Add payload hash to signer JWT claims

Cargo.toml

@@ -34,6 +34,7 @@ cb-signer = { path = "crates/signer" }
 cipher = "0.4"
 clap = { version = "4.5.4", features = ["derive", "env"] }
 color-eyre = "0.6.3"
+const_format = "0.2.34"
 ctr = "0.9.2"
 derive_more = { version = "2.0.1", features = ["deref", "display", "from", "into"] }
 docker-compose-types = "0.16.0"

crates/common/Cargo.toml

@@ -15,6 +15,7 @@ bimap.workspace = true
 blst.workspace = true
 bytes.workspace = true
 cipher.workspace = true
+const_format.workspace = true
 ctr.workspace = true
 derive_more.workspace = true
 docker-image.workspace = true

crates/common/src/commit/client.rs

@@ -1,22 +1,29 @@
 use std::time::{Duration, Instant};
 
-use alloy::{primitives::Address, rpc::types::beacon::BlsSignature};
+use alloy::primitives::Address;
 use eyre::WrapErr;
 use reqwest::header::{HeaderMap, HeaderValue, AUTHORIZATION};
-use serde::Deserialize;
+use serde::{Deserialize, Serialize};
 use url::Url;
 
 use super::{
-    constants::{GENERATE_PROXY_KEY_PATH, GET_PUBKEYS_PATH, REQUEST_SIGNATURE_PATH},
+    constants::{GENERATE_PROXY_KEY_PATH, GET_PUBKEYS_PATH},
     error::SignerClientError,
     request::{
         EncryptionScheme, GenerateProxyRequest, GetPubkeysResponse, ProxyId, SignConsensusRequest,
-        SignProxyRequest, SignRequest, SignedProxyDelegation,
+        SignProxyRequest, SignedProxyDelegation,
     },
 };
 use crate::{
+    commit::{
+        constants::{
+            REQUEST_SIGNATURE_BLS_PATH, REQUEST_SIGNATURE_PROXY_BLS_PATH,
+            REQUEST_SIGNATURE_PROXY_ECDSA_PATH,
+        },
+        response::{BlsSignResponse, EcdsaSignResponse},
+    },
     constants::SIGNER_JWT_EXPIRATION,
-    signer::{BlsPublicKey, EcdsaSignature},
+    signer::BlsPublicKey,
     types::{Jwt, ModuleId},
     utils::create_jwt,
     DEFAULT_REQUEST_TIMEOUT,
@@ -36,7 +43,7 @@ pub struct SignerClient {
 impl SignerClient {
     /// Create a new SignerClient
     pub fn new(signer_server_url: Url, jwt_secret: Jwt, module_id: ModuleId) -> eyre::Result<Self> {
-        let jwt = create_jwt(&module_id, &jwt_secret)?;
+        let jwt = create_jwt(&module_id, &jwt_secret, None)?;
 
         let mut auth_value =
             HeaderValue::from_str(&format!("Bearer {}", jwt)).wrap_err("invalid jwt")?;
@@ -61,7 +68,7 @@ impl SignerClient {
 
     fn refresh_jwt(&mut self) -> Result<(), SignerClientError> {
         if self.last_jwt_refresh.elapsed() > Duration::from_secs(SIGNER_JWT_EXPIRATION) {
-            let jwt = create_jwt(&self.module_id, &self.jwt_secret)?;
+            let jwt = create_jwt(&self.module_id, &self.jwt_secret, None)?;
 
             let mut auth_value =
                 HeaderValue::from_str(&format!("Bearer {}", jwt)).wrap_err("invalid jwt")?;
@@ -79,6 +86,16 @@ impl SignerClient {
         Ok(())
     }
 
+    fn create_jwt_for_payload<T: Serialize>(
+        &mut self,
+        payload: &T,
+    ) -> Result<Jwt, SignerClientError> {
+        let payload_vec = serde_json::to_vec(payload)?;
+        create_jwt(&self.module_id, &self.jwt_secret, Some(&payload_vec))
+            .wrap_err("failed to create JWT for payload")
+            .map_err(SignerClientError::JWTError)
+    }
+
     /// Request a list of validator pubkeys for which signatures can be
     /// requested.
     // TODO: add more docs on how proxy keys work
@@ -99,14 +116,19 @@ impl SignerClient {
     }
 
     /// Send a signature request
-    async fn request_signature<T>(&mut self, request: &SignRequest) -> Result<T, SignerClientError>
+    async fn request_signature<Q, T>(
+        &mut self,
+        route: &str,
+        request: &Q,
+    ) -> Result<T, SignerClientError>
     where
+        Q: Serialize,
         T: for<'de> Deserialize<'de>,
     {
-        self.refresh_jwt()?;
+        let jwt = self.create_jwt_for_payload(request)?;
 
