Rc4 (#7)

* bump version

* Successful cross-compilation, but runtime has memory allocation issues

* Working with OpenSSL static-linked

* Got dynamic linking working, added a feature flag to toggle dynamic vs. static

* Fixed the vendored build arg

* Reintroduced the cargo chef setup

* Ported the cross-compilation stuff into PBS

* Split the dockerfiles into separate builder / image definitions

* Added a build guide

* Refactored the Github release action to use the Docker builder

* Fixed the Docker image binary filenames

* Cleaned up the Darwin artifact step

* Made the CI workflow and justfile use the same toolchain as the source

* Revert "Made the CI workflow and justfile use the same toolchain as the source"

This reverts commit 58c6117.

* Testing removal of OpenSSL vendored option

* Updating just in the CI workflow

* Refactored the signer to support host and port config settings

* Updated docs

* Fixing Clippy in CI workflow

* Removed obviated CI setup

* Minor dedup of RwLock guard acquisition

* Added rate limiting for signer clients with repeated JWT auth failures

* Added Signer config validation

* Started unit test setup for the Signer

* Finished a basic signer module unit test

* Added a JWT failure unit test

* Added a rate limit test and cleaned up a bit

* Added unique ports to unit tests for parallel execution

* Cleaned up the build Dockerfile and removed an extra dependency layer

* Ported the build script over to the justfile

* Added a justfile recipe for installing protoc

* Update crates/cli/src/docker_init.rs

Co-authored-by: ltitanb <[email protected]>

* Added example signer config params

* Cleaned up signer config loading from feedback

* Added JWT auth fields to the example config

* Started building the JWT config file

* Added tests

* Started migration from JWTS_ENV to the config file

* Signing requests now uses the module's signing ID

* Finished added signing ID support and a quick test

* Fixed some example config parameters

* Added a test to ensure modules can't create the same sigs

* Made the jwt_config_file optional

* Started working on docs

* Redid implementation with the original JWTS env var

* Started the signer doc

* Overhauled the signing_id setup to be directly in the signed struct

* Made proposer commitments nested Merkle trees to allow Dirk support

* Added the signer request guide

* Added quotes to some HTML

* Added some simple JWT secret info

* Adding a closing tag

* Added prop commit signature verification helpers for modules to use

* Fixed some params in da_commit

* Cleaned load_module_signing_configs a bit

* Fixed some docs language

* Refactored into compute_prop_commit_signing_root

* CBST2-04: Update JWT secrets on reload and revoke module endpoint (Commit-Boost#295)

* Signing IDs are no longer optional in the config

* Refactored some of the signer consts for consistency

* Updated the Signer API docs

* Merge sigp-audit-fixes (Commit-Boost#348)

Co-authored-by: Manuel Iñaki Bilbao <[email protected]>
Co-authored-by: ltitanb <[email protected]>

* Move from [u8; 32] to B256 everywhere (Commit-Boost#347)

* Cleaned up some hashmap usage

* Removed compute_tree_hash_root()

* Some minor cleanup

* Fixed some docs

---------

Co-authored-by: eltitanb <[email protected]>
Co-authored-by: Joe Clapis <[email protected]>
Co-authored-by: ltitanb <[email protected]>
Co-authored-by: Manuel Iñaki Bilbao <[email protected]>

Author: 4 people

Cargo.lock

@@ -60,7 +60,7 @@ paths:
 
