feat: implement kes validation with genesis key's block test

Author: golddydev

common/src/validation.rs

@@ -235,13 +235,19 @@ pub enum KesValidationError {
     /// **Cause:** The operational certificate is invalid.
     #[error("Operational Certificate Error: {0}")]
     OperationalCertificateError(#[from] OperationalCertificateError),
+    /// **Cause:** No OCert counter found for this issuer (not a stake pool or genesis delegate)
+    #[error("No OCert Counter For Issuer: Pool ID={}", hex::encode(pool_id))]
+    NoOCertCounter { pool_id: PoolId },
     /// **Cause:** Some data has incorrect bytes
     #[error("TryFromSlice: {0}")]
     TryFromSlice(String),
     #[error("Other Kes Validation Error: {0}")]
     Other(String),
 }
 
+/// Validation function for Kes
+pub type KesValidation<'a> = Box<dyn Fn() -> Result<(), KesValidationError> + Send + Sync + 'a>;
+
 #[derive(Error, Clone, Debug, serde::Serialize, serde::Deserialize, PartialEq)]
 pub enum KesSignatureError {
     /// **Cause:** Current KES period is before the operational certificate's

modules/block_kes_validator/src/ouroboros/kes_validation.rs

@@ -0,0 +1,231 @@
+use acropolis_common::{
+    crypto::keyhash_224,
+    validation::{
+        KesSignatureError, KesValidation, KesValidationError, OperationalCertificateError,
+    },
+    GenesisDelegates, PoolId,
+};
+use imbl::HashMap;
+use pallas::{crypto::key::ed25519, ledger::traverse::MultiEraHeader};
+
+use crate::ouroboros::{kes, praos, tpraos};
+
+#[derive(Copy, Clone)]
+pub struct OperationalCertificate<'a> {
+    pub operational_cert_hot_vkey: &'a [u8],
+    pub operational_cert_sequence_number: u64,
+    pub operational_cert_kes_period: u64,
+    pub operational_cert_sigma: &'a [u8],
+}
+
+pub fn validate_kes_signature(
+    slot_kes_period: u64,
+    opcert_kes_period: u64,
+    header_body: &[u8],
+    public_key: &kes::PublicKey,
+    signature: &kes::Signature,
+    max_kes_evolutions: u64,
+) -> Result<(), KesSignatureError> {
+    if opcert_kes_period > slot_kes_period {
+        return Err(KesSignatureError::KesBeforeStartOcert {
+            ocert_start_period: opcert_kes_period,
+            current_period: slot_kes_period,
+        });
+    }
+
+    if slot_kes_period >= opcert_kes_period + max_kes_evolutions {
+        return Err(KesSignatureError::KesAfterEndOcert {
+            current_period: slot_kes_period,
+            ocert_start_period: opcert_kes_period,
+            max_kes_evolutions,
+        });
+    }
+
+    let kes_period = (slot_kes_period - opcert_kes_period) as u32;
+
+    signature.verify(kes_period, public_key, header_body).map_err(|error| {
+        KesSignatureError::InvalidKesSignatureOcert {
+            current_period: slot_kes_period,
+            ocert_start_period: opcert_kes_period,
+            reason: error.to_string(),
+        }
+    })?;
+
+    Ok(())
+}
+
+pub fn validate_operational_certificate<'a>(
+    certificate: OperationalCertificate<'a>,
+    issuer: &ed25519::PublicKey,
+    latest_sequence_number: u64,
+    is_praos: bool,
+) -> Result<(), OperationalCertificateError> {
+    // Verify the Operational Certificate signature
+    let signature =
+        ed25519::Signature::try_from(certificate.operational_cert_sigma).map_err(|error| {
+            OperationalCertificateError::MalformedSignatureOcert {
