Cartouche.Solana.Signer.CloudKMS (Cartouche v0.5.0)

Copy Markdown View Source

Ed25519 signing backend using Google Cloud KMS.

GCP KMS supports Ed25519 signing (algorithm EC_SIGN_ED25519) since April 2024. This is the Solana equivalent of Cartouche.Signer.CloudKMS for Ethereum.

Key differences from the Ethereum KMS signer:

  • Uses data field (raw bytes) instead of digest.sha256 (pre-hashed)
  • PEM contains Ed25519 SubjectPublicKeyInfo (RFC 8410), not an EC point
  • Signature is raw 64 bytes, not DER-encoded

Implements Cartouche.Signer.Backend — its config is the {credentials, project, location, keychain, key, version} key-coordinate tuple. Ed25519 signs raw message bytes, so Cartouche.Signer.Backend.sign_payload/2 is the raw-message signer.

Summary

Types

Cloud KMS key coordinates: {credentials, project, location, keychain, key, version}.

Functions

Alias for public_key/1 (arg-spread form) — on Solana the public key is the address.

Get the Ed25519 public key (32 bytes) from a KMS key version.

Sign raw message bytes via a KMS Ed25519 key — the pure-payload contract.

Types

config()

@type config() :: {term(), String.t(), String.t(), String.t(), String.t(), String.t()}

Cloud KMS key coordinates: {credentials, project, location, keychain, key, version}.

Functions

get_address(cred, project, location, keychain, key, version)

@spec get_address(term(), String.t(), String.t(), String.t(), String.t(), String.t()) ::
  {:ok, <<_::256>>} | {:error, term()}

Alias for public_key/1 (arg-spread form) — on Solana the public key is the address.

public_key(arg)

@spec public_key(config()) :: {:ok, <<_::256>>} | {:error, term()}

Get the Ed25519 public key (32 bytes) from a KMS key version.

For Solana the public key is the address, so get_address/6 is an alias.

sign(message, cred, project, location, keychain, key, version)

@spec sign(
  binary(),
  term(),
  String.t(),
  String.t(),
  String.t(),
  String.t(),
  String.t()
) ::
  {:ok, <<_::512>>} | {:error, term()}

Back-compat alias for sign_payload/2 (arg-spread form).

sign_payload(message, arg)

@spec sign_payload(binary(), config()) :: {:ok, <<_::512>>} | {:error, term()}

Sign raw message bytes via a KMS Ed25519 key — the pure-payload contract.

Ed25519 signs raw message bytes (no external hashing). The message is sent to KMS via the data field (not digest).

Returns {:ok, signature} where signature is exactly 64 bytes.