github.com/aswedchain/aswed@v1.0.1/trie/proof.go (about) 1 // Copyright 2015 The go-ethereum Authors 2 // This file is part of the go-ethereum library. 3 // 4 // The go-ethereum library is free software: you can redistribute it and/or modify 5 // it under the terms of the GNU Lesser General Public License as published by 6 // the Free Software Foundation, either version 3 of the License, or 7 // (at your option) any later version. 8 // 9 // The go-ethereum library is distributed in the hope that it will be useful, 10 // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 // GNU Lesser General Public License for more details. 13 // 14 // You should have received a copy of the GNU Lesser General Public License 15 // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>. 16 17 package trie 18 19 import ( 20 "bytes" 21 "errors" 22 "fmt" 23 24 "github.com/aswedchain/aswed/common" 25 "github.com/aswedchain/aswed/ethdb" 26 "github.com/aswedchain/aswed/ethdb/memorydb" 27 "github.com/aswedchain/aswed/log" 28 "github.com/aswedchain/aswed/rlp" 29 ) 30 31 // Prove constructs a merkle proof for key. The result contains all encoded nodes 32 // on the path to the value at key. The value itself is also included in the last 33 // node and can be retrieved by verifying the proof. 34 // 35 // If the trie does not contain a value for key, the returned proof contains all 36 // nodes of the longest existing prefix of the key (at least the root node), ending 37 // with the node that proves the absence of the key. 38 func (t *Trie) Prove(key []byte, fromLevel uint, proofDb ethdb.KeyValueWriter) error { 39 // Collect all nodes on the path to key. 40 key = keybytesToHex(key) 41 var nodes []node 42 tn := t.root 43 for len(key) > 0 && tn != nil { 44 switch n := tn.(type) { 45 case *shortNode: 46 if len(key) < len(n.Key) || !bytes.Equal(n.Key, key[:len(n.Key)]) { 47 // The trie doesn't contain the key. 48 tn = nil 49 } else { 50 tn = n.Val 51 key = key[len(n.Key):] 52 } 53 nodes = append(nodes, n) 54 case *fullNode: 55 tn = n.Children[key[0]] 56 key = key[1:] 57 nodes = append(nodes, n) 58 case hashNode: 59 var err error 60 tn, err = t.resolveHash(n, nil) 61 if err != nil { 62 log.Error(fmt.Sprintf("Unhandled trie error: %v", err)) 63 return err 64 } 65 default: 66 panic(fmt.Sprintf("%T: invalid node: %v", tn, tn)) 67 } 68 } 69 hasher := newHasher(false) 70 defer returnHasherToPool(hasher) 71 72 for i, n := range nodes { 73 if fromLevel > 0 { 74 fromLevel-- 75 continue 76 } 77 var hn node 78 n, hn = hasher.proofHash(n) 79 if hash, ok := hn.(hashNode); ok || i == 0 { 80 // If the node's database encoding is a hash (or is the 81 // root node), it becomes a proof element. 82 enc, _ := rlp.EncodeToBytes(n) 83 if !ok { 84 hash = hasher.hashData(enc) 85 } 86 proofDb.Put(hash, enc) 87 } 88 } 89 return nil 90 } 91 92 // Prove constructs a merkle proof for key. The result contains all encoded nodes 93 // on the path to the value at key. The value itself is also included in the last 94 // node and can be retrieved by verifying the proof. 95 // 96 // If the trie does not contain a value for key, the returned proof contains all 97 // nodes of the longest existing prefix of the key (at least the root node), ending 98 // with the node that proves the absence of the key. 99 func (t *SecureTrie) Prove(key []byte, fromLevel uint, proofDb ethdb.KeyValueWriter) error { 100 return t.trie.Prove(key, fromLevel, proofDb) 101 } 102 103 // VerifyProof checks merkle proofs. The given proof must contain the value for 104 // key in a trie with the given root hash. VerifyProof returns an error if the 105 // proof contains invalid trie nodes or the wrong value. 106 func VerifyProof(rootHash common.Hash, key []byte, proofDb ethdb.KeyValueReader) (value []byte, err error) { 107 key = keybytesToHex(key) 108 wantHash := rootHash 109 for i := 0; ; i++ { 110 buf, _ := proofDb.Get(wantHash[:]) 111 if buf == nil { 112 return nil, fmt.Errorf("proof node %d (hash %064x) missing", i, wantHash) 113 } 114 n, err := decodeNode(wantHash[:], buf) 115 if err != nil { 116 return nil, fmt.Errorf("bad proof node %d: %v", i, err) 117 } 118 keyrest, cld := get(n, key, true) 119 switch cld := cld.