keytool: add sign personal message cli and verify with zklogin (Myste…

…nLabs#14596) ## Description Add a keytool to verify a zklogin signature offchain. ## Test Plan unit test and local cli test ``` target/debug/sui keytool zk-login-sign-personal-message --data hello  ✔  10086  11:54:56 ────────────────────────────────────────────────╮ │ sig │ BQNNMTczMTgwODkxMjU5NTI0MjE3MzYzNDIyNjM3MTc5MzI3MTk0Mzc3MTc4NDQyODI0MTAxODc5NTc5ODQ3NTE5Mzk5NDI4OTgyNTEyNTBNMTEzNzM5NjY2NDU0NjkxMjI1ODIwNzQwODIyOTU5ODUzODgyNTg4NDA2ODE2MTgyNjg1OTM5NzY2OTczMjU4OTIyODA5MTU2ODEyMDcBMQMCTDU5Mzk4NzExNDczNDg4MzQ5OTczNjE3MjAxMjIyMzg5ODAxNzcxNTIzMDMyNzQzMTEwNDcyNDk5MDU5NDIzODQ5MTU3Njg2OTA4OTVMNDUzMzU2ODI3MTEzNDc4NTI3ODczMTIzNDU3MDM2MTQ4MjY1MTk5Njc0MDc5MTg4ODI4NTg2NDk2Njg4NDAzMjcxNzA0OTgxMTcwOAJNMTA1NjQzODcyODUwNzE1NTU0Njk3NTM5OTA2NjE0MTA4NDAxMTg2MzU5MjU0NjY1OTcwMzcwMTgwNTg3NzAwNDEzNDc1MTg0NjEzNjhNMTI1OTczMjM1NDcyNzc1NzkxNDQ2OTg0OTYzNzIyNDI2MTUzNjgwODU4MDEzMTMzNDMxNTU3MzU1MTEzMzAwMDM4ODQ3Njc5NTc4NTQCATEBMANNMTU3OTE1ODk0NzI1NTY4MjYyNjMyMzE2NDQ3Mjg4NzMzMzc2MjkwMTUyNjk5ODQ2OTk0MDQwNzM2MjM2MDMzNTI1Mzc2Nzg4MTMxNzFMNDU0Nzg2NjQ5OTI0ODg4MTQ0OTY3NjE2MTE1ODAyNDc0ODA2MDQ4NTM3MzI1MDAyOTQyMzkwNDExMzAxNzQyMjUzOTAzNzE2MjUyNwExMXdpYVhOeklqb2lhSFIwY0hNNkx5OXBaQzUwZDJsMFkyZ3VkSFl2YjJGMWRHZ3lJaXcCMmV5SmhiR2NpT2lKU1V6STFOaUlzSW5SNWNDSTZJa3BYVkNJc0ltdHBaQ0k2SWpFaWZRTTIwNzk0Nzg4NTU5NjIwNjY5NTk2MjA2NDU3MDIyOTY2MTc2OTg2Njg4NzI3ODc2MTI4MjIzNjI4MTEzOTE2MzgwOTI3NTAyNzM3OTExCgAAAAAAAABhAPl6x1AzJDGj7MEyBbKiIMd8l+o+yL1NU/9cs8OJIysI4Cy9GbT0GY3NnY1+0PaRaAXTm5EmeiWeHqYjn9OauAa5xu4WMO8+cRFEpkjbBruyKE9ydM++5T/87lA8waSSAA== │ │ bytes │ BWhlbGxv ────────────────────────────────────────────────╯ target/debug/sui keytool zk-login-sig-verify --sig BQNNMTczMTgwODkxMjU5NTI0MjE3MzYzNDIyNjM3MTc5MzI3MTk0Mzc3MTc4NDQyODI0MTAxODc5NTc5ODQ3NTE5Mzk5NDI4OTgyNTEyNTBNMTEzNzM5NjY2NDU0NjkxMjI1ODIwNzQwODIyOTU5ODUzODgyNTg4NDA2ODE2MTgyNjg1OTM5NzY2OTczMjU4OTIyODA5MTU2ODEyMDcBMQMCTDU5Mzk4NzExNDczNDg4MzQ5OTczNjE3MjAxMjIyMzg5ODAxNzcxNTIzMDMyNzQzMTEwNDcyNDk5MDU5NDIzODQ5MTU3Njg2OTA4OTVMNDUzMzU2ODI3MTEzNDc4NTI3ODczMTIzNDU3MDM2MTQ4MjY1MTk5Njc0MDc5MTg4ODI4NTg2NDk2Njg4NDAzMjcxNzA0OTgxMTcwOAJNMTA1NjQzODcyODUwNzE1NTU0Njk3NTM5OTA2NjE0MTA4NDAxMTg2MzU5MjU0NjY1OTcwMzcwMTgwNTg3NzAwNDEzNDc1MTg0NjEzNjhNMTI1OTczMjM1NDcyNzc1NzkxNDQ2OTg0OTYzNzIyNDI2MTUzNjgwODU4MDEzMTMzNDMxNTU3MzU1MTEzMzAwMDM4ODQ3Njc5NTc4NTQCATEBMANNMTU3OTE1ODk0NzI1NTY4MjYyNjMyMzE2NDQ3Mjg4NzMzMzc2MjkwMTUyNjk5ODQ2OTk0MDQwNzM2MjM2MDMzNTI1Mzc2Nzg4MTMxNzFMNDU0Nzg2NjQ5OTI0ODg4MTQ0OTY3NjE2MTE1ODAyNDc0ODA2MDQ4NTM3MzI1MDAyOTQyMzkwNDExMzAxNzQyMjUzOTAzNzE2MjUyNwExMXdpYVhOeklqb2lhSFIwY0hNNkx5OXBaQzUwZDJsMFkyZ3VkSFl2YjJGMWRHZ3lJaXcCMmV5SmhiR2NpT2lKU1V6STFOaUlzSW5SNWNDSTZJa3BYVkNJc0ltdHBaQ0k2SWpFaWZRTTIwNzk0Nzg4NTU5NjIwNjY5NTk2MjA2NDU3MDIyOTY2MTc2OTg2Njg4NzI3ODc2MTI4MjIzNjI4MTEzOTE2MzgwOTI3NTAyNzM3OTExCgAAAAAAAABhAPl6x1AzJDGj7MEyBbKiIMd8l+o+yL1NU/9cs8OJIysI4Cy9GbT0GY3NnY1+0PaRaAXTm5EmeiWeHqYjn9OauAa5xu4WMO8+cRFEpkjbBruyKE9ydM++5T/87lA8waSSAA== --bytes BWhlbGxv --intent-scope 3 --curr-epoch 9 ─────────────────╮ │ data │ {"message":[104,101,108,108,111]} │ │ parsed │ {"inputs":{"proofPoints":{"a":["17318089125952421736342263717932719437717844282410187957984751939942898251250","11373966645469122582074082295985388258840681618268593976697325892280915681207","1"],"b":[["5939871147348834997361720122238980177152303274311047249905942384915768690895","4533568271134785278731234570361482651996740791888285864966884032717049811708"],["10564387285071555469753990661410840118635925466597037018058770041347518461368","12597323547277579144698496372242615368085801313343155735511330003884767957854"],["1","0"]],"c":["15791589472556826263231644728873337629015269984699404073623603352537678813171","4547866499248881449676161158024748060485373250029423904113017422539037162527","1"]},"issBase64Details":{"value":"wiaXNzIjoiaHR0cHM6Ly9pZC50d2l0Y2gudHYvb2F1dGgyIiw","indexMod4":2},"headerBase64":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEifQ","addressSeed":"20794788559620669596206457022966176986688727876128223628113916380927502737911"},"maxEpoch":10,"userSignature":"APl6x1AzJDGj7MEyBbKiIMd8l+o+yL1NU/9cs8OJIysI4Cy9GbT0GY3NnY1+0PaRaAXTm5EmeiWeHqYjn9OauAa5xu4WMO8+cRFEpkjbBruyKE9ydM++5T/87lA8waSSAA=="} │ │ jwks │ [[{"iss":"https://accounts.google.com","kid":"a06af0b68a2119d692cac4abf415ff3788136f65"},{"kty":"RSA","e":"AQAB","n":"yrIpMnHYrVPwlbC-IY8aU2Q6QKnLf_p1FQXNiTO9mWFdeYXP4cNF6QKWgy4jbVSrOs-4qLZbKwRvZhfTuuKW6fwj5lVZcNsq5dd6GXR65I8kwomMH-Zv_pDt9zLiiJCp5_GU6Klb8zMY_jEE1fZp88HIk2ci4GrmtPTbw8LHAkn0P54sQQqmCtzqAWp8qkZ-GGNITxMIdQMY225kX7Dx91ruCb26jPCvF5uOrHT-I6rFU9fZbIgn4T9PthruubbUCutKIR-JK8B7djf61f8ETuKomaHVbCcxA-Q7xD0DEJzeRMqiPrlb9nJszZjmp_VsChoQQg-wl0jFP-1Rygsx9w","alg":"RS256"}],[{"iss":"https://accounts.google.com","kid":"f5f4bf46e52b31d9b6249f7309ad0338400680cd"},{"kty":"RSA","e":"AQAB","n":"q5hcowR4IuPiSvHbwj9Rv9j2