node: add amazon kms and benchmark signers

[pleasew8t]

Amazon KMS Guardian Signer

This PR adds an Amazon AWS KMS Guardian signer, allowing observations to be signed using KMS! The new signer can be used by specifying the ARN of the KMS key to use, through the --guardianSignerUri commandline argument, as follows:

• --guardianSignerUri=amazonkms://<ARN>

NOTE For the best possible performance, it is recommended that the Guardian be run from an EC2 instance that is in the same region as the KMS key.

The KMS key's spec should be ECC_SECG_P256K1, and should be enabled for signing. In order for the Guardian to authenticate against the KMS service, one of two options are available:

• Create new API keys in the AWS console that are permissioned to use the KMS key for signing, and add the keys to the EC2 instance's ~/.aws/credentials file. (example here).
• Create a role that is permissioned to use the KMS key and attach that role to the Guardian EC2 instance.

[pires]

Excited about trying this one 👏🏻

[pires]

I'm sorry if I failed to flag this before, but i think it would be ideal if both Sign and Verify were to have a context.Context parameter.

[pleasew8t]

Do you think I can just pass in the contexts that are available in the calling scope, and create a new one in scopes that don't have an existing context available?

[pires]

It's better than having no Context so I'm good with it.

[pires]

This could be exposed through a Prometheus histogram.

[pires]

Here's an example of the definition of an histogram

wormhole/node/pkg/processor/processor.go

Line 169 in 02f468f

observationChanDelay = promauto.NewHistogram(

and how to observe latency

wormhole/node/pkg/processor/processor.go

Line 323 in 02f468f

observationChanDelay.Observe(float64(time.Since(m.Timestamp).Microseconds()))

[pires]

Please, document this.

[pires]

IIUC this means we can benchmark AWS KMS signer by passing its configuration to a signer of type benchmark, correct?