feat(sdk-lib-mpc): support DKLS DKG primitives

Ticket: HSM-267 BREAKING CHANGE: moves and renames authenticated encryption utility functions to sdk-lib-mpc
BitGo · Feb 15, 2024 · 779b1e6 · 779b1e6
1 parent cabaec4
commit 779b1e6
Show file tree

Hide file tree

Showing 10 changed files with 825 additions and 134 deletions.
diff --git a/modules/bitgo/test/v2/unit/internal/opengpgUtils.ts b/modules/bitgo/test/v2/unit/internal/opengpgUtils.ts
@@ -215,70 +215,6 @@ describe('OpenGPG Utils Tests', function () {
         .should.be.rejectedWith('Error decrypting message: Session key decryption failed.');
     });
 
-    it('should succeed on encryption with detached signature and decryption with verification', async function () {
-      const text = 'original message';
-
-      const signedMessage = await openpgpUtils.encryptAndDetachSignText(
-        text,
-        recipientKey.publicKey,
-        senderKey.privateKey
-      );
-      (
-        await openpgpUtils.decryptAndVerifySignedText(signedMessage, senderKey.publicKey, recipientKey.privateKey)
-      ).should.equal(text);
-    });
-
-    it('should fail on encryption with detached signature and decryption with wrong private key', async function () {
-      const text = 'original message';
-
-      const signedMessage = await openpgpUtils.encryptAndDetachSignText(
-        text,
-        recipientKey.publicKey,
-        senderKey.privateKey
-      );
-      await openpgpUtils
-        .decryptAndVerifySignedText(signedMessage, senderKey.publicKey, otherKey.privateKey)
-        .should.be.rejectedWith('Error decrypting message: Session key decryption failed.');
-    });
-
-    it('should fail on encryption with detached signature and decryption verification with wrong sender public key', async function () {
-      const text = 'original message';
-
-      const signedMessage = await openpgpUtils.encryptAndDetachSignText(
-        text,
-        recipientKey.publicKey,
-        senderKey.privateKey
-      );
-      await openpgpUtils
-        .decryptAndVerifySignedText(signedMessage, otherKey.publicKey, recipientKey.privateKey)
-        .should.be.rejectedWith(
-          `Error decrypting message: Could not find signing key with key ID ${(
-            await openpgp.readKey({ armoredKey: senderKey.publicKey })
-          )
-            .getKeyID()
-            .toHex()}`
-        );
-    });
-
-    it('should fail on encryption with detached signature by unintended sender and decryption verification', async function () {
-      const text = 'original message';
-
-      const signedMessage = await openpgpUtils.encryptAndDetachSignText(
-        text,
-        recipientKey.publicKey,
-        otherKey.privateKey
-      );
-      await openpgpUtils
-        .decryptAndVerifySignedText(signedMessage, senderKey.publicKey, recipientKey.privateKey)
-        .should.be.rejectedWith(
-          `Error decrypting message: Could not find signing key with key ID ${(
-            await openpgp.readKey({ armoredKey: otherKey.publicKey })
-          )
-            .getKeyID()
-            .toHex()}`
-        );
-    });
-
     it('should encrypt, sign, and decrypt without previously clearing rejectedCurves', async function () {
       openpgp.config.rejectCurves = new Set([openpgp.enums.curve.secp256k1]);
 

diff --git a/modules/sdk-core/src/bitgo/utils/opengpgUtils.ts b/modules/sdk-core/src/bitgo/utils/opengpgUtils.ts
@@ -309,75 +309,6 @@ export async function encryptText(text: string, key: Key): Promise<string> {
   });
 }
 
