WIP: generate eddsa tss wallet

Author: mohammadalfaiyazbitgo

src/api/enclaved/mpcFinalize.ts

@@ -1,5 +1,4 @@
 import * as bitgoSdk from '@bitgo/sdk-core';
-import * as crypto from 'crypto';
 import * as openpgp from 'openpgp';
 import {
   EnclavedApiSpecRouteRequest,
@@ -32,7 +31,10 @@ export async function eddsaFinalize(req: EnclavedApiSpecRouteRequest<'v1.mpc.fin
   // Decrypt the encrypted payload using encryptedDataKey to retrieve the previous state of computation
   const decryptedDataKey = await kms.decryptDataKey(encryptedDataKey);
   const previousState = JSON.parse(
-    crypto.publicDecrypt(Buffer.from(decryptedDataKey), Buffer.from(encryptedData)).toString(),
+    req.bitgo.decrypt({
+      input: encryptedData,
+      password: decryptedDataKey,
+    }),
   );
   console.log('Decrypted previous state:', previousState);
   const { sourceGpgPub, sourceGpgPrv, sourcePrivateShare } = previousState;
@@ -51,8 +53,8 @@ export async function eddsaFinalize(req: EnclavedApiSpecRouteRequest<'v1.mpc.fin
   );
 
   await eddsaUtils.verifyWalletSignatures(
-    sourceGpgPub,
-    counterPartyGpgPub,
+    source === 'user' ? sourceGpgPub : counterPartyGpgPub,
+    source === 'user' ? counterPartyGpgPub : sourceGpgPub,
     bitgoKeyChain,
     bitgoToSourcePrivateShare,
     sourceIndex,
@@ -111,7 +113,7 @@ export async function eddsaFinalize(req: EnclavedApiSpecRouteRequest<'v1.mpc.fin
     console.log('Common keychain:', commonKeychain);
 
     // if counterPartyGpgPub is provided, encrypt the private key share to be sent to the counter party
-    if (!sourceToCounterPartyKeyShare) {
+    if (sourceToCounterPartyKeyShare) {
       sourceToCounterPartyKeyShare = {
         ...sourceToCounterPartyKeyShare,
         privateShare: counterPartyGpgPub
@@ -137,16 +139,18 @@ export async function eddsaFinalize(req: EnclavedApiSpecRouteRequest<'v1.mpc.fin
  * Helper function to encrypt text using OpenPGP
  */
 async function gpgEncrypt(text: string, key: string): Promise<string> {
-  return await openpgp.encrypt({
-    message: await openpgp.createMessage({ text }),
-    encryptionKeys: await openpgp.readKey({ armoredKey: key }),
-    format: 'armored',
-    config: {
-      rejectCurves: new Set(),
-      showVersion: false,
-      showComment: false,
-    },
-  });
+  return (
+    await openpgp.encrypt({
+      message: await openpgp.createMessage({ text }),
+      encryptionKeys: await openpgp.readKey({ armoredKey: key }),
+      format: 'armored',
+      config: {
+        rejectCurves: new Set(),
+        showVersion: false,
+        showComment: false,
+      },
+    })
+  ).toString();
 }
 
 /**
@@ -166,7 +170,7 @@ async function gpgDecrypt(text: string, key: string): Promise<string> {
     })
   ).data;
 
-  return decryptedPrivateShare;
+  return decryptedPrivateShare.toString();
 }
 
 // /**

src/api/enclaved/mpcInitialize.ts

@@ -1,6 +1,5 @@
 import * as bitgoSdk from '@bitgo/sdk-core';
 import { KmsClient } from '../../kms/kmsClient';
-import * as crypto from 'crypto';
 import {
   EnclavedApiSpecRouteRequest,
   KeyShareType,
@@ -97,30 +96,38 @@ export async function eddsaInitialize(
     counterPartyKeyShare: counterPartyGpgPub ? undefined : counterPartyKeyShare, // if counterPartyGpgPub is NOT gpg encrypted, store in payload to be encrypted in finalize
   };
   const { plaintextKey, encryptedKey } = await kms.generateDataKey({ keyType: 'AES-256' });
-  const encryptedPayload = crypto
-    .publicEncrypt(Buffer.from(plaintextKey), Buffer.from(JSON.stringify(payload)))
-    .toString();
-
-  return {
-    encryptedDataKey: encryptedKey,
-    encryptedData: encryptedPayload,
-    bitgoKeyShare,
-    counterPartyKeyShare: counterPartyGpgPub ? counterPartyKeyShare : undefined, // if counterPartyGpgPub is encrypted, send the key share unecrypted
-  };
+  console.log({ plaintextKey, source });
+  try {
+    const encryptedPayload = req.bitgo.encrypt({
+      input: JSON.stringify(payload),
+      password: plaintextKey,
+    });
+    return {
+      encryptedDataKey: encryptedKey,
+      encryptedData: encryptedPayload,
+      bitgoPayload: bitgoKeyShare,
+      counterPartyKeyShare: counterPartyGpgPub ? counterPartyKeyShare : undefined, // if counterPartyGpgPub is encrypted, send the key share unecrypted
+    };
+  } catch (error) {
+    console.error('Encryption error details:', error);
+    throw error;
+  }
 }
 