   /signer/v1/request_signature:
     post:
-      summary: Send a signature request
+      summary: Request a signature for a 32-byte blob of data (typically a hash), signed by the requested BLS or ECDSA key.
       tags:
         - Signer
       security:
@@ -81,15 +81,15 @@ paths:
                   type: string
                   enum: [consensus, proxy_bls, proxy_ecdsa]
                 pubkey:
-                  description: Public key of the validator for consensus signatures
+                  description: The 48-byte BLS public key, with optional `0x` prefix, of the proposer key that you want to request a signature from.
                   $ref: "#/components/schemas/BlsPubkey"
                 proxy:
-                  description: BLS proxy pubkey or ECDSA address for proxy signatures
+                  description: The 48-byte BLS public key (for `proxy_bls` mode) or the 20-byte Ethereum address (for `proxy_ecdsa` mode), with optional `0x` prefix, of the proxy key that you want to request a signature from.
                   oneOf:
                     - $ref: "#/components/schemas/BlsPubkey"
                     - $ref: "#/components/schemas/EcdsaAddress"
                 object_root:
-                  description: The root of the object to be signed
+                  description: The 32-byte data you want to sign, with optional `0x` prefix.
                   type: string
                   format: hex
                   pattern: "^0x[a-fA-F0-9]{64}$"
@@ -112,7 +112,7 @@ paths:
                   object_root: "0x3e9f4a78b5c21d64f0b8e3d9a7f5c02b4d1e67a3c8f29b5d6e4a3b1c8f72e6d9"
       responses:
         "200":
-          description: Success
+          description: A successful signature response. The returned signature is the Merkle root hash of the provided `object_root` field and the requesting module's Signing ID as specified in the Commit-Boost configuration. For details on this signature, see the [signature structure documentation](https://commit-boost.github.io/commit-boost-client/developing/prop-commit-signing.md#structure-of-a-signature).
           content:
             application/json:
               schema:
@@ -126,8 +126,45 @@ paths:
                   value: "0xa3ffa9241f78279f1af04644cb8c79c2d8f02bcf0e28e2f186f6dcccac0a869c2be441fda50f0dea895cfce2e53f0989a3ffa9241f78279f1af04644cb8c79c2d8f02bcf0e28e2f186f6dcccac0a869c2be441fda50f0dea895cfce2e53f0989"
                 ProxyEcdsa:
                   value: "0x985b495f49d1b96db3bba3f6c5dd1810950317c10d4c2042bd316f338cdbe74359072e209b85e56ac492092d7860063dd096ca31b4e164ef27e3f8d508e656801c"
+        "400":
+          description: |
+            This can occur in several scenarios:
+            
+            - You requested an operation while using the Dirk signer mode instead of locally-managed signer mode, but Dirk doesn't support that operation.
+            - Something went wrong while preparing your request; the error text will provide more information.
+          content:
+            application/json:
+              schema:
+                type: object
+                required:
+                  - code
+                  - message
+                properties:
+                  code:
+                    type: number
+                    example: 400
+                  message:
+                    type: string
+                    example: "Bad request: Invalid pubkey format"
+        "401":
+          description: The requesting module did not provide a JWT string in the request's authorization header, or the JWT string was not configured in the signer service's configuration file as belonging to the module.
+          content:
+            application/json:
+              schema:
+                type: object
+                required:
+                  - code
+                  - message
+                properties:
+                  code:
+                    type: number
+                    example: 401
+                  message:
+                    type: string
+                    example: "Unauthorized"
+        
         "404":
-          description: Unknown value (pubkey, etc.)
+          description: You either requested a route that doesn't exist, or you requested a signature from a key that does not exist.
           content:
             application/json:
               schema:
@@ -142,8 +179,24 @@ paths:
                   message:
                     type: string
                     example: "Unknown pubkey"
+        "429":
+          description: Your module attempted and failed JWT authentication too many times recently, and is currently timed out. It cannot make any more requests until the timeout ends.
+          content:
+            application/json:
+              schema:
+                type: object
+                required:
+                  - code
+                  - message
+                properties:
+                  code:
+                    type: number
+                    example: 429
+                  message:
+                    type: string
+                    example: "Too many requests"
         "500":
-          description: Internal error
+          description: Your request was valid, but something went wrong internally that prevented it from being fulfilled.
           content:
             application/json:
               schema:
@@ -158,6 +211,22 @@ paths:
                   message:
                     type: string
                     example: "Internal error"
+        "502":
+          description: The signer service is running in Dirk signer mode, but Dirk could not be reached.
+          content:
+            application/json:
+              schema:
+                type: object
+                required:
+                  - code
+                  - message
+                properties:
+                  code:
+                    type: number
+                    example: 502
+                  message:
+                    type: string
+                    example: "Bad gateway: Dirk signer service is unreachable"
 
