diff --git a/modules/passkey/contracts/SafeWebAuthnSigner.sol b/modules/passkey/contracts/SafeWebAuthnSigner.sol deleted file mode 100644 index f6aca350..00000000 --- a/modules/passkey/contracts/SafeWebAuthnSigner.sol +++ /dev/null @@ -1,37 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -pragma solidity >=0.8.0; - -import {SignatureValidator} from "./base/SignatureValidator.sol"; -import {IP256Verifier} from "./interfaces/IP256Verifier.sol"; -import {WebAuthn} from "./libraries/WebAuthn.sol"; - -/** - * @title WebAuthn Safe Signature Validator - * @dev A contract that represents a WebAuthn signer. - * @custom:security-contact bounty@safe.global - */ -contract SafeWebAuthnSigner is SignatureValidator { - uint256 public immutable X; - uint256 public immutable Y; - IP256Verifier public immutable VERIFIER; - - /** - * @dev Constructor function. - * @param x The X coordinate of the signer's public key. - * @param y The Y coordinate of the signer's public key. - * @param verifier The P-256 verifier to use for signature validation. It MUST implement the - * same interface as the EIP-7212 precompile. - */ - constructor(uint256 x, uint256 y, address verifier) { - X = x; - Y = y; - VERIFIER = IP256Verifier(verifier); - } - - /** - * @inheritdoc SignatureValidator - */ - function _verifySignature(bytes32 message, bytes calldata signature) internal view virtual override returns (bool success) { - success = WebAuthn.verifySignature(message, signature, WebAuthn.USER_VERIFICATION, X, Y, VERIFIER); - } -} diff --git a/modules/passkey/contracts/SafeWebAuthnSignerFactory.sol b/modules/passkey/contracts/SafeWebAuthnSignerFactory.sol deleted file mode 100644 index 59df815c..00000000 --- a/modules/passkey/contracts/SafeWebAuthnSignerFactory.sol +++ /dev/null @@ -1,63 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -pragma solidity >=0.8.0; - -import {ICustomECDSASignerFactory} from "./interfaces/ICustomECDSASignerFactory.sol"; -import {IP256Verifier} from "./interfaces/IP256Verifier.sol"; -import {ERC1271} from "./libraries/ERC1271.sol"; -import {WebAuthn} from "./libraries/WebAuthn.sol"; -import {SafeWebAuthnSigner} from "./SafeWebAuthnSigner.sol"; - -/** - * @title WebAuthnSignerFactory - * @dev A factory contract for creating and managing WebAuthn signers. - */ -contract SafeWebAuthnSignerFactory is ICustomECDSASignerFactory { - /** - * @inheritdoc ICustomECDSASignerFactory - */ - function getSigner(uint256 x, uint256 y, address verifier) public view override returns (address signer) { - bytes32 codeHash = keccak256(abi.encodePacked(type(SafeWebAuthnSigner).creationCode, x, y, uint256(uint160(verifier)))); - signer = address(uint160(uint256(keccak256(abi.encodePacked(hex"ff", address(this), bytes32(0), codeHash))))); - } - - /** - * @inheritdoc ICustomECDSASignerFactory - */ - function createSigner(uint256 x, uint256 y, address verifier) external returns (address signer) { - signer = getSigner(x, y, verifier); - - if (_hasNoCode(signer)) { - SafeWebAuthnSigner created = new SafeWebAuthnSigner{salt: bytes32(0)}(x, y, verifier); - require(address(created) == signer); - } - } - - /** - * @inheritdoc ICustomECDSASignerFactory - */ - function isValidSignatureForSigner( - bytes32 message, - bytes calldata signature, - uint256 x, - uint256 y, - address verifier - ) external view override returns (bytes4 magicValue) { - if (WebAuthn.verifySignature(message, signature, WebAuthn.USER_VERIFICATION, x, y, IP256Verifier(verifier))) { - magicValue = ERC1271.MAGIC_VALUE; - } - } - - /** - * @dev