fix: store private mpcv2 prv with local encryption

mohammadalfaiyazbitgo · mohammadalfaiyazbitgo · commit 3c86a09aa877 · 2025-07-07T23:19:46.000-04:00
Ticket: WP-5150
diff --git a/src/__tests__/api/enclaved/postMpcV2Key.test.ts b/src/__tests__/api/enclaved/postMpcV2Key.test.ts
@@ -73,6 +73,28 @@ describe('postMpcV2Key', () => {
       })
       .persist();
 
+    nock(kmsUrl)
+      .post(`/key`)
+      .reply(200, {
+        pub: 'test-pub-key',
+        coin,
+        source: 'user',
+        type: 'tss',
+      })
+      .persist();
+
+    nock(kmsUrl)
+      .post(`/key`)
+      .reply(200, {
+        pub: 'test-pub-key',
+        coin,
+        source: 'backup',
+        type: 'tss',
+      })
+      .persist();
+
+    nock(kmsUrl).post(`/postKey`).reply(200, {}).persist();
+
     // mocking bitgo's GPG key generation session
     const bitgoGpgKey = await bitgoSdk.generateGPGKeyPair('secp256k1');
     const bitgoGpgPub = {
diff --git a/src/__tests__/api/enclaved/recoveryMusigEth.test.ts b/src/__tests__/api/enclaved/recoveryMusigEth.test.ts
@@ -78,12 +78,12 @@ describe('recoveryMultisigTransaction', () => {
 
     const kmsNockUser = nock(kmsUrl)
       .get(`/key/${userPub}`)
-      .query({ source: 'user' })
+      .query({ source: 'user', useLocalEncipherment: false })
       .reply(200, mockKmsUserResponse);
 
     const kmsNockBackup = nock(kmsUrl)
       .get(`/key/${backupPub}`)
-      .query({ source: 'backup' })
+      .query({ source: 'backup', useLocalEncipherment: false })
       .reply(200, mockKmsBackupResponse);
 
     console.warn(nock.activeMocks());
@@ -132,12 +132,12 @@ describe('recoveryMultisigTransaction', () => {
 
     const kmsNockUser = nock(kmsUrl)
       .get(`/key/${userPub}`)
-      .query({ source: 'user' })
+      .query({ source: 'user', useLocalEncipherment: false })
       .reply(200, mockKmsUserResponse);
 
     const kmsNockBackup = nock(kmsUrl)
       .get(`/key/${backupPub}`)
-      .query({ source: 'backup' })
+      .query({ source: 'backup', useLocalEncipherment: false })
       .reply(200, mockKmsBackupResponse);
 
     const response = await agent
diff --git a/src/__tests__/api/enclaved/signMpcTransaction.test.ts b/src/__tests__/api/enclaved/signMpcTransaction.test.ts
@@ -133,7 +133,7 @@ describe('signMpcTransaction', () => {
       // Mock KMS responses
       const kmsNock = nock(kmsUrl)
         .get(`/key/${input.pub}`)
-        .query({ source: 'user' })
+        .query({ source: 'user', useLocalEncipherment: false })
         .reply(200, mockKmsResponse);
 
       const dataKeyNock = nock(kmsUrl).post('/generateDataKey').reply(200, mockDataKeyResponse);
@@ -171,7 +171,7 @@ describe('signMpcTransaction', () => {
       // Mock KMS responses for R share
       const rKmsNock = nock(kmsUrl)
         .get(`/key/${rInput.pub}`)
-        .query({ source: 'user' })
+        .query({ source: 'user', useLocalEncipherment: false })
         .reply(200, mockKmsResponse);
 
       const decryptDataKeyNock = nock(kmsUrl)
@@ -233,7 +233,7 @@ describe('signMpcTransaction', () => {
       // Mock KMS response for G share
       const gKmsNock = nock(kmsUrl)
         .get(`/key/${gInput.pub}`)
-        .query({ source: 'user' })
+        .query({ source: 'user', useLocalEncipherment: false })
         .reply(200, mockKmsResponse);
 
       const gResponse = await agent
@@ -261,7 +261,7 @@ describe('signMpcTransaction', () => {
 
       const kmsNock = nock(kmsUrl)
         .get(`/key/${input.pub}`)
-        .query({ source: 'user' })
+        .query({ source: 'user', useLocalEncipherment: false })
         .reply(404, { error: 'Key not found' });
 
       const response = await agent
@@ -300,7 +300,7 @@ describe('signMpcTransaction', () => {
 
       const kmsNock = nock(kmsUrl)
         .get(`/key/${input.pub}`)
-        .query({ source: 'user' })
+        .query({ source: 'user', useLocalEncipherment: false })
         .reply(200, mockKmsResponse);
 
       const response = await agent
@@ -400,7 +400,7 @@ describe('signMpcTransaction', () => {
       // Mock KMS responses for Round 1
       const kmsNock = nock(kmsUrl)
         .get(`/key/${round1Input.pub}`)
-        .query({ source: 'user' })
+        .query({ source: 'user', useLocalEncipherment: true })
         .reply(200, mockKmsResponse);
 
       const dataKeyNock = nock(kmsUrl).post('/generateDataKey').reply(200, mockDataKeyResponse);
@@ -462,7 +462,7 @@ describe('signMpcTransaction', () => {
       // Mock KMS responses for Round 2
       const r2KmsNock = nock(kmsUrl)
         .get(`/key/${round2Input.pub}`)
-        .query({ source: 'user' })
+        .query({ source: 'user', useLocalEncipherment: true })
         .reply(200, mockKmsResponse);
 
       const decryptDataKeyNock = nock(kmsUrl)
@@ -510,7 +510,7 @@ describe('signMpcTransaction', () => {
       // Mock KMS responses for Round 3
       const r3KmsNock = nock(kmsUrl)
         .get(`/key/${round3Input.pub}`)
-        .query({ source: 'user' })
+        .query({ source: 'user', useLocalEncipherment: true })
         .reply(200, mockKmsResponse);
 
       const r3DecryptDataKeyNock = nock(kmsUrl)
@@ -592,7 +592,7 @@ describe('signMpcTransaction', () => {
 
       const kmsNock = nock(kmsUrl)
         .get(`/key/${input.pub}`)
-        .query({ source: 'user' })
+        .query({ source: 'user', useLocalEncipherment: true })
         .reply(200, mockKmsResponse);
 
       const response = await agent
@@ -627,7 +627,7 @@ describe('signMpcTransaction', () => {
 
       const kmsNock = nock(kmsUrl)
         .get(`/key/${input.pub}`)
-        .query({ source: 'user' })
+        .query({ source: 'user', useLocalEncipherment: true })
         .reply(200, mockKmsResponse);
 
       const response = await agent
@@ -658,7 +658,7 @@ describe('signMpcTransaction', () => {
 
       const kmsNock = nock(kmsUrl)
         .get(`/key/${input.pub}`)
-        .query({ source: 'user' })
+        .query({ source: 'user', useLocalEncipherment: true })
         .reply(200, mockKmsResponse);
 
       const response = await agent
diff --git a/src/__tests__/api/enclaved/signMultisigTransaction.test.ts b/src/__tests__/api/enclaved/signMultisigTransaction.test.ts
@@ -105,7 +105,7 @@ describe('signMultisigTransaction', () => {
 
     const kmsNock = nock(kmsUrl)
       .get(`/key/${input.pub}`)
-      .query({ source: 'user' })
+      .query({ source: 'user', useLocalEncipherment: false })
       .reply(200, mockKmsResponse);
 
     const response = await agent
diff --git a/src/api/enclaved/handlers/mpcV2Finalize.ts b/src/api/enclaved/handlers/mpcV2Finalize.ts
@@ -6,7 +6,6 @@ import {
 } from '../../../enclavedBitgoExpress/routers/enclavedApiSpec';
 import { KmsClient } from '../../../kms/kmsClient';
 import assert from 'assert';
-import { MPCv2PartiesEnum } from '@bitgo/sdk-core/dist/src/bitgo/utils/tss/ecdsa';
 
 export async function mpcV2Finalize(
   req: EnclavedApiSpecRouteRequest<'v1.mpcv2.finalize', 'post'>,
@@ -35,12 +34,7 @@ export async function mpcV2Finalize(
     throw new Error('Session data is missing for finalization');
   }
   sessionData.dkgSessionBytes = new Uint8Array(Object.values(sessionData.dkgSessionBytes));
-  const session = await DklsDkg.Dkg.restoreSession(
-    3,
-    2,
-    source === 'user' ? MPCv2PartiesEnum.USER : MPCv2PartiesEnum.BACKUP,
-    sessionData,
-  );
+  const session = await DklsDkg.Dkg.restoreSession(3, 2, source === 'user' ? 0 : 1, sessionData);
 
