BitGo
diff --git a/‎src/api/enclaved/handlers/mpcV2Finalize.ts‎
Lines changed: 72 additions & 0 deletions b/‎src/api/enclaved/handlers/mpcV2Finalize.ts‎
Lines changed: 72 additions & 0 deletions
diff --git a/‎src/api/enclaved/handlers/mpcV2Initialize.ts‎
Lines changed: 49 additions & 0 deletions b/‎src/api/enclaved/handlers/mpcV2Initialize.ts‎
Lines changed: 49 additions & 0 deletions
diff --git a/‎src/api/enclaved/handlers/mpcV2Round.ts‎
Lines changed: 170 additions & 0 deletions b/‎src/api/enclaved/handlers/mpcV2Round.ts‎
Lines changed: 170 additions & 0 deletions
@@ -0,0 +1,72 @@
+import { DklsComms, DklsDkg, DklsTypes } from '@bitgo-beta/sdk-lib-mpc';
+import {
+  EnclavedApiSpecRouteRequest,
+  MpcV2FinalizeResponseType,
+  MpcV2RoundState,
+} from '../../../enclavedBitgoExpress/routers/enclavedApiSpec';
+import { KmsClient } from '../../../kms/kmsClient';
+import assert from 'assert';
+import { MPCv2PartiesEnum } from '@bitgo/sdk-core/dist/src/bitgo/utils/tss/ecdsa';
+
+export async function mpcV2Finalize(
+  req: EnclavedApiSpecRouteRequest<'v1.mpcv2.finalize', 'post'>,
+): Promise<MpcV2FinalizeResponseType> {
+  const { source, encryptedData, encryptedDataKey, broadcastMessages, bitgoCommonKeychain } =
+    req.decoded;
+
+  // setup clients
+  const kms = new KmsClient(req.config);
+
+  // fetch previous state of execution
+  const { plaintextKey } = await kms.decryptDataKey({ encryptedKey: encryptedDataKey });
+  const state: MpcV2RoundState = JSON.parse(
+    req.bitgo.decrypt({
+      input: encryptedData,
+      password: plaintextKey,
+    }),
+  );
+  if (!state.bitgoGpgPub || !state.counterPartyGpgPub) {
+    throw new Error('BitGo GPG public key or counterparty GPG public key is missing in state');
+  }
+  const { sessionData, sourceGpgPrv, bitgoGpgPub, counterPartyGpgPub } = state;
+
+  // restore session data and cast necessary fields into Uint8Array
+  if (!sessionData) {
+    throw new Error('Session data is missing for finalization');
+  }
+  sessionData.dkgSessionBytes = new Uint8Array(Object.values(sessionData.dkgSessionBytes));
+  const session = await DklsDkg.Dkg.restoreSession(
+    3,
+    2,
+    source === 'user' ? MPCv2PartiesEnum.USER : MPCv2PartiesEnum.BACKUP,
+    sessionData,
+  );
+
+  // processing incoming messages
+  const incomingMessages = await DklsComms.decryptAndVerifyIncomingMessages(
+    {
+      broadcastMessages: Object.values(broadcastMessages),
+      p2pMessages: [],
+    },
+    [bitgoGpgPub, counterPartyGpgPub],
+    [sourceGpgPrv],
+  );
+  const deserializedIncomingMessages = DklsTypes.deserializeMessages(incomingMessages);
+  session.handleIncomingMessages(deserializedIncomingMessages);
+
+  // get the common keychain
+  const privateMaterial = session.getKeyShare();
+  const commonKeychain = DklsTypes.getCommonKeychain(privateMaterial);
+
+  // verify the common keychain matches the Bitgo Common keychain
+  assert.equal(
+    bitgoCommonKeychain,
+    commonKeychain,
+    'Source and Bitgo Common keychains do not match',
+  );
+
+  return {
+    source,
+    commonKeychain,
+  };
+}
@@ -0,0 +1,49 @@
+import {
+  EnclavedApiSpecRouteRequest,
+  MpcV2InitializeResponseType,
+  MpcV2RoundState,
+} from '../../../enclavedBitgoExpress/routers/enclavedApiSpec';
+import { KmsClient } from '../../../kms/kmsClient';
+import * as bitgoSdk from '@bitgo/sdk-core';
+import logger from '../../../logger';
+import { MPCv2PartiesEnum } from '@bitgo/sdk-core/dist/src/bitgo/utils/tss/ecdsa';
+
+export async function mpcV2Initialize(
+  req: EnclavedApiSpecRouteRequest<'v1.mpcv2.initialize', 'post'>,
+): Promise<MpcV2InitializeResponseType> {