Checks if the provided account has no code. - * @param account The address of the account to check. - * @return True if the account has no code, false otherwise. - */ - function _hasNoCode(address account) internal view returns (bool) { - uint256 size; - // solhint-disable-next-line no-inline-assembly - assembly ("memory-safe") { - size := extcodesize(account) - } - return size == 0; - } -} diff --git a/modules/passkey/contracts/SafeWebAuthnSignerProxy.sol b/modules/passkey/contracts/SafeWebAuthnSignerProxy.sol index 5a6b9fd2..df3486aa 100644 --- a/modules/passkey/contracts/SafeWebAuthnSignerProxy.sol +++ b/modules/passkey/contracts/SafeWebAuthnSignerProxy.sol @@ -4,7 +4,7 @@ import {IP256Verifier} from "./interfaces/IP256Verifier.sol"; /** * @title SafeWebAuthnSignerProxy - * @dev A proxy contract that points to SafeWebAuthnSigner. + * @dev A proxy contract that points to SafeWebAuthnSigner singleton. */ contract SafeWebAuthnSignerProxy { uint256 internal immutable X; diff --git a/modules/passkey/contracts/SafeWebAuthnSignerProxyFactory.sol b/modules/passkey/contracts/SafeWebAuthnSignerProxyFactory.sol index 48ef10fa..17435d8c 100644 --- a/modules/passkey/contracts/SafeWebAuthnSignerProxyFactory.sol +++ b/modules/passkey/contracts/SafeWebAuthnSignerProxyFactory.sol @@ -2,10 +2,8 @@ pragma solidity >=0.8.0; import {ICustomECDSASignerFactory} from "./interfaces/ICustomECDSASignerFactory.sol"; -import {IP256Verifier} from "./interfaces/IP256Verifier.sol"; -import {ERC1271} from "./libraries/ERC1271.sol"; -import {WebAuthn} from "./libraries/WebAuthn.sol"; import {SafeWebAuthnSignerProxy} from "./SafeWebAuthnSignerProxy.sol"; +import {SafeWebAuthnSignerSingleton} from "./SafeWebAuthnSignerSingleton.sol"; /** * @title SafeWebAuthnSignerProxyFactory * @dev A factory contract for creating and managing WebAuthn proxy signers. @@ -49,8 +47,25 @@ contract SafeWebAuthnSignerProxyFactory is ICustomECDSASignerFactory { uint256 y, address verifier ) external view override returns (bytes4 magicValue) { - if (WebAuthn.verifySignature(message, signature, WebAuthn.USER_VERIFICATION, x, y, IP256Verifier(verifier))) { - magicValue = ERC1271.MAGIC_VALUE; + address _singleton = SINGLETON; + bytes memory data = abi.encodePacked( + abi.encodeWithSignature("isValidSignature(bytes32,bytes)", message, signature), + x, + y, + verifier + ); + + // solhint-disable-next-line no-inline-assembly + assembly { + let dataSize := mload(data) + let dataLocation := add(data, 0x20) + + let success := staticcall(gas(), _singleton, dataLocation, dataSize, 0, 0) + returndatacopy(magicValue, 0, returndatasize()) + if iszero(success) { + // TODO + } + return(0, returndatasize()) } } diff --git a/modules/passkey/contracts/SafeWebAuthnSignerSingleton.sol b/modules/passkey/contracts/SafeWebAuthnSignerSingleton.sol index 4b08e039..32cbae21 100644 --- a/modules/passkey/contracts/SafeWebAuthnSignerSingleton.sol +++ b/modules/passkey/contracts/SafeWebAuthnSignerSingleton.sol @@ -19,7 +19,7 @@ contract SafeWebAuthnSignerSingleton is SignatureValidatorProxy { uint256 x, uint256 y, address verifier - ) public view virtual override returns (bool success) { + ) internal view virtual override returns (bool success) { success = WebAuthn.verifySignature(message, signature, WebAuthn.USER_VERIFICATION, x, y, IP256Verifier(verifier)); } } diff --git a/modules/passkey/contracts/base/SignatureValidatorProxy.sol b/modules/passkey/contracts/base/SignatureValidatorProxy.sol index f1eae9d0..7c9dc89c 100644 --- a/modules/passkey/contracts/base/SignatureValidatorProxy.sol +++ b/modules/passkey/contracts/base/SignatureValidatorProxy.sol @@ -66,5 +66,5 @@ abstract contract SignatureValidatorProxy { uint256 x, uint256 y, address verifier - ) public view virtual returns (bool success); + ) internal view virtual returns (bool success); } diff --git a/modules/passkey/src/deploy/webauthn.ts b/modules/passkey/src/deploy/webauthn.ts index dd9f8e81..148ed99b 100644 --- a/modules/passkey/src/deploy/webauthn.ts +++ b/modules/passkey/src/deploy/webauthn.ts @@ -4,23 +4,9 @@ const deploy: DeployFunction = async ({ deployments, getNamedAccounts }) => { const { deployer } = await getNamedAccounts() const { deploy } = deployments - await deploy('SafeWebAuthnSignerFactory', { - from: deployer, - args: [], - log: true, - deterministicDeployment: true, - }) - - const singletonDeployment = await deploy('SafeWebAuthnSignerSingleton', { - from: deployer, - args: [], - log: true, - deterministicDeployment: true, - }) - await deploy('SafeWebAuthnSignerProxyFactory', { from: deployer, - args: [singletonDeployment.address], + args: [], log: true, deterministicDeployment: true, }) diff --git a/modules/passkey/test/4337/WebAuthn.spec.ts b/modules/passkey/test/4337/WebAuthn.spec.ts index 87c23035..f1cca98c 100644 --- a/modules/passkey/test/4337/WebAuthn.spec.ts +++ b/modules/passkey/test/4337/WebAuthn.spec.ts @@ -21,7 +21,7 @@ describe('Safe4337Module - WebAuthn Owner', () => { Safe4337Module, SafeECDSASignerLaunchpad, EntryPoint, - SafeWebAuthnSignerFactory, + SafeWebAuthnSignerProxyFactory, } = await deployments.fixture() const [user] = await ethers.getSigners() @@ -32,7 +32,7 @@ describe('Safe4337Module - WebAuthn Owner', () => { const signerLaunchpad = await ethers.getContractAt('SafeECDSASignerLaunchpad', SafeECDSASignerLaunchpad.address) const singleton = await ethers.getContractAt(SafeL2.abi, SafeL2.address) const verifier = await ethers.getContractAt('IP256Verifier', FCLP256Verifier.address) - const signerFactory = await ethers.getContractAt('SafeWebAuthnSignerFactory', SafeWebAuthnSignerFactory.address) + const signerFactory = await ethers.getContractAt('SafeWebAuthnSignerProxyFactory', SafeWebAuthnSignerProxyFactory.address) const navigator = { credentials: new WebAuthnCredentials(), @@ -228,7 +228,7 @@ describe('Safe4337Module - WebAuthn Owner', () => { const publicKey = decodePublicKey(credential.response) await signerFactory.createSigner(publicKey.x, publicKey.y, verifierAddress) const signer = await ethers.getContractAt( - 'SafeWebAuthnSigner', + 'SafeWebAuthnSignerProxy', await signerFactory.getSigner(publicKey.x, publicKey.y, verifierAddress), ) diff --git a/modules/passkey/test/4337/WebAuthnSigner.spec.ts b/modules/passkey/test/4337/WebAuthnSigner.spec.ts index 4d227f6e..fcc09bba 100644 --- a/modules/passkey/test/4337/WebAuthnSigner.spec.ts +++ b/modules/passkey/test/4337/WebAuthnSigner.spec.ts @@ -20,7 +20,7 @@ describe('WebAuthn Signers [@4337]', () => { SafeModuleSetup, SafeL2, FCLP256Verifier, - SafeWebAuthnSignerFactory, + SafeWebAuthnSignerProxyFactory, } = await deployments.run() const [user] = await prepareAccounts() const bundler = bundlerRpc() @@ -32,7 +32,7 @@ describe('WebAuthn Signers [@4337]', () => { const signerLaunchpad = await ethers.getContractAt('SafeECDSASignerLaunchpad', SafeECDSASignerLaunchpad.address) const singleton = await ethers.getContractAt(SafeL2.abi, SafeL2.address) const verifier = await ethers.getContractAt('IP256Verifier', FCLP256Verifier.address) - const