feat(stellar): Add Google Cloud KMS signer support (#481)

Co-authored-by: Dylan Kilkenny <[email protected]>

Author: LuisUrrutia

README.md

@@ -61,6 +61,7 @@ The repository includes several ready-to-use examples to help you get started wi
 | [`evm-turnkey-signer`](./examples/evm-turnkey-signer/)                               | Using Turnkey Signer for EVM secure signing             |
 | [`solana-turnkey-signer`](./examples/solana-turnkey-signer/)                         | Using Turnkey Signer for Solana secure signing          |
 | [`solana-google-cloud-kms-signer`](./examples/solana-google-cloud-kms-signer/)       | Using Google Cloud KMS Signer for Solana secure signing |
+| [`stellar-gcp-kms-signer`](./examples/stellar-gcp-kms-signer/)                       | Using Google Cloud KMS Signer for Stellar secure signing |
 | [`evm-cdp-signer`](./examples/evm-cdp-signer/)                                       | Using CDP Signer for EVM secure signing                 |
 | [`network-configuration-config-file`](./examples/network-configuration-config-file/) | Using Custom network configuration via config file      |
 | [`network-configuration-json-file`](./examples/network-configuration-json-file/)     | Using Custom network configuration via json file        |

docs/modules/ROOT/pages/signers.adoc

@@ -70,7 +70,7 @@ The following table shows which signer types are compatible with each network ty
 |`google_cloud_kms`
 |✅ Supported
 |✅ Supported
-|❌ Not supported
+|✅ Supported
 
 |`aws_kms`
 |✅ Supported
@@ -89,9 +89,9 @@ The following table shows which signer types are compatible with each network ty
 
 - **EVM Networks**: Use secp256k1 cryptography. Most signers support EVM networks with proper key generation.
 - **Solana Networks**: Use ed25519 cryptography. Ensure your signer supports ed25519 key generation and signing.
-- **Stellar Networks**: Use ed25519 cryptography with specific Stellar requirements. Limited signer support due to network-specific implementation requirements.
+- **Stellar Networks**: Use ed25519 cryptography with specific Stellar requirements. Currently supported by local and Google Cloud KMS signers.
 - **AWS KMS**: Currently optimized for EVM networks with secp256k1 support.
-- **Google Cloud KMS**: Supports both secp256k1 (EVM) and ed25519 (Solana) key types.
+- **Google Cloud KMS**: Supports secp256k1 (EVM) and ed25519 (Solana, Stellar) key types.
 - **Turnkey**: Supports EVM and Solana networks with appropriate key management.
 ====
 
@@ -341,12 +341,17 @@ Uses Google Cloud Key Management Service for secure key operations.
 
 [NOTE]
 ====
-For EVM transaction signing, ensure your Google Cloud KMS key is created with:
+**Network-specific key requirements:**
+
+For **EVM** transaction signing, ensure your Google Cloud KMS key is created with:
 - Protection level: HSM
 - Purpose: Asymmetric sign
 - Algorithm: "Elliptic Curve secp256k1 - SHA256 Digest"
 
-This provides secp256k1 compatibility required for Ethereum transactions.
+For **Solana** and **Stellar** transaction signing, ensure your Google Cloud KMS key is created with:
+- Protection level: Software or HSM
+- Purpose: Asymmetric sign
+- Algorithm: "Elliptic Curve ED25519 Key"
 ====
 
 [source,json]

docs/modules/ROOT/pages/stellar.adoc

@@ -469,6 +469,17 @@ Soroban operations support different authorization modes:
 |Advanced: provide base64-encoded XDR entries. This allows you to provide pre-signed SorobanAuthorizationEntry objects for complex authorization scenarios. See the link:https://developers.stellar.org/docs/learn/smart-contract-internals/authorization[official Stellar documentation on authorization] for detailed information about SorobanAuthorizationEntries.
 |===
 
+== Signer Support
+
+Stellar networks support the following signer types:
+
+- **Local Signer**: Uses encrypted keystore files (suitable for development)
+- **Google Cloud KMS**: Uses Google Cloud Key Management Service with ED25519 keys (recommended for production)
+
+For detailed signer configuration, see the xref:signers.adoc[Signers Configuration] guide.
+
+For a complete example of using Google Cloud KMS with Stellar, check out the link:https://github.com/OpenZeppelin/openzeppelin-relayer/tree/main/examples/stellar-gcp-kms-signer[stellar-gcp-kms-signer example].
+
 == Security
 
