From ee9c57008d48204f418d26245f18be0fb2c95994 Mon Sep 17 00:00:00 2001 From: Jernej Kos Date: Tue, 7 May 2024 19:35:47 +0200 Subject: [PATCH] keymanager: Allow one epoch in the future during validation This avoids an issue where a key manager node that is slightly behind would return an error during an epoch transition. --- .changelog/5686.bugfix.md | 4 ++++ keymanager/src/runtime/secrets.rs | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) create mode 100644 .changelog/5686.bugfix.md diff --git a/.changelog/5686.bugfix.md b/.changelog/5686.bugfix.md new file mode 100644 index 00000000000..1684a3821b5 --- /dev/null +++ b/.changelog/5686.bugfix.md @@ -0,0 +1,4 @@ +keymanager: Allow one epoch in the future during validation + +This avoids an issue where a key manager node that is slightly behind +would return an error during an epoch transition. diff --git a/keymanager/src/runtime/secrets.rs b/keymanager/src/runtime/secrets.rs index 7fa495669b3..0b1dad6d5ea 100644 --- a/keymanager/src/runtime/secrets.rs +++ b/keymanager/src/runtime/secrets.rs @@ -534,10 +534,10 @@ impl Secrets { } /// Validate that the epoch used for derivation of ephemeral private keys is not - /// in the future or too far back in the past. + /// too far in the future or too far back in the past. fn validate_ephemeral_key_epoch(&self, epoch: EpochTime) -> Result<()> { let consensus_epoch = self.consensus_epoch()?; - if consensus_epoch < epoch || consensus_epoch > epoch + MAX_EPHEMERAL_KEY_AGE { + if consensus_epoch + 1 < epoch || consensus_epoch > epoch + MAX_EPHEMERAL_KEY_AGE { return Err(KeyManagerError::InvalidEpoch(consensus_epoch, epoch).into()); } Ok(())