Update ERC-6538 contract and tests

script/Deploy.s.sol

@@ -10,12 +10,40 @@ import {ERC6538Registry} from "src/ERC6538Registry.sol";
 contract Deploy is Script {
   ERC5564Announcer announcer;
   ERC6538Registry registry;
+  address deployer = 0x4e59b44847b379578588920cA78FbF26c0B4956C;
+  bytes32 salt = "";
 
   function run() public {
+    bytes memory ERC5564CreationCode = abi.encodePacked(type(ERC5564Announcer).creationCode);
+    bytes memory ERC6538CreationCode = abi.encodePacked(type(ERC6538Registry).creationCode);
+    address ERC5564ComputedAddress = computeAddress(salt, keccak256(ERC5564CreationCode), deployer);
+    address ERC6538ComputedAddress = computeAddress(salt, keccak256(ERC6538CreationCode), deployer);
+
     vm.broadcast();
-    announcer = new ERC5564Announcer();
+    announcer = new ERC5564Announcer{salt: salt}();
 
     vm.broadcast();
-    registry = new ERC6538Registry();
+    registry = new ERC6538Registry{salt: salt}();
+
+    require(address(announcer) == ERC5564ComputedAddress);
+    require(address(registry) == ERC6538ComputedAddress);
+  }
+
+  function computeAddress(bytes32 _salt, bytes32 _bytecodeHash, address _deployer)
+    internal
+    pure
+    returns (address addr)
+  {
+    /// @solidity memory-safe-assembly
+    assembly {
+      let ptr := mload(0x40) // Get free memory pointer
+      mstore(add(ptr, 0x40), _bytecodeHash)
+      mstore(add(ptr, 0x20), _salt)
+      mstore(ptr, _deployer) // Right-aligned with 12 preceding garbage bytes
+      let start := add(ptr, 0x0b) // The hashed data starts at the final garbage byte which we will
+        // set to 0xff
+      mstore8(start, 0xff)
+      addr := keccak256(start, 85)
+    }
   }
 }

src/ERC5564Announcer.sol

@@ -1,5 +1,5 @@
-// SPDX-License-Identifier: UNLICENSED
+// SPDX-License-Identifier: MIT
 pragma solidity 0.8.20;
 
 import {IERC5564Announcer} from "./interfaces/IERC5564Announcer.sol";
 

src/ERC6538Registry.sol

@@ -1,4 +1,4 @@
-// SPDX-License-Identifier: UNLICENSED
+// SPDX-License-Identifier: MIT
 pragma solidity 0.8.20;
 
 import {IERC6538Registry} from "./interfaces/IERC6538Registry.sol";
@@ -9,13 +9,47 @@
   /// @notice Maps a registrant's identifier to the scheme ID to the stealth meta-address.
   /// @dev `registrant` may be a standard 160-bit address or any other identifier.
   /// @dev `schemeId` is an integer identifier for the stealth address scheme.
-  mapping(bytes registrant => mapping(uint256 schemeId => bytes)) public stealthMetaAddressOf;
+  mapping(address registrant => mapping(uint256 schemeId => bytes stealthMetaAddress)) public
+    stealthMetaAddressOf;
+  mapping(address user => uint256 nonce) public nonceOf;
+
+  bytes32 private constant TYPE_HASH =
+    keccak256("EIP712Domain(string name,string version,uint256 chainId,address registryContract)");
+
+  // Cache the domain separator as an immutable value, but also store the chain id that it
+  // corresponds to, in order to
+  // invalidate the cached domain separator if the chain id changes.
+  bytes32 private immutable _cachedDomainSeparator;
+  uint256 private immutable _cachedChainId;
+  address private immutable _cachedThis;
+
+  bytes32 private immutable _hashedName;
+  bytes32 private immutable _hashedVersion;
+
+  string private _name;
+  string private _version;
+
+  enum RecoverError {
+    NoError,
+    InvalidSignature,
+    InvalidSignatureLength,
+    InvalidSignatureS
+  }
+
+  constructor() {
+    _name = "ERC6538Registry";
+    _version = "1";
+    _hashedName = keccak256(bytes("ERC6538Registry"));
+    _hashedVersion = keccak256(bytes("1"));
+    _cachedChainId = block.chainid;
+    _cachedDomainSeparator = _buildDomainSeparator();
+    _cachedThis = address(this);
+  }
 
   /// @inheritdoc IERC6538Registry
   function registerKeys(uint256 schemeId, bytes memory stealthMetaAddress) external {
-    bytes memory registrant = _toBytes(msg.sender);
-    stealthMetaAddressOf[registrant][schemeId] = stealthMetaAddress;
-    emit StealthMetaAddressSet(registrant, schemeId, stealthMetaAddress);
+    stealthMetaAddressOf[msg.sender][schemeId] = stealthMetaAddress;
+    emit StealthMetaAddressSet(msg.sender, schemeId, stealthMetaAddress);
   }
 
