Merge pull request #569 from input-output-hk/ensemble/548-fix-kes-period-issue

Fix KES key update

Author: jpraynaud

mithril-aggregator/src/multi_signer.rs

@@ -9,9 +9,9 @@ use slog_scope::{debug, trace, warn};
 use thiserror::Error;
 
 use mithril_common::crypto_helper::{
-    key_decode_hex, key_encode_hex, ProtocolAggregateVerificationKey, ProtocolAggregationError,
-    ProtocolClerk, ProtocolKeyRegistration, ProtocolMultiSignature, ProtocolParameters,
-    ProtocolPartyId, ProtocolRegistrationError, ProtocolSignerVerificationKey,
+    key_decode_hex, key_encode_hex, KESPeriod, ProtocolAggregateVerificationKey,
+    ProtocolAggregationError, ProtocolClerk, ProtocolKeyRegistration, ProtocolMultiSignature,
+    ProtocolParameters, ProtocolPartyId, ProtocolRegistrationError, ProtocolSignerVerificationKey,
     ProtocolSingleSignature, ProtocolStakeDistribution, PROTOCOL_VERSION,
 };
 use mithril_common::entities::{self, PartyId, Signer, SignerWithStake};
@@ -562,11 +562,14 @@ impl MultiSigner for MultiSignerImpl {
             _ => None,
         };
         let kes_period = match &operational_certificate {
-            Some(operational_certificate) => self
-                .chain_observer
-                .get_current_kes_period(operational_certificate)
-                .await
-                .map_err(|e| ProtocolError::ChainObserver(e.to_string()))?,
+            Some(operational_certificate) => Some(
+                self.chain_observer
+                    .get_current_kes_period(operational_certificate)
+                    .await
+                    .map_err(|e| ProtocolError::ChainObserver(e.to_string()))?
+                    .unwrap_or_default()
+                    - operational_certificate.start_kes_period as KESPeriod,
+            ),
             None => None,
         };
         let party_id_save = key_registration.register(

mithril-common/src/crypto_helper/cardano/key_certification.rs

@@ -65,6 +65,17 @@ pub enum ProtocolRegistrationErrorWrapper {
     CoreRegister(#[from] RegisterError),
 }
 
+/// New initializer error
+#[derive(Error, Debug)]
+pub enum ProtocolInitializerErrorWrapper {
+    /// Error raised when a codec parse error occurs
+    #[error("codec parse error: '{0}'")]
+    Codec(#[from] ParseError),
+
+    /// Error raised when a KES update error occurs
+    #[error("KES key cannot be updated for period {0}")]
+    KesUpdate(KESPeriod),
+}
 /// Wrapper structure for [MithrilCore:StmInitializer](https://mithril.network/mithril-core/doc/mithril/stm/struct.StmInitializer.html).
 /// It now obtains a KES signature over the Mithril key. This allows the signers prove
 /// their correct identity with respect to a Cardano PoolID.
@@ -96,10 +107,18 @@ impl StmInitializerWrapper {
         kes_period: Option<KESPeriod>,
         stake: Stake,
         rng: &mut R,
-    ) -> Result<Self, ParseError> {
+    ) -> Result<Self, ProtocolInitializerErrorWrapper> {
         let stm_initializer = StmInitializer::setup(params, stake, rng);
         let kes_signature = if let Some(kes_sk_path) = kes_sk_path {
-            let kes_sk: Sum6Kes = Sum6Kes::from_file(kes_sk_path)?;
+            let mut kes_sk: Sum6Kes = Sum6Kes::from_file(kes_sk_path)?;
+
+            // We need to perform the evolutions, as the key is stored in evolution 0 in `kes.skey`
+            for period in 0..kes_period.unwrap_or_default() {
+                kes_sk
+                    .update(period)
+                    .map_err(|_| ProtocolInitializerErrorWrapper::KesUpdate(period))?;
+            }
+
             Some(kes_sk.sign(
                 kes_period.unwrap_or_default(),
                 &stm_initializer.verification_key().to_bytes(),

mithril-common/src/crypto_helper/cardano/opcert.rs

@@ -41,7 +41,8 @@ struct RawOpCert(RawFields, EdPublicKey);
 pub struct OpCert {
     pub(crate) kes_vk: KesPublicKey,
     pub(crate) issue_number: u64,
-    pub(crate) start_kes_period: u64, // this is not the kes period used in signing/verifying
+    /// KES period at which KES key is initalized
+    pub start_kes_period: u64,
     pub(crate) cert_sig: EdSignature,
     pub(crate) cold_vk: EdPublicKey,
 }

mithril-signer/src/runtime/runner.rs

@@ -7,7 +7,7 @@ use thiserror::Error;
 use mockall::automock;
 
 use mithril_common::crypto_helper::{
-    key_decode_hex, OpCert, ProtocolSignerVerificationKey, SerDeShelleyFileFormat,
+    key_decode_hex, KESPeriod, OpCert, ProtocolSignerVerificationKey, SerDeShelleyFileFormat,
 };
 use mithril_common::entities::{PartyId, ProtocolParameters};
 use mithril_common::{
@@ -192,7 +192,8 @@ impl Runner for SignerRunner {
                     .chain_observer
                     .get_current_kes_period(&operational_certificate)
                     .await?
-                    .unwrap_or_default(),
+                    .unwrap_or_default()
+                    - operational_certificate.start_kes_period as KESPeriod,
             ),
             None => None,
         };

openapi.yaml

@@ -353,7 +353,7 @@ components:
           type: string
           format: byte
         kes_period:
-          description: The KES Period at which the verification key has been signed by the KES secret key
+          description: The number of updates of the KES secret key that signed the verification key
           type: integer
           format: int64
       example: