feat(mbe): use local encipherment only

cpatino-intive · web-flow · commit 36eb362704eb · 2025-08-06T09:17:07.000-04:00
diff --git a/src/__tests__/api/advancedWalletManager/recoveryMpcV2.test.ts b/src/__tests__/api/advancedWalletManager/recoveryMpcV2.test.ts
@@ -86,12 +86,12 @@ describe('recoveryMpcV2', async () => {
     // nocks for KMS responses
     const userKmsNock = nock(kmsUrl)
       .get(`/key/${input.pub}`)
-      .query({ source: 'user', useLocalEncipherment: false })
+      .query({ source: 'user' })
       .reply(200, mockKmsUserResponse)
       .persist();
     const backupKmsNock = nock(kmsUrl)
       .get(`/key/${input.pub}`)
-      .query({ source: 'backup', useLocalEncipherment: false })
+      .query({ source: 'backup' })
       .reply(200, mockKmsBackupResponse)
       .persist();
 
@@ -139,13 +139,10 @@ describe('recoveryMpcV2', async () => {
     };
 
     // nocks for KMS responses
+    nock(kmsUrl).get(`/key/${input.pub}`).query({ source: 'user' }).reply(200, mockKmsUserResponse);
     nock(kmsUrl)
       .get(`/key/${input.pub}`)
-      .query({ source: 'user', useLocalEncipherment: false })
-      .reply(200, mockKmsUserResponse);
-    nock(kmsUrl)
-      .get(`/key/${input.pub}`)
-      .query({ source: 'backup', useLocalEncipherment: false })
+      .query({ source: 'backup' })
       .reply(200, mockKmsBackupResponse);
 
     const signatureResponse = await agent
diff --git a/src/__tests__/api/advancedWalletManager/recoveryMusigEth.test.ts b/src/__tests__/api/advancedWalletManager/recoveryMusigEth.test.ts
@@ -78,12 +78,12 @@ describe('recoveryMultisigTransaction', () => {
 
     const kmsNockUser = nock(kmsUrl)
       .get(`/key/${userPub}`)
-      .query({ source: 'user', useLocalEncipherment: false })
+      .query({ source: 'user' })
       .reply(200, mockKmsUserResponse);
 
     const kmsNockBackup = nock(kmsUrl)
       .get(`/key/${backupPub}`)
-      .query({ source: 'backup', useLocalEncipherment: false })
+      .query({ source: 'backup' })
       .reply(200, mockKmsBackupResponse);
 
     const response = await agent
@@ -129,12 +129,12 @@ describe('recoveryMultisigTransaction', () => {
 
     const kmsNockUser = nock(kmsUrl)
       .get(`/key/${userPub}`)
-      .query({ source: 'user', useLocalEncipherment: false })
+      .query({ source: 'user' })
       .reply(200, mockKmsUserResponse);
 
     const kmsNockBackup = nock(kmsUrl)
       .get(`/key/${backupPub}`)
-      .query({ source: 'backup', useLocalEncipherment: false })
+      .query({ source: 'backup' })
       .reply(200, mockKmsBackupResponse);
 
     const response = await agent
diff --git a/src/__tests__/api/advancedWalletManager/signMpcRecoveryTransaction.test.ts b/src/__tests__/api/advancedWalletManager/signMpcRecoveryTransaction.test.ts
@@ -100,7 +100,6 @@ describe('EdDSA Recovery Signing', () => {
         pub: commonKeychain,
         source: 'user',
         cfg: config,
-        options: { useLocalEncipherment: false },
       })
       .resolves(JSON.stringify(userPrvShare));
 
@@ -109,7 +108,6 @@ describe('EdDSA Recovery Signing', () => {
         pub: commonKeychain,
         source: 'backup',
         cfg: config,
-        options: { useLocalEncipherment: false },
       })
       .resolves(JSON.stringify(backupPrvShare));
 
@@ -136,7 +134,6 @@ describe('EdDSA Recovery Signing', () => {
         pub: commonKeychain,
         source: 'user',
         cfg: config,
-        options: { useLocalEncipherment: false },
       })
       .should.be.true();
 
@@ -145,7 +142,6 @@ describe('EdDSA Recovery Signing', () => {
         pub: commonKeychain,
         source: 'backup',
         cfg: config,
-        options: { useLocalEncipherment: false },
       })
       .should.be.true();
   });
@@ -157,7 +153,6 @@ describe('EdDSA Recovery Signing', () => {
         pub: commonKeychain,
         source: 'user',
         cfg: config,
-        options: { useLocalEncipherment: false },
       })
       .resolves(undefined);
 
@@ -185,7 +180,6 @@ describe('EdDSA Recovery Signing', () => {
         pub: commonKeychain,
         source: 'user',
         cfg: config,
-        options: { useLocalEncipherment: false },
       })
       .resolves(JSON.stringify(userPrvShare));
 
@@ -194,7 +188,6 @@ describe('EdDSA Recovery Signing', () => {
         pub: commonKeychain,
         source: 'backup',
         cfg: config,
-        options: { useLocalEncipherment: false },
       })
       .resolves(undefined);
 
diff --git a/src/__tests__/api/advancedWalletManager/signMpcTransaction.test.ts b/src/__tests__/api/advancedWalletManager/signMpcTransaction.test.ts
@@ -132,7 +132,7 @@ describe('signMpcTransaction', () => {
       // Mock KMS responses
       const kmsNock = nock(kmsUrl)
         .get(`/key/${input.pub}`)
-        .query({ source: 'user', useLocalEncipherment: false })
+        .query({ source: 'user' })
         .reply(200, mockKmsResponse);
 
       const dataKeyNock = nock(kmsUrl).post('/generateDataKey').reply(200, mockDataKeyResponse);
@@ -170,7 +170,7 @@ describe('signMpcTransaction', () => {
       // Mock KMS responses for R share
       const rKmsNock = nock(kmsUrl)
         .get(`/key/${rInput.pub}`)
-        .query({ source: 'user', useLocalEncipherment: false })
+        .query({ source: 'user' })
         .reply(200, mockKmsResponse);
 
       const decryptDataKeyNock = nock(kmsUrl)
@@ -232,7 +232,7 @@ describe('signMpcTransaction', () => {
       // Mock KMS response for G share
       const gKmsNock = nock(kmsUrl)
         .get(`/key/${gInput.pub}`)
-        .query({ source: 'user', useLocalEncipherment: false })
+        .query({ source: 'user' })
         .reply(200, mockKmsResponse);
 
       const gResponse = await agent
@@ -260,7 +260,7 @@ describe('signMpcTransaction', () => {
 
       const kmsNock = nock(kmsUrl)
         .get(`/key/${input.pub}`)
-        .query({ source: 'user', useLocalEncipherment: false })
+        .query({ source: 'user' })
         .reply(404, { error: 'Key not found' });
 
       const response = await agent
@@ -372,7 +372,7 @@ describe('signMpcTransaction', () => {
       // Mock KMS responses for Round 1
       const kmsNock = nock(kmsUrl)
         .get(`/key/${round1Input.pub}`)
-        .query({ source: 'user', useLocalEncipherment: true })
+        .query({ source: 'user' })
         .reply(200, mockKmsResponse);
 
       const dataKeyNock = nock(kmsUrl).post('/generateDataKey').reply(200, mockDataKeyResponse);
@@ -434,7 +434,7 @@ describe('signMpcTransaction', () => {
       // Mock KMS responses for Round 2
       const r2KmsNock = nock(kmsUrl)
         .get(`/key/${round2Input.pub}`)
-        .query({ source: 'user', useLocalEncipherment: true })
+        .query({ source: 'user' })
         .reply(200, mockKmsResponse);
 
       const decryptDataKeyNock = nock(kmsUrl)
@@ -482,7 +482,7 @@ describe('signMpcTransaction', () => {
       // Mock KMS responses for Round 3
       const r3KmsNock = nock(kmsUrl)
         .get(`/key/${round3Input.pub}`)
-        .query({ source: 'user', useLocalEncipherment: true })
+        .query({ source: 'user' })
         .reply(200, mockKmsResponse);
 
       const r3DecryptDataKeyNock = nock(kmsUrl)
@@ -564,7 +564,7 @@ describe('signMpcTransaction', () => {
 
       const kmsNock = nock(kmsUrl)
         .get(`/key/${input.pub}`)
-        .query({ source: 'user', useLocalEncipherment: true })
+        .query({ source: 'user' })
         .reply(200, mockKmsResponse);
 
       const response = await agent
@@ -599,7 +599,7 @@ describe('signMpcTransaction', () => {
 
       const kmsNock = nock(kmsUrl)
         .get(`/key/${input.pub}`)
-        .query({ source: 'user', useLocalEncipherment: true })
+        .query({ source: 'user' })
         .reply(200, mockKmsResponse);
 
       const response = await agent
diff --git a/src/__tests__/api/advancedWalletManager/signMultisigTransaction.test.ts b/src/__tests__/api/advancedWalletManager/signMultisigTransaction.test.ts
@@ -104,7 +104,7 @@ describe('signMultisigTransaction', () => {
 
     const kmsNock = nock(kmsUrl)
       .get(`/key/${input.pub}`)
-      .query({ source: 'user', useLocalEncipherment: false })
+      .query({ source: 'user' })
       .reply(200, mockKmsResponse);
 
     const response = await agent
diff --git a/src/api/advancedWalletManager/handlers/ecdsaMPCv2Finalize.ts b/src/api/advancedWalletManager/handlers/ecdsaMPCv2Finalize.ts
@@ -65,9 +65,6 @@ export async function ecdsaMPCv2Finalize(
     pub: commonKeychain,
     prv: privateMaterial.toString('base64'),
     type: 'tss',
-    options: {
-      useLocalEncipherment: true,
-    },
   });
 
   return {
diff --git a/src/api/advancedWalletManager/handlers/signEddsaRecoveryTransaction.ts b/src/api/advancedWalletManager/handlers/signEddsaRecoveryTransaction.ts
@@ -111,14 +111,12 @@ export async function signEddsaRecoveryTransaction({
     pub: request.commonKeychain.toString(),
     source: 'user',
     cfg,
-    options: { useLocalEncipherment: false },
   });
 
   const backupPrv = await retrieveKmsPrvKey({
     pub: request.commonKeychain.toString(),
     source: 'backup',
     cfg,
-    options: { useLocalEncipherment: false },
   });
 
   if (!userPrv || !backupPrv) {
diff --git a/src/api/advancedWalletManager/handlers/signMpcTransaction.ts b/src/api/advancedWalletManager/handlers/signMpcTransaction.ts
@@ -91,15 +91,9 @@ export async function signMpcTransaction(req: AwmApiSpecRouteRequest<'v1.mpc.sig
 
   const bitgo = req.bitgo;
   const coinInstance = await coinFactory.getCoin(coin, bitgo);
-  const options =
-    coinInstance.getMPCAlgorithm() === 'ecdsa'
-      ? {
-          useLocalEncipherment: true,
-        }
-      : undefined;
 
   // Get private key from KMS
-  const prv = await retrieveKmsPrvKey({ pub, source, cfg: req.config, options });
+  const prv = await retrieveKmsPrvKey({ pub, source, cfg: req.config });
 
   if (!prv) {
     const errorMsg = `Error while MPC signing, missing prv key for pub=${pub}, source=${source}`;
diff --git a/src/api/advancedWalletManager/utils.ts b/src/api/advancedWalletManager/utils.ts
@@ -8,20 +8,16 @@ export async function retrieveKmsPrvKey({
   pub,
   source,
   cfg,
-  options,
 }: {
   pub: string;
   source: string;
   cfg: AdvancedWalletManagerConfig;
-  options?: {
-    useLocalEncipherment?: boolean;
-  };
 }): Promise<string> {
   const kms = new KmsClient(cfg);
   // Retrieve the private key from KMS
   let prv: string;
   try {
-    const res = await kms.getKey({ pub, source, options });
+    const res = await kms.getKey({ pub, source });
     prv = res.prv;
     return prv;
   } catch (error: any) {
diff --git a/src/kms/kmsClient.ts b/src/kms/kmsClient.ts
@@ -108,7 +108,6 @@ export class KmsClient {
     try {
       let req = superagent.get(`${this.url}/key/${params.pub}`).query({
         source: params.source,
-        useLocalEncipherment: params.options?.useLocalEncipherment ?? false,
       });
       if (this.agent) req = req.agent(this.agent);
       kmsResponse = await req;
diff --git a/src/kms/types/getKey.ts b/src/kms/types/getKey.ts
@@ -3,9 +3,6 @@ import * as z from 'zod';
 export interface GetKeyParams {
   pub: string;
   source: string;
-  options?: {
-    useLocalEncipherment?: boolean;
-  };
 }
 
 export interface GetKeyResponse {
diff --git a/src/kms/types/postKey.ts b/src/kms/types/postKey.ts
@@ -7,9 +7,6 @@ export interface PostKeyParams {
   source: string;
   type: 'independent' | 'tss';
   seed?: string; // Optional seed for key generation
-  options?: {
-    useLocalEncipherment?: boolean;
-  };
 }
 
 export interface PostKeyResponse {
