This is an ICP canister that generates a signature for a pair of a domain and a hash of a DKIM public key registered on the distributed name service (DNS). The signature can be verified on Ethereum, allowing smart contracts on Ethereum to verify that the given domain and public key hash are registered on the DNS. For example, this is used in ZK Email to update a dkim registry contract, which stores the authorized public key hashes accessed during email proof verification.
Our repository contains the implementations of theee canisters as follows:
- Poseidon hash canister: this simply computes the Poseidon hash of the given RSA public key.
- DNS client canister: this fetches an RSA public key for the given selector and domain from either Google DNS, Cloudflare DNS, or Next DNS.
- IC DNS oracle backend canister: this is our main canister that generates an ECDSA signature for the fetched public key corresponding to the given selector and domain. The output signature can be verified by smart contracts on Ethereum.
Our IC DNS oracle backend canister is available at https://a4gq6-oaaaa-aaaab-qaa4q-cai.raw.icp0.io/?id=fxmww-qiaaa-aaaaj-azu7a-cai. Once you prepare your identity and wallet on ICP, you can obtain the signature for the hash of the public key registered on DNS for the pair of the selector 20230601 and the domain gmail.com by calling the following command:
dfx canister call fxmww-qiaaa-aaaaj-azu7a-cai sign_dkim_public_key '("20230601", "gmail.com")' --network ic --with-cycles 85_414_812_012 --wallet <YOUR_WALLET_CANISTER_ID>
You can verify it as the ECDSA signature from 0x6293a80bf4bd3fff995a0cab74cbf281d922da02, which is the signer's Ethereum address output by the get_signer_ethereum_address
function.
First of all, you need to prepare the binary of pocket-ic
according to the instruction here.
After you put the binary under the ic-dns-oracle
directory or set the POCKET_IC_BIN
to the path to that binary, you can run tests by the following commands:
cargo build --target wasm32-unknown-unknown
cargo test
To protect our canisters against DDoS attacks, their update functions require the caller to pay specific amounts of cycles as fees. Specifically, each function requires the following amount of cycles.
Function Name | Required Cycles |
---|---|
public_key_hash | 52_946_839 |
get_dkim_public_key | 2_236_193_826 |
sign_dkim_public_key | 42_707_406_006 (normal domain) / 85_414_812_012 (domain with gappssmtp.com) |
revoke_dkim_public_key | 39_438_456_624 (normal domain) / 78_876_913_248 (domain with gappssmtp.com) |
- Quick Start
- SDK Developer Tools
- Rust Canister Devlopment Guide
- ic-cdk
- ic-cdk-macros
- Candid Introduction
We sincerely thank Clank Pan for generously sharing insights and feedback on ICP, which helped us improve our library.