   // processing incoming messages
   const incomingMessages = await DklsComms.decryptAndVerifyIncomingMessages(
@@ -65,6 +59,17 @@ export async function mpcV2Finalize(
     'Source and Bitgo Common keychains do not match',
   );
 
+  await kms.postKey({
+    coin: req.decoded.coin,
+    source: req.decoded.source,
+    pub: commonKeychain,
+    prv: privateMaterial.toString('base64'),
+    type: 'tss',
+    options: {
+      useLocalEncipherment: true,
+    },
+  });
+
   return {
     source,
     commonKeychain,
diff --git a/src/api/enclaved/handlers/signMpcTransaction.ts b/src/api/enclaved/handlers/signMpcTransaction.ts
@@ -89,9 +89,15 @@ export async function signMpcTransaction(req: EnclavedApiSpecRouteRequest<'v1.mp
 
   const bitgo = req.bitgo;
   const coinInstance = bitgo.coin(coin);
+  const options =
+    coinInstance.getMPCAlgorithm() === 'ecdsa'
+      ? {
+          useLocalEncipherment: true,
+        }
+      : undefined;
 
   // Get private key from KMS
-  const prv = await retrieveKmsPrvKey({ pub, source, cfg: req.config });
+  const prv = await retrieveKmsPrvKey({ pub, source, cfg: req.config, options });
 
   if (!prv) {
     const errorMsg = `Error while MPC signing, missing prv key for pub=${pub}, source=${source}`;
diff --git a/src/api/enclaved/utils.ts b/src/api/enclaved/utils.ts
@@ -8,16 +8,20 @@ export async function retrieveKmsPrvKey({
   pub,
   source,
   cfg,
+  options,
 }: {
   pub: string;
   source: string;
   cfg: EnclavedConfig;
+  options?: {
+    useLocalEncipherment?: boolean;
+  };
 }): Promise<string> {
   const kms = new KmsClient(cfg);
   // Retrieve the private key from KMS
   let prv: string;
   try {
-    const res = await kms.getKey({ pub, source });
+    const res = await kms.getKey({ pub, source, options });
     prv = res.prv;
     return prv;
   } catch (error: any) {
diff --git a/src/kms/kmsClient.ts b/src/kms/kmsClient.ts
@@ -63,9 +63,10 @@ export class KmsClient {
     // Call KMS to get the key
     let kmsResponse: any;
     try {
-      kmsResponse = await superagent
-        .get(`${this.url}/key/${params.pub}`)
-        .query({ source: params.source });
+      kmsResponse = await superagent.get(`${this.url}/key/${params.pub}`).query({
+        source: params.source,
+        useLocalEncipherment: params.options?.useLocalEncipherment ?? false,
+      });
     } catch (error: any) {
       console.log('Error getting key from KMS', error);
       throw error;
diff --git a/src/kms/types/getKey.ts b/src/kms/types/getKey.ts
@@ -3,6 +3,9 @@ import * as z from 'zod';
 export interface GetKeyParams {
   pub: string;
   source: string;
+  options?: {
+    useLocalEncipherment?: boolean;
+  };
 }
 
 export interface GetKeyResponse {
diff --git a/src/kms/types/postKey.ts b/src/kms/types/postKey.ts
@@ -7,6 +7,9 @@ export interface PostKeyParams {
   source: string;
   type: 'independent' | 'tss';
   seed?: string; // Optional seed for key generation
+  options?: {
+    useLocalEncipherment?: boolean;
+  };
 }
 
 export interface PostKeyResponse {

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,9 @@ import * as z from 'zod';`
`3`	`3`	`export interface GetKeyParams {`
`4`	`4`	`pub: string;`
`5`	`5`	`source: string;`
	`6`	`+ options?: {`
	`7`	`+ useLocalEncipherment?: boolean;`
	`8`	`+ };`
`6`	`9`	`}`
`7`	`10`
`8`	`11`	`export interface GetKeyResponse {`
Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,9 @@ export interface PostKeyParams {`
`7`	`7`	`source: string;`
`8`	`8`	`type: 'independent' \| 'tss';`
`9`	`9`	`seed?: string; // Optional seed for key generation`
	`10`	`+ options?: {`
	`11`	`+ useLocalEncipherment?: boolean;`
	`12`	`+ };`
`10`	`13`	`}`
`11`	`14`
`12`	`15`	`export interface PostKeyResponse {`