   /signer/v1/generate_proxy_key:
     post:

api/signer-api.yml

@@ -10,6 +10,9 @@ pub mod prelude {
             load_pbs_custom_config, LogsSettings, StartCommitModuleConfig, PBS_MODULE_NAME,
         },
         pbs::{BuilderEvent, BuilderEventClient, OnBuilderApiEvent},
+        signature::{
+            verify_proposer_commitment_signature_bls, verify_proposer_commitment_signature_ecdsa,
+        },
         signer::{BlsPublicKey, BlsSignature, EcdsaSignature},
         types::Chain,
         utils::{initialize_tracing_log, utcnow_ms, utcnow_ns, utcnow_sec, utcnow_us},

bin/src/lib.rs

@@ -152,10 +152,10 @@ url = "http://0xa119589bb33ef52acbb8116832bec2b58fca590fe5c85eac5d3230b44d5bc09f
 #   - Dirk: a remote Dirk instance
 #   - Local: a local Signer module
 # More details on the docs (https://commit-boost.github.io/commit-boost-client/get_started/configuration/#signer-module)
-# [signer]
+[signer]
 # Docker image to use for the Signer module.
 # OPTIONAL, DEFAULT: ghcr.io/commit-boost/signer:latest
-# docker_image = "ghcr.io/commit-boost/signer:latest"
+docker_image = "ghcr.io/commit-boost/signer:latest"
 # Host to bind the Signer API server to
 # OPTIONAL, DEFAULT: 127.0.0.1
 host = "127.0.0.1"
@@ -249,6 +249,8 @@ proxy_dir = "./proxies"
 [[modules]]
 # Unique ID of the module
 id = "DA_COMMIT"
+# Unique hash that the Signer service will combine with the incoming data in signing requests to generate a signature specific to this module
+signing_id = "0x6a33a23ef26a4836979edff86c493a69b26ccf0b4a16491a815a13787657431b"
 # Type of the module. Supported values: commit, events
 type = "commit"
 # Docker image of the module

