feat: WIP new multisig threshold scheme

with a tree like structure allowing nested m of n schemes.

Signed-off-by: Harald Hoyer <[email protected]>

Cargo.toml

@@ -54,6 +54,7 @@ sha2 = "0.10.8"
 signature = "2.2.0"
 teepot = { path = "crates/teepot" }
 testaso = "0.1.0"
+test-log = "0.2.16"
 thiserror = "1.0.59"
 tokio = { version = "1", features = ["sync", "macros", "rt-multi-thread", "fs", "time"] }
 tracing = "0.1"

bin/tee-vault-admin/Cargo.toml

@@ -21,3 +21,6 @@ tracing.workspace = true
 tracing-actix-web.workspace = true
 tracing-log.workspace = true
 tracing-subscriber.workspace = true
+
+[dev-dependencies]
+test-log.workspace = true

bin/tee-vault-admin/src/command.rs

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: Apache-2.0
-// Copyright (c) 2023 Matter Labs
+// Copyright (c) 2023-2024 Matter Labs
 
 //! post commands
 
@@ -14,7 +14,7 @@ use teepot::json::http::{
     VaultCommandRequest, VaultCommandResponse, VaultCommands, VaultCommandsResponse,
 };
 use teepot::json::secrets::{AdminConfig, AdminState};
-use teepot::server::{signatures::VerifySig, HttpResponseError, Status};
+use teepot::server::{HttpResponseError, Status};
 use tracing::instrument;
 
 /// Post command
@@ -52,7 +52,9 @@ pub async fn post_command(
         .await?
         .context("empty admin config")
         .status(StatusCode::BAD_GATEWAY)?;
-    admin_config.check_sigs(&item.signatures, item.commands.as_bytes())?;
+    admin_config
+        .policy
+        .check_sigs(&item.signatures, item.commands.as_bytes())?;
 
     let mut hasher = Sha256::new();
     hasher.update(item.commands.as_bytes());

bin/tee-vault-admin/src/main.rs

@@ -116,6 +116,7 @@ async fn main() -> Result<()> {
 mod tests {
     use serde_json::json;
     use teepot::json::http::{VaultCommand, VaultCommands};
+    use test_log::test;
 
     const TEST_DATA: &str = include_str!("../../../crates/teepot/tests/data/test.json");
 

bin/tee-vault-admin/src/sign.rs

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: Apache-2.0
-// Copyright (c) 2023 Matter Labs
+// Copyright (c) 2023-2024 Matter Labs
 
 //! post signing request
 
@@ -12,7 +12,6 @@ use std::sync::Arc;
 use teepot::client::vault::VaultConnection;
 use teepot::json::http::{SignRequest, SignRequestData, SignResponse};
 use teepot::json::secrets::{AdminConfig, AdminState, SGXSigningKey};
-use teepot::server::signatures::VerifySig as _;
 use teepot::server::{HttpResponseError, Status};
 use teepot::sgx::sign::PrivateKey as _;
 use teepot::sgx::sign::{Author, Signature};
@@ -76,7 +75,9 @@ pub async fn post_sign(
         .await?
         .context("empty admin config")
         .status(StatusCode::BAD_GATEWAY)?;
-    admin_config.check_sigs(&item.signatures, item.sign_request_data.as_bytes())?;
+    admin_config
+        .policy
+        .check_sigs(&item.signatures, item.sign_request_data.as_bytes())?;
 
     let mut hasher = Sha256::new();
     hasher.update(item.sign_request_data.as_bytes());

bin/tee-vault-unseal/src/init.rs

@@ -2,14 +2,11 @@
 // Copyright (c) 2023-2024 Matter Labs
 
 use crate::{get_vault_status, UnsealServerState, Worker};
-use actix_web::error::ErrorBadRequest;
 use actix_web::{web, HttpResponse};
 use anyhow::{anyhow, Context, Result};
 use awc::http::StatusCode;
-use serde_json::json;
 use teepot::client::TeeConnection;
 use teepot::json::http::{Init, InitResponse, VaultInitRequest};
-use teepot::json::secrets::AdminConfig;
 use teepot::server::{HttpResponseError, Status};
 use tracing::{debug, error, info, instrument, trace};
 
@@ -22,8 +19,7 @@ pub async fn post_init(
         pgp_keys,
         secret_shares,
         secret_threshold,
-        admin_pgp_keys,
-        admin_threshold,
+        admin_config,
         admin_tee_mrenclave,
     } = init.into_inner();
     let conn = TeeConnection::new(&worker.vault_attestation);
@@ -36,17 +32,10 @@ pub async fn post_init(
         secret_threshold,
     };
 
-    if admin_threshold < 1 {
-        return Ok(HttpResponse::from_error(ErrorBadRequest(
-            json!({"error": "admin_threshold must be at least 1"}),
-        )));
-    }
-
-    if admin_threshold > admin_pgp_keys.len() {
-        return Ok(HttpResponse::from_error(ErrorBadRequest(
-            json!({"error": "admin_threshold must be less than or equal to the number of admin_pgp_keys"}),
-        )));
-    }
+    admin_config
+        .validate()
+        .context("Invalid admin config")
+        .status(StatusCode::BAD_REQUEST)?;
 
     loop {
         let current_state = worker.state.read().unwrap().clone();
@@ -123,10 +112,7 @@ pub async fn post_init(
     */
 
     *worker.state.write().unwrap() = UnsealServerState::VaultInitialized {
-        admin_config: AdminConfig {
-            admin_pgp_keys,
-            admin_threshold,
-        },
+        admin_config,
         admin_tee_mrenclave,
         root_token,
     };

bin/vault-unseal/Cargo.toml

@@ -9,7 +9,6 @@ repository.workspace = true
 [dependencies]
 actix-web.workspace = true
 anyhow.workspace = true
-base64.workspace = true
 clap.workspace = true
 serde_json.workspace = true
 teepot.workspace = true