207 lines
9.1 KiB
Solidity
207 lines
9.1 KiB
Solidity
// SPDX-License-Identifier: MIT
|
|
|
|
pragma solidity ^0.8.20;
|
|
|
|
import {Calldata} from "../Calldata.sol";
|
|
|
|
/**
|
|
* @dev Utilities to process https://ercs.ethereum.org/ERCS/erc-7739[ERC-7739] typed data signatures
|
|
* that are specific to an EIP-712 domain.
|
|
*
|
|
* This library provides methods to wrap, unwrap and operate over typed data signatures with a defensive
|
|
* rehashing mechanism that includes the application's xref:api:utils#EIP712-_domainSeparatorV4[EIP-712]
|
|
* and preserves readability of the signed content using an EIP-712 nested approach.
|
|
*
|
|
* A smart contract domain can validate a signature for a typed data structure in two ways:
|
|
*
|
|
* - As an application validating a typed data signature. See {typedDataSignStructHash}.
|
|
* - As a smart contract validating a raw message signature. See {personalSignStructHash}.
|
|
*
|
|
* NOTE: A provider for a smart contract wallet would need to return this signature as the
|
|
* result of a call to `personal_sign` or `eth_signTypedData`, and this may be unsupported by
|
|
* API clients that expect a return value of 129 bytes, or specifically the `r,s,v` parameters
|
|
* of an xref:api:utils#ECDSA[ECDSA] signature, as is for example specified for
|
|
* xref:api:utils#EIP712[EIP-712].
|
|
*/
|
|
library ERC7739Utils {
|
|
/**
|
|
* @dev An EIP-712 type to represent "personal" signatures
|
|
* (i.e. mimic of `personal_sign` for smart contracts).
|
|
*/
|
|
bytes32 private constant PERSONAL_SIGN_TYPEHASH = keccak256("PersonalSign(bytes prefixed)");
|
|
|
|
/**
|
|
* @dev Nest a signature for a given EIP-712 type into a nested signature for the domain of the app.
|
|
*
|
|
* Counterpart of {decodeTypedDataSig} to extract the original signature and the nested components.
|
|
*/
|
|
function encodeTypedDataSig(
|
|
bytes memory signature,
|
|
bytes32 appSeparator,
|
|
bytes32 contentsHash,
|
|
string memory contentsDescr
|
|
) internal pure returns (bytes memory) {
|
|
return
|
|
abi.encodePacked(signature, appSeparator, contentsHash, contentsDescr, uint16(bytes(contentsDescr).length));
|
|
}
|
|
|
|
/**
|
|
* @dev Parses a nested signature into its components.
|
|
*
|
|
* Constructed as follows:
|
|
*
|
|
* `signature ‖ APP_DOMAIN_SEPARATOR ‖ contentsHash ‖ contentsDescr ‖ uint16(contentsDescr.length)`
|
|
*
|
|
* - `signature` is the signature for the (ERC-7739) nested struct hash. This signature indirectly signs over the
|
|
* original "contents" hash (from the app) and the account's domain separator.
|
|
* - `APP_DOMAIN_SEPARATOR` is the EIP-712 {EIP712-_domainSeparatorV4} of the application smart contract that is
|
|
* requesting the signature verification (though ERC-1271).
|
|
* - `contentsHash` is the hash of the underlying data structure or message.
|
|
* - `contentsDescr` is a descriptor of the "contents" part of the the EIP-712 type of the nested signature.
|
|
*
|
|
* NOTE: This function returns empty if the input format is invalid instead of reverting.
|
|
* data instead.
|
|
*/
|
|
function decodeTypedDataSig(
|
|
bytes calldata encodedSignature
|
|
)
|
|
internal
|
|
pure
|
|
returns (bytes calldata signature, bytes32 appSeparator, bytes32 contentsHash, string calldata contentsDescr)
|
|
{
|
|
unchecked {
|
|
uint256 sigLength = encodedSignature.length;
|
|
|
|
// 66 bytes = contentsDescrLength (2 bytes) + contentsHash (32 bytes) + APP_DOMAIN_SEPARATOR (32 bytes).
|
|
if (sigLength < 66) return (Calldata.emptyBytes(), 0, 0, Calldata.emptyString());
|
|
|
|
uint256 contentsDescrEnd = sigLength - 2; // Last 2 bytes
|
|
uint256 contentsDescrLength = uint16(bytes2(encodedSignature[contentsDescrEnd:]));
|
|
|
|
// Check for space for `contentsDescr` in addition to the 66 bytes documented above
|
|
if (sigLength < 66 + contentsDescrLength) return (Calldata.emptyBytes(), 0, 0, Calldata.emptyString());
|
|
|
|
uint256 contentsHashEnd = contentsDescrEnd - contentsDescrLength;
|
|
uint256 separatorEnd = contentsHashEnd - 32;
|
|
uint256 signatureEnd = separatorEnd - 32;
|
|
|
|
signature = encodedSignature[:signatureEnd];
|
|
appSeparator = bytes32(encodedSignature[signatureEnd:separatorEnd]);
|
|
contentsHash = bytes32(encodedSignature[separatorEnd:contentsHashEnd]);
|
|
contentsDescr = string(encodedSignature[contentsHashEnd:contentsDescrEnd]);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* @dev Nests an `ERC-191` digest into a `PersonalSign` EIP-712 struct, and returns the corresponding struct hash.
