ethcontract 0.25.8

Runtime library and proc macro for interacting and generating type-safe bindings to Ethereum smart contracts.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251

//! AWS KMS account implementation.
//!
//! The implementation was heavily guided by this guide for doing the same in javascript:
//! https://luhenning.medium.com/the-dark-side-of-the-elliptic-curve-signing-ethereum-transactions-with-aws-kms-in-javascript-83610d9a6f81
//!
//! It's quite hacky, however the hackiness does not leak outside this module.

use aws_sdk_kms::{
    primitives::Blob,
    types::{KeySpec, KeyUsageType, MessageType, SigningAlgorithmSpec},
    Client, Config,
};
use ethcontract_common::hash::keccak256;
use primitive_types::U256;
use rlp::{Rlp, RlpStream};
use secp256k1::constants::CURVE_ORDER;
use web3::{
    signing::{self, Signature},
    types::{Address, Bytes, SignedTransaction, TransactionParameters, H256},
    Transport, Web3,
};

use crate::errors::ExecutionError;

/// An AWS KMS account abstraction.
#[derive(Clone, Debug)]
pub struct Account {
    client: Client,
    key_id: String,
    address: Address,
}

impl Account {
    /// Creates a new KMS account.
    pub async fn new(config: Config, key_id: &str) -> Result<Self, Error> {
        let client = Client::from_conf(config);
        let key_id = key_id.to_string();
        let key = client
            .get_public_key()
            .key_id(&key_id)
            .send()
            .await
            .map_err(aws_sdk_kms::Error::from)?;

        if !matches!(
            (key.key_spec(), key.key_usage()),
            (
                Some(&KeySpec::EccSecgP256K1),
                Some(&KeyUsageType::SignVerify),
            ),
        ) {
            return Err(Error::InvalidKey);
        }

        // The private key block is a DER-encoded X.509 public key (also known as `SubjectPublicKeyInfo`, as defined in RFC 5280).
        // Luckily, the uncompressed key is just the last 64 bytes :).
        let info = key.public_key().unwrap().as_ref();
        let uncompressed = &info[info.len().checked_sub(64).ok_or(Error::InvalidKey)?..];
        let address = {
            let mut buffer = Address::default();
            let hash = keccak256(uncompressed);
            buffer.0.copy_from_slice(&hash[12..]);
            buffer
        };

        Ok(Self {
            client,
            key_id,
            address,
        })
    }

    /// Returns the public address of the AWS KMS account.
    pub fn public_address(&self) -> Address {
        self.address
    }

    /// Signs a message.
    pub async fn sign(&self, message: [u8; 32]) -> Result<Signature, Error> {
        let output = self
            .client
            .sign()
            .key_id(&self.key_id)
            .message(Blob::new(message))
            .message_type(MessageType::Digest)
            .signing_algorithm(SigningAlgorithmSpec::EcdsaSha256)
            .send()
            .await
            .map_err(aws_sdk_kms::Error::from)?;
        let signature = secp256k1::ecdsa::Signature::from_der(
            output.signature().ok_or(Error::InvalidSignature)?.as_ref(),
        )
        .map_err(|_| Error::InvalidSignature)?;

        let compact = signature.serialize_compact();
        let mut r = H256::default();
        r.0.copy_from_slice(&compact[..32]);

        // If `s` happens to be "on the dark side of the curve", we need to invert it (EIP-2)
        let mut s_tentative: U256 = U256::from_big_endian(&compact[32..]);
        let secp256k1_n = U256::from_big_endian(&CURVE_ORDER);
        if s_tentative > secp256k1_n / 2 {
            s_tentative = secp256k1_n - s_tentative;
        }
        let mut s = H256::default();
        s_tentative.to_big_endian(&mut s.0);

        // Recover correct v by trying which of the two options recovers to our public key
        let v = if signing::recover(&message, &[r.as_bytes(), s.as_bytes()].concat(), 0).ok()
            == Some(self.address)
        {
            0
        } else if signing::recover(&message, &[r.as_bytes(), s.as_bytes()].concat(), 1).ok()
            == Some(self.address)
        {
            1
        } else {
            return Err(Error::InvalidSignature);
        };

