KMS

Cargo.toml

@@ -3,6 +3,7 @@ members = [
   "aa-types",
   "aa-core",
   "core",
+  "eip7702-core",
   "executors",
   "server",
   "thirdweb-core",

aa-types/src/userop.rs

@@ -1,6 +1,6 @@
 use alloy::{
     core::sol_types::SolValue,
-    primitives::{Address, B256, Bytes, ChainId, U256, keccak256},
+    primitives::{Address, B256, Bytes, ChainId, U256, address, keccak256},
     rpc::types::{PackedUserOperation, UserOperation},
 };
 use serde::{Deserialize, Serialize};
@@ -13,6 +13,9 @@ pub enum VersionedUserOp {
     V0_7(PackedUserOperation),
 }
 
+pub const ENTRYPOINT_ADDRESS_V0_6: Address = address!("0x5FF137D4b0FDCD49DcA30c7CF57E578a026d2789"); // v0.6
+pub const ENTRYPOINT_ADDRESS_V0_7: Address = address!("0x0000000071727De22E5E9d8BAf0edAc6f37da032"); // v0.7
+
 /// Error type for UserOp operations
 #[derive(
     Debug,
@@ -182,3 +185,34 @@ pub fn compute_user_op_v07_hash(
     let final_hash = keccak256(&outer_encoded);
     Ok(final_hash)
 }
+
+impl VersionedUserOp {
+    pub fn hash(&self, chain_id: ChainId) -> Result<B256, UserOpError> {
+        match self {
+            VersionedUserOp::V0_6(op) => {
+                compute_user_op_v06_hash(op, ENTRYPOINT_ADDRESS_V0_6, chain_id)
+            }
+            VersionedUserOp::V0_7(op) => {
+                compute_user_op_v07_hash(op, ENTRYPOINT_ADDRESS_V0_7, chain_id)
+            }
+        }
+    }
+
+    pub fn hash_with_custom_entrypoint(
+        &self,
+        chain_id: ChainId,
+        entrypoint: Address,
+    ) -> Result<B256, UserOpError> {
+        match self {
+            VersionedUserOp::V0_6(op) => compute_user_op_v06_hash(op, entrypoint, chain_id),
+            VersionedUserOp::V0_7(op) => compute_user_op_v07_hash(op, entrypoint, chain_id),
+        }
+    }
+
+    pub fn default_entrypoint(&self) -> Address {
+        match self {
+            VersionedUserOp::V0_6(_) => ENTRYPOINT_ADDRESS_V0_6,
+            VersionedUserOp::V0_7(_) => ENTRYPOINT_ADDRESS_V0_7,
+        }
+    }
+}

core/Cargo.toml

@@ -19,3 +19,7 @@ thirdweb-core = { version = "0.1.0", path = "../thirdweb-core" }
 uuid = { version = "1.17.0", features = ["v4"] }
 utoipa = { version = "5.4.0", features = ["preserve_order"] }
 serde_with = "3.13.0"
+alloy-signer-aws = { version = "1.0.23", features = ["eip712"] }
+aws-config = "1.8.2"
+aws-sdk-kms = "1.79.0"
+aws-credential-types = "1.2.4"

core/src/constants.rs

@@ -11,7 +11,3 @@ pub const DEFAULT_FACTORY_ADDRESS_V0_6: Address =
 
 pub const DEFAULT_IMPLEMENTATION_ADDRESS_V0_6: Address =
     address!("0xf22175c80c6e074C171811C59C6c0087e2a6a346");
-
-pub const ENTRYPOINT_ADDRESS_V0_6: Address = address!("0x5FF137D4b0FDCD49DcA30c7CF57E578a026d2789"); // v0.6
-
-pub const ENTRYPOINT_ADDRESS_V0_7: Address = address!("0x0000000071727De22E5E9d8BAf0edAc6f37da032"); // v0.7

