feat: Add NEP-413 message verification (#98)

- Added NEP-413 verify method to verify payload and check that the account has a Full AccessKey
- Made PublicKey copiable as it is at max 64 bytes, so it should be fine to copy
- Accept as reference NEP413Payload for signing
- Added tests for verify method and updated example

Author: Copilot

api/Cargo.toml

@@ -50,7 +50,7 @@ keyring = { workspace = true, features = [
 
 [features]
 default = []
-ledger = ["near-ledger"]
+ledger = ["near-ledger", "near-api-types/ledger"]
 keystore = ["dep:keyring"]
 
 [dev-dependencies]

api/examples/nep_413_signing_message.rs

@@ -1,13 +1,15 @@
-use near_api::Signer;
+use near_api::{NetworkConfig, Signer};
 
+use near_sandbox::config::{DEFAULT_GENESIS_ACCOUNT, DEFAULT_GENESIS_ACCOUNT_PRIVATE_KEY};
 use openssl::rand::rand_bytes;
 
 #[tokio::main]
 async fn main() -> testresult::TestResult {
-    let signer = Signer::from_seed_phrase(
-        "fatal edge jacket cash hard pass gallery fabric whisper size rain biology",
-        None,
-    )?;
+    let sandbox = near_sandbox::Sandbox::start_sandbox().await?;
+    let network = NetworkConfig::from_rpc_url("sandbox", sandbox.rpc_addr.parse()?);
+
+    let signer = Signer::from_secret_key(DEFAULT_GENESIS_ACCOUNT_PRIVATE_KEY.parse()?)?;
+    let public_key = signer.get_public_key().await?;
 
     let mut nonce = [0u8; 32];
     rand_bytes(&mut nonce)?;
@@ -20,14 +22,20 @@ async fn main() -> testresult::TestResult {
     };
 
     let signature = signer
-        .sign_message_nep413(
-            "round-toad.testnet".parse()?,
-            signer.get_public_key().await?,
-            payload,
-        )
+        .sign_message_nep413(DEFAULT_GENESIS_ACCOUNT.into(), public_key, &payload)
         .await?;
 
     println!("Signature: {signature}");
 
+    let result = payload
+        .verify(
+            &DEFAULT_GENESIS_ACCOUNT.into(),
+            public_key,
+            &signature,
+            &network,
+        )
+        .await?;
+    assert!(result);
+
     Ok(())
 }

api/src/common/send.rs

@@ -129,7 +129,7 @@ impl ExecuteSignedTransaction {
 
         let signed_tr = self
             .signer
-            .sign(transaction, public_key.clone(), nonce, block_hash)
+            .sign(transaction, public_key, nonce, block_hash)
             .await?;
 
         self.transaction =
@@ -161,7 +161,7 @@ impl ExecuteSignedTransaction {
             .map_err(SignerError::from)?;
         let (nonce, hash, _) = self
             .signer
-            .fetch_tx_nonce(transaction.signer_id.clone(), signer_key.clone(), network)
+            .fetch_tx_nonce(transaction.signer_id.clone(), signer_key, network)
             .await
             .map_err(MetaSignError::from)?;
         self.presign_offline(signer_key, hash, nonce).await
@@ -438,7 +438,7 @@ impl ExecuteMetaTransaction {
             .map_err(MetaSignError::from)?;
         let (nonce, block_hash, block_height) = self
             .signer
-            .fetch_tx_nonce(transaction.signer_id.clone(), signer_key.clone(), network)
+            .fetch_tx_nonce(transaction.signer_id.clone(), signer_key, network)
             .await
             .map_err(MetaSignError::from)?;
         self.presign_offline(signer_key, block_hash, nonce, block_height)

api/src/signer/keystore.rs

@@ -22,25 +22,24 @@ impl SignerTrait for KeystoreSigner {
     async fn get_secret_key(
         &self,
         signer_id: &AccountId,
-        public_key: &PublicKey,
+        public_key: PublicKey,
     ) -> Result<SecretKey, SignerError> {
         debug!(target: KEYSTORE_SIGNER_TARGET, "Searching for matching public key");
         self.potential_pubkeys
             .iter()
-            .find(|key| *key == public_key)
+            .find(|key| **key == public_key)
             .ok_or(PublicKeyError::PublicKeyIsNotAvailable)?;
 
         info!(target: KEYSTORE_SIGNER_TARGET, "Retrieving secret key");
         // TODO: fix this. Well the search is a bit suboptimal, but it's not a big deal for now
-        let secret = if let Ok(secret) =
-            Self::get_secret_key(signer_id, public_key.clone(), "mainnet").await
-        {
-            secret
-        } else {
-            Self::get_secret_key(signer_id, public_key.clone(), "testnet")
-                .await
-                .map_err(|_| SignerError::SecretKeyIsNotAvailable)?
-        };
+        let secret =
+            if let Ok(secret) = Self::get_secret_key(signer_id, public_key, "mainnet").await {
+                secret
+            } else {
+                Self::get_secret_key(signer_id, public_key, "testnet")
+                    .await
+                    .map_err(|_| SignerError::SecretKeyIsNotAvailable)?
+            };
 
         info!(target: KEYSTORE_SIGNER_TARGET, "Secret key prepared successfully");
         Ok(secret.private_key)
@@ -84,7 +83,7 @@ impl KeystoreSigner {
             .filter(|(_, access_key)| {
                 matches!(access_key.permission, AccessKeyPermission::FullAccess)
             })
-            .map(|(public_key, _)| public_key.clone())
+            .map(|(public_key, _)| *public_key)
             .map(|key| Self::get_secret_key(&account_id, key, &network.network_name));
         let potential_pubkeys: Vec<PublicKey> = join_all(potential_pubkeys)
             .await

api/src/signer/ledger.rs

@@ -137,11 +137,11 @@ impl SignerTrait for LedgerSigner {
         &self,
         _signer_id: AccountId,
         _public_key: PublicKey,
-        payload: NEP413Payload,
+        payload: &NEP413Payload,
     ) -> Result<Signature, SignerError> {
         info!(target: LEDGER_SIGNER_TARGET, "Signing NEP413 message with Ledger");
         let hd_path = self.hd_path.clone();
-        let payload = payload.into();
+        let payload = payload.to_owned().into();
 
         let signature: Vec<u8> = tokio::task::spawn_blocking(move || {
             let signature =
@@ -164,7 +164,7 @@ impl SignerTrait for LedgerSigner {
     async fn get_secret_key(
         &self,
         _signer_id: &AccountId,
-        _public_key: &PublicKey,
+        _public_key: PublicKey,
     ) -> Result<SecretKey, SignerError> {
         warn!(target: LEDGER_SIGNER_TARGET, "Attempted to access secret key, which is not available for Ledger signer");
         Err(SignerError::SecretKeyIsNotAvailable)
@@ -173,14 +173,14 @@ impl SignerTrait for LedgerSigner {
     #[instrument(skip(self))]
     fn get_public_key(&self) -> Result<PublicKey, PublicKeyError> {
         if let Some(public_key) = self.public_key.get() {
-            Ok(public_key.clone())
+            Ok(*public_key)
         } else {
             let public_key = near_ledger::get_wallet_id(self.hd_path.clone())
                 .map_err(|_| PublicKeyError::PublicKeyIsNotAvailable)?;
             let public_key = PublicKey::ED25519(
                 near_api_types::crypto::public_key::ED25519PublicKey(*public_key.as_bytes()),
             );
-            self.public_key.set(public_key.clone())?;
+            self.public_key.set(public_key)?;
             Ok(public_key)
         }
     }