Merge pull request #513 from EdwardJES/edwardjes/web3signer

feat(cli): Add `web3signer` KeySource

bolt-cli/Cargo.toml

@@ -38,7 +38,7 @@ thiserror = "1.0"
 hex = "0.4.3"
 tracing = "0.1.40"
 tracing-subscriber = "0.3.18"
-reqwest = "0.12.8"
+reqwest = { version = "0.12.9", features = ["rustls-tls"] }
 rand = "0.8.5"
 
 [dev-dependencies]

bolt-cli/README.md

@@ -42,11 +42,12 @@ Available commands:
 The `delegate` command generates signed delegation messages for the Constraints API.
 To learn more about the Constraints API, please refer to the [Bolt documentation][bolt-docs].
 
-The `delegate` command supports three key sources:
+The `delegate` command supports different key sources:
 
 - Local BLS secret keys (as hex-encoded strings) via `secret-keys`
 - Local EIP-2335 filesystem keystore directories via `local-keystore`
 - Remote Dirk keystore via `dirk` (requires TLS credentials)
+- Remote Web3Signer keystore via `web3signer`
 
 <details>
 <summary>Usage</summary>
@@ -62,6 +63,7 @@ Commands:
 secret-keys     Use local secret keys to generate the signed messages
 local-keystore  Use an EIP-2335 filesystem keystore directory to generate the signed messages
 dirk            Use a remote DIRK keystore to generate the signed messages
+web3signer      Use a remote web3signer keystore to generate the signed messages
 help            Print this message or the help of the given subcommand(s)
 
 Options:
@@ -133,6 +135,17 @@ bolt delegate \
   --wallet-path wallet1 --passphrases secret
 ```
 
+4. Generating a delegation using a remote Web3Signer keystore
+
+```text
+bolt delegate \
+  --delegatee-pubkey 0x83eeddfac5e60f8fe607ee8713efb8877c295ad9f8ca075f4d8f6f2ae241a30dd57f78f6f3863a9fe0d5b5db9d550b93 \
+  --chain holesky \
+  web3signer --url https://localhost:9000 \
+  --ca-cert-path ./test_data/web3signer/tls/web3signer.crt \
+  --combined_pem_path ./test_data/web3signer/tls/combined.pem
+```
+
 </details>
 
 ---
@@ -144,6 +157,7 @@ The `pubkeys` command lists available BLS public keys from different key sources
 - Local BLS secret keys (as hex-encoded strings) via `secret-keys`
 - Local EIP-2335 filesystem keystore directories via `local-keystore`
 - Remote Dirk keystore via `dirk` (requires TLS credentials)
+- Remote Web3Signer via `web3signer`
 
 <details>
 <summary>Usage</summary>
@@ -159,6 +173,7 @@ Commands:
   secret-keys     Use local secret keys to generate the signed messages
   local-keystore  Use an EIP-2335 filesystem keystore directory to generate the signed messages
   dirk            Use a remote DIRK keystore to generate the signed messages
+  web3signer      Use a remote web3signer keystore to generate the signed messages
   help            Print this message or the help of the given subcommand(s)
 
 Options:
@@ -195,6 +210,14 @@ bolt pubkeys dirk --url https://localhost:9091 \
   --wallet-path wallet1 --passphrases secret
 ```
 
+4. Listing BLS public keys from a remote Web3Signer keystore
+
+```text
+bolt pubkeys web3signer --url https://localhost:9000 \
+  --ca-cert-path ./test_data/web3signer/tls/web3signer.crt \
+  --combined_pem_path ./test_data/web3signer/tls/combined.pem
+```
+
 </details>
 
 ---

bolt-cli/src/cli.rs

@@ -354,6 +354,14 @@ pub enum KeysSource {
         #[clap(flatten)]
         opts: DirkOpts,
     },
+
+    /// Use a remote web3signer keystore as source for the public keys.
+    #[clap(name = "web3signer")]
+    Web3Signer {
+        /// The options for connecting to the web3signer keystore.
+        #[clap(flatten)]
+        opts: Web3SignerOpts,
+    },
 }
 
 #[derive(Debug, Clone, Parser)]
@@ -379,6 +387,13 @@ pub enum SecretsSource {
         #[clap(flatten)]
         opts: DirkOpts,
     },
+
+    /// Use a remote Web3Signer keystore to generate the signed messages.
+    #[clap(name = "web3signer")]
+    Web3Signer {
+        #[clap(flatten)]
+        opts: Web3SignerOpts,
+    },
 }
 
 /// Options for reading a keystore folder.
@@ -426,12 +441,35 @@ pub struct DirkOpts {
 
     /// The TLS credentials for connecting to the DIRK keystore.
     #[clap(flatten)]
-    pub tls_credentials: TlsCredentials,
+    pub tls_credentials: DirkTlsCredentials,
+}
+
+/// Options for connecting to a Web3Signer keystore.
+#[derive(Debug, Clone, Parser)]
+pub struct Web3SignerOpts {
+    /// The URL of the Web3Signer keystore.
+    #[clap(long, env = "WEB3SIGNER_URL")]
+    pub url: String,
+
+    /// The TLS credentials for connecting to the Web3Signer keystore.
+    #[clap(flatten)]
+    pub tls_credentials: Web3SignerTlsCredentials,
+}
+
+/// TLS credentials for connecting to a remote Web3Signer server.
+#[derive(Debug, Clone, PartialEq, Eq, Parser)]
+pub struct Web3SignerTlsCredentials {
+    /// Path to the CA certificate file. (.crt)
+    #[clap(long, env = "CA_CERT_PATH")]
+    pub ca_cert_path: String,
+    /// Path to the PEM encoded private key and certificate file. (.pem)
+    #[clap(long, env = "CLIENT_COMBINED_PEM_PATH")]
+    pub combined_pem_path: String,
 }
 
-/// TLS credentials for connecting to a remote server.
+/// TLS credentials for connecting to a remote Dirk server.
 #[derive(Debug, Clone, PartialEq, Eq, Parser)]
-pub struct TlsCredentials {
+pub struct DirkTlsCredentials {
     /// Path to the client certificate file. (.crt)
     #[clap(long, env = "CLIENT_CERT_PATH")]
     pub client_cert_path: String,

bolt-cli/src/commands/delegate/mod.rs

@@ -18,6 +18,9 @@ mod keystore;
 /// Create delegations from remote Dirk signers.
 mod dirk;
 
+/// Create delegations from remote Web3Signers.
+mod web3signer;
+
 impl DelegateCommand {
     /// Run the `delegate` command.
     pub async fn run(self) -> Result<()> {
@@ -46,6 +49,10 @@ impl DelegateCommand {
                 let delegatee_pubkey = parse_bls_public_key(&self.delegatee_pubkey)?;
                 dirk::generate_from_dirk(opts, delegatee_pubkey, self.chain, self.action).await?
             }
+            SecretsSource::Web3Signer { opts } => {
+                let delegatee_pubkey = parse_bls_public_key(&self.delegatee_pubkey)?;
+                web3signer::generate_from_web3signer(opts, delegatee_pubkey, self.action).await?
+            }
         };
 
         debug!("Generated {} signed messages", signed_messages.len());