OpenZeppelin
diff --git a/‎contracts/interfaces/IERC7913.sol
Lines changed: 17 additions & 0 deletions b/‎contracts/interfaces/IERC7913.sol
Lines changed: 17 additions & 0 deletions
diff --git a/‎contracts/utils/README.adoc
Lines changed: 17 additions & 0 deletions b/‎contracts/utils/README.adoc
Lines changed: 17 additions & 0 deletions
diff --git a/‎contracts/utils/cryptography/ERC7913Utils.sol
Lines changed: 82 additions & 0 deletions b/‎contracts/utils/cryptography/ERC7913Utils.sol
Lines changed: 82 additions & 0 deletions
diff --git a/‎contracts/utils/cryptography/MultiSignerERC7913.sol
Lines changed: 246 additions & 0 deletions b/‎contracts/utils/cryptography/MultiSignerERC7913.sol
Lines changed: 246 additions & 0 deletions
@@ -0,0 +1,17 @@
+// SPDX-License-Identifier: MIT
+
+pragma solidity ^0.8.0;
+
+/**
+ * @dev Signature verifier interface.
+ */
+interface IERC7913SignatureVerifier {
+    /**
+     * @dev Verifies `signature` as a valid signature of `hash` by `key`.
+     *
+     * MUST return the bytes4 magic value IERC7913SignatureVerifier.verify.selector if the signature is valid.
+     * SHOULD return 0xffffffff or revert if the signature is not valid.
+     * SHOULD return 0xffffffff or revert if the key is empty
+     */
+    function verify(bytes calldata key, bytes32 hash, bytes calldata signature) external view returns (bytes4);
+}
@@ -50,8 +50,11 @@ Miscellaneous contracts and libraries containing utility functions you can use t
  * {AbstractSigner}: Abstract contract for internal signature validation in smart contracts.
  * {ERC7739}: An abstract contract to validate signatures following the rehashing scheme from `ERC7739Utils`.
  * {ERC7739Utils}: Utilities library that implements a defensive rehashing mechanism to prevent replayability of smart contract signatures based on ERC-7739.
+ * {ERC7913Utils}: utilities library that implements ERC-7913 signature verification with fallback to ERC-1271 and ECDSA.
  * {SignerECDSA}, {SignerP256}, {SignerRSA}: Implementations of an {AbstractSigner} with specific signature validation algorithms.
  * {SignerERC7702}: Implementation of {AbstractSigner} that validates signatures using the contract's own address as the signer, useful for delegated accounts following EIP-7702.
+ * {SignerERC7913}, {MultiSignerERC7913}, {MultiSignerERC7913Weighted}: Implementations of {AbstractSigner} that validate signatures based on ERC-7913. Including a simple and weighted multisignature scheme.
+ * {ERC7913SignatureVerifierP256}, {ERC7913SignatureVerifierRSA}: Ready to use ERC-7913 signature verifiers for P256 and RSA keys
 
 [NOTE]
 ====
@@ -100,6 +103,20 @@ Because Solidity does not support generic types, {EnumerableMap} and {Enumerable
 
 {{SignerRSA}}
 
+{{SignerERC7913}}
+
+{{MultiSignerERC7913}}
+
+{{MultiSignerERC7913Weighted}}
+
+=== ERC-7913
+
+{{ERC7913Utils}}
+
+{{ERC7913SignatureVerifierP256}}
+
+{{ERC7913SignatureVerifierRSA}}
+
 == Security
 
 {{ReentrancyGuard}}
 
@@ -0,0 +1,82 @@
+// SPDX-License-Identifier: MIT
+
+pragma solidity ^0.8.24;
+
+import {SignatureChecker} from "./SignatureChecker.sol";
+import {Bytes} from "../Bytes.sol";
+import {IERC7913SignatureVerifier} from "../../interfaces/IERC7913.sol";
+
+/**
+ * @dev Library that provides common ERC-7913 utility functions.
+ *
+ * This library extends the functionality of xref:api:utils#SignatureChecker[SignatureChecker]
+ * to support signature verification for keys that do not have an Ethereum address of their own
+ * as with ERC-1271.
+ *
+ * See https://eips.ethereum.org/EIPS/eip-7913[ERC-7913].