(type) { 120 case nil: 121 // The trie doesn't contain the key. 122 return nil, nil 123 case hashNode: 124 key = keyrest 125 copy(wantHash[:], cld) 126 case valueNode: 127 return cld, nil 128 } 129 } 130 } 131 132 // proofToPath converts a merkle proof to trie node path. The main purpose of 133 // this function is recovering a node path from the merkle proof stream. All 134 // necessary nodes will be resolved and leave the remaining as hashnode. 135 // 136 // The given edge proof is allowed to be an existent or non-existent proof. 137 func proofToPath(rootHash common.Hash, root node, key []byte, proofDb ethdb.KeyValueReader, allowNonExistent bool) (node, []byte, error) { 138 // resolveNode retrieves and resolves trie node from merkle proof stream 139 resolveNode := func(hash common.Hash) (node, error) { 140 buf, _ := proofDb.Get(hash[:]) 141 if buf == nil { 142 return nil, fmt.Errorf("proof node (hash %064x) missing", hash) 143 } 144 n, err := decodeNode(hash[:], buf) 145 if err != nil { 146 return nil, fmt.Errorf("bad proof node %v", err) 147 } 148 return n, err 149 } 150 // If the root node is empty, resolve it first. 151 // Root node must be included in the proof. 152 if root == nil { 153 n, err := resolveNode(rootHash) 154 if err != nil { 155 return nil, nil, err 156 } 157 root = n 158 } 159 var ( 160 err error 161 child, parent node 162 keyrest []byte 163 valnode []byte 164 ) 165 key, parent = keybytesToHex(key), root 166 for { 167 keyrest, child = get(parent, key, false) 168 switch cld := child.(type) { 169 case nil: 170 // The trie doesn't contain the key. It's possible 171 // the proof is a non-existing proof, but at least 172 // we can prove all resolved nodes are correct, it's 173 // enough for us to prove range. 174 if allowNonExistent { 175 return root, nil, nil 176 } 177 return nil, nil, errors.New("the node is not contained in trie") 178 case *shortNode: 179 key, parent = keyrest, child // Already resolved 180 continue 181 case *fullNode: 182 key, parent = keyrest, child // Already resolved 183 continue 184 case hashNode: 185 child, err = resolveNode(common.BytesToHash(cld)) 186 if err != nil { 187 return nil, nil, err 188 } 189 case valueNode: 190 valnode = cld 191 } 192 // Link the parent and child. 193 switch pnode := parent.(type) { 194 case *shortNode: 195 pnode.Val = child 196 case *fullNode: 197 pnode.Children[key[0]] = child 198 default: 199 panic(fmt.Sprintf("%T: invalid node: %v", pnode, pnode)) 200 } 201 if len(valnode) > 0 { 202 return root, valnode, nil // The whole path is resolved 203 } 204 key, parent = keyrest, child 205 } 206 } 207 208 // unsetInternal removes all internal node references(hashnode, embedded node). 209 // It should be called after a trie is constructed with two edge paths. Also 210 // the given boundary keys must be the one used to construct the edge paths. 211 // 212 // It's the key step for range proof. All visited nodes should be marked dirty 213 // since the node content might be modified. Besides it can happen that some 214 // fullnodes only have one child which is disallowed. But if the proof is valid, 215 // the missing children will be filled, otherwise it will be thrown anyway. 216 // 217 // Note we have the assumption here the given boundary keys are different 218 // and right is larger than left. 219 func unsetInternal(n node, left []byte, right []byte) error { 220 left, right = keybytesToHex(left), keybytesToHex(right) 221 222 // Step down to the fork point. There are two scenarios can happen: 223 // - the fork point is a shortnode: either the key of left proof or 224 // right proof doesn't match with shortnode's key. 225 // - the fork point is a fullnode: both two edge proofs are allowed 226 // to point to a non-existent key. 227 var ( 228 pos = 0 229 parent node 230 231 // fork indicator, 0 means no fork, -1 means proof is less, 1 means proof is greater 232 shortForkLeft, shortForkRight int 233 ) 234 findFork: 235 for { 236 switch rn := (n).(type) { 237 case *shortNode: 238 rn.flags = nodeFlag{dirty: true} 239 240 // If either the key of left proof or right proof doesn't match with 241 // shortnode, stop here and the forkpoint is the shortnode. 