aptos: use keccak256 (#1506)

* aptos: use keccak256

* aptos: Add option to run tests via docker

* CI: run aptos tests via docker

.github/workflows/build.yml

@@ -87,22 +87,13 @@ jobs:
     defaults:
       run:
         shell: bash
-        working-directory: ./aptos/contracts
+        working-directory: ./aptos
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
 
-      - name: Get Aptos
-        uses: pontem-network/get-aptos@main
-        with:
-          version: latest
-          token: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build
-        run: aptos move compile
-
-      - name: Test
-        run: aptos move test
+      - name: Run tests via docker
+        run: make test-docker
 
   terra:
     runs-on: ubuntu-20.04

Tiltfile

@@ -741,6 +741,7 @@ if aptos:
         ref = "aptos-node",
         context = "aptos",
         dockerfile = "aptos/Dockerfile",
+        target = "aptos",
         only = ["Dockerfile", "node_builder.sh", "start_node.sh", "README.md", "cert.pem"],
     )
 

aptos/Dockerfile

@@ -1,3 +1,15 @@
-FROM ghcr.io/wormhole-foundation/aptos:0.3.3n@sha256:d321c61d6da379357e3e1e0765cd8a0c0d9d706cf6f34f8fb6e9f0abf55f04e6 as aptos-node
+FROM ghcr.io/wormhole-foundation/aptos:0.3.3n@sha256:d321c61d6da379357e3e1e0765cd8a0c0d9d706cf6f34f8fb6e9f0abf55f04e6 as aptos
 
+# Support additional root CAs
+COPY cert.pem* /certs/
+RUN if [ -e /certs/cert.pem ]; then cp /certs/cert.pem /etc/ssl/certs/ca-certificates.crt; fi
 
+FROM aptos as tests
+
+WORKDIR /tmp
+
+COPY contracts/ contracts
+COPY deployer/ deployer
+COPY Makefile Makefile
+
+RUN make test

aptos/Dockerfile.contracts

@@ -1,29 +0,0 @@
-FROM debian@sha256:2ce44bbc00a79113c296d9d25524e15d423b23303fdbbe20190d2f96e0aeb251 as near-contracts
-
-# Support additional root CAs
-COPY README.md cert.pem* /certs/
-# Debian
-RUN if [ -e /certs/cert.pem ]; then cp /certs/cert.pem /etc/ssl/certs/ca-certificates.crt; fi
-# git
-RUN if [ -e /certs/cert.pem ]; then git config --global http.sslCAInfo /certs/cert.pem; fi
-
-RUN apt-get update && apt-get install apt-utils && apt-get install -y python3 npm curl --no-install-recommends
-
-#ADD setup-rust.sh .
-#RUN ./setup-rust.sh
-
-#RUN mkdir -p /.npm /home/node/appa /home/node/.npm
-#WORKDIR /home/node/app
-#RUN chown -R 1000:1000 /home/node
-#RUN chown -R 1000:1000 /.npm
-
-#USER 1000
-
-#ADD --chown=1000:1000 package.json .
-#ADD --chown=1000:1000 package-lock.json .
-#ADD --chown=1000:1000 .env .env
-
-#RUN npm ci
-
-#ADD --chown=1000:1000 devnet_deploy.* .
-#ADD --chown=1000:1000 ./contracts/*/target/wasm32-unknown-unknown/release/*.wasm .

aptos/Makefile

@@ -1,3 +1,10 @@
 build:
 	make -C deployer build
 	make -C contracts build
+
+test:
+	make -C deployer test
+	make -C contracts test
+
+test-docker:
+	DOCKER_BUILDKIT=1 docker build -f Dockerfile --target tests .

aptos/contracts/Move.toml

@@ -5,10 +5,10 @@ upgrade_policy = "compatible"
 
 #TODO: pin versions before mainnet release
 [dependencies]
-AptosFramework = { git = "https://github.com/aptos-labs/aptos-core.git", subdir = "aptos-move/framework/aptos-framework/", rev = "devnet" }
-MoveStdlib = { git = "https://github.com/aptos-labs/aptos-core.git", subdir = "aptos-move/framework/move-stdlib/", rev = "devnet" }
-AptosStdlib = { git = "https://github.com/aptos-labs/aptos-core.git", subdir = "aptos-move/framework/aptos-stdlib/", rev = "devnet" }
-AptosToken = { git = "https://github.com/aptos-labs/aptos-core.git", subdir = "aptos-move/framework/aptos-token/", rev = "devnet" }
+AptosFramework = { git = "https://github.com/aptos-labs/aptos-core.git", subdir = "aptos-move/framework/aptos-framework/", rev = "alin/move-keccak" }
+MoveStdlib = { git = "https://github.com/aptos-labs/aptos-core.git", subdir = "aptos-move/framework/move-stdlib/", rev = "alin/move-keccak" }
+AptosStdlib = { git = "https://github.com/aptos-labs/aptos-core.git", subdir = "aptos-move/framework/aptos-stdlib/", rev = "alin/move-keccak" }
+AptosToken = { git = "https://github.com/aptos-labs/aptos-core.git", subdir = "aptos-move/framework/aptos-token/", rev = "alin/move-keccak" }
 Deployer = { local = "../deployer/" }
 # U256 = { git = "https://github.com/pontem-network/u256", rev = "main"  }
 