+ */
+library ERC7913Utils {
+    using Bytes for bytes;
+
+    /**
+     * @dev Verifies a signature for a given signer and hash.
+     *
+     * The signer is a `bytes` object that is the concatenation of an address and optionally a key:
+     * `verifier || key`. A signer must be at least 20 bytes long.
+     *
+     * Verification is done as follows:
+     * - If `signer.length < 20`: verification fails
+     * - If `signer.length == 20`: verification is done using {SignatureChecker}
+     * - Otherwise: verification is done using {IERC7913SignatureVerifier}
+     */
+    function isValidSignatureNow(
+        bytes memory signer,
+        bytes32 hash,
+        bytes memory signature
+    ) internal view returns (bool) {
+        if (signer.length < 20) {
+            return false;
+        } else if (signer.length == 20) {
+            return SignatureChecker.isValidSignatureNow(address(bytes20(signer)), hash, signature);
+        } else {
+            (bool success, bytes memory result) = address(bytes20(signer)).staticcall(
+                abi.encodeCall(IERC7913SignatureVerifier.verify, (signer.slice(20), hash, signature))
+            );
+            return (success &&
+                result.length >= 32 &&
+                abi.decode(result, (bytes32)) == bytes32(IERC7913SignatureVerifier.verify.selector));
+        }
+    }
+
+    /**
+     * @dev Verifies multiple `signatures` for a given hash using a set of `signers`.
+     *
+     * The signers must be ordered by their `keccak256` hash to ensure no duplicates and to optimize
+     * the verification process. The function will return `false` if the signers are not properly ordered.
+     *
+     * Requirements:
+     *
+     * * The `signatures` array must be at least the  `signers` array's length.
+     */
+    function areValidSignaturesNow(
+        bytes32 hash,
+        bytes[] memory signers,
+        bytes[] memory signatures
+    ) internal view returns (bool) {
+        bytes32 previousId = bytes32(0);
+
+        uint256 signersLength = signers.length;
+        for (uint256 i = 0; i < signersLength; i++) {
+            bytes memory signer = signers[i];
+            // Signers must ordered by id to ensure no duplicates
+            bytes32 id = keccak256(signer);
+            if (previousId >= id || !isValidSignatureNow(signer, hash, signatures[i])) {
+                return false;
+            }
+
+            previousId = id;
+        }
+
+        return true;
+    }
+}
@@ -0,0 +1,246 @@
+// SPDX-License-Identifier: MIT
+
+pragma solidity ^0.8.27;
+
+import {AbstractSigner} from "./AbstractSigner.sol";
+import {ERC7913Utils} from "./ERC7913Utils.sol";
+import {EnumerableSetExtended} from "../structs/EnumerableSetExtended.sol";
+import {Calldata} from "../../utils/Calldata.sol";
+import {SafeCast} from "../../utils/math/SafeCast.sol";
+
+/**
+ * @dev Implementation of {AbstractSigner} using multiple ERC-7913 signers with a threshold-based
+ * signature verification system.
+ *
+ * This contract allows managing a set of authorized signers and requires a minimum number of
+ * signatures (threshold) to approve operations. It uses ERC-7913 formatted signers, which
+ * concatenate a verifier address and a key: `verifier || key`.
+ *
+ * Example of usage:
+ *
+ * ```solidity
+ * contract MyMultiSignerAccount is Account, MultiSignerERC7913, Initializable {
+ *     constructor() EIP712("MyMultiSignerAccount", "1") {}
+ *
+ *     function initialize(bytes[] memory signers, uint256 threshold) public initializer {
+ *         _addSigners(signers);
+ *         _setThreshold(threshold);
+ *     }
+ *
+ *     function addSigners(bytes[] memory signers) public onlyEntryPointOrSelf {
+ *         _addSigners(signers);
+ *     }
+ *
+ *     function removeSigners(bytes[] memory signers) public onlyEntryPointOrSelf {
+ *         _removeSigners(signers);
+ *     }
+ *
+ *     function setThreshold(uint256 threshold) public onlyEntryPointOrSelf {
+ *         _setThreshold(threshold);
+ *     }
+ * }
+ * ```
+ *
+ * IMPORTANT: Failing to properly initialize the signers and threshold either during construction
+ * (if used standalone) or during initialization (if used as a clone) may leave the contract
+ * either front-runnable or unusable.
