feat: update handler and middleware to allow no sig on keys message and no check on decryption trigger

blockchainluffy · blockchainluffy · commit 260eccbaac43 · 2025-08-05T11:57:11.000+05:30
diff --git a/rolling-shutter/keyperimpl/shutterservice/handlers.go b/rolling-shutter/keyperimpl/shutterservice/handlers.go
@@ -177,48 +177,6 @@ func validateSignerIndices(extra *p2pmsg.ShutterServiceDecryptionKeysExtra, n in
 	return pubsub.ValidationAccept, nil
 }
 
-func ValidateDecryptionKeysSignatures(
-	keys *p2pmsg.DecryptionKeys,
-	extra *p2pmsg.ShutterServiceDecryptionKeysExtra,
-	keyperSet *obskeyperdatabase.KeyperSet,
-) (pubsub.ValidationResult, error) {
-	if int32(len(extra.SignerIndices)) != keyperSet.Threshold {
-		return pubsub.ValidationReject, errors.Errorf("expected %d signers, got %d", keyperSet.Threshold, len(extra.SignerIndices))
-	}
-	res, err := validateSignerIndices(extra, len(keyperSet.Keypers))
-	if res != pubsub.ValidationAccept {
-		return res, err
-	}
-	signers, err := keyperSet.GetSubset(extra.SignerIndices)
-	if err != nil {
-		return pubsub.ValidationReject, err
-	}
-	identityPreimages := []identitypreimage.IdentityPreimage{}
-	for _, key := range keys.Keys {
-		identityPreimage := identitypreimage.IdentityPreimage(key.IdentityPreimage)
-		identityPreimages = append(identityPreimages, identityPreimage)
-	}
-
-	sigData, err := serviceztypes.NewDecryptionSignatureData(keys.InstanceId, keys.Eon, identityPreimages)
-	if err != nil {
-		return pubsub.ValidationReject, errors.Wrap(err, "failed to create decryption signature data object")
-	}
-
-	for signatureIndex := 0; signatureIndex < len(extra.Signature); signatureIndex++ {
-		signature := extra.Signature[signatureIndex]
-		signer := signers[signatureIndex]
-		signatureValid, err := sigData.CheckSignature(signature, signer)
-		if err != nil {
-			return pubsub.ValidationReject, errors.Wrap(err, "failed to check decryption signature")
-		}
-		if !signatureValid {
-			return pubsub.ValidationReject, errors.New("decryption signature invalid")
-		}
-	}
-
-	return pubsub.ValidationAccept, nil
-}
-
 func (h *DecryptionKeysHandler) ValidateMessage(ctx context.Context, msg p2pmsg.Message) (pubsub.ValidationResult, error) {
 	keys := msg.(*p2pmsg.DecryptionKeys)
 	extra, ok := keys.Extra.(*p2pmsg.DecryptionKeys_Service)
@@ -235,7 +193,7 @@ func (h *DecryptionKeysHandler) ValidateMessage(ctx context.Context, msg p2pmsg.
 		return pubsub.ValidationReject, errors.Wrapf(err, "failed to get keyper set from database for eon %d", keys.Eon)
 	}
 
-	res, err := ValidateDecryptionKeysSignatures(keys, extra.Service, &keyperSet)
+	res, err := validateSignerIndices(extra.Service, len(keyperSet.Keypers))
 	if res != pubsub.ValidationAccept || err != nil {
 		return res, err
 	}
@@ -248,12 +206,7 @@ func (h *DecryptionKeysHandler) HandleMessage(ctx context.Context, msg p2pmsg.Me
 	extra := keys.Extra.(*p2pmsg.DecryptionKeys_Service).Service
 	serviceDB := database.New(h.dbpool)
 