242 if len(left)-pos < len(rn.Key) { 243 shortForkLeft = bytes.Compare(left[pos:], rn.Key) 244 } else { 245 shortForkLeft = bytes.Compare(left[pos:pos+len(rn.Key)], rn.Key) 246 } 247 if len(right)-pos < len(rn.Key) { 248 shortForkRight = bytes.Compare(right[pos:], rn.Key) 249 } else { 250 shortForkRight = bytes.Compare(right[pos:pos+len(rn.Key)], rn.Key) 251 } 252 if shortForkLeft != 0 || shortForkRight != 0 { 253 break findFork 254 } 255 parent = n 256 n, pos = rn.Val, pos+len(rn.Key) 257 case *fullNode: 258 rn.flags = nodeFlag{dirty: true} 259 260 // If either the node pointed by left proof or right proof is nil, 261 // stop here and the forkpoint is the fullnode. 262 leftnode, rightnode := rn.Children[left[pos]], rn.Children[right[pos]] 263 if leftnode == nil || rightnode == nil || leftnode != rightnode { 264 break findFork 265 } 266 parent = n 267 n, pos = rn.Children[left[pos]], pos+1 268 default: 269 panic(fmt.Sprintf("%T: invalid node: %v", n, n)) 270 } 271 } 272 switch rn := n.(type) { 273 case *shortNode: 274 // There can have these five scenarios: 275 // - both proofs are less than the trie path => no valid range 276 // - both proofs are greater than the trie path => no valid range 277 // - left proof is less and right proof is greater => valid range, unset the shortnode entirely 278 // - left proof points to the shortnode, but right proof is greater 279 // - right proof points to the shortnode, but left proof is less 280 if shortForkLeft == -1 && shortForkRight == -1 { 281 return errors.New("empty range") 282 } 283 if shortForkLeft == 1 && shortForkRight == 1 { 284 return errors.New("empty range") 285 } 286 if shortForkLeft != 0 && shortForkRight != 0 { 287 parent.(*fullNode).Children[left[pos-1]] = nil 288 return nil 289 } 290 // Only one proof points to non-existent key. 291 if shortForkRight != 0 { 292 // Unset left proof's path 293 if _, ok := rn.Val.(valueNode); ok { 294 parent.(*fullNode).Children[left[pos-1]] = nil 295 return nil 296 } 297 return unset(rn, rn.Val, left[pos:], len(rn.Key), false) 298 } 299 if shortForkLeft != 0 { 300 // Unset right proof's path. 301 if _, ok := rn.Val.(valueNode); ok { 302 parent.(*fullNode).Children[right[pos-1]] = nil 303 return nil 304 } 305 return unset(rn, rn.Val, right[pos:], len(rn.Key), true) 306 } 307 return nil 308 case *fullNode: 309 // unset all internal nodes in the forkpoint 310 for i := left[pos] + 1; i < right[pos]; i++ { 311 rn.Children[i] = nil 312 } 313 if err := unset(rn, rn.Children[left[pos]], left[pos:], 1, false); err != nil { 314 return err 315 } 316 if err := unset(rn, rn.Children[right[pos]], right[pos:], 1, true); err != nil { 317 return err 318 } 319 return nil 320 default: 321 panic(fmt.Sprintf("%T: invalid node: %v", n, n)) 322 } 323 } 324 325 // unset removes all internal node references either the left most or right most. 326 // It can meet these scenarios: 327 // 328 // - The given path is existent in the trie, unset the associated nodes with the 329 // specific direction 330 // - The given path is non-existent in the trie 331 // - the fork point is a fullnode, the corresponding child pointed by path 332 // is nil, return 333 // - the fork point is a shortnode, the shortnode is included in the range, 334 // keep the entire branch and return. 335 // - the fork point is a shortnode, the shortnode is excluded in the range, 336 // unset the entire branch. 337 func unset(parent node, child node, key []byte, pos int, removeLeft bool) error { 338 switch cld := child.(type) { 339 case *fullNode: 340 if removeLeft { 341 for i := 0; i < int(key[pos]); i++ { 342 cld.Children[i] = nil 343 } 344 cld.flags = nodeFlag{dirty: true} 345 } else { 346 for i := key[pos] + 1; i < 16; i++ { 347 cld.Children[i] = nil 348 } 349 cld.flags = nodeFlag{dirty: true} 350 } 351 return unset(cld, cld.Children[key[pos]], key, pos+1, removeLeft) 352 case *shortNode: 353 if len(key[pos:]) < len(cld.Key) || !bytes.Equal(cld.Key, key[pos:pos+len(cld.Key)]) { 354 // Find the fork point, it's an non-existent branch. 355 if removeLeft { 356 if bytes.Compare(cld.Key, key[pos:]) < 0 { 357 // The key of fork shortnode is less than the path 358 // (it belongs to the range), unset the entrie 359 // branch. The parent must be a fullnode. 