feat: EIP-1271 (#301)

* wip: eip1271 * fix: use trait objects * chore: move blockchain API to lib * chore: use latest version * chore: resolve rebase * fix: allow CC0-1.0 license * chore: update to tagged version
WalletConnect · Feb 5, 2024 · 1c6c3ab · 1c6c3ab
1 parent 0601203
commit 1c6c3ab
Show file tree

Hide file tree

Showing 14 changed files with 915 additions and 65 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -75,8 +75,8 @@ futures = "0.3.26"
 futures-util = "0.3"
 dashmap = "5.4.0"
 
-relay_rpc = { git = "https://github.com/WalletConnect/WalletConnectRust.git", tag = "v0.24.0", features = ["cacao"] }
-relay_client = { git = "https://github.com/WalletConnect/WalletConnectRust.git", tag = "v0.24.0" }
+relay_rpc = { git = "https://github.com/WalletConnect/WalletConnectRust.git", tag = "v0.26.0", features = ["cacao"] }
+relay_client = { git = "https://github.com/WalletConnect/WalletConnectRust.git", tag = "v0.26.0" }
 x25519-dalek = { version = "2.0.0", features = ["static_secrets"] }
 hkdf = "0.12.3"
 sha2 = "0.10.6"

diff --git a/deny.toml b/deny.toml
@@ -7,7 +7,8 @@ allow = [
     "Unlicense",
     "BSD-3-Clause",
     "0BSD",
-    "ISC"
+    "ISC",
+    "CC0-1.0"
 ]
 
 exceptions = [{ name = "unicode-ident", allow = ["Unicode-DFS-2016"] }]

diff --git a/src/auth.rs b/src/auth.rs
@@ -7,6 +7,7 @@ use {
             types::{AccountId, AccountIdParseError},
         },
         registry::storage::{redis::Redis, KeyValueStorage},
+        BlockchainApiProvider,
     },
     base64::{DecodeError, Engine},
     chrono::{DateTime, Duration as CDuration, Utc},
@@ -665,6 +666,7 @@ pub async fn verify_identity(
     ksu: &str,
     sub: &str,
     redis: Option<&Arc<Redis>>,
+    provider: &BlockchainApiProvider,
     metrics: Option<&Metrics>,
 ) -> Result<Authorization, NotifyServerError> {
     let mut url = Url::parse(ksu)?.join(KEYS_SERVER_IDENTITY_ENDPOINT)?;
@@ -680,7 +682,10 @@ pub async fn verify_identity(
 
     let account = AccountId::from_did_pkh(&cacao.p.iss).map_err(AuthError::CacaoIssNotDidPkh)?;
 
-    let always_true = cacao.verify().map_err(AuthError::CacaoValidation)?;
+    let always_true = cacao
+        .verify(provider)
+        .await
+        .map_err(AuthError::CacaoValidation)?;
     assert!(always_true);
 
     // TODO verify `cacao.p.aud`. Blocked by at least https://github.com/WalletConnect/walletconnect-utils/issues/128

diff --git a/src/lib.rs b/src/lib.rs
@@ -14,7 +14,9 @@ use {
     aws_sdk_s3::{config::Region, Client as S3Client},
     error::NotifyServerError,
     rand::prelude::*,
-    relay_rpc::auth::ed25519_dalek::Keypair,
+    relay_rpc::auth::{
+        cacao::signature::eip1271::blockchain_api::BlockchainApiProvider, ed25519_dalek::Keypair,
+    },
     sqlx::postgres::PgPoolOptions,
     std::sync::Arc,
     tokio::{select, sync::broadcast},
@@ -116,6 +118,7 @@ pub async fn bootstrap(
         redis,
         registry,
         config.clock,
+        BlockchainApiProvider::new(config.project_id),
     )?);
 
     let private_http_server =

diff --git a/src/services/websocket_server/handlers/notify_delete.rs b/src/services/websocket_server/handlers/notify_delete.rs
@@ -115,6 +115,7 @@ pub async fn handle(
             &request_auth.ksu,
             &request_auth.sub,
             state.redis.as_ref(),
+            &state.provider,
             state.metrics.as_ref(),
         )
         .await

diff --git a/src/services/websocket_server/handlers/notify_get_notifications.rs b/src/services/websocket_server/handlers/notify_get_notifications.rs
@@ -109,6 +109,7 @@ pub async fn handle(msg: PublishedMessage, state: &AppState) -> Result<(), Relay
             &request_auth.ksu,
             &request_auth.sub,
             state.redis.as_ref(),
+            &state.provider,
             state.metrics.as_ref(),
         )
         .await