 - Do not expose the relayer directly to the public internet

examples/stellar-gcp-kms-signer/.env.example

@@ -0,0 +1,9 @@
+REDIS_URL=redis://redis:6379
+API_KEY=your_api_key_here
+WEBHOOK_SIGNING_KEY=your_webhook_signing_key_here
+
+# Google Cloud KMS Configuration
+# Extract these values from your service account JSON file
+GCP_PRIVATE_KEY_ID=your_private_key_id_from_service_account_json
+GCP_PRIVATE_KEY="-----BEGIN PRIVATE EXAMPLE KEY-----\nyour_private_key_here\n-----END PRIVATE EXAMPLE KEY-----\n"
+GCP_CLIENT_EMAIL=[email protected]

examples/stellar-gcp-kms-signer/README.md

@@ -0,0 +1,225 @@
+# Using Google Cloud KMS for Secure EVM Transaction Signing in OpenZeppelin Relayer
+
+This example demonstrates how to use Google Cloud KMS hosted private key to securely sign Stellar transactions in OpenZeppelin Relayer.
+
+## Prerequisites
+
+1. A Google Cloud Platform account with KMS API enabled - [Get Started](https://cloud.google.com/kms)
+2. Rust and Cargo installed
+3. Git
+4. [Docker](https://docs.docker.com/get-docker/)
+5. [Docker Compose](https://docs.docker.com/compose/install/)
+
+## Getting Started
+
+### Step 1: Clone the Repository
+
+Clone this repository to your local machine:
+
+```bash
+git clone https://github.com/OpenZeppelin/openzeppelin-relayer
+cd openzeppelin-relayer
+```
+
+### Step 2: Create KMS Key
+
+1. Login to Google Cloud Console
+2. Navigate to Security -> Key Management
+3. Create a new key ring or use an existing one
+4. Click "Create Key" and choose the following options:
+   1. Protection level: Software
+   2. Purpose: Asymmetric sign
+   3. Algorithm: Elliptic Curve ED25519 Key
+5. Take note of:
+   - Project ID
+   - Location (region)
+   - Key ring ID
+   - Key ID
+   - Key version (usually 1 for new keys)
+
+### Step 3: Setup Google Cloud Service Account
+
+1. Go to IAM & Admin -> Service Accounts
+2. Create a new service account or use an existing one
+3. Grant the following roles:
+   - Cloud KMS CryptoKey Signer
+   - Cloud KMS CryptoKey Public Key Viewer
+4. Create and download a JSON key file for the service account
+5. Extract the following values from the JSON file:
+   - `project_id`
+   - `private_key_id`
+   - `private_key` (PEM format)
+   - `client_email`
+   - `client_id`
+
+### Step 4: Configure the Relayer Service
+
+Create an environment file by copying the example:
+
+```bash
+cp examples/stellar-gcp-kms-signer/.env.example examples/stellar-gcp-kms-signer/.env
+```
+
+#### Populate Google Cloud KMS config
+
+Edit the `config.json` file and update the following variables:
+
+```json
+{
+  "signers": [
+    {
+      "id": "gcp-kms-signer-stellar",
+      "type": "google_cloud_kms",
+      "config": {
+        "service_account": {
+          "project_id": "your-gcp-project-id",
+          "private_key_id": {
+            "type": "env",
+            "value": "GCP_PRIVATE_KEY_ID"
+          },
+          "private_key": {
+            "type": "env",
+            "value": "GCP_PRIVATE_KEY"
+          },
+          "client_email": {
+            "type": "env",
+            "value": "GCP_CLIENT_EMAIL"
+          },
+          "client_id": "your-client-id"
+        },
+        "key": {
+          "location": "us-west2",
+          "key_ring_id": "your-key-ring",
+          "key_id": "your-key-id",
+          "key_version": 1
+        }
+      }
+    }
+  ]
+}
+```
+
+#### Populate Google Cloud KMS Credentials
+
+Add these values to your `.env` file (extracted from the service account JSON):
+
+```env
+GCP_PRIVATE_KEY_ID="private_key_id_from_service_account_json"
+GCP_PRIVATE_KEY="-----BEGIN PRIVATE EXAMPLE KEY-----\n...\n-----END PRIVATE EXAMPLE KEY-----\n"
+GCP_CLIENT_EMAIL="[email protected]"
+```
+
+#### Generate Security Keys
+
+Generate random keys for API authentication and webhook signing:
+
+```bash
+# Generate API key
+cargo run --example generate_uuid
+
+# Generate webhook signing key
+cargo run --example generate_uuid
+```
+
+Add these to your `.env` file:
+
+```env
+WEBHOOK_SIGNING_KEY=generated_webhook_key
+API_KEY=generated_api_key
+```
+
+#### Configure Webhook URL
+
+Update the `examples/stellar-gcp-kms-signer/config/config.json` file with your webhook configuration:
+
+1. For testing, get a webhook URL from [Webhook.site](https://webhook.site)
+2. Update the config file:
+
+```json
+{
+  "notifications": [
+    {
+      "url": "your_webhook_url"
+    }
+  ]
+}
+```
+
+### Step 5: Run the Service
+
+Start the service with Docker Compose:
+
+```bash
+docker compose -f examples/stellar-gcp-kms-signer/docker-compose.yaml up
+```
+
+### Step 6: Test the Service
+
+#### 6.1 Check Relayer Status
+
+First, verify that your relayer is running and properly configured:
+
+```bash
+curl -X GET http://localhost:8080/api/v1/relayers \
+  -H "Content-Type: application/json" \
+  -H "AUTHORIZATION: Bearer YOUR_API_KEY"
+```
+
+This should return information about your relayer, including its address derived from the Google Cloud KMS public key.
+
+#### 6.2 Test Stellar Transaction Signing
+
+Test the complete transaction signing and submission process:
+
+```bash
+curl -X POST http://localhost:8080/api/v1/relayers/your-relayer-id/transactions \
+  -H "Content-Type: application/json" \
+  -H "AUTHORIZATION: Bearer YOUR_API_KEY" \
+  -d '{
+    "value": 1,
+    "data": "0x",
+    "to": "0x742d35cc6604c532532db3ae0f4d03e7c7b17e3e",
+    "gas_limit": 21000,
+    "speed": "average"
+  }'
+```
+
+**What this does:**
+
+- Creates a transaction sending 1 wei to the specified address
+- Uses Google Cloud KMS to sign the transaction
+- Submits the signed transaction to the network
+- Returns transaction details including the transaction hash
+
+### Troubleshooting
+
+If you encounter issues:
+
+1. **Authentication Issues**:
+
+   - Verify your service account JSON is correct
+   - Ensure the service account has the required KMS permissions
+   - Check that the project ID matches your GCP project
+
+2. **Key Access Issues**:
+
+   - Verify the key location, key ring ID, and key ID are correct
+   - Ensure the key is created with the correct algorithm (Elliptic Curve ED25519)
+   - Check that the key version exists
+
+3. **Signing Failures**:
+
+   - Verify the key has signing permissions
+   - Check that the key algorithm supports ED25519 operations
+   - Review service logs for detailed error messages
+
+4. **Network Issues**:
+   - Ensure your environment can reach Google Cloud KMS APIs
+   - Check firewall settings if running in a restricted environment
+
+### Additional Resources
+
+- [Google Cloud KMS Documentation](https://cloud.google.com/kms/docs)
+- [Service Account Authentication](https://cloud.google.com/docs/authentication/getting-started)
+- [KMS Key Management](https://cloud.google.com/kms/docs/creating-keys)
+- [OpenZeppelin Relayer Documentation](https://docs.openzeppelin.com/relayer)

