Merge pull request #1 from courtyard-nft/devin/1744245257-migrate-kms-signer-tests

[ENG-xxx] Migrate KMS signer tests and set up CI

Author: jpetrich

.github/workflows/ci.yml

@@ -0,0 +1,60 @@
+name: Go
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.head_ref }}
+          fetch-depth: 0
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v1
+        with:
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+  
+      - name: Set up gcloud (for KMS client lib to auth)
+        uses: google-github-actions/setup-gcloud@v1
+        with:
+          project_id: courtyard-frontend
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.24.1
+
+      - name: Lint Go files
+        run: |
+          find . -name '*.go' | xargs gofmt -d -s -w
+          if ! git diff-index --quiet HEAD --; then
+              echo "Code style issues found. Please run 'go fmt ./...' locally and commit changes."
+              exit 1
+          fi
+
+      - name: Build
+        run: go build -v ./...
+
+      - name: Run unit tests
+        env:
+          GOOGLE_CLOUD_PROJECT: courtyard-frontend
+          TEST_KMS_KEY_NAME: ${{ secrets.KMS_KEY_NAME }}
+        run: go test -v -timeout 120s ./... -short
+
+      - name: Run integration tests
+        env:
+          GOOGLE_CLOUD_PROJECT: courtyard-frontend
+          TEST_KMS_KEY_NAME: ${{ secrets.KMS_KEY_NAME }}
+        run: go test -v -timeout 300s ./... -run "TestKMSSigner(Integration|Retry)"

go.mod

@@ -6,6 +6,7 @@ require (
 	cloud.google.com/go/kms v1.21.1
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/ethereum/go-ethereum v1.15.7
+	github.com/stretchr/testify v1.10.0
 )
 
 require (
@@ -22,6 +23,7 @@ require (
 	github.com/consensys/gnark-crypto v0.14.0 // indirect
 	github.com/crate-crypto/go-ipa v0.0.0-20240724233137-53bbb0ceb27a // indirect
 	github.com/crate-crypto/go-kzg-4844 v1.1.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/deckarep/golang-set/v2 v2.6.0 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 // indirect
 	github.com/ethereum/c-kzg-4844 v1.0.0 // indirect
@@ -38,6 +40,7 @@ require (
 	github.com/gorilla/websocket v1.4.2 // indirect
 	github.com/holiman/uint256 v1.3.2 // indirect
 	github.com/mmcloughlin/addchain v0.4.0 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/shirou/gopsutil v3.21.4-0.20210419000835-c7a38de76ee5+incompatible // indirect
 	github.com/supranational/blst v0.3.14 // indirect
 	github.com/tklauser/go-sysconf v0.3.12 // indirect
@@ -61,5 +64,6 @@ require (
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250227231956-55c901821b1e // indirect
 	google.golang.org/grpc v1.71.0 // indirect
 	google.golang.org/protobuf v1.36.5 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 	rsc.io/tmplfunc v0.0.3 // indirect
 )

go.sum

@@ -261,6 +261,9 @@ google.golang.org/grpc v1.71.0 h1:kF77BGdPTQ4/JZWMlb9VpJ5pa25aqvVqogsxNHHdeBg=
 google.golang.org/grpc v1.71.0/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
 google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
 google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=

kms_signer.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/ecdsa"
 	"crypto/elliptic"
-	"crypto/x509"
 	"encoding/asn1"
 	"encoding/pem"
 	"fmt"
@@ -106,23 +105,32 @@ func (s *KMSSigner) fetchAndCachePublicKey(ctx context.Context) error {
 		return fmt.Errorf("failed to get public key from KMS: %w", err)
 	}
 
-	// Parse the PEM-encoded public key
 	block, _ := pem.Decode([]byte(pubKeyResp.Pem))
 	if block == nil {
 		return fmt.Errorf("failed to decode PEM block containing public key")
 	}
-	if block.Type != "PUBLIC KEY" {
-		return fmt.Errorf("invalid PEM block type: %s", block.Type)
+
+	// Parse the ASN.1 structure
+	var spki struct {
+		Algorithm struct {
+			Algorithm  asn1.ObjectIdentifier
+			Parameters asn1.ObjectIdentifier
+		}
+		PublicKey asn1.BitString
+	}
+	if _, err := asn1.Unmarshal(block.Bytes, &spki); err != nil {
+		return fmt.Errorf("failed to parse ASN.1 structure: %w", err)
 	}
 
