Merge branch 'gdemay/CRP-2020-transient-internal-errors' into 'master'

refactor(crypto): CRP-2020 all CSP vault client operations return a `TransientInternalError` in case of an RPC error

Operations on the CSP vault client may always return a [`tarpc::client::RpcError`](https://github.com/google/tarpc/blob/bed85e282710a5d21444fd25a5c0f55796ffc889/tarpc/src/client.rs#L177) in case for example an RPC connection error occurs. For each operation, this low-level error from the [Tarpc framework](https://docs.rs/tarpc/latest/tarpc/) is mapped to some higher level error. This MR consolidates the error handling in such a case by always returning some variant named `TransientInternalError`, such that `ErrorReproduciblity::is_reproducibility` is always `false` on this variant whenever `ErrorReproduciblity` is implemented by the high level error.

This affects the following operations:
1. `BasicSignatureCspVault::sign`
2. `MultiSignatureCspVault::multi_sign`
3. `ThresholdSignatureCspVault::threshold_sign`. This also prevents `ThresholdSigner::sign_threshold` from panicking in case of transient error (solves [CRP-1291](https://dfinity.atlassian.net/browse/CRP-1291)).
4. `SecretKeyStoreCspVault::sks_contains`
5. `NiDkgCspVault::create_dealing`
6. `TlsHandshakeCspVault::tls_sign`
7. `IDkgProtocolCspVault::idkg_create_dealing`
8. `IDkgProtocolCspVault::idkg_verify_dealing_private`
9. `IDkgProtocolCspVault::idkg_load_transcript`
10. `IDkgProtocolCspVault::idkg_load_transcript_with_openings`
11. `IDkgProtocolCspVault::idkg_retain_active_keys`
12. `IDkgProtocolCspVault::idkg_open_dealing`
13. `ThresholdEcdsaSignerCspVault::ecdsa_sign_share` 

See merge request dfinity-lab/public/ic!12574

Author: gregorydemay

rs/crypto/internal/crypto_lib/threshold_sig/bls12_381/src/api/dkg_errors/imported_conversions.rs

@@ -81,8 +81,8 @@ mod create_dealing_error_conversions_v2 {
                         panic_prefix, error
                     );
                 }
-                CspDkgCreateReshareDealingError::InternalError(error) => {
-                    DkgCreateDealingError::InternalError(InternalError {
+                CspDkgCreateReshareDealingError::TransientInternalError(error) => {
+                    DkgCreateDealingError::TransientInternalError(InternalError {
                         internal_error: error.internal_error,
                     })
                 }

rs/crypto/internal/crypto_lib/threshold_sig/bls12_381/src/api/ni_dkg_errors.rs

@@ -134,8 +134,8 @@ pub enum CspDkgCreateDealingError {
     /// Hardware error: This machine cannot handle this request because some
     /// parameter was too large.
     SizeError(SizeError),
-    // An internal error, e.g. an RPC error.
-    InternalError(InternalError),
+    /// Transient internal error, e.g. an RPC error.
+    TransientInternalError(InternalError),
 }
 
 impl From<EncryptAndZKProveError> for CspDkgCreateDealingError {
@@ -183,8 +183,8 @@ pub enum CspDkgCreateReshareDealingError {
     /// Hardware error: This machine cannot handle this request because some
     /// parameter was too large.
     SizeError(SizeError),
-    // An internal error, e.g. an RPC error.
-    InternalError(InternalError),
+    /// Transient internal error, e.g. an RPC error.
+    TransientInternalError(InternalError),
 }
 
