Alloy signing integration

Cargo.toml

@@ -3,6 +3,7 @@
 resolver = "2"
 
 members = [
+    "demo/hsm",
     "protocol-units/bridge/config",
     "protocol-units/bridge/setup",
     "protocol-units/execution/maptos/dof",
@@ -41,6 +42,10 @@ members = [
     "protocol-units/bridge/indexer-db",
     "protocol-units/bridge/util",
     "benches/*",
+    "util/signing/signer",
+    "util/signing/aws-kms",
+    "util/signing/hashicorp-vault",
+    "util/signing/integrations/alloy",
 ]
 
 [workspace.package]
@@ -113,6 +118,17 @@ whitelist = { path = "util/whitelist" }
 ## access control
 aptos-account-whitelist = { path = "protocol-units/access-control/aptos/account-whitelist" }
 
+# signing
+signer = { path = "util/signing/signer" }
+aws-kms-signer = { path = "util/signing/aws-kms" }
+hashicorp-vault-signer = { path = "util/signing/hashicorp-vault" }
+
+## vault
+vaultrs = { version = "0.7.3" }
+aws-sdk-kms = "1.51.0"
+google-cloud-kms = "0.6.0"
+base64 = { version = "0.13.0" }
+
 # Serialization and Deserialization
 borsh = { version = "0.10" } # todo: internalize jmt and bump
 serde = "1.0"
@@ -212,6 +228,7 @@ alloy-eips = { git = "https://github.com/alloy-rs/alloy.git", rev = "83343b17258
 alloy-contract = { git = "https://github.com/alloy-rs/alloy.git", rev = "83343b172585fe4e040fb104b4d1421f58cbf9a2" }
 alloy-network = { git = "https://github.com/alloy-rs/alloy.git", rev = "83343b172585fe4e040fb104b4d1421f58cbf9a2" }
 alloy-primitives = { version = "0.7.2", default-features = false }
+alloy-consensus = { git = "https://github.com/alloy-rs/alloy.git", rev = "83343b172585fe4e040fb104b4d1421f58cbf9a2" }
 alloy-provider = { git = "https://github.com/alloy-rs/alloy.git", rev = "83343b172585fe4e040fb104b4d1421f58cbf9a2", features = [
     "ws",
 ] }
@@ -301,6 +318,8 @@ tracing-test = "0.2.5"
 trie-db = "0.28.0"
 url = "2.2.2"
 x25519-dalek = "1.0.1"
+ed25519 = "2.2.3"
+ring-compat = "0.8.0"
 zstd-sys = "2.0.9"
 zstd = "0.13"
 inotify = "0.10.2"

demo/hsm/Cargo.toml

@@ -0,0 +1,33 @@
+[package]
+name = "hsm-demo"
+version = { workspace = true }
+edition  = { workspace = true }
+license  = { workspace = true }
+authors = { workspace = true }
+repository = { workspace = true }
+homepage = { workspace = true }
+publish = { workspace = true }
+rust-version = { workspace = true }
+
+[dependencies]
+tokio = { workspace = true, features = ["full"] }
+async-trait = { workspace = true }
+vaultrs = { workspace = true }
+anyhow = { workspace = true }
+aws-sdk-kms = { workspace = true }
+aws-config = { workspace = true }
+rand = { workspace = true }
+base64 = { workspace = true }
+dotenv = "0.15"
+ed25519 = { workspace = true }
+ring-compat = { workspace = true }
+k256 = { workspace = true, features = ["ecdsa", "pkcs8"] }
+google-cloud-kms = { workspace = true }
+reqwest = { version = "0.12", features = ["json"] }
+axum = "0.6"
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
+clap = { workspace = true }
+
+[lints]
+workspace = true

demo/hsm/src/action_stream/join.rs

@@ -0,0 +1,41 @@
+use crate::{ActionStream, Message};
+
+/// Joins several streams together.
+/// Notifies all streams of messages emitted from elsewhere in the system.
+/// Round-robins through streams for next.
+pub struct Join {
+	streams: Vec<Box<dyn ActionStream + Send>>,
+	current: usize,
+}
+
+impl Join {
+	/// Creates a new `Join` stream.
+	pub fn new(streams: Vec<Box<dyn ActionStream + Send>>) -> Self {
+		Self { streams, current: 0 }
+	}
+}
+
+#[async_trait::async_trait]
+impl ActionStream for Join {
+	/// Notifies the stream of a message emitted from elsewhere in the system.
+	async fn notify(&mut self, message: Message) -> Result<(), anyhow::Error> {
+		for stream in &mut self.streams {
+			stream.notify(message.clone()).await?;
+		}
+		Ok(())
+	}
+
+	/// Gets the message to act upon.
+	async fn next(&mut self) -> Result<Option<Message>, anyhow::Error> {
+		let mut next = None;
+		for _ in 0..self.streams.len() {
+			let stream = &mut self.streams[self.current];
+			next = stream.next().await?;
+			self.current = (self.current + 1) % self.streams.len();
+			if next.is_some() {
+				break;
+			}
+		}
+		Ok(next)
+	}
+}

