Add KMS Support for Guardian Node

.gitignore

@@ -24,3 +24,5 @@ bigtable-writer.json
 /solana/artifacts-testnet/
 /solana/artifacts-devnet/
 /solana/artifacts-mainnet/
+go.work
+go.work.sum

clients/js/package.json

@@ -9,6 +9,7 @@
     "@improbable-eng/grpc-web-node-http-transport": "^0.15.0",
     "@solana/web3.js": "^1.22.0",
     "@terra-money/terra.js": "^1.8.9",
+    "@google-cloud/kms": "^3.0.1",
     "axios": "^0.24.0",
     "binary-parser": "^2.0.2",
     "bn.js": "^5.2.0",

clients/js/tsfmt.json

@@ -1,5 +1,5 @@
 {
-  "indentSize": 2,
+  "indentSize": 4,
   "tabSize": 2,
   "insertSpaceAfterOpeningAndBeforeClosingTemplateStringBraces": false,
   "placeOpenBraceOnNewLineForFunctions": false,

clients/js/vaa.ts

@@ -562,7 +562,7 @@ function portalRegisterChainParser<Module extends "NFTBridge" | "TokenBridge">(m
             greedy: true,
             assert: str => str === ""
         })
-)
+    )
 }
 
 function serialisePortalRegisterChain<Module extends "NFTBridge" | "TokenBridge">(payload: PortalRegisterChain<Module>): string {

node/cmd/guardiand/node.go

@@ -15,6 +15,7 @@ import (
 
 	"github.com/certusone/wormhole/node/pkg/alephium"
 	"github.com/certusone/wormhole/node/pkg/db"
+	"github.com/certusone/wormhole/node/pkg/ecdsasigner"
 	"github.com/certusone/wormhole/node/pkg/ethereum"
 	"github.com/certusone/wormhole/node/pkg/notify/discord"
 	"github.com/certusone/wormhole/node/pkg/telemetry"
@@ -151,6 +152,9 @@ var (
 	bigTableTableName          *string
 	bigTableTopicName          *string
 	bigTableKeyPath            *string
+
+	cloudKMSEnabled *bool
+	cloudKMSKeyName *string
 )
 
 func init() {
@@ -263,7 +267,9 @@ func init() {
 	bigTableInstanceName = NodeCmd.Flags().String("bigTableInstanceName", "", "BigTable instance name for storing events")
 	bigTableTableName = NodeCmd.Flags().String("bigTableTableName", "", "BigTable table name to store events in")
 	bigTableTopicName = NodeCmd.Flags().String("bigTableTopicName", "", "GCP topic name to publish to")
-	bigTableKeyPath = NodeCmd.Flags().String("bigTableKeyPath", "", "Path to json Service Account key")
+
+	cloudKMSEnabled = NodeCmd.Flags().Bool("cloudKMSEnabled", false, "Turn on Cloud KMS support for Guardian Key")
+	cloudKMSKeyName = NodeCmd.Flags().String("cloudKMSKeyName", "", "Cloud KMS key name for Guardian Key")
 }
 
 var (
@@ -588,8 +594,10 @@ func runNode(cmd *cobra.Command, args []string) {
 		if *bigTableTopicName == "" {
 			logger.Fatal("Please specify --bigTableTopicName")
 		}
-		if *bigTableKeyPath == "" {
-			logger.Fatal("Please specify --bigTableKeyPath")
+	}
+	if *cloudKMSEnabled {
+		if *cloudKMSKeyName == "" {
+			logger.Fatal("Please specify --cloudKMSKeyName")
 		}
 	}
 
@@ -689,12 +697,25 @@ func runNode(cmd *cobra.Command, args []string) {
 	defer db.Close()
 
 	// Guardian key
-	gk, err := loadGuardianKey(*guardianKeyPath)
-	if err != nil {
-		logger.Fatal("failed to load guardian key", zap.Error(err))
+	var guardianSigner ecdsasigner.ECDSASigner
+	if *cloudKMSEnabled {
+		bCtx := context.Background()
+		kmsClient, err := ecdsasigner.NewKMSClient(bCtx, *cloudKMSKeyName)
+		if err != nil {
+			log.Fatalf("Failed to setup KMS client: %v", err)
+		}
+		defer kmsClient.Client.Close()
+		guardianSigner = kmsClient
+	} else {
+		gk, err := loadGuardianKey(*guardianKeyPath)
+		if err != nil {
+			logger.Fatal("Failed to load guardian key from file", zap.Error(err))
+		}
+		guardianSigner = &ecdsasigner.ECDSAPrivateKey{Value: gk}
 	}
 
-	guardianAddr := ethcrypto.PubkeyToAddress(gk.PublicKey).String()
+	guardianPubkey := guardianSigner.PublicKey()
+	guardianAddr := ethcrypto.PubkeyToAddress(guardianPubkey).String()
 	logger.Info("Loaded guardian key", zap.String(
 		"address", guardianAddr))
 
@@ -859,7 +880,7 @@ func runNode(cmd *cobra.Command, args []string) {
 	// Run supervisor.
 	supervisor.New(rootCtx, logger, func(ctx context.Context) error {
 		if err := supervisor.Run(ctx, "p2p", p2p.Run(
-			obsvC, obsvReqC, obsvReqSendC, sendC, signedInC, priv, gk, gst, *p2pPort, *p2pNetworkID, *p2pBootstrap, *nodeName, *disableHeartbeatVerify, rootCtxCancel)); err != nil {
+			obsvC, obsvReqC, obsvReqSendC, sendC, signedInC, priv, guardianSigner, gst, *p2pPort, *p2pNetworkID, *p2pBootstrap, *nodeName, *disableHeartbeatVerify, rootCtxCancel)); err != nil {
 			return err
 		}
 