XRnrgbAAFYBqoLBwUV5GVIiNPKnQBYa8ZEIK2naj9gqpo3DU9lx7d7RzeVlzCS5eUA2LV94--KbT0YgIJnApj5-hyDIaevI1Sf2YQr_cntgVLvxqfW1n9ZvbQSitz5Tgh0cplZvuiWMFPu4_mh6B3ShEKIl-qi-h0cZJlRcIf0ZwkfcDOTE8bqEzWUvlCpCH9FK6Mo9YLjw5LroBcHdUbOg3Keu0uW5SCEi-2XBQgCF6xF3kliciwwnv2HhCPyTiX0paM_sT2uKspYock-IQglQ2TExoJqbYZe6CInSHiAA68fkSkJQDnuRZE7XTJQ","alg":"RS256"}],[{"iss":"https://id.twitch.tv/oauth2","kid":"1"},{"kty":"RSA","e":"AQAB","n":"6lq9MQ-q6hcxr7kOUp-tHlHtdcDsVLwVIw13iXUCvuDOeCi0VSuxCCUY6UmMjy53dX00ih2E4Y4UvlrmmurK0eG26b-HMNNAvCGsVXHU3RcRhVoHDaOwHwU72j7bpHn9XbP3Q3jebX6KIfNbei2MiR0Wyb8RZHE-aZhRYO8_-k9G2GycTpvc-2GBsP8VHLUKKfAs2B6sW3q3ymU6M0L-cFXkZ9fHkn9ejs-sqZPhMJxtBPBxoUIUQFTgv4VXTSv914f_YkNw-EjuwbgwXMvpyr06EyfImxHoxsZkFYB-qBYHtaMxTnFsZBr6fn8Ha2JqT1hoP7Z5r5wxDu3GQhKkHw","alg":"RS256"}],[{"iss":"https://www.facebook.com","kid":"7aeca42948d037b8f738453c1e790260bc418570"},{"kty":"RSA","e":"AQAB","n":"0LtxaQsz_3C4CXxBVUPROKHB5iwCWUEtq9_EqHD_G5BtdH7xB0KGFxZWoKEhdA3bPIwvg0gcq6LAiDqHuisNqvUR8cdcHisOTKUg6nDbuic8ZrqKepDoUP8u-yFB-yxm0oaYJZ7-g4R5ai1xHGEwHWNZPDc1hbEqQs-v5b-7jjKTcIWKFDIe71uCyqWv3s-0R4hIv7wRKiGhjbzAbEDodI9ubU4leF9AbgCir7h9H4OGpLZ_3DnktHO35zBupDfazx9qUhY8BKEJ61d27r8NMC0Ed7FBPC2PhGhzyZInN_Xktb1p2UD-Ona70OOzBuTowtzyhOEUQiPoZTlcR-a6Uw","alg":"RS256"}],[{"iss":"https://www.facebook.com","kid":"7f74f4e44b7e37b0861984864a054ea23d271ece"},{"kty":"RSA","e":"AQAB","n":"pttDerCdKTdqXxU-YAtoGpwG49StZ_5-UXYWX2xU3mtD3oEZ7mXVuC3Nv2juGtgMW6AjIaKojXVn8fk4hz2xzgsjCHhGKIStvvJIoIhQCyoGkOg-2Hs9ozJ1OD3iN7vl4jyEgxtNhuFtxXnk5shlLCu5RVETZm5dARJxuTyZNmLXhulhmzdho6mUPwZkdibznNaTnFCEO3tnRSXyBFJqZ987UBIe6wU-38GBhBwgtrDbYPAfnf5GuGuGLNuvg2jzRs-pdkgN2fuy3UCbYoKSCOOaRtr-kzCre3lqKJTKzWwlwgljLd6N653-ayFqlp7uSP1DpvTbpQZ6VWs9HxnFew","alg":"RS256"}],[{"iss":"https://slack.com","kid":"mB2MAyKSn555isd0EbdhKx6nkyAi9xLq8rvCEb_nOyY"},{"kty":"RSA","e":"AQAB","n":"zQqzXfb677bpMKw0idKC5WkVLyqk04PWMsWYJDKqMUUuu_PmzdsvXBfHU7tcZiNoHDuVvGDqjqnkLPEzjXnaZY0DDDHvJKS0JI8fkxIfV1kNy3DkpQMMhgAwnftUiSXgb5clypOmotAEm59gHPYjK9JHBWoHS14NYEYZv9NVy0EkjauyYDSTz589aiKU5lA-cePG93JnqLw8A82kfTlrJ1IIJo2isyBGANr0YzR-d3b_5EvP7ivU7Ph2v5JcEUHeiLSRzIzP3PuyVFrPH659Deh-UAsDFOyJbIcimg9ITnk5_45sb_Xcd_UN6h5I7TGOAFaJN4oi4aaGD4elNi_K1Q","alg":"RS256"}],[{"iss":"https://appleid.apple.com","kid":"YuyXoY"},{"kty":"RSA","e":"AQAB","n":"1JiU4l3YCeT4o0gVmxGTEK1IXR-Ghdg5Bzka12tzmtdCxU00ChH66aV-4HRBjF1t95IsaeHeDFRgmF0lJbTDTqa6_VZo2hc0zTiUAsGLacN6slePvDcR1IMucQGtPP5tGhIbU-HKabsKOFdD4VQ5PCXifjpN9R-1qOR571BxCAl4u1kUUIePAAJcBcqGRFSI_I1j_jbN3gflK_8ZNmgnPrXA0kZXzj1I7ZHgekGbZoxmDrzYm2zmja1MsE5A_JX7itBYnlR41LOtvLRCNtw7K3EFlbfB6hkPL-Swk5XNGbWZdTROmaTNzJhV-lWT0gGm6V1qWAK2qOZoIDa_3Ud0Gw","alg":"RS256"}],[{"iss":"https://appleid.apple.com","kid":"W6WcOKB"},{"kty":"RSA","e":"AQAB","n":"2Zc5d0-zkZ5AKmtYTvxHc3vRc41YfbklflxG9SWsg5qXUxvfgpktGAcxXLFAd9Uglzow9ezvmTGce5d3DhAYKwHAEPT9hbaMDj7DfmEwuNO8UahfnBkBXsCoUaL3QITF5_DAPsZroTqs7tkQQZ7qPkQXCSu2aosgOJmaoKQgwcOdjD0D49ne2B_dkxBcNCcJT9pTSWJ8NfGycjWAQsvC8CGstH8oKwhC5raDcc2IGXMOQC7Qr75d6J5Q24CePHj_JD7zjbwYy9KNH8wyr829eO_G4OEUW50FAN6HKtvjhJIguMl_1BLZ93z2KJyxExiNTZBUBQbbgCNBfzTv7JrxMw","alg":"RS256"}],[{"iss":"https://kauth.kakao.com","kid":"3f96980381e451efad0d2ddd30e3d3"},{"kty":"RSA","e":"AQAB","n":"q8zZ0b_MNaLd6Ny8wd4cjFomilLfFIZcmhNSc1ttx_oQdJJZt5CDHB8WWwPGBUDUyY8AmfglS9Y1qA0_fxxs-ZUWdt45jSbUxghKNYgEwSutfM5sROh3srm5TiLW4YfOvKytGW1r9TQEdLe98ork8-rNRYPybRI3SKoqpci1m1QOcvUg4xEYRvbZIWku24DNMSeheytKUz6Ni4kKOVkzfGN11rUj1IrlRR-LNA9V9ZYmeoywy3k066rD5TaZHor5bM5gIzt1B4FmUuFITpXKGQZS5Hn_Ck8Bgc8kLWGAU8TzmOzLeROosqKE0eZJ4ESLMImTb2XSEZuN1wFyL0VtJw","alg":"RS256"}],[{"iss":"https://kauth.kakao.com","kid":"9f252dadd5f233f93d2fa528d12fea"},{"kty":"RSA","e":"AQAB","n":"qGWf6RVzV2pM8YqJ6by5exoixIlTvdXDfYj2v7E6xkoYmesAjp_1IYL7rzhpUYqIkWX0P4wOwAsg-Ud8PcMHggfwUNPOcqgSk1hAIHr63zSlG8xatQb17q9LrWny2HWkUVEU30PxxHsLcuzmfhbRx8kOrNfJEirIuqSyWF_OBHeEgBgYjydd_c8vPo7IiH-pijZn4ZouPsEg7wtdIX3-0ZcXXDbFkaDaqClfqmVCLNBhg3DKYDQOoyWXrpFKUXUFuk2FTCqWaQJ0GniO4p_ppkYIf4zhlwUYfXZEhm8cBo6H2EgukntDbTgnoha8kNunTPekxWTDhE5wGAt6YpT4Yw","alg":"RS256"}]] │ │ res │ ╭────┬──╮ │ │ │ │ Ok │ │ │ │ │ ╰────┴──╯ │ ╰────────┴─────────────────────────────────────────────── ``` --- If your changes are not user-facing and not a breaking change, you can skip the following section. Otherwise, please indicate what changed, and then add to the Release Notes section as highlighted during the release process. ### Type of Change (Check all that apply) - [ ] protocol change - [ ] user-visible impact - [ ] breaking change for a client SDKs - [ ] breaking change for FNs (FN binary must upgrade) - [ ] breaking change for validators or node operators (must upgrade binaries) - [ ] breaking change for on-chain data layout - [ ] necessitate either a data wipe or data migration ### Release notes
BoilingOil · Nov 6, 2023 · 0d2d6ff · 0d2d6ff
1 parent 8ef121b
commit 0d2d6ff
Show file tree