+                reason: error.to_string(),
+            }
+        })?;
+
+    let declared_sequence_number = certificate.operational_cert_sequence_number;
+
+    // Check the sequence number of the operational certificate. It should either be the same
+    // as the latest known sequence number for the issuer or one greater.
+    if declared_sequence_number < latest_sequence_number {
+        return Err(OperationalCertificateError::CounterTooSmallOcert {
+            latest_counter: latest_sequence_number,
+            declared_counter: declared_sequence_number,
+        });
+    }
+
+    // this is only for praos protocol
+    if is_praos && (declared_sequence_number - latest_sequence_number) > 1 {
+        return Err(OperationalCertificateError::CounterOverIncrementedOcert {
+            latest_counter: latest_sequence_number,
+            declared_counter: declared_sequence_number,
+        });
+    }
+
+    // The opcert message is a concatenation of the KES vkey, the sequence number, and the kes period
+    let mut message = Vec::new();
+    message.extend_from_slice(certificate.operational_cert_hot_vkey);
+    message.extend_from_slice(&certificate.operational_cert_sequence_number.to_be_bytes());
+    message.extend_from_slice(&certificate.operational_cert_kes_period.to_be_bytes());
+    if !issuer.verify(&message, &signature) {
+        return Err(OperationalCertificateError::InvalidSignatureOcert {
+            issuer: issuer.as_ref().to_vec(),
+        });
+    }
+
+    Ok(())
+}
+
+pub fn validate_block_kes<'a>(
+    header: &'a MultiEraHeader,
+    ocert_counters: &'a HashMap<PoolId, u64>,
+    active_spos: &'a [PoolId],
+    genesis_delegs: &'a GenesisDelegates,
+    slots_per_kes_period: u64,
+    max_kes_evolutions: u64,
+) -> Result<Vec<KesValidation<'a>>, Box<KesValidationError>> {
+    let is_praos = matches!(header, MultiEraHeader::BabbageCompatible(_));
+
+    let issuer_vkey = header.issuer_vkey().ok_or(Box::new(KesValidationError::Other(
+        "Issuer Key is not set".to_string(),
+    )))?;
+    let issuer = ed25519::PublicKey::from(
+        <[u8; ed25519::PublicKey::SIZE]>::try_from(issuer_vkey)
+            .map_err(|_| Box::new(KesValidationError::Other("Invalid issuer key".to_string())))?,
+    );
+    let pool_id = PoolId::from(keyhash_224(issuer_vkey));
+
+    let slot_kes_period = header.slot() / slots_per_kes_period;
+    let cert = operational_cert(header).ok_or(Box::new(KesValidationError::Other(
+        "Operational certificate is not set".to_string(),
+    )))?;
+    let body_sig = body_signature(header).ok_or(Box::new(KesValidationError::Other(
+        "Body signature is not set".to_string(),
+    )))?;
+    let raw_header_body = header.header_body_cbor().ok_or(Box::new(KesValidationError::Other(
+        "Header body is not set".to_string(),
+    )))?;
+
+    let latest_sequence_number = if is_praos {
+        praos::latest_issue_no_praos(ocert_counters, active_spos, &pool_id)
+    } else {
+        tpraos::latest_issue_no_tpraos(ocert_counters, active_spos, genesis_delegs, &pool_id)
+    }
+    .ok_or(Box::new(KesValidationError::NoOCertCounter { pool_id }))?;
+
+    Ok(vec![
+        Box::new(move || {
+            validate_kes_signature(
+                slot_kes_period,
+                cert.operational_cert_kes_period,