-	identityPreimages := []identitypreimage.IdentityPreimage{}
-	for _, key := range keys.Keys {
-		identityPreimage := identitypreimage.IdentityPreimage(key.IdentityPreimage)
-		identityPreimages = append(identityPreimages, identityPreimage)
-	}
-	identitiesHash := computeIdentitiesHash(identityPreimages)
+	identitiesHash := computeIdentitiesHashFromKeys(keys.GetKeys())
 	for i, keyperIndex := range extra.SignerIndices {
 		err := serviceDB.InsertDecryptionSignature(ctx, database.InsertDecryptionSignatureParams{
 			Eon:            int64(keys.Eon),
diff --git a/rolling-shutter/keyperimpl/shutterservice/identitieshash.go b/rolling-shutter/keyperimpl/shutterservice/identitieshash.go
@@ -22,3 +22,11 @@ func computeIdentitiesHashFromShares(shares []*p2pmsg.KeyShare) []byte {
 	}
 	return computeIdentitiesHash(identityPreimges)
 }
+
+func computeIdentitiesHashFromKeys(keys []*p2pmsg.Key) []byte {
+	identityPreimges := []identitypreimage.IdentityPreimage{}
+	for _, key := range keys {
+		identityPreimges = append(identityPreimges, identitypreimage.IdentityPreimage(key.IdentityPreimage))
+	}
+	return computeIdentitiesHash(identityPreimges)
+}
diff --git a/rolling-shutter/keyperimpl/shutterservice/messagingmiddleware.go b/rolling-shutter/keyperimpl/shutterservice/messagingmiddleware.go
@@ -1,10 +1,8 @@
 package shutterservice
 
 import (
-	"bytes"
 	"context"
 
-	"github.com/jackc/pgx/v4"
 	"github.com/jackc/pgx/v4/pgxpool"
 	pubsub "github.com/libp2p/go-libp2p-pubsub"
 	"github.com/pkg/errors"
@@ -105,32 +103,7 @@ func (i *MessagingMiddleware) interceptDecryptionKeyShares(
 ) (p2pmsg.Message, error) {
 	queries := database.New(i.dbpool)
 
-	currentDecryptionTrigger, err := queries.GetCurrentDecryptionTrigger(ctx, int64(originalMsg.Eon))
-	if err == pgx.ErrNoRows {
-		log.Warn().
-			Uint64("eon", originalMsg.Eon).
-			Msg("intercepted decryption key shares message with unknown corresponding decryption trigger")
-		return nil, nil
-	} else if err != nil {
-		return nil, errors.Wrapf(err, "failed to get current decryption trigger for eon %d", originalMsg.Eon)
-	}
-	if originalMsg.Eon != uint64(currentDecryptionTrigger.Eon) {
-		log.Warn().
-			Uint64("eon-got", originalMsg.Eon).
-			Int64("eon-expected", currentDecryptionTrigger.Eon).
-			Msg("intercepted decryption key shares message with unexpected eon")
-		return nil, nil
-	}
-
 	identitiesHash := computeIdentitiesHashFromShares(originalMsg.Shares)
-	if !bytes.Equal(identitiesHash, currentDecryptionTrigger.IdentitiesHash) {
-		log.Warn().
-			Uint64("eon", originalMsg.Eon).
-			Hex("expectedIdentitiesHash", currentDecryptionTrigger.IdentitiesHash).
-			Hex("actualIdentitiesHash", identitiesHash).
-			Msg("intercepted decryption key shares message with unexpected identities hash")
-		return nil, nil
-	}
 
 	identityPreimages := []identitypreimage.IdentityPreimage{}
 	for _, share := range originalMsg.Shares {
@@ -176,32 +149,23 @@ func (i *MessagingMiddleware) interceptDecryptionKeys(
 	ctx context.Context,
 	originalMsg *p2pmsg.DecryptionKeys,
 ) (p2pmsg.Message, error) {
-	// TODO: update flag in event table to notify the decryption is already done
 	if originalMsg.Extra != nil {
 		return originalMsg, nil
 	}
 
 	serviceDB := database.New(i.dbpool)
 	obsKeyperDB := obskeyperdatabase.New(i.dbpool)
-	trigger, err := serviceDB.GetCurrentDecryptionTrigger(ctx, int64(originalMsg.Eon))
-	if err == pgx.ErrNoRows {
-		log.Warn().
-			Uint64("eon", originalMsg.Eon).
-			Msg("unknown decryption trigger for intercepted keys message")
-		return nil, nil
-	}
-	if err != nil {
-		return nil, errors.Wrapf(err, "failed to get current decryption trigger for eon %d", originalMsg.Eon)
-	}
 
 	keyperSet, err := obsKeyperDB.GetKeyperSetByKeyperConfigIndex(ctx, int64(originalMsg.Eon))
 	if err != nil {
 		return nil, errors.Wrapf(err, "failed to get keyper set from database for eon %d", originalMsg.Eon)
 	}
 
