feat(signer): add ECDSA proxy keys

Cargo.toml

@@ -29,7 +29,7 @@ cb-signer = { path = "crates/signer" }
 alloy = { version = "0.2.0", features = ["rpc-types-beacon"] }
 ethereum_ssz = "0.5"
 ethereum_ssz_derive = "0.5.3"
-ssz_types = "0.5"
+ssz_types = "0.6.0"
 ethereum_serde_utils = "0.5.2"
 ethereum-types = "0.14.1"
 
@@ -59,9 +59,12 @@ prometheus = "0.13.4"
 
 # crypto
 blst = "0.3.11"
-tree_hash = "0.5"
-tree_hash_derive = "0.5"
+tree_hash = "0.6.0"
+tree_hash_derive = "0.6.0"
 eth2_keystore = { git = "https://github.com/sigp/lighthouse", rev = "9e12c21f268c80a3f002ae0ca27477f9f512eb6f" }
+elliptic-curve = { version = "0.13", features = ["serde"] }
+generic-array = { version = "0.14.7", features = ["serde"] }
+k256 = "0.13"
 
 # docker
 docker-compose-types = "0.12.0"
@@ -79,4 +82,4 @@ dotenvy = "0.15.7"
 indexmap = "2.2.6"
 lazy_static = "1.5.0"
 bimap = { version = "0.6.3", features = ["serde"] }
-derive_more = "0.99.18"
+derive_more = { version = "1.0.0", features = ["from", "into", "deref", "display"] }

bin/src/lib.rs

@@ -1,12 +1,16 @@
 pub mod prelude {
     pub use cb_common::{
         commit,
-        commit::request::{SignRequest, SignedProxyDelegation},
+        commit::request::{
+            SignConsensusRequest, SignedProxyDelegation, SignedProxyDelegationBls,
+            SignedProxyDelegationEcdsa,
+        },
         config::{
             load_builder_module_config, load_commit_module_config, load_pbs_config,
             load_pbs_custom_config, StartCommitModuleConfig,
         },
         pbs::{BuilderEvent, BuilderEventClient, OnBuilderApiEvent},
+        signer::{EcdsaPublicKey, EcdsaSignature},
         utils::{
             initialize_pbs_tracing_log, initialize_tracing_log, utcnow_ms, utcnow_ns, utcnow_sec,
             utcnow_us,

config.example.toml

@@ -1,4 +1,4 @@
-# The main configuration file for the Commit-Boost sidecar. 
+# The main configuration file for the Commit-Boost sidecar.
 # Some fields are optional and can be omitted, in which case the default value, if present, will be used.
 
