go-waku/waku/v2/protocol/relay/validators.go

package relay

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"encoding/binary"
	"encoding/hex"
	"time"

	"github.com/ethereum/go-ethereum/crypto"
	"github.com/ethereum/go-ethereum/crypto/secp256k1"

	pubsub "github.com/libp2p/go-libp2p-pubsub"
	"github.com/libp2p/go-libp2p/core/peer"
	"github.com/waku-org/go-waku/waku/v2/hash"
	"github.com/waku-org/go-waku/waku/v2/protocol/pb"
	"github.com/waku-org/go-waku/waku/v2/timesource"
	"go.uber.org/zap"
	proto "google.golang.org/protobuf/proto"
)

// Application level message hash
func MsgHash(pubSubTopic string, msg *pb.WakuMessage) []byte {
	timestampBytes := make([]byte, 8)
	binary.LittleEndian.PutUint64(timestampBytes, uint64(msg.Timestamp))

	var ephemeralByte byte
	if msg.Ephemeral {
		ephemeralByte = 1
	}

	return hash.SHA256(
		[]byte(pubSubTopic),
		msg.Payload,
		[]byte(msg.ContentTopic),
		timestampBytes,
		[]byte{ephemeralByte},
	)
}

const MessageWindowDuration = time.Minute * 5

func withinTimeWindow(t timesource.Timesource, msg *pb.WakuMessage) bool {
	if msg.Timestamp == 0 {
		return false
	}

	now := t.Now()
	msgTime := time.Unix(0, msg.Timestamp)

	return now.Sub(msgTime).Abs() <= MessageWindowDuration
}

type validatorFn = func(ctx context.Context, peerID peer.ID, message *pubsub.Message) bool

func validatorFnBuilder(t timesource.Timesource, topic string, publicKey *ecdsa.PublicKey) validatorFn {
	pubkBytes := crypto.FromECDSAPub(publicKey)
	return func(ctx context.Context, peerID peer.ID, message *pubsub.Message) bool {
		msg := new(pb.WakuMessage)
		err := proto.Unmarshal(message.Data, msg)
		if err != nil {
			return false
		}

		if !withinTimeWindow(t, msg) {
			return false
		}

		msgHash := MsgHash(topic, msg)
		signature := msg.Meta

		return secp256k1.VerifySignature(pubkBytes, msgHash, signature)
	}
}

func (w *WakuRelay) AddSignedTopicValidator(topic string, publicKey *ecdsa.PublicKey) error {
	w.log.Info("adding validator to signed topic", zap.String("topic", topic), zap.String("publicKey", hex.EncodeToString(elliptic.Marshal(publicKey.Curve, publicKey.X, publicKey.Y))))
	err := w.pubsub.RegisterTopicValidator(topic, validatorFnBuilder(w.timesource, topic, publicKey))
	if err != nil {
		return err
	}

	if !w.IsSubscribed(topic) {
		w.log.Warn("relay is not subscribed to signed topic", zap.String("topic", topic))
	}

	return nil
}

func SignMessage(privKey *ecdsa.PrivateKey, topic string, msg *pb.WakuMessage) error {
	msgHash := MsgHash(topic, msg)
	sign, err := secp256k1.Sign(msgHash, crypto.FromECDSA(privKey))
	if err != nil {
		return err
	}

	msg.Meta = sign[0:64] // Drop the V in R||S||V
	return nil
}
feat: dos protected topic relay msgs based on meta field 2023-04-05 21:03:29 +00:00			`package relay`

			`import (`
			`"context"`
			`"crypto/ecdsa"`
			`"crypto/elliptic"`
feat: validate message timestamp in signed topic validator 2023-05-04 15:56:56 +00:00			`"encoding/binary"`
feat: dos protected topic relay msgs based on meta field 2023-04-05 21:03:29 +00:00			`"encoding/hex"`
feat: validate message timestamp in signed topic validator 2023-05-04 15:56:56 +00:00			`"time"`
feat: dos protected topic relay msgs based on meta field 2023-04-05 21:03:29 +00:00
fix: use deterministic signatures RFC6979 2023-05-03 15:59:47 +00:00			`"github.com/ethereum/go-ethereum/crypto"`
			`"github.com/ethereum/go-ethereum/crypto/secp256k1"`

feat: dos protected topic relay msgs based on meta field 2023-04-05 21:03:29 +00:00			`pubsub "github.com/libp2p/go-libp2p-pubsub"`
			`"github.com/libp2p/go-libp2p/core/peer"`
			`"github.com/waku-org/go-waku/waku/v2/hash"`
			`"github.com/waku-org/go-waku/waku/v2/protocol/pb"`
feat: validate message timestamp in signed topic validator 2023-05-04 15:56:56 +00:00			`"github.com/waku-org/go-waku/waku/v2/timesource"`
feat: dos protected topic relay msgs based on meta field 2023-04-05 21:03:29 +00:00			`"go.uber.org/zap"`
			`proto "google.golang.org/protobuf/proto"`
			`)`