+ */
+abstract contract MultiSignerERC7913 is AbstractSigner {
+    using EnumerableSetExtended for EnumerableSetExtended.BytesSet;
+    using ERC7913Utils for *;
+    using SafeCast for uint256;
+
+    EnumerableSetExtended.BytesSet private _signersSet;
+    uint128 private _threshold;
+
+    /// @dev Emitted when signers are added.
+    event ERC7913SignersAdded(bytes[] indexed signers);
+
+    /// @dev Emitted when signers are removed.
+    event ERC7913SignersRemoved(bytes[] indexed signers);
+
+    /// @dev Emitted when the threshold is updated.
+    event ERC7913ThresholdSet(uint256 threshold);
+
+    /// @dev The `signer` already exists.
+    error MultiSignerERC7913AlreadyExists(bytes signer);
+
+    /// @dev The `signer` does not exist.
+    error MultiSignerERC7913NonexistentSigner(bytes signer);
+
+    /// @dev The `signer` is less than 20 bytes long.
+    error MultiSignerERC7913InvalidSigner(bytes signer);
+
+    /// @dev The `threshold` is unreachable given the number of `signers`.
+    error MultiSignerERC7913UnreachableThreshold(uint256 signers, uint256 threshold);
+
+    /**
+     * @dev Returns the set of authorized signers. Prefer {_signers} for internal use.
+     *
+     * WARNING: This operation copies the entire signers set to memory, which can be expensive. This is designed
+     * for view accessors queried without gas fees. Using it in state-changing functions may become uncallable
+     * if the signers set grows too large.
+     */
+    function signers() public view virtual returns (bytes[] memory) {
+        return _signers().values();
+    }
+
+    /// @dev Returns whether the `signer` is an authorized signer.
+    function isSigner(bytes memory signer) public view virtual returns (bool) {
+        return _signers().contains(signer);
+    }
+
+    /// @dev Returns the minimum number of signers required to approve a multisignature operation.
+    function threshold() public view virtual returns (uint256) {
+        return _threshold;
+    }
+
+    /// @dev Returns the set of authorized signers.
+    function _signers() internal view virtual returns (EnumerableSetExtended.BytesSet storage) {
+        return _signersSet;
+    }
+
+    /**
+     * @dev Adds the `newSigners` to those allowed to sign on behalf of this contract.
+     * Internal version without access control.
+     *
+     * Requirements:
+     *
+     * * Each of `newSigners` must be at least 20 bytes long. Reverts with {MultiSignerERC7913InvalidSigner} if not.
+     * * Each of `newSigners` must not be authorized. See {isSigner}. Reverts with {MultiSignerERC7913AlreadyExists} if so.
+     */
+    function _addSigners(bytes[] memory newSigners) internal virtual {
+        uint256 newSignersLength = newSigners.length;
+        for (uint256 i = 0; i < newSignersLength; i++) {
+            bytes memory signer = newSigners[i];
+            require(signer.length >= 20, MultiSignerERC7913InvalidSigner(signer));
+            require(_signers().add(signer), MultiSignerERC7913AlreadyExists(signer));
+        }
+        emit ERC7913SignersAdded(newSigners);
+    }
+
+    /**
+     * @dev Removes the `oldSigners` from the authorized signers. Internal version without access control.
+     *
+     * Requirements:
+     *
+     * * Each of `oldSigners` must be authorized. See {isSigner}. Otherwise {MultiSignerERC7913NonexistentSigner} is thrown.
+     * * See {_validateReachableThreshold} for the threshold validation.
+     */
+    function _removeSigners(bytes[] memory oldSigners) internal virtual {
+        uint256 oldSignersLength = oldSigners.length;
+        for (uint256 i = 0; i < oldSignersLength; i++) {
+            bytes memory signer = oldSigners[i];
+            require(_signers().remove(signer), MultiSignerERC7913NonexistentSigner(signer));
+        }
+        _validateReachableThreshold();
+        emit ERC7913SignersRemoved(oldSigners);
+    }
+
+    /**
+     * @dev Sets the signatures `threshold` required to approve a multisignature operation.
