feat: Vincent Wrapped Keys

- Renamed `decryptVincentWrappedKey` -> `exportPrivateKey` to match existing wrapped keys SDK terminology
- Resolved `TS80009` errors by removing `@Typedef` from tsdocs
- Updated APIs for `evmContractConditions`
- Updated APIs for `delegatorAddress` both in inputs and returned outputs from storage backend
- Added explicit exported types for exportPrivateKey inputs and outputs (now matches our existing APIs structures)
- Removed unused sessionSigs helper code from the api layer
- Removed unused getDecryptedKeyToSingleNode
- Renamed `delegateeSessionSigs` arg in generate methods to `delegatorSessionSigs`, since only delegators are allowed to generate sessionSigs per current spec
- Paramaterized `evmContractConditions` in `getSolanaKeyPair()` -- this is now stored along with other wrapped key metadata and should _not_ be assumed to be static.
- Updated REST API paths and arguments in `service-client` to match current paths
- Removed unused devDependency on @lit-protocol/lit-node-client (we only use its type)
- Use `removeSaltFromDecryptedKey()` in all places where we need to remove salt from the decrypted key (both exporting and inside of helper for solana wrapped keypair composition)
- Updated `exportPrivateKey` API to match existing wrapped key behaviour patterns -- it now fetches the encrypted wrapped key from the storage backend using the `id` instead of expecting the consumer to use the service-client directly to fetch it

Author: MaximusHaximus

packages/libs/wrapped-keys/package.json

@@ -1,10 +1,11 @@
 {
   "name": "@lit-protocol/vincent-wrapped-keys",
-  "version": "0.1.0",
+  "version": "0.6.0",
   "publishConfig": {
     "access": "public"
   },
   "dependencies": {
+    "@lit-protocol/auth-helpers": "^8.0.2",
     "@lit-protocol/constants": "^7.3.0",
     "@lit-protocol/types": "^7.2.3",
     "@lit-protocol/vincent-contracts-sdk": "workspace:*",
@@ -25,6 +26,7 @@
     }
   },
   "devDependencies": {
+    "@lit-protocol/lit-node-client": "^7.2.3",
     "@types/semver": "^7.7.0",
     "chokidar-cli": "^3.0.0",
     "ipfs-only-hash": "^4.0.0",

packages/libs/wrapped-keys/src/index.ts

@@ -1,4 +1,8 @@
-import type { SupportedNetworks } from './lib/service-client/types';
+import type {
+  SupportedNetworks,
+  StoreKeyParams,
+  StoreKeyBatchParams,
+} from './lib/service-client/types';
 import type {
   GetEncryptedKeyDataParams,
   GeneratePrivateKeyParams,
@@ -16,6 +20,8 @@ import type {
   BatchGeneratePrivateKeysResult,
   Network,
   KeyType,
+  ExportPrivateKeyParams,
+  ExportPrivateKeyResult,
 } from './lib/types';
 
 import {
@@ -25,7 +31,7 @@ import {
   listEncryptedKeyMetadata,
   batchGeneratePrivateKeys,
   storeEncryptedKeyBatch,
-  getVincentRegistryAccessControlCondition,
+  exportPrivateKey,
 } from './lib/api';
 import { CHAIN_YELLOWSTONE, LIT_PREFIX, NETWORK_SOLANA, KEYTYPE_ED25519 } from './lib/constants';
 import { getSolanaKeyPairFromWrappedKey } from './lib/lit-actions-client';
@@ -44,7 +50,7 @@ export const api = {
   storeEncryptedKey,
   storeEncryptedKeyBatch,
   batchGeneratePrivateKeys,
-  getVincentRegistryAccessControlCondition,
+  exportPrivateKey,
   litActionHelpers: {
     getSolanaKeyPairFromWrappedKey,
   },
@@ -68,4 +74,8 @@ export {
   BatchGeneratePrivateKeysResult,
   Network,
   KeyType,
+  StoreKeyParams,
+  StoreKeyBatchParams,
+  ExportPrivateKeyParams,
+  ExportPrivateKeyResult,
 };

packages/libs/wrapped-keys/src/lib/api/batch-generate-private-keys.ts

@@ -1,3 +1,5 @@
+import { getVincentWrappedKeysAccs } from '@lit-protocol/vincent-contracts-sdk';
+
 import type {
   BatchGeneratePrivateKeysParams,
   BatchGeneratePrivateKeysResult,
@@ -7,7 +9,7 @@ import type {
 import { batchGenerateKeysWithLitAction } from '../lit-actions-client';
 import { getLitActionCommonCid } from '../lit-actions-client/utils';
 import { storePrivateKeyBatch } from '../service-client';
-import { getKeyTypeFromNetwork, getVincentRegistryAccessControlCondition } from './utils';
+import { getKeyTypeFromNetwork } from './utils';
 