demo/hsm/src/action_stream/mod.rs

@@ -0,0 +1,3 @@
+pub mod join;
+pub mod notify_verify;
+pub mod random;

demo/hsm/src/action_stream/notify_verify.rs

@@ -0,0 +1,28 @@
+use crate::{ActionStream, Message};
+use std::collections::VecDeque;
+
+/// Adds all verify messages of which the stream is notified back to the stream
+pub struct NotifyVerify {
+	buffer: VecDeque<Message>,
+}
+
+impl NotifyVerify {
+	/// Creates a new `NotifyVerify` stream.
+	pub fn new() -> Self {
+		Self { buffer: VecDeque::new() }
+	}
+}
+
+#[async_trait::async_trait]
+impl ActionStream for NotifyVerify {
+	/// Notifies the stream of a message emitted from elsewhere in the system.
+	async fn notify(&mut self, message: Message) -> Result<(), anyhow::Error> {
+		self.buffer.push_back(message);
+		Ok(())
+	}
+
+	/// Gets the message to act upon.
+	async fn next(&mut self) -> Result<Option<Message>, anyhow::Error> {
+		Ok(self.buffer.pop_front())
+	}
+}

demo/hsm/src/action_stream/random.rs

@@ -0,0 +1,24 @@
+use crate::{ActionStream, Bytes, Message};
+use rand::{Rng, RngCore};
+
+/// A stream of random messages.
+pub struct Random;
+
+#[async_trait::async_trait]
+impl ActionStream for Random {
+	/// Notifies the stream of a message emitted from elsewhere in the system.
+	async fn notify(&mut self, _message: Message) -> Result<(), anyhow::Error> {
+		Ok(())
+	}
+
+	/// Gets the message to act upon.
+	async fn next(&mut self) -> Result<Option<Message>, anyhow::Error> {
+		// Generate a random vec of bytes
+		let mut rng = rand::thread_rng();
+		let len = rng.gen_range(32, 256);
+		let mut bytes = vec![0u8; len];
+		rng.fill_bytes(&mut bytes);
+
+		Ok(Some(Message::Sign(Bytes(bytes))))
+	}
+}

demo/hsm/src/cli/mod.rs

@@ -0,0 +1,17 @@
+pub mod server;
+use clap::Parser;
+
+#[derive(Parser)]
+#[clap(rename_all = "kebab-case")]
+pub enum HsmDemo {
+	#[clap(subcommand)]
+	Server(server::Server),
+}
+
+impl HsmDemo {
+	pub async fn run(&self) -> Result<(), anyhow::Error> {
+		match self {
+			HsmDemo::Server(server) => server.run().await,
+		}
+	}
+}

demo/hsm/src/cli/server/ed25519/hashi_corp_vault.rs

@@ -0,0 +1,30 @@
+use crate::{cryptography::Ed25519, hsm, server::create_server};
+use axum::Server;
+use clap::Parser;
+use std::net::SocketAddr;
+use std::sync::Arc;
+use tokio::sync::Mutex;
+
+#[derive(Debug, Parser, Clone)]
+#[clap(rename_all = "kebab-case", about = "Runs signing app for ed25519 against HashiCorp Vault")]
+pub struct HashiCorpVault {}
+
+impl HashiCorpVault {
+	pub async fn run(&self) -> Result<(), anyhow::Error> {
+		let hsm = hsm::hashi_corp_vault::HashiCorpVault::<Ed25519>::try_from_env()?
+			.create_key()
+			.await?
+			.fill_with_public_key()
+			.await?;
+
+		let server_hsm = Arc::new(Mutex::new(hsm));
+
+		let app = create_server(server_hsm);
+		let addr = SocketAddr::from(([127, 0, 0, 1], 3000));
+		println!("Server listening on {}", addr);
+
+		Server::bind(&addr).serve(app.into_make_service()).await?;
+
+		Ok(())
+	}
+}

demo/hsm/src/cli/server/ed25519/mod.rs

@@ -0,0 +1,17 @@
+pub mod hashi_corp_vault;
+
+use clap::Subcommand;
+
+#[derive(Subcommand, Debug)]
+#[clap(rename_all = "kebab-case", about = "Commands for signing with Ed25519")]
+pub enum Ed25519 {
+	HashiCorpVault(hashi_corp_vault::HashiCorpVault),
+}
+
+impl Ed25519 {
+	pub async fn run(&self) -> Result<(), anyhow::Error> {
+		match self {
+			Ed25519::HashiCorpVault(hcv) => hcv.run().await,
+		}
+	}
+}