diff --git a/src/services/websocket_server/handlers/notify_subscribe.rs b/src/services/websocket_server/handlers/notify_subscribe.rs
@@ -130,6 +130,7 @@ pub async fn handle(msg: PublishedMessage, state: &AppState) -> Result<(), Relay
             &request_auth.ksu,
             &request_auth.sub,
             state.redis.as_ref(),
+            &state.provider,
             state.metrics.as_ref(),
         )
         .await

diff --git a/src/services/websocket_server/handlers/notify_update.rs b/src/services/websocket_server/handlers/notify_update.rs
@@ -108,6 +108,7 @@ pub async fn handle(msg: PublishedMessage, state: &AppState) -> Result<(), Relay
             &request_auth.ksu,
             &request_auth.sub,
             state.redis.as_ref(),
+            &state.provider,
             state.metrics.as_ref(),
         )
         .await

diff --git a/src/services/websocket_server/handlers/notify_watch_subscriptions.rs b/src/services/websocket_server/handlers/notify_watch_subscriptions.rs
@@ -103,6 +103,7 @@ pub async fn handle(msg: PublishedMessage, state: &AppState) -> Result<(), Relay
             &request_auth.ksu,
             &request_auth.sub,
             state.redis.as_ref(),
+            &state.provider,
             state.metrics.as_ref(),
         )
         .await

diff --git a/src/state.rs b/src/state.rs
@@ -9,7 +9,9 @@ use {
         Configuration,
     },
     build_info::BuildInfo,
-    relay_rpc::auth::ed25519_dalek::Keypair,
+    relay_rpc::auth::{
+        cacao::signature::eip1271::blockchain_api::BlockchainApiProvider, ed25519_dalek::Keypair,
+    },
     serde::{Deserialize, Serialize},
     sqlx::PgPool,
     std::{fmt, sync::Arc},
@@ -29,6 +31,7 @@ pub struct AppState {
     pub registry: Arc<Registry>,
     pub notify_keys: NotifyKeys,
     pub clock: Clock,
+    pub provider: BlockchainApiProvider,
 }
 
 build_info::build_info!(fn build_info);
@@ -47,6 +50,7 @@ impl AppState {
         redis: Option<Arc<Redis>>,
         registry: Arc<Registry>,
         clock: Clock,
+        provider: BlockchainApiProvider,
     ) -> Result<Self, NotifyServerError> {
         let build_info: &BuildInfo = build_info();
 
@@ -65,6 +69,7 @@ impl AppState {
             registry,
             notify_keys,
             clock,
+            provider,
         })
     }
 

diff --git a/tests/deployment.rs b/tests/deployment.rs
@@ -1,7 +1,7 @@
 use {
     crate::utils::{
-        encode_auth, generate_account, verify_jwt, UnregisterIdentityRequestAuth, JWT_LEEWAY,
-        RELAY_MESSAGE_DELIVERY_TIMEOUT,
+        encode_auth, generate_account, verify_jwt, MockGetRpcUrl, UnregisterIdentityRequestAuth,
+        JWT_LEEWAY, RELAY_MESSAGE_DELIVERY_TIMEOUT,
     },
     base64::Engine,
     chacha20poly1305::{
@@ -50,7 +50,7 @@ use {
     rand::{rngs::StdRng, SeedableRng},
     relay_rpc::{
         auth::{
-            cacao::{self, signature::Eip191},
+            cacao::{self, signature::eip191::eip191_bytes},
             ed25519_dalek::Keypair,
         },
         domain::{DecodedClientId, ProjectId},
@@ -411,14 +411,14 @@ async fn run_test(statement: String, watch_subscriptions_all_domains: bool) {
             },
         };
         let (signature, recovery): (k256::ecdsa::Signature, _) = account_signing_key
-            .sign_digest_recoverable(Keccak256::new_with_prefix(
-                Eip191.eip191_bytes(&cacao.siwe_message().unwrap()),
-            ))
+            .sign_digest_recoverable(Keccak256::new_with_prefix(eip191_bytes(
+                &cacao.siwe_message().unwrap(),
+            )))
             .unwrap();
         let cacao_signature = [&signature.to_bytes()[..], &[recovery.to_byte()]].concat();
         cacao.s.t = "eip191".to_owned();
         cacao.s.s = hex::encode(cacao_signature);
-        cacao.verify().unwrap();
+        cacao.verify(&MockGetRpcUrl).await.unwrap();
 
         let response = reqwest::Client::builder()
             .build()