chore(test-suite): introduce getExtraData() method from SDK

kms-connector/crates/kms-worker/src/core/event_processor/decryption.rs

@@ -304,7 +304,19 @@ where
         let ciphertexts = self.prepare_ciphertexts(&key_id, sns_materials).await?;
 
         let request_id = Some(u256_to_request_id(decryption_id));
-        let extra_data = extra_data.to_vec();
+
+        // TODO(https://github.com/zama-ai/fhevm-internal/issues/1167):
+        // Workaround for backward compatibility with relayer-sdk <=0.4.2.
+        // The SDK sends extraData=0x00 in the user decryption request, but does not pass extraData
+        // to the TKMS library during response signature verification (reconstruction step),
+        // effectively verifying against empty bytes. We normalize 0x00 → vec![] here so the KMS
+        // signs over empty extraData, matching what the SDK expects during verification.
+        // This is fixed in relayer-sdk v0.5.0.
+        let extra_data = if extra_data.as_ref() == [0x00] {
+            vec![]
+        } else {
+            extra_data.to_vec()
+        };
 
         if let Some(user_decrypt_data) = user_decrypt_data {
             let client_address = user_decrypt_data.user_address.to_checksum(None);

kms-connector/crates/utils/src/tests/setup/kms.rs

@@ -53,7 +53,7 @@ impl KmsInstance {
             .with_copy_to(
                 "/app/kms/core/service/config/config.toml".to_string(),
                 PathBuf::from_str(&format!(
-                    "{}/../../../test-suite/fhevm/config/kms-core/config.toml",
+                    "{}/tests/data/core-service-config.toml",
                     env!("CARGO_MANIFEST_DIR"),
                 ))
                 .unwrap(),

kms-connector/crates/utils/tests/data/core-service-config.toml

@@ -0,0 +1,43 @@
+# See default_1.toml for the documentation.
+
+[service]
+listen_address = "0.0.0.0"
+listen_port = 50051
+timeout_secs = 360
+grpc_max_message_size = 104857600 # 100 MiB
+
+[telemetry]
+tracing_service_name = "kms-centralized"
+tracing_otlp_timeout_ms = 10000
+metrics_bind_address = "0.0.0.0:9646"
+
+[telemetry.batch]
+max_queue_size = 8192
+max_export_batch_size = 2048
+max_concurrent_exports = 4
+scheduled_delay_ms = 500
+export_timeout_ms = 5000
+
+[aws]
+region = "eu-west-1"
+s3_endpoint = "http://minio:9000"
+
+[public_vault]
+storage_cache_size = 1000
+
+[public_vault.storage.s3]
+bucket = "kms-public"
+prefix = "PUB"
+
+[private_vault.storage.file]
+path = "./keys"
+
+[rate_limiter_conf]
+bucket_size = 50000
+pub_decrypt = 1
+user_decrypt = 1
+crsgen = 100
+preproc = 25000
+keygen = 1000
+reshare = 25
+

test-suite/e2e/test/userDecryption/userDecryption.ts

@@ -167,7 +167,10 @@ describe('User decryption', function () {
         const durationDays = 10;
         const contractAddresses = [this.signers.alice.address];
 
-        const eip712 = this.instances.alice.createEIP712(publicKey, contractAddresses, startTimeStamp, durationDays);
+        // Build the extraData field
+        const extraData = await this.instances.alice.getExtraData();
+
+        const eip712 = this.instances.alice.createEIP712(publicKey, contractAddresses, startTimeStamp, durationDays, extraData);
 
         const signature = await this.signers.alice.signTypedData(
           eip712.domain,
@@ -186,6 +189,7 @@ describe('User decryption', function () {
           this.signers.alice.address,
           startTimeStamp,
           durationDays,
+          extraData,
         );
 
         expect.fail('Expected an error to be thrown - userAddress and contractAddress cannot be equal');
@@ -208,7 +212,11 @@ describe('User decryption', function () {
       const startTimeStamp = Math.floor(Date.now() / 1000);
       const durationDays = 10;
       const contractAddresses = [wrongContractAddress];
-      const eip712 = this.instances.alice.createEIP712(publicKey, contractAddresses, startTimeStamp, durationDays);
+
+      // Build the extraData field
+      const extraData = await this.instances.alice.getExtraData();
+
+      const eip712 = this.instances.alice.createEIP712(publicKey, contractAddresses, startTimeStamp, durationDays, extraData);
       const signature = await this.signers.alice.signTypedData(
         eip712.domain,
         { UserDecryptRequestVerification: eip712.types.UserDecryptRequestVerification },
@@ -225,6 +233,7 @@ describe('User decryption', function () {
           this.signers.alice.address,
           startTimeStamp,
           durationDays,
+          extraData,
         );
         expect.fail('Expected an error - contract should not be allowed');
       } catch (error) {
@@ -245,7 +254,10 @@ describe('User decryption', function () {
       const durationDays = 10;
       const contractAddresses = [this.contractAddress];
 
