byzcoin/api.go

package byzcoin

import (
	"bytes"
	"errors"
	"fmt"
	"go.dedis.ch/cothority/v3/blscosi/protocol"
	"math/rand"
	"time"

	"go.dedis.ch/cothority/v3"
	"go.dedis.ch/cothority/v3/darc"
	"go.dedis.ch/cothority/v3/darc/expression"
	"go.dedis.ch/cothority/v3/skipchain"
	"go.dedis.ch/kyber/v3/sign/schnorr"
	"go.dedis.ch/onet/v3"
	"go.dedis.ch/onet/v3/log"
	"go.dedis.ch/onet/v3/network"
	"go.dedis.ch/protobuf"
	"golang.org/x/xerrors"
)

// ServiceName is used for registration on the onet.
const ServiceName = "ByzCoin"

// Client is a structure to communicate with the ByzCoin service.
type Client struct {
	*onet.Client
	ID     skipchain.SkipBlockID
	Roster onet.Roster
	// Genesis is required when a full proof is sent by the server
	// to verify the roster provided.
	Genesis *skipchain.SkipBlock
	// Latest keeps track of the most recent known block for the client.
	Latest *skipchain.SkipBlock
	// nodes that are most probably useful and alive
	nodes []*network.ServerIdentity
	// Keeps the server identities that replied first to a DownloadState request
	noncesSI map[uint64]*network.ServerIdentity
	// Used for SendProtobufParallel. If it is nil, default values will be used.
	options *onet.ParallelOptions
}

// NewClient instantiates a new ByzCoin client.
func NewClient(ID skipchain.SkipBlockID, Roster onet.Roster) *Client {
	return &Client{
		Client:   onet.NewClient(cothority.Suite, ServiceName),
		ID:       ID,
		Roster:   Roster,
		noncesSI: make(map[uint64]*network.ServerIdentity),
	}
}

// NewClientKeep is like NewClient, but does not close the connection when
// sending requests to the same conode.
func NewClientKeep(ID skipchain.SkipBlockID, Roster onet.Roster) *Client {
	c := NewClient(ID, Roster)
	c.Client = onet.NewClientKeep(cothority.Suite, ServiceName)
	return c
}

// NewLedger sets up a new ByzCoin ledger.
func NewLedger(msg *CreateGenesisBlock, keep bool) (*Client, *CreateGenesisBlockResponse, error) {
	var c *Client
	if keep {
		c = NewClientKeep(nil, msg.Roster)
	} else {
		c = NewClient(nil, msg.Roster)
	}

	reply, err := newLedgerWithClient(msg, c)
	if err != nil {
		return nil, nil, xerrors.Errorf("creating ledger: %v", err)
	}

	c.ID = reply.Skipblock.Hash
	c.Genesis = reply.Skipblock
	c.Latest = c.Genesis
	return c, reply, nil
}

func (c *Client) getLatestKnownBlock() *skipchain.SkipBlock {
	if c.Latest == nil {
		return c.Genesis
	}

	return c.Latest
}

type nodeBlock struct {
	si *network.ServerIdentity
	sb *skipchain.SkipBlock
}

// UpdateNodes asks all nodes for their last skipblock and creates a list of the
// nodes with the highest block number.
func (c *Client) UpdateNodes() {
	nodes := make(chan nodeBlock, 1)
	scCl := skipchain.NewClient()
	latestID := c.ID
	if c.Latest != nil {
		latestID = c.Latest.SkipChainID()
	}

	// Get the latest block from all nodes.
	for _, si := range c.Roster.List {
		go func(si *network.ServerIdentity) {
			r := onet.NewRoster([]*network.ServerIdentity{si})
			reply, err := scCl.GetUpdateChain(r, latestID)
			if err != nil {
				log.Lvl2("Error in GetUpdateChain:", err)
				return
			}
			nodes <- nodeBlock{si, reply.Update[len(reply.Update)-1]}
		}(si)
	}

	// Wait for all nodes to reply or for the timeout to happen
	var nodeList []nodeBlock
	for i := 0; i < len(c.Roster.List); i++ {
		select {
		case n := <-nodes:
			if c.Latest == nil || n.sb.Index > c.Latest.Index {
				c.Latest = n.sb
				c.Roster = *n.sb.Roster
			}
			nodeList = append(nodeList, n)
		case <-time.After(time.Second * 2):
			break
		}
	}

	// Choose all nodes that are alive and have the latest block
	c.nodes = []*network.ServerIdentity{}
	for _, si := range c.Roster.List {
		for _, n := range nodeList {
			if n.si.Equal(si) && n.sb.Index == c.Latest.Index {
				c.nodes = append(c.nodes, si)
				break
			}
		}
	}
}

