feat(signer): add ERC2335 ProxyStore

config.example.toml

@@ -149,12 +149,17 @@ key_path = "./keys.example.json"
 # For teku, it's the path to the directory where all `<pubkey>.txt` files are located.
 # For lodestar, it's the path to the file containing the decryption password.
 # secrets_path = ""
-# Configuration for how the Signer module should store proxy delegations. Currently one type of store is supported:
+# Configuration for how the Signer module should store proxy delegations. Supported types of store are:
 #   - File: store keys and delegations from a plain text file (unsafe, use only for testing purposes)
+#   - ERC2335: store keys and delegations safely using ERC-2335 style keystores. More details can be found in the docs (https://commit-boost.github.io/commit-boost-client/get_started/configuration#proxy-keys-store)
 # OPTIONAL, if missing proxies are lost on restart
 [signer.store]
 # File: path to the keys file
 proxy_dir = "./proxies"
+# ERC2335: path to the keys directory
+# keys_path = ""
+# ERC2335: path to the secrets directory
+# secrets_path = ""
 
 # Commit-Boost can optionally run "modules" which extend the capabilities of the sidecar.
 # Currently, two types of modules are supported:

crates/cli/src/docker_init.rs

@@ -9,7 +9,8 @@ use cb_common::{
         CommitBoostConfig, LogsSettings, ModuleKind, BUILDER_PORT_ENV, BUILDER_URLS_ENV,
         CHAIN_SPEC_ENV, CONFIG_DEFAULT, CONFIG_ENV, JWTS_ENV, LOGS_DIR_DEFAULT, LOGS_DIR_ENV,
         METRICS_PORT_ENV, MODULE_ID_ENV, MODULE_JWT_ENV, PBS_ENDPOINT_ENV, PBS_MODULE_NAME,
-        PROXY_DIR_DEFAULT, PROXY_DIR_ENV, SIGNER_DEFAULT, SIGNER_DIR_KEYS_DEFAULT,
+        PROXY_DIR_DEFAULT, PROXY_DIR_ENV, PROXY_DIR_KEYS_DEFAULT, PROXY_DIR_KEYS_ENV,
+        PROXY_DIR_SECRETS_DEFAULT, PROXY_DIR_SECRETS_ENV, SIGNER_DEFAULT, SIGNER_DIR_KEYS_DEFAULT,
         SIGNER_DIR_KEYS_ENV, SIGNER_DIR_SECRETS_DEFAULT, SIGNER_DIR_SECRETS_ENV, SIGNER_KEYS_ENV,
         SIGNER_MODULE_NAME, SIGNER_PORT_ENV, SIGNER_URL_ENV,
     },
@@ -359,6 +360,23 @@ pub fn handle_docker_init(config_path: String, output_dir: String) -> Result<()>
                         let (k, v) = get_env_val(PROXY_DIR_ENV, PROXY_DIR_DEFAULT);
                         signer_envs.insert(k, v);
                     }
+                    ProxyStore::ERC2335 { keys_path, secrets_path } => {
+                        volumes.push(Volumes::Simple(format!(
+                            "{}:{}:rw",
+                            keys_path.display(),
+                            PROXY_DIR_KEYS_DEFAULT
+                        )));
+                        let (k, v) = get_env_val(PROXY_DIR_KEYS_ENV, PROXY_DIR_KEYS_DEFAULT);
+                        signer_envs.insert(k, v);
+
+                        volumes.push(Volumes::Simple(format!(
+                            "{}:{}:rw",
+                            secrets_path.display(),
+                            PROXY_DIR_SECRETS_DEFAULT
+                        )));
+                        let (k, v) = get_env_val(PROXY_DIR_SECRETS_ENV, PROXY_DIR_SECRETS_DEFAULT);
+                        signer_envs.insert(k, v);
+                    }
                 }
             }
 

crates/common/src/commit/request.rs

@@ -1,4 +1,7 @@
-use std::fmt::{self, Debug, Display, LowerHex};
+use std::{
+    fmt::{self, Debug, Display, LowerHex},
+    str::FromStr,
+};
 
 use alloy::rpc::types::beacon::BlsSignature;
 use derive_more::derive::From;
@@ -133,6 +136,27 @@ pub enum EncryptionScheme {
     Ecdsa,
 }
 
