Extract process of signing into a trait (#3696)

## Motivation

Currently client processes own a private key (`AccountSecretKey`) which
is potentially insecure but also prevents implementation of external
signers (wallet extensions, hardware wallets, etc.). This PR addresses
that.

## Proposal

We achieve that by the introduction of a new `Signer` trait that
encapsulates the actions of signing and getting a public key for an
`AccountOwner` instance. A couple of other changes were made/introduced
to support that:
- `Signer` is passed around as `Box<dyn Signer>` to hide the
implementation details of the actual `Signer` instance.
- `Signer::sign` signs a `CryptoHash` (rather than `T: BcsSignable`).
- (required by the above ☝️ ) New `sign_prehash(self, CryptoHash)`
methods added on all secret keys types in the `linera-crypto`
- An `InMemSigner` was introduced for backwards-compatibility and
intermediate usage in native and web clients.
- Removed `assigned_keys` and `unassignd_keys` from the `Wallet`. Now
the `Signer` is the source of truth about which keys are available.

## Test Plan

All tests have been updated to pass.

## Release Plan

- Nothing to do / These changes follow the usual release cycle.

## Links

<!--
Optional section for related PRs, related issues, and other references.

If needed, please create issues to track future improvements and link
them here.
-->
- [reviewer
checklist](https://github.com/linera-io/linera-protocol/blob/main/CONTRIBUTING.md#reviewer-checklist)

Author: deuszx

.github/workflows/docker-compose.yml

@@ -72,4 +72,4 @@ jobs:
           max_attempts: 10
           timeout_minutes: 2
           retry_wait_seconds: 10
-          command: linera --wallet docker/wallet.json --storage rocksdb:docker/linera.db sync-balance
+          command: linera --wallet docker/wallet.json --keystore docker/keystore.json --storage rocksdb:docker/linera.db sync-balance

.github/workflows/rust.yml

@@ -33,6 +33,7 @@ env:
   RUST_LOG_FORMAT: plain
   LINERA_STORAGE_SERVICE: 127.0.0.1:1235
   LINERA_WALLET: /tmp/local-linera-net/wallet_0.json
+  LINERA_KEYSTORE: /tmp/local-linera-net/keystore_0.json
   LINERA_STORAGE: rocksdb:/tmp/local-linera-net/client_0.db
   LINERA_FAUCET_URL: http://localhost:8079
 

CLI.md

@@ -9,6 +9,7 @@ This document contains the help content for the `linera` command-line program.
 * [`linera open-chain`↴](#linera-open-chain)
 * [`linera open-multi-owner-chain`↴](#linera-open-multi-owner-chain)
 * [`linera change-ownership`↴](#linera-change-ownership)
+* [`linera set-preferred-owner`↴](#linera-set-preferred-owner)
 * [`linera change-application-permissions`↴](#linera-change-application-permissions)
 * [`linera close-chain`↴](#linera-close-chain)
 * [`linera local-balance`↴](#linera-local-balance)
@@ -71,6 +72,7 @@ A Byzantine-fault tolerant sidechain with low-latency finality and high throughp
 * `open-chain` — Open (i.e. activate) a new chain deriving the UID from an existing one
 * `open-multi-owner-chain` — Open (i.e. activate) a new multi-owner chain deriving the UID from an existing one
 * `change-ownership` — Change who owns the chain, and how the owners work together proposing blocks
+* `set-preferred-owner` — Change the preferred owner of a chain
 * `change-application-permissions` — Changes the application permissions configuration
 * `close-chain` — Close an existing chain
 * `local-balance` — Read the current native-token balance of the given account directly from the local state
@@ -95,7 +97,7 @@ A Byzantine-fault tolerant sidechain with low-latency finality and high throughp
 * `create-application` — Create an application
 * `publish-and-create` — Create an application, and publish the required module
 * `keygen` — Create an unassigned key pair
-* `assign` — Link an owner with a key pair in the wallet to a chain that was created for that owner
+* `assign` — Link the owner to the chain. Expects that the caller has a private key corresponding to the `public_key`, otherwise block proposals will fail when signing with it
 * `retry-pending-block` — Retry a block we unsuccessfully tried to propose earlier
 * `wallet` — Show the contents of the wallet
 * `project` — Manage Linera projects
@@ -106,6 +108,7 @@ A Byzantine-fault tolerant sidechain with low-latency finality and high throughp
 
 * `--storage <STORAGE_CONFIG>` — Storage configuration for the blockchain history
 * `--wallet <WALLET_STATE_PATH>` — Sets the file storing the private state of user chains (an empty one will be created if missing)
+* `--keystore <KEYSTORE_PATH>` — Sets the file storing the keystore state
 * `-w`, `--with-wallet <WITH_WALLET>` — Given an ASCII alphanumeric parameter `X`, read the wallet state and the wallet storage config from the environment variables `LINERA_WALLET_{X}` and `LINERA_STORAGE_{X}` instead of `LINERA_WALLET` and `LINERA_STORAGE`
 * `--send-timeout-ms <SEND_TIMEOUT>` — Timeout for sending queries (milliseconds)
 
@@ -267,6 +270,19 @@ Specify the complete set of new owners, by public key. Existing owners that are
 