// GetNodes returns either the list of nodes that are alive and have the latest
// block, or the full roster.
func (c *Client) GetNodes() []*network.ServerIdentity {
	if len(c.nodes) > 0 {
		return c.nodes
	}
	return c.Roster.List
}

// UseNode sets the options so that only the given node will be contacted
func (c *Client) UseNode(n int) error {
	if n < 0 || n >= len(c.Roster.List) {
		return xerrors.New("index of node points past roster-list")
	}
	c.options = &onet.ParallelOptions{
		DontShuffle: true,
		StartNode:   n,
		AskNodes:    1,
		Parallel:    1,
	}
	return nil
}

// DontContact adds the given serverIdentity to the list of nodes that will
// not be contacted.
func (c *Client) DontContact(si *network.ServerIdentity) {
	if c.options == nil {
		c.options = &onet.ParallelOptions{}
	}
	c.options.IgnoreNodes = []*network.ServerIdentity{si}
}

func newLedgerWithClient(msg *CreateGenesisBlock, c *Client) (*CreateGenesisBlockResponse, error) {
	reply := &CreateGenesisBlockResponse{}
	if err := c.SendProtobuf(msg.Roster.List[0], msg, reply); err != nil {
		return nil, xerrors.Errorf("client request: %v", err)
	}

	// checks if the returned genesis block has the same parameters
	if err := verifyGenesisBlock(reply.Skipblock, msg); err != nil {
		return nil, xerrors.Errorf("genesis verification: %v", err)
	}

	return reply, nil
}

// GetAllByzCoinIDs returns the list of Byzcoin chains known by the server given in
// parameter.
func (c *Client) GetAllByzCoinIDs(si *network.ServerIdentity) (*GetAllByzCoinIDsResponse, error) {
	reply := &GetAllByzCoinIDsResponse{}
	if err := c.SendProtobuf(si, &GetAllByzCoinIDsRequest{}, reply); err != nil {
		return nil, xerrors.Errorf("client request: %v", err)
	}

	return reply, nil
}

// CreateTransaction creates a transaction from a list of instructions.
func (c *Client) CreateTransaction(instrs ...Instruction) (ClientTransaction, error) {
	if c.Latest == nil {
		if _, err := c.GetChainConfig(); err != nil {
			return ClientTransaction{}, xerrors.Errorf("chain config: %v", err)
		}
	}

	h, err := decodeBlockHeader(c.Latest)
	if err != nil {
		return ClientTransaction{}, xerrors.Errorf("decoding header: %v", err)
	}

	tx := NewClientTransaction(h.Version, instrs...)
	return tx, nil
}

// AddTransaction adds a transaction. It does not return any feedback
// on the transaction. Use GetProof to find out if the transaction
// was committed. The Client's Roster and ID should be initialized before
// calling this method (see NewClientFromConfig).
func (c *Client) AddTransaction(tx ClientTransaction) (*AddTxResponse, error) {
	resp, err := c.AddTransactionAndWait(tx, 0)
	return resp, cothority.ErrorOrNil(err, "request failed")
}

// AddTransactionAndWait adds a transaction and will wait for it to be included
// in the ledger, up to a maximum of wait block intervals. It does not return
// any feedback on the transaction. The Client's Roster and ID should be
// initialized before calling this method (see NewClientFromConfig).
func (c *Client) AddTransactionAndWait(tx ClientTransaction, wait int) (*AddTxResponse, error) {
	if c.Genesis == nil {
		if err := c.fetchGenesis(); err != nil {
			return nil, xerrors.Errorf("fetching genesis: %v", err)
		}
	}

	for _, inst := range tx.Instructions {
		if inst.version < VersionInstructionHash {
			return nil, xerrors.New(
				"got instruction with pre-hash version - please use byzcoin." +
					"NewClientTransaction")
		}
	}

