Puffer Secure-Signer Api (0.1)


License: Apache 2.0

Sign Eth2 Artifacts

Signing

Signs data for ETH2 BLS public key

Signs data for the ETH2 BLS public key specified as part of the URL and returns the signature

path Parameters
identifier
required
string (Pubkey) ^0x[a-fA-F0-9]{96}$
Example: 0x93247f2209abcacf57b75a51dafae777f9dd38bc7053d1af526f220a7489a6d3a2753e5f3e8b1cfe39b56f43611df74a

Key for which data to sign

Request Body schema: application/json
type
required
string
required
object
signingRoot
string
required
object

Responses

Request samples

Content type
application/json
Example
{
  "type": "AGGREGATION_SLOT",
  "fork_info": {
  },
  "signingRoot": "string",
  "aggregation_slot": {
  }
}

Response samples

Content type
{
  "signature": "0xb3baa751d0a9132cfe93e4e3d5ff9075111100e3789dca219ade5a24d27e19d16b3353149da1833e9b691bb38634e8dc04469be7032132906c927d7e1a49b414730612877bc6b2810c8f202daf793d1ab0d6b5cb21d52f9e52e883859887a5d9"
}

Deposit

Register a validator

Given a DepositRequest, uses the specified BLS public key to sign a DepositResponse.

path Parameters
identifier
required
string (Pubkey) ^0x[a-fA-F0-9]{96}$
Example: 0x93247f2209abcacf57b75a51dafae777f9dd38bc7053d1af526f220a7489a6d3a2753e5f3e8b1cfe39b56f43611df74a

Key for which data to sign

Responses

Response samples

Content type
application/json
{
  "pubkey": "string",
  "withdrawal_credentials": "string",
  "amount": "string",
  "signature": "string",
  "deposit_message_root": "string",
  "deposit_data_root": "string"
}

Server Status

Server Status

Checks the Secure-Signer server status. Confirms if Secure-Signer is connected and running.

Responses

Response samples

Content type
text/plain; charset=utf-8
OK

BLS Keygen

Generate BLS Key.

Generates a fresh BLS keypair within Secure-Signer. Returns the hex-encoded BLS public key for the private BLS key that was generated in Secure-Signer. The 48-Byte compressed BLS public key is committed to in a remote attestation report, and the resulting remote attestation evidence is also returned.

Authorizations:
None

Responses

Response samples

Content type
application/json
{
  "pk_hex": "0x93247f2209abcacf57b75a51dafae777f9dd38bc7053d1af526f220a7489a6d3a2753e5f3e8b1cfe39b56f43611df74a",
  "evidence": {
  }
}

ETH Keygen

Generate ETH Key.

Generates a fresh ETH (SECP256K1) keypair within Secure-Signer. Returns the hex-encoded ETH public key for the private ETH key that was generated in Secure-Signer. The 33-Byte compressed ETH public key is committed to in a remote attestation report, and the resulting remote attestation evidence is also returned. The evidence should be verified before trusting the ETH key, which is used to encrypt a BLS keystore password during importing.

Authorizations:
None

Responses

Response samples

Content type
application/json
{
  "pk_hex": "0x025f163d5de3470d4b3bf9f739d661a88aeccc257fc4f4735d8c1a905baf5e813b",
  "evidence": {
  }
}

List Generated ETH Keys.

Returns a list of hex-encoded ETH (SECP256K1) public keys for the private ETH keys that were generated in Secure-Signer.

Authorizations:
None

Responses

Response samples

Content type
application/json
{
  "data": [
  ]
}

Keymanager

List Keys.

Returns a list of hex-encoded BLS public keys for the private BLS keys that are in Secure-Signer's custody.

Authorizations:
None

Responses

Response samples

Content type
application/json
{
  "data": [
  ]
}

Import Keystore.

Import a single BLS keystore conforming to version 4 of EIP-2335: BLS12-381 Keystore. The keystore's password is encrypted via ECIES with the encrypting_pk_hex ETH SECP256K1 public key that is safeguarded within the enclave, producing ct_password. It is expected that the user first have Secure-Signer perform remote attestation with encrypting_pk_hex to gain trust.

The slashing_protection follows the EIP-3076: Slashing Protection Interchange Format, which may store the signing histories of multiple BLS keys. Currently Secure-Signer only supports importing a single key at a time. This limitation means only the 0th indexed key will be imported: slashing_protection["data"][0]. If this slashing_protection["data"][0]["pubkey"] does not match the pubkey decrypted from the keystore, the import will fail. If no slashing_protection is supplied, an empty one will be initialized starting from slot=0, source_epoch=0, and target_epoch=0.

Authorizations:
None
Request Body schema: application/json
keystore
required
string (Keystore)

JSON serialized representation of a single keystore in EIP-2335: BLS12-381 Keystore format.

ct_password
required
string

ECIES encrypted password to unlock the keystore.

encrypting_pk_hex
required
string

Hex-encoded ETH SECP256K1 public key (33B) used to encrypt the keystore password via ECIES.

slashing_protection
string (SlashingProtectionData)

JSON serialized representation of the slashing protection data in the format defined in EIP-3076: Slashing Protection Interchange Format.

Responses

Request samples

Content type
application/json
{
  "keystore": "{ \"crypto\": { \"kdf\": { \"function\": \"scrypt\", \"params\": { \"dklen\": 32, \"n\": 262144, \"p\": 1, \"r\": 8, \"salt\": \"d4e56740f876aef8c010b86a40d5f56745a118d0906a34e69aec8c0db1cb8fa3\" }, \"message\": \"\" }, \"checksum\": { \"function\": \"sha256\", \"params\": {}, \"message\": \"d2217fe5f3e9a1e34581ef8a78f7c9928e436d36dacc5e846690a5581e8ea484\" }, \"cipher\": { \"function\": \"aes-128-ctr\", \"params\": { \"iv\": \"264daa3f303d7259501c93d997d84fe6\" }, \"message\": \"06ae90d55fe0a6e9c5c3bc5b170827b2e5cce3929ed3f116c2811e6366dfe20f\" } }, \"description\": \"This is a test keystore that uses scrypt to secure the secret.\", \"pubkey\": \"9612d7a727c9d0a22e185a1c768478dfe919cada9266988cb32359c11f2b7b27f4ae4040902382ae2910c15e2b420d07\", \"path\": \"m/12381/60/3141592653/589793238\", \"uuid\": \"1d85ae20-35c5-4611-98e8-aa14a633906f\", \"version\": 4 }",
  "ct_password": "0x045f5ecda8ad98023b621fa216a11fa541fbb7bf98795d9af06ee1346a6cd7675c1b8a0b2a65db50c974b43609a4401533ce2b494ebb4a4dd26bea9e9172ae2bb1aea121f14577335ae970",
  "encrypting_pk_hex": "0x02199120115ff926bbeeedf58fe46985df3168b263f47bbcc91ddbf18402804f27",
  "slashing_protection": "{\"metadata\":{\"interchange_format_version\":\"5\",\"genesis_validators_root\":\"0xcf8e0d4e9587369b2301d0790347320302cc0943d5a1884560367e8208d920f2\"},\"data\":[{\"pubkey\":\"0x9612d7a727c9d0a22e185a1c768478dfe919cada9266988cb32359c11f2b7b27f4ae4040902382ae2910c15e2b420d07\",\"signed_blocks\":[],\"signed_attestations\":[]}]}"
}

Response samples

Content type
application/json
{
  "data": [
  ]
}
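
An added example, not part of this specification or of the Secure-Signer project: a client-side pre-flight check for an Import Keystore request body that applies the constraints described above (EIP-2335 version 4, a 33-byte compressed encrypting_pk_hex, and slashing_protection["data"][0]["pubkey"] matching the keystore). The function names and sample values are constructed for illustration; the check compares against the keystore's declared pubkey field as a stand-in, because the server compares against the key decrypted inside Secure-Signer.

```python
import json
import re

BLS_PK_RE = re.compile(r"^0x[a-fA-F0-9]{96}$")       # pubkey pattern given on this page
ETH_PK_RE = re.compile(r"^0x0[23][a-fA-F0-9]{64}$")  # 33-byte compressed SECP256K1 key


def norm(hex_str):
    h = str(hex_str).lower()  # keystores often omit the 0x prefix
    return h if h.startswith("0x") else "0x" + h


def preflight_import(body):
    """Return the problems found in an Import Keystore request body (empty = none)."""
    try:
        keystore = dict(json.loads(body["keystore"]))  # field is serialized JSON
    except (KeyError, TypeError, ValueError):
        return ["keystore is missing or is not serialized JSON"]
    problems = []
    if keystore.get("version") != 4:
        problems.append("keystore is not EIP-2335 version 4")
    # Assumption: the keystore's declared pubkey stands in for the decrypted one.
    ks_pk = norm(keystore.get("pubkey", ""))
    if not BLS_PK_RE.match(ks_pk):
        problems.append("keystore pubkey is not a 48-byte hex BLS key")
    if not ETH_PK_RE.match(str(body.get("encrypting_pk_hex", ""))):
        problems.append("encrypting_pk_hex is not a 33-byte compressed key")
    raw = body.get("slashing_protection")
    if raw is None:
        return problems  # server initializes an empty history from slot 0
    try:
        records = json.loads(raw)["data"]
        first_pk = norm(records[0]["pubkey"])
    except (KeyError, IndexError, TypeError, ValueError):
        return problems + ["slashing_protection has no data[0].pubkey"]
    if first_pk != ks_pk:
        problems.append("data[0] pubkey does not match the keystore pubkey")
    if len(records) > 1:
        problems.append(f"only data[0] is imported; {len(records) - 1} record(s) ignored")
    return problems

# Constructed sample: keystore pubkey lacks the 0x prefix, as in the request sample.
PK = "96" * 48
SAMPLE = {
    "keystore": json.dumps({"version": 4, "pubkey": PK}),
    "encrypting_pk_hex": "0x02" + "11" * 32,
    "slashing_protection": json.dumps({"data": [{"pubkey": "0x" + PK}]}),
}
print(preflight_import(SAMPLE) or "ok")
```

A multi-key interchange file passes the server's pubkey check only if the wanted key happens to be at index 0, so the second warning is the one to act on before sending: split the file per key rather than lose signing history silently.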