grpc: add SignatureVerificationService #22207
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
2 Skipped Deployments
|
bmwill
temporarily deployed
to
sui-typescript-aws-kms-test-env
GitHub Actions
Inactive
|
Right now this API is designed to return a non-OK status code on sig verification failure, this probably makes sense to change to be an Ok status code with a payload with a boolean that indicates success as is done in the JSONRPC api |
Introduce the SignatureVerificationService which provides support for verifying signatures in the sui ecosystem. This is meant to be a replacement/extention of the JSONRPC method for verifying zklogin signatures.
bmwill
force-pushed
the
grpc-signature-verification-service
branch
from
69d754e to
5275357
Compare
bmwill
temporarily deployed
to
sui-typescript-aws-kms-test-env
GitHub Actions
Inactive
|
|
||
| // The set of JWKs to use when verifying Zklogin signatures. | ||
| // If this is empty the current set of valid JWKs stored onchain will be used | ||
| repeated sui.rpc.v2beta.ActiveJwk jwks = 3; |
There was a problem hiding this comment.
Something I don't think we support in GraphQL yet, but might be nice is an epoch. In GraphQL we can only verify zklogin signatures for a short period after they are created, and have no way to verify historic signatures because they are no longer valid for the current epoch
There was a problem hiding this comment.
Yep I realized this as well, technically the implication as provided by this pr doesn't do epoch checks at all and only does the proof check against the jwks and sig checks
| optional sui.rpc.v2beta.Bcs message = 1; | ||
|
|
||
| // The siganture to verify. | ||
| optional sui.rpc.v2beta.UserSignature signature = 2; |
There was a problem hiding this comment.
It might also be nice to be able to pass an address in addition to the signature. For the TS sdk we don't need this, but I could imagine it being useful for other languages where extracting the address from a signature isn't trivial.
One additional thing to account for here is zklogin legacy addresses. ZkLogin signatures have up to 2 different addresses they can be valid for, and being able to validate that a zklogin signature is valid for a specific address is slightly more complicated than extracting the address from the signature, because you need to figure out if the seed in the public key bytes are padded, get the other (padded or unpadded bytes) and then derive a second address from that
There was a problem hiding this comment.
Oh good call out. I saw this in the other implementation but was confused why it existed. This is easy to add as well as easy to account for the zklogin padding issues
Introduce the SignatureVerificationService which provides support for verifying signatures in the sui ecosystem. This is meant to be a replacement/extention of the JSONRPC method for verifying zklogin signatures.
Description
Describe the changes or additions included in this PR.
Test plan
How did you test the new or updated feature?
Release notes
Check each box that your changes affect. If none of the boxes relate to your changes, release notes aren't required.
For each box you select, include information after the relevant heading that describes the impact of your changes that a user might notice and any actions they must take to implement updates.