-/**
- * Encrypts and detach signs a string
- * @param text string to encrypt and sign
- * @param publicArmor public key to encrypt with
- * @param privateArmor private key to sign with
- */
-export async function encryptAndDetachSignText(
-  text: string,
-  publicArmor: string,
-  privateArmor: string
-): Promise<AuthEncMessage> {
-  const publicKey = await readKey({ armoredKey: publicArmor });
-  const privateKey = await readPrivateKey({ armoredKey: privateArmor });
-  const message = await createMessage({ text });
-  const encryptedMessage = await encrypt({
-    message,
-    encryptionKeys: publicKey,
-    format: 'armored',
-    config: {
-      rejectCurves: new Set(),
-      showVersion: false,
-      showComment: false,
-    },
-  });
-  const signature = await sign({
-    message,
-    signingKeys: privateKey,
-    format: 'armored',
-    detached: true,
-    config: {
-      rejectCurves: new Set(),
-      showVersion: false,
-      showComment: false,
-    },
-  });
-  return {
-    encryptedMessage: encryptedMessage,
-    signature: signature,
-  };
-}
-
-/**
- * Encrypts and detach signs a string
- * @param text string to encrypt and sign
- * @param publicArmor public key to verify signature with
- * @param privateArmor private key to decrypt with
- */
-export async function decryptAndVerifySignedText(
-  encryptedAndSignedMessage: AuthEncMessage,
-  publicArmor: string,
-  privateArmor: string
-): Promise<string> {
-  const publicKey = await readKey({ armoredKey: publicArmor });
-  const privateKey = await readPrivateKey({ armoredKey: privateArmor });
-  const decryptedMessage = await decrypt({
-    message: await readMessage({ armoredMessage: encryptedAndSignedMessage.encryptedMessage }),
-    decryptionKeys: privateKey,
-    signature: await readSignature({ armoredSignature: encryptedAndSignedMessage.signature }),
-    verificationKeys: publicKey,
-    expectSigned: true,
-    config: {
-      rejectCurves: new Set(),
-      showVersion: false,
-      showComment: false,
-    },
-  });
-  return decryptedMessage.data;
-}
-
 /**
  * Encrypts and signs a string
  * @param text string to encrypt and sign

diff --git a/modules/sdk-lib-mpc/package.json b/modules/sdk-lib-mpc/package.json
@@ -38,13 +38,17 @@
   "dependencies": {
     "@noble/secp256k1": "1.6.3",
     "@types/superagent": "4.1.15",
+    "@silencelaboratories/dkls-wasm-ll-node": "0.1.0",
     "@wasmer/wasi": "^1.2.2",
     "bigint-crypto-utils": "3.1.4",
     "bigint-mod-arith": "3.1.2",
     "libsodium-wrappers-sumo": "^0.7.9",
-    "paillier-bigint": "3.3.0"
+    "paillier-bigint": "3.3.0",
+    "cbor": "^9.0.1",
+    "openpgp": "5.10.1"
   },
   "devDependencies": {
+    "@types/node": "^20.11.19",
     "@types/lodash": "^4.14.151",
     "nyc": "^15.0.0"
   }

