Add key server staleness check#592
Open
jonas-lj wants to merge 1 commit into
Force-pushed 4ad09f4 to 69ab88c
Abort decryption if the key server's clock lags the chain by more than a fixed 30s, and expose it via metrics so operators can alert.
Force-pushed 69ab88c to e4fbc53
benr-ml reviewed Jun 23, 2026
| public fun check_staleness(now: u64, allowed_staleness_in_ms: u64, clock: &clock::Clock) { | ||
| // If the clock timestamp is more recent, the check passes | ||
| /// The maximum amount the key server's time (`now`) may lag behind the on-chain time. | ||
| const ALLOWED_KEY_SERVER_STALENESS_IN_MS: u64 = 30_000; |
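Review bot: the doc comment on the constant says `now` is the key server's time, but a bare `now` beside an on-chain `clock` argument reads as the local wall clock; name the parameter for what it carries (e.g. `key_server_time`) and, in the same comment, say why this bound is a hard-coded constant while the fullnode bound arrives as the `allowed_staleness_in_ms` argument, since the two limits will otherwise drift apart silently when one is tuned.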
Collaborator: Let's change that to 1 min.
| /// - Abort with `EStaleFullnode` if the on-chain time is more than `allowed_staleness_in_ms` behind `keyserver_time`. | ||
| /// - Abort with `EStaleKeyServer` if `keyserver_time` is more than `ALLOWED_KEY_SERVER_STALENESS_IN_MS` behind the on-chain time. | ||
| public fun check_staleness( | ||
| keyserver_time: u64, |
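Review bot: the two abort conditions documented here are each a one-sided difference, so write them so that neither branch can fail before reaching its documented error code: compare by addition (`keyserver_time + ALLOWED_KEY_SERVER_STALENESS_IN_MS < on_chain_time`, and the mirror for `EStaleFullnode`) rather than subtracting the smaller timestamp from the larger, because a u64 subtraction that underflows aborts with an arithmetic error instead of `EStaleKeyServer` or `EStaleFullnode`. A boundary test is also worth adding: a lag exactly equal to the allowance should pass, as the "more than" wording implies.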
Collaborator: Can we change the arg name?
| } | ||
| Staleness::KeyServer => { | ||
| m.requests_failed_due_to_key_server_staleness.inc(); | ||
| m.key_server_stale.set(1); |
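Review bot: `key_server_stale.set(1)` is only ever set here; nothing in this hunk clears it on a request that passes the check, so once latched the gauge reports stale until the process restarts and an alert on it never resolves. Either `set(0)` on the non-stale path (including the fullnode-stale branch, where the key server clock is not the problem) or drop the gauge and alert on the rate of `requests_failed_due_to_key_server_staleness`.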
Collaborator: Why do we need key_server_stale? An alert on requests_failed_due_to_key_server_staleness would suffice, no?
Aborts decryption if the key server's clock lags the chain's by more than a fixed 30s (mirroring the existing fullnode staleness check in the other direction). Exposes the condition via a counter and a `key_server_stale` gauge so operators can alert on it.
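The two-sided check described in this PR, as an added example written for this page and not code from the PR or the project: a Rust port of the Move `check_staleness` logic together with a stand-in for the metrics. The `Staleness::KeyServer` variant and the metric names `requests_failed_due_to_key_server_staleness` and `key_server_stale` come from the diff above; the `Fullnode` variant, the `StalenessPolicy` struct, the `record` and `replay` helpers and the 60 s fullnode allowance are assumptions. It goes slightly beyond the PR in two ways: each lag is computed with `saturating_sub` so neither direction can underflow, and the gauge is cleared on the first request that is not key-server-stale instead of staying latched at 1.

```rust
// Added example (not the project's code): a two-sided clock staleness check
// in the shape the PR describes, ported to Rust with a metrics stand-in.

/// Which clock is too far behind the other. `KeyServer` matches the match
/// arm shown in the PR's metrics hunk; `Fullnode` is assumed.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Staleness {
    /// The on-chain (fullnode) time lags the key server's time.
    Fullnode,
    /// The key server's time lags the on-chain time.
    KeyServer,
}

/// Allowed lag in each direction, in milliseconds (hypothetical struct).
#[derive(Debug, Clone, Copy)]
pub struct StalenessPolicy {
    pub allowed_fullnode_staleness_ms: u64,
    pub allowed_key_server_staleness_ms: u64,
}

/// Constant as it appears in the PR (the reviewer asks for 1 min).
pub const ALLOWED_KEY_SERVER_STALENESS_IN_MS: u64 = 30_000;

/// Two-sided check. Each direction is a one-sided difference computed with
/// `saturating_sub`, so whichever clock is ahead the opposite lag is 0 and
/// the function always reaches one of the documented outcomes instead of
/// aborting on an underflow. A lag exactly equal to the allowance passes,
/// matching the "more than" wording in the PR's doc comment.
pub fn check_staleness(
    key_server_time_ms: u64,
    on_chain_time_ms: u64,
    policy: &StalenessPolicy,
) -> Result<(), Staleness> {
    let fullnode_lag = key_server_time_ms.saturating_sub(on_chain_time_ms);
    if fullnode_lag > policy.allowed_fullnode_staleness_ms {
        return Err(Staleness::Fullnode);
    }
    let key_server_lag = on_chain_time_ms.saturating_sub(key_server_time_ms);
    if key_server_lag > policy.allowed_key_server_staleness_ms {
        return Err(Staleness::KeyServer);
    }
    Ok(())
}

/// Stand-in for the Prometheus metrics in the PR: two counters and the
/// `key_server_stale` gauge (0 or 1).
#[derive(Debug, Default, Clone, PartialEq, Eq)]
pub struct Metrics {
    pub requests_failed_due_to_fullnode_staleness: u64,
    pub requests_failed_due_to_key_server_staleness: u64,
    pub key_server_stale: u64,
}

/// Records one request outcome. The gauge is cleared by any request that is
/// not key-server-stale, so it tracks the current condition rather than
/// latching at 1 until restart.
pub fn record(m: &mut Metrics, outcome: Result<(), Staleness>) {
    match outcome {
        Ok(()) => m.key_server_stale = 0,
        Err(Staleness::Fullnode) => {
            m.requests_failed_due_to_fullnode_staleness += 1;
            m.key_server_stale = 0;
        }
        Err(Staleness::KeyServer) => {
            m.requests_failed_due_to_key_server_staleness += 1;
            m.key_server_stale = 1;
        }
    }
}

/// Runs a sequence of (key server time, on-chain time) pairs through the
/// check and returns the resulting metrics.
pub fn replay(policy: &StalenessPolicy, samples: &[(u64, u64)]) -> Metrics {
    let mut m = Metrics::default();
    for &(ks, chain) in samples {
        record(&mut m, check_staleness(ks, chain, policy));
    }
    m
}

fn main() {
    let policy = StalenessPolicy {
        allowed_fullnode_staleness_ms: 60_000, // assumed value, not from the PR
        allowed_key_server_staleness_ms: ALLOWED_KEY_SERVER_STALENESS_IN_MS,
    };
    // Constructed samples: in sync; key server 45 s behind (stale); 30 s
    // behind (boundary, passes); key server 2 min ahead (fullnode stale);
    // back in sync, which clears the gauge.
    let samples = [
        (1_000_000, 1_000_000),
        (1_000_000, 1_045_000),
        (1_000_000, 1_030_000),
        (1_120_000, 1_000_000),
        (1_200_000, 1_200_000),
    ];
    for &(ks, chain) in &samples {
        println!("{} vs {}: {:?}", ks, chain, check_staleness(ks, chain, &policy));
    }
    println!("{:?}", replay(&policy, &samples));
}
```

The `replay` helper is what a unit test for the metrics branch would look like: after the sequence above the two counters each read 1 and the gauge reads 0, whereas a sequence that ends on a stale request leaves the gauge at 1.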