Remove Pre-Durango TLS certificate parsing logic (#2831)

Co-authored-by: Stephen Buttolph <stephen@avalabs.org>

Author: dhrubabasu

chains/manager.go

@@ -6,7 +6,6 @@ package chains
 import (
 	"context"
 	"crypto"
-	"crypto/tls"
 	"errors"
 	"fmt"
 	"os"
@@ -173,7 +172,8 @@ type ChainConfig struct {
 
 type ManagerConfig struct {
 	SybilProtectionEnabled bool
-	StakingTLSCert         tls.Certificate // needed to sign snowman++ blocks
+	StakingTLSSigner       crypto.Signer
+	StakingTLSCert         *staking.Certificate
 	StakingBLSKey          *bls.SecretKey
 	TracingEnabled         bool
 	// Must not be used unless [TracingEnabled] is true as this may be nil.
@@ -239,9 +239,6 @@ type manager struct {
 	ids.Aliaser
 	ManagerConfig
 
-	stakingSigner crypto.Signer
-	stakingCert   *staking.Certificate
-
 	// Those notified when a chain is created
 	registrants []Registrant
 
@@ -268,8 +265,6 @@ func New(config *ManagerConfig) Manager {
 	return &manager{
 		Aliaser:                ids.NewAliaser(),
 		ManagerConfig:          *config,
-		stakingSigner:          config.StakingTLSCert.PrivateKey.(crypto.Signer),
-		stakingCert:            staking.CertificateFromX509(config.StakingTLSCert.Leaf),
 		chains:                 make(map[ids.ID]handler.Handler),
 		chainsQueue:            buffer.NewUnboundedBlockingDeque[ChainParameters](initialQueueSize),
 		unblockChainCreatorCh:  make(chan struct{}),
@@ -725,8 +720,8 @@ func (m *manager) createAvalancheChain(
 			MinimumPChainHeight: m.ApricotPhase4MinPChainHeight,
 			MinBlkDelay:         minBlockDelay,
 			NumHistoricalBlocks: numHistoricalBlocks,
-			StakingLeafSigner:   m.stakingSigner,
-			StakingCertLeaf:     m.stakingCert,
+			StakingLeafSigner:   m.StakingTLSSigner,
+			StakingCertLeaf:     m.StakingTLSCert,
 		},
 	)
 
@@ -1062,8 +1057,8 @@ func (m *manager) createSnowmanChain(
 			MinimumPChainHeight: m.ApricotPhase4MinPChainHeight,
 			MinBlkDelay:         minBlockDelay,
 			NumHistoricalBlocks: numHistoricalBlocks,
-			StakingLeafSigner:   m.stakingSigner,
-			StakingCertLeaf:     m.stakingCert,
+			StakingLeafSigner:   m.StakingTLSSigner,
+			StakingCertLeaf:     m.StakingTLSCert,
 		},
 	)
 

indexer/examples/p-chain/main.go

@@ -9,7 +9,6 @@ import (
 	"time"
 
 	"github.com/ava-labs/avalanchego/indexer"
-	"github.com/ava-labs/avalanchego/version"
 	"github.com/ava-labs/avalanchego/wallet/subnet/primary"
 
 	platformvmblock "github.com/ava-labs/avalanchego/vms/platformvm/block"
@@ -34,7 +33,7 @@ func main() {
 		}
 
 		platformvmBlockBytes := container.Bytes
-		proposerVMBlock, err := proposervmblock.Parse(container.Bytes, version.DefaultUpgradeTime)
+		proposerVMBlock, err := proposervmblock.Parse(container.Bytes)
 		if err == nil {
 			platformvmBlockBytes = proposerVMBlock.Block()
 		}

indexer/examples/x-chain-blocks/main.go

@@ -9,7 +9,6 @@ import (
 	"time"
 
 	"github.com/ava-labs/avalanchego/indexer"
-	"github.com/ava-labs/avalanchego/version"
 	"github.com/ava-labs/avalanchego/vms/proposervm/block"
 	"github.com/ava-labs/avalanchego/wallet/chain/x"
 	"github.com/ava-labs/avalanchego/wallet/subnet/primary"
@@ -32,7 +31,7 @@ func main() {
 			continue
 		}
 