-	// Parse the public key using standard library functions
-	genericPubKey, err := x509.ParsePKIXPublicKey(block.Bytes)
-	if err != nil {
-		return fmt.Errorf("failed to parse PKIX public key: %w", err)
+	// Convert the public key bytes to ECDSA public key
+	x, y := elliptic.Unmarshal(crypto.S256(), spki.PublicKey.Bytes)
+	if x == nil {
+		return fmt.Errorf("failed to unmarshal public key")
 	}
-	parsedPubKey, ok := genericPubKey.(*ecdsa.PublicKey)
-	if !ok {
-		return fmt.Errorf("key is not an ECDSA public key")
+	parsedPubKey := &ecdsa.PublicKey{
+		Curve: crypto.S256(),
+		X:     x,
+		Y:     y,
 	}
 
 	// Validate the curve
@@ -235,71 +243,63 @@ func (s *KMSSigner) signAttempt(ctx context.Context, message []byte) ([]byte, er
 // `hash` is the original message hash that was signed.
 // `pubKey` is the public key corresponding to the KMS key used for signing.
 func derToEthereumSignature(derSig, hash []byte, pubKey *ecdsa.PublicKey) ([]byte, error) {
+	// DER signature structure
 	var sig struct {
 		R, S *big.Int
 	}
+
+	// Decode DER signature
 	if _, err := asn1.Unmarshal(derSig, &sig); err != nil {
 		return nil, fmt.Errorf("failed to unmarshal DER signature: %w", err)
 	}
 
-	// Ensure S is in the lower half of the curve order (prevents malleability)
-	// As per EIP-2: https://github.com/ethereum/EIPs/blob/master/EIPS/eip-2.md
-	curveOrder := crypto.S256().Params().N
-	if sig.S.Cmp(new(big.Int).Div(curveOrder, big.NewInt(2))) > 0 {
-		sig.S.Sub(curveOrder, sig.S)
-	}
+	// Create the signature
+	signature := make([]byte, 65)
 
+	// Fill R and S values
 	rBytes := sig.R.Bytes()
 	sBytes := sig.S.Bytes()
 
-	// Ethereum signature format [R (32 bytes) || S (32 bytes) || V (1 byte)]
-	signature := make([]byte, 65)
-
-	// Left-pad R and S to 32 bytes
+	// Ensure R and S are exactly 32 bytes
 	copy(signature[32-len(rBytes):32], rBytes)
 	copy(signature[64-len(sBytes):64], sBytes)
 
-	// Calculate recovery ID (V)
-	// V = 27 + recovery_id (where recovery_id is 0 or 1)
-	// Reference: go-ethereum/crypto/signature_nocgo.go's Sign function logic
-
-	// We need to try both possible recovery IDs (0 and 1) and see which one
-	// recovers the correct public key.
-	var recoveredPubKey *ecdsa.PublicKey
-
-	// Try V = 27 (recovery ID = 0)
-	signature[64] = 0 // Use 0 for Ecrecover's V parameter
-	recPubBytes, err := crypto.Ecrecover(hash, signature)
-	// Need to handle errors from Ecrecover carefully
-	if err == nil {
-		// Unmarshal the recovered public key bytes (format: 0x04 || X || Y)
-		x, y := elliptic.Unmarshal(crypto.S256(), recPubBytes)
-		if x != nil { // Check if unmarshal was successful
-			recoveredPubKey = &ecdsa.PublicKey{Curve: crypto.S256(), X: x, Y: y}
-			if recoveredPubKey.X.Cmp(pubKey.X) == 0 && recoveredPubKey.Y.Cmp(pubKey.Y) == 0 {
-				signature[64] = 27 // Set Ethereum V
-				return signature, nil
-			}
-		}
+	// Try v = 0
+	signature[64] = 0x0
+	if verifySignature(pubKey, hash, signature) {
+		signature[64] = 0x1b // Ethereum signature requires 27 added to v
+		return signature, nil
 	}
 
