feat(ebe): KMS client and post independent key API

added a KMS client for EBE to connect to

added API for EBE to post independent keys

TICKET: WP_4374

Author: alextse-bg

package.json

@@ -17,6 +17,7 @@
     "generate-test-ssl": "openssl req -x509 -newkey rsa:2048 -keyout test-ssl-key.pem -out test-ssl-cert.pem -days 365 -nodes -subj '/CN=localhost'"
   },
   "dependencies": {
+    "bitgo": "^46.0.1",
     "body-parser": "^1.20.3",
     "connect-timeout": "^1.9.0",
     "debug": "^3.1.0",
@@ -54,6 +55,6 @@
     "typescript": "^4.2.4"
   },
   "engines": {
-    "node": ">=14"
+    "node": ">=14 <21"
   }
 }

src/api/enclaved/postIndependentKey.ts

@@ -0,0 +1,32 @@
+import { BitGo, KeyPair } from 'bitgo'
+import * as express from 'express'
+import { KmsClient } from '../../kms/kmsClient';
+
+export async function postIndependentKey(req: express.Request): Promise<any> {
+
+    const { source, _seed } = req.body;      // TODO: typing and seed handling
+    if (!source) {
+        throw new Error('Source is required for key generation');
+    }
+
+    // setup clients
+    const bitgo: BitGo = req.body.bitgo;
+    const kms = new KmsClient();
+
+    // create public and private key pairs on BitGo SDK
+    const coin = bitgo.coin(req.params.coin);
+    const { pub, prv } = coin.keychains().create();
+
+    if (!pub) {
+        throw new Error('BitGo SDK failed to create public key');
+    }
+
+    // post key to KMS for encryption and storage
+    return await kms.postKey({
+        pub,
+        prv,
+        coin: req.params.coin,
+        source,
+        type: 'independent',
+    });
+}

src/config.ts

@@ -43,7 +43,7 @@ function determineAppMode(): AppMode {
 // ENCLAVED MODE CONFIGURATION
 // ============================================================================
 
-const defaultEnclavedConfig: EnclavedConfig = {
+const defaultEnclavedConfig: Partial<EnclavedConfig> = {
   appMode: AppMode.ENCLAVED,
   port: 3080,
   bind: 'localhost',
@@ -68,6 +68,12 @@ function determineTlsMode(): TlsMode {
 }
 
 function enclavedEnvConfig(): Partial<EnclavedConfig> {
+  const kmsUrl = readEnvVar('KMS_URL');
+
+  if (!kmsUrl) {
+    throw new Error('KMS_URL environment variable is required and cannot be empty');
+  }
+
   return {
     appMode: AppMode.ENCLAVED,
     port: Number(readEnvVar('MASTER_BITGO_EXPRESS_PORT')),
@@ -80,6 +86,8 @@ function enclavedEnvConfig(): Partial<EnclavedConfig> {
     timeout: Number(readEnvVar('MASTER_BITGO_EXPRESS_TIMEOUT')),
     keepAliveTimeout: Number(readEnvVar('MASTER_BITGO_EXPRESS_KEEP_ALIVE_TIMEOUT')),
     headersTimeout: Number(readEnvVar('MASTER_BITGO_EXPRESS_HEADERS_TIMEOUT')),
+    // KMS settings
+    kmsUrl,
     // TLS settings
     keyPath: readEnvVar('MASTER_BITGO_EXPRESS_KEYPATH'),
     crtPath: readEnvVar('MASTER_BITGO_EXPRESS_CRTPATH'),
@@ -95,7 +103,7 @@ function enclavedEnvConfig(): Partial<EnclavedConfig> {
 
 function mergeEnclavedConfigs(...configs: Partial<EnclavedConfig>[]): EnclavedConfig {
   function get<T extends keyof EnclavedConfig>(k: T): EnclavedConfig[T] {
-    return configs.reduce(
+    return (configs as unknown as any[]).reduce(
       (entry: EnclavedConfig[T], config) =>
         !isNilOrNaN(config[k]) ? (config[k] as EnclavedConfig[T]) : entry,
       defaultEnclavedConfig[k],
@@ -112,6 +120,7 @@ function mergeEnclavedConfigs(...configs: Partial<EnclavedConfig>[]): EnclavedCo
     timeout: get('timeout'),
     keepAliveTimeout: get('keepAliveTimeout'),
     headersTimeout: get('headersTimeout'),
+    kmsUrl: get('kmsUrl'),
     keyPath: get('keyPath'),
     crtPath: get('crtPath'),
     tlsKey: get('tlsKey'),

