wip: add kes validation module

Author: golddydev

common/src/validation.rs

@@ -229,7 +229,16 @@ impl PartialEq for BadVrfProofError {
 /// https://github.com/IntersectMBO/ouroboros-consensus/blob/e3c52b7c583bdb6708fac4fdaa8bf0b9588f5a88/ouroboros-consensus-protocol/src/ouroboros-consensus-protocol/Ouroboros/Consensus/Protocol/Praos.hs#L342
 #[derive(Error, Clone, Debug, serde::Serialize, serde::Deserialize, PartialEq)]
 pub enum KesValidationError {
-    /// Current KES period is before the OCert start period
+    #[error("{0}")]
+    KesSignatureError(#[from] KesSignatureError),
+    #[error("{0}")]
+    OperationalCertificateError(#[from] OperationalCertificateError),
+}
+
+#[derive(Error, Clone, Debug, serde::Serialize, serde::Deserialize, PartialEq)]
+pub enum KesSignatureError {
+    /// **Cause:** Current KES period is before the operational certificate's
+    /// start period.
     #[error(
         "KES Before Start OCert: OCert Start Period={}, Current Period={}",
         ocert_start_period,
@@ -239,7 +248,8 @@ pub enum KesValidationError {
         ocert_start_period: u64,
         current_period: u64,
     },
-    /// Current KES period is after the valid range
+    /// **Cause:** Current KES period exceeds the operational certificate's
+    /// validity period.
     #[error(
         "KES After End OCert: Current Period={}, OCert Start Period={}, Max KES Evolutions={}",
         current_period,
@@ -251,7 +261,21 @@ pub enum KesValidationError {
         ocert_start_period: u64,
         max_kes_evolutions: u64,
     },
-    /// The OCert counter is too small
+    /// **Cause:** The KES signature on the block header is cryptographically invalid.
+    #[error("Invalid KES Signature OCert: Current KES Period={}, KES Start Period={}, Expected Evolutions={}, Max KES Evolutions={}, Error Message={}", current_kes_period, kes_start_period, expected_evolutions, max_kes_evolutions, error_message)]
+    InvalidKesSignatureOcert {
+        current_kes_period: u64,
+        kes_start_period: u64,
+        expected_evolutions: u64,
+        max_kes_evolutions: u64,
+        error_message: String,
+    },
+}
+
+#[derive(Error, Clone, Debug, serde::Serialize, serde::Deserialize, PartialEq)]
+pub enum OperationalCertificateError {
+    /// **Cause:** The operational certificate counter in the header is not greater
+    /// than the last counter used by this pool.
     #[error(
         "Counter Too Small OCert: Last Counter={}, Current Counter={}",
         last_counter,
@@ -261,7 +285,8 @@ pub enum KesValidationError {
         last_counter: u64,
         current_counter: u64,
     },
-    /// The OCert counter incremented by more than 1 (Praos only)
+    /// **Cause:** OCert counter jumped by more than 1. While not strictly invalid,
+    /// this is suspicious and may indicate key compromise. (Praos Only)
     #[error(
         "Counter Over Incremented OCert: Last Counter={}, Current Counter={}",
         last_counter,
@@ -271,23 +296,15 @@ pub enum KesValidationError {
         last_counter: u64,
         current_counter: u64,
     },
-    /// The cold key signature on the OCert is invalid
+    /// **Cause:** The cold key signature on the operational certificate is invalid.
+    /// The OCert was not properly signed by the pool's cold key.
     #[error(
         "Invalid Signature OCert: Counter={}, KES Period={}",
         counter,
         kes_period
     )]
     InvalidSignatureOcert { counter: u64, kes_period: u64 },
-    /// The KES signature verification failed
-    #[error("Invalid KES Signature OCert: Current KES Period={}, KES Start Period={}, Expected Evolutions={}, Max KES Evolutions={}, Error Message={}", current_kes_period, kes_start_period, expected_evolutions, max_kes_evolutions, error_message)]
-    InvalidKesSignatureOcert {
-        current_kes_period: u64,
-        kes_start_period: u64,
-        expected_evolutions: u64,
-        max_kes_evolutions: u64,
-        error_message: String,
-    },
-    /// No counter found for this key hash (not a stake pool or genesis delegate)
+    /// **Cause:** No counter found for this key hash (not a stake pool or genesis delegate)
     #[error("No Counter For Key Hash OCert: Pool ID={}", hex::encode(pool_id))]
     NoCounterForKeyHashOcert { pool_id: PoolId },
 }

