feat: WIP new multisig threshold scheme

with a tree like structure allowing nested m of n schemes. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2025-07-23 07:54:48 +02:00 · 2024-08-06 09:37:30 +02:00 · 2024-08-06 09:37:30 +02:00 · e2b64d5519
commit e2b64d5519
parent 8ce8f5bccb
19 changed files with 1138 additions and 173 deletions
--- a/bin/tee-vault-admin/Cargo.toml
+++ b/bin/tee-vault-admin/Cargo.toml
@ -21,3 +21,6 @@ tracing.workspace = true
 tracing-actix-web.workspace = true
 tracing-log.workspace = true
 tracing-subscriber.workspace = true
+
+[dev-dependencies]
+test-log.workspace = true
--- a/bin/tee-vault-admin/src/command.rs
+++ b/bin/tee-vault-admin/src/command.rs
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: Apache-2.0
-// Copyright (c) 2023 Matter Labs
+// Copyright (c) 2023-2024 Matter Labs

 //! post commands

@ -14,7 +14,7 @@ use teepot::json::http::{
    VaultCommandRequest, VaultCommandResponse, VaultCommands, VaultCommandsResponse,
 };
 use teepot::json::secrets::{AdminConfig, AdminState};
-use teepot::server::{signatures::VerifySig, HttpResponseError, Status};
+use teepot::server::{HttpResponseError, Status};
 use tracing::instrument;

 /// Post command
@ -52,7 +52,9 @@ pub async fn post_command(
        .await?
        .context("empty admin config")
        .status(StatusCode::BAD_GATEWAY)?;
-    admin_config.check_sigs(&item.signatures, item.commands.as_bytes())?;
+    admin_config
+        .policy
+        .check_sigs(&item.signatures, item.commands.as_bytes())?;

    let mut hasher = Sha256::new();
    hasher.update(item.commands.as_bytes());
--- a/bin/tee-vault-admin/src/main.rs
+++ b/bin/tee-vault-admin/src/main.rs
@ -116,6 +116,7 @@ async fn main() -> Result<()> {
 mod tests {
    use serde_json::json;
    use teepot::json::http::{VaultCommand, VaultCommands};
+    use test_log::test;

    const TEST_DATA: &str = include_str!("../../../crates/teepot/tests/data/test.json");

--- a/bin/tee-vault-admin/src/sign.rs
+++ b/bin/tee-vault-admin/src/sign.rs
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: Apache-2.0
-// Copyright (c) 2023 Matter Labs
+// Copyright (c) 2023-2024 Matter Labs

 //! post signing request

@ -12,7 +12,6 @@ use std::sync::Arc;
 use teepot::client::vault::VaultConnection;
 use teepot::json::http::{SignRequest, SignRequestData, SignResponse};
 use teepot::json::secrets::{AdminConfig, AdminState, SGXSigningKey};
-use teepot::server::signatures::VerifySig as _;
 use teepot::server::{HttpResponseError, Status};
 use teepot::sgx::sign::PrivateKey as _;
 use teepot::sgx::sign::{Author, Signature};
@ -76,7 +75,9 @@ pub async fn post_sign(
        .await?
        .context("empty admin config")
        .status(StatusCode::BAD_GATEWAY)?;
-    admin_config.check_sigs(&item.signatures, item.sign_request_data.as_bytes())?;
+    admin_config
+        .policy
+        .check_sigs(&item.signatures, item.sign_request_data.as_bytes())?;

    let mut hasher = Sha256::new();
    hasher.update(item.sign_request_data.as_bytes());