Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(op-signer): local KMS provider #252

Merged
merged 13 commits into from
Mar 21, 2025
Merged

feat(op-signer): local KMS provider #252

merged 13 commits into from
Mar 21, 2025

Conversation

edobry
Copy link
Contributor

@edobry edobry commented Mar 20, 2025
edited
Loading

Description

This PR implements a new LOCAL KMS provider in order to enable signing transactions using a local private key file, intended for use only in local development and testing environments.

Changes

This PR:

  • pulls the provider package up to the same level as service
  • renames SignerServiceConfig to ProviderConfig and moves it to the provider package
  • renames CloudKMSSignatureProvider to GCPKMSSignatureProvider
  • implements the LocalKMSSignatureProvider
  • updates the README to document the configuration format
  • updates the gen-local-tls.sh script

Testing

To test this feature, you can use the following steps:

  1. generate a private key
openssl ecparam -name secp256k1 -genkey -noout -param_enc explicit -out "ec_private.pem"
  1. configure op-signer to use this key
provider: LOCAL
auth:
  - name: localhost
    key: ec_private.pem
  1. use the ./gen-local-tls.sh script to generate a self-signed CA and mTLS keys
  2. trust the CA root on your machine (MacOS only)
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain tls/ca.crt
  1. build & run op-signer
make build && ./bin/signer
  1. send a test RPC
curl -X POST -H  "Content-Type: application/json" \
  --cert tls/tls.crt \
  --key tls/tls.key \
  -d @test-rpc.json \
  https://localhost:8080
  1. confirm that the first TX succeeds and the second fails
[
  {
    "jsonrpc": "2.0",
    "id": "1",
    "result": "0x02f89d82053980010182753094000000000000000000000000000000000000aaaa0180f838f794000000000000000000000000000000000000aaaae1a0000000000000000000000000000000000000000000000000000000000000000080a0ba1bf0d4e091881d59bd0f38f16a99906d7dfb33a2e298e04162b863672d1504a07d55d98ace9950ec23a1a0da02bb8dc497f7419e0057a930119d3e6769e61c77"
  },
  {
    "jsonrpc": "2.0",
    "id": "1",
    "error": {
      "code": -32010,
      "message": "nonce not specified"
    }
  }
]

Context

This PR currently targets the AWS KMS branch (#122) in order to simplify the diff, and needs to be repointed at main once that PR is merged.

In service of: https://github.com/ethereum-optimism/platforms-team/issues/581

@edobry edobry requested a review from a team as a code owner March 20, 2025 21:23
@edobry edobry requested review from zhwrd and removed request for a team March 20, 2025 21:23
@codecov-commenter
Copy link

codecov-commenter commented Mar 20, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 83.45865% with 22 lines in your changes missing coverage. Please review.

Project coverage is 53.55%. Comparing base (e4bcd59) to head (f7ea78a).
Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
op-signer/provider/local_kms.go 90.42% 6 Missing and 3 partials ⚠️
op-signer/provider/gcp_kms.go 63.63% 4 Missing ⚠️
op-signer/provider/provider.go 20.00% 4 Missing ⚠️
op-signer/app.go 0.00% 3 Missing ⚠️
op-signer/service/service.go 60.00% 2 Missing ⚠️
Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main     #252      +/-   ##
==========================================
+ Coverage   53.11%   53.55%   +0.43%     
==========================================
  Files          66       67       +1     
  Lines        7749     7845      +96     
==========================================
+ Hits         4116     4201      +85     
- Misses       3356     3364       +8     
- Partials      277      280       +3
Flag Coverage Δ
op-signer 47.60% <83.45%> (+4.43%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
op-signer/provider/aws_kms.go 56.41% <ø> (ø)
op-signer/provider/config.go 68.42% <100.00%> (ø)
op-signer/provider/mock_kms.go 82.35% <100.00%> (ø)
op-signer/provider/mock_provider.go 62.50% <ø> (ø)
op-signer/provider/utils.go 72.72% <ø> (ø)
op-signer/service/service.go 70.12% <60.00%> (ø)
op-signer/app.go 0.00% <0.00%> (ø)
op-signer/provider/gcp_kms.go 56.02% <63.63%> (ø)
op-signer/provider/provider.go 37.50% <20.00%> (ø)
op-signer/provider/local_kms.go 90.42% <90.42%> (ø)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

ddaws
ddaws reviewed Mar 21, 2025
View reviewed changes
op-signer/gen-local-tls.sh
@@ -7,39 +7,51 @@ TLS_DIR=$SCRIPT_DIR/tls

version=$(openssl version)

if [[ "$version" != "LibreSSL"* ]] && [[ "$version" != "OpenSSL 1.1"* ]]; then
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've put up a PR to change gen-local-tls.sh to use the alpine/openssl docker image. This should help make this script more portable, so we don't need to depend on specific versions of installed TLS libs

Here is the PR #255

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that seems like a good change, i'll review, ty! i'm about to merge this PR however, so we'll need to update your PR once that happens to account for my changes. happy to take that task

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @edobry. I've fixed merge conflicts #255

jelias2
jelias2 reviewed Mar 21, 2025
View reviewed changes
op-signer/gen-local-tls.sh

mkdir -p "$TLS_DIR"

org="OP Labs"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should the org be something more generic? Like OP-Signer Local Org?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

perhaps, I just kept it as-is. its only used in testing anyway

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update to OP-Signer Local Org here:
https://github.com/ethereum-optimism/infra/pull/255/files#diff-48ea7eacdc0406935a5d46703b44e6014f4eaa35126ee1d6d66a030b3ecd91ceR13

@zhwrd
Copy link
Contributor

zhwrd commented Mar 21, 2025

merged the upstream pr, can you rebase onto main?

@edobry edobry force-pushed the edobry/signer-local branch from ebaf355 to 0ddaf3b Compare March 21, 2025 17:56
@edobry edobry changed the base branch from ddaws/add-aws-kms-provider to main March 21, 2025 18:07
@edobry edobry merged commit ef1f296 into main Mar 21, 2025
6 checks passed
@edobry edobry deleted the edobry/signer-local branch March 21, 2025 18:08
@edobry edobry mentioned this pull request Mar 24, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ddaws ddaws ddaws left review comments

@jelias2 jelias2 jelias2 approved these changes

@zhwrd zhwrd Awaiting requested review from zhwrd zhwrd is a code owner automatically assigned from ethereum-optimism/infra-reviewers

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@edobry @codecov-commenter @zhwrd @ddaws @jelias2