Implement ACP-20

[StephenButtolph]

Currently NodeIDs are generated based on ripemd160(sha256(TLS_CERT_DER)):

avalanchego/ids/node_id.go

Lines 79 to 83 in ccf785c

	func NodeIDFromCert(cert *staking.Certificate) NodeID {
	return hashing.ComputeHash160Array(
	hashing.ComputeHash256(cert.Raw),
	)
	}

Only RSA and ECDSA keys are currently allowed to be used. This restriction means that we can use the public key in the TLS certificate to switch on the NodeID format:

avalanchego/staking/parse.go

Lines 124 to 167 in ccf785c

	func parsePublicKey(oid asn1.ObjectIdentifier, publicKey asn1.BitString) (crypto.PublicKey, error) {
	der := cryptobyte.String(publicKey.RightAlign())
	switch {
	case oid.Equal(oidPublicKeyRSA):
	pub := &rsa.PublicKey{N: new(big.Int)}
	if !der.ReadASN1(&der, cryptobyte_asn1.SEQUENCE) {
	return nil, ErrInvalidRSAPublicKey
	}
	if !der.ReadASN1Integer(pub.N) {
	return nil, ErrInvalidRSAModulus
	}
	if !der.ReadASN1Integer(&pub.E) {
	return nil, ErrInvalidRSAPublicExponent
	}
	if pub.N.Sign() <= 0 {
	return nil, ErrRSAModulusNotPositive
	}
	if bitLen := pub.N.BitLen(); bitLen != allowedRSALargeModulusLen && bitLen != allowedRSASmallModulusLen {
	return nil, fmt.Errorf("%w: %d", ErrUnsupportedRSAModulusBitLen, bitLen)
	}
	if pub.N.Bit(0) == 0 {
	return nil, ErrRSAModulusIsEven
	}
	if pub.E != allowedRSAPublicExponentValue {
	return nil, fmt.Errorf("%w: %d", ErrUnsupportedRSAPublicExponent, pub.E)
	}
	return pub, nil
	case oid.Equal(oidPublicKeyECDSA):
	namedCurve := elliptic.P256()
	x, y := elliptic.Unmarshal(namedCurve, der)
	if x == nil {
	return nil, ErrFailedUnmarshallingEllipticCurvePoint
	}
	return &ecdsa.PublicKey{
	Curve: namedCurve,
	X: x,
	Y: y,
	}, nil
	default:
	return nil, ErrUnknownPublicKeyAlgorithm
	}
	}

In the Etna upgrade, Ed25519 keys should be supported: https://github.com/avalanche-foundation/ACPs/tree/main/ACPs/20-ed25519-p2p

The NodeID representation of these Ed25519 keys should be the 32-byte public key representation.

The Ed25519 keys will be used for ACP-77 subnet validators: https://github.com/avalanche-foundation/ACPs/tree/main/ACPs/77-reinventing-subnets#step-2-issue-a-registersubnetvalidatortx-on-the-p-chain

We must retain support for prior P-chain transactions which encode the fixed 20-byte ids.NodeID type:

• avalanchego/vms/platformvm/txs/add_delegator_tx.go

  Line 34 in ccf785c

  Validator `serialize:"true" json:"validator"`

• avalanchego/vms/platformvm/txs/add_permissionless_delegator_tx.go

  Line 30 in ccf785c

  Validator `serialize:"true" json:"validator"`

• avalanchego/vms/platformvm/txs/add_permissionless_validator_tx.go

  Line 39 in ccf785c

  Validator `serialize:"true" json:"validator"`

• avalanchego/vms/platformvm/txs/add_subnet_validator_tx.go

  Line 28 in ccf785c

  SubnetValidator `serialize:"true" json:"validator"`

• avalanchego/vms/platformvm/txs/add_validator_tx.go

  Line 33 in ccf785c

  Validator `serialize:"true" json:"validator"`

• avalanchego/vms/platformvm/txs/remove_subnet_validator_tx.go

  Line 25 in ccf785c

  NodeID ids.NodeID `serialize:"true" json:"nodeID"`

The following PRs are related to this issue:

• Introducing GenericNodeID #1989

[github-actions]

This issue has become stale because it has been open 60 days with no activity. Adding the lifecycle/frozen label will cause this issue to ignore lifecycle events.

[github-actions]

This issue has become stale because it has been open 60 days with no activity. Adding the lifecycle/frozen label will cause this issue to ignore lifecycle events.