-      const eip712 = this.instances.alice.createEIP712(publicKey, contractAddresses, startTimeStamp, durationDays);
+      // Build the extraData field
+      const extraData = await this.instances.alice.getExtraData();
+
+      const eip712 = this.instances.alice.createEIP712(publicKey, contractAddresses, startTimeStamp, durationDays, extraData);
 
       const signature = await this.signers.alice.signTypedData(
         eip712.domain,
@@ -265,6 +277,7 @@ describe('User decryption', function () {
           this.signers.alice.address,
           startTimeStamp,
           durationDays,
+          extraData,
         );
         expect.fail('Expected an error to be thrown - request should have expired');
       } catch (error) {

test-suite/e2e/test/utils.ts

@@ -141,8 +141,11 @@ export const userDecryptSingleHandle = async (
   const durationDays = 10; // Relayer-sdk expects numbers from now on
   const contractAddresses = [contractAddress];
 
+  // Build the extraData field
+  const extraData = await instance.getExtraData();
+
   // Use the new createEIP712 function
-  const eip712 = instance.createEIP712(publicKey, contractAddresses, startTimeStamp, durationDays);
+  const eip712 = instance.createEIP712(publicKey, contractAddresses, startTimeStamp, durationDays, extraData);
 
   // Update the signing to match the new primaryType
   const signature = await signer.signTypedData(
@@ -163,6 +166,7 @@ export const userDecryptSingleHandle = async (
     signerAddress,
     startTimeStamp,
     durationDays,
+    extraData,
   );
 
   const decryptedValue = result[handle];
@@ -189,13 +193,17 @@ export const delegatedUserDecryptSingleHandle = async (
   const durationDays = 10;
   const contractAddresses = [contractAddress];
 
+  // Build the extraData field
+  const extraData = await instance.getExtraData();
+
   // The `delegate` creates a EIP712 with the `delegator` address
   const eip712 = instance.createDelegatedUserDecryptEIP712(
     delegatePublicKey,
     contractAddresses,
     delegatorAddress,
     startTimeStamp,
     durationDays,
+    extraData,
   );
 
   // Update the signing to match the new primaryType
@@ -217,6 +225,7 @@ export const delegatedUserDecryptSingleHandle = async (
     delegateAddress,
     startTimeStamp,
     durationDays,
+    extraData,
   );
 
   return result[handle];

test-suite/fhevm/config/kms-core/config.toml

@@ -39,4 +39,4 @@ user_decrypt = 1
 crsgen = 100
 preproc = 25000
 keygen = 1000
-reshare = 25
+new_epoch = 1

test-suite/fhevm/env/staging/.env.gateway-sc

@@ -48,6 +48,7 @@ USER_DECRYPTION_THRESHOLD=1
 KMS_GENERATION_THRESHOLD=1
 MPC_THRESHOLD=0
 COPROCESSOR_THRESHOLD=1
+KMS_CONTEXT_ID="3166189940082864718613269121331309980362851143201109172953918312716374638593"
 
 NUM_KMS_NODES=1
 

test-suite/fhevm/env/staging/.env.kms-connector

@@ -16,6 +16,10 @@ KMS_CONNECTOR_KMS_CORE_ENDPOINTS=http://kms-core:50051
 KMS_CONNECTOR_GATEWAY_CHAIN_ID=54321
 OTEL_EXPORTER_OTLP_ENDPOINT=http://jaeger:4317
 
+KMS_CONNECTOR_ETHEREUM_URL=http://host-node:8545
+KMS_CONNECTOR_ETHEREUM_CHAIN_ID=12345
+KMS_CONNECTOR_KMS_VERIFIER_ADDRESS=0xa1880e99d86F081E8D3868A8C4732C8f65dfdB11
+
 # =============================================================================
 # SERVICE CONFIGURATION
 # =============================================================================

test-suite/fhevm/fhevm-cli

@@ -36,10 +36,10 @@ function filter_pattern() {
 # Default versions for the fhevm stack.
 
 # KMS connector services.
-export CONNECTOR_DB_MIGRATION_VERSION=${CONNECTOR_DB_MIGRATION_VERSION:-"v0.11.0-1"}
-export CONNECTOR_GW_LISTENER_VERSION=${CONNECTOR_GW_LISTENER_VERSION:-"v0.11.0-1"}
-export CONNECTOR_KMS_WORKER_VERSION=${CONNECTOR_KMS_WORKER_VERSION:-"v0.11.0-1"}
-export CONNECTOR_TX_SENDER_VERSION=${CONNECTOR_TX_SENDER_VERSION:-"v0.11.0-1"}
+export CONNECTOR_DB_MIGRATION_VERSION=${CONNECTOR_DB_MIGRATION_VERSION:-"e1c0fbd"}
+export CONNECTOR_GW_LISTENER_VERSION=${CONNECTOR_GW_LISTENER_VERSION:-"e1c0fbd"}
+export CONNECTOR_KMS_WORKER_VERSION=${CONNECTOR_KMS_WORKER_VERSION:-"e1c0fbd"}
+export CONNECTOR_TX_SENDER_VERSION=${CONNECTOR_TX_SENDER_VERSION:-"e1c0fbd"}
 