 
 
+## `linera set-preferred-owner`
+
+Change the preferred owner of a chain
+
+**Usage:** `linera set-preferred-owner [OPTIONS] --owner <OWNER>`
+
+###### **Options:**
+
+* `--chain-id <CHAIN_ID>` — The ID of the chain whose preferred owner will be changed
+* `--owner <OWNER>` — The new preferred owner
+
+
+
 ## `linera change-application-permissions`
 
 Changes the application permissions configuration
@@ -718,7 +734,7 @@ Create an unassigned key pair
 
 ## `linera assign`
 
-Link an owner with a key pair in the wallet to a chain that was created for that owner
+Link the owner to the chain. Expects that the caller has a private key corresponding to the `public_key`, otherwise block proposals will fail when signing with it
 
 **Usage:** `linera assign --owner <OWNER> --chain-id <CHAIN_ID>`
 

Cargo.lock

@@ -90,6 +90,7 @@ FAUCET_URL=http://localhost:8080
 
 # Set the path of the future wallet.
 export LINERA_WALLET="$LINERA_TMP_DIR/wallet.json"
+export LINERA_KEYSTORE="$LINERA_TMP_DIR/keystore.json"
 export LINERA_STORAGE="rocksdb:$LINERA_TMP_DIR/client.db"
 
 # Initialize a new user wallet.

README.md

@@ -17,6 +17,7 @@ cleanup() {
     rm -r linera.db
     rm server.json
     rm wallet.json
+    rm keystore.json
     SCYLLA_VOLUME=docker_linera-scylla-data
     SHARED_VOLUME=docker_linera-shared
     docker rm -f $(docker ps -a -q --filter volume=$SCYLLA_VOLUME)
@@ -63,7 +64,7 @@ linera-server generate --validators "$CONF_DIR/validator.toml" --committee commi
 # * Private chain states are stored in one local wallet `wallet.json`.
 # * `genesis.json` will contain the initial balances of chains as well as the initial committee.
 
-linera --wallet wallet.json --storage rocksdb:linera.db create-genesis-config 10 --genesis genesis.json --initial-funding 10 --committee committee.json --testing-prng-seed 2
+linera --wallet wallet.json --keystore keystore.json --storage rocksdb:linera.db create-genesis-config 10 --genesis genesis.json --initial-funding 10 --committee committee.json --testing-prng-seed 2
 
 if [ "${DOCKER_COMPOSE_WAIT:-false}" = "true" ]; then
     docker compose up --wait

docker/compose.sh

@@ -54,6 +54,7 @@ Create the user wallet and add chains to it:
 
 ```bash
 export LINERA_WALLET="$LINERA_TMP_DIR/wallet.json"
+export LINERA_KEYSTORE="$LINERA_TMP_DIR/keystore.json"
 export LINERA_STORAGE="rocksdb:$LINERA_TMP_DIR/client.db"
 
 linera wallet init --faucet $FAUCET_URL

examples/amm/README.md

@@ -43,6 +43,7 @@ Create the user wallet and add chains to it:
 
 ```bash
 export LINERA_WALLET="$LINERA_TMP_DIR/wallet.json"
+export LINERA_KEYSTORE="$LINERA_TMP_DIR/keystore.json"
 export LINERA_STORAGE="rocksdb:$LINERA_TMP_DIR/client.db"
 
 linera wallet init --faucet $FAUCET_URL

examples/counter/README.md

@@ -66,8 +66,10 @@ Create the user wallets and add chains to them:
 
 ```bash
 export LINERA_WALLET_1="$LINERA_TMP_DIR/wallet_1.json"
+export LINERA_KEYSTORE_1="$LINERA_TMP_DIR/keystore_1.json"
 export LINERA_STORAGE_1="rocksdb:$LINERA_TMP_DIR/client_1.db"
 export LINERA_WALLET_2="$LINERA_TMP_DIR/wallet_2.json"
+export LINERA_KEYSTORE_2="$LINERA_TMP_DIR/keystore_2.json"
 export LINERA_STORAGE_2="rocksdb:$LINERA_TMP_DIR/client_2.db"
 
 linera --with-wallet 1 wallet init --faucet $FAUCET_URL
@@ -81,7 +83,7 @@ OWNER_1="${INFO_1[2]}"
 OWNER_2="${INFO_2[2]}"
 ```
 
-Note that `linera --with-wallet 1` is equivalent to `linera --wallet "$LINERA_WALLET_1"
+Note that `linera --with-wallet 1` is equivalent to `linera --wallet "$LINERA_WALLET_1" --keystore "$LINERA_KEYSTORE_1"
 --storage "$LINERA_STORAGE_1"`.
 
 The command below can be used to list the chains created for the test as known by each

examples/crowd-funding/README.md

@@ -58,6 +58,7 @@ Create the user wallet and add chains to it:
 
 ```bash
 export LINERA_WALLET="$LINERA_TMP_DIR/wallet.json"
+export LINERA_KEYSTORE="$LINERA_TMP_DIR/keystore.json"
 export LINERA_STORAGE="rocksdb:$LINERA_TMP_DIR/client.db"
 
 linera wallet init --faucet $FAUCET_URL