Hide file tree

Showing 6 changed files with 149 additions and 48 deletions.
diff --git a/crates/shared-crypto/src/intent.rs b/crates/shared-crypto/src/intent.rs
@@ -117,6 +117,14 @@ impl Intent {
         }
     }
 
+    pub fn personal_message() -> Self {
+        Self {
+            scope: IntentScope::PersonalMessage,
+            version: IntentVersion::V0,
+            app_id: AppId::Sui,
+        }
+    }
+
     pub fn narwhal_app(scope: IntentScope) -> Self {
         Self {
             scope,

diff --git a/crates/sui-types/src/unit_tests/utils.rs b/crates/sui-types/src/unit_tests/utils.rs
@@ -154,10 +154,11 @@ pub fn mock_certified_checkpoint<'a>(
 
 mod zk_login {
     use fastcrypto_zkp::bn254::{utils::big_int_str_to_bytes, zk_login::ZkLoginInputs};
+    use shared_crypto::intent::PersonalMessage;
 
     use super::*;
 
-    fn get_inputs() -> ZkLoginInputs {
+    pub fn get_inputs() -> ZkLoginInputs {
         thread_local! {
         static ZKLOGIN_INPUTS: ZkLoginInputs = ZkLoginInputs::from_json("{\"proofPoints\":{\"a\":[\"17318089125952421736342263717932719437717844282410187957984751939942898251250\",\"11373966645469122582074082295985388258840681618268593976697325892280915681207\",\"1\"],\"b\":[[\"5939871147348834997361720122238980177152303274311047249905942384915768690895\",\"4533568271134785278731234570361482651996740791888285864966884032717049811708\"],[\"10564387285071555469753990661410840118635925466597037018058770041347518461368\",\"12597323547277579144698496372242615368085801313343155735511330003884767957854\"],[\"1\",\"0\"]],\"c\":[\"15791589472556826263231644728873337629015269984699404073623603352537678813171\",\"4547866499248881449676161158024748060485373250029423904113017422539037162527\",\"1\"]},\"issBase64Details\":{\"value\":\"wiaXNzIjoiaHR0cHM6Ly9pZC50d2l0Y2gudHYvb2F1dGgyIiw\",\"indexMod4\":2},\"headerBase64\":\"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEifQ\"}", "20794788559620669596206457022966176986688727876128223628113916380927502737911").unwrap(); }
         ZKLOGIN_INPUTS.with(|a| a.clone())
@@ -221,13 +222,21 @@ mod zk_login {
         sign_zklogin_tx(data, legacy)
     }
 
+    pub fn sign_zklogin_personal_msg(data: PersonalMessage) -> (SuiAddress, GenericSignature) {
+        let inputs = get_inputs();
+        let msg = IntentMessage::new(Intent::personal_message(), data);
+        let s = Signature::new_secure(&msg, &get_zklogin_user_key());
+        let authenticator =
+            GenericSignature::ZkLoginAuthenticator(ZkLoginAuthenticator::new(inputs, 10, s));
+        let address = get_zklogin_user_address();
+        (address, authenticator)
+    }
+
     pub fn sign_zklogin_tx(
         data: TransactionData,
         legacy: bool,
     ) -> (SuiAddress, Transaction, GenericSignature) {
         // Sign the user transaction with the user's ephemeral key.
-        //let tx = make_transaction(user_address, &user_key, Intent::sui_transaction());
-
         let tx = Transaction::from_data_and_signer(
             data,
             Intent::sui_transaction(),

diff --git a/crates/sui-types/src/unit_tests/zk_login_authenticator_test.rs b/crates/sui-types/src/unit_tests/zk_login_authenticator_test.rs
@@ -3,15 +3,15 @@
 
 use crate::error::SuiError;
 use crate::signature::{AuthenticatorTrait, VerifyParams};
-use crate::utils::make_zklogin_tx;
+use crate::utils::{make_zklogin_tx, sign_zklogin_personal_msg};
 use crate::{
     base_types::SuiAddress, signature::GenericSignature, zk_login_util::DEFAULT_JWK_BYTES,
 };
 use fastcrypto::traits::ToFromBytes;
 use fastcrypto_zkp::bn254::zk_login::{parse_jwks, JwkId, OIDCProvider, JWK};
 use fastcrypto_zkp::bn254::zk_login_api::ZkLoginEnv;
 use im::hashmap::HashMap as ImHashMap;
-use shared_crypto::intent::{Intent, IntentMessage};
+use shared_crypto::intent::{Intent, IntentMessage, PersonalMessage};
 
 #[test]
 fn zklogin_authenticator_jwk() {
@@ -92,3 +92,23 @@ fn test_serde_zk_login_signature() {
     let addr: SuiAddress = (&authenticator).try_into().unwrap();
     assert_eq!(addr, user_address);
 }
+
+#[test]
+fn zklogin_sign_personal_message() {
+    let data = PersonalMessage {
+        message: b"hello world".to_vec(),
+    };
+    let (user_address, authenticator) = sign_zklogin_personal_msg(data.clone());
+    let intent_msg = IntentMessage::new(Intent::personal_message(), data);
+    let parsed: ImHashMap<JwkId, JWK> = parse_jwks(DEFAULT_JWK_BYTES, &OIDCProvider::Twitch)
+        .unwrap()
+        .into_iter()
+        .collect();
+
+    // Construct the required info to verify a zk login authenticator, jwks, supported providers list and env (prod/test).
+    let aux_verify_data = VerifyParams::new(parsed, vec![], ZkLoginEnv::Test, true);
+    let res =
+        authenticator.verify_authenticator(&intent_msg, user_address, Some(0), &aux_verify_data);
+    // Verify passes.
+    assert!(res.is_ok());
+}
diff --git a/crates/sui/src/keytool.rs b/crates/sui/src/keytool.rs
@@ -23,11 +23,10 @@ use rusoto_core::Region;
 use rusoto_kms::{Kms, KmsClient, SignRequest};
 use serde::Serialize;
 use serde_json::json;
-use shared_crypto::intent::{Intent, IntentMessage};
+use shared_crypto::intent::{Intent, IntentMessage, IntentScope, PersonalMessage};
 use std::fmt::{Debug, Display, Formatter};
 use std::fs;
 use std::path::{Path, PathBuf};
-use std::str::FromStr;
 use sui_keys::key_derive::generate_new_key;
 use sui_keys::keypair_file::{
     read_authority_keypair_from_file, read_keypair_from_file, write_authority_keypair_to_file,
@@ -43,6 +42,8 @@ use sui_types::multisig::{MultiSig, MultiSigPublicKey, ThresholdUnit, WeightUnit
 use sui_types::multisig_legacy::{MultiSigLegacy, MultiSigPublicKeyLegacy};
 use sui_types::signature::{AuthenticatorTrait, GenericSignature, VerifyParams};
 use sui_types::transaction::TransactionData;
+use sui_types::utils::get_inputs;
+use sui_types::zk_login_authenticator::ZkLoginAuthenticator;
 use tabled::builder::Builder;
 use tabled::settings::Rotate;
 use tabled::settings::{object::Rows, Modify, Width};
@@ -208,18 +209,34 @@ pub enum KeyToolCommand {
         network: String,
     },
 
-    /// Given a zkLogin signature, parse it if valid. If tx_bytes provided,
-    /// it verifies the zkLogin signature based on provider and its latest JWK fetched.
-    /// Example request: sui keytool zk-login-sig-verify --sig $SERIALIZED_ZKLOGIN_SIG --tx-bytes $TX_BYTES --provider Google --curr-epoch 10
+    /// Given a zkLogin signature, parse it if valid. If `bytes` provided,
+    /// parse it as either as TransactionData or PersonalMessage based on `intent_scope`.
+    /// It verifies the zkLogin signature based its latest JWK fetched.
+    /// Example request: sui keytool zk-login-sig-verify --sig $SERIALIZED_ZKLOGIN_SIG --bytes $BYTES --intent-scope 0 --network devnet --curr-epoch 10
     ZkLoginSigVerify {
+        /// The Base64 of the serialized zkLogin signature.
         #[clap(long)]
         sig: String,
+        /// The Base64 of the BCS encoded TransactionData or PersonalMessage.
         #[clap(long)]
-        tx_bytes: Option<String>,
+        bytes: Option<String>,
+        /// Either 0 for TransactionData or 3 for PersonalMessage.
         #[clap(long)]
-        provider: Option<String>,
+        intent_scope: u8,
+        /// The current epoch for the network to verify the signature's max_epoch against.
         #[clap(long)]
         curr_epoch: Option<EpochId>,
+        /// The network to verify the signature for, determines ZkLoginEnv.
+        #[clap(long, default_value = "devnet")]
+        network: String,
+    },
+
+    /// TESTING ONLY: Given a string of data, sign with the fixed dev-only ephemeral key
+    /// and output a zkLogin signature with a fixed dev-only proof with fixed max epoch 10.
+    ZkLoginInsecureSignPersonalMessage {
+        /// The string of data to sign.
+        #[clap(long)]
+        data: String,
     },
 }
 
@@ -340,12 +357,19 @@ pub struct ZkLoginSignAndExecuteTx {
 #[derive(Serialize)]
 #[serde(rename_all = "camelCase")]
 pub struct ZkLoginSigVerifyResponse {
-    tx_data: Option<String>,
+    data: Option<String>,
     parsed: Option<String>,
     jwks: Option<String>,
     res: Option<SuiResult>,
 }
 
+#[derive(Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct ZkLoginInsecureSignPersonalMessage {
+    sig: String,
+    bytes: String,
+}
+
 #[derive(Serialize)]
 #[serde(untagged)]
 pub enum CommandOutput {
@@ -365,6 +389,7 @@ pub enum CommandOutput {
     Sign(SignData),
     SignKMS(SerializedSig),
     ZkLoginSignAndExecuteTx(ZkLoginSignAndExecuteTx),
+    ZkLoginInsecureSignPersonalMessage(ZkLoginInsecureSignPersonalMessage),
     ZkLoginSigVerify(ZkLoginSigVerifyResponse),
 }
 
@@ -741,6 +766,28 @@ impl KeyToolCommand {
                 CommandOutput::Show(key)
             }
 
+            KeyToolCommand::ZkLoginInsecureSignPersonalMessage { data } => {
+                let msg = PersonalMessage {
+                    message: data.as_bytes().to_vec(),
+                };
+                let intent_msg = IntentMessage::new(Intent::personal_message(), msg.clone());
+
+                let skp =
+                    SuiKeyPair::Ed25519(Ed25519KeyPair::generate(&mut StdRng::from_seed([0; 32])));
+                let s = Signature::new_secure(&intent_msg, &skp);
+
+                let sig = GenericSignature::ZkLoginAuthenticator(ZkLoginAuthenticator::new(
+                    get_inputs(), // this is for the fixed keypair
+                    10,
+                    s,
+                ));
+                CommandOutput::ZkLoginInsecureSignPersonalMessage(
+                    ZkLoginInsecureSignPersonalMessage {
+                        sig: Base64::encode(sig.as_bytes()),
+                        bytes: Base64::encode(bcs::to_bytes(&msg).unwrap()),
+                    },
+                )
+            }
             KeyToolCommand::ZkLoginSignAndExecuteTx {
                 max_epoch,
                 network,
@@ -878,53 +925,72 @@ impl KeyToolCommand {
 
             KeyToolCommand::ZkLoginSigVerify {
                 sig,
-                tx_bytes,
-                provider,
+                bytes,
+                intent_scope,
                 curr_epoch,
+                network,
             } => {
                 match GenericSignature::from_bytes(
                     &Base64::decode(&sig).map_err(|e| anyhow!("Invalid base64 sig: {:?}", e))?,
                 )? {
                     GenericSignature::ZkLoginAuthenticator(zk) => {
-                        if tx_bytes.is_none() || provider.is_none() || curr_epoch.is_none() {
+                        if bytes.is_none() || curr_epoch.is_none() {
                             return Ok(CommandOutput::ZkLoginSigVerify(ZkLoginSigVerifyResponse {
-                                tx_data: None,
+                                data: None,
                                 parsed: Some(serde_json::to_string(&zk)?),
                                 res: None,
                                 jwks: None,
                             }));
                         }
 