 # Coprocessor services.
 export COPROCESSOR_DB_MIGRATION_VERSION=${COPROCESSOR_DB_MIGRATION_VERSION:-"2f97d13"}
@@ -51,12 +51,12 @@ export COPROCESSOR_SNS_WORKER_VERSION=${COPROCESSOR_SNS_WORKER_VERSION:-"2f97d13
 export COPROCESSOR_ZKPROOF_WORKER_VERSION=${COPROCESSOR_ZKPROOF_WORKER_VERSION:-"2f97d13"}
 
 # Gateway and Host contracts.
-export GATEWAY_VERSION=${GATEWAY_VERSION:-"2f97d13"}
-export HOST_VERSION=${HOST_VERSION:-"2f97d13"}
+export GATEWAY_VERSION=${GATEWAY_VERSION:-"e1c0fbd"}
+export HOST_VERSION=${HOST_VERSION:-"e1c0fbd"}
 
 # Other services.
-export CORE_VERSION=${CORE_VERSION:-"v0.13.0-rc.2"}
-export RELAYER_VERSION=${RELAYER_VERSION:-"v0.10.0-rc.1"}
+export CORE_VERSION=${CORE_VERSION:-"3e7fd4b"}
+export RELAYER_VERSION=${RELAYER_VERSION:-"sha-d93ae85"}
 export RELAYER_MIGRATE_VERSION=${RELAYER_MIGRATE_VERSION:-"v0.10.0-rc.1"}
 export TEST_SUITE_VERSION=${TEST_SUITE_VERSION:-"2f97d13"}
 

test-suite/fhevm/scripts/deploy-fhevm-stack.sh

@@ -33,10 +33,10 @@ DEPLOYMENT_STEPS=(
     "host-node"
     "gateway-node"
     "coprocessor"
-    "kms-connector"
     "gateway-mocked-payment"
-    "gateway-sc"
     "host-sc"
+    "kms-connector"
+    "gateway-sc"
     "relayer"
     "test-suite"
 )
@@ -863,7 +863,23 @@ else
     log_info "Skipping step: coprocessor (resuming from $RESUME_STEP)"
 fi
 
-# Step 8: kms-connector
+# Step 8: gateway-mocked-payment
+if ! should_skip_step "gateway-mocked-payment"; then
+    ${RUN_COMPOSE} "gateway-mocked-payment" "Gateway mocked payment" \
+        "gateway-deploy-mocked-zama-oft:complete" \
+        "gateway-set-relayer-mocked-payment:complete"
+else
+    log_info "Skipping step: gateway-mocked-payment (resuming from $RESUME_STEP)"
+fi
+
+# Step 9: host-sc
+if ! should_skip_step "host-sc"; then
+    ${RUN_COMPOSE} "host-sc" "Host contracts" "host-sc-deploy:complete" "host-sc-add-pausers:complete"
+else
+    log_info "Skipping step: host-sc (resuming from $RESUME_STEP)"
+fi
+
+# Step 10: kms-connector
 if ! should_skip_step "kms-connector"; then
     ${RUN_COMPOSE} "kms-connector" "KMS Connector Services" \
         "coprocessor-and-kms-db:running" \
@@ -875,16 +891,7 @@ else
     log_info "Skipping step: kms-connector (resuming from $RESUME_STEP)"
 fi
 
-# Step 9: gateway-mocked-payment
-if ! should_skip_step "gateway-mocked-payment"; then
-    ${RUN_COMPOSE} "gateway-mocked-payment" "Gateway mocked payment" \
-        "gateway-deploy-mocked-zama-oft:complete" \
-        "gateway-set-relayer-mocked-payment:complete"
-else
-    log_info "Skipping step: gateway-mocked-payment (resuming from $RESUME_STEP)"
-fi
-
-# Step 10: gateway-sc
+# Step 11: gateway-sc
 # Setup Gateway contracts, which will trigger the KMS materials generation. Note
 # that the key generation may take a few seconds to complete, meaning that executing
 # the e2e tests too soon may fail if the materials are not ready. Hence, the following
@@ -900,13 +907,6 @@ else
     log_info "Skipping step: gateway-sc (resuming from $RESUME_STEP)"
 fi
 
-# Step 11: host-sc
-if ! should_skip_step "host-sc"; then
-    ${RUN_COMPOSE} "host-sc" "Host contracts" "host-sc-deploy:complete" "host-sc-add-pausers:complete"
-else
-    log_info "Skipping step: host-sc (resuming from $RESUME_STEP)"
-fi
-
 # Step 12: relayer
 if ! should_skip_step "relayer"; then
     ${RUN_COMPOSE} "relayer" "Relayer Services" \