-        let url = self.url.join(REQUEST_SIGNATURE_PATH)?;
-        let res = self.client.post(url).json(&request).send().await?;
+        let url = self.url.join(route)?;
+        let res = self.client.post(url).json(&request).bearer_auth(jwt).send().await?;
 
         let status = res.status();
         let response_bytes = res.bytes().await?;
@@ -126,22 +148,22 @@ impl SignerClient {
     pub async fn request_consensus_signature(
         &mut self,
         request: SignConsensusRequest,
-    ) -> Result<BlsSignature, SignerClientError> {
-        self.request_signature(&request.into()).await
+    ) -> Result<BlsSignResponse, SignerClientError> {
+        self.request_signature(REQUEST_SIGNATURE_BLS_PATH, &request).await
     }
 
     pub async fn request_proxy_signature_ecdsa(
         &mut self,
         request: SignProxyRequest<Address>,
-    ) -> Result<EcdsaSignature, SignerClientError> {
-        self.request_signature(&request.into()).await
+    ) -> Result<EcdsaSignResponse, SignerClientError> {
+        self.request_signature(REQUEST_SIGNATURE_PROXY_ECDSA_PATH, &request).await
     }
 
     pub async fn request_proxy_signature_bls(
         &mut self,
         request: SignProxyRequest<BlsPublicKey>,
-    ) -> Result<BlsSignature, SignerClientError> {
-        self.request_signature(&request.into()).await
+    ) -> Result<BlsSignResponse, SignerClientError> {
+        self.request_signature(REQUEST_SIGNATURE_PROXY_BLS_PATH, &request).await
     }
 
     async fn generate_proxy_key<T>(
@@ -151,10 +173,10 @@ impl SignerClient {
     where
         T: ProxyId + for<'de> Deserialize<'de>,
     {
-        self.refresh_jwt()?;
+        let jwt = self.create_jwt_for_payload(request)?;
 
         let url = self.url.join(GENERATE_PROXY_KEY_PATH)?;
-        let res = self.client.post(url).json(&request).send().await?;
+        let res = self.client.post(url).json(&request).bearer_auth(jwt).send().await?;
 
         let status = res.status();
         let response_bytes = res.bytes().await?;

crates/common/src/commit/constants.rs

@@ -1,5 +1,12 @@
+use const_format::concatcp;
+
 pub const GET_PUBKEYS_PATH: &str = "/signer/v1/get_pubkeys";
-pub const REQUEST_SIGNATURE_PATH: &str = "/signer/v1/request_signature";
+pub const REQUEST_SIGNATURE_BASE_PATH: &str = "/signer/v1/request_signature";
+pub const REQUEST_SIGNATURE_BLS_PATH: &str = concatcp!(REQUEST_SIGNATURE_BASE_PATH, "/bls");
+pub const REQUEST_SIGNATURE_PROXY_BLS_PATH: &str =
+    concatcp!(REQUEST_SIGNATURE_BASE_PATH, "/proxy-bls");
+pub const REQUEST_SIGNATURE_PROXY_ECDSA_PATH: &str =
+    concatcp!(REQUEST_SIGNATURE_BASE_PATH, "/proxy-ecdsa");
 pub const GENERATE_PROXY_KEY_PATH: &str = "/signer/v1/generate_proxy_key";
 pub const STATUS_PATH: &str = "/status";
 pub const RELOAD_PATH: &str = "/reload";

crates/common/src/commit/mod.rs

@@ -2,3 +2,4 @@ pub mod client;
 pub mod constants;
 pub mod error;
 pub mod request;
+pub mod response;

crates/common/src/commit/request.rs

@@ -9,7 +9,6 @@ use alloy::{
     primitives::{aliases::B32, Address, B256},
     rpc::types::beacon::BlsSignature,
 };
-use derive_more::derive::From;
 use serde::{Deserialize, Deserializer, Serialize};
 use tree_hash::TreeHash;
 use tree_hash_derive::TreeHash;
@@ -74,53 +73,20 @@ impl<T: ProxyId> fmt::Display for SignedProxyDelegation<T> {
     }
 }
 
-// TODO(David): This struct shouldn't be visible to module authors
-#[derive(Debug, Clone, Serialize, Deserialize, From)]
-#[serde(tag = "type", rename_all = "snake_case")]
-pub enum SignRequest {
-    Consensus(SignConsensusRequest),
-    ProxyBls(SignProxyRequest<BlsPublicKey>),
-    ProxyEcdsa(SignProxyRequest<Address>),
-}
-
-impl Display for SignRequest {
-    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        match self {
-            SignRequest::Consensus(req) => write!(
-                f,
-                "Consensus(pubkey: {}, object_root: {})",
-                req.pubkey,
-                hex::encode_prefixed(req.object_root)
-            ),
-            SignRequest::ProxyBls(req) => write!(
-                f,
-                "BLS(proxy: {}, object_root: {})",
-                req.proxy,
-                hex::encode_prefixed(req.object_root)
-            ),
-            SignRequest::ProxyEcdsa(req) => write!(
-                f,
-                "ECDSA(proxy: {}, object_root: {})",
-                req.proxy,
-                hex::encode_prefixed(req.object_root)
-            ),
-        }
-    }
-}
-
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct SignConsensusRequest {
     pub pubkey: BlsPublicKey,
     pub object_root: B256,
+    pub nonce: u64,
 }
 