-		proposerVMBlock, err := block.Parse(container.Bytes, version.DefaultUpgradeTime)
+		proposerVMBlock, err := block.Parse(container.Bytes)
 		if err != nil {
 			log.Fatalf("failed to parse proposervm block: %s\n", err)
 		}

network/certs_test.go

@@ -58,8 +58,17 @@ func init() {
 		cert1, cert2, cert3,
 	}
 
+	stakingCert1, err := staking.ParseCertificate(cert1.Leaf.Raw)
+	if err != nil {
+		panic(err)
+	}
+	stakingCert2, err := staking.ParseCertificate(cert2.Leaf.Raw)
+	if err != nil {
+		panic(err)
+	}
+
 	ip = ips.NewClaimedIPPort(
-		staking.CertificateFromX509(cert1.Leaf),
+		stakingCert1,
 		ips.IPPort{
 			IP:   net.IPv4(127, 0, 0, 1),
 			Port: 9651,
@@ -68,7 +77,7 @@ func init() {
 		nil, // signature
 	)
 	otherIP = ips.NewClaimedIPPort(
-		staking.CertificateFromX509(cert2.Leaf),
+		stakingCert2,
 		ips.IPPort{
 			IP:   net.IPv4(127, 0, 0, 1),
 			Port: 9651,
@@ -94,7 +103,8 @@ func getTLS(t *testing.T, index int) (ids.NodeID, *tls.Certificate, *tls.Config)
 	}
 
 	tlsCert := tlsCerts[index]
-	cert := staking.CertificateFromX509(tlsCert.Leaf)
+	cert, err := staking.ParseCertificate(tlsCert.Leaf.Raw)
+	require.NoError(t, err)
 	nodeID := ids.NodeIDFromCert(cert)
 	return nodeID, tlsCert, tlsConfigs[index]
 }

network/network.go

@@ -272,12 +272,6 @@ func NewNetwork(
 		IPSigner:             peer.NewIPSigner(config.MyIPPort, config.TLSKey, config.BLSKey),
 	}
 
-	// Invariant: We delay the activation of durango during the TLS handshake to
-	// avoid gossiping any TLS certs that anyone else in the network may
-	// consider invalid. Recall that if a peer gossips an invalid cert, the
-	// connection is terminated.
-	durangoTime := version.GetDurangoTime(config.NetworkID)
-	durangoTimeWithClockSkew := durangoTime.Add(config.MaxClockDifference)
 	onCloseCtx, cancel := context.WithCancel(context.Background())
 	n := &network{
 		config:               config,
@@ -288,8 +282,8 @@ func NewNetwork(
 		inboundConnUpgradeThrottler: throttling.NewInboundConnUpgradeThrottler(log, config.ThrottlerConfig.InboundConnUpgradeThrottlerConfig),
 		listener:                    listener,
 		dialer:                      dialer,
-		serverUpgrader:              peer.NewTLSServerUpgrader(config.TLSConfig, metrics.tlsConnRejected, durangoTimeWithClockSkew),
-		clientUpgrader:              peer.NewTLSClientUpgrader(config.TLSConfig, metrics.tlsConnRejected, durangoTimeWithClockSkew),
+		serverUpgrader:              peer.NewTLSServerUpgrader(config.TLSConfig, metrics.tlsConnRejected),
+		clientUpgrader:              peer.NewTLSClientUpgrader(config.TLSConfig, metrics.tlsConnRejected),
 
 		onCloseCtx:       onCloseCtx,
 		onCloseCtxCancel: cancel,

network/network_test.go

@@ -403,9 +403,12 @@ func TestTrackVerifiesSignatures(t *testing.T) {
 	nodeID, tlsCert, _ := getTLS(t, 1)
 	require.NoError(network.config.Validators.AddStaker(constants.PrimaryNetworkID, nodeID, nil, ids.Empty, 1))
 
