Update dependencies and implement AWS KMS signing support

- Updated `Cargo.lock` to reflect new versions for several dependencies, including `alloy-consensus`, `alloy-eips`, and AWS-related packages.
- Introduced `AwsKmsCredential` for AWS KMS signing, allowing integration of AWS KMS into the signing process.
- Enhanced `SigningCredential` enum to support AWS KMS credentials.
- Implemented error handling for AWS KMS signing errors in the `EngineError` enum.
- Updated user operation signing logic to utilize AWS KMS for signing user operations.
- Refactored HTTP extractors to support AWS KMS credentials extraction from headers.

These changes improve the integration of AWS KMS for signing operations, enhancing the overall functionality and security of the application.

Author: d4mr

Cargo.lock

@@ -1,6 +1,6 @@
 use alloy::{
     core::sol_types::SolValue,
-    primitives::{Address, B256, Bytes, ChainId, U256, keccak256},
+    primitives::{Address, B256, Bytes, ChainId, U256, address, keccak256},
     rpc::types::{PackedUserOperation, UserOperation},
 };
 use serde::{Deserialize, Serialize};
@@ -13,6 +13,9 @@ pub enum VersionedUserOp {
     V0_7(PackedUserOperation),
 }
 
+pub const ENTRYPOINT_ADDRESS_V0_6: Address = address!("0x5FF137D4b0FDCD49DcA30c7CF57E578a026d2789"); // v0.6
+pub const ENTRYPOINT_ADDRESS_V0_7: Address = address!("0x0000000071727De22E5E9d8BAf0edAc6f37da032"); // v0.7
+
 /// Error type for UserOp operations
 #[derive(
     Debug,
@@ -182,3 +185,34 @@ pub fn compute_user_op_v07_hash(
     let final_hash = keccak256(&outer_encoded);
     Ok(final_hash)
 }
+
+impl VersionedUserOp {
+    pub fn hash(&self, chain_id: ChainId) -> Result<B256, UserOpError> {
+        match self {
+            VersionedUserOp::V0_6(op) => {
+                compute_user_op_v06_hash(op, ENTRYPOINT_ADDRESS_V0_6, chain_id)
+            }
+            VersionedUserOp::V0_7(op) => {
+                compute_user_op_v07_hash(op, ENTRYPOINT_ADDRESS_V0_7, chain_id)
+            }
+        }
+    }
+
+    pub fn hash_with_custom_entrypoint(
+        &self,
+        chain_id: ChainId,
+        entrypoint: Address,
+    ) -> Result<B256, UserOpError> {
+        match self {
+            VersionedUserOp::V0_6(op) => compute_user_op_v06_hash(op, entrypoint, chain_id),
+            VersionedUserOp::V0_7(op) => compute_user_op_v07_hash(op, entrypoint, chain_id),
+        }
+    }
+
+    pub fn default_entrypoint(&self) -> Address {
+        match self {
+            VersionedUserOp::V0_6(_) => ENTRYPOINT_ADDRESS_V0_6,
+            VersionedUserOp::V0_7(_) => ENTRYPOINT_ADDRESS_V0_7,
+        }
+    }
+}

aa-types/src/userop.rs

@@ -19,3 +19,7 @@ thirdweb-core = { version = "0.1.0", path = "../thirdweb-core" }
 uuid = { version = "1.17.0", features = ["v4"] }
 utoipa = { version = "5.4.0", features = ["preserve_order"] }
 serde_with = "3.13.0"
+alloy-signer-aws = { version = "1.0.23", features = ["eip712"] }
+aws-config = "1.8.2"
+aws-sdk-kms = "1.79.0"
+aws-credential-types = "1.2.4"

core/Cargo.toml

@@ -11,7 +11,3 @@ pub const DEFAULT_FACTORY_ADDRESS_V0_6: Address =
 
 pub const DEFAULT_IMPLEMENTATION_ADDRESS_V0_6: Address =
     address!("0xf22175c80c6e074C171811C59C6c0087e2a6a346");
-
-pub const ENTRYPOINT_ADDRESS_V0_6: Address = address!("0x5FF137D4b0FDCD49DcA30c7CF57E578a026d2789"); // v0.6
-
-pub const ENTRYPOINT_ADDRESS_V0_7: Address = address!("0x0000000071727De22E5E9d8BAf0edAc6f37da032"); // v0.7