 # Chain spec id. Supported values: Mainnet, Holesky, Helder
@@ -18,7 +18,7 @@ port = 18550
 # Whether to forward `status` calls to relays or skip and return 200
 # OPTIONAL, DEFAULT: true
 relay_check = true
-# Timeout in milliseconds for the `get_header` call to relays. Note that the CL has also a timeout (e.g. 1 second) so 
+# Timeout in milliseconds for the `get_header` call to relays. Note that the CL has also a timeout (e.g. 1 second) so
 # this should be lower than that, leaving some margin for overhead
 # OPTIONAL, DEFAULT: 950
 timeout_get_header_ms = 950
@@ -34,10 +34,11 @@ skip_sigverify = false
 # Minimum bid in ETH that will be accepted from `get_header`
 # OPTIONAL, DEFAULT: 0.0
 min_bid_eth = 0.0
+# How late in milliseconds in the slot is "late". This impacts the `get_header` requests, by shortening timeouts for `get_header` calls to
 # List of URLs of relay monitors to send registrations to
 # OPTIONAL
 relay_monitors = []
-# How late in milliseconds in the slot is "late". This impacts the `get_header` requests, by shortening timeouts for `get_header` calls to 
+# How late in milliseconds in the slot is "late". This impacts the `get_header` requests, by shortening timeouts for `get_header` calls to
 # relays and make sure a header is returned within this deadline. If the request from the CL comes later in the slot, then fetching headers is skipped
 # to force local building and miniminzing the risk of missed slots. See also the timing games section below
 # OPTIONAL, DEFAULT: 2000
@@ -55,12 +56,12 @@ url = "http://0xa1cec75a3f0661e99299274182938151e8433c61a19222347ea1313d839229cb
 headers = { X-MyCustomHeader = "MyCustomValue" }
 # Whether to enable timing games, as tuned by `target_first_request_ms` and `frequency_get_header_ms`.
 # These values should be carefully chosen for each relay, as each relay has different latency and timing games setups.
-# They should only be used by advanced users, and if mis-configured can result in unforeseen effects, e.g. fetching a lower header value, 
+# They should only be used by advanced users, and if mis-configured can result in unforeseen effects, e.g. fetching a lower header value,
 # or getting a temporary IP ban.
-# 
+#
 # EXAMPLES
 # Assuming: timeout_get_header_ms = 950, frequency_get_header_ms = 300, target_first_request_ms = 200, late_in_slot_time_ms = 2000
-# 
+#
 # 1) CL request comes at 100ms in the slot (max timeout 1050ms in the slot), then:
 #   - sleep for 100ms
 #   - send request at 200ms with 850ms timeout
@@ -112,13 +113,13 @@ id = "DA_COMMIT"
 type = "commit"
 # Docker image of the module
 docker_image = "test_da_commit"
-# Additional config needed by the business logic of the module should also be set here. 
+# Additional config needed by the business logic of the module should also be set here.
 # See also `examples/da_commit/src/main.rs` for more information
 sleep_secs = 5
 
 # Configuration for how metrics should be collected and scraped
 [metrics]
-# Path to a `prometheus.yml` file to use in Prometheus. If using a custom config file, be sure to add a 
+# Path to a `prometheus.yml` file to use in Prometheus. If using a custom config file, be sure to add a
 # file discovery section as follows:
 # ```yml
 # file_sd_configs:

crates/common/Cargo.toml

@@ -35,6 +35,9 @@ blst.workspace = true
 tree_hash.workspace = true
 tree_hash_derive.workspace = true
 eth2_keystore.workspace = true
+elliptic-curve.workspace = true
+generic-array.workspace = true
+k256.workspace = true
 
 # misc
 thiserror.workspace = true

crates/common/src/commit/client.rs

@@ -8,14 +8,21 @@ use serde::{Deserialize, Serialize};
 use super::{
     constants::{GENERATE_PROXY_KEY_PATH, GET_PUBKEYS_PATH, REQUEST_SIGNATURE_PATH},
     error::SignerClientError,
-    request::{GenerateProxyRequest, SignRequest, SignedProxyDelegation},
+    request::{
+        EncryptionScheme, GenerateProxyRequest, SignConsensusRequest, SignProxyBlsRequest,
+        SignProxyEcdsaRequest, SignProxyRequest, SignRequest, SignedProxyDelegation,
+        SignedProxyDelegationBls, SignedProxyDelegationEcdsa,
+    },
+};
+use crate::{
+    signer::{schemes::ecdsa::EcdsaSignature, GenericPubkey},
+    DEFAULT_REQUEST_TIMEOUT,
 };
-use crate::DEFAULT_REQUEST_TIMEOUT;
 
 #[derive(Debug, Clone, Deserialize, Serialize)]
 pub struct GetPubkeysResponse {
     pub consensus: Vec<BlsPublicKey>,
-    pub proxy: Vec<BlsPublicKey>,
+    pub proxy: Vec<GenericPubkey>,
 }
 
 /// Client used by commit modules to request signatures via the Signer API
@@ -45,7 +52,8 @@ impl SignerClient {
     }
 
     /// Request a list of validator pubkeys for which signatures can be
-    /// requested. TODO: add more docs on how proxy keys work
+    /// requested.
+    // TODO: add more docs on how proxy keys work
     pub async fn get_pubkeys(&self) -> Result<GetPubkeysResponse, SignerClientError> {
         let url = format!("{}{}", self.url, GET_PUBKEYS_PATH);
         let res = self.client.get(&url).send().await?;
@@ -66,10 +74,7 @@ impl SignerClient {
     }
 
