Merge branch 'develop' into query-cctx-by-status

Makefile

@@ -26,6 +26,7 @@ MAINNET_BUILD_FLAGS := -ldflags '$(ldflags)' -tags pebbledb,ledger
 TEST_DIR?="./..."
 TEST_BUILD_FLAGS := -tags TESTNET,pebbledb,ledger
 PRIV_BUILD_FLAGS := -tags PRIVNET,pebbledb,ledger
+HSM_BUILD_FLAGS := -tags TESTNET,pebbled,ledger,hsm_test
 
 clean: clean-binaries clean-dir clean-test-dir clean-coverage
 
@@ -65,6 +66,9 @@ test :clean-test-dir run-test
 test-priv:
 	@go test ${PRIV_BUILD_FLAGS} ${TEST_DIR}
 
+test-hsm:
+	@go test ${HSM_BUILD_FLAGS} ${TEST_DIR}
+
 gosec:
 	gosec  -exclude-dir=localnet ./...
 

changelog.md

@@ -4,6 +4,8 @@
 
 ### Features
 * [1395](https://github.com/zeta-chain/node/pull/1395) - Add state variable to track aborted zeta amount
+* [1387](https://github.com/zeta-chain/node/pull/1387) - Add HSM capability for zetaclient hot key
+
 ### Fixes
 
 * [1372](https://github.com/zeta-chain/node/pull/1372) - Include Event Index as part for inbound tx digest

cmd/zetaclientd/aux.go

@@ -16,6 +16,11 @@ func CreateAuthzSigner(granter string, grantee sdk.AccAddress) {
 }
 
 func CreateZetaBridge(cfg *config.Config) (*zetaclient.ZetaCoreBridge, error) {
+	hotKey := cfg.AuthzHotkey
+	if cfg.HsmMode {
+		hotKey = cfg.HsmHotKey
+	}
+
 	chainIP := cfg.ZetaCoreURL
 
 	kb, _, err := zetaclient.GetKeyringKeybase(cfg)
@@ -30,7 +35,7 @@ func CreateZetaBridge(cfg *config.Config) (*zetaclient.ZetaCoreBridge, error) {
 
 	k := zetaclient.NewKeysWithKeybase(kb, granterAddreess, cfg.AuthzHotkey)
 
-	bridge, err := zetaclient.NewZetaCoreBridge(k, chainIP, cfg.AuthzHotkey, cfg.ChainID)
+	bridge, err := zetaclient.NewZetaCoreBridge(k, chainIP, hotKey, cfg.ChainID, cfg.HsmMode)
 	if err != nil {
 		return nil, err
 	}

cmd/zetaclientd/debug.go

@@ -53,7 +53,7 @@ func DebugCmd() *cobra.Command {
 			txHash := args[0]
 			var ballotIdentifier string
 			chainLogger := zerolog.New(io.Discard).Level(zerolog.Disabled)
-			bridge, err := zetaclient.NewZetaCoreBridge(&zetaclient.Keys{OperatorAddress: sdk.MustAccAddressFromBech32(sample.AccAddress())}, debugArgs.zetaNode, "", debugArgs.zetaChainID)
+			bridge, err := zetaclient.NewZetaCoreBridge(&zetaclient.Keys{OperatorAddress: sdk.MustAccAddressFromBech32(sample.AccAddress())}, debugArgs.zetaNode, "", debugArgs.zetaChainID, false)
 			if err != nil {
 				return err
 			}