   /// @inheritdoc IERC6538Registry
@@ -24,22 +58,185 @@
     uint256 schemeId,
     bytes memory signature,
     bytes memory stealthMetaAddress
-  ) external pure {
-    registerKeysOnBehalf(_toBytes(registrant), schemeId, signature, stealthMetaAddress);
+  ) external {
+    // Check for nonce
+    bytes32 digest = _hashTypedDataV4(
+      keccak256(
+        abi.encode(TYPE_HASH, registrant, schemeId, stealthMetaAddress, nonceOf[registrant]++)
+      )
+    );
+    require(isValidSignatureNow(registrant, digest, signature), "Invalid signature");
+    stealthMetaAddressOf[registrant][schemeId] = stealthMetaAddress;
+    emit StealthMetaAddressSet(registrant, schemeId, stealthMetaAddress);
   }
 
-  /// @inheritdoc IERC6538Registry
-  function registerKeysOnBehalf(
-    bytes memory, // registrant
-    uint256, // schemeId
-    bytes memory, // signature
-    bytes memory // stealthMetaAddress
-  ) public pure {
-    revert("not implemented");
+  /**
+   * @dev Returns the domain separator for the current chain.
+   */
+  function _domainSeparatorV4() public view returns (bytes32) {
+    if (address(this) == _cachedThis && block.chainid == _cachedChainId) {
+      return _cachedDomainSeparator;
+    } else {
+      return _buildDomainSeparator();
+    }
+  }
+
+  function _buildDomainSeparator() private view returns (bytes32) {
+    return
+      keccak256(abi.encode(TYPE_HASH, _hashedName, _hashedVersion, block.chainid, address(this)));
+  }
+
+  /**
+   * @dev Given an already https://eips.ethereum.org/EIPS/eip-712#definition-of-hashstruct[hashed
+   * struct], this
+   * function returns the hash of the fully encoded EIP712 message for this domain.
+   *
+   * This hash can be used together with {ECDSA-recover} to obtain the signer of a message. For
+   * example:
+   *
+   * ```solidity
+   * bytes32 digest = _hashTypedDataV4(keccak256(abi.encode(
+   *     keccak256("Mail(address to,string contents)"),
+   *     mailTo,
+   *     keccak256(bytes(mailContents))
+   * )));
+   * address signer = ECDSA.recover(digest, signature);
+   * ```
+   */
+  function _hashTypedDataV4(bytes32 structHash) internal view virtual returns (bytes32) {
+    return toTypedDataHash(_domainSeparatorV4(), structHash);
+  }
+
+  /**
+   * @dev Returns the keccak256 digest of an EIP-712 typed data (ERC-191 version `0x01`).
+   *
+   * The digest is calculated from a `domainSeparator` and a `structHash`, by prefixing them with
+   * `\x19\x01` and hashing the result. It corresponds to the hash signed by the
+   * https://eips.ethereum.org/EIPS/eip-712[`eth_signTypedData`] JSON-RPC method as part of EIP-712.
+   *
+   * See {ECDSA-recover}.
+   */
+  function toTypedDataHash(bytes32 domainSeparator, bytes32 structHash)
+    internal
+    pure
+    returns (bytes32 digest)
+  {
+    /// @solidity memory-safe-assembly
+    assembly {
+      let ptr := mload(0x40)
+      mstore(ptr, hex"1901")
+      mstore(add(ptr, 0x02), domainSeparator)
+      mstore(add(ptr, 0x22), structHash)
+      digest := keccak256(ptr, 0x42)
+    }
+  }
+
+  /**
+   * @dev Checks if a signature is valid for a given signer and data hash. If the signer is a smart
+   * contract, the
+   * signature is validated against that smart contract using ERC1271, otherwise it's validated
+   * using `ECDSA.recover`.
+   */
+  function isValidSignatureNow(address signer, bytes32 hash, bytes memory signature)
+    internal
+    view
+    returns (bool)
+  {
+    (address recovered, RecoverError error,) = tryRecover(hash, signature);
+    return (error == RecoverError.NoError && recovered == signer)
+      || isValidERC1271SignatureNow(signer, hash, signature);
   }
 
