feat: verify particle signatures [NET-539]

aquamarine/src/error.rs

@@ -15,6 +15,7 @@
  */
 
 use humantime::FormattedDuration;
+use particle_protocol::ParticleError;
 use thiserror::Error;
 
 #[derive(Debug, Error)]
@@ -44,6 +45,11 @@ pub enum AquamarineApiError {
         "AquamarineApiError::AquamarineQueueFull: can't send particle {particle_id:?} to Aquamarine"
     )]
     AquamarineQueueFull { particle_id: Option<String> },
+    #[error("AquamarineApiError::SignatureVerificationFailed: particle_id = {particle_id}, error = {err}")]
+    SignatureVerificationFailed {
+        particle_id: String,
+        err: ParticleError,
+    },
 }
 
 impl AquamarineApiError {
@@ -52,6 +58,11 @@ impl AquamarineApiError {
             AquamarineApiError::ParticleExpired { particle_id } => Some(particle_id),
             AquamarineApiError::OneshotCancelled { particle_id } => Some(particle_id),
             AquamarineApiError::ExecutionTimedOut { particle_id, .. } => Some(particle_id),
+            // Should it be `None`  considering usage of signature as particle id?
+            // It can compromise valid particles into thinking they are invalid.
+            // But still there can be a case when signature was generated wrong
+            // and client will never know about it.
+            AquamarineApiError::SignatureVerificationFailed { .. } => None,
             AquamarineApiError::AquamarineDied { particle_id } => particle_id,
             AquamarineApiError::AquamarineQueueFull { particle_id, .. } => particle_id,
         }

aquamarine/src/plumber.rs

@@ -92,6 +92,16 @@ impl<RT: AquaRuntime, F: ParticleFunctionStatic> Plumber<RT, F> {
             return;
         }
 
+        if let Err(err) = particle.verify() {
+            tracing::warn!(target: "signature", particle_id = particle.id, "Particle signature verification failed: {err:?}");
+            self.events
+                .push_back(Err(AquamarineApiError::SignatureVerificationFailed {
+                    particle_id: particle.id,
+                    err,
+                }));
+            return;
+        }
+
         let builtins = &self.builtins;
         let key = (particle.id.clone(), worker_id);
         let entry = self.actors.entry(key);

crates/local-vm/src/local_vm.rs

@@ -303,15 +303,19 @@ pub fn make_particle(
 
     tracing::info!(particle_id = id, "Made a particle");
 
-    Particle {
+    let mut particle = Particle {
         id,
         init_peer_id: peer_id,
         timestamp,
         ttl,
         script,
         signature: vec![],
         data: particle_data,
-    }
+    };
+
+    particle.sign(key_pair).expect("sign particle");
+
+    particle
 }
 
 pub fn read_args(

crates/nox-tests/tests/local_vm.rs

@@ -57,7 +57,7 @@ fn make() {
         &mut local_vm_a,
         false,
         Duration::from_secs(20),
-        &keypair_b,
+        &keypair_a,
     );
 
     let args = read_args(particle, client_b, &mut local_vm_b, &keypair_b)

particle-protocol/src/particle.rs

@@ -90,14 +90,12 @@ impl Particle {
     /// return immutable particle fields in bytes for signing
     /// concatenation of:
     /// - id as bytes
-    /// - init_peer_id in base58 as bytes
     /// - timestamp u64 as little-endian bytes
     /// - ttl u32 as little-endian bytes
     /// - script as bytes
     fn as_bytes(&self) -> Vec<u8> {
         let mut bytes = vec![];
         bytes.extend(self.id.as_bytes());
-        bytes.extend(self.init_peer_id.to_base58().as_bytes());
         bytes.extend(self.timestamp.to_le_bytes());
         bytes.extend(self.ttl.to_le_bytes());
         bytes.extend(self.script.as_bytes());

script-storage/src/script_storage.rs

@@ -0,0 +1 @@
+