+  const { source } = req.decoded;
+
+  // setup clients
+  const kms = new KmsClient(req.config);
+
+  // generate keys required
+  const sourceGpgKey = await bitgoSdk.generateGPGKeyPair('secp256k1');
+  const { plaintextKey, encryptedKey } = await kms.generateDataKey({ keyType: 'AES-256' });
+
+  // store the state of execution
+  const state: MpcV2RoundState = {
+    round: 1,
+    sourceGpgPrv: {
+      gpgKey: sourceGpgKey.privateKey,
+      partyId: source === 'user' ? MPCv2PartiesEnum.USER : MPCv2PartiesEnum.BACKUP,
+    },
+  };
+
+  try {
+    // Encrypt the state with the plaintext key
+    const encryptedData = req.bitgo.encrypt({
+      input: JSON.stringify(state),
+      password: plaintextKey,
+    });
+
+    return {
+      gpgPub: sourceGpgKey.publicKey,
+      encryptedDataKey: encryptedKey,
+      encryptedData,
+    };
+  } catch (error) {
+    logger.debug('Failed to initialize mpc key generation', error);
+    console.error('Encryption error details:', error);
+    throw error;
+  }
+}
@@ -0,0 +1,170 @@
+import { DklsComms, DklsDkg, DklsTypes } from '@bitgo-beta/sdk-lib-mpc';
+import {
+  EnclavedApiSpecRouteRequest,
+  MpcV2RoundResponseType,
+  MpcV2RoundState,
+} from '../../../enclavedBitgoExpress/routers/enclavedApiSpec';
+import { MPCv2PartiesEnum } from '@bitgo/sdk-core/dist/src/bitgo/utils/tss/ecdsa';
+import { KmsClient } from '../../../kms/kmsClient';
+
+export async function mpcV2Round(
+  req: EnclavedApiSpecRouteRequest<'v1.mpcv2.round', 'post'>,
+): Promise<MpcV2RoundResponseType> {
+  const { source, encryptedData, encryptedDataKey, round, broadcastMessages, p2pMessages } =
+    req.decoded;
+  const bitgoGpgPubInput = req.body.bitgoGpgPub;
+  const counterPartyGpgPubInput = req.body.counterPartyGpgPub;
+
+  // setup clients
+  const kms = new KmsClient(req.config);
+
+  // sanity checks
+  if (round < 1 || round > 4) {
+    throw new Error('Round must be between 1 and 4');
+  }
+
+  if (!broadcastMessages && !p2pMessages && round > 1) {
+    throw new Error('At least one of broadcastMessages or p2pMessages must be provided');
+  }
+
+  if (broadcastMessages && Object.keys(broadcastMessages).length === 0) {
+    throw new Error('broadcastMessages did not contain all required messages');
+  }
+
+  if (p2pMessages && Object.keys(p2pMessages).length === 0) {
+    throw new Error('p2pMessages did not contain all required messages');
+  }
+
+  // fetch previous state of execution
+  const { plaintextKey } = await kms.decryptDataKey({ encryptedKey: encryptedDataKey });
+  const state: MpcV2RoundState = JSON.parse(
+    req.bitgo.decrypt({
+      input: encryptedData,
+      password: plaintextKey,
+    }),
+  );
+
+  // sanity checks against previous state and set GPG pub keys in state
+  if (!state.bitgoGpgPub) {
+    state.bitgoGpgPub = {
+      gpgKey: bitgoGpgPubInput,
+      partyId: MPCv2PartiesEnum.BITGO,
+    };
+  } else if (bitgoGpgPubInput && state.bitgoGpgPub.gpgKey !== bitgoGpgPubInput) {
+    throw new Error(
+      `BitGo GPG public key mismatch: expected ${state.bitgoGpgPub}, got ${bitgoGpgPubInput}`,
+    );
+  }
+
+  if (!state.counterPartyGpgPub) {
+    state.counterPartyGpgPub = {
+      gpgKey: counterPartyGpgPubInput,
+      partyId: source === 'user' ? MPCv2PartiesEnum.BACKUP : MPCv2PartiesEnum.USER,
+    };
+  } else if (
+    counterPartyGpgPubInput &&
+    state.counterPartyGpgPub.gpgKey !== counterPartyGpgPubInput
+  ) {
+    throw new Error(
+      `Counterparty GPG public key mismatch: expected ${state.counterPartyGpgPub}, got ${counterPartyGpgPubInput}`,
+    );
+  }
+
+  if (state.round !== round) {