config.example.toml

@@ -6,16 +6,16 @@ use std::{
 
 use cb_common::{
     config::{
-        CommitBoostConfig, LogsSettings, ModuleKind, SignerConfig, SignerType, BUILDER_PORT_ENV,
-        BUILDER_URLS_ENV, CHAIN_SPEC_ENV, CONFIG_DEFAULT, CONFIG_ENV, DIRK_CA_CERT_DEFAULT,
-        DIRK_CA_CERT_ENV, DIRK_CERT_DEFAULT, DIRK_CERT_ENV, DIRK_DIR_SECRETS_DEFAULT,
-        DIRK_DIR_SECRETS_ENV, DIRK_KEY_DEFAULT, DIRK_KEY_ENV, JWTS_ENV, LOGS_DIR_DEFAULT,
-        LOGS_DIR_ENV, METRICS_PORT_ENV, MODULE_ID_ENV, MODULE_JWT_ENV, PBS_ENDPOINT_ENV,
-        PBS_MODULE_NAME, PROXY_DIR_DEFAULT, PROXY_DIR_ENV, PROXY_DIR_KEYS_DEFAULT,
-        PROXY_DIR_KEYS_ENV, PROXY_DIR_SECRETS_DEFAULT, PROXY_DIR_SECRETS_ENV, SIGNER_DEFAULT,
-        SIGNER_DIR_KEYS_DEFAULT, SIGNER_DIR_KEYS_ENV, SIGNER_DIR_SECRETS_DEFAULT,
-        SIGNER_DIR_SECRETS_ENV, SIGNER_ENDPOINT_ENV, SIGNER_KEYS_ENV, SIGNER_MODULE_NAME,
-        SIGNER_PORT_DEFAULT, SIGNER_URL_ENV,
+        CommitBoostConfig, LogsSettings, ModuleKind, SignerConfig, SignerType, ADMIN_JWT_ENV,
+        BUILDER_PORT_ENV, BUILDER_URLS_ENV, CHAIN_SPEC_ENV, CONFIG_DEFAULT, CONFIG_ENV,
+        DIRK_CA_CERT_DEFAULT, DIRK_CA_CERT_ENV, DIRK_CERT_DEFAULT, DIRK_CERT_ENV,
+        DIRK_DIR_SECRETS_DEFAULT, DIRK_DIR_SECRETS_ENV, DIRK_KEY_DEFAULT, DIRK_KEY_ENV, JWTS_ENV,
+        LOGS_DIR_DEFAULT, LOGS_DIR_ENV, METRICS_PORT_ENV, MODULE_ID_ENV, MODULE_JWT_ENV,
+        PBS_ENDPOINT_ENV, PBS_MODULE_NAME, PROXY_DIR_DEFAULT, PROXY_DIR_ENV,
+        PROXY_DIR_KEYS_DEFAULT, PROXY_DIR_KEYS_ENV, PROXY_DIR_SECRETS_DEFAULT,
+        PROXY_DIR_SECRETS_ENV, SIGNER_DEFAULT, SIGNER_DIR_KEYS_DEFAULT, SIGNER_DIR_KEYS_ENV,
+        SIGNER_DIR_SECRETS_DEFAULT, SIGNER_DIR_SECRETS_ENV, SIGNER_ENDPOINT_ENV, SIGNER_KEYS_ENV,
+        SIGNER_MODULE_NAME, SIGNER_PORT_DEFAULT, SIGNER_URL_ENV,
     },
     pbs::{BUILDER_V1_API_PATH, GET_STATUS_PATH},
     signer::{ProxyStore, SignerLoader},
@@ -333,6 +333,7 @@ pub async fn handle_docker_init(config_path: PathBuf, output_dir: PathBuf) -> Re
                 let mut signer_envs = IndexMap::from([
                     get_env_val(CONFIG_ENV, CONFIG_DEFAULT),
                     get_env_same(JWTS_ENV),
+                    get_env_same(ADMIN_JWT_ENV),
                 ]);
 
                 // Bind the signer API to 0.0.0.0
@@ -366,6 +367,7 @@ pub async fn handle_docker_init(config_path: PathBuf, output_dir: PathBuf) -> Re
 
                 // write jwts to env
                 envs.insert(JWTS_ENV.into(), format_comma_separated(&jwts));
+                envs.insert(ADMIN_JWT_ENV.into(), random_jwt_secret());
 
                 // volumes
                 let mut volumes = vec![config_volume.clone()];

crates/cli/src/docker_init.rs

@@ -3,3 +3,4 @@ pub const REQUEST_SIGNATURE_PATH: &str = "/signer/v1/request_signature";
 pub const GENERATE_PROXY_KEY_PATH: &str = "/signer/v1/generate_proxy_key";
 pub const STATUS_PATH: &str = "/status";
 pub const RELOAD_PATH: &str = "/reload";
+pub const REVOKE_MODULE_PATH: &str = "/revoke_jwt";

crates/common/src/commit/constants.rs

@@ -1,21 +1,26 @@
 use std::{
+    collections::HashMap,
     fmt::{self, Debug, Display},
     str::FromStr,
 };
 
 use alloy::{
     hex,
-    primitives::{Address, B256},
+    primitives::{aliases::B32, Address, B256},
     rpc::types::beacon::BlsSignature,
 };
 use derive_more::derive::From;
-use serde::{Deserialize, Serialize};
+use serde::{Deserialize, Deserializer, Serialize};
 use tree_hash::TreeHash;
 use tree_hash_derive::TreeHash;
 