 impl SignConsensusRequest {
-    pub fn new(pubkey: BlsPublicKey, object_root: B256) -> Self {
-        Self { pubkey, object_root }
+    pub fn new(pubkey: BlsPublicKey, object_root: B256, nonce: u64) -> Self {
+        Self { pubkey, object_root, nonce }
     }
 
     pub fn builder(pubkey: BlsPublicKey) -> Self {
-        Self::new(pubkey, B256::ZERO)
+        Self::new(pubkey, B256::ZERO, u64::MAX - 1)
     }
 
     pub fn with_root<R: Into<B256>>(self, object_root: R) -> Self {
@@ -130,21 +96,38 @@ impl SignConsensusRequest {
     pub fn with_msg(self, msg: &impl TreeHash) -> Self {
         self.with_root(msg.tree_hash_root().0)
     }
+
+    pub fn with_nonce(self, nonce: u64) -> Self {
+        Self { nonce, ..self }
+    }
+}
+
+impl Display for SignConsensusRequest {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(
+            f,
+            "Consensus(pubkey: {}, object_root: {}, nonce: {})",
+            self.pubkey,
+            hex::encode_prefixed(self.object_root),
+            self.nonce
+        )
+    }
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct SignProxyRequest<T: ProxyId> {
     pub proxy: T,
     pub object_root: B256,
+    pub nonce: u64,
 }
 
 impl<T: ProxyId> SignProxyRequest<T> {
-    pub fn new(proxy: T, object_root: B256) -> Self {
-        Self { proxy, object_root }
+    pub fn new(proxy: T, object_root: B256, nonce: u64) -> Self {
+        Self { proxy, object_root, nonce }
     }
 
     pub fn builder(proxy: T) -> Self {
-        Self::new(proxy, B256::ZERO)
+        Self::new(proxy, B256::ZERO, 0)
     }
 
     pub fn with_root<R: Into<B256>>(self, object_root: R) -> Self {
@@ -154,6 +137,34 @@ impl<T: ProxyId> SignProxyRequest<T> {
     pub fn with_msg(self, msg: &impl TreeHash) -> Self {
         self.with_root(msg.tree_hash_root().0)
     }
+
+    pub fn with_nonce(self, nonce: u64) -> Self {
+        Self { nonce, ..self }
+    }
+}
+
+impl Display for SignProxyRequest<BlsPublicKey> {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(
+            f,
+            "BLS(proxy: {}, object_root: {}, nonce: {})",
+            self.proxy,
+            hex::encode_prefixed(self.object_root),
+            self.nonce
+        )
+    }
+}
+
+impl Display for SignProxyRequest<Address> {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(
+            f,
+            "ECDSA(proxy: {}, object_root: {}, nonce: {})",
+            self.proxy,
+            hex::encode_prefixed(self.object_root),
+            self.nonce
+        )
+    }
 }
 
 #[derive(Debug, Clone, Copy, Serialize, Deserialize)]
@@ -249,36 +260,6 @@ mod tests {
     use super::*;
     use crate::signer::EcdsaSignature;
 
-    #[test]
-    fn test_decode_request_signature() {
-        let data = r#"{
-            "type": "consensus",
-            "pubkey": "0xa3366b54f28e4bf1461926a3c70cdb0ec432b5c92554ecaae3742d33fb33873990cbed1761c68020e6d3c14d30a22050",
-            "object_root": "0x5c89913beafa0472168e0ec05e349b4ceb9985d25ab9fa8de53a60208c85b3a5"
-        }"#;
-
-        let request: SignRequest = serde_json::from_str(data).unwrap();
-        assert!(matches!(request, SignRequest::Consensus(..)));
-
-        let data = r#"{
-            "type": "proxy_bls",
-            "proxy": "0xa3366b54f28e4bf1461926a3c70cdb0ec432b5c92554ecaae3742d33fb33873990cbed1761c68020e6d3c14d30a22050",
-            "object_root": "0x5c89913beafa0472168e0ec05e349b4ceb9985d25ab9fa8de53a60208c85b3a5"
-        }"#;
-
-        let request: SignRequest = serde_json::from_str(data).unwrap();
-        assert!(matches!(request, SignRequest::ProxyBls(..)));
-
-        let data = r#"{
-            "type": "proxy_ecdsa",
-            "proxy": "0x4ca9939a8311a7cab3dde201b70157285fa81a9d",
-            "object_root": "0x5c89913beafa0472168e0ec05e349b4ceb9985d25ab9fa8de53a60208c85b3a5"
-        }"#;
-
-        let request: SignRequest = serde_json::from_str(data).unwrap();
-        assert!(matches!(request, SignRequest::ProxyEcdsa(..)));
-    }
-
     #[test]
     fn test_decode_response_signature() {
         let data = r#""0xa3ffa9241f78279f1af04644cb8c79c2d8f02bcf0e28e2f186f6dcccac0a869c2be441fda50f0dea895cfce2e53f0989a3ffa9241f78279f1af04644cb8c79c2d8f02bcf0e28e2f186f6dcccac0a869c2be441fda50f0dea895cfce2e53f0989""#;