360 fn := parent.(*fullNode) 361 fn.Children[key[pos-1]] = nil 362 } else { 363 // The key of fork shortnode is greater than the 364 // path(it doesn't belong to the range), keep 365 // it with the cached hash available. 366 } 367 } else { 368 if bytes.Compare(cld.Key, key[pos:]) > 0 { 369 // The key of fork shortnode is greater than the 370 // path(it belongs to the range), unset the entrie 371 // branch. The parent must be a fullnode. 372 fn := parent.(*fullNode) 373 fn.Children[key[pos-1]] = nil 374 } else { 375 // The key of fork shortnode is less than the 376 // path(it doesn't belong to the range), keep 377 // it with the cached hash available. 378 } 379 } 380 return nil 381 } 382 if _, ok := cld.Val.(valueNode); ok { 383 fn := parent.(*fullNode) 384 fn.Children[key[pos-1]] = nil 385 return nil 386 } 387 cld.flags = nodeFlag{dirty: true} 388 return unset(cld, cld.Val, key, pos+len(cld.Key), removeLeft) 389 case nil: 390 // If the node is nil, then it's a child of the fork point 391 // fullnode(it's a non-existent branch). 392 return nil 393 default: 394 panic("it shouldn't happen") // hashNode, valueNode 395 } 396 } 397 398 // hasRightElement returns the indicator whether there exists more elements 399 // in the right side of the given path. The given path can point to an existent 400 // key or a non-existent one. This function has the assumption that the whole 401 // path should already be resolved. 402 func hasRightElement(node node, key []byte) bool { 403 pos, key := 0, keybytesToHex(key) 404 for node != nil { 405 switch rn := node.(type) { 406 case *fullNode: 407 for i := key[pos] + 1; i < 16; i++ { 408 if rn.Children[i] != nil { 409 return true 410 } 411 } 412 node, pos = rn.Children[key[pos]], pos+1 413 case *shortNode: 414 if len(key)-pos < len(rn.Key) || !bytes.Equal(rn.Key, key[pos:pos+len(rn.Key)]) { 415 return bytes.Compare(rn.Key, key[pos:]) > 0 416 } 417 node, pos = rn.Val, pos+len(rn.Key) 418 case valueNode: 419 return false // We have resolved the whole path 420 default: 421 panic(fmt.Sprintf("%T: invalid node: %v", node, node)) // hashnode 422 } 423 } 424 return false 425 } 426 427 // VerifyRangeProof checks whether the given leaf nodes and edge proof 428 // can prove the given trie leaves range is matched with the specific root. 429 // Besides, the range should be consecutive(no gap inside) and monotonic 430 // increasing. 431 // 432 // Note the given proof actually contains two edge proofs. Both of them can 433 // be non-existent proofs. For example the first proof is for a non-existent 434 // key 0x03, the last proof is for a non-existent key 0x10. The given batch 435 // leaves are [0x04, 0x05, .. 0x09]. It's still feasible to prove the given 436 // batch is valid. 437 // 438 // The firstKey is paired with firstProof, not necessarily the same as keys[0] 439 // (unless firstProof is an existent proof). Similarly, lastKey and lastProof 440 // are paired. 441 // 442 // Expect the normal case, this function can also be used to verify the following 443 // range proofs: 444 // 445 // - All elements proof. In this case the proof can be nil, but the range should 446 // be all the leaves in the trie. 447 // 448 // - One element proof. In this case no matter the edge proof is a non-existent 449 // proof or not, we can always verify the correctness of the proof. 450 // 451 // - Zero element proof. In this case a single non-existent proof is enough to prove. 452 // Besides, if there are still some other leaves available on the right side, then 453 // an error will be returned. 454 // 455 // Except returning the error to indicate the proof is valid or not, the function will 456 // also return a flag to indicate whether there exists more accounts/slots in the trie. 457 func VerifyRangeProof(rootHash common.Hash, firstKey []byte, lastKey []byte, keys [][]byte, values [][]byte, proof ethdb.KeyValueReader) (error, bool) { 458 if len(keys) != len(values) { 459 return fmt.Errorf("inconsistent proof data, keys: %d, values: %d", len(keys), len(values)), false 460 } 461 // Ensure the received batch is monotonic increasing. 