+impl Display for EncryptionScheme {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        match self {
+            EncryptionScheme::Bls => write!(f, "bls"),
+            EncryptionScheme::Ecdsa => write!(f, "ecdsa"),
+        }
+    }
+}
+
+impl FromStr for EncryptionScheme {
+    type Err = String;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        match s {
+            "bls" => Ok(EncryptionScheme::Bls),
+            "ecdsa" => Ok(EncryptionScheme::Ecdsa),
+            _ => Err(format!("Unknown scheme: {s}")),
+        }
+    }
+}
+
 // TODO(David): This struct shouldn't be visible to module authors
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct GenerateProxyRequest {

crates/common/src/config/constants.rs

@@ -47,9 +47,15 @@ pub const SIGNER_DIR_KEYS_DEFAULT: &str = "/keys";
 /// Path to `secrets` folder
 pub const SIGNER_DIR_SECRETS_ENV: &str = "CB_SIGNER_LOADER_SECRETS_DIR";
 pub const SIGNER_DIR_SECRETS_DEFAULT: &str = "/secrets";
-/// Path to store proxies
+/// Path to store proxies with plaintext keys (testing only)
 pub const PROXY_DIR_ENV: &str = "CB_PROXY_STORE_DIR";
 pub const PROXY_DIR_DEFAULT: &str = "/proxies";
+/// Path to store proxy keys
+pub const PROXY_DIR_KEYS_ENV: &str = "CB_PROXY_KEYS_DIR";
+pub const PROXY_DIR_KEYS_DEFAULT: &str = "/proxy_keys";
+/// Path to store proxy secrets
+pub const PROXY_DIR_SECRETS_ENV: &str = "CB_PROXY_SECRETS_DIR";
+pub const PROXY_DIR_SECRETS_DEFAULT: &str = "/proxy_secrets";
 
 ///////////////////////// MODULES /////////////////////////
 

crates/common/src/signer/loader.rs

@@ -10,14 +10,14 @@ use aes::{
     Aes128,
 };
 use alloy::{primitives::hex::FromHex, rpc::types::beacon::BlsPublicKey};
-use eth2_keystore::Keystore;
+use eth2_keystore::{json_keystore::JsonKeystore, Keystore};
 use eyre::{eyre, Context, OptionExt};
 use pbkdf2::{hmac, pbkdf2};
 use serde::{de, Deserialize, Deserializer, Serialize};
 use tracing::warn;
 use unicode_normalization::UnicodeNormalization;
 
-use super::{PrysmDecryptedKeystore, PrysmKeystore};
+use super::{BlsSigner, EcdsaSigner, PrysmDecryptedKeystore, PrysmKeystore};
 use crate::{
     config::{load_env_var, SIGNER_DIR_KEYS_ENV, SIGNER_DIR_SECRETS_ENV, SIGNER_KEYS_ENV},
     signer::ConsensusSigner,
@@ -288,6 +288,20 @@ fn load_one(ks_path: String, pw_path: String) -> eyre::Result<ConsensusSigner> {
     ConsensusSigner::new_from_bytes(key.sk.serialize().as_bytes())
 }
 
+pub fn load_bls_signer(keys_path: PathBuf, secrets_path: PathBuf) -> eyre::Result<BlsSigner> {
+    load_one(keys_path.to_string_lossy().to_string(), secrets_path.to_string_lossy().to_string())
+}
+
+pub fn load_ecdsa_signer(keys_path: PathBuf, secrets_path: PathBuf) -> eyre::Result<EcdsaSigner> {
+    let key_file = std::fs::File::open(keys_path.to_string_lossy().to_string())?;
+    let key_reader = std::io::BufReader::new(key_file);
+    let keystore: JsonKeystore = serde_json::from_reader(key_reader)?;
+    let password = std::fs::read(secrets_path)?;
+    let decrypted_password = eth2_keystore::decrypt(&password, &keystore.crypto).unwrap();
+
+    EcdsaSigner::new_from_bytes(decrypted_password.as_bytes())
+}
+
 #[cfg(test)]
 mod tests {