Key Standard

.github/workflows/hsm-demo-containers.yml

@@ -13,7 +13,7 @@ on:
 jobs:
 
   hsm-demo-build:
-    if: github.event.label.name == 'cicd:hsm-demo-containers' ||  github.ref == 'refs/heads/main'
+    # if: github.event.label.name == 'cicd:hsm-demo-containers' ||  github.ref == 'refs/heads/main'
     permissions:
       contents: read
       packages: write

Cargo.toml

@@ -45,6 +45,7 @@ members = [
     "util/signing/integrations/aptos",
     "util/signing/providers/aws-kms",
     "util/signing/providers/hashicorp-vault",
+    "util/signing/signing-admin",
     "demo/hsm"
 ]
 
@@ -354,4 +355,4 @@ opt-level = 3
 
 [patch.crates-io]
 merlin = { git = "https://github.com/aptos-labs/merlin" }
-x25519-dalek = { git = "https://github.com/aptos-labs/x25519-dalek", branch = "zeroize_v1" }
+x25519-dalek = { git = "https://github.com/aptos-labs/x25519-dalek", branch = "zeroize_v1" }

demo/hsm/Cargo.toml

@@ -22,12 +22,16 @@ dotenv = "0.15"
 ed25519 = { workspace = true }
 ring-compat = { workspace = true }
 k256 = { workspace = true, features = ["ecdsa", "pkcs8"] }
+ed25519-dalek = { workspace = true }
 google-cloud-kms = { workspace = true }
 reqwest = { version = "0.12", features = ["json"] }
 axum = "0.6"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 clap = { workspace = true }
+movement-signer = { workspace = true }
+movement-signer-aws-kms = { workspace = true }
+movement-signer-hashicorp-vault = { workspace = true }
 
 [lints]
 workspace = true

demo/hsm/src/cli/mod.rs

@@ -4,14 +4,14 @@ use clap::Parser;
 #[derive(Parser)]
 #[clap(rename_all = "kebab-case")]
 pub enum HsmDemo {
-	#[clap(subcommand)]
-	Server(server::Server),
+        #[clap(subcommand)]
+        Server(server::Server),
 }
 
 impl HsmDemo {
-	pub async fn run(&self) -> Result<(), anyhow::Error> {
-		match self {
-			HsmDemo::Server(server) => server.run().await,
-		}
-	}
+        pub async fn run(&self) -> Result<(), anyhow::Error> {
+                match self {
+                        HsmDemo::Server(server) => server.run().await,
+                }
+        }
 }

demo/hsm/src/cli/server/ed25519/hashi_corp_vault.rs

@@ -1,30 +1,39 @@
-use crate::{cryptography::Ed25519, hsm, server::create_server};
+use crate::server::{create_server, AppState};
 use axum::Server;
 use clap::Parser;
+use movement_signer::cryptography::ed25519::Ed25519;
+use movement_signer::key::Key;
+use movement_signer::key::SignerBuilder;
+use movement_signer::Signer;
+use movement_signer_hashicorp_vault::hsm::key::Builder;
 use std::net::SocketAddr;
 use std::sync::Arc;
 use tokio::sync::Mutex;
 
 #[derive(Debug, Parser, Clone)]
 #[clap(rename_all = "kebab-case", about = "Runs signing app for ed25519 against HashiCorp Vault")]
-pub struct HashiCorpVault {}
+pub struct HashiCorpVault {
+        canonical_key: String,
+        #[arg(long)]
+        create_key: bool,
+}
 
 impl HashiCorpVault {
-	pub async fn run(&self) -> Result<(), anyhow::Error> {
-		let hsm = hsm::hashi_corp_vault::HashiCorpVault::<Ed25519>::try_from_env()?
-			.create_key()
-			.await?
-			.fill_with_public_key()
-			.await?;
+        pub async fn run(&self) -> Result<(), anyhow::Error> {
+                let key = Key::try_from_canonical_string(self.canonical_key.as_str())
+                        .map_err(|e| anyhow::anyhow!(e))?;
+                let builder = Builder::<Ed25519>::new().create_key(self.create_key);
+                let hsm = Signer::new(builder.build(key).await?);
 
-		let server_hsm = Arc::new(Mutex::new(hsm));
+                let server_hsm = Arc::new(Mutex::new(hsm));
+                let app_state = Arc::new(AppState::new());
 