 impl From<EncryptAndZKProveError> for CspDkgCreateReshareDealingError {
@@ -230,8 +230,8 @@ impl From<CspDkgCreateDealingError> for CspDkgCreateReshareDealingError {
             CspDkgCreateDealingError::SizeError(error) => {
                 CspDkgCreateReshareDealingError::SizeError(error)
             }
-            CspDkgCreateDealingError::InternalError(error) => {
-                CspDkgCreateReshareDealingError::InternalError(error)
+            CspDkgCreateDealingError::TransientInternalError(error) => {
+                CspDkgCreateReshareDealingError::TransientInternalError(error)
             }
         }
     }
@@ -269,8 +269,8 @@ impl From<CspDkgCreateReshareDealingError> for CspDkgCreateDealingError {
             CspDkgCreateReshareDealingError::SizeError(error) => {
                 CspDkgCreateDealingError::SizeError(error)
             }
-            CspDkgCreateReshareDealingError::InternalError(error) => {
-                CspDkgCreateDealingError::InternalError(error)
+            CspDkgCreateReshareDealingError::TransientInternalError(error) => {
+                CspDkgCreateDealingError::TransientInternalError(error)
             }
         }
     }

rs/crypto/internal/crypto_service_provider/csp_proptest_utils/src/lib.rs

@@ -135,7 +135,7 @@ mod csp_basic_signature_error {
         UnsupportedAlgorithm => {algorithm in arb_algorithm_id()},
         WrongSecretKeyType => {algorithm in arb_algorithm_id(), secret_key_variant in ".*"},
         MalformedSecretKey => {algorithm in arb_algorithm_id()},
-        InternalError => {internal_error in ".*"}
+        TransientInternalError => {internal_error in ".*"}
     );
 }
 
@@ -245,7 +245,7 @@ mod csp_multi_signature_error {
         SecretKeyNotFound => {algorithm in arb_algorithm_id(), key_id in arb_key_id()},
         UnsupportedAlgorithm => {algorithm in arb_algorithm_id()},
         WrongSecretKeyType => {algorithm in arb_algorithm_id(), secret_key_variant in ".*"},
-        InternalError => {internal_error in ".*"}
+        TransientInternalError => {internal_error in ".*"}
     );
 }
 
@@ -270,7 +270,7 @@ mod csp_threshold_sign_error {
         UnsupportedAlgorithm => {algorithm in arb_algorithm_id()},
         WrongSecretKeyType => {},
         MalformedSecretKey => {algorithm in arb_algorithm_id()},
-        InternalError => {internal_error in ".*"}
+        TransientInternalError => {internal_error in ".*"}
     );
 }
 
@@ -279,6 +279,6 @@ mod csp_secret_key_store_contains_error {
     use ic_crypto_internal_csp::vault::api::CspSecretKeyStoreContainsError;
 
     proptest_strategy_for_enum!(CspSecretKeyStoreContainsError;
-        InternalError => {internal_error in ".*"}
+        TransientInternalError => {internal_error in ".*"}
     );
 }

rs/crypto/internal/crypto_service_provider/csp_proptest_utils/src/tests.rs

@@ -34,14 +34,14 @@ macro_rules! should_have_a_strategy_for_each_variant {
 use ic_crypto_internal_csp::vault::api::CspBasicSignatureError;
 should_have_a_strategy_for_each_variant!(
     CspBasicSignatureError,
-    CspBasicSignatureError::InternalError {
+    CspBasicSignatureError::TransientInternalError {
         internal_error: "dummy error to match upon".to_string(),
     },
     SecretKeyNotFound { .. },
     UnsupportedAlgorithm { .. },
     WrongSecretKeyType { .. },
     MalformedSecretKey { .. },
-    InternalError { .. }
+    TransientInternalError { .. }
 );
 
 use ic_crypto_internal_csp::types::CspSignature;
@@ -109,13 +109,13 @@ should_have_a_strategy_for_each_variant!(
 use ic_crypto_internal_csp::vault::api::CspMultiSignatureError;
 should_have_a_strategy_for_each_variant!(
     CspMultiSignatureError,
-    CspMultiSignatureError::InternalError {
+    CspMultiSignatureError::TransientInternalError {
         internal_error: "dummy error to match upon".to_string(),
     },
     SecretKeyNotFound { .. },
     UnsupportedAlgorithm { .. },
     WrongSecretKeyType { .. },
-    InternalError { .. }
+    TransientInternalError { .. }
 );
 