	// As we fetch the genesis if required, this will never be
	// nil but either the genesis or the latest.
	latest := c.getLatestKnownBlock()

	reply := &AddTxResponse{}
	_, err := c.SendProtobufParallel(c.GetNodes(), &AddTxRequest{
		Version:       CurrentVersion,
		SkipchainID:   c.ID,
		Transaction:   tx,
		InclusionWait: wait,
		ProofFrom:     latest.Hash,
	}, reply, c.options)
	if err != nil {
		return nil, xerrors.Errorf("sending: %v", err)
	}

	if reply.Error != "" {
		return reply, xerrors.New(reply.Error)
	}

	if reply.Proof != nil {
		if err := reply.Proof.VerifyFromBlock(latest); err != nil {
			return reply, xerrors.Errorf("proof verification: %v", err)
		}

		if c.Latest == nil || c.Latest.Index < reply.Proof.Latest.Index {
			c.Latest = &reply.Proof.Latest
		}
	}

	return reply, nil
}

// GetInstance returns the buffer of an instance. Internally it calls
// GetProofFromlatest, and verifies that the proof actually exists and that
// the contract-type is correct.
func (c *Client) GetInstance(iid InstanceID, contractID string,
	inst interface{}) (darc.ID, error) {
	proof, err := c.GetProofFromLatest(iid[:])
	if err != nil {
		return nil, xerrors.Errorf("getting proof: %v", err)
	}
	buf, cid, did, err := proof.Proof.Get(iid[:])
	if cid != contractID {
		return nil, xerrors.Errorf("contractID mismatch: %v != %v", cid,
			contractID)
	}
	return did, protobuf.Decode(buf, inst)
}

// GetProof returns a proof for the key stored in the skipchain starting from
// the genesis block. The proof can prove the existence or the absence of the
// key. Note that the integrity of the proof is verified.
// The Client's Roster and ID should be initialized before calling this method
// (see NewClientFromConfig).
func (c *Client) GetProof(key []byte) (*GetProofResponse, error) {
	if c.Genesis == nil {
		if err := c.fetchGenesis(); err != nil {
			return nil, xerrors.Errorf("fetching genesis block: %v", err)
		}
	}

	rep, err := c.GetProofFrom(key, c.Genesis)
	return rep, cothority.ErrorOrNil(err, "request failed")
}

// GetProofFromLatest returns a proof for the key stored in the skipchain
// starting from the latest known block by this client. The proof
// can prove the existence or the absence of the key. Note that the integrity
// of the proof is verified.
// Caution: the proof will be verifiable only by client/service that knows the
// state of the chain up to the block. If you need to pass the Proof onwards to
// another server, you must use GetProof in order to create a complete standalone
// proof starting from the genesis block.
func (c *Client) GetProofFromLatest(key []byte) (*GetProofResponse, error) {
	if c.Latest == nil {
		return c.GetProof(key)
	}

	rep, err := c.GetProofFrom(key, c.Latest)
	return rep, cothority.ErrorOrNil(err, "request failed")
}

// GetProofFrom returns a proof for the key stored in the skipchain starting
// from the block given in parameter. The proof can prove the existence or
// the absence of the key. Note that the integrity of the proof is verified.
// Caution: the proof will be verifiable only by client/service that know the
// state of the chain up to the block. If you need to pass the Proof onwards to
// another server, you must use GetProof in order to create a complete standalone
// proof starting from the genesis block.
func (c *Client) GetProofFrom(key []byte, from *skipchain.SkipBlock) (*GetProofResponse, error) {
	rep, err := c.getProofRaw(key, from, nil)
	return rep, cothority.ErrorOrNil(err, "request failed")
}

// GetProofAfter returns a proof for the key stored in the skipchain
// starting from the latest known block by this client. The proof will always
// be newer than the barrier or it will return an error.
//
// 	key - Instance ID to be included in the proof.
//	full - When true, the proof returned will start from the genesis block.
//	block - The latest block won't be older than the barrier.
//
func (c *Client) GetProofAfter(key []byte, full bool, block *skipchain.SkipBlock) (rep *GetProofResponse, err error) {
	if full {
		rep, err = c.getProofRaw(key, c.Genesis, block)
	} else {
		rep, err = c.getProofRaw(key, c.getLatestKnownBlock(), block)
	}

	return rep, cothority.ErrorOrNil(err, "request failed")
}

// GetUpdates returns only new proofs.
// The client sends a list of instances/version pairs,
// and the server returns only proofs for the instances that have been
// changed.
//
// The available flag(s) are:
//   - 	GUFSendVersion0 - always send version0 instances
func (c *Client) GetUpdates(keyVer []IDVersion, flags GetUpdatesFlags,
	latest skipchain.SkipBlockID) (rep *GetUpdatesReply,
	err error) {
	rep = &GetUpdatesReply{}
	if latest == nil {
		if c.Latest == nil {
			return nil, errors.New("didn't find latest block")
		}
		latest = c.Latest.Hash
	}
	req := &GetUpdatesRequest{
		Instances:     keyVer,
		Flags:         flags,
		LatestBlockID: latest,
	}
	_, err = c.SendProtobufParallel(c.GetNodes(), req, rep, c.options)
	if err != nil {
		return nil, fmt.Errorf("couldn't get updates: %v", err)
	}
	return
}

