feat(test-suite): introduce context-aware extraData changes

* feat(host-contracts): implement context-aware KMSVerifier (#2028)

* feat(kms-connector): context-aware extraData handling for decryption (#2032)

* chore(kms-connector): rename fhe module to handle

* chore(kms-connector): add and use helper function

* chore(kms-connector): add kms_context table

* chore(kms-connector): prepare ethereum listener

* feat(kms-connector): kms context validation

* chore(kms-connector): kms context tests

* chore(kms-connector): ethereum listener termination

* feat(gateway-contracts): implement context-aware KMS node configs and decryption

* feat: implement context-aware KMS node configs and decryption

* chore(gateway-contracts): apply a few arguments renaming

* fix(gateway-contracts): refresh rust bindings

* chore(gateway-contracts): reuse setter methods and adjust NatSpecs

* chore(gateway-contracts): refresh rust bindings

* refactor: apply suggested naming

* refactor(gateway-contracts): apply suggested renaming

* refactor: revert updateKmsContext naming

* refactor(gateway-contracts): enable decryption upgrade workflow

* chore(gateway-contracts): refresh bindings

* chore(test-suite): introduce getExtraData() method from SDK

* chore(test-suite): restore missed user decrypt ebool test case

* feat(kms-connector): propagate empty extra_data for 0x00

* feat(kms-connector): propagate empty extra_data for 0x00

* chore(kms-connector): add TODO comment for the workaround and upgrade quinn-proto

* chore(kms-connector): add TODO comment for the workaround and upgrade quinn-proto

* chore(kms-connector): use dedicated core config for tests

---------

Co-authored-by: Simon Eudeline <simon.eudeline@zama.ai>

* chore(test-suite): upgrade relayer-sdk version

* chore(test-suite): upgrade test-suite version in fhevm-cli

---------

Co-authored-by: Oba <obatirou@gmail.com>
Co-authored-by: Simon E. <simon.eudeline@zama.ai>

Author: 3 people

kms-connector/Cargo.lock

@@ -304,7 +304,19 @@ where
         let ciphertexts = self.prepare_ciphertexts(&key_id, sns_materials).await?;
 
         let request_id = Some(u256_to_request_id(decryption_id));
-        let extra_data = extra_data.to_vec();
+
+        // TODO(https://github.com/zama-ai/fhevm-internal/issues/1167):
+        // Workaround for backward compatibility with relayer-sdk <=0.4.2.
+        // The SDK sends extraData=0x00 in the user decryption request, but does not pass extraData
+        // to the TKMS library during response signature verification (reconstruction step),
+        // effectively verifying against empty bytes. We normalize 0x00 → vec![] here so the KMS
+        // signs over empty extraData, matching what the SDK expects during verification.
+        // This is fixed in relayer-sdk v0.5.0.
+        let extra_data = if extra_data.as_ref() == [0x00] {
+            vec![]
+        } else {
+            extra_data.to_vec()
+        };
 
         if let Some(user_decrypt_data) = user_decrypt_data {
             let client_address = user_decrypt_data.user_address.to_checksum(None);

kms-connector/crates/kms-worker/src/core/event_processor/decryption.rs

@@ -53,7 +53,7 @@ impl KmsInstance {
             .with_copy_to(
                 "/app/kms/core/service/config/config.toml".to_string(),
                 PathBuf::from_str(&format!(
-                    "{}/../../../test-suite/fhevm/config/kms-core/config.toml",
+                    "{}/tests/data/core-service-config.toml",
                     env!("CARGO_MANIFEST_DIR"),
                 ))
                 .unwrap(),

kms-connector/crates/utils/src/tests/setup/kms.rs

@@ -0,0 +1,43 @@
+# See default_1.toml for the documentation.
+
+[service]
+listen_address = "0.0.0.0"
+listen_port = 50051
+timeout_secs = 360
+grpc_max_message_size = 104857600 # 100 MiB
+
+[telemetry]
+tracing_service_name = "kms-centralized"
+tracing_otlp_timeout_ms = 10000
+metrics_bind_address = "0.0.0.0:9646"
+
+[telemetry.batch]
+max_queue_size = 8192
+max_export_batch_size = 2048
+max_concurrent_exports = 4
+scheduled_delay_ms = 500
+export_timeout_ms = 5000
+
+[aws]
+region = "eu-west-1"
+s3_endpoint = "http://minio:9000"
+
+[public_vault]
+storage_cache_size = 1000
+
+[public_vault.storage.s3]
+bucket = "kms-public"
+prefix = "PUB"
+
+[private_vault.storage.file]
+path = "./keys"
+
+[rate_limiter_conf]
+bucket_size = 50000
+pub_decrypt = 1
+user_decrypt = 1
+crsgen = 100
+preproc = 25000
+keygen = 1000
+reshare = 25
+

kms-connector/crates/utils/tests/data/core-service-config.toml

@@ -16,9 +16,9 @@
   "dependencies": {
     "@fhevm/solidity": "*",
     "@openzeppelin/contracts": "^5.3.0",
-    "@zama-fhe/relayer-sdk": "^0.4.2",
+    "@zama-fhe/relayer-sdk": "^0.5.0-alpha.1",
     "bigint-buffer": "^1.1.5",
     "dotenv": "^16.0.3",
     "encrypted-types": "^0.0.4"
   }
-}
+}

package-lock.json

@@ -167,7 +167,10 @@ describe('User decryption', function () {
         const durationDays = 10;
         const contractAddresses = [this.signers.alice.address];
 
