Merge pull request #400 from shutter-network/fix/verify-decryption-key

ulope · web-flow · commit b7b201f9d60c · 2023-09-05T14:55:17.000+02:00
fix: snapshot collator did not verify received decryption keys
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
@@ -36,6 +36,10 @@ services:
       --http
       --http.addr 0.0.0.0
       --http.vhosts geth
+    # No idea why this is suddenly needed - the HEALTHCHECK is defined in the dockerfile but doesn't get picked up anymore...
+    healthcheck:
+      test: >
+        curl -sSf -X POST http://127.0.0.1:8545 -H "Content-Type: application/json" --data-raw '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[], "id": 1}'
     logging: *logging
 
   deploy-contracts:
diff --git a/rolling-shutter/snapshot/handler.go b/rolling-shutter/snapshot/handler.go
@@ -7,7 +7,10 @@ import (
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
 
+	"github.com/shutter-network/shutter/shlib/shcrypto"
+
 	"github.com/shutter-network/rolling-shutter/rolling-shutter/db/snpdb"
+	"github.com/shutter-network/rolling-shutter/rolling-shutter/medley"
 	"github.com/shutter-network/rolling-shutter/rolling-shutter/p2p"
 	"github.com/shutter-network/rolling-shutter/rolling-shutter/p2pmsg"
 )
@@ -49,7 +52,9 @@ func (d *DecryptionTriggerHandler) MessagePrototypes() []p2pmsg.Message {
 	return []p2pmsg.Message{&p2pmsg.DecryptionTrigger{}}
 }
 
-func (handler *DecryptionKeyHandler) ValidateMessage(_ context.Context, msg p2pmsg.Message) (bool, error) {
+func (handler *DecryptionKeyHandler) ValidateMessage(ctx context.Context, msg p2pmsg.Message) (bool, error) {
+	var eonPublicKey shcrypto.EonPublicKey
+
 	decryptionKeyMsg := msg.(*p2pmsg.DecryptionKey)
 	// FIXME: check snapshot business logic for decryptionKeyMsg validation
 	if decryptionKeyMsg.GetInstanceID() != handler.config.InstanceID {
@@ -67,6 +72,30 @@ func (handler *DecryptionKeyHandler) ValidateMessage(_ context.Context, msg p2pm
 		return false, errors.Wrap(err, "failed to encode decryption key")
 	}
 
+	eonID, err := medley.Uint64ToInt64Safe(decryptionKeyMsg.GetEon())
+	if err != nil {
+		return false, errors.Wrap(err, "can't cast eon to int64")
+	}
+
+	eon, err := handler.snapshot.db.GetEonPublicKey(ctx, eonID)
+	if err != nil {
+		return false, errors.Wrap(err, "failed to retrieve eon for decryption key")
+	}
+
+	err = eonPublicKey.GobDecode(eon)
+	if err != nil {
+		return false, errors.Wrap(err, "failed to retrieve eon for decryption key")
+	}
+
+	epochID := decryptionKeyMsg.GetEpochID()
+	ok, err := shcrypto.VerifyEpochSecretKey(key, &eonPublicKey, epochID)
+	if err != nil {
+		return false, err
+	}
+	if !ok {
+		return false, errors.Errorf("recovery of epoch secret key failed for epoch %s", epochID)
+	}
+
 	return true, nil
 }
 
