diff --git a/Cargo.lock b/Cargo.lock index 43734f0c6..d4b01f3fc 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -561,6 +561,23 @@ dependencies = [ "thiserror 1.0.69", ] +[[package]] +name = "alloy-signer-aws" +version = "0.1.4" +source = "git+https://github.com/alloy-rs/alloy.git?rev=83343b172585fe4e040fb104b4d1421f58cbf9a2#83343b172585fe4e040fb104b4d1421f58cbf9a2" +dependencies = [ + "alloy-consensus", + "alloy-network", + "alloy-primitives 0.7.7", + "alloy-signer", + "async-trait", + "aws-sdk-kms", + "k256", + "spki 0.7.3", + "thiserror 1.0.69", + "tracing", +] + [[package]] name = "alloy-signer-local" version = "0.1.4" @@ -6354,7 +6371,7 @@ version = "18.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7413c5f74cc903ea37386a8965a936cbeb334bd270862fdece542c1b2dcbc898" dependencies = [ - "ethereum-types", + "ethereum-types 0.14.1", "hex", "once_cell", "regex", @@ -6365,6 +6382,19 @@ dependencies = [ "uint", ] +[[package]] +name = "ethbloom" +version = "0.11.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bfb684ac8fa8f6c5759f788862bb22ec6fe3cb392f6bfd08e3c64b603661e3f8" +dependencies = [ + "crunchy", + "fixed-hash 0.7.0", + "impl-rlp", + "impl-serde 0.3.2", + "tiny-keccak", +] + [[package]] name = "ethbloom" version = "0.13.0" @@ -6378,13 +6408,27 @@ dependencies = [ "tiny-keccak", ] +[[package]] +name = "ethereum-types" +version = "0.11.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f64b5df66a228d85e4b17e5d6c6aa43b0310898ffe8a85988c4c032357aaabfd" +dependencies = [ + "ethbloom 0.11.1", + "fixed-hash 0.7.0", + "impl-rlp", + "impl-serde 0.3.2", + "primitive-types 0.9.1", + "uint", +] + [[package]] name = "ethereum-types" version = "0.14.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "02d215cbf040552efcbe99a38372fe80ab9d00268e20012b79fcd0f073edd8ee" dependencies = [ - "ethbloom", + "ethbloom 0.13.0", "fixed-hash 0.8.0", "impl-rlp", "impl-serde 0.4.0", @@ -10527,8 +10571,13 @@ dependencies = [ name = "movement-signer-aws-kms" version = "0.0.2" dependencies = [ + "alloy-signer", + "async-trait", + "aws-config", "aws-sdk-kms", + "k256", "movement-signer", + "spki 0.7.3", ] [[package]] @@ -10551,6 +10600,31 @@ dependencies = [ "thiserror 1.0.69", ] +[[package]] +name = "movement-signing-eth" +version = "0.0.2" +dependencies = [ + "alloy", + "alloy-consensus", + "alloy-network", + "alloy-primitives 0.7.7", + "alloy-signer", + "alloy-signer-aws", + "alloy-transport-http", + "anyhow", + "async-trait", + "aws-config", + "aws-sdk-kms", + "ethereum-types 0.11.0", + "hex", + "k256", + "keccak-hash", + "movement-signer", + "movement-signer-aws-kms", + "sha3 0.10.8", + "tokio", +] + [[package]] name = "movement-tracing" version = "0.0.2" @@ -11944,6 +12018,19 @@ dependencies = [ "elliptic-curve 0.13.8", ] +[[package]] +name = "primitive-types" +version = "0.9.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "06345ee39fbccfb06ab45f3a1a5798d9dafa04cb8921a76d227040003a234b0e" +dependencies = [ + "fixed-hash 0.7.0", + "impl-codec 0.5.1", + "impl-rlp", + "impl-serde 0.3.2", + "uint", +] + [[package]] name = "primitive-types" version = "0.10.1" diff --git a/Cargo.toml b/Cargo.toml index e044247fc..db7ddec7d 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -3,6 +3,7 @@ resolver = "2" members = [ + "demo/hsm", "protocol-units/bridge/config", "protocol-units/bridge/setup", "protocol-units/execution/maptos/dof", @@ -41,7 +42,7 @@ members = [ "protocol-units/bridge/indexer-db", "protocol-units/bridge/util", "benches/*", - "util/signing/interface", + "util/signing/integrations/eth", "util/signing/integrations/aptos", "util/signing/providers/aws-kms", "util/signing/providers/hashicorp-vault", @@ -213,6 +214,7 @@ alloy-eips = { git = "https://github.com/alloy-rs/alloy.git", rev = "83343b17258 alloy-contract = { git = "https://github.com/alloy-rs/alloy.git", rev = "83343b172585fe4e040fb104b4d1421f58cbf9a2" } alloy-network = { git = "https://github.com/alloy-rs/alloy.git", rev = "83343b172585fe4e040fb104b4d1421f58cbf9a2" } alloy-primitives = { version = "0.7.2", default-features = false } +alloy-consensus = { git = "https://github.com/alloy-rs/alloy.git", rev = "83343b172585fe4e040fb104b4d1421f58cbf9a2" } alloy-provider = { git = "https://github.com/alloy-rs/alloy.git", rev = "83343b172585fe4e040fb104b4d1421f58cbf9a2", features = [ "ws", ] } @@ -221,6 +223,7 @@ alloy-rpc-types = { git = "https://github.com/alloy-rs/alloy.git", rev = "83343b alloy-sol-types = { version = "0.7.2", features = ["json"] } alloy-signer = { git = "https://github.com/alloy-rs/alloy.git", rev = "83343b172585fe4e040fb104b4d1421f58cbf9a2" } alloy-transport = { git = "https://github.com/alloy-rs/alloy.git", rev = "83343b172585fe4e040fb104b4d1421f58cbf9a2" } +alloy-transport-http = { git = "https://github.com/alloy-rs/alloy.git", rev = "83343b172585fe4e040fb104b4d1421f58cbf9a2", features = ["reqwest-rustls-tls"] } alloy-transport-ws = { git = "https://github.com/alloy-rs/alloy.git", rev = "83343b172585fe4e040fb104b4d1421f58cbf9a2" } anyhow = "1.0" diff --git a/util/signing/aws-kms/Cargo.toml b/util/signing/aws-kms/Cargo.toml new file mode 100644 index 000000000..9cce4f8cc --- /dev/null +++ b/util/signing/aws-kms/Cargo.toml @@ -0,0 +1,34 @@ +[package] +name = "aws-kms-signer" +version = { workspace = true } +edition = { workspace = true } +license = { workspace = true } +authors = { workspace = true } +repository = { workspace = true } +homepage = { workspace = true } +publish = { workspace = true } +rust-version = { workspace = true } + +[dependencies] +tokio = { workspace = true, features = ["full"] } +async-trait = { workspace = true } +vaultrs = { workspace = true } +anyhow = { workspace = true } +aws-sdk-kms = { workspace = true } +aws-config = { workspace = true } +rand = { workspace = true } +base64 = { workspace = true } +dotenv = "0.15" +ed25519 = { workspace = true } +ring-compat = { workspace = true } +k256 = { workspace = true, features = ["ecdsa", "pkcs8"] } +google-cloud-kms = { workspace = true } +reqwest = { version = "0.12", features = ["json"] } +axum = "0.6" +serde = { version = "1.0", features = ["derive"] } +serde_json = "1.0" +clap = { workspace = true } +movement-signer = { workspace = true } + +[lints] +workspace = true diff --git a/util/signing/aws-kms/src/cryptography/mod.rs b/util/signing/aws-kms/src/cryptography/mod.rs new file mode 100644 index 000000000..3e5840107 --- /dev/null +++ b/util/signing/aws-kms/src/cryptography/mod.rs @@ -0,0 +1 @@ +pub mod secp256k1; diff --git a/util/signing/aws-kms/src/cryptography/secp256k1/mod.rs b/util/signing/aws-kms/src/cryptography/secp256k1/mod.rs new file mode 100644 index 000000000..7b0f0026d --- /dev/null +++ b/util/signing/aws-kms/src/cryptography/secp256k1/mod.rs @@ -0,0 +1,28 @@ +use aws_sdk_kms::types::{KeySpec, KeyUsageType, SigningAlgorithmSpec}; +use signer::cryptography::secp256k1::Secp256k1; + +/// Defines the needed methods for providing a definition of cryptography used with AWS KMS +pub trait AwsKmsCryptography { + /// Returns the [KeySpec] for the desired cryptography + fn key_spec() -> KeySpec; + + /// Returns the [KeyUsageType] for the desired cryptography + fn key_usage_type() -> KeyUsageType; + + /// Returns the [SigningAlgorithmSpec] for the desired cryptography + fn signing_algorithm_spec() -> SigningAlgorithmSpec; +} + +impl AwsKmsCryptography for Secp256k1 { + fn key_spec() -> KeySpec { + KeySpec::EccSecgP256K1 + } + + fn key_usage_type() -> KeyUsageType { + KeyUsageType::SignVerify + } + + fn signing_algorithm_spec() -> SigningAlgorithmSpec { + SigningAlgorithmSpec::EcdsaSha256 + } +} diff --git a/util/signing/aws-kms/src/lib.rs b/util/signing/aws-kms/src/lib.rs new file mode 100644 index 000000000..18f57b93b --- /dev/null +++ b/util/signing/aws-kms/src/lib.rs @@ -0,0 +1 @@ +pub mod cryptography; diff --git a/util/signing/hashicorp-vault/Cargo.toml b/util/signing/hashicorp-vault/Cargo.toml new file mode 100644 index 000000000..7abe1231f --- /dev/null +++ b/util/signing/hashicorp-vault/Cargo.toml @@ -0,0 +1,34 @@ +[package] +name = "hashicorp-vault-signer" +version = { workspace = true } +edition = { workspace = true } +license = { workspace = true } +authors = { workspace = true } +repository = { workspace = true } +homepage = { workspace = true } +publish = { workspace = true } +rust-version = { workspace = true } + +[dependencies] +tokio = { workspace = true, features = ["full"] } +async-trait = { workspace = true } +vaultrs = { workspace = true } +anyhow = { workspace = true } +aws-sdk-kms = { workspace = true } +aws-config = { workspace = true } +rand = { workspace = true } +base64 = { workspace = true } +dotenv = "0.15" +ed25519 = { workspace = true } +ring-compat = { workspace = true } +k256 = { workspace = true, features = ["ecdsa", "pkcs8"] } +google-cloud-kms = { workspace = true } +reqwest = { version = "0.12", features = ["json"] } +axum = "0.6" +serde = { version = "1.0", features = ["derive"] } +serde_json = "1.0" +clap = { workspace = true } +signer = { workspace = true } + +[lints] +workspace = true \ No newline at end of file diff --git a/util/signing/hashicorp-vault/src/cryptography/ed25519/mod.rs b/util/signing/hashicorp-vault/src/cryptography/ed25519/mod.rs new file mode 100644 index 000000000..7b0f0026d --- /dev/null +++ b/util/signing/hashicorp-vault/src/cryptography/ed25519/mod.rs @@ -0,0 +1,28 @@ +use aws_sdk_kms::types::{KeySpec, KeyUsageType, SigningAlgorithmSpec}; +use signer::cryptography::secp256k1::Secp256k1; + +/// Defines the needed methods for providing a definition of cryptography used with AWS KMS +pub trait AwsKmsCryptography { + /// Returns the [KeySpec] for the desired cryptography + fn key_spec() -> KeySpec; + + /// Returns the [KeyUsageType] for the desired cryptography + fn key_usage_type() -> KeyUsageType; + + /// Returns the [SigningAlgorithmSpec] for the desired cryptography + fn signing_algorithm_spec() -> SigningAlgorithmSpec; +} + +impl AwsKmsCryptography for Secp256k1 { + fn key_spec() -> KeySpec { + KeySpec::EccSecgP256K1 + } + + fn key_usage_type() -> KeyUsageType { + KeyUsageType::SignVerify + } + + fn signing_algorithm_spec() -> SigningAlgorithmSpec { + SigningAlgorithmSpec::EcdsaSha256 + } +} diff --git a/util/signing/hashicorp-vault/src/cryptography/mod.rs b/util/signing/hashicorp-vault/src/cryptography/mod.rs new file mode 100644 index 000000000..58845d3fa --- /dev/null +++ b/util/signing/hashicorp-vault/src/cryptography/mod.rs @@ -0,0 +1 @@ +pub mod ed25519; diff --git a/util/signing/hashicorp-vault/src/hsm/mod.rs b/util/signing/hashicorp-vault/src/hsm/mod.rs new file mode 100644 index 000000000..ff1f0d21d --- /dev/null +++ b/util/signing/hashicorp-vault/src/hsm/mod.rs @@ -0,0 +1,12 @@ +// ! Develop HSM here under [SignerOperations] +// use signer::{cryptography::ed25519, SignerOperations}; + +pub struct HashicorpVault; + +/*#[async_trait::async_trait] +impl SignerOperations for HashicorpVault { + async fn sign(&self, _message: Bytes) -> Result { + // Sign the message. + Ok(Signature::default()) + } +}*/ diff --git a/util/signing/hashicorp-vault/src/lib.rs b/util/signing/hashicorp-vault/src/lib.rs new file mode 100644 index 000000000..63d77a7f1 --- /dev/null +++ b/util/signing/hashicorp-vault/src/lib.rs @@ -0,0 +1,2 @@ +pub mod cryptography; +pub mod hsm; diff --git a/util/signing/integrations/eth/Cargo.toml b/util/signing/integrations/eth/Cargo.toml new file mode 100644 index 000000000..c19fc17d5 --- /dev/null +++ b/util/signing/integrations/eth/Cargo.toml @@ -0,0 +1,39 @@ +[package] +name = "movement-signing-eth" +version.workspace = true +edition.workspace = true +license.workspace = true +authors.workspace = true +repository.workspace = true +homepage.workspace = true +publish.workspace = true +rust-version.workspace = true + +[dependencies] +movement-signer = { workspace = true } +movement-signer-aws-kms = { workspace = true } +async-trait.workspace = true + +# Alloy needed crates +alloy-primitives.workspace = true +alloy-signer.workspace = true +alloy-network.workspace = true +alloy-consensus.workspace = true +alloy-transport-http = { workspace = true, features = ["reqwest-rustls-tls"] } +k256 = "0.13.4" + +[dev-dependencies] +aws-sdk-kms = { workspace = true } +anyhow = { workspace = true } +tokio = { workspace = true } +alloy.workspace = true +alloy-signer-aws = { git = "https://github.com/alloy-rs/alloy.git", rev = "83343b172585fe4e040fb104b4d1421f58cbf9a2" } +aws-config = { workspace = true } + +ethereum-types = "0.11" +keccak-hash = "0.10" +hex = "0.4" +sha3 = "0.10.8" + +[lints] +workspace = true diff --git a/util/signing/integrations/eth/src/lib.rs b/util/signing/integrations/eth/src/lib.rs new file mode 100644 index 000000000..3a72e21ff --- /dev/null +++ b/util/signing/integrations/eth/src/lib.rs @@ -0,0 +1,136 @@ +use alloy_consensus::SignableTransaction; +use alloy_primitives::{hex, Address, ChainId, B256}; +use alloy_signer::{sign_transaction_with_chain_id, Result, Signature as AlloySignature, Signer}; +use k256::ecdsa::{self, VerifyingKey}; +use movement_signer::cryptography::secp256k1::{self, Secp256k1}; +use movement_signer::SignerError; +use movement_signer::Signing; +use std::fmt; + +pub struct HsmSigner + Sync + Send> { + kms: S , + pubkey: VerifyingKey, + address: Address, + chain_id: Option, +} + +impl + Sync + Send> fmt::Debug for HsmSigner { + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + f.debug_struct("HsmSigner") + .field("chain_id", &self.chain_id) + .field("pubkey", &hex::encode(self.pubkey.to_sec1_bytes())) + .field("address", &self.address) + .finish() + } +} + +#[async_trait::async_trait] +impl + Sync + Send> alloy_network::TxSigner for HsmSigner { + fn address(&self) -> Address { + self.address + } + + async fn sign_transaction( + &self, + tx: &mut dyn SignableTransaction, + ) -> Result { + sign_transaction_with_chain_id!(self, tx, self.sign_hash(&tx.signature_hash()).await) + } +} + +#[async_trait::async_trait] +impl + Sync + Send> Signer for HsmSigner { + async fn sign_hash(&self, hash: &B256) -> Result { + self.sign_digest(hash).await.map(|sign| sign.into()).map_err(alloy_signer::Error::other) + } + + #[inline] + fn address(&self) -> Address { + self.address + } + + #[inline] + fn chain_id(&self) -> Option { + self.chain_id + } + + #[inline] + fn set_chain_id(&mut self, chain_id: Option) { + self.chain_id = chain_id; + } +} + +impl + Sync + Send> HsmSigner { + /// Instantiate a new signer from an existing `Client` and key ID. + /// + /// Retrieves the public key from HMS and calculates the Ethereum address. + pub async fn try_new( + kms: S, + chain_id: Option, + ) -> Result, SignerError> { + let resp = request_get_pubkey(&kms).await?; + let pubkey = decode_pubkey(resp)?; + let address = alloy_signer::utils::public_key_to_address(&pubkey); + Ok(Self { kms, chain_id, pubkey, address }) + } + + /// Fetch the pubkey associated with this signer's key ID. + pub async fn get_pubkey(&self) -> Result { + request_get_pubkey(&self.kms).await.and_then(decode_pubkey) + } + + /// Sign a digest with this signer's key and applies EIP-155. + pub async fn sign_digest(&self, digest: &B256) -> Result { + let sig = request_sign_digest(&self.kms, digest).await?; + let sig = ecdsa::Signature::from_slice(sig.as_bytes()).map_err(|e| SignerError::Decode(e.into()))?; + let mut sig = sig_from_digest_bytes_trial_recovery(sig, digest, &self.pubkey); + if let Some(chain_id) = self.chain_id { + sig = sig.with_chain_id(chain_id); + } + Ok(sig) + } +} + +async fn request_get_pubkey>( + kms: &S, +) -> Result { + kms.public_key().await +} + +async fn request_sign_digest>( + kms: &S, + digest: &B256, +) -> Result { + kms.sign(digest.as_slice()).await +} + +/// Decode an AWS KMS Pubkey response. +fn decode_pubkey(pk: secp256k1::PublicKey) -> Result { + let key = VerifyingKey::from_sec1_bytes(pk.as_bytes()).map_err(|err| SignerError::Sign(err.to_string().into()))?; + Ok(key) +} + +/// Recover an rsig from a signature under a known key by trial/error. +fn sig_from_digest_bytes_trial_recovery( + sig: ecdsa::Signature, + hash: &B256, + pubkey: &VerifyingKey, +) -> AlloySignature { + let signature = AlloySignature::from_signature_and_parity(sig, false).unwrap(); + + if check_candidate(&signature, hash, pubkey) { + return signature; + } + + let signature = signature.with_parity(true); + if check_candidate(&signature, hash, pubkey) { + return signature; + } + + panic!