modules/block_kes_validator/src/block_kes_validator.rs

@@ -1,2 +1,190 @@
-mod ouroboros;
+//! Acropolis Block KES Validator module for Caryatid
+//! Validate KES signatures in the block header
+
+use acropolis_common::{
+    messages::{CardanoMessage, Message},
+    state_history::{StateHistory, StateHistoryStore},
+    BlockInfo, BlockStatus,
+};
+use anyhow::Result;
+use caryatid_sdk::{module, Context, Module, Subscription};
+use config::Config;
+use std::sync::Arc;
+use tokio::sync::Mutex;
+use tracing::{error, info, info_span, Instrument};
 mod state;
+use state::State;
+
+use crate::kes_validation_publisher::KesValidationPublisher;
+mod kes_validation_publisher;
+mod ouroboros;
+
+const DEFAULT_VALIDATION_KES_PUBLISHER_TOPIC: (&str, &str) =
+    ("validation-kes-publisher-topic", "cardano.validation.kes");
+
+const DEFAULT_BOOTSTRAPPED_SUBSCRIBE_TOPIC: (&str, &str) = (
+    "bootstrapped-subscribe-topic",
+    "cardano.sequence.bootstrapped",
+);
+const DEFAULT_PROTOCOL_PARAMETERS_SUBSCRIBE_TOPIC: (&str, &str) = (
+    "protocol-parameters-subscribe-topic",
+    "cardano.protocol.parameters",
+);
+const DEFAULT_BLOCKS_SUBSCRIBE_TOPIC: (&str, &str) =
+    ("blocks-subscribe-topic", "cardano.block.proposed");
+
+/// Block KES Validator module
+#[module(
+    message_type(Message),
+    name = "block-kes-validator",
+    description = "Validate the KES signatures in the block header"
+)]
+
+pub struct BlockKesValidator;
+
+impl BlockKesValidator {
+    #[allow(clippy::too_many_arguments)]
+    async fn run(
+        history: Arc<Mutex<StateHistory<State>>>,
+        mut kes_validation_publisher: KesValidationPublisher,
+        mut bootstrapped_subscription: Box<dyn Subscription<Message>>,
+        mut blocks_subscription: Box<dyn Subscription<Message>>,
+        mut protocol_parameters_subscription: Box<dyn Subscription<Message>>,
+    ) -> Result<()> {
+        let (_, bootstrapped_message) = bootstrapped_subscription.read().await?;
+        let genesis = match bootstrapped_message.as_ref() {
+            Message::Cardano((_, CardanoMessage::GenesisComplete(complete))) => {
+                complete.values.clone()
+            }
+            _ => panic!("Unexpected message in genesis completion topic: {bootstrapped_message:?}"),
+        };
+
+        // Consume initial protocol parameters
+        let _ = protocol_parameters_subscription.read().await?;
+
+        loop {
+            // Get a mutable state
+            let mut state = history.lock().await.get_or_init_with(State::new);
+            let mut current_block: Option<BlockInfo> = None;
+
+            let (_, message) = blocks_subscription.read().await?;
+            match message.as_ref() {
+                Message::Cardano((block_info, CardanoMessage::BlockAvailable(block_msg))) => {
+                    // handle rollback here
+                    if block_info.status == BlockStatus::RolledBack {
+                        state = history.lock().await.get_rolled_back_state(block_info.number);
+                    }
+                    current_block = Some(block_info.clone());
+                    let is_new_epoch = block_info.new_epoch && block_info.epoch > 0;
+
+                    if is_new_epoch {
+                        // read epoch boundary messages
+                        let protocol_parameters_message_f = protocol_parameters_subscription.read();
+
+                        let (_, protocol_parameters_msg) = protocol_parameters_message_f.await?;
+                        let span = info_span!(
+                            "block_kes_validator.handle_protocol_parameters",
+                            epoch = block_info.epoch
+                        );
+                        span.in_scope(|| match protocol_parameters_msg.as_ref() {
+                            Message::Cardano((block_info, CardanoMessage::ProtocolParams(msg))) => {
+                                Self::check_sync(&current_block, block_info);
+                                state.handle_protocol_parameters(msg);
+                            }
