CLI: add a command to generate an encrypted key file

dannywillems · dannywillems · commit b7947ea39107 · 2025-08-13T14:43:41.000+02:00
Mimicks secret_box in the Caml node
diff --git a/cli/src/commands/misc.rs b/cli/src/commands/misc.rs
@@ -10,16 +10,18 @@ pub struct Misc {
 impl Misc {
     pub fn run(self) -> anyhow::Result<()> {
         match self.command {
-            MiscCommand::P2PKeyPair(command) => command.run(),
+            MiscCommand::MinaEncryptedKey(command) => command.run(),
             MiscCommand::MinaKeyPair(command) => command.run(),
+            MiscCommand::P2PKeyPair(command) => command.run(),
         }
     }
 }
 
 #[derive(Clone, Debug, clap::Subcommand)]
 pub enum MiscCommand {
-    P2PKeyPair(P2PKeyPair),
+    MinaEncryptedKey(MinaEncryptedKey),
     MinaKeyPair(MinaKeyPair),
+    P2PKeyPair(P2PKeyPair),
 }
 
 #[derive(Debug, Clone, clap::Args)]
@@ -59,3 +61,260 @@ impl MinaKeyPair {
         Ok(())
     }
 }
+
+/// Generate a new Mina key pair and save it as an encrypted JSON file
+///
+/// This command generates a new random Mina key pair (or uses a provided secret key)
+/// and saves it to an encrypted JSON file format compatible with the Mina protocol.
+/// The encrypted file can be used as a producer key for block production.
+///
+/// This command replicates the secret box functionality from `src/lib/secret_box`
+/// in the OCaml implementation, providing compatible encrypted key storage.
+///
+/// # Examples
+///
+/// Generate a new encrypted key with password:
+/// ```bash
+/// openmina misc mina-encrypted-key --password mypassword --file producer-key
+/// ```
+///
+/// Generate a new encrypted key using environment variable for password:
+/// ```bash
+/// MINA_PRIVKEY_PASS=mypassword openmina misc mina-encrypted-key --file producer-key
+/// ```
+///
+/// Use an existing secret key:
+/// ```bash
+/// openmina misc mina-encrypted-key --secret-key EKE... --password mypassword
+/// ```
+#[derive(Debug, Clone, clap::Args)]
+pub struct MinaEncryptedKey {
+    /// Optional existing secret key to encrypt. If not provided, generates a new random key
+    #[arg(long, short = 's', env = "OPENMINA_ENC_KEY")]
+    secret_key: Option<AccountSecretKey>,
+
+    /// Password to encrypt the key file with. Can be provided via MINA_PRIVKEY_PASS environment variable
+    #[arg(env = "MINA_PRIVKEY_PASS", default_value = "")]
+    password: String,
+
+    /// Output file path for the encrypted key (default: mina_encrypted_key.json)
+    #[arg(long, short = 'f', default_value = "mina_encrypted_key.json")]
+    file: String,
+}
+
+impl MinaEncryptedKey {
+    /// Execute the mina-encrypted-key command
+    ///
+    /// Generates a new Mina key pair (or uses provided secret key) and saves it
+    /// as an encrypted JSON file that can be used for block production.
+    ///
+    /// # Returns
+    ///
+    /// * `Ok(())` - On successful key generation and file creation
+    /// * `Err(anyhow::Error)` - If key encryption or file writing fails
+    ///
+    /// # Output
+    ///
+    /// Prints the secret key and public key to stdout, and creates an encrypted
+    /// JSON file at the specified path.
+    pub fn run(self) -> anyhow::Result<()> {
+        let secret_key = self.secret_key.unwrap_or_else(AccountSecretKey::rand);
+        secret_key
+            .to_encrypted_file(&self.file, &self.password)
+            .map_err(|e| {
+                anyhow::anyhow!("Failed to encrypt key: {} into path '{}'", e, self.file,)
+            })?;
+        let public_key = secret_key.public_key();
+        println!("secret key: {secret_key}");
+        println!("public key: {public_key}");
+        Ok(())
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::fs;
+    use tempfile::TempDir;
+
+    #[test]
+    fn test_mina_encrypted_key_generates_random_key() {
+        let temp_dir = TempDir::new().unwrap();
+        let file_path = temp_dir.path().join("test_key.json");
+        let file_path_str = file_path.to_str().unwrap().to_string();
+
+        let cmd = MinaEncryptedKey {
+            secret_key: None,
+            password: "test_password".to_string(),
+            file: file_path_str.clone(),
+        };
+
+        let result = cmd.run();
+        assert!(result.is_ok());
+
+        // Verify the file was created
+        assert!(file_path.exists());
+
+        // Verify the file contains encrypted data (should be JSON)
+        let file_content = fs::read_to_string(&file_path).unwrap();
+        assert!(file_content.starts_with('{'));
+        assert!(file_content.ends_with('}'));
+    }
+
+    #[test]
+    fn test_mina_encrypted_key_with_provided_secret_key() {
+        let temp_dir = TempDir::new().unwrap();
+        let file_path = temp_dir.path().join("test_key_provided.json");
+        let file_path_str = file_path.to_str().unwrap().to_string();
+
+        let secret_key = AccountSecretKey::rand();