 /**
  * Generates multiple random private keys inside a Lit Action for Vincent delegators,
@@ -26,7 +28,7 @@ export async function batchGeneratePrivateKeys(
 ): Promise<BatchGeneratePrivateKeysResult> {
   const { jwtToken, delegatorAddress, litNodeClient } = params;
 
-  const allowDelegateeToDecrypt = await getVincentRegistryAccessControlCondition({
+  const vincentWrappedKeysAccs = await getVincentWrappedKeysAccs({
     delegatorAddress,
   });
 
@@ -35,14 +37,16 @@ export async function batchGeneratePrivateKeys(
   const actionResults = await batchGenerateKeysWithLitAction({
     ...params,
     litActionIpfsCid,
-    accessControlConditions: [allowDelegateeToDecrypt],
+    evmContractConditions: vincentWrappedKeysAccs,
   });
 
-  const keyParamsBatch = actionResults.map((keyData) => {
+  const keyParamsBatch = actionResults.map((keyData, index) => {
     const { generateEncryptedPrivateKey } = keyData;
     return {
       ...generateEncryptedPrivateKey,
       keyType: getKeyTypeFromNetwork('solana'),
+      delegatorAddress,
+      evmContractConditions: actionResults[index].generateEncryptedPrivateKey.evmContractConditions,
     };
   });
 
@@ -56,17 +60,17 @@ export async function batchGeneratePrivateKeys(
     const {
       generateEncryptedPrivateKey: { memo, publicKey },
     } = actionResult;
-    const id = ids[index]; // Result of writes is in same order as provided
+    const id = ids[index]; // Result of writes is returned in the same order as provided
 
     const signature = actionResult.signMessage?.signature;
 
     return {
       ...(signature ? { signMessage: { signature } } : {}),
       generateEncryptedPrivateKey: {
+        delegatorAddress,
         memo,
         id,
         generatedPublicKey: publicKey,
-        delegatorAddress,
       },
     };
   });

packages/libs/wrapped-keys/src/lib/api/export-private-key.ts

@@ -0,0 +1,47 @@
+import type { ExportPrivateKeyParams, ExportPrivateKeyResult } from '../types';
+
+import { fetchPrivateKey } from '../service-client';
+import { removeSaltFromDecryptedKey } from '../utils';
+
+export const exportPrivateKey = async ({
+  litNodeClient,
+  delegatorSessionSigs,
+  jwtToken,
+  id,
+  delegatorAddress,
+}: ExportPrivateKeyParams): Promise<ExportPrivateKeyResult> => {
+  const storedKeyMetadata = await fetchPrivateKey({
+    delegatorAddress,
+    id,
+    jwtToken,
+    litNetwork: litNodeClient.config.litNetwork,
+  });
+
+  const {
+    ciphertext,
+    dataToEncryptHash,
+    evmContractConditions,
+    publicKey,
+    keyType,
+    litNetwork,
+    memo,
+  } = storedKeyMetadata;
+
+  const { decryptedData } = await litNodeClient.decrypt({
+    sessionSigs: delegatorSessionSigs,
+    ciphertext: ciphertext,
+    dataToEncryptHash: dataToEncryptHash,
+    evmContractConditions: JSON.parse(evmContractConditions),
+    chain: 'ethereum',
+  });
+
+  return {
+    decryptedPrivateKey: removeSaltFromDecryptedKey(new TextDecoder().decode(decryptedData)),
+    delegatorAddress,
+    id,
+    publicKey,
+    keyType,
+    litNetwork,
+    memo,
+  };
+};

packages/libs/wrapped-keys/src/lib/api/generate-private-key.ts

@@ -1,9 +1,11 @@
+import { getVincentWrappedKeysAccs } from '@lit-protocol/vincent-contracts-sdk';
+
 import type { GeneratePrivateKeyParams, GeneratePrivateKeyResult } from '../types';
 
 import { generateKeyWithLitAction } from '../lit-actions-client';
 import { getLitActionCid } from '../lit-actions-client/utils';
 import { storePrivateKey } from '../service-client';
-import { getKeyTypeFromNetwork, getVincentRegistryAccessControlCondition } from './utils';
+import { getKeyTypeFromNetwork } from './utils';
 
