,
+    public readonly subnetId: Principal,
   ) {
     super();
     Object.setPrototypeOf(this, CertificateNotAuthorizedErrorCode.prototype);
   }
 
   public toErrorMessage(): string {
-    return `The certificate contains a delegation that does not include the canister ${this.canisterId.toText()} in the canister_ranges field. Subnet ID: 0x${bytesToHex(this.subnetId)}`;
+    return `The certificate contains a delegation that does not include the canister ${this.canisterId.toText()} in the canister_ranges field. Subnet ID: ${this.subnetId.toText()}`;
   }
 }