+        let expected_public_key = secret_key.public_key();
+
+        let cmd = MinaEncryptedKey {
+            secret_key: Some(secret_key),
+            password: "test_password".to_string(),
+            file: file_path_str.clone(),
+        };
+
+        let result = cmd.run();
+        assert!(result.is_ok());
+
+        // Verify the file was created
+        assert!(file_path.exists());
+
+        // Verify we can load the key back and it matches
+        let loaded_key = AccountSecretKey::from_encrypted_file(&file_path_str, "test_password");
+        assert!(loaded_key.is_ok());
+        let loaded_key = loaded_key.unwrap();
+        assert_eq!(loaded_key.public_key(), expected_public_key);
+    }
+
+    #[test]
+    fn test_mina_encrypted_key_with_empty_password() {
+        let temp_dir = TempDir::new().unwrap();
+        let file_path = temp_dir.path().join("test_key_no_pass.json");
+        let file_path_str = file_path.to_str().unwrap().to_string();
+
+        let cmd = MinaEncryptedKey {
+            secret_key: None,
+            password: "".to_string(),
+            file: file_path_str.clone(),
+        };
+
+        let result = cmd.run();
+        assert!(result.is_ok());
+
+        // Verify the file was created
+        assert!(file_path.exists());
+
+        // Verify we can load the key back with empty password
+        let loaded_key = AccountSecretKey::from_encrypted_file(&file_path_str, "");
+        assert!(loaded_key.is_ok());
+    }
+
+    #[test]
+    fn test_mina_encrypted_key_wrong_password_fails() {
+        let temp_dir = TempDir::new().unwrap();
+        let file_path = temp_dir.path().join("test_key_wrong_pass.json");
+        let file_path_str = file_path.to_str().unwrap().to_string();
+
+        let cmd = MinaEncryptedKey {
+            secret_key: None,
+            password: "correct_password".to_string(),
+            file: file_path_str.clone(),
+        };
+
+        let result = cmd.run();
+        assert!(result.is_ok());
+
+        // Verify loading with wrong password fails
+        let loaded_key = AccountSecretKey::from_encrypted_file(&file_path_str, "wrong_password");
+        assert!(loaded_key.is_err());
+    }
+
+    #[test]
+    fn test_mina_encrypted_key_invalid_file_path_fails() {
+        let cmd = MinaEncryptedKey {
+            secret_key: None,
+            password: "test_password".to_string(),
+            file: "/invalid/path/that/does/not/exist/key.json".to_string(),
+        };
+
+        let result = cmd.run();
+        assert!(result.is_err());
+    }
+
+    #[test]
+    fn test_mina_encrypted_key_roundtrip_compatibility() {
+        let temp_dir = TempDir::new().unwrap();
+        let file_path = temp_dir.path().join("test_roundtrip.json");
+        let file_path_str = file_path.to_str().unwrap().to_string();
+
+        // Generate a key with our command
+        let original_secret_key = AccountSecretKey::rand();
+        let original_public_key = original_secret_key.public_key();
+        let password = "roundtrip_test_password";
+
+        let cmd = MinaEncryptedKey {
+            secret_key: Some(original_secret_key.clone()),
+            password: password.to_string(),
+            file: file_path_str.clone(),
+        };
+
+        let result = cmd.run();
+        assert!(result.is_ok());
+
+        // Load the key back using the secret key methods directly
+        let loaded_secret_key = AccountSecretKey::from_encrypted_file(&file_path_str, password);
+        assert!(loaded_secret_key.is_ok());
+        let loaded_secret_key = loaded_secret_key.unwrap();
+        let loaded_public_key = loaded_secret_key.public_key();
+
+        // Verify the keys match exactly
+        assert_eq!(original_public_key, loaded_public_key);
+        assert_eq!(
+            original_secret_key.to_string(),
+            loaded_secret_key.to_string()
+        );
+    }
+
+    #[test]
+    fn test_mina_key_pair_generates_random_key() {
+        let cmd = MinaKeyPair { secret_key: None };
+
+        let result = cmd.run();
+        assert!(result.is_ok());
+    }
+
+    #[test]
+    fn test_mina_key_pair_with_provided_secret_key() {
+        let secret_key = AccountSecretKey::rand();
+        let cmd = MinaKeyPair {
+            secret_key: Some(secret_key),
+        };
+
+        let result = cmd.run();
+        assert!(result.is_ok());
+    }
+
+    #[test]
+    fn test_p2p_key_pair_generates_random_key() {
+        let cmd = P2PKeyPair {
+            p2p_secret_key: None,
+        };
+
+        let result = cmd.run();
+        assert!(result.is_ok());
+    }
+
+    #[test]
+    fn test_p2p_key_pair_with_provided_secret_key() {
+        let secret_key = SecretKey::rand();
+        let cmd = P2PKeyPair {
+            p2p_secret_key: Some(secret_key),
+        };
+
+        let result = cmd.run();
+        assert!(result.is_ok());
+    }
+}