core/src/constants.rs

@@ -1,13 +1,58 @@
+use alloy::primitives::ChainId;
+use alloy_signer_aws::AwsSigner;
+use aws_config::BehaviorVersion;
+use aws_credential_types::provider::future::ProvideCredentials as ProvideCredentialsFuture;
+use aws_sdk_kms::config::{Credentials, ProvideCredentials};
 use serde::{Deserialize, Serialize};
 use thirdweb_core::auth::ThirdwebAuth;
 use thirdweb_core::iaw::AuthToken;
-use vault_types::enclave::auth::Auth;
+use vault_types::enclave::auth::Auth as VaultAuth;
+
+use crate::error::EngineError;
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub enum SigningCredential {
-    Vault(Auth),
-    Iaw { 
-        auth_token: AuthToken, 
-        thirdweb_auth: ThirdwebAuth 
+    Vault(VaultAuth),
+    Iaw {
+        auth_token: AuthToken,
+        thirdweb_auth: ThirdwebAuth,
     },
+    AwsKms(AwsKmsCredential),
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct AwsKmsCredential {
+    pub access_key_id: String,
+    pub secret_access_key: String,
+    pub key_id: String,
+    pub region: String,
+}
+
+impl ProvideCredentials for AwsKmsCredential {
+    fn provide_credentials<'a>(&'a self) -> ProvideCredentialsFuture<'a>
+    where
+        Self: 'a,
+    {
+        let credentials = Credentials::new(
+            self.access_key_id.clone(),
+            self.secret_access_key.clone(),
+            None,
+            None,
+            "engine-core",
+        );
+        ProvideCredentialsFuture::ready(Ok(credentials))
+    }
+}
+
+impl AwsKmsCredential {
+    pub async fn get_signer(&self, chain_id: Option<ChainId>) -> Result<AwsSigner, EngineError> {
+        let config = aws_config::defaults(BehaviorVersion::latest())
+            .credentials_provider(self.clone())
+            .load()
+            .await;
+        let client = aws_sdk_kms::Client::new(&config);
+
+        let signer = AwsSigner::new(client, self.key_id.clone(), chain_id).await?;
+        Ok(signer)
+    }
 }

core/src/credentials.rs

@@ -1,10 +1,14 @@
+use std::fmt::Debug;
+
 use crate::defs::AddressDef;
 use alloy::{
     primitives::Address,
     transports::{
         RpcError as AlloyRpcError, TransportErrorKind, http::reqwest::header::InvalidHeaderValue,
     },
 };
+use alloy_signer_aws::AwsSignerError;
+use aws_sdk_kms::error::SdkError;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use thirdweb_core::error::ThirdwebError;
@@ -242,11 +246,150 @@ pub enum EngineError {
     #[error("Thirdweb error: {message}")]
     ThirdwebError { message: String },
 
+    #[schema(title = "AWS KMS Error")]
+    #[error(transparent)]
+    #[serde(rename_all = "camelCase")]
+    AwsKmsSignerError {
+        #[serde(flatten)]
+        error: SerialisableAwsSignerError,
+    },
+
     #[schema(title = "Engine Internal Error")]
     #[error("Internal error: {message}")]
     InternalError { message: String },
 }
 