        Ok(Signature { v, r, s })
    }

    /// Signs a transaction.
    pub async fn sign_transaction<T>(
        &self,
        web3: Web3<T>,
        params: TransactionParameters,
    ) -> Result<SignedTransaction, Error>
    where
        T: Transport,
    {
        // Note that we build a signed transaction with a dummy signature. We
        // make use of the returned raw transaction and signing message to
        // actually generate a signature using AWS KMS.
        let transaction = web3.accounts().sign_transaction(params, Key(self)).await?;
        let signature = self.sign(transaction.message_hash.0).await?;

        // transaction.v has the EIP155 value w/ 0 parity, signature.v has the parity bit, together they from the correct v
        let v = transaction.v + signature.v;

        // Split the transaction into its ID and its raw RLP encoded form.
        let (id, raw) = match transaction.raw_transaction.0.first().copied() {
            Some(x) if x < 0x80 => (Some(x), &transaction.raw_transaction.0[1..]),
            _ => (None, &transaction.raw_transaction.0[..]),
        };

        // Fortunately for us, raw transactions always RLP append the signature,
        // meaning the last 3 list values are `v`, `r`, and `s` respectively.
        // Re-encode the transaction, replacing the last 3 list values.
        let len = match Rlp::new(raw).prototype()? {
            rlp::Prototype::List(len) => len
                .checked_sub(3)
                .ok_or(rlp::DecoderError::Custom("transaction fields too short"))?,
            _ => return Err(rlp::DecoderError::RlpExpectedToBeList.into()),
        };
        let mut encoder = RlpStream::new_list(len + 3);
        for item in Rlp::new(raw).iter().take(len) {
            encoder.append_raw(item.as_raw(), 1);
        }
        encoder.append(&v);
        // RLP encoding doesn't allow leading zeros for s & r, yet default H256 RLP encoding preserves leading 0s
        // By converting and encoding U256, we get rid of the leading zeros.
        encoder.append(&U256::from_big_endian(signature.r.as_bytes()));
        encoder.append(&U256::from_big_endian(signature.s.as_bytes()));

        let raw_transaction = Bytes(match id {
            Some(id) => [&[id], encoder.as_raw()].concat(),
            None => encoder.out().to_vec(),
        });
        let transaction_hash = H256(keccak256(&raw_transaction.0));

        Ok(SignedTransaction {
            message_hash: transaction.message_hash,
            v,
            r: signature.r,
            s: signature.s,
            raw_transaction,
            transaction_hash,
        })
    }
}

/// A web3 signing key adapter.
///
/// The `web3` crate has utility methods for building and RLP encoding signed
/// transactions that we want to reuse. Unfortunately it expects `sign`-ing to
/// **not** be asynchronous. To work around this, we create this adapter that
/// returns dummy signatures including the all-important signing message and
/// then use AWS KMS to sign the transaction and adjust the returned
/// `SignedTransaction` result.
///
/// Ugly, but effective...
struct Key<'a>(&'a Account);

impl web3::signing::Key for Key<'_> {
    fn sign(
        &self,
        message: &[u8],
        chain_id: Option<u64>,
    ) -> Result<Signature, web3::signing::SigningError> {
        let signature = self.sign_message(message)?;
        // apply EIP155
        Ok(Signature {
            v: if let Some(chain_id) = chain_id {
                signature.v + 35 + chain_id * 2
            } else {
                signature.v + 27
            },
            ..signature
        })
    }

    fn sign_message(&self, _: &[u8]) -> Result<Signature, web3::signing::SigningError> {
        Ok(Signature {
            r: H256::default(),
            s: H256::default(),
            v: 0,
        })
    }

    fn address(&self) -> Address {
        self.0.public_address()
    }
}

/// Error type for when KMS Signing fails
#[derive(Debug, thiserror::Error)]
pub enum Error {
    /// Error related to the KMS interactions
    #[error(transparent)]
    Kms(#[from] aws_sdk_kms::Error),
    /// Error related to the Key stored in KMS being incorrect
    #[error("invalid key")]
    InvalidKey,
    /// Error related to the signing algorithm used
    #[error("invalid signature")]
    InvalidSignature,
    /// Error related to the Web3 interactions needed for signing
    #[error(transparent)]
    Web3(#[from] web3::error::Error),
    /// Error related to decoding the transaction object
    #[error(transparent)]
    Rlp(#[from] rlp::DecoderError),
}

impl From<Error> for ExecutionError {
    fn from(_: Error) -> Self {
        web3::error::Error::Internal.into()
    }
}