feat(sdk-core): support hardcoding bitgo pgp keys in external signer

TICKET: HSM-432

Author: islamaminBitGo

modules/sdk-core/src/bitgo/utils/tss/baseTSSUtils.ts

@@ -69,29 +69,41 @@ export default class BaseTssUtils<KeyShare> extends MpcUtils implements ITssUtil
     this.bitgoPublicGpgKey = mpcV1;
     this.bitgoMPCv2PublicGpgKey = mpcV2;
   }
-  
-  protected async pickBitgoPubGpgKeyForSigning(isMpcv2: boolean, reqId: IRequestTracer, enterpriseId?: string): Promise<openpgp.Key> {
+
+  protected async pickBitgoPubGpgKeyForSigning(
+    isMpcv2: boolean,
+    reqId?: IRequestTracer,
+    enterpriseId?: string
+  ): Promise<openpgp.Key> {
     let bitgoGpgPubKey;
     try {
-      const bitgoKeyChain =  await this.baseCoin.keychains().get({ id: this.wallet.keyIds()[KeyIndices.BITGO], reqId });
+      const bitgoKeyChain = await this.baseCoin.keychains().get({ id: this.wallet.keyIds()[KeyIndices.BITGO], reqId });
       if (!bitgoKeyChain || !bitgoKeyChain.hsmType) {
         throw new Error('Missing Bitgo GPG Pub Key Type.');
       }
       bitgoGpgPubKey = await openpgp.readKey({
-        armoredKey: getBitgoMpcGpgPubKey(this.bitgo.getEnv(), bitgoKeyChain.hsmType === 'nitro' ? 'nitro' : 'onprem', isMpcv2 ? 'mpcv2' : 'mpcv1'),
+        armoredKey: getBitgoMpcGpgPubKey(
+          this.bitgo.getEnv(),
+          bitgoKeyChain.hsmType === 'nitro' ? 'nitro' : 'onprem',
+          isMpcv2 ? 'mpcv2' : 'mpcv1'
+        ),
       });
     } catch (e) {
       if (!envRequiresBitgoPubGpgKeyConfig(this.bitgo.getEnv())) {
         console.warn(
           `Unable to get BitGo GPG key based on key data with error: ${e}. Fetching BitGo GPG key based on feature flags.`
         );
-        bitgoGpgPubKey = await this.getBitgoGpgPubkeyBasedOnFeatureFlags(
-          enterpriseId,
-          isMpcv2,
-          reqId
-        ).then(async (pubKey) => pubKey ?? (isMpcv2 ? await this.getBitgoMpcv2PublicGpgKey() : await this.getBitgoPublicGpgKey()));
+        // First try to get the key based on feature flags, if that fails, fallback to the default key from constants api.
+        bitgoGpgPubKey = await this.getBitgoGpgPubkeyBasedOnFeatureFlags(enterpriseId, isMpcv2, reqId)
+          .then(
+            async (pubKey) =>
+              pubKey ?? (isMpcv2 ? await this.getBitgoMpcv2PublicGpgKey() : await this.getBitgoPublicGpgKey())
+          )
+          .catch(async (e) => (isMpcv2 ? await this.getBitgoMpcv2PublicGpgKey() : await this.getBitgoPublicGpgKey()));
       } else {
-        throw new Error(`Environment "${this.bitgo.getEnv()}" requires a BitGo GPG Pub Key Config in BitGoJS for TSS. Error thrown while getting the key from config: ${e}`);
+        throw new Error(
+          `Environment "${this.bitgo.getEnv()}" requires a BitGo GPG Pub Key Config in BitGoJS for TSS. Error thrown while getting the key from config: ${e}`
+        );
       }
     }
     return bitgoGpgPubKey;
@@ -119,7 +131,7 @@ export default class BaseTssUtils<KeyShare> extends MpcUtils implements ITssUtil
     }
 
     return this.bitgoMPCv2PublicGpgKey;
-  }  
+  }
 
   async createBitgoHeldBackupKeyShare(
     userGpgKey: SerializedKeyPair<string>,
@@ -251,7 +263,12 @@ export default class BaseTssUtils<KeyShare> extends MpcUtils implements ITssUtil
    *
    * @returns {Promise<{ userToBitgoCommitment: CommitmentShareRecor, encryptedSignerShare: EncryptedSignerShareRecord }>} - Commitment Share and the Encrypted Signer Share to BitGo
    */
-  createCommitmentShareFromTxRequest(params: { txRequest: TxRequest; prv: string; walletPassphrase: string }): Promise<{
+  createCommitmentShareFromTxRequest(params: {
+    txRequest: TxRequest;
+    prv: string;
+    walletPassphrase: string;
+    bitgoGpgPubKey: string;
+  }): Promise<{
     userToBitgoCommitment: CommitmentShareRecord;
     encryptedSignerShare: EncryptedSignerShareRecord;
     encryptedUserToBitgoRShare: EncryptedSignerShareRecord;