+#[derive(thiserror::Error, Debug, Serialize, Clone, Deserialize, utoipa::ToSchema)]
+#[serde(rename_all = "SCREAMING_SNAKE_CASE", tag = "type")]
+pub enum SerialisableAwsSdkError {
+    /// The request failed during construction. It was not dispatched over the network.
+    #[error("Construction failure: {message}")]
+    ConstructionFailure { message: String },
+
+    /// The request failed due to a timeout. The request MAY have been sent and received.
+    #[error("Timeout error: {message}")]
+    TimeoutError { message: String },
+
+    /// The request failed during dispatch. An HTTP response was not received. The request MAY
+    /// have been sent.
+    #[error("Dispatch failure: {message}")]
+    DispatchFailure { message: String },
+
+    /// A response was received but it was not parseable according the the protocol (for example
+    /// the server hung up without sending a complete response)
+    #[error("Response error: {message}")]
+    ResponseError { message: String },
+
+    /// An error response was received from the service
+    #[error("Service error: {message}")]
+    ServiceError { message: String },
+
+    #[error("Other error: {message}")]
+    Other { message: String },
+}
+
+#[derive(Error, Debug, Serialize, Clone, Deserialize, utoipa::ToSchema)]
+#[serde(rename_all = "SCREAMING_SNAKE_CASE", tag = "type")]
+pub enum SerialisableAwsSignerError {
+    /// Thrown when the AWS KMS API returns a signing error.
+    #[error(transparent)]
+    Sign {
+        aws_sdk_error: SerialisableAwsSdkError,
+    },
+
+    /// Thrown when the AWS KMS API returns an error.
+    #[error(transparent)]
+    GetPublicKey {
+        aws_sdk_error: SerialisableAwsSdkError,
+    },
+
+    /// [`ecdsa`] error.
+    #[error("ECDSA error: {message}")]
+    K256 { message: String },
+
+    /// [`spki`] error.
+    #[error("SPKI error: {message}")]
+    Spki { message: String },
+
+    /// [`hex`](mod@hex) error.
+    #[error("Hex error: {message}")]
+    Hex { message: String },
+
+    /// Thrown when the AWS KMS API returns a response without a signature.
+    #[error("signature not found in response")]
+    SignatureNotFound,
+
+    /// Thrown when the AWS KMS API returns a response without a public key.
+    #[error("public key not found in response")]
+    PublicKeyNotFound,
+
+    #[error("Unknown error: {message}")]
+    Unknown { message: String },
+}
+
+impl<T: Debug> From<SdkError<T>> for SerialisableAwsSdkError {
+    fn from(err: SdkError<T>) -> Self {
+        match err {
+            SdkError::ConstructionFailure(err) => SerialisableAwsSdkError::ConstructionFailure {
+                message: format!("{:?}", err),
+            },
+            SdkError::TimeoutError(err) => SerialisableAwsSdkError::TimeoutError {
+                message: format!("{:?}", err),
+            },
+            SdkError::DispatchFailure(err) => SerialisableAwsSdkError::DispatchFailure {
+                message: format!("{:?}", err),
+            },
+            SdkError::ResponseError(err) => SerialisableAwsSdkError::ResponseError {
+                message: format!("{:?}", err),
+            },
+            SdkError::ServiceError(err) => SerialisableAwsSdkError::ServiceError {
+                message: format!("{:?}", err),
+            },
+            _ => SerialisableAwsSdkError::Other {
+                message: format!("{:?}", err),
+            },
+        }
+    }
+}
+
+impl From<AwsSignerError> for EngineError {
+    fn from(err: AwsSignerError) -> Self {
+        match err {
+            AwsSignerError::Sign(err) => EngineError::AwsKmsSignerError {
+                error: SerialisableAwsSignerError::Sign {
+                    aws_sdk_error: err.into(),
+                },
+            },
+            AwsSignerError::GetPublicKey(err) => EngineError::AwsKmsSignerError {
+                error: SerialisableAwsSignerError::GetPublicKey {
+                    aws_sdk_error: err.into(),
+                },
+            },
+            AwsSignerError::K256(err) => EngineError::AwsKmsSignerError {
+                error: SerialisableAwsSignerError::K256 {
+                    message: err.to_string(),
+                },
+            },
+            AwsSignerError::Spki(err) => EngineError::AwsKmsSignerError {
+                error: SerialisableAwsSignerError::Spki {
+                    message: err.to_string(),
+                },
+            },
+            AwsSignerError::Hex(err) => EngineError::AwsKmsSignerError {
+                error: SerialisableAwsSignerError::Hex {
+                    message: err.to_string(),
+                },
+            },
+            AwsSignerError::SignatureNotFound => EngineError::AwsKmsSignerError {
+                error: SerialisableAwsSignerError::SignatureNotFound,
+            },
+            AwsSignerError::PublicKeyNotFound => EngineError::AwsKmsSignerError {
+                error: SerialisableAwsSignerError::PublicKeyNotFound,
+            },
+        }
+    }
+}
+
 impl From<vault_sdk::error::VaultError> for EngineError {
     fn from(err: vault_sdk::error::VaultError) -> Self {
         let message = match &err {

core/src/error.rs

@@ -1,13 +1,13 @@
-use crate::{
-    constants::{DEFAULT_FACTORY_ADDRESS_V0_6, ENTRYPOINT_ADDRESS_V0_6},
-    defs::AddressDef,
-    error::EngineError,
+use crate::{constants::DEFAULT_FACTORY_ADDRESS_V0_6, defs::AddressDef, error::EngineError};
+use alloy::{
+    hex::FromHex,
+    primitives::{Address, Bytes},
 };
-use alloy::{hex::FromHex, primitives::{Address, Bytes}};
+use engine_aa_types::{ENTRYPOINT_ADDRESS_V0_6, ENTRYPOINT_ADDRESS_V0_7};
 use schemars::JsonSchema;
 use serde::{Deserialize, Deserializer, Serialize};
 
-use crate::constants::{DEFAULT_FACTORY_ADDRESS_V0_7, ENTRYPOINT_ADDRESS_V0_7};
+use crate::constants::DEFAULT_FACTORY_ADDRESS_V0_7;
 
 #[derive(Deserialize, Serialize, Debug, JsonSchema, Clone, Copy, utoipa::ToSchema)]
 pub enum EntrypointVersion {