 /**
  * Generates a random private key inside a Lit Action for Vincent delegators,
@@ -22,17 +24,18 @@ export async function generatePrivateKey(
 ): Promise<GeneratePrivateKeyResult> {
   const { delegatorAddress, jwtToken, network, litNodeClient, memo } = params;
 
-  const allowDelegateeToDecrypt = await getVincentRegistryAccessControlCondition({
+  const vincentWrappedKeysAccs = await getVincentWrappedKeysAccs({
     delegatorAddress,
   });
 
   const litActionIpfsCid = getLitActionCid(network, 'generateEncryptedKey');
 
-  const { ciphertext, dataToEncryptHash, publicKey } = await generateKeyWithLitAction({
-    ...params,
-    litActionIpfsCid,
-    accessControlConditions: [allowDelegateeToDecrypt],
-  });
+  const { ciphertext, dataToEncryptHash, publicKey, evmContractConditions } =
+    await generateKeyWithLitAction({
+      ...params,
+      litActionIpfsCid,
+      evmContractConditions: vincentWrappedKeysAccs,
+    });
 
   const { id } = await storePrivateKey({
     jwtToken,
@@ -42,6 +45,8 @@ export async function generatePrivateKey(
       keyType: getKeyTypeFromNetwork(network),
       dataToEncryptHash,
       memo,
+      delegatorAddress,
+      evmContractConditions,
     },
     litNetwork: litNodeClient.config.litNetwork,
   });

packages/libs/wrapped-keys/src/lib/api/index.ts

@@ -4,8 +4,5 @@ export { listEncryptedKeyMetadata } from './list-encrypted-key-metadata';
 export { getEncryptedKey } from './get-encrypted-key';
 export { storeEncryptedKey } from './store-encrypted-key';
 export { storeEncryptedKeyBatch } from './store-encrypted-key-batch';
-export {
-  getKeyTypeFromNetwork,
-  getFirstSessionSig,
-  getVincentRegistryAccessControlCondition,
-} from './utils';
+export { getKeyTypeFromNetwork } from './utils';
+export { exportPrivateKey } from './export-private-key';

packages/libs/wrapped-keys/src/lib/api/store-encrypted-key-batch.ts

@@ -18,7 +18,7 @@ import { storePrivateKeyBatch } from '../service-client';
 export async function storeEncryptedKeyBatch(
   params: StoreEncryptedKeyBatchParams,
 ): Promise<StoreEncryptedKeyBatchResult> {
-  const { jwtToken, litNodeClient, keyBatch } = params;
+  const { jwtToken, litNodeClient, keyBatch, delegatorAddress } = params;
 
   const storedKeyMetadataBatch: StoreKeyBatchParams['storedKeyMetadataBatch'] = keyBatch.map(
     ({
@@ -27,15 +27,24 @@ export async function storeEncryptedKeyBatch(
       memo,
       dataToEncryptHash,
       ciphertext,
+      evmContractConditions,
     }): Pick<
       StoredKeyData,
-      'publicKey' | 'keyType' | 'dataToEncryptHash' | 'ciphertext' | 'memo'
+      | 'publicKey'
+      | 'keyType'
+      | 'dataToEncryptHash'
+      | 'ciphertext'
+      | 'memo'
+      | 'delegatorAddress'
+      | 'evmContractConditions'
     > => ({
       publicKey,
       memo,
       dataToEncryptHash,
       ciphertext,
       keyType,
+      delegatorAddress,
+      evmContractConditions,
     }),
   );
 

packages/libs/wrapped-keys/src/lib/api/store-encrypted-key.ts

@@ -15,7 +15,15 @@ export async function storeEncryptedKey(
 ): Promise<StoreEncryptedKeyResult> {
   const { jwtToken, litNodeClient } = params;
 