+     * Internal version without access control.
+     *
+     * Requirements:
+     *
+     * * See {_validateReachableThreshold} for the threshold validation.
+     */
+    function _setThreshold(uint256 newThreshold) internal virtual {
+        _threshold = newThreshold.toUint128();
+        _validateReachableThreshold();
+        emit ERC7913ThresholdSet(newThreshold);
+    }
+
+    /**
+     * @dev Validates the current threshold is reachable.
+     *
+     * Requirements:
+     *
+     * * The {signers}'s length must be `>=` to the {threshold}. Throws {MultiSignerERC7913UnreachableThreshold} if not.
+     */
+    function _validateReachableThreshold() internal view virtual {
+        uint256 totalSigners = _signers().length();
+        uint256 currentThreshold = threshold();
+        require(
+            totalSigners >= currentThreshold,
+            MultiSignerERC7913UnreachableThreshold(totalSigners, currentThreshold)
+        );
+    }
+
+    /**
+     * @dev Decodes, validates the signature and checks the signers are authorized.
+     * See {_validateSignatures} and {_validateThreshold} for more details.
+     *
+     * Example of signature encoding:
+     *
+     * ```solidity
+     * // Encode signers (verifier || key)
+     * bytes memory signer1 = abi.encodePacked(verifier1, key1);
+     * bytes memory signer2 = abi.encodePacked(verifier2, key2);
+     *
+     * // Order signers by their id
+     * if (keccak256(signer1) > keccak256(signer2)) {
+     *     (signer1, signer2) = (signer2, signer1);
+     *     (signature1, signature2) = (signature2, signature1);
+     * }
+     *
+     * // Assign ordered signers and signatures
+     * bytes[] memory signers = new bytes[](2);
+     * bytes[] memory signatures = new bytes[](2);
+     * signers[0] = signer1;
+     * signatures[0] = signature1;
+     * signers[1] = signer2;
+     * signatures[1] = signature2;
+     *
+     * // Encode the multi signature
+     * bytes memory signature = abi.encode(signers, signatures);
+     * ```
+     *
+     * Requirements:
+     *
+     * * The `signature` must be encoded as `abi.encode(signers, signatures)`.
+     */
+    function _rawSignatureValidation(
+        bytes32 hash,
+        bytes calldata signature
+    ) internal view virtual override returns (bool) {
+        if (signature.length == 0) return false; // For ERC-7739 compatibility
+        (bytes[] memory signingSigners, bytes[] memory signatures) = abi.decode(signature, (bytes[], bytes[]));
+        if (signingSigners.length != signatures.length) return false;
+        return _validateThreshold(signingSigners) && _validateSignatures(hash, signingSigners, signatures);
+    }
+
+    /**
+     * @dev Validates the signatures using the signers and their corresponding signatures.
+     * Returns whether whether the signers are authorized and the signatures are valid for the given hash.
+     *
+     * IMPORTANT: For simplicity, this contract assumes that the signers are ordered by their `keccak256` hash
+     * to avoid duplication when iterating through the signers (i.e. `keccak256(signer1) < keccak256(signer2)`).
+     * The function will return false if the signers are not ordered.
+     *
+     * Requirements:
+     *
+     * * The `signatures` arrays must be at least as large as the `signingSigners` arrays. Panics otherwise.
+     */
+    function _validateSignatures(
+        bytes32 hash,
+        bytes[] memory signingSigners,
+        bytes[] memory signatures
+    ) internal view virtual returns (bool valid) {
+        uint256 signersLength = signingSigners.length;
+        for (uint256 i = 0; i < signersLength; i++) {
+            if (!isSigner(signingSigners[i])) {
+                return false;
+            }
+        }
+        return hash.areValidSignaturesNow(signingSigners, signatures);
+    }
+
+    /**
+     * @dev Validates that the number of signers meets the {threshold} requirement.
+     * Assumes the signers were already validated. See {_validateSignatures} for more details.
+     */
+    function _validateThreshold(bytes[] memory validatingSigners) internal view virtual returns (bool) {
+        return validatingSigners.length >= threshold();
+    }
+}