src/kms/kmsClient.ts

@@ -0,0 +1,41 @@
+import debug from "debug";
+import * as superagent from "superagent";
+import { config, isMasterExpressConfig } from "../config";
+import { PostKeyParams, PostKeyResponse } from "./types/postKey";
+
+const debugLogger = debug('bitgo:express:kmsClient');
+
+export class KmsClient {
+    private readonly url: string;
+
+    constructor() {
+        const cfg = config();
+        if (isMasterExpressConfig(cfg)) {
+            throw new Error('Configuration is not in enclaved express mode');
+        }
+
+        if (!cfg.kmsUrl) {
+            throw new Error('KMS URL not configured. Please set KMS_URL in your environment.');
+        }
+
+        this.url = cfg.kmsUrl;
+        debugLogger('kmsClient initialized with URL: %s', this.url);
+    }
+
+    async postKey(params: PostKeyParams): Promise<PostKeyResponse> {
+        debugLogger('Posting key to KMS: %O', params);
+
+        try {
+            const kmsResponse = await superagent.post(`${this.url}/key`)
+                .set("x-api-key", "abc")
+                .send(params);
+                
+            const { pub, coin, source, type } = kmsResponse.body;
+            return { pub, coin, source } as PostKeyResponse;
+        } catch (error) {           // TODO: better error handling
+            const err = error as Error;
+            debugLogger('Error posting key to KMS: %O', err);
+            throw new Error(`Failed to post key to KMS: ${err.message}`);
+        }
+    }
+}

src/kms/types/postKey.ts

@@ -0,0 +1,15 @@
+export interface PostKeyParams {
+    prv: string;
+    pub: string;
+    coin: string;
+    source: string;
+    type: 'independent' | 'enclaved';
+    seed?: string; // Optional seed for key generation
+}
+
+export interface PostKeyResponse {
+    pub: string;
+    coin: string;
+    source: string;
+    type: 'independent' | 'enclaved';
+}

src/routes.ts

@@ -4,6 +4,8 @@
 import express from 'express';
 import debug from 'debug';
 import pjson from '../package.json';
+import { BitGo, BitGoOptions } from 'bitgo';
+import { postIndependentKey } from './api/enclaved/postIndependentKey';
 
 const debugLogger = debug('enclaved:routes');
 
@@ -37,8 +39,16 @@ function setupPingRoutes(app: express.Application) {
   app.get('/version', promiseWrapper(handleVersionInfo));
 }
 
-function setupKeyGenRoutes() {
+function prepBitGo(req: express.Request, res: express.Response, next: express.NextFunction) {
+  const bitgoConstructorParams: BitGoOptions = {};
+  req.body.bitgo = new BitGo(bitgoConstructorParams);
+
+  next();
+};
+
+function setupKeyGenRoutes(app: express.Application) {
   // Register additional routes here as needed
+  app.post('/:coin/independentKey', prepBitGo, promiseWrapper(postIndependentKey));
   debugLogger('KeyGen routes configured');
 }
 
@@ -51,7 +61,7 @@ export function setupRoutes(app: express.Application): void {
   setupPingRoutes(app);
 
   // Register keygen routes
-  setupKeyGenRoutes();
+  setupKeyGenRoutes(app);
 
   // Add a catch-all for unsupported routes
   app.use('*', (_req, res) => {

src/types.ts

@@ -30,6 +30,8 @@ interface BaseConfig {
 // Enclaved mode specific configuration
 export interface EnclavedConfig extends BaseConfig {
   appMode: AppMode.ENCLAVED;
+  // KMS settings
+  kmsUrl: string;
   // TLS settings
   keyPath?: string;
   crtPath?: string;