@@ -979,7 +1000,7 @@ func runNode(cmd *cobra.Command, args []string) {
 			obsvC,
 			injectC,
 			signedInC,
-			gk,
+			guardianSigner,
 			gst,
 			attestationEvents,
 			notifier,
@@ -1008,7 +1029,6 @@ func runNode(cmd *cobra.Command, args []string) {
 				GcpInstanceName: *bigTableInstanceName,
 				TableName:       *bigTableTableName,
 				TopicName:       *bigTableTopicName,
-				GcpKeyFilePath:  *bigTableKeyPath,
 			}
 			if err := supervisor.Run(ctx, "bigtable", reporter.BigTableWriter(attestationEvents, bigTableConnection)); err != nil {
 				return err

node/go.mod

@@ -49,14 +49,14 @@ require (
 )
 
 require (
+	cloud.google.com/go/kms v1.0.0
 	cloud.google.com/go/logging v1.4.2
 	cloud.google.com/go/pubsub v1.17.1
 	github.com/alephium/go-sdk v0.0.0-20220919082855-4fb3b6e48fc7
 	github.com/algorand/go-algorand-sdk v1.15.0
 	github.com/blendle/zapdriver v1.3.1
 	github.com/btcsuite/btcutil v1.0.3-0.20201208143702-a53e38424cce
 	github.com/cosmos/cosmos-sdk v0.44.5
-	github.com/go-delve/delve v1.9.1
 	github.com/go-test/deep v1.0.8
 	github.com/google/uuid v1.3.0
 	github.com/libp2p/go-libp2p-core v0.20.0
@@ -83,23 +83,19 @@ require (
 	github.com/cespare/xxhash v1.1.0 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/cheekybits/genny v1.0.0 // indirect
-	github.com/cilium/ebpf v0.7.0 // indirect
 	github.com/confio/ics23/go v0.6.6 // indirect
 	github.com/containerd/cgroups v1.0.4 // indirect
 	github.com/coreos/go-systemd/v22 v22.3.2 // indirect
-	github.com/cosiner/argv v0.1.0 // indirect
 	github.com/cosmos/btcutil v1.0.4 // indirect
 	github.com/cosmos/go-bip39 v1.0.0 // indirect
 	github.com/cosmos/iavl v0.17.3 // indirect
 	github.com/cosmos/ibc-go v1.1.3 // indirect
 	github.com/cosmos/ledger-cosmos-go v0.11.1 // indirect
 	github.com/cosmos/ledger-go v0.9.2 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect
 	github.com/danieljoos/wincred v1.0.2 // indirect
 	github.com/davidlazar/go-crypto v0.0.0-20200604182044-b73af7476f6c // indirect
 	github.com/deckarep/golang-set v0.0.0-20180603214616-504e848d77ea // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.1.0 // indirect
-	github.com/derekparker/trie v0.0.0-20200317170641-1fdf38b7b0e9 // indirect
 	github.com/dfuse-io/binary v0.0.0-20210216024852-4ae6830a495d // indirect
 	github.com/dfuse-io/logging v0.0.0-20210109005628-b97a57253f70 // indirect
 	github.com/dgraph-io/badger/v2 v2.2007.2 // indirect
@@ -116,7 +112,6 @@ require (
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/gballet/go-libpcsclite v0.0.0-20190607065134-2772fd86a8ff // indirect
 	github.com/gin-gonic/gin v1.7.7 // indirect
-	github.com/go-delve/liner v1.2.3-0.20220127212407-d32d89dd2a5d // indirect
 	github.com/go-kit/kit v0.10.0 // indirect
 	github.com/go-logfmt/logfmt v0.5.1 // indirect
 	github.com/go-ole/go-ole v1.2.5 // indirect
@@ -134,7 +129,6 @@ require (
 	github.com/google/btree v1.0.1 // indirect
 	github.com/google/flatbuffers v1.12.0 // indirect
 	github.com/google/go-cmp v0.5.8 // indirect
-	github.com/google/go-dap v0.6.0 // indirect
 	github.com/google/go-querystring v1.0.0 // indirect
 	github.com/google/gopacket v1.1.19 // indirect
 	github.com/googleapis/gax-go/v2 v2.1.1 // indirect
@@ -240,11 +234,8 @@ require (
 	github.com/rjeczalik/notify v0.9.1 // indirect
 	github.com/rogpeppe/go-internal v1.8.0 // indirect
 	github.com/rs/cors v1.7.0 // indirect
-	github.com/russross/blackfriday/v2 v2.0.1 // indirect
 	github.com/sasha-s/go-deadlock v0.2.1-0.20190427202633-1595213edefa // indirect
 	github.com/shirou/gopsutil v3.21.4-0.20210419000835-c7a38de76ee5+incompatible // indirect
-	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
-	github.com/sirupsen/logrus v1.8.1 // indirect
 	github.com/spacemonkeygo/spacelog v0.0.0-20180420211403-2296661a0572 // indirect
 	github.com/spaolacci/murmur3 v1.1.0 // indirect
 	github.com/spf13/afero v1.6.0 // indirect
@@ -270,11 +261,9 @@ require (
 	github.com/zondax/hid v0.9.0 // indirect
 	go.etcd.io/bbolt v1.3.5 // indirect
 	go.opencensus.io v0.23.0 // indirect
-	go.starlark.net v0.0.0-20220816155156-cfacd8902214 // indirect
 	go.uber.org/atomic v1.10.0 // indirect
 	go.uber.org/multierr v1.8.0 // indirect
 	go.uber.org/ratelimit v0.2.0 // indirect
-	golang.org/x/arch v0.0.0-20190927153633-4e8777c89be4 // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
 	golang.org/x/net v0.0.0-20220812174116-3211cb980234 // indirect
 	golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect