keyless authenticator fixes: b64 fixes, training wheels signature

[alinush]

Description

• JWT header in KeylessSignature should not be b64url-encoded
• Rename exp_timestamp_secs to exp_date_secs for consistency with our terminology
• JWT payload and signature in OpenIdSig should not be b64url-encoded
• Training wheels signature should cover ZK relation statement
• Add _json suffix

No passkey support, because it would require working around the need for two passkey signatures: one one the TXN and another on the ZKP (non-malleability)

[trunk-io]

⏱️ 20h 17m total CI duration on this PR

Job	Cumulative Duration	Recent Runs
windows-build	5h 6m	🟩 🟩 🟩 🟩 🟩 (+15 more)
rust-unit-tests	3h 12m	⬜ ⬜ ⬜ ⬜ 🟩 (+11 more)
run-tests-main-branch	2h 7m	🟥 🟥 🟥 ⬜ 🟥 (+15 more)
execution-performance / single-node-performance	1h 26m	🟩 🟩 🟩 🟩
rust-move-tests	1h 3m	⬜ ⬜ 🟩 ⬜ 🟩 (+1 more)
rust-move-unit-coverage	1h 1m	⬜ ⬜ 🟩 ⬜ 🟩 (+1 more)
rust-smoke-tests	1h 1m	⬜ 🟩 🟩
check	1h 1m	🟩 🟩 🟩 ⬜ 🟩 (+14 more)
rust-lints	59m	🟥 🟥 ⬜ 🟩 🟩 (+11 more)
check-dynamic-deps	42m	🟩 🟩 🟩 🟩 🟩 (+15 more)
general-lints	34m	🟩 🟩 🟩 🟩 🟩 (+11 more)
forge-compat-test / forge	33m	🟩 🟩
rust-images / rust-all	28m	⬜ 🟩 🟩
forge-e2e-test / forge	27m	🟩 🟩
cli-e2e-tests / run-cli-tests	15m	🟩 🟩
semgrep/ci	8m	🟩 🟩 🟩 🟩 🟩 (+15 more)
file_change_determinator	4m	🟩 🟩 🟩 🟩 🟩 (+15 more)
file_change_determinator	3m	🟩 🟩 🟩 ⬜ 🟩 (+13 more)
node-api-compatibility-tests / node-api-compatibility-tests	2m	🟩 🟩
permission-check	1m	🟩 🟩 🟩 🟩 🟩 (+15 more)
permission-check	1m	🟩 🟩 🟩 🟩 🟩 (+15 more)
permission-check	1m	🟩 🟩 🟩 🟩 🟩 (+15 more)
permission-check	1m	🟩 🟩 🟩 🟩 🟩 (+15 more)
execution-performance / file_change_determinator	45s	🟩 🟩 🟩 🟩
file_change_determinator	37s	🟩 🟩 🟩
determine-docker-build-metadata	10s	🟩 🟩 🟩
permission-check	9s	🟩 🟩 🟩

🚨 3 jobs on the last run were significantly faster/slower than expected

Job	Duration	vs 7d avg	Delta
run-tests-main-branch	7m	4m
forge-compat-test / forge	21m	14m
cli-e2e-tests / run-cli-tests	9m	7m

_{settings ⋅ feedback ⋅ docs ⋅ learn more about trunk.io}

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 51 lines in your changes are missing coverage. Please review.

Project coverage is 64.2%. Comparing base (fba8cce) to head (7c14de9).
Report is 1 commits behind head on main.