examples/stellar-gcp-kms-signer/config/config.json

@@ -0,0 +1,49 @@
+{
+  "relayers": [
+    {
+      "id": "stellar-example",
+      "name": "Stellar Example",
+      "network": "testnet",
+      "paused": false,
+      "signer_id": "gcp-kms-signer-stellar",
+      "network_type": "stellar",
+      "policies": {
+        "min_balance": 0
+      }
+    }
+  ],
+  "notifications": [],
+
+  "signers": [
+    {
+      "id": "gcp-kms-signer-stellar",
+      "type": "google_cloud_kms",
+      "config": {
+        "service_account": {
+          "project_id": "macro-boulevard-473712-h8",
+          "private_key_id": {
+            "type": "env",
+            "value": "GCP_PRIVATE_KEY_ID"
+          },
+          "private_key": {
+            "type": "env",
+            "value": "GCP_PRIVATE_KEY"
+          },
+          "client_email": {
+            "type": "env",
+            "value": "GCP_CLIENT_EMAIL"
+          },
+          "client_id": "108076383744345715915"
+        },
+        "key": {
+          "location": "global",
+          "key_ring_id": "relayer",
+          "key_id": "relayer",
+          "key_version": 1
+        }
+      }
+    }
+  ],
+  "networks": "./config/networks",
+  "plugins": []
+}