|
|
* This struct hash must be combined with a domain separator, using {MessageHashUtils-toTypedDataHash} before
|
|
* being verified/recovered.
|
|
*
|
|
* This is used to simulates the `personal_sign` RPC method in the context of smart contracts.
|
|
*/
|
|
function personalSignStructHash(bytes32 contents) internal pure returns (bytes32) {
|
|
return keccak256(abi.encode(PERSONAL_SIGN_TYPEHASH, contents));
|
|
}
|
|
|
|
/**
|
|
* @dev Nests an `EIP-712` hash (`contents`) into a `TypedDataSign` EIP-712 struct, and returns the corresponding
|
|
* struct hash. This struct hash must be combined with a domain separator, using {MessageHashUtils-toTypedDataHash}
|
|
* before being verified/recovered.
|
|
*/
|
|
function typedDataSignStructHash(
|
|
string calldata contentsName,
|
|
string calldata contentsType,
|
|
bytes32 contentsHash,
|
|
bytes memory domainBytes
|
|
) internal pure returns (bytes32 result) {
|
|
return
|
|
bytes(contentsName).length == 0
|
|
? bytes32(0)
|
|
: keccak256(
|
|
abi.encodePacked(typedDataSignTypehash(contentsName, contentsType), contentsHash, domainBytes)
|
|
);
|
|
}
|
|
|
|
/**
|
|
* @dev Variant of {typedDataSignStructHash-string-string-bytes32-bytes} that takes a content descriptor
|
|
* and decodes the `contentsName` and `contentsType` out of it.
|
|
*/
|
|
function typedDataSignStructHash(
|
|
string calldata contentsDescr,
|
|
bytes32 contentsHash,
|
|
bytes memory domainBytes
|
|
) internal pure returns (bytes32 result) {
|
|
(string calldata contentsName, string calldata contentsType) = decodeContentsDescr(contentsDescr);
|
|
|
|
return typedDataSignStructHash(contentsName, contentsType, contentsHash, domainBytes);
|
|
}
|
|
|
|
/**
|
|
* @dev Compute the EIP-712 typehash of the `TypedDataSign` structure for a given type (and typename).
|
|
*/
|
|
function typedDataSignTypehash(
|
|
string calldata contentsName,
|
|
string calldata contentsType
|
|
) internal pure returns (bytes32) {
|
|
return
|
|
keccak256(
|
|
abi.encodePacked(
|
|
"TypedDataSign(",
|
|
contentsName,
|
|
" contents,string name,string version,uint256 chainId,address verifyingContract,bytes32 salt)",
|
|
contentsType
|
|
)
|
|
);
|
|
}
|
|
|
|
/**
|
|
* @dev Parse the type name out of the ERC-7739 contents type description. Supports both the implicit and explicit
|
|
* modes.
|
|
*
|
|
* Following ERC-7739 specifications, a `contentsName` is considered invalid if it's empty or it contains
|
|
* any of the following bytes , )\x00
|
|
*
|
|
* If the `contentsType` is invalid, this returns an empty string. Otherwise, the return string has non-zero
|
|
* length.
|
|
*/
|
|
function decodeContentsDescr(
|
|
string calldata contentsDescr
|
|
) internal pure returns (string calldata contentsName, string calldata contentsType) {
|
|
bytes calldata buffer = bytes(contentsDescr);
|
|
if (buffer.length == 0) {
|
|
// pass through (fail)
|
|
} else if (buffer[buffer.length - 1] == bytes1(")")) {
|
|
// Implicit mode: read contentsName from the beginning, and keep the complete descr
|
|
for (uint256 i = 0; i < buffer.length; ++i) {
|
|
bytes1 current = buffer[i];
|
|
if (current == bytes1("(")) {
|
|
// if name is empty - passthrough (fail)
|
|
if (i == 0) break;
|
|
// we found the end of the contentsName
|
|
return (string(buffer[:i]), contentsDescr);
|
|
} else if (_isForbiddenChar(current)) {
|
|
// we found an invalid character (forbidden) - passthrough (fail)
|
|
break;
|
|
}
|
|
}
|
|
} else {
|
|
// Explicit mode: read contentsName from the end, and remove it from the descr
|
|
for (uint256 i = buffer.length; i > 0; --i) {
|
|
bytes1 current = buffer[i - 1];
|
|
if (current == bytes1(")")) {
|
|
// we found the end of the contentsName
|
|
return (string(buffer[i:]), string(buffer[:i]));
|
|
} else if (_isForbiddenChar(current)) {
|
|
// we found an invalid character (forbidden) - passthrough (fail)
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
return (Calldata.emptyString(), Calldata.emptyString());
|
|
}
|
|
|
|
function _isForbiddenChar(bytes1 char) private pure returns (bool) {
|
|
return char == 0x00 || char == bytes1(" ") || char == bytes1(",") || char == bytes1("(") || char == bytes1(")");
|
|
}
|
|
}
|