 /**
  * Helper function to encrypt text using OpenPGP
  */
 async function gpgEncrypt(text: string, key: string): Promise<string> {
-  return await openpgp.encrypt({
-    message: await openpgp.createMessage({ text }),
-    encryptionKeys: await openpgp.readKey({ armoredKey: key }),
-    format: 'armored',
-    config: {
-      rejectCurves: new Set(),
-      showVersion: false,
-      showComment: false,
-    },
-  });
+  return (
+    await openpgp.encrypt({
+      message: await openpgp.createMessage({ text }),
+      encryptionKeys: await openpgp.readKey({ armoredKey: key }),
+      format: 'armored',
+      config: {
+        rejectCurves: new Set(),
+        showVersion: false,
+        showComment: false,
+      },
+    })
+  ).toString();
 }

src/enclavedBitgoExpress/routers/enclavedApiSpec.ts

@@ -92,6 +92,7 @@ const KeyShare = {
   vssProof: t.string,
   gpgKey: t.string,
 };
+
 const KeyShareType = t.type(KeyShare);
 export type KeyShareType = t.TypeOf<typeof KeyShareType>;
 
@@ -118,7 +119,8 @@ const BitGoKeychainType = t.type({
   type: t.literal('tss'),
   commonKeychain: t.string,
   verifiedVssProof: t.boolean,
-  keyShares: t.array(KeyShareType),
+  // TODO: api-ts does not like optionalized gpgKey
+  keyShares: t.array(t.any),
 });
 
 const MpcFinalizeRequest = {
@@ -274,6 +276,7 @@ export function createKeyGenRouter(config: EnclavedConfig): WrappedRouter<typeof
       try {
         const typedReq = _req as EnclavedApiSpecRouteRequest<'v1.mpc.initialize', 'post'>;
         const response = await eddsaInitialize(typedReq);
+        console.log(response);
         return Response.ok(response);
       } catch (error) {
         const err = error as Error;

src/kms/kmsClient.ts

@@ -103,12 +103,12 @@ export class KmsClient {
     }
 
     return {
-      plaintextKey: kmsResponse.plaintextKey.split(',').map((x: any) => parseInt(x, 10)),
-      encryptedKey: kmsResponse.encryptedKey,
+      plaintextKey: kmsResponse.body.plaintextKey,
+      encryptedKey: kmsResponse.body.encryptedKey,
     };
   }
 
-  async decryptDataKey(encryptedKey: string): Promise<Uint8Array> {
+  async decryptDataKey(encryptedKey: string): Promise<string> {
     debugLogger('Decrypting data key: %s', encryptedKey);
 
     // Call KMS to decrypt the data key
@@ -127,6 +127,8 @@ export class KmsClient {
       throw new Error('KMS did not return a valid plaintext key');
     }
 
-    return kmsResponse.body.plaintextKey;
+    console.log(kmsResponse.body);
+    console.log(`PlaintextKey: ${kmsResponse.body.plaintextKey.toString()}`);
+    return kmsResponse.body.plaintextKey.toString();
   }
 }

src/kms/types/generateDataKey.ts

@@ -5,7 +5,7 @@ export interface GenerateDataKeyParams {
 }
 
 export interface GenerateDataKeyResponse {
-  plaintextKey: Uint8Array;
+  plaintextKey: string;
   encryptedKey: string;
 }
 

src/masterBitgoExpress/enclavedExpressClient.ts

@@ -2,7 +2,7 @@ import https from 'https';
 import debug from 'debug';
 import superagent from 'superagent';
 