-  const { publicKey, keyType, dataToEncryptHash, ciphertext, memo } = params;
+  const {
+    publicKey,
+    keyType,
+    dataToEncryptHash,
+    ciphertext,
+    memo,
+    delegatorAddress,
+    evmContractConditions,
+  } = params;
 
   return storePrivateKey({
     storedKeyMetadata: {
@@ -24,6 +32,8 @@ export async function storeEncryptedKey(
       dataToEncryptHash,
       ciphertext,
       memo,
+      delegatorAddress,
+      evmContractConditions,
     },
     jwtToken,
     litNetwork: litNodeClient.config.litNetwork,

packages/libs/wrapped-keys/src/lib/api/utils.ts

@@ -1,17 +1,6 @@
-import { ethers } from 'ethers';
-
-import type { AuthSig, SessionSigsMap, AccsEVMParams } from '@lit-protocol/types';
-
-import { LIT_RPC } from '@lit-protocol/constants';
-import {
-  VINCENT_DIAMOND_CONTRACT_ADDRESS_PROD,
-  getPkpTokenId,
-  COMBINED_ABI,
-} from '@lit-protocol/vincent-contracts-sdk';
-
 import type { KeyType, Network } from '../types';
 
-import { CHAIN_YELLOWSTONE, NETWORK_SOLANA } from '../constants';
+import { NETWORK_SOLANA } from '../constants';
 
 /**
  * Returns the key type for the given network
@@ -27,80 +16,3 @@ export function getKeyTypeFromNetwork(network: Network): KeyType {
       throw new Error(`Network not implemented ${network}`);
   }
 }
-
-/**
- *
- * Extracts the first SessionSig from the SessionSigsMap since we only pass a single SessionSig to the AWS endpoint
- *
- * @param pkpSessionSigs - The PKP sessionSigs (map) used to associate the PKP with the generated private key
- *
- * @returns { AuthSig } - The first SessionSig from the map
- */
-export function getFirstSessionSig(pkpSessionSigs: SessionSigsMap): AuthSig {
-  const sessionSigsEntries = Object.entries(pkpSessionSigs);
-
-  if (sessionSigsEntries.length === 0) {
-    throw new Error(`Invalid pkpSessionSigs, length zero: ${JSON.stringify(pkpSessionSigs)}`);
-  }
-
-  const [[, sessionSig]] = sessionSigsEntries;
-  return sessionSig;
-}
-
-/**
- * Creates access control condition to validate Vincent delegatee authorization
- * via the Vincent registry contract's isDelegateePermitted method
- *
- * This function creates an ACC utilize the Vincent Delegatee's address derived from the inner Auth Sig of the provided Session Signatures,
- * the delegator's PKP token ID derived from the provided delegator's address, and the IPFS CID of the executing Lit Action.
- *
- * @returns AccsEVMParams - Access control condition for Vincent registry validation
- */
-export async function getVincentRegistryAccessControlCondition({
-  delegatorAddress,
-}: {
-  delegatorAddress: string;
-}): Promise<AccsEVMParams> {
-  if (!ethers.utils.isAddress(delegatorAddress)) {
-    throw new Error(`delegatorAddress is not a valid Ethereum Address: ${delegatorAddress}`);
-  }
-
-  const delegatorPkpTokenId = (
-    await getPkpTokenId({
-      pkpEthAddress: delegatorAddress,
-      signer: ethers.Wallet.createRandom().connect(
-        new ethers.providers.StaticJsonRpcProvider(LIT_RPC.CHRONICLE_YELLOWSTONE),
-      ),
-    })
-  ).toString();
-
-  const contractInterface = new ethers.utils.Interface(COMBINED_ABI.fragments);
-  const fragment = contractInterface.getFunction('isDelegateePermitted');
-
-  const functionAbi = {
-    type: 'function',
-    name: fragment.name,
-    inputs: fragment.inputs.map((input) => ({
-      name: input.name,
-      type: input.type,
-    })),
-    outputs: fragment.outputs?.map((output) => ({
-      name: output.name,
-      type: output.type,
-    })),
-    stateMutability: fragment.stateMutability,
-  };
-
-  return {
-    contractAddress: VINCENT_DIAMOND_CONTRACT_ADDRESS_PROD,
-    functionAbi,
-    chain: CHAIN_YELLOWSTONE,
-    functionName: 'isDelegateePermitted',
-    functionParams: [':userAddress', delegatorPkpTokenId, ':currentActionIpfsId'],
-    returnValueTest: {
-      key: 'isPermitted',
-      comparator: '=',
-      value: 'true',
-    },
-  };
-}