+                            _ => error!("Unexpected message type: {protocol_parameters_msg:?}"),
+                        });
+                    }
+
+                    let span =
+                        info_span!("block_kes_validator.validate", block = block_info.number);
+                    async {
+                        let result = state
+                            .validate_block_kes(block_info, &block_msg.header, &genesis)
+                            .map_err(|e| *e);
+                        if let Err(e) = kes_validation_publisher
+                            .publish_kes_validation(block_info, result)
+                            .await
+                        {
+                            error!("Failed to publish KES validation: {e}")
+                        }
+                    }
+                    .instrument(span)
+                    .await;
+                }
+                _ => error!("Unexpected message type: {message:?}"),
+            }
+
+            // Commit the new state
+            if let Some(block_info) = current_block {
+                history.lock().await.commit(block_info.number, state);
+            }
+        }
+    }
+
+    pub async fn init(&self, context: Arc<Context<Message>>, config: Arc<Config>) -> Result<()> {
+        // Publish topics
+        let validation_kes_publisher_topic = config
+            .get_string(DEFAULT_VALIDATION_KES_PUBLISHER_TOPIC.0)
+            .unwrap_or(DEFAULT_VALIDATION_KES_PUBLISHER_TOPIC.1.to_string());
+        info!("Creating validation KES publisher on '{validation_kes_publisher_topic}'");
+
+        // Subscribe topics
+        let bootstrapped_subscribe_topic = config
+            .get_string(DEFAULT_BOOTSTRAPPED_SUBSCRIBE_TOPIC.0)
+            .unwrap_or(DEFAULT_BOOTSTRAPPED_SUBSCRIBE_TOPIC.1.to_string());
+        info!("Creating subscriber for bootstrapped on '{bootstrapped_subscribe_topic}'");
+        let protocol_parameters_subscribe_topic = config
+            .get_string(DEFAULT_PROTOCOL_PARAMETERS_SUBSCRIBE_TOPIC.0)
+            .unwrap_or(DEFAULT_PROTOCOL_PARAMETERS_SUBSCRIBE_TOPIC.1.to_string());
+        info!("Creating subscriber for protocol parameters on '{protocol_parameters_subscribe_topic}'");
+
+        let blocks_subscribe_topic = config
+            .get_string(DEFAULT_BLOCKS_SUBSCRIBE_TOPIC.0)
+            .unwrap_or(DEFAULT_BLOCKS_SUBSCRIBE_TOPIC.1.to_string());
+        info!("Creating blocks subscription on '{blocks_subscribe_topic}'");
+
+        // publishers
+        let kes_validation_publisher =
+            KesValidationPublisher::new(context.clone(), validation_kes_publisher_topic);
+
+        // Subscribers
+        let bootstrapped_subscription = context.subscribe(&bootstrapped_subscribe_topic).await?;
+        let protocol_parameters_subscription =
+            context.subscribe(&protocol_parameters_subscribe_topic).await?;
+        let blocks_subscription = context.subscribe(&blocks_subscribe_topic).await?;
+
+        // state history
+        let history = Arc::new(Mutex::new(StateHistory::<State>::new(
+            "block_kes_validator",
+            StateHistoryStore::default_block_store(),
+        )));
+
+        // Start run task
+        context.run(async move {
+            Self::run(
+                history,
+                kes_validation_publisher,
+                bootstrapped_subscription,
+                blocks_subscription,
+                protocol_parameters_subscription,
+            )
+            .await
+            .unwrap_or_else(|e| error!("Failed: {e}"));
+        });
+
+        Ok(())
+    }
+
+    /// Check for synchronisation
+    fn check_sync(expected: &Option<BlockInfo>, actual: &BlockInfo) {
+        if let Some(ref block) = expected {
+            if block.number != actual.number {
+                error!(
+                    expected = block.number,
+                    actual = actual.number,
+                    "Messages out of sync"
+                );
+            }
+        }
+    }
+}