-		let app = create_server(server_hsm);
-		let addr = SocketAddr::from(([127, 0, 0, 1], 3000));
-		println!("Server listening on {}", addr);
+                let app = create_server(server_hsm, app_state);
+                let addr = SocketAddr::from(([0, 0, 0, 0], 3000));
+                println!("Server listening on {}", addr);
 
-		Server::bind(&addr).serve(app.into_make_service()).await?;
+                Server::bind(&addr).serve(app.into_make_service()).await?;
 
-		Ok(())
-	}
+                Ok(())
+        }
 }

demo/hsm/src/cli/server/secp256k1/aws_kms.rs

@@ -1,30 +1,41 @@
-use crate::{cryptography::Secp256k1, hsm, server::create_server};
+use crate::server::create_server;
+use crate::server::AppState;
 use axum::Server;
 use clap::Parser;
+use movement_signer::cryptography::secp256k1::Secp256k1;
+use movement_signer::key::Key;
+use movement_signer::key::SignerBuilder;
+use movement_signer::Signer;
+use movement_signer_aws_kms::hsm::key::Builder;
 use std::net::SocketAddr;
 use std::sync::Arc;
 use tokio::sync::Mutex;
 
 #[derive(Debug, Parser, Clone)]
 #[clap(rename_all = "kebab-case", about = "Runs signing app for secp256k1 against AWS KMS")]
-pub struct AwsKms {}
+pub struct AwsKms {
+	canonical_key: String,
+	#[arg(long)]
+	create_key: bool,
+}
 
 impl AwsKms {
-	pub async fn run(&self) -> Result<(), anyhow::Error> {
-		let hsm = hsm::aws_kms::AwsKms::<Secp256k1>::try_from_env()
-			.await?
-			.create_key()
-			.await?
-			.fill_with_public_key()
-			.await?;
-		let server_hsm = Arc::new(Mutex::new(hsm));
+        pub async fn run(&self) -> Result<(), anyhow::Error> {
+                let key = Key::try_from_canonical_string(self.canonical_key.as_str())
+                        .map_err(|e| anyhow::anyhow!(e))?;
+                let builder = Builder::<Secp256k1>::new().create_key(self.create_key);
+                let hsm = Signer::new(builder.build(key).await?);
+
+                let server_hsm = Arc::new(Mutex::new(hsm));
+                let app_state = Arc::new(AppState::new());
+
+                let app = create_server(server_hsm, app_state);
 
-		let app = create_server(server_hsm);
-		let addr = SocketAddr::from(([127, 0, 0, 1], 3000));
-		println!("Server listening on {}", addr);
+                let addr = SocketAddr::from(([0, 0, 0, 0], 3000));
+                println!("Server listening on {}", addr);
 
-		Server::bind(&addr).serve(app.into_make_service()).await?;
+                Server::bind(&addr).serve(app.into_make_service()).await?;
 
-		Ok(())
-	}
+                Ok(())
+        }
 }

demo/hsm/src/cryptography/aws_kms.rs

@@ -2,7 +2,7 @@ use crate::cryptography::Secp256k1;
 use aws_sdk_kms::types::{KeySpec, KeyUsageType, SigningAlgorithmSpec};
 
 /// Defines the needed methods for providing a definition of cryptography used with AWS KMS
-pub trait AwsKmsCryptography {
+pub trait AwsKmsCryptographySpec {
 	/// Returns the [KeySpec] for the desired cryptography
 	fn key_spec() -> KeySpec;
 
@@ -13,7 +13,7 @@ pub trait AwsKmsCryptography {
 	fn signing_algorithm_spec() -> SigningAlgorithmSpec;
 }
 
-impl AwsKmsCryptography for Secp256k1 {
+impl AwsKmsCryptographySpec for Secp256k1 {
 	fn key_spec() -> KeySpec {
 		KeySpec::EccSecgP256K1
 	}

demo/hsm/src/cryptography/hashicorp_vault.rs

@@ -2,12 +2,12 @@ use crate::cryptography::Ed25519;
 use vaultrs::api::transit::KeyType;
 
 /// Defines the needed methods for providing a definition of cryptography used with HashiCorp Vault
-pub trait HashiCorpVaultCryptography {
+pub trait HashiCorpVaultCryptographySpec {
 	/// Returns the [KeyType] for the desired cryptography
 	fn key_type() -> KeyType;
 }
 
-impl HashiCorpVaultCryptography for Ed25519 {
+impl HashiCorpVaultCryptographySpec for Ed25519 {
 	fn key_type() -> KeyType {
 		KeyType::Ed25519
 	}