 use ic_crypto_internal_csp::vault::api::CspMultiSignatureKeygenError;
@@ -133,21 +133,21 @@ should_have_a_strategy_for_each_variant!(
 use ic_crypto_internal_csp::api::CspThresholdSignError;
 should_have_a_strategy_for_each_variant!(
     CspThresholdSignError,
-    CspThresholdSignError::InternalError {
+    CspThresholdSignError::TransientInternalError {
         internal_error: "dummy error to match upon".to_string(),
     },
     SecretKeyNotFound { .. },
     UnsupportedAlgorithm { .. },
     WrongSecretKeyType { .. },
     MalformedSecretKey { .. },
-    InternalError { .. }
+    TransientInternalError { .. }
 );
 
 use ic_crypto_internal_csp::vault::api::CspSecretKeyStoreContainsError;
 should_have_a_strategy_for_each_variant!(
     CspSecretKeyStoreContainsError,
-    CspSecretKeyStoreContainsError::InternalError {
+    CspSecretKeyStoreContainsError::TransientInternalError {
         internal_error: "dummy error to match upon".to_string(),
     },
-    InternalError { .. }
+    TransientInternalError { .. }
 );

rs/crypto/internal/crypto_service_provider/src/api/threshold/threshold_sign_error.rs

@@ -16,7 +16,7 @@ pub enum CspThresholdSignError {
     MalformedSecretKey {
         algorithm: AlgorithmId,
     },
-    InternalError {
+    TransientInternalError {
         internal_error: String,
     },
 }
@@ -64,8 +64,8 @@ impl fmt::Display for CspThresholdSignError {
                 "Unable to parse the secret key with algorithm id {:?}",
                 algorithm
             ),
-            CspThresholdSignError::InternalError { internal_error } => {
-                write!(f, "Internal error: {}", internal_error)
+            CspThresholdSignError::TransientInternalError { internal_error } => {
+                write!(f, "Transient internal error: {}", internal_error)
             }
         }
     }

rs/crypto/internal/crypto_service_provider/src/vault/api.rs

@@ -47,7 +47,7 @@ pub enum CspBasicSignatureError {
     MalformedSecretKey {
         algorithm: AlgorithmId,
     },
-    InternalError {
+    TransientInternalError {
         internal_error: String,
     },
 }
@@ -72,7 +72,7 @@ pub enum CspMultiSignatureError {
         algorithm: AlgorithmId,
         secret_key_variant: String,
     },
-    InternalError {
+    TransientInternalError {
         internal_error: String,
     },
 }
@@ -104,7 +104,7 @@ pub enum CspThresholdSignatureKeygenError {
 
 #[derive(Clone, Debug, PartialEq, Eq, Hash, Serialize, Deserialize)]
 pub enum CspSecretKeyStoreContainsError {
-    InternalError { internal_error: String },
+    TransientInternalError { internal_error: String },
 }
 
 #[derive(Clone, Debug, PartialEq, Eq, Hash, Serialize, Deserialize)]
@@ -157,7 +157,7 @@ pub enum CspTlsSignError {
     SigningFailed {
         error: String,
     },
-    InternalError {
+    TransientInternalError {
         internal_error: String,
     },
 }

rs/crypto/internal/crypto_service_provider/src/vault/mod.rs

@@ -40,11 +40,8 @@ impl From<CspBasicSignatureError> for CryptoError {
                     internal_error: "Malformed secret key".to_string(),
                 }
             }
-            // TODO(CRP-1262): using InvalidArgument here is not ideal.
-            CspBasicSignatureError::InternalError { internal_error } => {
-                CryptoError::InvalidArgument {
-                    message: format!("Internal error: {}", internal_error),
-                }
+            CspBasicSignatureError::TransientInternalError { internal_error } => {
+                CryptoError::TransientInternalError { internal_error }
             }
         }
     }
@@ -73,10 +70,8 @@ impl From<CspMultiSignatureError> for CryptoError {
                     "Wrong secret key type: expected {algorithm:?} but found {secret_key_variant}"
                 ),
             },
-            CspMultiSignatureError::InternalError { internal_error } => {
-                CryptoError::InvalidArgument {
-                    message: internal_error,
-                }
+            CspMultiSignatureError::TransientInternalError { internal_error } => {
+                CryptoError::TransientInternalError { internal_error }
             }
         }
     }
@@ -85,8 +80,8 @@ impl From<CspMultiSignatureError> for CryptoError {
 impl From<CspSecretKeyStoreContainsError> for CryptoError {
     fn from(e: CspSecretKeyStoreContainsError) -> Self {
         match e {
-            CspSecretKeyStoreContainsError::InternalError { internal_error } => {
-                CryptoError::InternalError { internal_error }
+            CspSecretKeyStoreContainsError::TransientInternalError { internal_error } => {
+                CryptoError::TransientInternalError { internal_error }
             }
         }
     }