-	// Try V = 28 (recovery ID = 1)
-	signature[64] = 1 // Use 1 for Ecrecover's V parameter
-	recPubBytes, err = crypto.Ecrecover(hash, signature)
-	if err == nil {
-		// Unmarshal the recovered public key bytes
-		x, y := elliptic.Unmarshal(crypto.S256(), recPubBytes)
-		if x != nil { // Check if unmarshal was successful
-			recoveredPubKey = &ecdsa.PublicKey{Curve: crypto.S256(), X: x, Y: y}
-			if recoveredPubKey.X.Cmp(pubKey.X) == 0 && recoveredPubKey.Y.Cmp(pubKey.Y) == 0 {
-				signature[64] = 28 // Set Ethereum V
-				return signature, nil
-			}
-		}
+	// Try v = 1
+	signature[64] = 0x1
+	if verifySignature(pubKey, hash, signature) {
+		signature[64] = 0x1c // Ethereum signature requires 27 added to v
+		return signature, nil
+	}
+
+	return nil, fmt.Errorf("failed to determine correct recovery ID")
+}
+
+// verifySignature checks if a signature is valid for a given public key and hash
+func verifySignature(pubKey *ecdsa.PublicKey, hash, sig []byte) bool {
+	// Try to recover the public key
+	recoveredPub, err := crypto.Ecrecover(hash, sig)
+	if err != nil {
+		return false
+	}
+
+	// Convert recovered public key using crypto/ecdh
+	x, y := new(big.Int), new(big.Int)
+	x.SetBytes(recoveredPub[1:33])
+	y.SetBytes(recoveredPub[33:])
+	recoveredKey := &ecdsa.PublicKey{
+		X: x,
+		Y: y,
 	}
 
-	// If neither recovery ID worked, something is wrong.
-	return nil, fmt.Errorf("failed to determine correct recovery ID (V) for signature")
+	// Compare public keys
+	return recoveredKey.X.Cmp(pubKey.X) == 0 && recoveredKey.Y.Cmp(pubKey.Y) == 0
 }
 
 // SignerFn returns a `bind.SignerFn` compatible function for use with go-ethereum contract bindings.

kms_signer_integration_test.go

@@ -0,0 +1,103 @@
+package signer
+
+import (
+	"context"
+	"os"
+	"sync"
+	"testing"
+
+	"github.com/ethereum/go-ethereum/crypto"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+type TestKeyConfig struct {
+	KeyName string
+}
+
+func getTestKeyConfig(t *testing.T) TestKeyConfig {
+	keyName := os.Getenv("TEST_KMS_KEY_NAME")
+	if keyName == "" {
+		t.Skip("TEST_KMS_KEY_NAME not set, skipping integration test")
+	}
+
+	return TestKeyConfig{
+		KeyName: keyName,
+	}
+}
+
+func TestKMSSignerIntegration(t *testing.T) {
+	config := getTestKeyConfig(t)
+	ctx := context.Background()
+
+	signer, err := NewKMSSigner(ctx, KMSSignerConfig(config))
+	require.NoError(t, err)
+	defer signer.Close()
+
+	tests := []struct {
+		name    string
+		message []byte
+	}{
+		{
+			name:    "Simple message",
+			message: []byte("Hello, world!"),
+		},
+		{
+			name:    "Empty message",
+			message: []byte{},
+		},
+		{
+			name:    "Long message",
+			message: []byte("Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua."),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			hash := crypto.Keccak256(tt.message)
+			signature, err := signer.Sign(ctx, hash)
+			require.NoError(t, err)
+
+			assert.Equal(t, 65, len(signature))
+
+			assert.True(t, signature[64] >= 27, "v value should be >= 27")
+			sigCopy := make([]byte, len(signature))
+			copy(sigCopy, signature)
+			sigCopy[64] -= 27
+
+			_, err = crypto.Ecrecover(hash, sigCopy)
+			assert.NoError(t, err, "should be able to recover public key from signature")
+		})
+	}
+}
+
+func TestKMSSignerIntegrationRetry(t *testing.T) {
+	config := getTestKeyConfig(t)
+	ctx := context.Background()
+
+	signer, err := NewKMSSigner(ctx, KMSSignerConfig(config))
+	require.NoError(t, err)
+	defer signer.Close()
+
+	message := []byte("Test message for concurrent signing")
+	hash := crypto.Keccak256(message)
+	var wg sync.WaitGroup
+	numConcurrent := 5
+	results := make(chan error, numConcurrent)
+
+	for i := 0; i < numConcurrent; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			_, err := signer.Sign(ctx, hash)
+			results <- err
+		}()
+	}
+
+	wg.Wait()
+	close(results)
+
+	for err := range results {
+		assert.NoError(t, err, "concurrent signing operation should succeed")
+	}
+}