 use crate::{
-    constants::COMMIT_BOOST_DOMAIN, error::BlstErrorWrapper, signature::verify_signed_message,
-    signer::BlsPublicKey, types::Chain,
+    config::decode_string_to_map,
+    constants::COMMIT_BOOST_DOMAIN,
+    error::BlstErrorWrapper,
+    signature::verify_signed_message,
+    signer::BlsPublicKey,
+    types::{Chain, ModuleId},
 };
 
 pub trait ProxyId: AsRef<[u8]> + Debug + Clone + Copy + TreeHash + Display {}
@@ -57,7 +62,8 @@ impl<T: ProxyId> SignedProxyDelegation<T> {
             &self.message.delegator,
             &self.message,
             &self.signature,
-            COMMIT_BOOST_DOMAIN,
+            None,
+            &B32::from(COMMIT_BOOST_DOMAIN),
         )
     }
 }
@@ -198,6 +204,31 @@ pub struct GetPubkeysResponse {
     pub keys: Vec<ConsensusProxyMap>,
 }
 
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct ReloadRequest {
+    #[serde(default, deserialize_with = "deserialize_jwt_secrets")]
+    pub jwt_secrets: Option<HashMap<ModuleId, String>>,
+    pub admin_secret: Option<String>,
+}
+
+pub fn deserialize_jwt_secrets<'de, D>(
+    deserializer: D,
+) -> Result<Option<HashMap<ModuleId, String>>, D::Error>
+where
+    D: Deserializer<'de>,
+{
+    let raw: String = Deserialize::deserialize(deserializer)?;
+
+    decode_string_to_map(&raw)
+        .map(Some)
+        .map_err(|_| serde::de::Error::custom("Invalid format".to_string()))
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct RevokeModuleRequest {
+    pub module_id: ModuleId,
+}
+
 /// Map of consensus pubkeys to proxies
 #[derive(Debug, Clone, Deserialize, Serialize)]
 pub struct ConsensusProxyMap {
@@ -288,7 +319,7 @@ mod tests {
 
         let _: SignedProxyDelegationBls = serde_json::from_str(data).unwrap();
 
-        let data = r#"{ 
+        let data = r#"{
             "message": {
                 "delegator": "0xa3366b54f28e4bf1461926a3c70cdb0ec432b5c92554ecaae3742d33fb33873990cbed1761c68020e6d3c14d30a22050",
                 "proxy": "0x4ca9939a8311a7cab3dde201b70157285fa81a9d"

crates/common/src/commit/request.rs

@@ -47,6 +47,7 @@ pub const SIGNER_JWT_AUTH_FAIL_TIMEOUT_SECONDS_DEFAULT: u32 = 5 * 60;
 
 /// Comma separated list module_id=jwt_secret
 pub const JWTS_ENV: &str = "CB_JWTS";
+pub const ADMIN_JWT_ENV: &str = "CB_SIGNER_ADMIN_JWT";
 
 /// Path to json file with plaintext keys (testing only)
 pub const SIGNER_KEYS_ENV: &str = "CB_SIGNER_LOADER_FILE";

crates/common/src/config/constants.rs

@@ -1,5 +1,6 @@
 use std::collections::HashMap;
 
+use alloy::primitives::B256;
 use eyre::{ContextCompat, Result};
 use serde::{de::DeserializeOwned, Deserialize, Serialize};
 use toml::Table;
@@ -37,6 +38,8 @@ pub struct StaticModuleConfig {
     /// Type of the module
     #[serde(rename = "type")]
     pub kind: ModuleKind,
+    /// Signing ID for the module to use when requesting signatures
+    pub signing_id: B256,
 }
 
 /// Runtime config to start a module