rs/crypto/internal/crypto_service_provider/src/vault/remote_csp_vault/tarpc_csp_vault_client.rs

@@ -255,7 +255,7 @@ impl BasicSignatureCspVault for RemoteCspVault {
             key_id,
         ))
         .unwrap_or_else(|rpc_error: tarpc::client::RpcError| {
-            Err(CspBasicSignatureError::InternalError {
+            Err(CspBasicSignatureError::TransientInternalError {
                 internal_error: rpc_error.to_string(),
             })
         })
@@ -288,7 +288,7 @@ impl MultiSignatureCspVault for RemoteCspVault {
             key_id,
         ))
         .unwrap_or_else(|rpc_error: tarpc::client::RpcError| {
-            Err(CspMultiSignatureError::InternalError {
+            Err(CspMultiSignatureError::TransientInternalError {
                 internal_error: rpc_error.to_string(),
             })
         })
@@ -323,7 +323,7 @@ impl ThresholdSignatureCspVault for RemoteCspVault {
             key_id,
         ))
         .unwrap_or_else(|rpc_error: tarpc::client::RpcError| {
-            Err(CspThresholdSignError::InternalError {
+            Err(CspThresholdSignError::TransientInternalError {
                 internal_error: rpc_error.to_string(),
             })
         })
@@ -337,7 +337,7 @@ impl SecretKeyStoreCspVault for RemoteCspVault {
                 .sks_contains(context_with_timeout(self.rpc_timeout), *key_id),
         )
         .unwrap_or_else(|rpc_error: tarpc::client::RpcError| {
-            Err(CspSecretKeyStoreContainsError::InternalError {
+            Err(CspSecretKeyStoreContainsError::TransientInternalError {
                 internal_error: rpc_error.to_string(),
             })
         })
@@ -469,7 +469,7 @@ impl NiDkgCspVault for RemoteCspVault {
             maybe_resharing_secret,
         ))
         .unwrap_or_else(|rpc_error: tarpc::client::RpcError| {
-            Err(CspDkgCreateReshareDealingError::InternalError(
+            Err(CspDkgCreateReshareDealingError::TransientInternalError(
                 InternalError {
                     internal_error: rpc_error.to_string(),
                 },
@@ -553,7 +553,7 @@ impl TlsHandshakeCspVault for RemoteCspVault {
                 *key_id,
             ))
             .unwrap_or_else(|rpc_error: tarpc::client::RpcError| {
-                Err(CspTlsSignError::InternalError {
+                Err(CspTlsSignError::TransientInternalError {
                     internal_error: rpc_error.to_string(),
                 })
             })
@@ -581,7 +581,7 @@ impl IDkgProtocolCspVault for RemoteCspVault {
             transcript_operation.clone(),
         ))
         .unwrap_or_else(|rpc_error: tarpc::client::RpcError| {
-            Err(IDkgCreateDealingError::InternalError {
+            Err(IDkgCreateDealingError::TransientInternalError {
                 internal_error: rpc_error.to_string(),
             })
         })
@@ -606,9 +606,9 @@ impl IDkgProtocolCspVault for RemoteCspVault {
             context_data.to_vec(),
         ))
         .unwrap_or_else(|rpc_error: tarpc::client::RpcError| {
-            Err(IDkgVerifyDealingPrivateError::CspVaultRpcError(
-                rpc_error.to_string(),
-            ))
+            Err(IDkgVerifyDealingPrivateError::TransientInternalError {
+                internal_error: rpc_error.to_string(),
+            })
         })
     }
 
