identity_iota_interaction/
keytool_signer.rs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
// Copyright 2020-2025 IOTA Stiftung
// SPDX-License-Identifier: Apache-2.0

use std::path::Path;
use std::path::PathBuf;

use crate::types::base_types::IotaAddress;
use crate::types::crypto::PublicKey;
use crate::types::crypto::Signature;
use crate::types::crypto::SignatureScheme;
use crate::IotaKeySignature;
use crate::TransactionDataBcs;
use anyhow::anyhow;
use anyhow::Context as _;
use async_trait::async_trait;
use fastcrypto::encoding::Base64;
use fastcrypto::encoding::Encoding;
use jsonpath_rust::JsonPathQuery as _;
use secret_storage::Error as SecretStorageError;
use secret_storage::Signer;
use serde::Deserialize;
use serde_json::Value;

/// Builder structure to ease the creation of a [KeytoolSigner].
#[derive(Debug, Default)]
pub struct KeytoolSignerBuilder {
  address: Option<IotaAddress>,
  iota_bin: Option<PathBuf>,
}

impl KeytoolSignerBuilder {
  /// Returns a new [KeytoolSignerBuilder] with default configuration:
  /// - use current active address;
  /// - assumes `iota` binary to be in PATH;
  pub fn new() -> Self {
    Self::default()
  }

  /// Sets the address the signer will use.
  /// Defaults to current active address if no address is provided.
  pub fn with_address(mut self, address: IotaAddress) -> Self {
    self.address = Some(address);
    self
  }

  /// Sets the path to the `iota` binary to use.
  /// Assumes `iota` to be in PATH if no value is provided.
  pub fn iota_bin_location(mut self, path: impl AsRef<Path>) -> Self {
    let path = path.as_ref().to_path_buf();
    self.iota_bin = Some(path);

    self
  }

  /// Builds a new [KeytoolSigner] using the provided configuration.
  pub async fn build(self) -> anyhow::Result<KeytoolSigner> {
    let KeytoolSignerBuilder { address, iota_bin } = self;
    let iota_bin = iota_bin.unwrap_or_else(|| "iota".into());
    let address = if let Some(address) = address {
      address
    } else {
      get_active_address(&iota_bin).await?
    };

    let public_key = get_key(&iota_bin, address).await.context("cannot find key")?;

    Ok(KeytoolSigner {
      public_key,
      iota_bin,
      address,
    })
  }
}

/// IOTA Keytool [Signer] implementation.
#[derive(Debug)]
pub struct KeytoolSigner {
  public_key: PublicKey,
  iota_bin: PathBuf,
  address: IotaAddress,
}

impl KeytoolSigner {
  /// Returns a [KeytoolSignerBuilder].
  pub fn builder() -> KeytoolSignerBuilder {
    KeytoolSignerBuilder::default()
  }

  /// Returns the [IotaAddress] used by this [KeytoolSigner].
  pub fn address(&self) -> IotaAddress {
    self.address
  }

  /// Returns the [PublicKey] used by this [KeytoolSigner].
  pub fn public_key(&self) -> &PublicKey {
    &self.public_key
  }

  async fn run_iota_cli_command(&self, args: &str) -> anyhow::Result<Value> {
    run_iota_cli_command_with_bin(&self.iota_bin, args).await
  }
}

#[cfg_attr(feature = "send-sync-transaction", async_trait)]
#[cfg_attr(not(feature = "send-sync-transaction"), async_trait(?Send))]
impl Signer<IotaKeySignature> for KeytoolSigner {
  type KeyId = IotaAddress;

  fn key_id(&self) -> &Self::KeyId {
    &self.address
  }

  async fn public_key(&self) -> Result<PublicKey, SecretStorageError> {
    Ok(self.public_key.clone())
  }

  async fn sign(&self, data: &TransactionDataBcs) -> Result<Signature, SecretStorageError> {
    let base64_data = Base64::encode(data);
    let command = format!("keytool sign --address {} --data {base64_data}", self.address);

    self
      .run_iota_cli_command(&command)
      .await
      .and_then(|json| {
        json
          .get("iotaSignature")
          .context("invalid JSON output: missing iotaSignature")?
          .as_str()
          .context("not a JSON string")?
          .parse()
          .map_err(|e| anyhow!("invalid IOTA signature: {e}"))
      })
      .map_err(SecretStorageError::Other)
  }
}

async fn run_iota_cli_command_with_bin(iota_bin: impl AsRef<Path>, args: &str) -> anyhow::Result<Value> {
  let iota_bin = iota_bin.as_ref();

  cfg_if::cfg_if! {
    if #[cfg(not(target_arch = "wasm32"))] {
    let output = tokio::process::Command::new(iota_bin)
      .args(args.split_ascii_whitespace())
      .arg("--json")
      .output()
      .await
      .map_err(|e| anyhow!("failed to run command: {e}"))?;

    if !output.status.success() {
      let err_msg =
        String::from_utf8(output.stderr).map_err(|e| anyhow!("command failed with non-utf8 error message: {e}"))?;
      return Err(anyhow!("failed to run \"iota client active-address\": {err_msg}"));
    }

    serde_json::from_slice(&output.stdout).context("invalid JSON object in command output")
    } else {
      extern "Rust" {
        fn __wasm_exec_iota_cmd(cmd: &str) -> anyhow::Result<Value>;
      }
      let iota_bin = iota_bin.to_str().context("invalid IOTA bin path")?;
      let cmd = format!("{iota_bin} {args} --json");
      unsafe { __wasm_exec_iota_cmd(&cmd) }
    }
  }
}

async fn get_active_address(iota_bin: impl AsRef<Path>) -> anyhow::Result<IotaAddress> {
  run_iota_cli_command_with_bin(iota_bin, "client active-address")
    .await
    .and_then(|value| serde_json::from_value(value).context("failed to parse IotaAddress from output"))
}

async fn get_key(iota_bin: impl AsRef<Path>, address: IotaAddress) -> anyhow::Result<PublicKey> {
  let query = format!("$[?(@.iotaAddress==\"{}\")]", address);

  let pk_json_data = run_iota_cli_command_with_bin(iota_bin, "keytool list")
    .await
    .and_then(|json_value| {
      json_value
        .path(&query)
        .map_err(|e| anyhow!("failed to query JSON output: {e}"))?
        .get_mut(0)
        .context("key not found")
        .map(Value::take)
    })?;
  let Ok(KeytoolPublicKeyHelper {
    public_base64_key,
    flag,
  }) = serde_json::from_value(pk_json_data)
  else {
    return Err(anyhow!("invalid key format"));
  };

  let signature_scheme = SignatureScheme::from_flag_byte(&flag).context(format!("invalid signature flag `{flag}`"))?;
  let pk_bytes = Base64::decode(&public_base64_key).context("invalid base64 encoding for key")?;

  PublicKey::try_from_bytes(signature_scheme, &pk_bytes).map_err(|e| anyhow!("{e:?}"))
}

#[derive(Deserialize)]
#[serde(rename_all = "camelCase")]
struct KeytoolPublicKeyHelper {
  public_base64_key: String,
  flag: u8,
}