-	err := network.Track([]*ips.ClaimedIPPort{
+	stakingCert, err := staking.ParseCertificate(tlsCert.Leaf.Raw)
+	require.NoError(err)
+
+	err = network.Track([]*ips.ClaimedIPPort{
 		ips.NewClaimedIPPort(
-			staking.CertificateFromX509(tlsCert.Leaf),
+			stakingCert,
 			ips.IPPort{
 				IP:   net.IPv4(123, 132, 123, 123),
 				Port: 10000,
@@ -558,15 +561,17 @@ func TestDialDeletesNonValidators(t *testing.T) {
 	wg.Add(len(networks))
 	for i, net := range networks {
 		if i != 0 {
-			err := net.Track([]*ips.ClaimedIPPort{
+			stakingCert, err := staking.ParseCertificate(config.TLSConfig.Certificates[0].Leaf.Raw)
+			require.NoError(err)
+
+			require.NoError(net.Track([]*ips.ClaimedIPPort{
 				ips.NewClaimedIPPort(
-					staking.CertificateFromX509(config.TLSConfig.Certificates[0].Leaf),
+					stakingCert,
 					ip.IPPort,
 					ip.Timestamp,
 					ip.TLSSignature,
 				),
-			})
-			require.NoError(err)
+			}))
 		}
 
 		go func(net Network) {

network/peer/ip_test.go

@@ -19,16 +19,16 @@ import (
 func TestSignedIpVerify(t *testing.T) {
 	tlsCert1, err := staking.NewTLSCert()
 	require.NoError(t, err)
-	cert1 := staking.CertificateFromX509(tlsCert1.Leaf)
-	require.NoError(t, staking.ValidateCertificate(cert1))
+	cert1, err := staking.ParseCertificate(tlsCert1.Leaf.Raw)
+	require.NoError(t, err)
 	tlsKey1 := tlsCert1.PrivateKey.(crypto.Signer)
 	blsKey1, err := bls.NewSecretKey()
 	require.NoError(t, err)
 
 	tlsCert2, err := staking.NewTLSCert()
 	require.NoError(t, err)
-	cert2 := staking.CertificateFromX509(tlsCert2.Leaf)
-	require.NoError(t, staking.ValidateCertificate(cert2))
+	cert2, err := staking.ParseCertificate(tlsCert2.Leaf.Raw)
+	require.NoError(t, err)
 
 	now := time.Now()
 

network/peer/peer.go

@@ -1207,22 +1207,9 @@ func (p *peer) handlePeerList(msg *p2p.PeerList) {
 		close(p.onFinishHandshake)
 	}
 
-	// Invariant: We do not account for clock skew here, as the sender of the
-	// certificate is expected to account for clock skew during the activation
-	// of Durango.
-	durangoTime := version.GetDurangoTime(p.NetworkID)
-	beforeDurango := time.Now().Before(durangoTime)
 	discoveredIPs := make([]*ips.ClaimedIPPort, len(msg.ClaimedIpPorts)) // the peers this peer told us about
 	for i, claimedIPPort := range msg.ClaimedIpPorts {
-		var (
-			tlsCert *staking.Certificate
-			err     error
-		)
-		if beforeDurango {
-			tlsCert, err = staking.ParseCertificate(claimedIPPort.X509Certificate)
-		} else {
-			tlsCert, err = staking.ParseCertificatePermissive(claimedIPPort.X509Certificate)
-		}
+		tlsCert, err := staking.ParseCertificate(claimedIPPort.X509Certificate)
 		if err != nil {
 			p.Log.Debug("message with invalid field",
 				zap.Stringer("nodeID", p.id),

network/peer/peer_test.go

@@ -68,11 +68,13 @@ func makeRawTestPeers(t *testing.T, trackedSubnets set.Set[ids.ID]) (*rawTestPee
 
 	tlsCert0, err := staking.NewTLSCert()
 	require.NoError(err)
-	cert0 := staking.CertificateFromX509(tlsCert0.Leaf)
+	cert0, err := staking.ParseCertificate(tlsCert0.Leaf.Raw)
+	require.NoError(err)
 
 	tlsCert1, err := staking.NewTLSCert()
 	require.NoError(err)
-	cert1 := staking.CertificateFromX509(tlsCert1.Leaf)
+	cert1, err := staking.ParseCertificate(tlsCert1.Leaf.Raw)
+	require.NoError(err)
 
 	nodeID0 := ids.NodeIDFromCert(cert0)
 	nodeID1 := ids.NodeIDFromCert(cert1)

network/peer/test_peer.go

@@ -66,7 +66,6 @@ func StartTestPeer(
 	clientUpgrader := NewTLSClientUpgrader(
 		tlsConfg,
 		prometheus.NewCounter(prometheus.CounterOpts{}),
-		version.GetDurangoTime(networkID),
 	)
 
 	peerID, conn, cert, err := clientUpgrader.Upgrade(conn)