Skip to content
This repository was archived by the owner on May 22, 2023. It is now read-only.

CLI command to sign and verify operator's signature#613

Merged
dimpar merged 10 commits into
masterfrom
operator-signing
Nov 19, 2020
Merged

CLI command to sign and verify operator's signature#613
dimpar merged 10 commits into
masterfrom
operator-signing

Conversation

@nkuba
Copy link
Copy Markdown
Member

@nkuba nkuba commented Nov 18, 2020
edited
Loading

We added functions to let the operator running the client calculate and verify ethereum signatures. This gives an easy way of confirming messages with the operator's key without a need to pull the key out of the node running the client or installing additional libraries to handle the signing.

It calculates a signature in ethereum R, S, V format. The V property is needed to recover a public key (and address) from a signature on verification.

Closes: #612

Sign message

Documentation

$ ./keep-ecdsa signing ethereum sign --help
NAME:
   keep-ecdsa signing ethereum sign - Sign a message using the operator's key

USAGE:
   keep-ecdsa signing ethereum sign [command options] [message]

DESCRIPTION:
   Calculates an ethereum signature for a given message.
The message is expected to be provided as a string, it is later hashed with SHA-256
and passed to Ethereum ECDSA signing. Signature is calculated in Ethereum specific
format as a hexadecimal string representation of 65-byte {R, S, V} parameters.

It requires an Ethereum key to be provided in an encrypted file. A path to the key file
can be configured in a config file or specified directly with an 'eth-key-file' flag.

The key file is expected to be encrypted with a password provided as KEEP_ETHEREUM_PASSWORD
environment variable.
  
The result is outputted in a common Ethereum signature format:
{
  "address": "<address>",
  "msg": "<content>",
  "sig": "<signature>",
  "version": "2"
}

If 'output-file' flag is set the result will be stored in a specified file path.


OPTIONS:
   --eth-key-file value, -k value  Path to the ethereum key file. If not provided read the path from a config file.
   --output-file value, -o value   Output file for the signature

Examples

# read default config
$ KEEP_ETHEREUM_PASSWORD="password" ./keep-ecdsa signing ethereum sign verySecretMessage
{"address":"0x6299496199d99941193fdd2d717ef585f431ea05","msg":"verySecretMessage","sig":"e2e7f8f540b8d0274e78f666113be50b76050e19c73d9999f840cc09201097d562d93d0aa2fe44daaec50aefece8242178758be297e826a79ea6d826e4dd7e0501","version":2}

# read custom config path
$ KEEP_ETHEREUM_PASSWORD="password" ./keep-ecdsa --config ./configs/config.toml signing ethereum sign verySecretMessage
{"address":"0x6299496199d99941193fdd2d717ef585f431ea05","msg":"verySecretMessage","sig":"e2e7f8f540b8d0274e78f666113be50b76050e19c73d9999f840cc09201097d562d93d0aa2fe44daaec50aefece8242178758be297e826a79ea6d826e4dd7e0501","version":2}

# read key file directly
$ KEEP_ETHEREUM_PASSWORD="password" ./keep-ecdsa signing ethereum sign --eth-key-file /ethereum/keystore/93df7c54c41a9d7fb17c1e8039d387a2a924708c verySecretMessage
{"address":"0x93df7c54c41a9d7fb17c1e8039d387a2a924708c","msg":"verySecretMessage","sig":"d472bf16d88a4b516a7c7d846f9b2c96d4911109ed5b3c87fb3de7304ed06e590bd1d30259e1d3ea68572088ebfca825a541e4240ab3520b098b4d8536af606401","version":2}

# output to a file
$ KEEP_ETHEREUM_PASSWORD="password" ./keep-ecdsa signing ethereum sign --output-file signature.json verySecretMessage
output stored to a file: signature.json

Verify signature

Documentation

$ ./keep-ecdsa signing ethereum verify --help
NAME:
   keep-ecdsa signing ethereum verify - Verifies a signature

USAGE:
   keep-ecdsa signing ethereum verify [command options] [ethereum-signature]

DESCRIPTION:
   Verifies if a signature was calculated for a message 
by an ethereum account identified by an address. 

It expects a signature to be provided in a common Ethereum signature format:
{
  "address": "<address>",
  "msg": "<content>",
  "sig": "<signature>",
  "version": "2"
}

If 'input-file' flag is set the input will be read from a specified file path.


OPTIONS:
   --input-file value, -i value  Input file with the signature

Examples

# valid signature
$ ./keep-ecdsa signing ethereum verify '{"address":"0x6299496199d99941193fdd2d717ef585f431ea05","msg":"verySecretMessage","sig":"e2e7f8f540b8d0274e78f666113be50b76050e19c73d9999f840cc09201097d562d93d0aa2fe44daaec50aefece8242178758be297e826a79ea6d826e4dd7e0501","version":2}'
signature verified correctly, message [verySecretMessage] was signed by [0x6299496199d99941193Fdd2d717ef585F431eA05]

# valid signature
$ ./keep-ecdsa signing ethereum verify --input-file signature.json
signature verified correctly, message [verySecretMessage] was signed by [0x6299496199d99941193Fdd2d717ef585F431eA05]