func (c *Client) getProofRaw(key []byte, from, include *skipchain.SkipBlock) (*GetProofResponse, error) {
	decoder := func(buf []byte, msg interface{}) error {
		err := protobuf.Decode(buf, msg)
		if err != nil {
			return xerrors.Errorf("decoding: %+v", err)
		}

		gpr, ok := msg.(*GetProofResponse)
		if !ok {
			return xerrors.New("couldn't cast msg")
		}

		if err := gpr.Proof.VerifyFromBlock(from); err != nil {
			return xerrors.Errorf("proof verification: %+v", err)
		}

		if include != nil && gpr.Proof.Latest.Index < include.Index {
			return xerrors.New("latest block in proof is too old")
		}

		return nil
	}

	req := &GetProof{
		Version: CurrentVersion,
		Key:     key,
		ID:      from.Hash,
	}

	if include != nil {
		req.MustContainBlock = include.Hash
	}

	reply := &GetProofResponse{}
	_, err := c.SendProtobufParallelWithDecoder(c.GetNodes(), req, reply, c.options, decoder)
	if err != nil {
		return nil, xerrors.Errorf("sending: %+v", err)
	}

	if c.Latest == nil || c.Latest.Index < reply.Proof.Latest.Index {
		c.Latest = &reply.Proof.Latest
	}

	return reply, nil
}

// GetDeferredData makes a request to retrieve the deferred instruction data
// and return the reply if the proof can be verified.
func (c *Client) GetDeferredData(instrID InstanceID) (*DeferredData, error) {
	rep, err := c.GetDeferredDataAfter(instrID, nil)
	return rep, cothority.ErrorOrNil(err, "request failed")
}

// GetDeferredDataAfter makes a request to retrieve the deferred instruction data
// and returns the reply if the proof can be verified and the block is not
// older than the barrier.
func (c *Client) GetDeferredDataAfter(instrID InstanceID, barrier *skipchain.SkipBlock) (*DeferredData, error) {
	pr, err := c.getProofRaw(instrID.Slice(), c.getLatestKnownBlock(), barrier)
	if err != nil {
		return nil, xerrors.Errorf("getting proof: %w", err)
	}

	if !pr.Proof.InclusionProof.Match(instrID.Slice()) {
		return nil, xerrors.New("key not set")
	}

	dataBuf, _, _, err := pr.Proof.Get(instrID.Slice())
	if err != nil {
		return nil, xerrors.Errorf("getting proof value: %w", err)
	}
	var result DeferredData
	if err = protobuf.Decode(dataBuf, &result); err != nil {
		return nil, xerrors.Errorf("decoding data: %w", err)
	}

	header, err := decodeBlockHeader(c.Latest)
	if err != nil {
		return nil, xerrors.Errorf("decoding header: %v", err)
	}

	result.ProposedTransaction.Instructions.SetVersion(header.Version)

	return &result, nil
}

// CheckAuthorization verifies which actions the given set of identities can
// execute in the given darc.
func (c *Client) CheckAuthorization(dID darc.ID, ids ...darc.Identity) ([]darc.Action, error) {
	reply := &CheckAuthorizationResponse{}
	_, err := c.SendProtobufParallel(c.GetNodes(), &CheckAuthorization{
		Version:    CurrentVersion,
		ByzCoinID:  c.ID,
		DarcID:     dID,
		Identities: ids,
	}, reply, c.options)
	if err != nil {
		return nil, xerrors.Errorf("request: %v", err)
	}
	var ret []darc.Action
	for _, a := range reply.Actions {
		ret = append(ret, darc.Action(a))
	}
	return ret, nil
}

// GetGenDarc uses the GetProof method to fetch the latest version of the
// Genesis Darc from ByzCoin and parses it.
func (c *Client) GetGenDarc() (*darc.Darc, error) {
	// Get proof of the genesis darc.
	p, err := c.GetProofFromLatest(NewInstanceID(nil).Slice())
	if err != nil {
		return nil, xerrors.Errorf("proof request: %v", err)
	}
	ok, err := p.Proof.InclusionProof.Exists(NewInstanceID(nil).Slice())
	if err != nil {
		return nil, xerrors.Errorf("invalid proof: %v", err)
	}
	if !ok {
		return nil, xerrors.New("cannot find genesis Darc ID")
	}

	// Sanity check the values.
	_, _, contract, darcID, err := p.Proof.KeyValue()
	if err != nil {
		return nil, fmt.Errorf("couldn't get genesis darc: %v", err)
	}
	if contract != ContractConfigID {
		return nil, xerrors.New("expected contract to be config but got: " + contract)
	}
	if len(darcID) != 32 {
		return nil, xerrors.New("genesis darc ID is wrong length")
	}

	// Find the actual darc.
	p, err = c.GetProofFromLatest(darcID)
	if err != nil {
		return nil, xerrors.Errorf("darc proof: %v", err)
	}
	ok, err = p.Proof.InclusionProof.Exists(darcID)
	if err != nil {
		return nil, xerrors.Errorf("invalid proof: %v", err)
	}
	if !ok {
		return nil, xerrors.New("cannot find genesis Darc")
	}

	// Check and parse the darc.
	_, darcBuf, contract, _, err := p.Proof.KeyValue()
	if err != nil {
		return nil, xerrors.Errorf("invalid proof: %v", err)
	}
	if contract != ContractDarcID {
		return nil, xerrors.New("expected contract to be darc but got: " + contract)
	}
	d, err := darc.NewFromProtobuf(darcBuf)
	if err != nil {
		return nil, xerrors.Errorf("making proof: %v", err)
	}
	return d, nil
}

// GetChainConfig uses the GetProof method to fetch the chain config
// from ByzCoin.
func (c *Client) GetChainConfig() (*ChainConfig, error) {
	p, err := c.GetProofFromLatest(NewInstanceID(nil).Slice())
	if err != nil {
		return nil, xerrors.Errorf("config proof: %v", err)
	}
	ok, err := p.Proof.InclusionProof.Exists(NewInstanceID(nil).Slice())
	if err != nil {
		return nil, xerrors.Errorf("config proof: %v", err)
	}
	if !ok {
		return nil, xerrors.New("cannot find config")
	}

	_, configBuf, contract, _, err := p.Proof.KeyValue()
	if err != nil {
		return nil, fmt.Errorf("couldn't get chain config: %v", err)
	}
	if contract != ContractConfigID {
		return nil, xerrors.New("expected contract to be config but got: " + contract)
	}
	config := &ChainConfig{}
	err = protobuf.DecodeWithConstructors(configBuf, config, network.DefaultConstructors(cothority.Suite))

	return config, cothority.ErrorOrNil(err, "decoding config")
}

// WaitProof will poll ByzCoin until a given instanceID exists.
// It will return the proof of the instance created. If value is
// non-nil, it will wait for the value of the proof to be equal to
// the value.
// If the timeout is reached before the proof returns 'Match' or matches
// the value, it will return an error.
// TODO: remove interval and take it directly from the Client-structure.
func (c *Client) WaitProof(id InstanceID, interval time.Duration, value []byte) (*Proof, error) {
	var pr Proof
	for i := 0; i < 10; i++ {
		// try to get the darc back, we should get the genesis back instead
		resp, err := c.GetProof(id.Slice())
		if err != nil {
			log.Warnf("Error while getting proof: %+v", err)
			continue
		}
		pr = resp.Proof
		ok, err := pr.InclusionProof.Exists(id.Slice())
		if err != nil {
			return nil, xerrors.Errorf(
				"inclusion proof couldn't be checked: %+v", err)
		}
		if ok {
			if value == nil {
				return &pr, nil
			}
			_, buf, _, _, err := pr.KeyValue()
			if err != nil {
				return nil, xerrors.Errorf("couldn't get keyvalue: %+v", err)
			}
			if bytes.Equal(buf, value) {
				return &pr, nil
			}
		}

		// wait for the block to be processed
		time.Sleep(interval / 5)
	}

	return nil, xerrors.New("timeout reached and inclusion not found")
}

// StreamTransactions sends a streaming request to the service. If successful,
// the handler will be called whenever a new response (a new block) is
// available. This function blocks, the streaming stops if the client or the
// service stops. Only the integrity of the new block is verified.
//
// It contacts any random node by default. A specific node can be chosen by
// using `c.UseNode`.
func (c *Client) StreamTransactions(handler func(StreamingResponse, error)) error {
	req := StreamingRequest{
		ID: c.ID,
	}
	n := int(rand.Int31n(int32(len(c.GetNodes()))))
	if c.options != nil {
		if c.options.DontShuffle {
			n = c.options.StartNode
		}
	}

	conn, err := c.Stream(c.GetNodes()[n], &req)
	if err != nil {
		handler(StreamingResponse{}, err)
		return xerrors.Errorf("stream error: %v", err)
	}
	for {
		resp := StreamingResponse{}
		if err := conn.ReadMessage(&resp); err != nil {
			handler(StreamingResponse{}, err)
			return nil
		}