			`// Application level message hash`
			`func MsgHash(pubSubTopic string, msg *pb.WakuMessage) []byte {`
feat: validate message timestamp in signed topic validator 2023-05-04 15:56:56 +00:00			`timestampBytes := make([]byte, 8)`
			`binary.LittleEndian.PutUint64(timestampBytes, uint64(msg.Timestamp))`

			`var ephemeralByte byte`
			`if msg.Ephemeral {`
			`ephemeralByte = 1`
			`}`

			`return hash.SHA256(`
			`[]byte(pubSubTopic),`
			`msg.Payload,`
			`[]byte(msg.ContentTopic),`
			`timestampBytes,`
			`[]byte{ephemeralByte},`
			`)`
			`}`

			`const MessageWindowDuration = time.Minute * 5`

			`func withinTimeWindow(t timesource.Timesource, msg *pb.WakuMessage) bool {`
			`if msg.Timestamp == 0 {`
			`return false`
			`}`

			`now := t.Now()`
			`msgTime := time.Unix(0, msg.Timestamp)`

			`return now.Sub(msgTime).Abs() <= MessageWindowDuration`
feat: dos protected topic relay msgs based on meta field 2023-04-05 21:03:29 +00:00			`}`

chore: add unit test for signed validator and --protected-topic-flag 2023-05-02 15:10:45 +00:00			`type validatorFn = func(ctx context.Context, peerID peer.ID, message *pubsub.Message) bool`

feat: validate message timestamp in signed topic validator 2023-05-04 15:56:56 +00:00			`func validatorFnBuilder(t timesource.Timesource, topic string, publicKey *ecdsa.PublicKey) validatorFn {`
fix: use deterministic signatures RFC6979 2023-05-03 15:59:47 +00:00			`pubkBytes := crypto.FromECDSAPub(publicKey)`
chore: add unit test for signed validator and --protected-topic-flag 2023-05-02 15:10:45 +00:00			`return func(ctx context.Context, peerID peer.ID, message *pubsub.Message) bool {`
feat: dos protected topic relay msgs based on meta field 2023-04-05 21:03:29 +00:00			`msg := new(pb.WakuMessage)`
			`err := proto.Unmarshal(message.Data, msg)`
			`if err != nil {`
			`return false`
			`}`

feat: validate message timestamp in signed topic validator 2023-05-04 15:56:56 +00:00			`if !withinTimeWindow(t, msg) {`
			`return false`
			`}`

feat: dos protected topic relay msgs based on meta field 2023-04-05 21:03:29 +00:00			`msgHash := MsgHash(topic, msg)`
			`signature := msg.Meta`

fix: use deterministic signatures RFC6979 2023-05-03 15:59:47 +00:00			`return secp256k1.VerifySignature(pubkBytes, msgHash, signature)`
chore: add unit test for signed validator and --protected-topic-flag 2023-05-02 15:10:45 +00:00			`}`
			`}`

			`func (w WakuRelay) AddSignedTopicValidator(topic string, publicKey ecdsa.PublicKey) error {`
			`w.log.Info("adding validator to signed topic", zap.String("topic", topic), zap.String("publicKey", hex.EncodeToString(elliptic.Marshal(publicKey.Curve, publicKey.X, publicKey.Y))))`
feat: validate message timestamp in signed topic validator 2023-05-04 15:56:56 +00:00			`err := w.pubsub.RegisterTopicValidator(topic, validatorFnBuilder(w.timesource, topic, publicKey))`
fix: code review 2023-05-04 14:04:54 +00:00			`if err != nil {`
			`return err`
			`}`

			`if !w.IsSubscribed(topic) {`
			`w.log.Warn("relay is not subscribed to signed topic", zap.String("topic", topic))`
			`}`

			`return nil`
feat: dos protected topic relay msgs based on meta field 2023-04-05 21:03:29 +00:00			`}`

chore: add unit test for signed validator and --protected-topic-flag 2023-05-02 15:10:45 +00:00			`func SignMessage(privKey ecdsa.PrivateKey, topic string, msg pb.WakuMessage) error {`
feat: dos protected topic relay msgs based on meta field 2023-04-05 21:03:29 +00:00			`msgHash := MsgHash(topic, msg)`
fix: use deterministic signatures RFC6979 2023-05-03 15:59:47 +00:00			`sign, err := secp256k1.Sign(msgHash, crypto.FromECDSA(privKey))`
feat: dos protected topic relay msgs based on meta field 2023-04-05 21:03:29 +00:00			`if err != nil {`
			`return err`
			`}`

fix: use deterministic signatures RFC6979 2023-05-03 15:59:47 +00:00			`msg.Meta = sign[0:64] // Drop the V in R\|\|S\|\|V`
feat: dos protected topic relay msgs based on meta field 2023-04-05 21:03:29 +00:00			`return nil`
			`}`