aptos/contracts/sources/contract_upgrade.move

@@ -1,5 +1,5 @@
 module wormhole::contract_upgrade {
-    use std::hash;
+    use std::aptos_hash;
     use std::vector;
     use aptos_framework::code;
     use wormhole::deserialize;
@@ -68,7 +68,7 @@ module wormhole::contract_upgrade {
         vector::reverse(&mut c);
         let a = vector::empty<u8>();
         while (!vector::is_empty(&c)) vector::append(&mut a, vector::pop_back(&mut c));
-        assert!(hash::sha3_256(a) == hash, E_UNEXPECTED_HASH);
+        assert!(aptos_hash::keccak256(a) == hash, E_UNEXPECTED_HASH);
 
         let wormhole = wormhole::wormhole_signer();
         code::publish_package_txn(&wormhole, metadata_serialized, code);

aptos/contracts/sources/guardian_pubkey.move

@@ -1,6 +1,6 @@
 /// Guardian keys are EVM-style 20 byte addresses
 /// That is, they are computed by taking the last 20 bytes of the keccak256
-/// (sha3 256) hash of their 64 byte secp256k1 public key.
+/// hash of their 64 byte secp256k1 public key.
 module wormhole::guardian_pubkey {
     use 0x1::secp256k1::{
         ECDSARawPublicKey,
@@ -8,7 +8,7 @@ module wormhole::guardian_pubkey {
         ecdsa_raw_public_key_to_bytes,
         ecdsa_recover,
     };
-    use 0x1::hash;
+    use 0x1::aptos_hash;
     use 0x1::vector;
 
     /// An error occurred while deserializing, for example due to wrong input size.
@@ -28,8 +28,7 @@ module wormhole::guardian_pubkey {
     /// Computes the address from a 64 byte public key.
     public fun from_pubkey(pubkey: &ECDSARawPublicKey): Address {
         let bytes = ecdsa_raw_public_key_to_bytes(pubkey);
-        // TODO: update when keccak256 is implemented
-        let hash = hash::sha3_256(bytes);
+        let hash = aptos_hash::keccak256(bytes);
         let address = vector::empty<u8>();
         let i = 0;
         while (i < 20) {
@@ -66,9 +65,7 @@ module wormhole::guardian_pubkey_test {
         // devnet guardian public key
         let pubkey = x"d4a4629979f0c9fa0f0bb54edf33f87c8c5a1f42c0350a30d68f7e967023e34e495a8ebf5101036d0fd66e3b0a8c7c61b65fceeaf487ab3cd1b5b7b50beb7970";
         let pubkey = ecdsa_raw_public_key_from_64_bytes(pubkey);
-        // TODO: with keccak, this would be the address. Update when keccak256 hash is available
-        // 0xbeFA429d57cD18b7F8A4d91A2da9AB4AF05d0FBe
-        let expected_address = guardian_pubkey::from_bytes(x"61be3d87e39e7cc9c29ac62f0ceef9bc1939e810");
+        let expected_address = guardian_pubkey::from_bytes(x"beFA429d57cD18b7F8A4d91A2da9AB4AF05d0FBe");
 
         let address = guardian_pubkey::from_pubkey(&pubkey);
 
@@ -80,7 +77,7 @@ module wormhole::guardian_pubkey_test {
         let sig = ecdsa_signature_from_bytes(x"38535089d6eec412a00066f84084212316ee3451145a75591dbd4a1c2a2bff442223f81e58821bfa4e8ffb80a881daf7a37500b04dfa5719fff25ed4cec8dda3");
         let msg = x"43f3693ccdcb4400e1d1c5c8cec200153bd4b3d167e5b9fe5400508cf8717880";
         let addr = guardian_pubkey::from_signature(msg, 1, &sig);
-        let expected_addr = guardian_pubkey::from_bytes(x"61be3d87e39e7cc9c29ac62f0ceef9bc1939e810");
+        let expected_addr = guardian_pubkey::from_bytes(x"beFA429d57cD18b7F8A4d91A2da9AB4AF05d0FBe");
         assert!(addr == expected_addr, 0);
     }
 }

aptos/contracts/sources/vaa.move

@@ -1,7 +1,7 @@
 module wormhole::vaa {
     use 0x1::vector;
     use 0x1::secp256k1::{Self};
-    use 0x1::hash::{Self};
+    use 0x1::aptos_hash;
     // use 0x1::timestamp::{Self};
 
     use wormhole::u16::{U16};
@@ -74,7 +74,7 @@ module wormhole::vaa {
         };
 
         let body = cursor::rest(cur);
-        let hash = hash::sha3_256(hash::sha3_256(body));
+        let hash = aptos_hash::keccak256(aptos_hash::keccak256(body));
 
         let cur = cursor::init(body);
 