-        const eip712 = this.instances.alice.createEIP712(publicKey, contractAddresses, startTimeStamp, durationDays);
+        // Build the extraData field
+        const extraData = await this.instances.alice.getExtraData();
+
+        const eip712 = this.instances.alice.createEIP712(publicKey, contractAddresses, startTimeStamp, durationDays, extraData);
 
         const signature = await this.signers.alice.signTypedData(
           eip712.domain,
@@ -186,6 +189,7 @@ describe('User decryption', function () {
           this.signers.alice.address,
           startTimeStamp,
           durationDays,
+          extraData,
         );
 
         expect.fail('Expected an error to be thrown - userAddress and contractAddress cannot be equal');
@@ -208,7 +212,11 @@ describe('User decryption', function () {
       const startTimeStamp = Math.floor(Date.now() / 1000);
       const durationDays = 10;
       const contractAddresses = [wrongContractAddress];
-      const eip712 = this.instances.alice.createEIP712(publicKey, contractAddresses, startTimeStamp, durationDays);
+
+      // Build the extraData field
+      const extraData = await this.instances.alice.getExtraData();
+
+      const eip712 = this.instances.alice.createEIP712(publicKey, contractAddresses, startTimeStamp, durationDays, extraData);
       const signature = await this.signers.alice.signTypedData(
         eip712.domain,
         { UserDecryptRequestVerification: eip712.types.UserDecryptRequestVerification },
@@ -225,6 +233,7 @@ describe('User decryption', function () {
           this.signers.alice.address,
           startTimeStamp,
           durationDays,
+          extraData,
         );
         expect.fail('Expected an error - contract should not be allowed');
       } catch (error) {
@@ -245,7 +254,10 @@ describe('User decryption', function () {
       const durationDays = 10;
       const contractAddresses = [this.contractAddress];
 
-      const eip712 = this.instances.alice.createEIP712(publicKey, contractAddresses, startTimeStamp, durationDays);
+      // Build the extraData field
+      const extraData = await this.instances.alice.getExtraData();
+
+      const eip712 = this.instances.alice.createEIP712(publicKey, contractAddresses, startTimeStamp, durationDays, extraData);
 
       const signature = await this.signers.alice.signTypedData(
         eip712.domain,
@@ -265,6 +277,7 @@ describe('User decryption', function () {
           this.signers.alice.address,
           startTimeStamp,
           durationDays,
+          extraData,
         );
         expect.fail('Expected an error to be thrown - request should have expired');
       } catch (error) {

test-suite/e2e/package.json

@@ -141,8 +141,11 @@ export const userDecryptSingleHandle = async (
   const durationDays = 10; // Relayer-sdk expects numbers from now on
   const contractAddresses = [contractAddress];
 
+  // Build the extraData field
+  const extraData = await instance.getExtraData();
+
   // Use the new createEIP712 function
-  const eip712 = instance.createEIP712(publicKey, contractAddresses, startTimeStamp, durationDays);
+  const eip712 = instance.createEIP712(publicKey, contractAddresses, startTimeStamp, durationDays, extraData);
 
   // Update the signing to match the new primaryType
   const signature = await signer.signTypedData(
@@ -163,6 +166,7 @@ export const userDecryptSingleHandle = async (
     signerAddress,
     startTimeStamp,
     durationDays,
+    extraData,
   );
 
   const decryptedValue = result[handle];
@@ -189,13 +193,17 @@ export const delegatedUserDecryptSingleHandle = async (
   const durationDays = 10;
   const contractAddresses = [contractAddress];
 
+  // Build the extraData field
+  const extraData = await instance.getExtraData();
+
   // The `delegate` creates a EIP712 with the `delegator` address
   const eip712 = instance.createDelegatedUserDecryptEIP712(
     delegatePublicKey,
     contractAddresses,
     delegatorAddress,
     startTimeStamp,
     durationDays,
+    extraData,
   );
 
   // Update the signing to match the new primaryType
@@ -217,6 +225,7 @@ export const delegatedUserDecryptSingleHandle = async (
     delegateAddress,
     startTimeStamp,
     durationDays,
+    extraData,
   );
 
   return result[handle];

test-suite/e2e/test/userDecryption/userDecryption.ts

@@ -39,4 +39,4 @@ user_decrypt = 1
 crsgen = 100
 preproc = 25000
 keygen = 1000
-reshare = 25
+new_epoch = 1

test-suite/e2e/test/utils.ts

@@ -52,7 +52,9 @@ gateway:
       - type: subscription
         url: "ws://gateway-node:8546"
   tx_engine:
-    private_key: 0xcb97ef45d352446a6adf810cf8f63c73ada027160c271da9bb8cfcb3d944d257
+    signer:
+      type: "private_key"
+      private_key: "0xcb97ef45d352446a6adf810cf8f63c73ada027160c271da9bb8cfcb3d944d257"
     max_concurrency: 100
     retry:
       max_attempts: 100