❗ Current head 7c14de9 differs from pull request most recent head c5a48d2. Consider uploading reports for the commit c5a48d2 to get more accurate results

Files	Patch %	Lines
types/src/keyless/groth16_sig.rs	0.0%	17 Missing ⚠️
types/src/keyless/openid_sig.rs	0.0%	9 Missing ⚠️
aptos-move/aptos-vm/src/keyless_validation.rs	0.0%	8 Missing ⚠️
types/src/keyless/test_utils.rs	0.0%	7 Missing ⚠️
types/src/keyless/bn254_circom.rs	0.0%	4 Missing ⚠️
types/src/keyless/circuit_testcases.rs	0.0%	4 Missing ⚠️
types/src/keyless/mod.rs	0.0%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff            @@
##             main   #12287     +/-   ##
=========================================
- Coverage    64.2%    64.2%   -0.1%     
=========================================
  Files         793      793             
  Lines      176259   176268      +9     
=========================================
  Hits       113188   113188             
- Misses      63071    63080      +9     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[hariria]

LGTM overall. Seems like we may not do this since do signatures are required (one over the ZKP and another over the txn).

One thing I would do is just double check MAX_SIZE of the ZkidSignature to make sure it can accommodate a potentially 1024 byte Passkey signature inside.

[hariria]

If we want to be consistent with the naming we have in aptos-core maybe something like KeylessAccountWithWebAuthnCredential would make more sense but I see we're calling OIDC -> Keyless so maybe that's not what you're going for

[github-actions]

✅ Forge suite realistic_env_max_load success on c5a48d2d8526b1d2ca2be6622b6e12f04e963c51

two traffics test: inner traffic : committed: 7952 txn/s, latency: 4941 ms, (p50: 4800 ms, p90: 5700 ms, p99: 10400 ms), latency samples: 3427340
two traffics test : committed: 100 txn/s, latency: 1928 ms, (p50: 1800 ms, p90: 2100 ms, p99: 6300 ms), latency samples: 1780
Latency breakdown for phase 0: ["QsBatchToPos: max: 0.248, avg: 0.205", "QsPosToProposal: max: 0.278, avg: 0.247", "ConsensusProposalToOrdered: max: 0.459, avg: 0.412", "ConsensusOrderedToCommit: max: 0.326, avg: 0.304", "ConsensusProposalToCommit: max: 0.732, avg: 0.716"]
Max round gap was 1 [limit 4] at version 1633503. Max no progress secs was 4.057147 [limit 15] at version 1633503.
Test Ok

• Grafana dashboard
• Humio Logs
• Axiom Logs
• Test runner output
• Test run is land-blocking

[github-actions]

✅ Forge suite compat success on aptos-node-v1.9.5 ==> c5a48d2d8526b1d2ca2be6622b6e12f04e963c51

Compatibility test results for aptos-node-v1.9.5 ==> c5a48d2d8526b1d2ca2be6622b6e12f04e963c51 (PR)
1. Check liveness of validators at old version: aptos-node-v1.9.5
compatibility::simple-validator-upgrade::liveness-check : committed: 4781 txn/s, latency: 6453 ms, (p50: 6300 ms, p90: 9900 ms, p99: 16300 ms), latency samples: 186460
2. Upgrading first Validator to new version: c5a48d2d8526b1d2ca2be6622b6e12f04e963c51
compatibility::simple-validator-upgrade::single-validator-upgrade : committed: 730 txn/s, latency: 33597 ms, (p50: 34800 ms, p90: 51400 ms, p99: 54200 ms), latency samples: 57720
3. Upgrading rest of first batch to new version: c5a48d2d8526b1d2ca2be6622b6e12f04e963c51
compatibility::simple-validator-upgrade::half-validator-upgrade : committed: 166 txn/s, submitted: 445 txn/s, expired: 279 txn/s, latency: 26146 ms, (p50: 30200 ms, p90: 39800 ms, p99: 47700 ms), latency samples: 18109
4. upgrading second batch to new version: c5a48d2d8526b1d2ca2be6622b6e12f04e963c51
compatibility::simple-validator-upgrade::rest-validator-upgrade : committed: 2532 txn/s, latency: 11913 ms, (p50: 12900 ms, p90: 14500 ms, p99: 15700 ms), latency samples: 108900
5. check swarm health
Compatibility test for aptos-node-v1.9.5 ==> c5a48d2d8526b1d2ca2be6622b6e12f04e963c51 passed
Test Ok

• Grafana dashboard
• Humio Logs
• Axiom Logs
• Test runner output
• Test run is land-blocking