core/src/credentials.rs

@@ -1,13 +1,59 @@
+use alloy::primitives::ChainId;
+use alloy_signer_aws::AwsSigner;
+use aws_config::{BehaviorVersion, Region};
+use aws_credential_types::provider::future::ProvideCredentials as ProvideCredentialsFuture;
+use aws_sdk_kms::config::{Credentials, ProvideCredentials};
 use serde::{Deserialize, Serialize};
 use thirdweb_core::auth::ThirdwebAuth;
 use thirdweb_core::iaw::AuthToken;
-use vault_types::enclave::auth::Auth;
+use vault_types::enclave::auth::Auth as VaultAuth;
+
+use crate::error::EngineError;
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub enum SigningCredential {
-    Vault(Auth),
-    Iaw { 
-        auth_token: AuthToken, 
-        thirdweb_auth: ThirdwebAuth 
+    Vault(VaultAuth),
+    Iaw {
+        auth_token: AuthToken,
+        thirdweb_auth: ThirdwebAuth,
     },
+    AwsKms(AwsKmsCredential),
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct AwsKmsCredential {
+    pub access_key_id: String,
+    pub secret_access_key: String,
+    pub key_id: String,
+    pub region: String,
+}
+
+impl ProvideCredentials for AwsKmsCredential {
+    fn provide_credentials<'a>(&'a self) -> ProvideCredentialsFuture<'a>
+    where
+        Self: 'a,
+    {
+        let credentials = Credentials::new(
+            self.access_key_id.clone(),
+            self.secret_access_key.clone(),
+            None,
+            None,
+            "engine-core",
+        );
+        ProvideCredentialsFuture::ready(Ok(credentials))
+    }
+}
+
+impl AwsKmsCredential {
+    pub async fn get_signer(&self, chain_id: Option<ChainId>) -> Result<AwsSigner, EngineError> {
+        let config = aws_config::defaults(BehaviorVersion::latest())
+            .credentials_provider(self.clone())
+            .region(Region::new(self.region.clone()))
+            .load()
+            .await;
+        let client = aws_sdk_kms::Client::new(&config);
+
+        let signer = AwsSigner::new(client, self.key_id.clone(), chain_id).await?;
+        Ok(signer)
+    }
 }

core/src/error.rs

@@ -1,10 +1,14 @@
+use std::fmt::Debug;
+
 use crate::defs::AddressDef;
 use alloy::{
     primitives::Address,
     transports::{
         RpcError as AlloyRpcError, TransportErrorKind, http::reqwest::header::InvalidHeaderValue,
     },
 };
+use alloy_signer_aws::AwsSignerError;
+use aws_sdk_kms::error::SdkError;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use thirdweb_core::error::ThirdwebError;
@@ -242,11 +246,150 @@ pub enum EngineError {
     #[error("Thirdweb error: {message}")]
     ThirdwebError { message: String },
 
+    #[schema(title = "AWS KMS Error")]
+    #[error(transparent)]
+    #[serde(rename_all = "camelCase")]
+    AwsKmsSignerError {
+        #[serde(flatten)]
+        error: SerialisableAwsSignerError,
+    },
+
     #[schema(title = "Engine Internal Error")]
     #[error("Internal error: {message}")]
     InternalError { message: String },
 }
 