signerFactory = await ethers.getContractAt('SafeWebAuthnSignerFactory', SafeWebAuthnSignerFactory.address) + const signerFactory = await ethers.getContractAt('SafeWebAuthnSignerProxyFactory', SafeWebAuthnSignerProxyFactory.address) const navigator = { credentials: new WebAuthnCredentials(), diff --git a/modules/passkey/test/GasBenchmarking.spec.ts b/modules/passkey/test/GasBenchmarking.spec.ts deleted file mode 100644 index fc0078ac..00000000 --- a/modules/passkey/test/GasBenchmarking.spec.ts +++ /dev/null @@ -1,94 +0,0 @@ -import { expect } from 'chai' -import { deployments, ethers } from 'hardhat' - -import { WebAuthnCredentials, decodePublicKey, encodeWebAuthnSignature } from './utils/webauthn' -import { IP256Verifier } from '../typechain-types' - -describe('Gas Benchmarking [@bench]', function () { - const navigator = { - credentials: new WebAuthnCredentials(), - } - const credential = navigator.credentials.create({ - publicKey: { - rp: { - name: 'Safe', - id: 'safe.global', - }, - user: { - id: ethers.getBytes(ethers.id('chucknorris')), - name: 'chucknorris', - displayName: 'Chuck Norris', - }, - challenge: ethers.toBeArray(Date.now()), - pubKeyCredParams: [{ type: 'public-key', alg: -7 }], - }, - }) - - const setupTests = deployments.createFixture(async ({ deployments }) => { - const { DaimoP256Verifier, FCLP256Verifier, SafeWebAuthnSignerFactory } = await deployments.fixture() - - const Benchmarker = await ethers.getContractFactory('Benchmarker') - const benchmarker = await Benchmarker.deploy() - - const factory = await ethers.getContractAt('SafeWebAuthnSignerFactory', SafeWebAuthnSignerFactory.address) - - const DummyP256Verifier = await ethers.getContractFactory('DummyP256Verifier') - const verifiers = { - fcl: await ethers.getContractAt('IP256Verifier', FCLP256Verifier.address), - daimo: await ethers.getContractAt('IP256Verifier', DaimoP256Verifier.address), - dummy: await DummyP256Verifier.deploy(), - } as Record - - return { benchmarker, factory, verifiers } - }) - - describe('SafeWebAuthnSigner', () => { - it(`Benchmark signer deployment cost`, async function () { - const { benchmarker, factory } = await setupTests() - - const { x, y } = decodePublicKey(credential.response) - const verifier = `0x${'ee'.repeat(20)}` - - const [gas] = await benchmarker.call.staticCall(factory, factory.interface.encodeFunctionData('createSigner', [x, y, verifier])) - - console.log(` ⛽ deployment: ${gas}`) - }) - - for (const [name, key] of [ - ['FreshCryptoLib', 'fcl'], - ['daimo-eth', 'daimo'], - ['Dummy', 'dummy'], - ]) { - it(`Benchmark signer verification cost with ${name} verifier`, async function () { - const { benchmarker, verifiers, factory } = await setupTests() - - const challenge = ethers.id('hello world') - const assertion = navigator.credentials.get({ - publicKey: { - challenge: ethers.getBytes(challenge), - rpId: 'safe.global', - allowCredentials: [{ type: 'public-key', id: new Uint8Array(credential.rawId) }], - userVerification: 'required', - }, - }) - - const { x, y } = decodePublicKey(credential.response) - const verifier = verifiers[key] - - await factory.createSigner(x, y, verifier) - const signer = await ethers.getContractAt('SafeWebAuthnSigner', await factory.getSigner(x, y, verifier)) - const signature = encodeWebAuthnSignature(assertion.response) - - const [gas, returnData] = await benchmarker.call.staticCall( - signer, - signer.interface.encodeFunctionData('isValidSignature(bytes32,bytes)', [challenge, signature]), - ) - - const [magicValue] = ethers.AbiCoder.defaultAbiCoder().decode(['bytes4'], returnData) - expect(magicValue).to.equal('0x1626ba7e') - - console.log(` ⛽ verification (${name}): ${gas}`) - }) - } - }) -}) diff --git a/modules/passkey/test/userstories/CreateSafeWithPasskeySignerAsOwner.spec.ts b/modules/passkey/test/userstories/CreateSafeWithPasskeySignerAsOwner.spec.ts index 68bb777d..1b7e4be4 100644 --- a/modules/passkey/test/userstories/CreateSafeWithPasskeySignerAsOwner.spec.ts +++ b/modules/passkey/test/userstories/CreateSafeWithPasskeySignerAsOwner.spec.ts @@ -17,7 +17,7 @@ import { buildSignatureBytes } from '@safe-global/safe-4337/src/utils/execution' describe('Create a Safe with Passkey signer as owner: [@userstory]', () => { // Create a fixture to setup the contracts and signer(s) const setupTests = deployments.createFixture(async ({ deployments }) => { - const { EntryPoint, Safe4337Module, SafeProxyFactory, SafeModuleSetup, SafeL2, FCLP256Verifier, SafeWebAuthnSignerFactory } = + const { EntryPoint, Safe4337Module, SafeProxyFactory, SafeModuleSetup, SafeL2, FCLP256Verifier, SafeWebAuthnSignerProxyFactory } = await deployments.run() const [user] = await ethers.getSigners() @@ -28,7 +28,7 @@ describe('Create a Safe with Passkey signer as owner: [@userstory]', () => { const safeModuleSetup = await ethers.getContractAt(SafeModuleSetup.abi, SafeModuleSetup.address) const singleton = await ethers.getContractAt(SafeL2.abi, SafeL2.address) const verifier = await ethers.getContractAt('IP256Verifier', FCLP256Verifier.address) - const signerFactory = await ethers.getContractAt('SafeWebAuthnSignerFactory', SafeWebAuthnSignerFactory.address) + const signerFactory = await ethers.getContractAt('SafeWebAuthnSignerProxyFactory', SafeWebAuthnSignerProxyFactory.address) const navigator = { credentials: new WebAuthnCredentials(), diff --git a/modules/passkey/test/userstories/ExecuteUserOpFromPasskeySigner.spec.ts b/modules/passkey/test/userstories/ExecuteUserOpFromPasskeySigner.spec.ts index 7d8b6baf..b1b62cda 100644 --- a/modules/passkey/test/userstories/ExecuteUserOpFromPasskeySigner.spec.ts +++ b/modules/passkey/test/userstories/ExecuteUserOpFromPasskeySigner.spec.ts @@ -16,7 +16,7 @@ import { buildSignatureBytes } from '@safe-global/safe-4337/src/utils/execution' */ describe('Execute userOp from Passkey signer [@userstory]', () => { const setupTests = deployments.createFixture(async ({ deployments }) => { - const { EntryPoint, Safe4337Module, SafeProxyFactory, SafeModuleSetup, SafeL2, FCLP256Verifier, SafeWebAuthnSignerFactory } = + const { EntryPoint, Safe4337Module, SafeProxyFactory, SafeModuleSetup, SafeL2, FCLP256Verifier, SafeWebAuthnSignerProxyFactory } = await deployments.run() const [relayer] = await ethers.getSigners() @@ -27,7 +27,7 @@ describe('Execute userOp from Passkey signer [@userstory]', () => { const safeModuleSetup = await ethers.getContractAt(SafeModuleSetup.abi, SafeModuleSetup.address) const singleton = await ethers.getContractAt(SafeL2.abi, SafeL2.address) const verifier = await ethers.getContractAt('IP256Verifier', FCLP256Verifier.address) - const signerFactory = await ethers.getContractAt('SafeWebAuthnSignerFactory', SafeWebAuthnSignerFactory.address) + const signerFactory = await ethers.getContractAt('SafeWebAuthnSignerProxyFactory', SafeWebAuthnSignerProxyFactory.address) const navigator = { credentials: new WebAuthnCredentials(), diff --git a/modules/passkey/test/userstories/OffchainPasskeyVerification.spec.ts b/modules/passkey/test/userstories/OffchainPasskeyVerification.spec.ts