+                raw_header_body,
+                &kes::PublicKey::try_from(cert.operational_cert_hot_vkey).map_err(|_| {
+                    KesValidationError::Other(
+                        "Invalid operational certificate hot vkey".to_string(),
+                    )
+                })?,
+                &kes::Signature::try_from(body_sig)
+                    .map_err(|_| KesValidationError::Other("Invalid body signature".to_string()))?,
+                max_kes_evolutions,
+            )?;
+            Ok(())
+        }),
+        Box::new(move || {
+            validate_operational_certificate(cert, &issuer, latest_sequence_number, is_praos)?;
+            Ok(())
+        }),
+    ])
+}
+
+fn operational_cert<'a>(header: &'a MultiEraHeader) -> Option<OperationalCertificate<'a>> {
+    match header {
+        MultiEraHeader::ShelleyCompatible(x) => {
+            let cert = OperationalCertificate {
+                operational_cert_hot_vkey: &x.header_body.operational_cert_hot_vkey,
+                operational_cert_sequence_number: x.header_body.operational_cert_sequence_number,
+                operational_cert_kes_period: x.header_body.operational_cert_kes_period,
+                operational_cert_sigma: &x.header_body.operational_cert_sigma,
+            };
+            Some(cert)
+        }
+        MultiEraHeader::BabbageCompatible(x) => Some(OperationalCertificate {
+            operational_cert_hot_vkey: &x.header_body.operational_cert.operational_cert_hot_vkey,
+            operational_cert_sequence_number: x
+                .header_body
+                .operational_cert
+                .operational_cert_sequence_number,
+            operational_cert_kes_period: x.header_body.operational_cert.operational_cert_kes_period,
+            operational_cert_sigma: &x.header_body.operational_cert.operational_cert_sigma,
+        }),
+        _ => None,
+    }
+}
+
+fn body_signature<'a>(header: &'a MultiEraHeader) -> Option<&'a [u8]> {
+    match header {
+        MultiEraHeader::ShelleyCompatible(x) => Some(&x.body_signature),
+        MultiEraHeader::BabbageCompatible(x) => Some(&x.body_signature),
+        _ => None,
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use acropolis_common::{genesis_values::GenesisValues, Era};
+    use pallas::ledger::traverse::MultiEraHeader;
+
+    use super::*;
+
+    #[test]
+    fn test_4490511_block_produced_by_genesis_key() {
+        let slots_per_kes_period = 129600;
+        let max_kes_evolutions = 62;
+        let genesis_values = GenesisValues::mainnet();
+
+        let block_header_4490511: Vec<u8> =
+            hex::decode(include_str!("./data/4490511.cbor")).unwrap();
+        let block_header =
+            MultiEraHeader::decode(Era::Shelley as u8, None, &block_header_4490511).unwrap();
+
+        let ocert_counters = HashMap::new();
+        let active_spos = Vec::new();
+
+        let result = validate_block_kes(
+            &block_header,
+            &ocert_counters,
+            &active_spos,
+            &genesis_values.genesis_delegs,
+            slots_per_kes_period,
+            max_kes_evolutions,
+        )
+        .and_then(|kes_validations| {
+            kes_validations.iter().try_for_each(|assert| assert().map_err(Box::new))
+        });
+        assert!(result.is_ok());
+    }
+}