cmd/zetaclientd/hsm.go

@@ -0,0 +1,102 @@
+package main
+
+import (
+	"fmt"
+
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	keystone "github.com/zeta-chain/keystone/keys"
+	"github.com/zeta-chain/zetacore/cmd"
+	"github.com/zeta-chain/zetacore/common/cosmos"
+	"github.com/zeta-chain/zetacore/zetaclient/hsm"
+)
+
+var HsmCmd = &cobra.Command{
+	Use:   "hsm",
+	Short: "Utility command to interact with hsm",
+}
+
+var GetHsmAddressCmd = &cobra.Command{
+	Use:   "get-address",
+	Short: "Get the address of a particular keypair by label",
+	RunE:  GetHsmAddress,
+}
+
+var GenerateHsmKeyCmd = &cobra.Command{
+	Use:   "gen-key",
+	Short: "Generate keypair by label",
+	RunE:  GenerateHsmKey,
+}
+
+type HsmArgs struct {
+	label string
+}
+
+type HsmGenKeyArgs struct {
+	algorithm int
+}
+
+var hsmArgs = HsmArgs{}
+var hsmKeyGenArgs = HsmGenKeyArgs{}
+
+func init() {
+	RootCmd.AddCommand(HsmCmd)
+	HsmCmd.AddCommand(GetHsmAddressCmd)
+	HsmCmd.AddCommand(GenerateHsmKeyCmd)
+
+	// HSM root arguments
+	HsmCmd.PersistentFlags().StringVar(&hsmArgs.label, "key-label", "", "label used to identify key on HSM")
+
+	// HSM key gen arguments
+	GenerateHsmKeyCmd.Flags().IntVar(&hsmKeyGenArgs.algorithm, "algorithm", 0, "key algo; 0=SECP256K1, 1=SECP256R1, 2=ED25519")
+}
+
+func GetHsmAddress(_ *cobra.Command, _ []string) error {
+	SetupConfigForTest()
+
+	config, err := hsm.GetPKCS11Config()
+	if err != nil {
+		return err
+	}
+	_, pubKey, err := hsm.GetHSMAddress(config, hsmArgs.label)
+	if err != nil {
+		return err
+	}
+
+	address, err := cosmos.Bech32ifyAddressBytes(cmd.Bech32PrefixAccAddr, pubKey.Address().Bytes())
+	if err != nil {
+		return err
+	}
+	zetaPubKey, err := cosmos.Bech32ifyPubKey(cosmos.Bech32PubKeyTypeAccPub, pubKey)
+	if err != nil {
+		return err
+	}
+
+	// Print formatted result
+	fmt.Println("Address: ", address)
+	fmt.Println("Public Key: ", zetaPubKey)
+	fmt.Println("Label: ", hsmArgs.label)
+
+	return nil
+}
+
+func GenerateHsmKey(_ *cobra.Command, _ []string) error {
+	config, err := hsm.GetPKCS11Config()
+	if err != nil {
+		return err
+	}
+	if hsmKeyGenArgs.algorithm > 2 || hsmKeyGenArgs.algorithm < 0 {
+		return errors.New("invalid algorithm selected")
+	}
+	algo := []keystone.KeygenAlgorithm{keystone.KEYGEN_SECP256K1, keystone.KEYGEN_SECP256R1, keystone.KEYGEN_ED25519}
+	key, err := hsm.GenerateKey(hsmArgs.label, algo[hsmKeyGenArgs.algorithm], config)
+	if err != nil {
+		return err
+	}
+
+	// Print Generated key
+	fmt.Println("Public Key: ", key.PubKey().String())
+	fmt.Println("Label: ", hsmArgs.label)
+
+	return nil
+}

cmd/zetaclientd/init.go

@@ -32,6 +32,8 @@ type initArguments struct {
 	TssPath             string
 	TestTssKeysign      bool
 	KeyringBackend      string
+	HsmMode             bool
+	HsmHotKey           string
 }
 
 func init() {
@@ -54,6 +56,8 @@ func init() {
 	InitCmd.Flags().StringVar(&initArgs.TssPath, "tss-path", "~/.tss", "path to tss location")
 	InitCmd.Flags().BoolVar(&initArgs.TestTssKeysign, "test-tss", false, "set to to true to run a check for TSS keysign on startup")
 	InitCmd.Flags().StringVar(&initArgs.KeyringBackend, "keyring-backend", string(config.KeyringBackendTest), "keyring backend to use (test, file)")
+	InitCmd.Flags().BoolVar(&initArgs.HsmMode, "hsm-mode", false, "enable hsm signer, default disabled")
+	InitCmd.Flags().StringVar(&initArgs.HsmHotKey, "hsm-hotkey", "hsm-hotkey", "name of hotkey associated with hardware security module")
 }
 
 func Initialize(_ *cobra.Command, _ []string) error {
@@ -89,6 +93,8 @@ func Initialize(_ *cobra.Command, _ []string) error {
 	configData.P2PDiagnosticTicker = initArgs.p2pDiagnosticTicker
 	configData.ConfigUpdateTicker = initArgs.configUpdateTicker
 	configData.KeyringBackend = config.KeyringBackend(initArgs.KeyringBackend)
+	configData.HsmMode = initArgs.HsmMode
+	configData.HsmHotKey = initArgs.HsmHotKey
 