		if resp.Block.CalculateHash().Equal(resp.Block.Hash) {
			// send the block only if the integrity is correct
			handler(resp, nil)
		} else {
			err := xerrors.Errorf("got a corrupted block from %v", c.GetNodes()[0])
			log.Warnf("%+v", err)
			handler(StreamingResponse{}, err)
		}
	}
}

func (c *Client) signerCounterDecoder(buf []byte, data interface{}) error {
	err := protobuf.Decode(buf, data)
	if err != nil {
		return xerrors.Errorf("couldn't decode the counters reply: %w", err)
	}

	reply, ok := data.(*GetSignerCountersResponse)
	if !ok {
		return xerrors.New("wrong type of response")
	}

	// This assumes the client is up-to-date with the latest block which
	// is usually right as it is updated after each GetProof. The goal is
	// to insure that we got the data from the latest block.
	// Note: using versioning as index 0 might cause troubles.
	if c.Latest != nil {
		header, err := decodeBlockHeader(c.Latest)
		if err != nil {
			return xerrors.Errorf("decoding header: %w", err)
		}

		if header.Version < 2 {
			// Skip the check for version as the trie index is available
			// for version 2+ only.
			return nil
		}

		if uint64(c.Latest.Index) > reply.Index {
			return xerrors.New("data coming from an old block")
		}
	}

	return nil
}

// GetSignerCounters gets the signer counters from ByzCoin. The counter must be
// set correctly in the instruction for it to be verified. Every counter maps
// to a signer, if the most recent instruction is signed by the signer at count
// n, then the next instruction that the same signer signs must be on counter
// n+1.
func (c *Client) GetSignerCounters(ids ...string) (*GetSignerCountersResponse, error) {
	req := GetSignerCounters{
		SkipchainID: c.ID,
		SignerIDs:   ids,
	}
	var reply GetSignerCountersResponse
	_, err := c.SendProtobufParallelWithDecoder(c.GetNodes(), &req, &reply,
		c.options, c.signerCounterDecoder)
	return &reply, cothority.ErrorOrNil(err, "request failed")
}

// SignTransaction combines fetching the current SignerCounters from the
// chain and signing all the instructions in the ClientTransaction.
// If more than one signer is given, then every instruction will be signed
// with all the signers.
func (c *Client) SignTransaction(ctx ClientTransaction,
	signers ...darc.Signer) error {
	signersString := make([]string, len(signers))
	for i, signer := range signers {
		signersString[i] = signer.Identity().String()
	}
	counterReply, err := c.GetSignerCounters(signersString...)
	if err != nil {
		return xerrors.Errorf("while getting signers: %v", err)
	}

	for i := range ctx.Instructions {
		ctx.Instructions[i].SignerCounter = make([]uint64, len(signers))
		for j, counter := range counterReply.Counters {
			ctx.Instructions[i].SignerCounter[j] = counter + uint64(i+1)
		}
	}
	if err := ctx.FillSignersAndSignWith(signers...); err != nil {
		return xerrors.Errorf("while signing transaction: %v", err)
	}

	return nil
}

// DownloadState is used by a new node to ask to download the global state.
// The first call to DownloadState needs to have start = 0, so that the
// service creates a snapshot of the current state which it will serve over
// multiple requests.
//
// Every subsequent request should have start incremented by 'len'.
// If start > than the number of StateChanges available, an empty slice of
// StateChanges is returned.
//
// If less than 'len' StateChanges are available, only the remaining
// StateChanges are returned.
//
// The first StateChange with start == 0 holds the metadata of the
// trie which can be `protobuf.Decode`d into a struct{map[string][]byte}.
func (c *Client) DownloadState(byzcoinID skipchain.SkipBlockID, nonce uint64, length int) (reply *DownloadStateResponse, err error) {
	if length <= 0 {
		return nil, xerrors.New("invalid parameter")
	}

	reply = &DownloadStateResponse{}
	l := len(c.GetNodes())
	indexStart := 0
	if l > 3 {
		// This is the leader plus the subleaders, don't contact them
		indexStart = 1 + protocol.DefaultSubLeaders(l)
	}

	msg := &DownloadState{
		ByzCoinID: byzcoinID,
		Nonce:     nonce,
		Length:    length,
	}
	si, ok := c.noncesSI[nonce]
	if ok {
		err = cothority.ErrorOrNil(c.SendProtobuf(si, msg, reply), "request failed")
	} else {
		var si *network.ServerIdentity
		var po onet.ParallelOptions
		if c.options != nil {
			po = *c.options
		} else {
			po.Parallel = 1
			po.StartNode = indexStart
			po.DontShuffle = true
			po.AskNodes = 1
		}
		si, err = c.SendProtobufParallel(c.GetNodes(), msg, reply, &po)
		err = cothority.ErrorOrNil(err, "request failed")
		c.noncesSI[reply.Nonce] = si
	}
	return
}