-  /// @dev Converts an `address` to `bytes`.
-  function _toBytes(address who) internal pure returns (bytes memory) {
-    return bytes.concat(bytes32(uint256(uint160(who))));
+  /**
+   * @dev Checks if a signature is valid for a given signer and data hash. The signature is
+   * validated
+   * against the signer smart contract using ERC1271.
+   */
+  function isValidERC1271SignatureNow(address signer, bytes32 hash, bytes memory signature)
+    internal
+    view
+    returns (bool)
+  {
+    (bool success, bytes memory result) =
+      signer.staticcall(abi.encodeCall(IERC1271.isValidSignature, (hash, signature)));
+    return (
+      success && result.length >= 32
+        && abi.decode(result, (bytes32)) == bytes32(IERC1271.isValidSignature.selector)
+    );
   }
+
+  function tryRecover(bytes32 hash, bytes memory signature)
+    internal
+    pure
+    returns (address, RecoverError, bytes32)
+  {
+    if (signature.length == 65) {
+      bytes32 r;
+      bytes32 s;
+      uint8 v;
+      // ecrecover takes the signature parameters, and the only way to get them
+      // currently is to use assembly.
+      /// @solidity memory-safe-assembly
+      assembly {
+        r := mload(add(signature, 0x20))
+        s := mload(add(signature, 0x40))
+        v := byte(0, mload(add(signature, 0x60)))
+      }
+      return tryRecover(hash, v, r, s);
+    } else {
+      return (address(0), RecoverError.InvalidSignatureLength, bytes32(signature.length));
+    }
+  }
+
+  /**
+   * @dev Overload of {ECDSA-tryRecover} that receives the `v`,
+   * `r` and `s` signature fields separately.
+   */
+  function tryRecover(bytes32 hash, uint8 v, bytes32 r, bytes32 s)
+    internal
+    pure
+    returns (address, RecoverError, bytes32)
+  {
+    // EIP-2 still allows signature malleability for ecrecover(). Remove this possibility and make
+    // the signature
+    // unique. Appendix F in the Ethereum Yellow paper
+    // (https://ethereum.github.io/yellowpaper/paper.pdf), defines
+    // the valid range for s in (301): 0 < s < secp256k1n ÷ 2 + 1, and for v in (302): v ∈ {27,
+    // 28}. Most
+    // signatures from current libraries generate a unique signature with an s-value in the lower
+    // half order.
+    //
+    // If your library generates malleable signatures, such as s-values in the upper range,
+    // calculate a new s-value
+    // with 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 - s1 and flip v from
+    // 27 to 28 or
+    // vice versa. If your library also generates signatures with 0/1 for v instead 27/28, add 27 to
+    // v to accept
+    // these malleable signatures as well.
+    if (uint256(s) > 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0) {
+      return (address(0), RecoverError.InvalidSignatureS, s);
+    }
+
+    // If the signature is valid (and not malleable), return the signer address
+    address signer = ecrecover(hash, v, r, s);
+    if (signer == address(0)) return (address(0), RecoverError.InvalidSignature, bytes32(0));
+
+    return (signer, RecoverError.NoError, bytes32(0));
+  }
+}
+
+/**
+ * @dev Interface of the ERC1271 standard signature validation method for
+ * contracts as defined in https://eips.ethereum.org/EIPS/eip-1271[ERC-1271].
+ */
+interface IERC1271 {
+  /**
+   * @dev Should return whether the signature provided is valid for the provided data
+   * @param hash      Hash of the data to be signed
+   * @param signature Signature byte array associated with _data
+   */
+  function isValidSignature(bytes32 hash, bytes memory signature)
+    external
+    view
+    returns (bytes4 magicValue);
 }

src/interfaces/IERC5564Announcer.sol

@@ -1,4 +1,4 @@
-// SPDX-License-Identifier: UNLICENSED
+// SPDX-License-Identifier: MIT
 pragma solidity ^0.8.0;
 
 /// @dev Interface for calling the `ERC5564Announcer` contract, which emits an `Announcement` event

src/interfaces/IERC6538Registry.sol

@@ -1,4 +1,4 @@
-// SPDX-License-Identifier: UNLICENSED
+// SPDX-License-Identifier: MIT
 pragma solidity ^0.8.0;
 
 /// @dev Interface for calling the `ERC6538Registry` contract to map accounts to their stealth
@@ -16,7 +16,7 @@ interface IERC6538Registry {
   /// therefore this `stealthMetaAddress` is just the `spendingPubKey` and `viewingPubKey`
   /// concatenated.
   event StealthMetaAddressSet(
-    bytes indexed registrant, uint256 indexed schemeId, bytes stealthMetaAddress
+    address indexed registrant, uint256 indexed schemeId, bytes stealthMetaAddress
   );
 
   /// @notice Sets the caller's stealth meta-address for the given scheme ID.
@@ -39,19 +39,4 @@ interface IERC6538Registry {
     bytes memory signature,
     bytes memory stealthMetaAddress
   ) external;
-
-  /// @notice Sets the `registrant`s stealth meta-address for the given scheme ID.
-  /// @param registrant Recipient identifier, such as an address.
-  /// @param schemeId Identifier corresponding to the applied stealth address scheme, e.g. 0 for
-  /// secp256k1, as specified in ERC-5564.
-  /// @param signature A signature from the `registrant` authorizing the registration.
-  /// @param stealthMetaAddress The stealth meta-address to register.
-  /// @dev Supports both EOA signatures and EIP-1271 signatures.
-  /// @dev Reverts if the signature is invalid.
-  function registerKeysOnBehalf(
-    bytes memory registrant,
-    uint256 schemeId,
-    bytes memory signature,
-    bytes memory stealthMetaAddress
-  ) external;
 }

test/ERC5564Announcer.t.sol

@@ -1,4 +1,4 @@
-// SPDX-License-Identifier: UNLICENSED
+// SPDX-License-Identifier: MIT
 pragma solidity 0.8.20;
 
 import {Test} from "forge-std/Test.sol";