+#[derive(thiserror::Error, Debug, Serialize, Clone, Deserialize, utoipa::ToSchema)]
+#[serde(rename_all = "SCREAMING_SNAKE_CASE", tag = "type")]
+pub enum SerialisableAwsSdkError {
+    /// The request failed during construction. It was not dispatched over the network.
+    #[error("Construction failure: {message}")]
+    ConstructionFailure { message: String },
+
+    /// The request failed due to a timeout. The request MAY have been sent and received.
+    #[error("Timeout error: {message}")]
+    TimeoutError { message: String },
+
+    /// The request failed during dispatch. An HTTP response was not received. The request MAY
+    /// have been sent.
+    #[error("Dispatch failure: {message}")]
+    DispatchFailure { message: String },
+
+    /// A response was received but it was not parseable according the the protocol (for example
+    /// the server hung up without sending a complete response)
+    #[error("Response error: {message}")]
+    ResponseError { message: String },
+
+    /// An error response was received from the service
+    #[error("Service error: {message}")]
+    ServiceError { message: String },
+
+    #[error("Other error: {message}")]
+    Other { message: String },
+}
+
+#[derive(Error, Debug, Serialize, Clone, Deserialize, utoipa::ToSchema)]
+#[serde(rename_all = "SCREAMING_SNAKE_CASE", tag = "type")]
+pub enum SerialisableAwsSignerError {
+    /// Thrown when the AWS KMS API returns a signing error.
+    #[error(transparent)]
+    Sign {
+        aws_sdk_error: SerialisableAwsSdkError,
+    },
+
+    /// Thrown when the AWS KMS API returns an error.
+    #[error(transparent)]
+    GetPublicKey {
+        aws_sdk_error: SerialisableAwsSdkError,
+    },
+
+    /// [`ecdsa`] error.
+    #[error("ECDSA error: {message}")]
+    K256 { message: String },
+
+    /// [`spki`] error.
+    #[error("SPKI error: {message}")]
+    Spki { message: String },
+
+    /// [`hex`](mod@hex) error.
+    #[error("Hex error: {message}")]
+    Hex { message: String },
+
+    /// Thrown when the AWS KMS API returns a response without a signature.
+    #[error("signature not found in response")]
+    SignatureNotFound,
+
+    /// Thrown when the AWS KMS API returns a response without a public key.
+    #[error("public key not found in response")]
+    PublicKeyNotFound,
+
+    #[error("Unknown error: {message}")]
+    Unknown { message: String },
+}
+
+impl<T: Debug> From<SdkError<T>> for SerialisableAwsSdkError {
+    fn from(err: SdkError<T>) -> Self {
+        match err {
+            SdkError::ConstructionFailure(err) => SerialisableAwsSdkError::ConstructionFailure {
+                message: format!("{:?}", err),
+            },
+            SdkError::TimeoutError(err) => SerialisableAwsSdkError::TimeoutError {
+                message: format!("{:?}", err),
+            },
+            SdkError::DispatchFailure(err) => SerialisableAwsSdkError::DispatchFailure {
+                message: format!("{:?}", err),
+            },
+            SdkError::ResponseError(err) => SerialisableAwsSdkError::ResponseError {
+                message: format!("{:?}", err),
+            },
+            SdkError::ServiceError(err) => SerialisableAwsSdkError::ServiceError {
+                message: format!("{:?}", err),
+            },
+            _ => SerialisableAwsSdkError::Other {
+                message: format!("{:?}", err),
+            },
+        }
+    }
+}
+
+impl From<AwsSignerError> for EngineError {
+    fn from(err: AwsSignerError) -> Self {
+        match err {
+            AwsSignerError::Sign(err) => EngineError::AwsKmsSignerError {
+                error: SerialisableAwsSignerError::Sign {
+                    aws_sdk_error: err.into(),
+                },
+            },
+            AwsSignerError::GetPublicKey(err) => EngineError::AwsKmsSignerError {
+                error: SerialisableAwsSignerError::GetPublicKey {
+                    aws_sdk_error: err.into(),
+                },
+            },
+            AwsSignerError::K256(err) => EngineError::AwsKmsSignerError {
+                error: SerialisableAwsSignerError::K256 {
+                    message: err.to_string(),
+                },
+            },
+            AwsSignerError::Spki(err) => EngineError::AwsKmsSignerError {
+                error: SerialisableAwsSignerError::Spki {
+                    message: err.to_string(),
+                },
+            },
+            AwsSignerError::Hex(err) => EngineError::AwsKmsSignerError {
+                error: SerialisableAwsSignerError::Hex {
+                    message: err.to_string(),
+                },
+            },
+            AwsSignerError::SignatureNotFound => EngineError::AwsKmsSignerError {
+                error: SerialisableAwsSignerError::SignatureNotFound,
+            },
+            AwsSignerError::PublicKeyNotFound => EngineError::AwsKmsSignerError {
+                error: SerialisableAwsSignerError::PublicKeyNotFound,
+            },
+        }
+    }
+}
+
 impl From<vault_sdk::error::VaultError> for EngineError {
     fn from(err: vault_sdk::error::VaultError) -> Self {
         let message = match &err {