// ResolveInstanceID resolves the instance ID using the given darc ID and name.
// The name must be already set by calling the naming contract.
func (c *Client) ResolveInstanceID(darcID darc.ID, name string) (InstanceID, error) {
	req := ResolveInstanceID{
		SkipChainID: c.ID,
		DarcID:      darcID,
		Name:        name,
	}
	reply := ResolvedInstanceID{}

	_, err := c.SendProtobufParallel(c.GetNodes(), &req, &reply, c.options)
	return reply.InstanceID, cothority.ErrorOrNil(err, "request failed")
}

// WaitPropagation contacts all nodes in the cl.Roster until they all
// have the same latest block. If there is an error when calling
// `GetProof`, the error will be ignored. This helps when waiting
// for the propagation, but only a subset of the nodes are actually
// participating in the consensus.
// If index >= 0, it waits to have at least this block present in all nodes.
func (c *Client) WaitPropagation(index int) error {
	var sb skipchain.SkipBlock
	sb.SkipBlockFix = &skipchain.SkipBlockFix{}
searchLatest:
	for i := 0; i < 10; i++ {
		log.Lvl2("Starting search")
		if i > 0 {
			time.Sleep(100 * time.Millisecond)
		}
		for node := range c.GetNodes() {
			log.Lvlf2("Searching node %d for block %d", node, sb.Index)
			if err := c.UseNode(node); err != nil {
				return xerrors.Errorf("couldn't set node: %+v", err)
			}
			pr, err := c.GetProof(make([]byte, 32))
			if err != nil {
				log.Warnf("error while querying node %s - ignoring",
					c.GetNodes()[node])
				continue
			}
			if pr.Proof.Latest.Index > sb.Index {
				sb = pr.Proof.Latest
				log.Lvl2("Found new block:", sb.Index)
				cc, err := c.GetChainConfig()
				if err != nil {
					log.Warnf("Couldn't get chain config: %+v", err)
					continue searchLatest
				}
				same, err := c.Roster.Equal(&cc.Roster)
				if err != nil {
					return xerrors.Errorf("couldn't compare rosters: %+v", err)
				}
				if !same {
					c.Roster = cc.Roster
					continue searchLatest
				}
				if node > 0 {
					continue searchLatest
				}
			} else if pr.Proof.Latest.Index < sb.Index {
				log.Lvlf2("Node %d returned earlier block: %d", node,
					pr.Proof.Latest.Index)
				continue searchLatest
			} else {
				log.Lvl2("Node", node, "returned same block as other nodes")
			}
		}
		if sb.Index >= index {
			return nil
		}
		log.Lvlf2("Only got block %d, waiting for %d", sb.Index, index)
	}
	return xerrors.New("didn't get the same blocks from everybody within 10 seconds")
}

// Debug can be used to dump things from a byzcoin service. If byzcoinID is nil, it will return all
// existing byzcoin instances. If byzcoinID is given, it will return all instances for that ID.
func Debug(url string, byzcoinID *skipchain.SkipBlockID) (*DebugResponse, error) {
	reply := &DebugResponse{}
	request := &DebugRequest{}
	if byzcoinID != nil {
		request.ByzCoinID = *byzcoinID
	}
	si := &network.ServerIdentity{URL: url}
	err := onet.NewClient(cothority.Suite, ServiceName).SendProtobuf(si, request, reply)
	return reply, cothority.ErrorOrNil(err, "request failed")
}

// DebugRemove deletes an existing byzcoin-instance from the conode.
func DebugRemove(si *network.ServerIdentity, byzcoinID skipchain.SkipBlockID) error {
	sig, err := schnorr.Sign(cothority.Suite, si.GetPrivate(), byzcoinID)
	if err != nil {
		return xerrors.Errorf("sign error: %v", err)
	}
	request := &DebugRemoveRequest{
		ByzCoinID: byzcoinID,
		Signature: sig,
	}
	err = onet.NewClient(cothority.Suite, ServiceName).SendProtobuf(si, request, nil)
	return cothority.ErrorOrNil(err, "request failed")
}