("bad sig"); +} + +/// Makes a trial recovery to check whether an RSig corresponds to a known `VerifyingKey`. +fn check_candidate(signature: &AlloySignature, hash: &B256, pubkey: &VerifyingKey) -> bool { + signature.recover_from_prehash(hash).map(|key| key == *pubkey).unwrap_or(false) +} \ No newline at end of file diff --git a/util/signing/integrations/eth/tests/aws_test.rs b/util/signing/integrations/eth/tests/aws_test.rs new file mode 100644 index 000000000..a75ae2bfb --- /dev/null +++ b/util/signing/integrations/eth/tests/aws_test.rs @@ -0,0 +1,101 @@ +use alloy::node_bindings::Anvil; +use alloy::providers::{Provider, ProviderBuilder}; +use alloy::rpc::types::TransactionRequest; +use alloy::signers::local::PrivateKeySigner; +use alloy_network::EthereumWallet; +use alloy_network::TransactionBuilder; +use alloy_network::TxSigner; +use alloy_primitives::U256; +use movement_signer::cryptography::secp256k1::Secp256k1; +use movement_signer::Signing; +use movement_signer::Verify; +use movement_signer_aws_kms::hsm::AwsKmsSigner; +use movement_signing_eth::HsmSigner; +use sha3::{Digest, Keccak256}; +use std::env; + +#[tokio::test] +async fn basic_signing_verify() -> Result<(), anyhow::Error> { + let message = b"Hello, world!"; + let digest: [u8; 32] = Keccak256::new_with_prefix(&message).finalize().into(); + let key_id = env::var("AWS_KEY_ID").expect("AWS_KEY_ID not set"); + let aws = AwsKmsSigner::new(key_id).await; + let public_key = aws.public_key().await?; + let signature = aws.sign(&digest).await?; + + assert!(Secp256k1.verify(&digest, &signature, &public_key)?); + Ok(()) +} + +#[tokio::test] +async fn test_aws_kms_send_tx() -> Result<(), anyhow::Error> { + // Start Anvil + let anvil = Anvil::new().port(8545u16).arg("-vvvvv").spawn(); + let rpc_url = anvil.endpoint_url(); + let chain_id = anvil.chain_id(); + + // Use AWS KMS + let _access_key = env::var("AWS_ACCESS_KEY").expect("AWS_ACCESS_KEY not set"); + let _secret_key = env::var("AWS_SECRET_KEY").expect("AWS_SECRET_KEY not set"); + let key_id = env::var("AWS_KEY_ID").expect("AWS_KEY_ID not set"); + + println!("key_id:{key_id}"); + + let aws = AwsKmsSigner::new(key_id).await; + let signer = HsmSigner::try_new(aws, Some(chain_id)).await?; + let address = signer.address(); + println!("DEEEEB Key address:{}", address); + + let key_provider = ProviderBuilder::new() + .with_recommended_fillers() + .wallet(EthereumWallet::new(signer)) + .on_builtin(&rpc_url.to_string()) + .await?; + + let admin: PrivateKeySigner = anvil.keys()[1].clone().into(); + let admin_address = admin.address(); + let admin_provider = ProviderBuilder::new() + .with_recommended_fillers() + .wallet(EthereumWallet::new(admin)) + .on_builtin(&rpc_url.to_string()) + .await?; + + //transfer some eth to the key. + let tx = TransactionRequest::default() + .with_to(address) + .with_value(U256::from(1000000000)); + let receipt = admin_provider.send_transaction(tx).await?.get_receipt().await?; + println!("Admin -> Key receipt: {receipt:?}",); + + let account = key_provider.get_accounts().await; + println!("Account: {:?}", account); + let balance = key_provider.get_balance(address).await; + println!("Balance: {:?}", balance); + + //transfer back some eth. + let tx = TransactionRequest::default() + .with_from(address) + .with_to(admin_address) + .with_value(U256::from(5)) + .gas_limit(3000000); + println!("Tx from {:?}", tx.from); + + let receipt = key_provider.send_transaction(tx).await; //.get_receipt().await?; + println!("Key -> Admin receipt: {receipt:?