462 for i := 0; i < len(keys)-1; i++ { 463 if bytes.Compare(keys[i], keys[i+1]) >= 0 { 464 return errors.New("range is not monotonically increasing"), false 465 } 466 } 467 // Special case, there is no edge proof at all. The given range is expected 468 // to be the whole leaf-set in the trie. 469 if proof == nil { 470 emptytrie, err := New(common.Hash{}, NewDatabase(memorydb.New())) 471 if err != nil { 472 return err, false 473 } 474 for index, key := range keys { 475 emptytrie.TryUpdate(key, values[index]) 476 } 477 if emptytrie.Hash() != rootHash { 478 return fmt.Errorf("invalid proof, want hash %x, got %x", rootHash, emptytrie.Hash()), false 479 } 480 return nil, false // no more element. 481 } 482 // Special case, there is a provided edge proof but zero key/value 483 // pairs, ensure there are no more accounts / slots in the trie. 484 if len(keys) == 0 { 485 root, val, err := proofToPath(rootHash, nil, firstKey, proof, true) 486 if err != nil { 487 return err, false 488 } 489 if val != nil || hasRightElement(root, firstKey) { 490 return errors.New("more entries available"), false 491 } 492 return nil, false 493 } 494 // Special case, there is only one element and two edge keys are same. 495 // In this case, we can't construct two edge paths. So handle it here. 496 if len(keys) == 1 && bytes.Equal(firstKey, lastKey) { 497 root, val, err := proofToPath(rootHash, nil, firstKey, proof, false) 498 if err != nil { 499 return err, false 500 } 501 if !bytes.Equal(firstKey, keys[0]) { 502 return errors.New("correct proof but invalid key"), false 503 } 504 if !bytes.Equal(val, values[0]) { 505 return errors.New("correct proof but invalid data"), false 506 } 507 return nil, hasRightElement(root, firstKey) 508 } 509 // Ok, in all other cases, we require two edge paths available. 510 // First check the validity of edge keys. 511 if bytes.Compare(firstKey, lastKey) >= 0 { 512 return errors.New("invalid edge keys"), false 513 } 514 // todo(rjl493456442) different length edge keys should be supported 515 if len(firstKey) != len(lastKey) { 516 return errors.New("inconsistent edge keys"), false 517 } 518 // Convert the edge proofs to edge trie paths. Then we can 519 // have the same tree architecture with the original one. 520 // For the first edge proof, non-existent proof is allowed. 521 root, _, err := proofToPath(rootHash, nil, firstKey, proof, true) 522 if err != nil { 523 return err, false 524 } 525 // Pass the root node here, the second path will be merged 526 // with the first one. For the last edge proof, non-existent 527 // proof is also allowed. 528 root, _, err = proofToPath(rootHash, root, lastKey, proof, true) 529 if err != nil { 530 return err, false 531 } 532 // Remove all internal references. All the removed parts should 533 // be re-filled(or re-constructed) by the given leaves range. 534 if err := unsetInternal(root, firstKey, lastKey); err != nil { 535 return err, false 536 } 537 // Rebuild the trie with the leave stream, the shape of trie 538 // should be same with the original one. 539 newtrie := &Trie{root: root, db: NewDatabase(memorydb.New())} 540 for index, key := range keys { 541 newtrie.TryUpdate(key, values[index]) 542 } 543 if newtrie.Hash() != rootHash { 544 return fmt.Errorf("invalid proof, want hash %x, got %x", rootHash, newtrie.Hash()), false 545 } 546 return nil, hasRightElement(root, keys[len(keys)-1]) 547 } 548 549 // get returns the child of the given node. Return nil if the 550 // node with specified key doesn't exist at all. 551 // 552 // There is an additional flag `skipResolved`. If it's set then 553 // all resolved nodes won't be returned. 554 func get(tn node, key []byte, skipResolved bool) ([]byte, node) { 555 for { 556 switch n := tn.(type) { 557 case *shortNode: 558 if len(key) < len(n.Key) || !bytes.Equal(n.Key, key[:len(n.Key)]) { 559 return nil, nil 560 } 561 tn = n.Val 562 key = key[len(n.Key):] 563 if !skipResolved { 564 return key, tn 565 } 566 case *fullNode: 567 tn = n.Children[key[0]] 568 key = key[1:] 569 if !skipResolved { 570 return key, tn 571 } 572 case hashNode: 573 return key, n 574 case nil: 575 return key, nil 576 case valueNode: 577 return nil, n 578 default: 579 panic(fmt.Sprintf("%T: invalid node: %v", tn, tn)) 580 } 581 } 582 }