index d2fdf670..06478474 100644 --- a/modules/passkey/test/userstories/OffchainPasskeyVerification.spec.ts +++ b/modules/passkey/test/userstories/OffchainPasskeyVerification.spec.ts @@ -14,13 +14,14 @@ import { buildSignatureBytes } from '@safe-global/safe-4337/src/utils/execution' */ describe('Offchain Passkey Signature Verification [@userstory]', () => { const setupTests = deployments.createFixture(async ({ deployments }) => { - const { SafeProxyFactory, SafeL2, FCLP256Verifier, SafeWebAuthnSignerFactory, CompatibilityFallbackHandler } = await deployments.run() + const { SafeProxyFactory, SafeL2, FCLP256Verifier, SafeWebAuthnSignerProxyFactory, CompatibilityFallbackHandler } = + await deployments.run() const proxyFactory = await ethers.getContractAt(SafeProxyFactory.abi, SafeProxyFactory.address) const singleton = await ethers.getContractAt(SafeL2.abi, SafeL2.address) const fallbackHandler = await ethers.getContractAt(CompatibilityFallbackHandler.abi, CompatibilityFallbackHandler.address) const verifier = await ethers.getContractAt('IP256Verifier', FCLP256Verifier.address) - const signerFactory = await ethers.getContractAt('SafeWebAuthnSignerFactory', SafeWebAuthnSignerFactory.address) + const signerFactory = await ethers.getContractAt('SafeWebAuthnSignerProxyFactory', SafeWebAuthnSignerProxyFactory.address) const navigator = { credentials: new WebAuthnCredentials(), @@ -49,7 +50,7 @@ describe('Offchain Passkey Signature Verification [@userstory]', () => { const publicKey = decodePublicKey(credential.response) await signerFactory.createSigner(publicKey.x, publicKey.y, verifierAddress) const signerAddress = await signerFactory.getSigner(publicKey.x, publicKey.y, verifierAddress) - const signer = await ethers.getContractAt('SafeWebAuthnSigner', signerAddress) + const signer = await ethers.getContractAt('SafeWebAuthnSignerProxy', signerAddress) // Deploy Safe with the WebAuthn signer as a single owner. const singletonAddress = await singleton.getAddress() diff --git a/modules/passkey/test/userstories/RotatePasskeyOwner.spec.ts b/modules/passkey/test/userstories/RotatePasskeyOwner.spec.ts index 1186534f..2f6e43e0 100644 --- a/modules/passkey/test/userstories/RotatePasskeyOwner.spec.ts +++ b/modules/passkey/test/userstories/RotatePasskeyOwner.spec.ts @@ -23,7 +23,7 @@ import { chainId } from '@safe-global/safe-4337/test/utils/encoding' describe('Rotate passkey owner [@userstory]', () => { // Create a fixture to setup the contracts and signer(s) const setupTests = deployments.createFixture(async ({ deployments }) => { - const { EntryPoint, Safe4337Module, SafeProxyFactory, SafeModuleSetup, SafeL2, FCLP256Verifier, SafeWebAuthnSignerFactory } = + const { EntryPoint, Safe4337Module, SafeProxyFactory, SafeModuleSetup, SafeL2, FCLP256Verifier, SafeWebAuthnSignerProxyFactory } = await deployments.run() // EOA which will be the owner of the Safe @@ -35,7 +35,7 @@ describe('Rotate passkey owner [@userstory]', () => { const safeModuleSetup = await ethers.getContractAt(SafeModuleSetup.abi, SafeModuleSetup.address) const singleton = await ethers.getContractAt(SafeL2.abi, SafeL2.address) const verifier = await ethers.getContractAt('IP256Verifier', FCLP256Verifier.address) - const signerFactory = await ethers.getContractAt('SafeWebAuthnSignerFactory', SafeWebAuthnSignerFactory.address) + const signerFactory = await ethers.getContractAt('SafeWebAuthnSignerProxyFactory', SafeWebAuthnSignerProxyFactory.address) const navigator = { credentials: new WebAuthnCredentials(),