• Add API key to generate and import response
• Add Admin APIs

Why this API change

Problem

Multiple AVS can use single Cerberus instance to sign with their key by sending the public key in the request. This creates a problem with a malicious AVS can ask keys from other AVS to sign. We need a way to make sure AVS1 can only sign with keys registered from them. Following are some potential ways we can solve this problem

Solution

Every new BLS key pair which is either created or imported will return a new API Key. This will be a unique identifier (uuid) for authorizing the key to sign. In Cerberus we will persist the mapping of hash of API Key and public key (with some other metadata). All the signing requests should come with API Key and if that API key doesn’t match with the public key it is mapped with, Cerberus will reject the request.

Sample Go Client code

import "google.golang.org/grpc/metadata"

ctx = metadata.AppendToOutgoingContext(ctx, "authorization", api_key)

Sample cerberus validation code

md, ok := metadata.FromIncomingContext(ctx)
if !ok {
	return nil, status.Errorf(codes.Unauthenticated, "metadata is not provided")
}

values := md["authorization"]
if len(values) == 0 {
	return nil, status.Errorf(codes.Unauthenticated, "authorization token is not provided")
}
	
	
// Check if this value matches the pub key in the request

• Cerberus will implement a persistant storage to store these mappings
• Admin API will be exposed on separate port so a super admin can expose them to a bastion server for any API Key rotation or locking/unlocking keys