@@ -202,7 +202,7 @@ module wormhole::vaa {
         serialize::serialize_u64(&mut bytes, vaa.sequence);
         serialize::serialize_u8(&mut bytes, vaa.consistency_level);
         serialize::serialize_vector(&mut bytes, vaa.payload);
-        hash::sha3_256(bytes)
+        aptos_hash::keccak256(bytes)
     }
 
     public fun quorum(num_guardians: u64): u64 {

aptos/contracts/sources/wormhole.move

@@ -57,10 +57,10 @@ module wormhole::wormhole {
 #[test_only]
 module wormhole::wormhole_test {
     use 0x1::hash;
+    use 0x1::aptos_hash;
     #[test]
-    public fun test_foo() {
+    public fun test_hash() {
         assert!(hash::sha3_256(vector[0]) == x"5d53469f20fef4f8eab52b88044ede69c77a6a68a60728609fc4a65ff531e7d0", 0);
-        // TODO: once keccak_256 is available, uncomment this line
-        // assert!(hash::keccak_256(vector[0]) == x"bc36789e7a1e281436464229828f817d6612f7b477d66591ff96a9e064bcc98a", 0);
+        assert!(aptos_hash::keccak256(vector[0]) == x"bc36789e7a1e281436464229828f817d6612f7b477d66591ff96a9e064bcc98a", 0);
     }
 }

aptos/deployer/Move.toml

@@ -4,7 +4,7 @@ version = '1.0.0'
 
 [dependencies.AptosFramework]
 git = 'https://github.com/aptos-labs/aptos-core.git'
-rev = 'devnet'
+rev = 'alin/move-keccak'
 subdir = 'aptos-move/framework/aptos-framework'
 
 [addresses]

aptos/scripts/deploy

@@ -4,7 +4,7 @@
 # 0xbeFA429d57cD18b7F8A4d91A2da9AB4AF05d0FBe), but derived using sha3_256
 # instead of keccak_256 because the latter is not available in the current
 # version of the runtime.
-GUARDIAN_ADDR=0x61be3d87e39e7cc9c29ac62f0ceef9bc1939e810
+GUARDIAN_ADDR=0xbeFA429d57cD18b7F8A4d91A2da9AB4AF05d0FBe
 CONTRACT_ADDR=0x251011524cd0f76881f16e7c2d822f0c1c9510bfd2430ba24e1b3d52796df204
 
 worm aptos faucet

clients/js/cmds/aptos.ts

@@ -246,7 +246,7 @@ function serializePackage(p: Package): PackageBCS {
   modules.forEach(module => serializer.serializeBytes(module));
   const serializedModules = serializer.getBytes();
 
-  const codeHash = Buffer.from(sha3.sha3_256(Buffer.concat(modules)), "hex")
+  const codeHash = Buffer.from(sha3.keccak256(Buffer.concat(modules)), "hex")
 
   return {
     meta: serializedPackageMetadata,

clients/js/vaa.ts

@@ -2,7 +2,6 @@ import { Parser } from "binary-parser"
 import { BigNumber, ethers } from "ethers"
 import { solidityKeccak256 } from "ethers/lib/utils"
 import * as elliptic from "elliptic"
-import sha3 from 'js-sha3'
 
 export interface Signature {
     guardianSetIndex: number
@@ -175,10 +174,7 @@ export function serialiseVAA(vaa: VAA<Payload>) {
 }
 
 export function vaaDigest(vaa: VAA<Payload | Other>) {
-    //TODO: since aptos has no keccak256 yet, we have to sign VAAs with sha3_256
-    //instead. This is a temporary solution until we have a keccak256 in aptos.
-    // return solidityKeccak256(["bytes"], [solidityKeccak256(["bytes"], ["0x" + vaaBody(vaa)])])
-    return "0x" + sha3.sha3_256(Buffer.from(sha3.sha3_256(Buffer.from(vaaBody(vaa), "hex")), "hex"))
+    return solidityKeccak256(["bytes"], [solidityKeccak256(["bytes"], ["0x" + vaaBody(vaa)])])
 }
 
 function vaaBody(vaa: VAA<Payload | Other>) {