core/src/execution_options/aa.rs

@@ -1,13 +1,13 @@
-use crate::{
-    constants::{DEFAULT_FACTORY_ADDRESS_V0_6, ENTRYPOINT_ADDRESS_V0_6},
-    defs::AddressDef,
-    error::EngineError,
+use crate::{constants::DEFAULT_FACTORY_ADDRESS_V0_6, defs::AddressDef, error::EngineError};
+use alloy::{
+    hex::FromHex,
+    primitives::{Address, Bytes},
 };
-use alloy::{hex::FromHex, primitives::{Address, Bytes}};
+use engine_aa_types::{ENTRYPOINT_ADDRESS_V0_6, ENTRYPOINT_ADDRESS_V0_7};
 use schemars::JsonSchema;
 use serde::{Deserialize, Deserializer, Serialize};
 
-use crate::constants::{DEFAULT_FACTORY_ADDRESS_V0_7, ENTRYPOINT_ADDRESS_V0_7};
+use crate::constants::DEFAULT_FACTORY_ADDRESS_V0_7;
 
 #[derive(Deserialize, Serialize, Debug, JsonSchema, Clone, Copy, utoipa::ToSchema)]
 pub enum EntrypointVersion {

core/src/execution_options/eip7702.rs

@@ -1,15 +1,36 @@
 use alloy::primitives::Address;
-use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 
 use crate::defs::AddressDef;
 
-#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema, utoipa::ToSchema)]
+#[derive(Debug, Clone, Serialize, Deserialize, utoipa::ToSchema)]
 #[schema(title = "EIP-7702 Execution Options")]
+#[serde(rename_all = "camelCase", untagged)]
+pub enum Eip7702ExecutionOptions {
+    /// Execute the transaction as the owner of the account
+    Owner(Eip7702OwnerExecution),
+    /// Execute a transaction on a different delegated account (`account_address`), which has granted a session key to the `session_key_address`
+    /// `session_key_address` is the signer for this transaction
+    SessionKey(Eip7702SessionKeyExecution),
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, utoipa::ToSchema)]
+#[schema(title = "EIP-7702 Owner Execution")]
 #[serde(rename_all = "camelCase")]
-pub struct Eip7702ExecutionOptions {
-    /// The EOA address that will sign the EIP-7702 transaction
-    #[schemars(with = "AddressDef")]
+pub struct Eip7702OwnerExecution {
     #[schema(value_type = AddressDef)]
+    /// The delegated EOA address
     pub from: Address,
 }
+
+#[derive(Debug, Clone, Serialize, Deserialize, utoipa::ToSchema)]
+#[schema(title = "EIP-7702 Session Key Execution")]
+#[serde(rename_all = "camelCase")]
+pub struct Eip7702SessionKeyExecution {
+    #[schema(value_type = AddressDef)]
+    /// The session key address is your server wallet, which has been granted a session key to the `account_address`
+    pub session_key_address: Address,
+    #[schema(value_type = AddressDef)]
+    /// The account address is the address of a delegated account you want to execute the transaction on. This account has granted a session key to the `session_key_address`
+    pub account_address: Address,
+}

core/src/execution_options/mod.rs

@@ -27,7 +27,7 @@ fn default_idempotency_key() -> String {
 }
 
 /// All supported specific execution options are contained here
-#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema, utoipa::ToSchema)]
+#[derive(Debug, Clone, Serialize, Deserialize, utoipa::ToSchema)]
 #[serde(tag = "type")]
 #[schema(title = "Execution Option Variants")]
 pub enum SpecificExecutionOptions {