Add client authentication to the remote signer config

Cargo.toml

@@ -57,7 +57,8 @@ prometheus = "0.14.0"
 prost = "0.13.4"
 rand = { version = "0.9", features = ["os_rng"] }
 rayon = "1.10.0"
-reqwest = { version = "0.12.4", features = ["json", "stream"] }
+rcgen = "0.14.5"
+reqwest = { version = "0.12.4", default-features = false, features = ["json", "stream", "rustls-tls"] }
 serde = { version = "1.0.202", features = ["derive"] }
 serde_json = "1.0.117"
 serde_yaml = "0.9.33"

config.example.toml

@@ -190,6 +190,13 @@ jwt_auth_fail_timeout_seconds = 300
 # [signer.remote]
 # URL of the Web3Signer instance
 # url = "https://remote.signer.url"
+# Path to the client certificate for client authentication
+# OPTIONAL
+# cert_path = "/path/to/client.crt"
+# Path to the client key for client authentication
+# OPTIONAL
+# key_path = "/path/to/client.key"
+
 # For Dirk signer:
 # [signer.dirk]
 # Path to the client certificate to authenticate with Dirk

crates/cli/src/docker_init.rs

@@ -74,7 +74,9 @@ pub async fn handle_docker_init(config_path: PathBuf, output_dir: PathBuf) -> Re
     // address for signer API communication
     let signer_port = cb_config.signer.as_ref().map(|s| s.port).unwrap_or(SIGNER_PORT_DEFAULT);
     let signer_server =
-        if let Some(SignerConfig { inner: SignerType::Remote { url }, .. }) = &cb_config.signer {
+        if let Some(SignerConfig { inner: SignerType::Remote { url, client_auth: _ }, .. }) =
+            &cb_config.signer
+        {
             url.to_string()
         } else {
             format!("http://cb_signer:{signer_port}")

crates/common/src/commit/client.rs

@@ -2,7 +2,10 @@ use std::time::{Duration, Instant};
 
 use alloy::primitives::Address;
 use eyre::WrapErr;
-use reqwest::header::{AUTHORIZATION, HeaderMap, HeaderValue};
+use reqwest::{
+    Identity,
+    header::{AUTHORIZATION, HeaderMap, HeaderValue},
+};
 use serde::Deserialize;
 use url::Url;
 
@@ -16,6 +19,7 @@ use super::{
 };
 use crate::{
     DEFAULT_REQUEST_TIMEOUT,
+    config::ClientAuthConfig,
     constants::SIGNER_JWT_EXPIRATION,
     signer::EcdsaSignature,
     types::{BlsPublicKey, BlsSignature, Jwt, ModuleId},
@@ -35,7 +39,12 @@ pub struct SignerClient {
 
 impl SignerClient {
     /// Create a new SignerClient
-    pub fn new(signer_server_url: Url, jwt_secret: Jwt, module_id: ModuleId) -> eyre::Result<Self> {
+    pub fn new(
+        signer_server_url: Url,
+        jwt_secret: Jwt,
+        module_id: ModuleId,
+        client_auth: Option<ClientAuthConfig>,
+    ) -> eyre::Result<Self> {
         let jwt = create_jwt(&module_id, &jwt_secret)?;
 
         let mut auth_value =
@@ -45,10 +54,18 @@ impl SignerClient {
         let mut headers = HeaderMap::new();
         headers.insert(AUTHORIZATION, auth_value);
 
-        let client = reqwest::Client::builder()
-            .timeout(DEFAULT_REQUEST_TIMEOUT)
-            .default_headers(headers)
-            .build()?;
+        let mut client =
+            reqwest::Client::builder().timeout(DEFAULT_REQUEST_TIMEOUT).default_headers(headers);
+
+        if let Some(ClientAuthConfig { cert_path, key_path }) = client_auth {
+            let cert = std::fs::read_to_string(cert_path)?;
+            let key = std::fs::read_to_string(key_path)?;
+            let buffer = format!("{cert}\n{key}");
+            let identity = Identity::from_pem(buffer.as_bytes())?;
+            client = client.identity(identity);
+        }
+
+        let client = client.build()?;
 
         Ok(Self {
             url: signer_server_url,

crates/common/src/config/module.rs

@@ -7,6 +7,7 @@ use toml::Table;
 use crate::{
     commit::client::SignerClient,
     config::{
+        SignerConfig, SignerType,
         constants::{CONFIG_ENV, MODULE_ID_ENV, MODULE_JWT_ENV, SIGNER_URL_ENV},
         load_env_var,
         utils::load_file_from_env,
@@ -79,6 +80,7 @@ pub fn load_commit_module_config<T: DeserializeOwned>() -> Result<StartCommitMod
     struct StubConfig<U> {
         chain: Chain,
         modules: Vec<ThisModule<U>>,
+        signer: Option<SignerConfig>,
     }
 
     // load module config including the extra data (if any)
@@ -101,7 +103,16 @@ pub fn load_commit_module_config<T: DeserializeOwned>() -> Result<StartCommitMod
         .find(|m| m.static_config.id == module_id)
         .wrap_err(format!("failed to find module for {module_id}"))?;
 
-    let signer_client = SignerClient::new(signer_server_url, module_jwt, module_id)?;
+    let client_auth = if let Some(signer) = cb_config.signer {
+        match signer.inner {
+            SignerType::Remote { url: _, client_auth } => client_auth,
+            _ => None,
+        }
+    } else {
+        None
+    };
+
+    let signer_client = SignerClient::new(signer_server_url, module_jwt, module_id, client_auth)?;
 
     Ok(StartCommitModuleConfig {
         id: module_config.static_config.id,