-                        let tx_data: TransactionData = bcs::from_bytes(
-                            &Base64::decode(&tx_bytes.unwrap())
-                                .map_err(|e| anyhow!("Invalid base64 tx data: {:?}", e))?,
-                        )?;
                         let client = reqwest::Client::new();
-                        let jwks = fetch_jwks(
-                            &OIDCProvider::from_str(&provider.clone().unwrap())
-                                .map_err(|_| anyhow!("Unsupported provider:"))?,
-                            &client,
-                        )
-                        .await?;
+                        let provider = OIDCProvider::from_iss(zk.get_iss())
+                            .map_err(|_| anyhow!("Invalid iss"))?;
+                        let jwks = fetch_jwks(&provider, &client).await?;
                         let parsed: ImHashMap<JwkId, JWK> = jwks.clone().into_iter().collect();
-                        let aux_verify_data = VerifyParams::new(
-                            parsed,
-                            vec![
-                                OIDCProvider::Facebook,
-                                OIDCProvider::Twitch,
-                                OIDCProvider::Google,
-                            ],
-                            ZkLoginEnv::Prod,
-                            true,
-                        );
-                        let res = zk.verify_authenticator(
-                            &IntentMessage::new(Intent::sui_transaction(), tx_data.clone()),
-                            tx_data.execution_parts().1,
-                            Some(curr_epoch.unwrap()),
-                            &aux_verify_data,
-                        );
+                        let env = match network.as_str() {
+                            "devnet" | "localnet" => ZkLoginEnv::Test,
+                            "mainnet" | "testnet" => ZkLoginEnv::Prod,
+                            _ => return Err(anyhow!("Invalid network")),
+                        };
+                        let aux_verify_data = VerifyParams::new(parsed, vec![], env, true);
+
+                        let (serialized, res) = match IntentScope::try_from(intent_scope)
+                            .map_err(|_| anyhow!("Invalid scope"))?
+                        {
+                            IntentScope::TransactionData => {
+                                let tx_data: TransactionData = bcs::from_bytes(
+                                    &Base64::decode(&bytes.unwrap())
+                                        .map_err(|e| anyhow!("Invalid base64 tx data: {:?}", e))?,
+                                )?;
+
+                                let res = zk.verify_authenticator(
+                                    &IntentMessage::new(Intent::sui_transaction(), tx_data.clone()),
+                                    tx_data.execution_parts().1,
+                                    Some(curr_epoch.unwrap()),
+                                    &aux_verify_data,
+                                );
+                                (serde_json::to_string(&tx_data)?, res)
+                            }
+                            IntentScope::PersonalMessage => {
+                                let data: PersonalMessage = bcs::from_bytes(
+                                    &Base64::decode(&bytes.unwrap()).map_err(|e| {
+                                        anyhow!("Invalid base64 personal message data: {:?}", e)
+                                    })?,
+                                )?;
+
+                                let res = zk.verify_authenticator(
+                                    &IntentMessage::new(Intent::personal_message(), data.clone()),
+                                    (&zk).try_into()?,
+                                    Some(curr_epoch.unwrap()),
+                                    &aux_verify_data,
+                                );
+                                (serde_json::to_string(&data)?, res)
+                            }
+                            _ => return Err(anyhow!("Invalid intent scope")),
+                        };
                         CommandOutput::ZkLoginSigVerify(ZkLoginSigVerifyResponse {
-                            tx_data: Some(serde_json::to_string(&tx_data)?),
+                            data: Some(serialized),
                             parsed: Some(serde_json::to_string(&zk)?),
                             jwks: Some(serde_json::to_string(&jwks)?),
                             res: Some(res),

diff --git a/crates/sui/src/zklogin_commands_util.rs b/crates/sui/src/zklogin_commands_util.rs
@@ -84,7 +84,7 @@ pub async fn perform_zk_login_test_tx(
         "https://prover-dev.mystenlabs.com/v1",
     )
     .await
-    .map_err(|_| anyhow!("Failed to get salt"))?;
+    .map_err(|_| anyhow!("Failed to get proof"))?;
     println!("ZkLogin inputs:");
     println!("{:?}", serde_json::to_string(&reader).unwrap());
     let (sub, aud) = parse_and_validate_jwt(parsed_token)?;

diff --git a/docs/content/concepts/cryptography/zklogin.mdx b/docs/content/concepts/cryptography/zklogin.mdx
@@ -743,6 +743,4 @@ The following options support a zkLogin signature over either transaction data o
 $SUI_BINARY keytool zk-login-sig-verify -h
 ```
 
-2. Use a self hosted server endpoint: See usage in [here](https://github.com/MystenLabs/zklogin-verifier). 
-
-3. Use Sui RPC endpoint: In progress.
+2. Use a self hosted server endpoint: See usage in [here](https://github.com/MystenLabs/zklogin-verifier).