}",); + + // // Print ANvil output. + // use std::io; + // use std::io::BufRead; + // use std::io::BufReader; + // use std::io::Write; + + // let anvil_out = anvil.child_mut().stdout.take().unwrap(); + // let mut stdout_writer = io::stdout(); + // let mut reader = BufReader::new(anvil_out).lines(); + // while let Some(Ok(line)) = reader.next() { + // stdout_writer.write_all(line.as_bytes())?; + // stdout_writer.write_all(b"\n")?; + // } + + Ok(()) +} diff --git a/util/signing/interface/src/cryptography/secp256k1.rs b/util/signing/interface/src/cryptography/secp256k1.rs index ec5e049eb..98ba328d8 100644 --- a/util/signing/interface/src/cryptography/secp256k1.rs +++ b/util/signing/interface/src/cryptography/secp256k1.rs @@ -1,13 +1,16 @@ use crate::cryptography::Curve; use crate::{Verify, VerifyError}; use anyhow::Context; -use k256::ecdsa::{self, signature::Verifier}; +use ed25519_dalek::ed25519::signature::hazmat::PrehashVerifier; +use k256::ecdsa::{self}; /// The secp256k1 elliptic curve. #[derive(Debug, Clone, Copy)] pub struct Secp256k1; -fixed_size!(pub struct PublicKey([u8; 32])); +// Public Key in sec1 format. First byte is a 4 then the key in bytes. +fixed_size!(pub struct PublicKey([u8; 65])); +// ECDSA Signature noralized: 64 bytes, the first 32 bytes are the r value, the second 32 bytes the s value. fixed_size!(pub struct Signature([u8; 64])); impl Curve for Secp256k1 { @@ -31,6 +34,6 @@ impl Verify for Secp256k1 { .context("Failed to create signature") .map_err(|e| VerifyError(e.into()))?; - Ok(verifying_key.verify(message, &signature).is_ok()) + Ok(verifying_key.verify_prehash(message, &signature).is_ok()) } } diff --git a/util/signing/providers/aws-kms/Cargo.toml b/util/signing/providers/aws-kms/Cargo.toml index 018066fdc..ce9a70f0f 100644 --- a/util/signing/providers/aws-kms/Cargo.toml +++ b/util/signing/providers/aws-kms/Cargo.toml @@ -11,7 +11,13 @@ rust-version = { workspace = true } [dependencies] movement-signer = { workspace = true } + +alloy-signer.workspace = true +async-trait = { workspace = true } aws-sdk-kms = { workspace = true } +aws-config = { workspace = true } +k256 = "0.13.4" +spki = "0.7.3" [lints] workspace = true diff --git a/util/signing/providers/aws-kms/src/hsm/mod.rs b/util/signing/providers/aws-kms/src/hsm/mod.rs new file mode 100644 index 000000000..0f964447a --- /dev/null +++ b/util/signing/providers/aws-kms/src/hsm/mod.rs @@ -0,0 +1,85 @@ +use crate::cryptography::secp256k1::AwsKmsCryptography; +use aws_sdk_kms::primitives::Blob; +use aws_sdk_kms::Client; +use k256::ecdsa; +use movement_signer::cryptography::secp256k1::{self, Secp256k1}; +use movement_signer::cryptography::TryFromBytes; +use movement_signer::SignerError; +use movement_signer::Signing; + +/// A AWS KMS HSM. +#[derive(Debug, Clone)] +pub struct AwsKmsSigner { + pub client: Client, + key_id: String, +} + +impl Signing for AwsKmsSigner { + /// Signs some bytes. + async fn sign(&self, message: &[u8]) -> Result { + let res = self + .client + .sign() + .key_id(&self.key_id) + .message(Blob::new(message)) + .message_type(aws_sdk_kms::types::MessageType::Digest) + .signing_algorithm(Secp256k1::signing_algorithm_spec()) + .send() + .await + .map_err(|e| SignerError::Internal(e.to_string()))?; + + // Decode signature. + let sign_bytes = res.signature().ok_or(SignerError::KeyNotFound)?.as_ref(); + let sig = + ecdsa::Signature::from_der(sign_bytes).map_err(|e| SignerError::Decode(e.into()))?; + let sig = sig.normalize_s().unwrap_or(sig); + let signature = secp256k1::Signature::try_from_bytes(&sig.to_bytes()) + .map_err(|e| SignerError::Decode(e.into()))?; + Ok(signature) + } + + /// Gets the public key in Sec1 format. + async fn public_key(&self) -> Result { + let res = self.client.get_public_key().key_id(&self.key_id).send().await.unwrap(); + //decode AWS public key + let pk_ref: &[u8] = res.public_key().ok_or(SignerError::KeyNotFound)?.as_ref(); + let spki = spki::SubjectPublicKeyInfoRef::try_from(pk_ref) + .map_err(|err| SignerError::PublicKey(Box::new(err)))?; + let