@@ -629,7 +629,7 @@ impl IDkgProtocolCspVault for RemoteCspVault {
             transcript.clone(),
         ))
         .unwrap_or_else(|rpc_error: tarpc::client::RpcError| {
-            Err(IDkgLoadTranscriptError::InternalError {
+            Err(IDkgLoadTranscriptError::TransientInternalError {
                 internal_error: rpc_error.to_string(),
             })
         })
@@ -654,7 +654,7 @@ impl IDkgProtocolCspVault for RemoteCspVault {
             transcript.clone(),
         ))
         .unwrap_or_else(|rpc_error: tarpc::client::RpcError| {
-            Err(IDkgLoadTranscriptError::InternalError {
+            Err(IDkgLoadTranscriptError::TransientInternalError {
                 internal_error: rpc_error.to_string(),
             })
         })
@@ -671,7 +671,7 @@ impl IDkgProtocolCspVault for RemoteCspVault {
             oldest_public_key,
         ))
         .unwrap_or_else(|rpc_error: tarpc::client::RpcError| {
-            Err(IDkgRetainKeysError::InternalError {
+            Err(IDkgRetainKeysError::TransientInternalError {
                 internal_error: rpc_error.to_string(),
             })
         })
@@ -706,7 +706,7 @@ impl IDkgProtocolCspVault for RemoteCspVault {
             *opener_key_id,
         ))
         .unwrap_or_else(|rpc_error: tarpc::client::RpcError| {
-            Err(IDkgOpenTranscriptError::InternalError {
+            Err(IDkgOpenTranscriptError::TransientInternalError {
                 internal_error: rpc_error.to_string(),
             })
         })
@@ -739,7 +739,7 @@ impl ThresholdEcdsaSignerCspVault for RemoteCspVault {
             algorithm_id,
         ))
         .unwrap_or_else(|rpc_error: tarpc::client::RpcError| {
-            Err(ThresholdEcdsaSignShareError::InternalError {
+            Err(ThresholdEcdsaSignShareError::TransientInternalError {
                 internal_error: rpc_error.to_string(),
             })
         })

rs/crypto/internal/crypto_service_provider/tests/remote_csp_vault.rs

@@ -24,7 +24,7 @@ mod rpc_connection {
     use ic_config::logger::Config as LoggerConfig;
     use ic_crypto_internal_csp::api::CspCreateMEGaKeyError;
     use ic_crypto_internal_csp::types::CspSignature;
-    use ic_crypto_internal_csp::vault::api::CspBasicSignatureError::InternalError;
+    use ic_crypto_internal_csp::vault::api::CspBasicSignatureError::TransientInternalError;
     use ic_crypto_internal_csp::vault::api::{
         BasicSignatureCspVault, CspBasicSignatureError, CspPublicKeyStoreError,
         IDkgProtocolCspVault, PublicKeyStoreCspVault,
@@ -60,7 +60,7 @@ mod rpc_connection {
         assert_matches!(signature, Ok(_));
 
         let signature = sign_message(TooLarge, key_id, &client_cannot_send_large_request);
-        assert_matches!(signature, Err(InternalError {internal_error}) if internal_error.contains("the client failed to send the request"));
+        assert_matches!(signature, Err(TransientInternalError {internal_error}) if internal_error.contains("the client failed to send the request"));
 
         let signature = sign_message(Small, key_id, &client_cannot_send_large_request);
         assert_matches!(signature, Ok(_));
@@ -87,7 +87,7 @@ mod rpc_connection {
         assert_matches!(signature_before_error, Ok(_));
 
         let signature = sign_message(TooLarge, key_id, &client);
-        assert_matches!(signature, Err(InternalError {internal_error}) if internal_error.contains("the request exceeded its deadline"));
+        assert_matches!(signature, Err(TransientInternalError {internal_error}) if internal_error.contains("the request exceeded its deadline"));
 
         let signature_after_error = sign_message(Small, key_id, &client);
         assert_eq!(signature_before_error, signature_after_error);