feat(server): integrity envelope engine for EVM grants with HMAC verification

2026-04-04 21:52:50 +02:00
parent f5eb51978d
commit 4057c1fc12
20 changed files with 889 additions and 32 deletions
--- a/server/crates/arbiter-server/src/actors/evm/mod.rs
+++ b/server/crates/arbiter-server/src/actors/evm/mod.rs
@@ -7,7 +7,7 @@ use kameo::{Actor, actor::ActorRef, messages};
 use rand::{SeedableRng, rng, rngs::StdRng};

 use crate::{
-    actors::keyholder::{CreateNew, Decrypt, KeyHolder},
+    actors::keyholder::{CreateNew, Decrypt, GetState, KeyHolder, KeyHolderState},
    db::{
        DatabaseError, DatabasePool,
        models::{self, SqliteTimestamp},
@@ -20,6 +20,7 @@ use crate::{
            ether_transfer::EtherTransfer, token_transfers::TokenTransfer,
        },
    },
+    integrity,
    safe_cell::{SafeCell, SafeCellHandle as _},
 };

@@ -56,6 +57,10 @@ pub enum Error {

    #[error("Database error: {0}")]
    Database(#[from] DatabaseError),
+
+    #[error("Vault is sealed")]
+    #[diagnostic(code(arbiter::evm::vault_sealed))]
+    VaultSealed,
 }

 #[derive(Actor)]
@@ -71,7 +76,7 @@ impl EvmActor {
        // is it safe to seed rng from system once?
        // todo: audit
        let rng = StdRng::from_rng(&mut rng());
-        let engine = evm::Engine::new(db.clone());
+        let engine = evm::Engine::new(db.clone(), keyholder.clone());
        Self {
            keyholder,
            db,
@@ -79,6 +84,20 @@ impl EvmActor {
            engine,
        }
    }
+
+    async fn ensure_unsealed(&self) -> Result<(), Error> {
+        let state = self
+            .keyholder
+            .ask(GetState)
+            .await
+            .map_err(|_| Error::KeyholderSend)?;
+
+        if state != KeyHolderState::Unsealed {
+            return Err(Error::VaultSealed);
+        }
+
+        Ok(())
+    }
 }

 #[messages]
@@ -132,7 +151,9 @@ impl EvmActor {
        &mut self,
        basic: SharedGrantSettings,
        grant: SpecificGrant,
-    ) -> Result<i32, DatabaseError> {
+    ) -> Result<i32, Error> {
+        self.ensure_unsealed().await?;
+
        match grant {
            SpecificGrant::EtherTransfer(settings) => {
                self.engine
@@ -141,6 +162,7 @@ impl EvmActor {
                        specific: settings,
                    })
                    .await
+                    .map_err(Error::from)
            }
            SpecificGrant::TokenTransfer(settings) => {
                self.engine
@@ -149,29 +171,43 @@ impl EvmActor {
                        specific: settings,
                    })
                    .await
+                    .map_err(Error::from)
            }
        }
    }

    #[message]
    pub async fn useragent_delete_grant(&mut self, grant_id: i32) -> Result<(), Error> {
+        self.ensure_unsealed().await?;
+
        let mut conn = self.db.get().await.map_err(DatabaseError::from)?;
-        diesel::update(schema::evm_basic_grant::table)
-            .filter(schema::evm_basic_grant::id.eq(grant_id))
-            .set(schema::evm_basic_grant::revoked_at.eq(SqliteTimestamp::now()))
-            .execute(&mut conn)
-            .await
-            .map_err(DatabaseError::from)?;
+        let keyholder = self.keyholder.clone();
+
+        diesel_async::AsyncConnection::transaction(&mut conn, |conn| {
+            Box::pin(async move {
+                diesel::update(schema::evm_basic_grant::table)
+                    .filter(schema::evm_basic_grant::id.eq(grant_id))
+                    .set(schema::evm_basic_grant::revoked_at.eq(SqliteTimestamp::now()))
+                    .execute(conn)
+                    .await?;
+
+                let signed = integrity::evm::load_signed_grant_by_basic_id(conn, grant_id).await?;
+                integrity::sign_entity(conn, &keyholder, &signed)
+                    .await
+                    .map_err(|_| diesel::result::Error::RollbackTransaction)?;
+
+                diesel::result::QueryResult::Ok(())
+            })
+        })
+        .await
+        .map_err(DatabaseError::from)?;
+
        Ok(())
    }

    #[message]
    pub async fn useragent_list_grants(&mut self) -> Result<Vec<Grant<SpecificGrant>>, Error> {
-        Ok(self
-            .engine
-            .list_all_grants()
-            .await
-            .map_err(DatabaseError::from)?)
+        Ok(self.engine.list_all_grants().await?)
    }

    #[message]
--- a/server/crates/arbiter-server/src/actors/keyholder/mod.rs
+++ b/server/crates/arbiter-server/src/actors/keyholder/mod.rs
@@ -4,7 +4,9 @@ use diesel::{
    dsl::{insert_into, update},
 };
 use diesel_async::{AsyncConnection, RunQueryDsl};
+use hmac::{Hmac, Mac as _};
 use kameo::{Actor, Reply, messages};
+use sha2::Sha256;
 use strum::{EnumDiscriminants, IntoDiscriminant};
 use tracing::{error, info};