+    throw new Error(`Round mismatch: expected ${state.round}, got ${round}`);
+  }
+  const { sourceGpgPrv, bitgoGpgPub, counterPartyGpgPub, sessionData } = state;
+
+  // restore session data and cast necessary fields into Uint8Array
+  if (!sessionData && round > 1) {
+    throw new Error('Session data is missing for round greater than 1');
+  } else if (sessionData) {
+    sessionData.dkgSessionBytes = new Uint8Array(Object.values(sessionData.dkgSessionBytes));
+    sessionData.chainCodeCommitment = new Uint8Array(
+      Object.values(sessionData.chainCodeCommitment || {}),
+    );
+  }
+  const session =
+    round === 1
+      ? new DklsDkg.Dkg(3, 2, source === 'user' ? MPCv2PartiesEnum.USER : MPCv2PartiesEnum.BACKUP)
+      : await DklsDkg.Dkg.restoreSession(
+          3,
+          2,
+          source === 'user' ? MPCv2PartiesEnum.USER : MPCv2PartiesEnum.BACKUP,
+          sessionData as DklsDkg.DkgSessionData,
+        );
+
+  // decrypt incoming messages and handle them to form outgoing messages
+  let outgoingMessages: DklsTypes.DeserializedMessages = { broadcastMessages: [], p2pMessages: [] };
+  if (round === 1) {
+    outgoingMessages.broadcastMessages = [await session.initDkg()];
+  } else {
+    // decrypt messages, they should be auth by bitgoGpgPub, counterPartyGpgPub; and decrypt by sourceGpgPrv
+    const incomingMessages = await DklsComms.decryptAndVerifyIncomingMessages(
+      {
+        p2pMessages: Object.values(p2pMessages || {}),
+        broadcastMessages: Object.values(broadcastMessages || {}),
+      },
+      [bitgoGpgPub, counterPartyGpgPub],
+      [sourceGpgPrv],
+    );
+
+    const deserializedIncomingMessages = DklsTypes.deserializeMessages(incomingMessages);
+
+    // generate outgoing messages based on incoming messages
+    try {
+      outgoingMessages = session.handleIncomingMessages(deserializedIncomingMessages);
+    } catch (error: any) {
+      console.error('Error handling incoming messages:', error);
+      throw new Error(`Failed to handle incoming messages: ${error.message}`);
+    }
+  }
+
+  // cast outgoing messages commitment to Uint8Array if not already
+  outgoingMessages.p2pMessages = outgoingMessages.p2pMessages.map((msg) => {
+    if (!(msg.commitment instanceof Uint8Array))
+      return { ...msg, commitment: new Uint8Array(Object.values(msg.commitment as any)) };
+    return msg;
+  });
+
+  // sign and encrypt outgoing messages
+  const serializedOutgoingMessages = DklsTypes.serializeMessages(outgoingMessages);
+  const signedMessages = await DklsComms.encryptAndAuthOutgoingMessages(
+    serializedOutgoingMessages,
+    [bitgoGpgPub, counterPartyGpgPub],
+    [sourceGpgPrv],
+  );
+
+  // re-encrypt state
+  let newEncryptedData;
+  try {
+    newEncryptedData = req.bitgo.encrypt({
+      input: JSON.stringify({
+        ...state,
+        round: state.round + 1,
+        sessionData: session.getSessionData(),
+      }),
+      password: plaintextKey,
+    });
+  } catch (error) {
+    console.error('Encryption error details:', error);
+    throw error;
+  }
+
+  return {
+    round: state.round + 1,
+    encryptedDataKey,
+    encryptedData: newEncryptedData,
+    p2pMessages:
+      signedMessages.p2pMessages.length > 0
+        ? {
+            bitgo: signedMessages.p2pMessages.find((msg) => msg.to === MPCv2PartiesEnum.BITGO),
+            counterParty: signedMessages.p2pMessages.find(
+              (msg) => msg.to !== MPCv2PartiesEnum.BITGO,
+            ),
+          }
+        : undefined,
+    broadcastMessage:
+      signedMessages.broadcastMessages.length > 0 ? signedMessages.broadcastMessages[0] : undefined,
+  };
+}