Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for external signing #53

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Add support for external signing #53

wants to merge 2 commits into from

Conversation

ximinez
Copy link
Contributor

@ximinez ximinez commented Apr 9, 2024

This change, if merged, adds support for external signing tools, such as an HSM (Hardware Security Module).

Additionally:

Outline of steps to use this new functionality:

One-time setup

  1. Obtain the public key of the external tool, it can be encoded in the rippled format (e.g. nHBQi...), hex encoded, or base-64 encoded. Either way, the key must be 33 bytes decoded, and the first byte must be 0xED for an ed25519 key, and 0x02 or 0x03 for a secp256k1 key.
  2. Run validator-keys create_external <encoded_public_key>

Usage

  1. Run validator-keys start_token. This will return a hex encoded string to sign.
  2. Sign the string from step 3 using the external tool. The resulting signature must be hex encoded or base-64 encoded.
  3. Run validator-keys finish_token <encoded_signature>
  4. The result will be a token that can be copied to your rippled.cfg file just as if it was generated with create_token.

The steps to revoke a key are identical to the Usage steps, except using the start_revoke_keys and finish_revoke_keys commands.

For testing, if you don't have an HSM handy, you can accomplish the same thing in Usage step 2 using validator-keys --keyfile <path to a key file generated with create_keys> sign_hex <partial token output from Usage step 1>

@ximinez
Update xrpl version to fix standalone build
cbc494d 
* The rest of the code was updated in ripple#54 (89ab7e5) to allow for
  a combined build for the next version of rippled. Unfortunately, this
  broke the standalone build. Point conan at the latest beta so the
  build can work.
* This will need to be updated again after rippled 2.3 is released.
@ximinez
Add support for external signing
c7b9e50 
* Also add a "sign_hex" command to sign non-printable data.
* Include unit tests for external signing support functions.
* Because this is a significant change, and this project is not updated
  often, increment the version number.
* Resolves ripple#48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thejohnfreeman thejohnfreeman Awaiting requested review from thejohnfreeman

Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support signing via a third party signer
1 participant
@ximinez