From 2c17e20d99c5b0bbab6f91ef93f22d91a7737a12 Mon Sep 17 00:00:00 2001
From: Richard Ramos <info@richardramos.me>
Date: Fri, 26 May 2023 10:42:25 -0400
Subject: [PATCH] fix: neither encoding nor address comparison are needed to
 protect a topic

---
 waku/v2/protocol/relay/validators.go      | 23 ++++++-----------------
 waku/v2/protocol/relay/validators_test.go |  9 +++++----
 2 files changed, 11 insertions(+), 21 deletions(-)

diff --git a/waku/v2/protocol/relay/validators.go b/waku/v2/protocol/relay/validators.go
index dac50714..c6bcac67 100644
--- a/waku/v2/protocol/relay/validators.go
+++ b/waku/v2/protocol/relay/validators.go
@@ -15,7 +15,6 @@ import (
 	pubsub "github.com/libp2p/go-libp2p-pubsub"
 	"github.com/libp2p/go-libp2p/core/peer"
 	"github.com/waku-org/go-waku/waku/v2/hash"
-	"github.com/waku-org/go-waku/waku/v2/protocol"
 	"github.com/waku-org/go-waku/waku/v2/protocol/pb"
 	"github.com/waku-org/go-waku/waku/v2/timesource"
 	"go.uber.org/zap"
@@ -56,9 +55,7 @@ func withinTimeWindow(t timesource.Timesource, msg *pb.WakuMessage) bool {
 
 type validatorFn = func(ctx context.Context, peerID peer.ID, message *pubsub.Message) bool
 
-func validatorFnBuilder(t timesource.Timesource, publicKey *ecdsa.PublicKey) (validatorFn, error) {
-	address := crypto.PubkeyToAddress(*publicKey)
-	topic := protocol.NewNamedShardingPubsubTopic(address.String() + "/proto").String()
+func validatorFnBuilder(t timesource.Timesource, topic string, publicKey *ecdsa.PublicKey) (validatorFn, error) {
 	return func(ctx context.Context, peerID peer.ID, message *pubsub.Message) bool {
 		msg := new(pb.WakuMessage)
 		err := proto.Unmarshal(message.Data, msg)
@@ -73,21 +70,19 @@ func validatorFnBuilder(t timesource.Timesource, publicKey *ecdsa.PublicKey) (va
 		msgHash := MsgHash(topic, msg)
 		signature := msg.Meta
 
-		pubKey, err := crypto.SigToPub(msgHash, signature)
+		msgPubKey, err := crypto.SigToPub(msgHash, signature)
 		if err != nil {
 			return false
 		}
 
-		msgAddress := crypto.PubkeyToAddress(*pubKey)
-
-		return bytes.Equal(msgAddress.Bytes(), address.Bytes())
+		return bytes.Equal(crypto.FromECDSAPub(msgPubKey), crypto.FromECDSAPub(publicKey))
 	}, nil
 }
 
 func (w *WakuRelay) AddSignedTopicValidator(topic string, publicKey *ecdsa.PublicKey) error {
 	w.log.Info("adding validator to signed topic", zap.String("topic", topic), zap.String("publicKey", hex.EncodeToString(elliptic.Marshal(publicKey.Curve, publicKey.X, publicKey.Y))))
 
-	fn, err := validatorFnBuilder(w.timesource, publicKey)
+	fn, err := validatorFnBuilder(w.timesource, topic, publicKey)
 	if err != nil {
 		return err
 	}
@@ -104,9 +99,8 @@ func (w *WakuRelay) AddSignedTopicValidator(topic string, publicKey *ecdsa.Publi
 	return nil
 }
 
