Conversation

@golddydev
Collaborator

@golddydev golddydev commented Nov 12, 2025

Description

This pull request introduces a full KES (Key Evolving Signature) validation pipeline for Cardano block headers and wires it into the omnibus process as the new block-kes-validator module. The validator consumes BlockAvailable messages, applies the relevant Praos/TPraos rules, and publishes validation outcomes as BlockValidation

Major Changes

  • New block-kes-validator crate

    • Registers the Caryatid module, subscribes to bootstrapped, block, protocol-parameter, and SPO-state feeds, and publishes ValidationStatus (with KESValidationError if the block is invalid) messages for each block.
    • Persists per-block state (operational-certificate counters, protocol parameters, active pools) via StateHistory, handling rollbacks.
  • KES validation logic

    • ouroboros/kes.rs: thin wrapper around kes-summed-ed25519 with safe conversions, signature verification, and unit tests.
    • ouroboros/kes_validation.rs: translates Pallas multi-era headers into protocol checks and returns closures that perform signature validation and operational-certificate verification; supports Praos (Babbage+) and TPraos (Shelley-era) flows.
    • ouroboros/praos.rs & ouroboros/tpraos.rs: helper utilities for deriving the latest OCert counter depending on active stake pools and genesis delegates.
  • State management

    • state.rs: tracks OCert counters, protocol parameters, and active SPOs; decodes headers with Pallas and coordinates validation.
    • KesValidationPublisher: standardizes publishing of success/failure results.

Related Issue(s)

Relates to #199

How was this tested?

  • Local Test cases

    • Added raw block header data for test cases (from both the TPraos and Praos eras, plus one produced by a genesis key).
    • All KES validations pass for those block headers.
    • Wrote some failing test cases (wrong ocert counter, missing ocert counter, over-incremented ocert counter).
  • Command

cargo test --package acropolis_module_block_kes_validator

Checklist

  • My code builds and passes local tests
  • I added/updated tests for my changes, where applicable
  • I added comments and references from the Haskell code.
  • CI is green for this PR

Impact / Side effects

Since every block header now has to pass KES validation (with several cryptographic checks), this will consume more CPU.

Reviewer notes / Areas to focus

kes_validation.rs is where all KES validation logic lives.
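The operational-certificate rules that the failing test cases above exercise (wrong, missing and over-incremented ocert counter, plus the KES period window), as an added Rust example that is not code from this PR or the Acropolis project. The struct, enum and function names are hypothetical; the rules are those of the Cardano OCERT check (a hot key is valid for periods c0 <= kp < c0 + maxKESEvolutions, the counter may not go backwards, and the upper bound n <= m + 1 is the Praos over-increment rule), and the actual KES signature verification is left out.

```rust
/// Hypothetical subset of an operational certificate: the fields the period and
/// counter rules need (c0 and n in the Haskell OCERT rule).
#[derive(Debug, Clone, Copy)]
pub struct OCertInfo {
    pub kes_period_start: u64, // first KES period the hot key is valid for (c0)
    pub counter: u64,          // certificate issue number (n)
}

/// Failure variants, named after the ledger's OCERT predicate failures.
#[derive(Debug, PartialEq, Eq)]
pub enum OCertError {
    KesBeforeStart { start: u64, period: u64 },
    KesAfterEnd { start: u64, period: u64, max_evolutions: u64 },
    NoCounterForKeyHash,                            // "missing ocert counter"
    CounterTooSmall { last: u64, got: u64 },        // "wrong ocert counter"
    CounterOverIncremented { last: u64, got: u64 }, // "over-incremented ocert counter"
}

/// Checks the certificate against the block's slot and the last counter recorded
/// for the pool's cold key. On success returns the KES evolution index
/// t = kes_period - kes_period_start, which the header's KES signature must then
/// verify under (the cryptographic step itself is not shown here).
pub fn check_ocert(
    slot: u64,
    slots_per_kes_period: u64,
    max_kes_evolutions: u64,
    ocert: OCertInfo,
    last_counter: Option<u64>,
) -> Result<u64, OCertError> {
    let period = slot / slots_per_kes_period;
    let start = ocert.kes_period_start;
    // The hot key is usable only for periods start <= kp < start + max_kes_evolutions.
    if period < start {
        return Err(OCertError::KesBeforeStart { start, period });
    }
    if period >= start + max_kes_evolutions {
        return Err(OCertError::KesAfterEnd { start, period, max_evolutions: max_kes_evolutions });
    }
    // A pool with no recorded counter cannot be validated at all.
    let last = last_counter.ok_or(OCertError::NoCounterForKeyHash)?;
    // Counter must not go backwards, and (Praos rule) may advance by at most one.
    if ocert.counter < last {
        return Err(OCertError::CounterTooSmall { last, got: ocert.counter });
    }
    if ocert.counter > last + 1 {
        return Err(OCertError::CounterOverIncremented { last, got: ocert.counter });
    }
    Ok(period - start)
}
```

The values 129600 slots per KES period and 62 maximum evolutions used below are the Cardano mainnet parameters; the certificate and counters are constructed sample data.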

@golddydev golddydev self-assigned this Nov 12, 2025
@golddydev golddydev requested a review from Copilot November 12, 2025 13:48
Copilot finished reviewing on behalf of golddydev November 12, 2025 13:56
Contributor

Copilot AI left a comment

Pull Request Overview

This PR implements KES (Key Evolving Signature) validation for Cardano block headers, adding cryptographic verification of operational certificates and KES signatures to ensure blocks are produced by authorized stake pools with valid keys.

Key Changes

  • Added new block_kes_validator module that validates KES signatures and operational certificates for both TPraos and Praos protocols
  • Integrated KES validation into the omnibus process with proper state management and rollback support
  • Extended common validation error types to include detailed KES-related error variants

Reviewed Changes

Copilot reviewed 19 out of 20 changed files in this pull request and generated 25 comments.

File Description
processes/omnibus/src/main.rs Registers BlockKesValidator module with the omnibus process
processes/omnibus/Cargo.toml Adds block_kes_validator dependency
processes/omnibus/omnibus.toml Adds configuration section for block-kes-validator module
modules/block_kes_validator/Cargo.toml Defines new module dependencies including kes-summed-ed25519 library
modules/block_kes_validator/src/block_kes_validator.rs Main module implementation with subscription handling and validation orchestration
modules/block_kes_validator/src/state.rs State management for ocert counters, protocol parameters, and active SPOs
modules/block_kes_validator/src/kes_validation_publisher.rs Publishes KES validation results to the message bus
modules/block_kes_validator/src/ouroboros/kes.rs Rust wrapper for KES cryptographic operations
modules/block_kes_validator/src/ouroboros/kes_validation.rs Core KES validation logic with comprehensive tests
modules/block_kes_validator/src/ouroboros/praos.rs Praos-specific ocert counter resolution
modules/block_kes_validator/src/ouroboros/tpraos.rs TPraos-specific ocert counter resolution with genesis delegate support
modules/block_kes_validator/src/ouroboros/mod.rs Module declarations for ouroboros submodules
modules/block_kes_validator/src/ouroboros/data/*.cbor Test fixtures for block header validation
common/src/validation.rs Adds KES validation error types and variants
modules/block_vrf_validator/src/block_vrf_validator.rs Reorders constant definitions for consistency
Cargo.toml Adds block_kes_validator to workspace members
Cargo.lock Updates dependencies including kes-summed-ed25519 library
.cargo/audit.toml Removes redundant empty ignore list

@golddydev golddydev marked this pull request as ready for review November 12, 2025 16:16
@golddydev golddydev requested a review from SupernaviX November 13, 2025 16:36
Collaborator

@whankinsiv whankinsiv left a comment

Everything looks good. The only change I'd like to see is moving the SecretKey definition and impl into tests since it isn't required for KES validation.

// ------------------------------------------------------------------- PublicKey

/// KES public key
pub struct PublicKey(kes::PublicKey);
Collaborator

Would VerificationKey be appropriate here? PublicKey also makes sense.

Collaborator Author

Yeah, I chose PublicKey because the kes library exports it as PublicKey.

2f08820901",
)
.unwrap();
assert!(kes_signature.verify(kes_period, &kes_pk, &kes_msg).is_ok());
Collaborator

Nice tests 👍

@golddydev golddydev merged commit a8a36b4 into main Nov 17, 2025
2 checks passed
@golddydev golddydev deleted the golddydev/kes-validation branch November 17, 2025 16:27