raw_bytes = spki.subject_public_key.raw_bytes(); + let public_key = secp256k1::PublicKey::try_from_bytes(&raw_bytes) + .map_err(|e| SignerError::Decode(e.into()))?; + Ok(public_key) + } +} + +impl AwsKmsSigner { + pub async fn new(key_id: String) -> Self { + let config = aws_config::load_from_env().await; + let client = aws_sdk_kms::Client::new(&config); + AwsKmsSigner { client, key_id } + } + + /// Creates in AWS KMS matching the provided key id. + pub async fn create_key(&self) -> Result { + let res = self + .client + .create_key() + .key_spec(Secp256k1::key_spec()) + .key_usage(Secp256k1::key_usage_type()) + .send() + .await + .map_err(|e| SignerError::Internal(e.to_string()))?; + + let key_id = res + .key_metadata() + .ok_or(SignerError::PublicKey("No key metadata available".into()))? + .key_id() + .to_string(); + + Ok(key_id) + } + + pub fn set_key_id(&mut self, key_id: String) { + self.key_id = key_id; + } +} diff --git a/util/signing/providers/aws-kms/src/lib.rs b/util/signing/providers/aws-kms/src/lib.rs index 18f57b93b..63d77a7f1 100644 --- a/util/signing/providers/aws-kms/src/lib.rs +++ b/util/signing/providers/aws-kms/src/lib.rs @@ -1 +1,2 @@ pub mod cryptography; +pub mod hsm; diff --git a/util/signing/signer.old/Cargo.toml b/util/signing/signer.old/Cargo.toml new file mode 100644 index 000000000..fa855726d --- /dev/null +++ b/util/signing/signer.old/Cargo.toml @@ -0,0 +1,22 @@ +[package] +name = "signer" +version.workspace = true +edition.workspace = true +license.workspace = true +authors.workspace = true +repository.workspace = true +homepage.workspace = true +publish.workspace = true +rust-version.workspace = true + +[dependencies] +thiserror = { workspace = true } +async-trait = { workspace = true } +ed25519 = { workspace = true } +ring-compat = { workspace = true } +k256 = { workspace = true, features = ["ecdsa", "pkcs8"] } +anyhow = { workspace = true } + + +[lints] +workspace = true diff --git a/util/signing/signer.old/src/cryptography/ed25519.rs b/util/signing/signer.old/src/cryptography/ed25519.rs new file mode 100644 index 000000000..aa34725e4 --- /dev/null +++ b/util/signing/signer.old/src/cryptography/ed25519.rs @@ -0,0 +1,34 @@ +use crate::cryptography::Curve; +use crate::{Bytes, PublicKey, Signature, VerifierError, VerifierOperations}; +use anyhow::Context; +use ring_compat::signature::{ + ed25519::{self, VerifyingKey}, + Verifier, +}; + +/// The Ed25519 curve. +#[derive(Debug, Clone)] +pub struct Ed25519; + +impl Curve for Ed25519 {} + +/// Built-in verifier for Ed25519. +#[async_trait::async_trait] +impl VerifierOperations for Ed25519 { + async fn verify( + &self, + message: Bytes, + signature: Signature, + public_key: PublicKey, + ) -> Result { + let verifying_key = VerifyingKey::from_slice(public_key.0 .0.as_slice()) + .context("Failed to create verifying key") + .map_err(|e| VerifierError::Verify(e.to_string()))?; + + let signature = ed25519::Signature::from_slice(signature.0 .0.as_slice()) + .context("Failed to create signature") + .map_err(|e| VerifierError::Verify(e.to_string()))?; + + Ok(verifying_key.verify(message.0.as_slice(), &signature).is_ok()) + } +} diff --git a/util/signing/signer.old/src/cryptography/mod.rs b/util/signing/signer.old/src/cryptography/mod.rs new file mode 100644 index 000000000..8681cce3d --- /dev/null +++ b/util/signing/signer.old/src/cryptography/mod.rs @@ -0,0 +1,5 @@ +pub mod ed25519; +pub mod secp256k1; +/// A curve. +/// Currently this has no methods, but it is used to bound the `Signer` trait. +pub trait Curve {} diff --git a/util/signing/signer.old/src/cryptography/secp256k1.rs b/util/signing/signer.old/src/cryptography/secp256k1.rs new file mode 100644 index 000000000..d9db5f062 --- /dev/null +++ b/util/signing/signer.old/src/cryptography/secp256k1.rs @@ -0,0 +1,39 @@ +use crate::cryptography::Curve; +use crate::{Bytes, PublicKey, Signature, VerifierError, VerifierOperations}; +use anyhow::Context; +use