-func SignMessage(privKey *ecdsa.PrivateKey, msg *pb.WakuMessage) error {
-	topic := PrivKeyToTopic(privKey)
-	msgHash := MsgHash(topic, msg)
+func SignMessage(privKey *ecdsa.PrivateKey, msg *pb.WakuMessage, pubsubTopic string) error {
+	msgHash := MsgHash(pubsubTopic, msg)
 	sign, err := secp256k1.Sign(msgHash, crypto.FromECDSA(privKey))
 	if err != nil {
 		return err
@@ -115,8 +109,3 @@ func SignMessage(privKey *ecdsa.PrivateKey, msg *pb.WakuMessage) error {
 	msg.Meta = sign
 	return nil
 }
-
-func PrivKeyToTopic(privKey *ecdsa.PrivateKey) string {
-	address := crypto.PubkeyToAddress(privKey.PublicKey)
-	return protocol.NewNamedShardingPubsubTopic(address.String() + "/proto").String()
-}
diff --git a/waku/v2/protocol/relay/validators_test.go b/waku/v2/protocol/relay/validators_test.go
index 352b1b1f..383c1fcb 100644
--- a/waku/v2/protocol/relay/validators_test.go
+++ b/waku/v2/protocol/relay/validators_test.go
@@ -41,6 +41,7 @@ func TestMsgHash(t *testing.T) {
 	prvKey, _ := crypto.ToECDSA(privKeyB)
 
 	payload, _ := hex.DecodeString("1A12E077D0E89F9CAC11FBBB6A676C86120B5AD3E248B1F180E98F15EE43D2DFCF62F00C92737B2FF6F59B3ABA02773314B991C41DC19ADB0AD8C17C8E26757B")
+	protectedPubSubTopic := "pubsub-topic"
 	contentTopic := "content-topic"
 	ephemeral := true
 	timestamp := time.Unix(0, 1683208172339052800)
@@ -52,7 +53,7 @@ func TestMsgHash(t *testing.T) {
 		Ephemeral:    ephemeral,
 	}
 
-	err := SignMessage(prvKey, msg)
+	err := SignMessage(prvKey, msg, protectedPubSubTopic)
 	require.NoError(t, err)
 
 	//	expectedSignature, _ := hex.DecodeString("127FA211B2514F0E974A055392946DC1A14052182A6ABEFB8A6CD7C51DA1BF2E40595D28EF1A9488797C297EED3AAC45430005FB3A7F037BDD9FC4BD99F59E63")
@@ -64,7 +65,7 @@ func TestMsgHash(t *testing.T) {
 	//messageHash := MsgHash(pubsubTopic, msg)
 	//require.True(t, bytes.Equal(expectedMessageHash, messageHash))
 
-	myValidator, err := validatorFnBuilder(NewFakeTimesource(timestamp), &prvKey.PublicKey)
+	myValidator, err := validatorFnBuilder(NewFakeTimesource(timestamp), protectedPubSubTopic, &prvKey.PublicKey)
 	require.NoError(t, err)
 	result := myValidator(context.Background(), "", &pubsub.Message{
 		Message: &pubsub_pb.Message{
@@ -75,7 +76,7 @@ func TestMsgHash(t *testing.T) {
 
 	// Exceed 5m window in both directions
 	now5m1sInPast := timestamp.Add(-5 * time.Minute).Add(-1 * time.Second)
-	myValidator, err = validatorFnBuilder(NewFakeTimesource(now5m1sInPast), &prvKey.PublicKey)
+	myValidator, err = validatorFnBuilder(NewFakeTimesource(now5m1sInPast), protectedPubSubTopic, &prvKey.PublicKey)
 	require.NoError(t, err)
 	result = myValidator(context.Background(), "", &pubsub.Message{
 		Message: &pubsub_pb.Message{
@@ -85,7 +86,7 @@ func TestMsgHash(t *testing.T) {
 	require.False(t, result)
 
 	now5m1sInFuture := timestamp.Add(5 * time.Minute).Add(1 * time.Second)
-	myValidator, err = validatorFnBuilder(NewFakeTimesource(now5m1sInFuture), &prvKey.PublicKey)
+	myValidator, err = validatorFnBuilder(NewFakeTimesource(now5m1sInFuture), protectedPubSubTopic, &prvKey.PublicKey)
 	require.NoError(t, err)
 	result = myValidator(context.Background(), "", &pubsub.Message{
 		Message: &pubsub_pb.Message{