     /// Send a signature request
-    pub async fn request_signature(
-        &self,
-        request: &SignRequest,
-    ) -> Result<BlsSignature, SignerClientError> {
+    async fn request_signature(&self, request: &SignRequest) -> Result<Vec<u8>, SignerClientError> {
         let url = format!("{}{}", self.url, REQUEST_SIGNATURE_PATH);
         let res = self.client.post(&url).json(&request).send().await?;
 
@@ -83,17 +88,55 @@ impl SignerClient {
             });
         }
 
-        let signature: BlsSignature = serde_json::from_slice(&response_bytes)?;
+        let signature: Vec<u8> = serde_json::from_slice(&response_bytes)?;
+
+        Ok(signature)
+    }
+
+    pub async fn request_consensus_signature(
+        &self,
+        request: SignConsensusRequest,
+    ) -> Result<BlsSignature, SignerClientError> {
+        let request = SignRequest::Consensus(request);
+        let raw_signature = self.request_signature(&request).await?;
+
+        let signature = BlsSignature::from_slice(&raw_signature);
+
+        Ok(signature)
+    }
+
+    async fn request_proxy_signature(
+        &self,
+        request: SignProxyRequest,
+    ) -> Result<Vec<u8>, SignerClientError> {
+        let request = SignRequest::Proxy(request);
+        self.request_signature(&request).await
+    }
+
+    pub async fn request_proxy_ecdsa_signature(
+        &self,
+        request: SignProxyEcdsaRequest,
+    ) -> Result<EcdsaSignature, SignerClientError> {
+        let raw_signature = self.request_proxy_signature(request.into()).await?;
+        let signature = EcdsaSignature::try_from(raw_signature.as_ref())
+            .expect("requested signature should be ECDSA");
+        Ok(signature)
+    }
 
+    pub async fn request_proxy_bls_signature(
+        &self,
+        request: SignProxyBlsRequest,
+    ) -> Result<BlsSignature, SignerClientError> {
+        let raw_signature = self.request_proxy_signature(request.into()).await?;
+        let signature = BlsSignature::from_slice(&raw_signature);
         Ok(signature)
     }
 
-    pub async fn generate_proxy_key(
+    async fn generate_proxy_key(
         &self,
-        pubkey: BlsPublicKey,
+        request: &GenerateProxyRequest,
     ) -> Result<SignedProxyDelegation, SignerClientError> {
         let url = format!("{}{}", self.url, GENERATE_PROXY_KEY_PATH);
-        let request = GenerateProxyRequest::new(pubkey);
         let res = self.client.post(&url).json(&request).send().await?;
 
         let status = res.status();
@@ -110,4 +153,34 @@ impl SignerClient {
 
         Ok(signed_proxy_delegation)
     }
+
+    pub async fn generate_bls_proxy_key(
+        &self,
+        consensus_pubkey: BlsPublicKey,
+    ) -> Result<SignedProxyDelegationBls, SignerClientError> {
+        let request = GenerateProxyRequest::new(consensus_pubkey, EncryptionScheme::Bls);
+
+        let bls_signed_proxy_delegation = self
+            .generate_proxy_key(&request)
+            .await?
+            .try_into()
+            .expect("generated proxy delegation should be BLS");
+
+        Ok(bls_signed_proxy_delegation)
+    }
+
+    pub async fn generate_ecdsa_proxy_key(
+        &self,
+        consensus_pubkey: BlsPublicKey,
+    ) -> Result<SignedProxyDelegationEcdsa, SignerClientError> {
+        let request = GenerateProxyRequest::new(consensus_pubkey, EncryptionScheme::Ecdsa);
+
+        let ecdsa_signed_proxy_delegation = self
+            .generate_proxy_key(&request)
+            .await?
+            .try_into()
+            .expect("generated proxy delegation should be BLS");
+
+        Ok(ecdsa_signed_proxy_delegation)
+    }
 }