-import { Keychain, SignedTransaction, TransactionPrebuild } from '@bitgo/sdk-core';
+import { ApiKeyShare, Keychain, SignedTransaction, TransactionPrebuild } from '@bitgo/sdk-core';
 import { superagentRequestFactory, buildApiClient, ApiClient } from '@api-ts/superagent-wrapper';
 import { OfflineVaultTxInfo, RecoveryInfo, UnsignedSweepTxMPCv2 } from '@bitgo/sdk-coin-eth';
 
@@ -34,6 +34,7 @@ export type FinalizeMpcKeyGenerationParams = {
     verifiedVssProof: boolean;
     isBitGo?: boolean;
     isTrust?: boolean;
+    keyShares: ApiKeyShare[];
   };
   counterPartyGPGKey: string;
   counterPartyKeyShare: KeyShareType;
@@ -315,7 +316,7 @@ export class EnclavedExpressClient {
           source: 'bitgo',
           type: 'tss',
           commonKeychain: bitgoKeychain.commonKeychain ?? '',
-          keyShares: bitgoKeychain.keyShares as any[],
+          keyShares: bitgoKeychain.keyShares,
         },
         counterPartyGpgPub: params.counterPartyGPGKey,
         counterPartyKeyShare: params.counterPartyKeyShare,

src/masterBitgoExpress/generateWallet.ts

@@ -139,13 +139,12 @@ export async function handleGenerateOnPremMpcWallet(
   const { label, enterprise } = req.decoded;
 
   // Create wallet parameters with type assertion to allow 'tss' subtype
-  const walletParams = {
+  const walletParams: SupplementGenerateWalletOptions = {
     label: label,
     m: 2,
     n: 3,
     keys: [],
-    type: 'hot',
-    subType: 'tss',
+    type: 'cold',
     multisigType: 'tss',
   } as unknown as SupplementGenerateWalletOptions;
 
@@ -206,7 +205,9 @@ export async function handleGenerateOnPremMpcWallet(
     reqId,
   });
 
-  console.log('BitGo keychain created:', bitgoKeychain);
+  console.log('User BitGo payload:', JSON.stringify(userInitResponse.bitgoPayload, null, 2));
+  console.log('Backup BitGo payload:', JSON.stringify(backupInitResponse.bitgoPayload, null, 2));
+  console.log('BitGo keychain keyShares:', JSON.stringify(bitgoKeychain.keyShares, null, 2));
 
   // TODO Create proper type guard for bitgoKeychain
   assert(bitgoKeychain.type === 'tss', 'BitGo keychain must be of type tss');
@@ -229,7 +230,7 @@ export async function handleGenerateOnPremMpcWallet(
       verifiedVssProof: true,
       isBitGo: true, // Ensure BitGo keychain is marked as BitGo
       isTrust: false,
-      keyShares: bitgoKeychain.keyShares,
+      keyShares: bitgoKeychain.keyShares as KeyShareType[], // Ensure keyShares are included
     },
     counterPartyGPGKey: backupGPGKey,
     counterPartyKeyShare: backupInitResponse.counterPartyKeyShare,
@@ -245,6 +246,7 @@ export async function handleGenerateOnPremMpcWallet(
   });
 
   console.log('User keychain finalized:', userMpcKey);
+  console.log(userKeychainPromise.counterpartyKeyShare);
 
   const backupKeychainPromise = await enclavedExpressClient.finalizeMpcKeyGeneration({
     source: 'backup',
@@ -256,12 +258,13 @@ export async function handleGenerateOnPremMpcWallet(
       commonKeychain: bitgoKeychain.commonKeychain ?? '',
       hsmType: bitgoKeychain.hsmType,
       type: 'tss',
-      source: 'bitgo', // Ensure BitGo keychain is marked as BitGo
+      source: 'bitgo',
       verifiedVssProof: true,
-      isBitGo: true, // Ensure BitGo keychain is marked as BitGo
+      isBitGo: true,
       isTrust: false,
+      keyShares: bitgoKeychain.keyShares as any, // Ensure keyShares are included
     },
-    counterPartyGPGKey: userGPGKey as string, // not sure why I have to cast this here
+    counterPartyGPGKey: userGPGKey,
     counterPartyKeyShare: userKeychainPromise.counterpartyKeyShare as KeyShareType, // also not sure why I have to cast this here
   });