k256::ecdsa::{self, VerifyingKey}; +use k256::pkcs8::DecodePublicKey; +use ring_compat::signature::Verifier; + +/// The secp256k1 elliptic curve. +#[derive(Debug, Clone)] +pub struct Secp256k1; + +impl Curve for Secp256k1 {} + +/// Built-in verifier for secp256k1. +#[async_trait::async_trait] +impl VerifierOperations for Secp256k1 { + async fn verify( + &self, + message: Bytes, + signature: Signature, + public_key: PublicKey, + ) -> Result { + let verifying_key = VerifyingKey::from_public_key_der(&public_key.0 .0) + .context("Failed to create verifying key") + .map_err(|e| VerifierError::Verify(e.to_string()))?; + + let signature = ecdsa::Signature::from_der(&signature.0 .0) + .context("Failed to create signature") + .map_err(|e| VerifierError::Verify(e.to_string()))?; + + match verifying_key.verify(message.0.as_slice(), &signature) { + Ok(_) => Ok(true), + Err(e) => { + println!("Error verifying signature: {:?}", e); + Ok(false) + } + } + } +} diff --git a/util/signing/signer.old/src/lib.rs b/util/signing/signer.old/src/lib.rs new file mode 100644 index 000000000..49d3196c5 --- /dev/null +++ b/util/signing/signer.old/src/lib.rs @@ -0,0 +1,124 @@ +pub mod cryptography; + +/// A collection of bytes. +#[derive(Debug, Clone)] +pub struct Bytes(pub Vec); + +/// A signature. +#[derive(Debug, Clone)] +pub struct Signature(pub Bytes); + +/// A public key. +#[derive(Debug, Clone)] +pub struct PublicKey(pub Bytes); + +/// Version of a key. +/// Default mean the current key. +#[derive(Debug, Clone, Default)] +pub struct KeyVersion(pub String); + +/// Id that identify a Key. +#[derive(Debug, Clone)] +pub struct KeyId(pub String); + +/// Errors thrown by Signer +#[derive(Debug, thiserror::Error)] +pub enum SignerError { + #[error("Error during signing : {0}")] + Sign(String), + #[error("Error during public key retrieval : {0}")] + PublicKey(String), + #[error("Error can't decode provided hex data : {0}")] + Hex(String), + #[error("Signature not found.")] + SignatureNotFound, + #[error("public key not found.")] + PublicKeyNotFound, +} + +#[async_trait::async_trait] +pub trait SignerOperations { + /// Signs some bytes. + async fn sign(&self, message: Bytes) -> Result; + + /// Gets the public key. + async fn public_key(&self) -> Result; +} + +pub struct Signer +where + O: SignerOperations, + C: cryptography::Curve, +{ + operations: O, + _curve_marker: std::marker::PhantomData, +} + +/// Signer wraps an implementation of [SignerOperations] and provides a simple API for signing and getting the public key. +impl Signer +where + O: SignerOperations, + C: cryptography::Curve, +{ + pub fn new(operations: O) -> Self { + Self { operations, _curve_marker: std::marker::PhantomData } + } + + /// Signs some bytes. + pub async fn sign(&self, message: Bytes) -> Result { + self.operations.sign(message).await + } + + /// Gets the public key. + pub async fn public_key(&self) -> Result { + self.operations.public_key().await + } +} + +/// Errors thrown by the verifier. +#[derive(Debug, thiserror::Error)] +pub enum VerifierError { + #[error("Error during verification : {0}")] + Verify(String), +} + +#[async_trait::async_trait] +pub trait VerifierOperations { + /// Verifies a signature. + async fn verify( + &self, + message: Bytes, + signature: Signature, + public_key: PublicKey, + ) -> Result; +} + +pub struct Verifier +where + O: VerifierOperations, + C: cryptography::Curve, +{ + operations: O, + _curve_marker: std::marker::PhantomData, +} + +/// Verifier wraps an implementation of [VerifierOperations] and provides a simple API for verifying signatures. +impl Verifier +where + O: VerifierOperations, + C: cryptography::Curve, +{ + pub fn new(operations: O) -> Self { + Self { operations, _curve_marker: std::marker::PhantomData } + } + + /// Verifies a signature. + pub async fn verify( + &self, + message: Bytes, + signature: Signature, + public_key: PublicKey, + ) -> Result { + self.operations.verify(message, signature, public_key).await + } +}