# invalid signature
$ ./keep-ecdsa signing ethereum verify --input-file invalid-signature.json
signature verification failed: invalid signer
        expected: 0x93df7c54c41A9D7FB17C1E8039d387a2A924708c
        actual:   0x6299496199d99941193Fdd2d717ef585F431eA05

@nkuba
CLI command to sign and verify operator's signature
4ca83c1 
We added functions to let operator running the client to calculate and
verify ethereum signatures. This gives easy way of confirming messages
with operator's key without a need to pull the key out of the node
running the client or installing additional libraries to handle the
signing.
@pdyraga pdyraga added this to the v1.5.0 milestone Nov 19, 2020
nkuba added 4 commits November 19, 2020 12:04
@nkuba
Extracted output data part to a common function
383bd44 
We can reuse the part where we provide output directory for a file in
other functions. Here we extracted this code.
@nkuba
Moved signing ethereum command to a dedicated file
b8deaf5 
We want to enhance the code for ethereum signing so it may be a good
idea to extract these to a separate file.
@nkuba
Fixed a problem with reading key file path
2991823 
We used wrong name to set the value for key file path variable.
We also don't need to introduce another variable, we can use just one.
@nkuba
Introduce common Ethereum signature JSON format
06ca54f 
We expect a signature in a common Ethereum signature JSON format:
{
  "address": "<address>",
  "msg": "<content>",
  "sig": "<signature>",
  "version": "2"
}

Added a possibility to output the signature to a file and read a file on
verification.
@nkuba
Copy link
Copy Markdown
Member Author

nkuba commented Nov 19, 2020

Updated the code to handle signature format specified in https://coda.io/d/Operator-Information_d846PmoUIrs/Interim-BTC-Recovery-Process_sutgB#_lu22Q

@nkuba nkuba requested a review from dimpar November 19, 2020 12:14
@dimpar
Copy link
Copy Markdown
Contributor

dimpar commented Nov 19, 2020 

# read default config
$ KEEP_ETHEREUM_PASSWORD="password" ./keep-ecdsa signing ethereum sign verySecretMessage

Do you think we can add to the doc file a note about where the default config is?

# output to a file
$ KEEP_ETHEREUM_PASSWORD="password" ./keep-ecdsa signing ethereum sign --output-file signature.json verySecretMessage

Is it intentional that we will throw an error signature.json already exist upon multiple execution of the command above?

@nkuba
Clean file path on input read
6a692e3 
Cleaning the user provided path should solve gosec discovered issue.
dimpar
dimpar reviewed Nov 19, 2020
View reviewed changes
Comment thread cmd/signing_ethereum.go
dimpar
dimpar reviewed Nov 19, 2020
View reviewed changes
Comment thread cmd/signing_ethereum.go
@nkuba
Copy link
Copy Markdown
Member Author

nkuba commented Nov 19, 2020

Do you think we can add to the doc file a note about where the default config is?

It's a flag inherited from the main command https://github.com/keep-network/keep-ecdsa/blob/master/main.go#L53-L58 the information can be obtained by running ./keep-ecdsa --help

@nkuba
Copy link
Copy Markdown
Member Author

nkuba commented Nov 19, 2020
edited
Loading

Is it intentional that we will throw an error signature.json already exist upon multiple execution of the command above?

It's not needed in this case. I'll update the code.

3fb44f0

dimpar
dimpar reviewed Nov 19, 2020
View reviewed changes
Comment thread cmd/signing_ethereum.go
@nkuba
Overwrite file with signature
3fb44f0 
If a file with signature already exists overwrite it.

We don't want it to be default bahaviour so left check fo key shares
files.
@nkuba nkuba requested a review from dimpar November 19, 2020 13:43
dimpar
dimpar reviewed Nov 19, 2020
View reviewed changes
Comment thread cmd/signing.go Outdated
nkuba added 2 commits November 19, 2020 15:31
@nkuba
Pass file mode to output data command
379fccc 
We can expect file mode to be provided to outputData function instead of
the boolen value. We don't need to check if the file exists before
writing to it as access permissions of the file will prevent us from
overwriting it if configured properly.
@nkuba
Merge branch 'operator-signing' of github.com:keep-network/keep-tecds…
a28bbaa 
…a into operator-signing
@nkuba nkuba requested a review from dimpar November 19, 2020 14:34
@dimpar
Copy link
Copy Markdown
Contributor

dimpar commented Nov 19, 2020

Tested:

  • scenarios described in examples when producing a signature
  • scenarios described in examples when verifying a signature

@dimpar dimpar merged commit d7e6cd0 into master Nov 19, 2020
@dimpar dimpar deleted the operator-signing branch November 19, 2020 15:05
@dimpar dimpar mentioned this pull request Nov 23, 2020
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@pdyraga pdyraga Awaiting requested review from pdyraga

@lukasz-zimnoch lukasz-zimnoch Awaiting requested review from lukasz-zimnoch

1 more reviewer

@dimpar dimpar dimpar approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

📟 client

Projects

None yet

Milestone

v1.5.0

Development

Successfully merging this pull request may close these issues.

Add CLI tool to sign a message with operator key

3 participants

@nkuba @dimpar @pdyraga