modules/block_kes_validator/src/ouroboros/mod.rs

@@ -1,2 +1,4 @@
 pub mod kes;
+pub mod kes_validation;
 pub mod praos;
+pub mod tpraos;

modules/block_kes_validator/src/ouroboros/praos.rs

@@ -1,94 +1,14 @@
-use acropolis_common::validation::{KesSignatureError, OperationalCertificateError};
-use pallas::crypto::key::ed25519;
-
-use crate::ouroboros::kes;
-
-pub struct OperationalCertificate<'a> {
-    pub operational_cert_hot_vkey: &'a [u8],
-    pub operational_cert_sequence_number: u64,
-    pub operational_cert_kes_period: u64,
-    pub operational_cert_sigma: &'a [u8],
-}
-
-pub fn validate_kes_signature<'a>(
-    slot_kes_period: u64,
-    opcert_kes_period: u64,
-    header_body: &[u8],
-    public_key: &kes::PublicKey,
-    signature: &kes::Signature,
-    max_kes_evolutions: u64,
-) -> Result<(), KesSignatureError> {
-    if opcert_kes_period > slot_kes_period {
-        return Err(KesSignatureError::KesBeforeStartOcert {
-            ocert_start_period: opcert_kes_period,
-            current_period: slot_kes_period,
-        });
-    }
-
-    if slot_kes_period >= opcert_kes_period + max_kes_evolutions {
-        return Err(KesSignatureError::KesAfterEndOcert {
-            current_period: slot_kes_period,
-            ocert_start_period: opcert_kes_period,
-            max_kes_evolutions,
-        });
-    }
-
-    let kes_period = (slot_kes_period - opcert_kes_period) as u32;
-
-    signature.verify(kes_period, public_key, header_body).map_err(|error| {
-        KesSignatureError::InvalidKesSignatureOcert {
-            current_period: slot_kes_period,
-            ocert_start_period: opcert_kes_period,
-            reason: error.to_string(),
-        }
-    })?;
-
-    Ok(())
-}
-
-pub fn validate_operational_certificate<'a>(
-    certificate: OperationalCertificate<'a>,
-    issuer: &ed25519::PublicKey,
-    latest_sequence_number: u64,
-    is_praos: bool,
-) -> Result<(), OperationalCertificateError> {
-    // Verify the Operational Certificate signature
-    let signature =
-        ed25519::Signature::try_from(certificate.operational_cert_sigma).map_err(|error| {
-            OperationalCertificateError::MalformedSignatureOcert {
-                reason: error.to_string(),
-            }
-        })?;
-
-    let declared_sequence_number = certificate.operational_cert_sequence_number;
-
-    // Check the sequence number of the operational certificate. It should either be the same
-    // as the latest known sequence number for the issuer or one greater.
-    if declared_sequence_number < latest_sequence_number {
-        return Err(OperationalCertificateError::CounterTooSmallOcert {
-            latest_counter: latest_sequence_number,
-            declared_counter: declared_sequence_number,
-        });
-    }
-
-    // this is only for praos protocol
-    if is_praos && (declared_sequence_number - latest_sequence_number) > 1 {
-        return Err(OperationalCertificateError::CounterOverIncrementedOcert {
-            latest_counter: latest_sequence_number,
-            declared_counter: declared_sequence_number,
-        });
-    }
-
-    // The opcert message is a concatenation of the KES vkey, the sequence number, and the kes period
-    let mut message = Vec::new();
-    message.extend_from_slice(certificate.operational_cert_hot_vkey);
-    message.extend_from_slice(&certificate.operational_cert_sequence_number.to_be_bytes());
-    message.extend_from_slice(&certificate.operational_cert_kes_period.to_be_bytes());
-    if !issuer.verify(&message, &signature) {
-        return Err(OperationalCertificateError::InvalidSignatureOcert {
-            issuer: issuer.as_ref().to_vec(),
-        });
-    }
-
-    Ok(())
+use acropolis_common::PoolId;
+use imbl::HashMap;
+
+pub fn latest_issue_no_praos(
+    ocert_counter: &HashMap<PoolId, u64>,
+    active_spos: &[PoolId],
+    pool_id: &PoolId,
+) -> Option<u64> {
+    ocert_counter.get(pool_id).copied().or(if active_spos.contains(pool_id) {
+        Some(0)
+    } else {
+        None
+    })
 }

modules/block_kes_validator/src/ouroboros/tpraos.rs

@@ -0,0 +1,15 @@
+use acropolis_common::{GenesisDelegates, PoolId};
+use imbl::HashMap;
+
+pub fn latest_issue_no_tpraos(
+    ocert_counter: &HashMap<PoolId, u64>,
+    active_spos: &[PoolId],
+    genesis_delegs: &GenesisDelegates,
+    pool_id: &PoolId,
+) -> Option<u64> {
+    ocert_counter.get(pool_id).copied().or(if active_spos.contains(pool_id) {
+        Some(0)
+    } else {
+        genesis_delegs.as_ref().values().any(|v| v.delegate.eq(pool_id.as_ref())).then_some(0)
+    })
+}