checkIsLeader should consider OCert validity

nc6 · nc6 · commit 3cefcddaccf4 · 2020-05-14T16:40:41.000+02:00
This commit adds a verification, during our leader check, that we have
an operational cert which is valid for the current KES period.

Previously, if the OCert was not valid, two things could happen
(depending on the crypto implementation):
- An error would be thrown during signing, or
- A block would be generated and subsequently rejected by the validation
logic.

Now instead we skip any slots where we would otherwise be the leader but
for an invalid operational certificiate.

It would probably be nice to log this in the future.
diff --git a/ouroboros-consensus-shelley/src/Ouroboros/Consensus/Shelley/Protocol.hs b/ouroboros-consensus-shelley/src/Ouroboros/Consensus/Shelley/Protocol.hs
@@ -57,7 +57,7 @@ import qualified Cardano.Crypto.VRF.Class as VRF
 import           Cardano.Prelude (Natural, NoUnexpectedThunks (..))
 import           Cardano.Slotting.EpochInfo
 
-import           Ouroboros.Network.Block (pointSlot)
+import           Ouroboros.Network.Block (pointSlot, unSlotNo)
 
 import           Ouroboros.Consensus.Ledger.Abstract
 import qualified Ouroboros.Consensus.Node.State as NodeState
@@ -334,6 +334,19 @@ instance TPraosCrypto c => ConsensusProtocol (TPraos c) where
       TPraosIsNotACoreNode          -> return Nothing
       TPraosIsACoreNode isACoreNode -> go isACoreNode
     where
+
+      -- | Check whether we have an operational certificate valid for the
+      -- current KES period.
+      hasValidOCert :: TPraosIsCoreNode c -> Bool
+      hasValidOCert TPraosIsCoreNode{tpraosIsCoreNodeOpCert} =
+          kesPeriod > c0 && kesPeriod < c1
+        where
+          SL.OCert _ _ (SL.KESPeriod c0) _ = tpraosIsCoreNodeOpCert
+          c1 = c0 + fromIntegral (tpraosMaxKESEvo tpraosParams)
+          -- The current KES period
+          kesPeriod = fromIntegral $
+            unSlotNo slot `div` tpraosSlotsPerKESPeriod tpraosParams
+
       go :: MonadRandom m => TPraosIsCoreNode c -> m (Maybe (TPraosProof c))
       go icn = do
         let TPraosIsCoreNode {
@@ -351,6 +364,7 @@ instance TPraosCrypto c => ConsensusProtocol (TPraos c) where
         return $ case Map.lookup slot (SL.lvOverlaySched lv) of
           Nothing
             | meetsLeaderThreshold cfg lv (SL.coerceKeyRole vkhCold) y
+            , hasValidOCert icn
               -- Slot isn't in the overlay schedule, so we're in Praos
             -> Just TPraosProof {
                  tpraosEta        = coerce rho
@@ -366,7 +380,9 @@ instance TPraosCrypto c => ConsensusProtocol (TPraos c) where
           -- The given genesis key has authority to produce a block in this
           -- slot. Check whether we're its delegate.
           Just (SL.ActiveSlot gkhash) -> case Map.lookup gkhash dlgMap of
-              Just dlgHash | SL.coerceKeyRole dlgHash == vkhCold
+              Just dlgHash
+                | SL.coerceKeyRole dlgHash == vkhCold
+                , hasValidOCert icn
                 -> Just TPraosProof {
                     tpraosEta        = coerce rho
                     -- Note that this leader value is not checked for slots in