@@ -24,6 +26,13 @@ use crate::{
    },
    safe_cell::SafeCellHandle as _,
 };
+use encryption::v1::{self, KeyCell, Nonce};
+
+type HmacSha256 = Hmac<Sha256>;
+
+const INTEGRITY_SUBKEY_TAG: &[u8] = b"arbiter/db-integrity-key/v1";
+
+pub mod encryption;

 #[derive(Default, EnumDiscriminants)]
 #[strum_discriminants(derive(Reply), vis(pub), name(KeyHolderState))]
@@ -133,6 +142,19 @@ impl KeyHolder {
        Ok(nonce)
    }

+    fn derive_integrity_key(root_key: &mut KeyCell) -> [u8; 32] {
+        root_key.0.read_inline(|root_key_bytes| {
+            let mut hmac = match HmacSha256::new_from_slice(root_key_bytes.as_slice()) {
+                Ok(v) => v,
+                Err(_) => unreachable!("HMAC accepts keys of any size"),
+            };
+            hmac.update(INTEGRITY_SUBKEY_TAG);
+            let mut out = [0u8; 32];
+            out.copy_from_slice(&hmac.finalize().into_bytes());
+            out
+        })
+    }
+
    #[message]
    pub async fn bootstrap(&mut self, seal_key_raw: SafeCell<Vec<u8>>) -> Result<(), Error> {
        if !matches!(self.state, State::Unbootstrapped) {
@@ -339,6 +361,59 @@ impl KeyHolder {
        self.state.discriminant()
    }

+    #[message]
+    pub fn sign_integrity(&mut self, mac_input: Vec<u8>) -> Result<(i32, Vec<u8>), Error> {
+        let State::Unsealed {
+            root_key,
+            root_key_history_id,
+        } = &mut self.state
+        else {
+            return Err(Error::NotBootstrapped);
+        };
+
+        let integrity_key = Self::derive_integrity_key(root_key);
+
+        let mut hmac = match HmacSha256::new_from_slice(&integrity_key) {
+            Ok(v) => v,
+            Err(_) => unreachable!("HMAC accepts keys of any size"),
+        };
+        hmac.update(&root_key_history_id.to_be_bytes());
+        hmac.update(&mac_input);
+
+        let mac = hmac.finalize().into_bytes().to_vec();
+        Ok((*root_key_history_id, mac))
+    }
+
+    #[message]
+    pub fn verify_integrity(
+        &mut self,
+        mac_input: Vec<u8>,
+        expected_mac: Vec<u8>,
+        key_version: i32,
+    ) -> Result<bool, Error> {
+        let State::Unsealed {
+            root_key,
+            root_key_history_id,
+        } = &mut self.state
+        else {
+            return Err(Error::NotBootstrapped);
+        };
+
+        if *root_key_history_id != key_version {
+            return Ok(false);
+        }
+
+        let integrity_key = Self::derive_integrity_key(root_key);
+        let mut hmac = match HmacSha256::new_from_slice(&integrity_key) {
+            Ok(v) => v,
+            Err(_) => unreachable!("HMAC accepts keys of any size"),
+        };
+        hmac.update(&key_version.to_be_bytes());
+        hmac.update(&mac_input);
+
+        Ok(hmac.verify_slice(&expected_mac).is_ok())
+    }
+
    #[message]
    pub fn seal(&mut self) -> Result<(), Error> {
        let State::Unsealed {
--- a/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
+++ b/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
@@ -120,6 +120,15 @@ pub enum SignTransactionError {
    Internal,
 }

+#[derive(Debug, Error)]
+pub enum GrantMutationError {
+    #[error("Vault is sealed")]
+    VaultSealed,
+
+    #[error("Internal grant mutation error")]
+    Internal,
+}
+
 #[messages]
 impl UserAgentSession {
    #[message]
@@ -331,7 +340,7 @@ impl UserAgentSession {
        &mut self,
        basic: crate::evm::policies::SharedGrantSettings,
        grant: crate::evm::policies::SpecificGrant,
-    ) -> Result<i32, Error> {
+    ) -> Result<i32, GrantMutationError> {
        match self
            .props
            .actors
@@ -340,15 +349,21 @@ impl UserAgentSession {
            .await
        {
            Ok(grant_id) => Ok(grant_id),
+            Err(SendError::HandlerError(crate::actors::evm::Error::VaultSealed)) => {
+                Err(GrantMutationError::VaultSealed)
+            }
            Err(err) => {
                error!(?err, "EVM grant create failed");
-                Err(Error::internal("Failed to create EVM grant"))
+                Err(GrantMutationError::Internal)
            }
        }
    }

    #[message]
-    pub(crate) async fn handle_grant_delete(&mut self, grant_id: i32) -> Result<(), Error> {
+    pub(crate) async fn handle_grant_delete(
+        &mut self,
+        grant_id: i32,
+    ) -> Result<(), GrantMutationError> {
        match self
            .props
            .actors
@@ -357,9 +372,12 @@ impl UserAgentSession {
            .await
        {
            Ok(()) => Ok(()),
+            Err(SendError::HandlerError(crate::actors::evm::Error::VaultSealed)) => {
+                Err(GrantMutationError::VaultSealed)
+            }
            Err(err) => {
                error!(?err, "EVM grant delete failed");
-                Err(Error::internal("Failed to delete EVM grant"))
+                Err(GrantMutationError::Internal)
            }
        }
    }