 	//Save config file
 	return config.Save(&configData, rootArgs.zetaCoreHome)

common/cosmos/cosmos.go

@@ -38,6 +38,7 @@ var (
 	NewKVStoreKey           = sdk.NewKVStoreKey
 	NewTransientStoreKey    = sdk.NewTransientStoreKey
 	NewContext              = sdk.NewContext
+	Bech32ifyAddressBytes   = sdk.Bech32ifyAddressBytes
 	GetPubKeyFromBech32     = legacybech32.UnmarshalPubKey
 	Bech32ifyPubKey         = legacybech32.MarshalPubKey
 	Bech32PubKeyTypeConsPub = legacybech32.ConsPK

contrib/localnet/docker-compose.yml

@@ -30,6 +30,7 @@ services:
       - "1317:1317"
       - "9545:8545"
       - "9546:8546"
+      - "26657:26657"
     networks:
       mynetwork:
         ipv4_address: 172.20.0.11

contrib/localnet/zetacored/common/client.toml

@@ -6,7 +6,7 @@
 ###############################################################################
 
 # The network chain ID
-chain-id = ""
+chain-id = "athens_101-1"
 # The keyring's backend, where the keys are stored (os|file|kwallet|pass|test|memory)
 keyring-backend = "test"
 # CLI output format (text|json)

contrib/localnet/zetacored/common/config.toml

@@ -212,7 +212,7 @@ external_address = ""
 seeds = ""
 
 # Comma separated list of nodes to keep persistent connections to
-persistent_peers = "0d88fbe57ac13ba86c40f4c82b8a4170e79de21a@172.20.0.12:26656"
+persistent_peers = "0d88fbe57ac13ba86c40f4c82b8a4170e79de21a@zetacore1:26656"
 
 # UPNP port forwarding
 upnp = false

contrib/localnet/zetacored/zetacored_zetacore0/config/client.toml

@@ -6,7 +6,7 @@
 ###############################################################################
 
 # The network chain ID
-chain-id = ""
+chain-id = "athens_101-1"
 # The keyring's backend, where the keys are stored (os|file|kwallet|pass|test|memory)
 keyring-backend = "test"
 # CLI output format (text|json)

contrib/localnet/zetacored/zetacored_zetacore1/config/client.toml

@@ -6,7 +6,7 @@
 ###############################################################################
 
 # The network chain ID
-chain-id = ""
+chain-id = "athens_101-1"
 # The keyring's backend, where the keys are stored (os|file|kwallet|pass|test|memory)
 keyring-backend = "test"
 # CLI output format (text|json)

go.mod

@@ -37,10 +37,12 @@ require (
 	github.com/btcsuite/btcutil v1.0.3-0.20201208143702-a53e38424cce
 	github.com/emicklei/proto v1.11.1
 	github.com/evmos/ethermint v0.22.0
+	github.com/frumioj/crypto11 v1.2.5-0.20210823151709-946ce662cc0e
 	github.com/pkg/errors v0.9.1
 	github.com/rakyll/statik v0.1.7
 	github.com/tendermint/crypto v0.0.0-20191022145703-50d29ede1e15
 	github.com/zeta-chain/go-tss v0.1.0
+	github.com/zeta-chain/keystone/keys v0.0.0-20231105174229-903bc9405da2
 	github.com/zeta-chain/protocol-contracts v1.0.2-athens3.0.20230816152528-db7d2bf9144b
 	github.com/zeta-chain/tss-lib v0.1.7
 	google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc
@@ -83,6 +85,7 @@ require (
 	github.com/libp2p/go-yamux/v4 v4.0.0 // indirect
 	github.com/linxGnu/grocksdb v1.7.15 // indirect
 	github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354 // indirect
+	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/onsi/ginkgo/v2 v2.9.7 // indirect
 	github.com/prometheus/tsdb v0.7.1 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
@@ -94,6 +97,7 @@ require (
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/securego/gosec v0.0.0-20200401082031-e946c8c39989 // indirect
 	github.com/tecbot/gorocksdb v0.0.0-20191217155057-f0fad39f321c // indirect
+	github.com/thales-e-security/pool v0.0.2 // indirect
 	github.com/tidwall/gjson v1.14.4 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.0 // indirect