modules/block_kes_validator/src/kes_validation_publisher.rs

@@ -0,0 +1,52 @@
+use acropolis_common::{
+    messages::{CardanoMessage, Message},
+    validation::{KesValidationError, ValidationError, ValidationStatus},
+    BlockInfo,
+};
+use caryatid_sdk::Context;
+use std::sync::Arc;
+use tracing::error;
+
+/// Message publisher for Block header KES Validation Result
+pub struct KesValidationPublisher {
+    /// Module context
+    context: Arc<Context<Message>>,
+
+    /// Topic to publish on
+    topic: String,
+}
+
+impl KesValidationPublisher {
+    /// Construct with context and topic to publish on
+    pub fn new(context: Arc<Context<Message>>, topic: String) -> Self {
+        Self { context, topic }
+    }
+
+    pub async fn publish_kes_validation(
+        &mut self,
+        block: &BlockInfo,
+        validation_result: Result<(), KesValidationError>,
+    ) -> anyhow::Result<()> {
+        let validation_status = match validation_result {
+            Ok(_) => ValidationStatus::Go,
+            Err(error) => {
+                error!(
+                    "KES validation failed: {} of block {}",
+                    error.clone(),
+                    block.number
+                );
+                ValidationStatus::NoGo(ValidationError::from(error))
+            }
+        };
+        self.context
+            .message_bus
+            .publish(
+                &self.topic,
+                Arc::new(Message::Cardano((
+                    block.clone(),
+                    CardanoMessage::BlockValidation(validation_status),
+                ))),
+            )
+            .await
+    }
+}

modules/block_kes_validator/src/state.rs

@@ -0,0 +1,40 @@
+use acropolis_common::{
+    genesis_values::GenesisValues, messages::ProtocolParamsMessage, validation::KesValidationError,
+    BlockInfo, PoolId,
+};
+use imbl::HashMap;
+
+#[derive(Default, Debug, Clone)]
+pub struct State {
+    pub ocert_counters: HashMap<PoolId, u64>,
+
+    pub slots_per_kes_period: Option<u64>,
+
+    pub max_kes_evolutions: Option<u64>,
+}
+
+impl State {
+    pub fn new() -> Self {
+        Self {
+            ocert_counters: HashMap::new(),
+            slots_per_kes_period: None,
+            max_kes_evolutions: None,
+        }
+    }
+
+    pub fn handle_protocol_parameters(&mut self, msg: &ProtocolParamsMessage) {
+        if let Some(shelley_params) = msg.params.shelley.as_ref() {
+            self.slots_per_kes_period = Some(shelley_params.slots_per_kes_period as u64);
+            self.max_kes_evolutions = Some(shelley_params.max_kes_evolutions as u64);
+        }
+    }
+
+    pub fn validate_block_kes(
+        &self,
+        block_info: &BlockInfo,
+        raw_header: &[u8],
+        genesis: &GenesisValues,
+    ) -> Result<(), Box<KesValidationError>> {
+        Ok(())
+    }
+}