+	identitiesHash := computeIdentitiesHashFromKeys(originalMsg.GetKeys())
+
 	signatures, err := serviceDB.GetDecryptionSignatures(ctx, database.GetDecryptionSignaturesParams{
 		Eon:            int64(originalMsg.Eon),
-		IdentitiesHash: trigger.IdentitiesHash,
+		IdentitiesHash: identitiesHash,
 		Limit:          keyperSet.Threshold,
 	})
 	if err != nil {
@@ -212,7 +176,7 @@ func (i *MessagingMiddleware) interceptDecryptionKeys(
 	if len(signatures) < int(keyperSet.Threshold) {
 		log.Debug().
 			Uint64("eon", originalMsg.Eon).
-			Hex("identities-hash", trigger.IdentitiesHash).
+			Hex("identities-hash", identitiesHash).
 			Int32("threshold", keyperSet.Threshold).
 			Int("num-signatures", len(signatures)).
 			Msg("dropping intercepted keys message as signature count is not high enough yet")
@@ -241,7 +205,7 @@ func (i *MessagingMiddleware) interceptDecryptionKeys(
 
 	log.Info().
 		Uint64("eon", originalMsg.Eon).
-		Hex("identities-hash", trigger.IdentitiesHash).
+		Hex("identities-hash", identitiesHash).
 		Int("num-signatures", len(signatures)).
 		Int("num-keys", len(msg.Keys)).
 		Msg("sending keys")
diff --git a/rolling-shutter/keyperimpl/shutterservice/newblock.go b/rolling-shutter/keyperimpl/shutterservice/newblock.go
@@ -109,7 +109,6 @@ func (kpr *Keyper) triggerDecryption(ctx context.Context,
 	triggeredBlock *syncevent.LatestBlock,
 ) error {
 	coreKeyperDB := corekeyperdatabase.New(kpr.dbpool)
-	serviceDB := servicedatabase.New(kpr.dbpool)
 
 	identityPreimages := make(map[int64][]identitypreimage.IdentityPreimage)
 	lastEonBlock := make(map[int64]int64)
@@ -143,15 +142,6 @@ func (kpr *Keyper) triggerDecryption(ctx context.Context,
 	for eon, preImages := range identityPreimages {
 		sortedIdentityPreimages := sortIdentityPreimages(preImages)
 
-		err := serviceDB.SetCurrentDecryptionTrigger(ctx, servicedatabase.SetCurrentDecryptionTriggerParams{
-			Eon:                  eon,
-			TriggeredBlockNumber: triggeredBlock.Number.Int64(),
-			IdentitiesHash:       computeIdentitiesHash(sortedIdentityPreimages),
-		})
-		if err != nil {
-			return errors.Wrap(err, "failed to insert published decryption trigger into db")
-		}
-
 		trigger := epochkghandler.DecryptionTrigger{
 			// sending last block available for that eon as the key shares will be generated based on the eon associated with this block number
 			BlockNumber:       uint64(lastEonBlock[eon]),

Original file line number	Diff line number	Diff line change
`@@ -22,3 +22,11 @@ func computeIdentitiesHashFromShares(shares []*p2pmsg.KeyShare) []byte {`
`22`	`22`	`}`
`23`	`23`	`return computeIdentitiesHash(identityPreimges)`
`24`	`24`	`}`
	`25`	`+`
	`26`	`+func computeIdentitiesHashFromKeys(keys []*p2pmsg.Key) []byte {`
	`27`	`+ identityPreimges := []identitypreimage.IdentityPreimage{}`
	`28`	`+ for _, key := range keys {`
	`29`	`+ identityPreimges = append(identityPreimges, identitypreimage.IdentityPreimage(key.IdentityPreimage))`
	`30`	`+ }`
	`31`	`+ return computeIdentitiesHash(identityPreimges)`
	`32`	`+}`