Merge pull request #6563 from BitGo/WP-000000/pass-gpg-pubkey-verify-sigs

feat(core): enable hardcoded gpg keys for signature verification

Author: mohammadalfaiyazbitgo

modules/bitgo/test/v2/unit/internal/tssUtils/bitgoMpcGpgPubKeys.ts

@@ -166,4 +166,62 @@ describe('TSS MPC Pick BitGo GPG Pub Key Utils:', function () {
     );
     await assert.rejects(async () => await ecdsaMpcv2Util.testPickBitgoPubGpgKeyForSigning(true));
   });
+
+  it('should select the correct GPG key for verifyWalletSignatures with hardcoded options', async function () {
+    // Test environment setup
+    const env = 'test';
+    const bitgoInstance = TestBitGo.decorate(BitGo, { env });
+    bitgoInstance.initializeTestVars();
+    const coinInstance = bitgoInstance.coin(eddsaCoinName);
+    const eddsaMpcv1Util = new TestEddsaMpcv1Utils(
+      bitgoInstance,
+      coinInstance,
+      new Wallet(bitgoInstance, coinInstance, eddsaWalletData)
+    );
+
+    // Get the key that would be selected when using hardcoded BitGo keys
+    // mpcv1 and nitro are passed as options
+    const gpgKey = await eddsaMpcv1Util.testPickBitgoPubGpgKeyForSigning(false, undefined, undefined);
+
+    // Mock implementation of verifyWalletSignatures to capture the bitgoGpgKey that gets used
+    let capturedKey;
+    eddsaMpcv1Util.verifyWalletSignatures = async function (
+      userGpgPub,
+      backupGpgPub,
+      bitgoKeychain,
+      decryptedShare,
+      verifierIndex,
+      useHardcodedBitGoKeys
+    ) {
+      // Save the key that would be used when specifying hardcoded options
+      if (useHardcodedBitGoKeys) {
+        const hardcodedKey = await openpgp.readKey({
+          armoredKey: BitgoMpcGpgPubKeys.bitgoMpcGpgPubKeys['mpcv1']['nitro']['test'],
+        });
+        capturedKey = hardcodedKey.armor();
+      }
+      // Not actually verifying in this test
+      return;
+    };
+
+    // Call with hardcoded key options
+    await eddsaMpcv1Util.verifyWalletSignatures(
+      'mock-user-key',
+      'mock-backup-key',
+      {
+        commonKeychain: 'mock-keychain',
+        walletHSMGPGPublicKeySigs: '',
+        id: '',
+        type: 'tss',
+      },
+      'decrypted-share',
+      1,
+      { env: 'test', pubKeyType: 'nitro' }
+    );
+
+    // Verify the hardcoded key matches what we expect
+    capturedKey.should.equal(BitgoMpcGpgPubKeys.bitgoMpcGpgPubKeys['mpcv1']['nitro']['test']);
+    // Also verify it's the same as what's returned by testPickBitgoPubGpgKeyForSigning
+    gpgKey.armor().should.equal(capturedKey);
+  });
 });

modules/sdk-core/src/bitgo/utils/tss/eddsa/eddsa.ts

@@ -40,6 +40,9 @@ import { KeychainsTriplet } from '../../../baseCoin';
 import { exchangeEddsaCommitments } from '../../../tss/common';
 import { Ed25519Bip32HdTree } from '@bitgo/sdk-lib-mpc';
 import { IRequestTracer } from '../../../../api';
+import { getBitgoMpcGpgPubKey } from '../../../tss/bitgoPubKeys';
+import { EnvironmentName } from '../../../environments';
+import { readKey } from 'openpgp';
 
 /**
  * Utility functions for TSS work flows.
@@ -51,12 +54,20 @@ export class EddsaUtils extends baseTSSUtils<KeyShare> {
     backupGpgPub: string,
     bitgoKeychain: Keychain,
     decryptedShare: string,
-    verifierIndex: 1 | 2
+    verifierIndex: 1 | 2,
+    useHardcodedBitGoKeys?: {
+      env: EnvironmentName;
+      pubKeyType: 'nitro' | 'onprem';
+    }
   ): Promise<void> {
     assert(bitgoKeychain.commonKeychain);
     assert(bitgoKeychain.walletHSMGPGPublicKeySigs);
 
-    const bitgoGpgKey = (await getBitgoGpgPubKey(this.bitgo)).mpcV1;
+    const bitgoGpgKey = useHardcodedBitGoKeys
+      ? await readKey({
+          armoredKey: getBitgoMpcGpgPubKey(useHardcodedBitGoKeys.env, useHardcodedBitGoKeys.pubKeyType, 'mpcv1'),
+        })
+      : (await getBitgoGpgPubKey(this.bitgo)).mpcV1;
 
     const userKeyPub = await openpgp.readKey({ armoredKey: userGpgPub });
     const userKeyId = userKeyPub.keyPacket.getFingerprint();