demo/hsm/src/cli/server/mod.rs

@@ -0,0 +1,22 @@
+pub mod ed25519;
+pub mod secp256k1;
+
+use clap::Subcommand;
+
+#[derive(Subcommand, Debug)]
+#[clap(rename_all = "kebab-case", about = "Commands for signing")]
+pub enum Server {
+	#[clap(subcommand)]
+	Ed25519(ed25519::Ed25519),
+	#[clap(subcommand)]
+	Secp256k1(secp256k1::Secp256k1),
+}
+
+impl Server {
+	pub async fn run(&self) -> Result<(), anyhow::Error> {
+		match self {
+			Server::Ed25519(ed) => ed.run().await,
+			Server::Secp256k1(sk) => sk.run().await,
+		}
+	}
+}

demo/hsm/src/cli/server/secp256k1/aws_kms.rs

@@ -0,0 +1,30 @@
+use crate::{cryptography::Secp256k1, hsm, server::create_server};
+use axum::Server;
+use clap::Parser;
+use std::net::SocketAddr;
+use std::sync::Arc;
+use tokio::sync::Mutex;
+
+#[derive(Debug, Parser, Clone)]
+#[clap(rename_all = "kebab-case", about = "Runs signing app for secp256k1 against AWS KMS")]
+pub struct AwsKms {}
+
+impl AwsKms {
+	pub async fn run(&self) -> Result<(), anyhow::Error> {
+		let hsm = hsm::aws_kms::AwsKms::<Secp256k1>::try_from_env()
+			.await?
+			.create_key()
+			.await?
+			.fill_with_public_key()
+			.await?;
+		let server_hsm = Arc::new(Mutex::new(hsm));
+
+		let app = create_server(server_hsm);
+		let addr = SocketAddr::from(([127, 0, 0, 1], 3000));
+		println!("Server listening on {}", addr);
+
+		Server::bind(&addr).serve(app.into_make_service()).await?;
+
+		Ok(())
+	}
+}

demo/hsm/src/cli/server/secp256k1/mod.rs

@@ -0,0 +1,17 @@
+use clap::Subcommand;
+
+pub mod aws_kms;
+
+#[derive(Subcommand, Debug)]
+#[clap(rename_all = "kebab-case", about = "Commands for signing with Secp256k1")]
+pub enum Secp256k1 {
+	AwsKms(aws_kms::AwsKms),
+}
+
+impl Secp256k1 {
+	pub async fn run(&self) -> Result<(), anyhow::Error> {
+		match self {
+			Secp256k1::AwsKms(ak) => ak.run().await,
+		}
+	}
+}

demo/hsm/src/cryptography/aws_kms.rs

@@ -0,0 +1,28 @@
+use crate::cryptography::Secp256k1;
+use aws_sdk_kms::types::{KeySpec, KeyUsageType, SigningAlgorithmSpec};
+
+/// Defines the needed methods for providing a definition of cryptography used with AWS KMS
+pub trait AwsKmsCryptography {
+	/// Returns the [KeySpec] for the desired cryptography
+	fn key_spec() -> KeySpec;
+
+	/// Returns the [KeyUsageType] for the desired cryptography
+	fn key_usage_type() -> KeyUsageType;
+
+	/// Returns the [SigningAlgorithmSpec] for the desired cryptography
+	fn signing_algorithm_spec() -> SigningAlgorithmSpec;
+}
+
+impl AwsKmsCryptography for Secp256k1 {
+	fn key_spec() -> KeySpec {
+		KeySpec::EccSecgP256K1
+	}
+
+	fn key_usage_type() -> KeyUsageType {
+		KeyUsageType::SignVerify
+	}
+
+	fn signing_algorithm_spec() -> SigningAlgorithmSpec {
+		SigningAlgorithmSpec::EcdsaSha256
+	}
+}

demo/hsm/src/cryptography/hashicorp_vault.rs

@@ -0,0 +1,14 @@
+use crate::cryptography::Ed25519;
+use vaultrs::api::transit::KeyType;
+
+/// Defines the needed methods for providing a definition of cryptography used with HashiCorp Vault
+pub trait HashiCorpVaultCryptography {
+	/// Returns the [KeyType] for the desired cryptography
+	fn key_type() -> KeyType;
+}
+
+impl HashiCorpVaultCryptography for Ed25519 {
+	fn key_type() -> KeyType {
+		KeyType::Ed25519
+	}
+}

demo/hsm/src/cryptography/mod.rs

@@ -0,0 +1,12 @@
+pub mod aws_kms;
+pub mod google_kms;
+pub mod hashicorp_vault;
+pub mod verifier;
+
+/// The Secp256k1 curve.
+#[derive(Debug, Clone, Copy)]
+pub struct Secp256k1;
+
+/// The Ed25519 curve.
+#[derive(Debug, Clone, Copy)]
+pub struct Ed25519;