// DefaultGenesisMsg creates the message that is used to for creating the
// genesis Darc and block. It will contain rules for spawning and evolving the
// darc contract.
func DefaultGenesisMsg(v Version, r *onet.Roster, rules []string, ids ...darc.Identity) (*CreateGenesisBlock, error) {
	if len(ids) == 0 {
		return nil, xerrors.New("no identities ")
	}

	rs := darc.NewRules()
	ownerIDs := make([]string, len(ids))
	for i, o := range ids {
		ownerIDs[i] = o.String()
	}
	ownerExpr := expression.InitAndExpr(ownerIDs...)
	if err := rs.AddRule("invoke:"+ContractConfigID+"."+"update_config", ownerExpr); err != nil {
		log.Error(err)
		return nil, xerrors.Errorf("adding rule: %v", err)
	}
	if err := rs.AddRule("spawn:"+ContractDarcID, ownerExpr); err != nil {
		return nil, xerrors.Errorf("adding rule: %v", err)
	}
	if err := rs.AddRule("invoke:"+ContractDarcID+"."+cmdDarcEvolve, ownerExpr); err != nil {
		return nil, xerrors.Errorf("adding rule: %v", err)
	}
	if err := rs.AddRule("invoke:"+ContractDarcID+"."+cmdDarcEvolveUnrestriction, ownerExpr); err != nil {
		return nil, xerrors.Errorf("adding rule: %v", err)
	}
	if err := rs.AddRule("_sign", ownerExpr); err != nil {
		return nil, xerrors.Errorf("adding rule: %v", err)
	}
	if err := rs.AddRule("spawn:"+ContractNamingID, ownerExpr); err != nil {
		return nil, xerrors.Errorf("adding rule: %v", err)
	}
	d := darc.NewDarc(rs, []byte("genesis darc"))

	// extra rules
	for _, r := range rules {
		if err := d.Rules.AddRule(darc.Action(r), ownerExpr); err != nil {
			return nil, xerrors.Errorf("adding rule: %v", err)
		}
	}

	// Add an additional rule that allows nodes in the roster to update the
	// genesis configuration, so that we can change the leader if one
	// fails.
	rosterPubs := make([]string, len(r.List))
	for i, sid := range r.List {
		rosterPubs[i] = darc.NewIdentityEd25519(sid.Public).String()
	}
	d.Rules.AddRule(darc.Action("invoke:"+ContractConfigID+".view_change"), expression.InitOrExpr(rosterPubs...))

	m := CreateGenesisBlock{
		Version:         v,
		Roster:          *r,
		GenesisDarc:     *d,
		BlockInterval:   defaultInterval,
		DarcContractIDs: []string{ContractDarcID},
	}
	return &m, nil
}

func (c *Client) fetchGenesis() error {
	skClient := skipchain.NewClient()

	// Integrity check is done by the request function.
	sb, err := skClient.GetSingleBlock(onet.NewRoster(c.GetNodes()), c.ID)
	if err != nil {
		return xerrors.Errorf("request failed: %v", err)
	}

	c.Genesis = sb
	c.Latest = sb
	return nil
}

func verifyGenesisBlock(actual *skipchain.SkipBlock, expected *CreateGenesisBlock) error {
	if !actual.CalculateHash().Equal(actual.Hash) {
		return xerrors.New("got a corrupted block")
	}

	// check the block is like the proposal
	ok, err := actual.Roster.Equal(&expected.Roster)
	if err != nil {
		return xerrors.Errorf("roster comparison: %v", err)
	}
	if !ok {
		return xerrors.New("wrong roster in genesis block")
	}

	darcID, err := extractDarcID(actual)
	if err != nil {
		return xerrors.Errorf("darc id: %v", err)
	}

	if !darcID.Equal(expected.GenesisDarc.GetID()) {
		return xerrors.New("wrong darc spawned")
	}

	return nil
}

func extractDarcID(sb *skipchain.SkipBlock) (darc.ID, error) {
	var data DataBody
	err := protobuf.Decode(sb.Payload, &data)
	if err != nil {
		return nil, xerrors.Errorf("fail to decode data: %v", err)
	}

	if len(data.TxResults) != 1 {
		return nil, xerrors.New("genesis block should only have one transaction")
	}

	if len(data.TxResults[0].ClientTransaction.Instructions) != 1 {
		return nil, xerrors.New("genesis transaction should have exactly one instructions")
	}

	instr := data.TxResults[0].ClientTransaction.Instructions[0]
	if instr.Spawn == nil {
		return nil, xerrors.New("didn't get a spawn instruction")
	}

	var darc darc.Darc
	err = protobuf.Decode(instr.Spawn.Args.Search("darc"), &darc)
	if err != nil {
		return nil, xerrors.Errorf("fail to decode the darc: %v", err)
	}

	return darc.GetID(), nil
}