feat(tee-proof-verifier): add support for Solidity-compatible pubkey in report_data

pbeza · pbeza · commit 7615bf4fe4c4 · 2024-12-31T15:47:40.000+01:00
This PR is part of the effort to implement on-chain TEE proof verification. This PR goes hand in hand with: - matter-labs/zksync-era#3414 - #228
diff --git a/bin/verify-era-proof-attestation/src/verification.rs b/bin/verify-era-proof-attestation/src/verification.rs
@@ -27,22 +27,25 @@ pub async fn verify_batch_proof(
     }
 
     let batch_no = batch_number.0;
-
-    let public_key = PublicKey::from_slice(
-        &quote_verification_result.quote.get_report_data()[..PUBLIC_KEY_SIZE],
-    )?;
-    debug!(batch_no, "public key: {}", public_key);
-
     let root_hash = node_client.get_root_hash(batch_number).await?;
-    debug!(batch_no, "root hash: {}", root_hash);
+    let ethereum_address_from_quote =
+        PublicKey::from_slice(&quote_verification_result.quote.get_report_data()[..20])?;
+    let ethereum_address_from_signature = recover_signer(signature, root_hash);
+    let verification_successful = ethereum_address_from_signature == ethereum_address_from_quote;
+    debug!(
+        batch_no,
+        root_hash,
+        "Ethereum address from the attestation quote: {}. Ethereum address from the signature: {}.",
+        encode(ethereum_address_from_quote),
+        encode(ethereum_address_from_signature),
+    );
 
-    let is_verified = verify_signature(signature, public_key, root_hash)?;
-    if is_verified {
+    if verification_successful {
         info!(batch_no, signature = %encode(signature), "Signature verified successfully.");
     } else {
         warn!(batch_no, signature = %encode(signature), "Failed to verify signature!");
     }
-    Ok(is_verified)
+    Ok(verification_successful)
 }
 
 pub fn verify_attestation_quote(attestation_quote_bytes: &[u8]) -> Result<QuoteVerificationResult> {
@@ -85,12 +88,6 @@ pub fn log_quote_verification_summary(quote_verification_result: &QuoteVerificat
     );
 }
 
-fn verify_signature(signature: &[u8], public_key: PublicKey, root_hash: H256) -> Result<bool> {
-    let signature = Signature::from_compact(signature)?;
-    let root_hash_msg = Message::from_digest_slice(&root_hash.0)?;
-    Ok(signature.verify(&root_hash_msg, &public_key).is_ok())
-}
-
 fn is_quote_matching_policy(
     attestation_policy: &AttestationPolicyArgs,
     quote_verification_result: &QuoteVerificationResult,
@@ -136,3 +133,29 @@ fn check_policy(policy: Option<&str>, actual_value: &[u8], field_name: &str) ->
     }
     true
 }
+
+/// Equivalent to the ecrecover precompile, ensuring that the signatures we produce off-chain
+/// can be recovered on-chain.
+pub fn recover_signer(sig: &[u8; 65], root_hash: H256) -> Result<[u8; 20]> {
+    let root_hash_bytes = root_hash.as_bytes();
+    let msg = Message::from_slice(root_hash_bytes)?;
+    let sig = RecoverableSignature::from_compact(
+        &sig[0..64],
+        RecoveryId::from_i32(sig[64] as i32 - 27)?,
+    )?;
+    let public = SECP256K1.recover_ecdsa(msg, &sig)?;
+    Ok(public_key_to_ethereum_address(&public))
+}
+
+/// Converts a public key into an Ethereum address by hashing the encoded public key with Keccak256.
+fn public_key_to_ethereum_address(public: &PublicKey) -> [u8; 20] {
+    let public_key_bytes = public.serialize_uncompressed();
+
+    // Skip the first byte (0x04) which indicates uncompressed key
+    let hash: [u8; 32] = Keccak256::digest(&public_key_bytes[1..]).into();
+
+    // Take the last 20 bytes of the hash to get the Ethereum address
+    let mut address = [0u8; 20];
+    address.copy_from_slice(&hash[12..]);
+    address
+}