modules/sdk-core/src/bitgo/utils/tss/baseTypes.ts

@@ -89,7 +89,7 @@ export interface CustomSShareGeneratingFunction {
 }
 
 export interface CustomCommitmentGeneratingFunction {
-  (params: { txRequest: TxRequest }): Promise<{
+  (params: { txRequest: TxRequest; bitgoGpgPubKey?: string }): Promise<{
     userToBitgoCommitment: CommitmentShareRecord;
     encryptedSignerShare: EncryptedSignerShareRecord;
     encryptedUserToBitgoRShare: EncryptedSignerShareRecord;
@@ -592,7 +592,12 @@ export interface ITssUtils<KeyShare = EDDSA.KeyShare> {
     externalSignerMuDeltaShareGenerator: CustomMuDeltaShareGeneratingFunction,
     externalSignerSShareGenerator: CustomSShareGeneratingFunction
   ): Promise<TxRequest>;
-  createCommitmentShareFromTxRequest(params: { txRequest: TxRequest; prv: string; walletPassphrase: string }): Promise<{
+  createCommitmentShareFromTxRequest(params: {
+    txRequest: TxRequest;
+    prv: string;
+    walletPassphrase: string;
+    bitgoGpgPubKey: string;
+  }): Promise<{
     userToBitgoCommitment: CommitmentShareRecord;
     encryptedSignerShare: EncryptedSignerShareRecord;
     encryptedUserToBitgoRShare: EncryptedSignerShareRecord;

modules/sdk-core/src/bitgo/utils/tss/ecdsa/ecdsaMPCv2.ts

@@ -67,7 +67,7 @@ export class EcdsaMPCv2Utils extends BaseEcdsaUtils {
     const bitgoPublicGpgKey = (
       (await this.getBitgoGpgPubkeyBasedOnFeatureFlags(params.enterprise, true)) ?? this.bitgoMPCv2PublicGpgKey
     ).armor();
-    
+
     if (envRequiresBitgoPubGpgKeyConfig(this.bitgo.getEnv())) {
       // Ensure the public key is one of the expected BitGo public keys when in test or prod.
       assert(isBitgoMpcPubKey(bitgoPublicGpgKey, 'mpcv2'), 'Invalid BitGo GPG public key');
@@ -1010,9 +1010,12 @@ export class EcdsaMPCv2Utils extends BaseEcdsaUtils {
       txRequestResolved = txRequest;
     }
 
-    const bitgoPublicGpgKey =
-      (await this.getBitgoGpgPubkeyBasedOnFeatureFlags(txRequestResolved.enterpriseId, true, reqId)) ??
-      this.bitgoMPCv2PublicGpgKey;
+    const bitgoPublicGpgKey = await this.pickBitgoPubGpgKeyForSigning(
+      true,
+      params.reqId,
+      txRequestResolved.enterpriseId
+    );
+
     if (!bitgoPublicGpgKey) {
       throw new Error('Missing BitGo GPG key for MPCv2');
     }

modules/sdk-core/src/bitgo/utils/tss/eddsa/eddsa.ts

@@ -371,6 +371,7 @@ export class EddsaUtils extends baseTSSUtils<KeyShare> {
     txRequest: TxRequest;
     prv: string;
     walletPassphrase: string;
+    bitgoGpgPubKey: string;
   }): Promise<{
     userToBitgoCommitment: CommitmentShareRecord;
     encryptedSignerShare: EncryptedSignerShareRecord;
@@ -408,8 +409,11 @@ export class EddsaUtils extends baseTSSUtils<KeyShare> {
     const userToBitgoCommitment = this.createUserToBitgoCommitmentShare(commitment);
 
     const signerShare = signingKey.yShares[bitgoIndex].u + signingKey.yShares[bitgoIndex].chaincode;
-    const bitgoGpgKey = (await getBitgoGpgPubKey(this.bitgo)).mpcV1;
-    const userToBitgoEncryptedSignerShare = await encryptText(signerShare, bitgoGpgKey);
+
+    const userToBitgoEncryptedSignerShare = await encryptText(
+      signerShare,
+      await openpgp.readKey({ armoredKey: params.bitgoGpgPubKey })
+    );
 
     const encryptedSignerShare = this.createUserToBitgoEncryptedSignerShare(userToBitgoEncryptedSignerShare);
     const stringifiedRShare = JSON.stringify(userSignShare);
@@ -496,9 +500,10 @@ export class EddsaUtils extends baseTSSUtils<KeyShare> {
     }
 
     const { apiVersion } = txRequestResolved;
+    const bitgoGpgKey = await this.pickBitgoPubGpgKeyForSigning(false, reqId, txRequestResolved.enterpriseId);
 
     const { userToBitgoCommitment, encryptedSignerShare, encryptedUserToBitgoRShare } =
-      await externalSignerCommitmentGenerator({ txRequest: txRequestResolved });
+      await externalSignerCommitmentGenerator({ txRequest: txRequestResolved, bitgoGpgPubKey: bitgoGpgKey.armor() });
 
     const { commitmentShare: bitgoToUserCommitment } = await exchangeEddsaCommitments(
       this.bitgo,