Proposal: Cosmos transaction signing support

[tarcieri]

NOTE: this issue was originally opened as tendermint/tmkms#386

Presently Tendermint KMS only supports signing consensus proposals/votes. That said, the prerequisites are all in place, both in the tendermint crate and the yubihsm crate, to sign data using account keys as well.

This proposal is to add first class support to sign transactions in the format used by the Cosmos SDK. Though this project is "Tendermint KMS" and intended to be agnostic to specific Tendermint applications, the Cosmos SDK's transaction format seems widely adopted among Tendermint applications, enough to warrant this support. (In the future there are various ways this support could be generalized to signing other transaction/object types, using e.g. WASM, but that sort of approach is considered out-of-scope for this particular proposal)

Motivation

Our initial use case at iqlusion is signing transactions for a Terra exchange rate oracle. The KMS-side goal of this proposal is to avoid making the KMS-side functionality hardcoded to this particular application, but rather to place a set of constraints (provided via tmkms.toml) on the transactions to be signed, and having the KMS assert those constraints are being met. Ideally this will allow the KMS to provide hardware-backed signing functionality for any type of Cosmos transaction, outsourcing the transaction composition to a separate service, but still allowing the KMS to constrain aspects of the signed transaction.

High-level Design

There are several ways such a feature could be implemented. The proposal below is one, with debatable details, which presently targets doing things as similarly to the existing Tendermint consensus signing as possible:

• KMS is configured with a key usage policy and the address of a transaction-building service to connect to. Connection is encrypted using Secret Connection.
• Transaction-building service sends a newly defined Amino-encoded request (e.g. SignTxRequest) to the KMS containing a transaction (or declaration of the desired transaction, with actual serialization handled by the KMS itself)
• KMS validates the requested transaction according to a configured policy, and if the transaction is authorized according to that policy, signs the transaction (using either a software-backed or YubiHSM2-backed key. It may be possible to also support Ledger, but that might involved changes to the Ledger validator application)

Design Rationale

Here's a brief rationale and some alternatives to consider for each of these options:

• Outbound Secret Connection: this follows the current approach used for connecting to validators. I still think it would be interesting for the KMS to support both inbound and outbound connections (as is otherwise presently possible with P2P traffic) which users can configure to their liking. Additionally there are many other options for transport encryption to consider (TLS, Noise, libp2p+Noise). However, using an outbound Secret Connection allows reuse of all of the existing networking code, and in doing so, means that we can also separately tackle the issues of different connection models or different transport encryption in a single place (in addition to moving to e.g. Tokio), rather than trying to shoehorn that work onto this proposal.
• Amino: ...is not long for this world. Protobufs are probably the main alternative to consider. However, right now both tendermint-rs as well as tmkms itself import the main Protobuf library we'd like to use, Prost, in a way which precludes using it for proper Protobufs. We could pull in an additional Protobuf library now, but the other alternative there is to just use Amino for now and switch things over to Protobufs when Tendermint itself makes that transition. Once this has been addressed it would also be possible to consider e.g. gRPC libraries based on Prost, like Tonic.

Open Questions

1. What restrictions should the KMS support on transaction signing?
2. Could Ledgers be supported in addition to YubiHSM and soft sign backends?
3. Is there a way to support generic signing with restrictions (i.e. not a pure signing oracle) without coupling directly to the Cosmos transaction format?

[tony-iqlusion]

This landed in #78. It's tested and working in production for us now and being used for Terra Oracle voting.