diff --git a/modules/sdk-lib-mpc/src/tss/ecdsa-dkls/commsLayer.ts b/modules/sdk-lib-mpc/src/tss/ecdsa-dkls/commsLayer.ts
@@ -0,0 +1,213 @@
+import { SerializedMessages, AuthEncMessage, AuthEncMessages, PartyGpgKey } from './types';
+import * as pgp from 'openpgp';
+
+/**
+ * Detach signs a binary and encodes it in base64
+ * @param data binary to encode in base64 and sign
+ * @param privateArmor private key to sign with
+ */
+export async function detachSignData(data: Buffer, privateArmor: string): Promise<AuthEncMessage> {
+  const message = await pgp.createMessage({ binary: data });
+  const privateKey = await pgp.readPrivateKey({ armoredKey: privateArmor });
+  const signature = await pgp.sign({
+    message,
+    signingKeys: privateKey,
+    format: 'armored',
+    detached: true,
+    config: {
+      rejectCurves: new Set(),
+      showVersion: false,
+      showComment: false,
+    },
+  });
+  return {
+    encryptedMessage: data.toString('base64'),
+    signature: signature,
+  };
+}
+
+/**
+ * Encrypts and detach signs a binary
+ * @param data binary to encrypt and sign
+ * @param publicArmor public key to encrypt with
+ * @param privateArmor private key to sign with
+ */
+export async function encryptAndDetachSignData(
+  data: Buffer,
+  publicArmor: string,
+  privateArmor: string
+): Promise<AuthEncMessage> {
+  const message = await pgp.createMessage({ binary: data });
+  const publicKey = await pgp.readKey({ armoredKey: publicArmor });
+  const privateKey = await pgp.readPrivateKey({ armoredKey: privateArmor });
+  const encryptedMessage = await pgp.encrypt({
+    message,
+    encryptionKeys: publicKey,
+    format: 'armored',
+    config: {
+      rejectCurves: new Set(),
+      showVersion: false,
+      showComment: false,
+    },
+  });
+  const signature = await pgp.sign({
+    message,
+    signingKeys: privateKey,
+    format: 'armored',
+    detached: true,
+    config: {
+      rejectCurves: new Set(),
+      showVersion: false,
+      showComment: false,
+    },
+  });
+  return {
+    encryptedMessage: encryptedMessage,
+    signature: signature,
+  };
+}
+
+/**
+ * Decrypts and verifies signature on a binary
+ * @param encryptedAndSignedMessage message to decrypt and verify
+ * @param publicArmor public key to verify signature with
+ * @param privateArmor private key to decrypt with
+ */
+export async function decryptAndVerifySignedData(
+  encryptedAndSignedMessage: AuthEncMessage,
+  publicArmor: string,
+  privateArmor: string
+): Promise<string> {
+  const publicKey = await pgp.readKey({ armoredKey: publicArmor });
+  const privateKey = await pgp.readPrivateKey({ armoredKey: privateArmor });
+  const decryptedMessage = await pgp.decrypt({
+    message: await pgp.readMessage({ armoredMessage: encryptedAndSignedMessage.encryptedMessage }),
+    decryptionKeys: [privateKey],
+    config: {
+      rejectCurves: new Set(),
+      showVersion: false,
+      showComment: false,
+    },
+    format: 'binary',
+  });
+  const verificationResult = await pgp.verify({
+    message: await pgp.createMessage({ binary: decryptedMessage.data }),
+    signature: await pgp.readSignature({ armoredSignature: encryptedAndSignedMessage.signature }),
+    verificationKeys: publicKey,
+  });
+  await verificationResult.signatures[0].verified;
+  return Buffer.from(decryptedMessage.data).toString('base64');
+}
+
+/**
+ * Verifies signature on a binary (message passed should be encoded in base64).
+ * @param signedMessage message to verify
+ * @param publicArmor public key to verify signature with
+ */
+export async function verifySignedData(signedMessage: AuthEncMessage, publicArmor: string): Promise<boolean> {
+  const publicKey = await pgp.readKey({ armoredKey: publicArmor });
+  const verificationResult = await pgp.verify({
+    message: await pgp.createMessage({ binary: Buffer.from(signedMessage.encryptedMessage, 'base64') }),
+    signature: await pgp.readSignature({ armoredSignature: signedMessage.signature }),
+    verificationKeys: publicKey,
+  });
+  try {
+    await verificationResult.signatures[0].verified;
+    return true;
+  } catch (e) {
+    return false;
+  }
+}
+
+/**
+ * Decrypts and verifies p2p messages + verifies broadcast messages
+ * @param messages message to decrypt and verify
+ * @param pubVerificationGpgKeys public keys to verify signatures with
+ * @param prvDecryptionGpgKeys private keys to decrypt with
+ */
+export async function decryptAndVerifyIncomingMessages(
+  messages: AuthEncMessages,
+  pubVerificationGpgKeys: PartyGpgKey[],
+  prvDecryptionGpgKeys: PartyGpgKey[]
+): Promise<SerializedMessages> {
+  return {
+    p2pMessages: await Promise.all(
+      messages.p2pMessages.map(async (m) => {
+        const pubGpgKey = pubVerificationGpgKeys.find((k) => k.partyId === m.from);
+        const prvGpgKey = prvDecryptionGpgKeys.find((k) => k.partyId === m.to);
+        if (!pubGpgKey) {
+          throw Error(`No public key provided for sender with ID: ${m.from}`);
+        }
+        if (!prvGpgKey) {
+          throw Error(`No private key provided for recepient with ID: ${m.to}`);
+        }
+        return {
+          to: m.to,
+          from: m.from,
+          payload: await decryptAndVerifySignedData(m.payload, pubGpgKey.gpgKey, prvGpgKey.gpgKey),
+          commitment: m.commitment,
+        };
+      })
+    ),
+    broadcastMessages: await Promise.all(
+      messages.broadcastMessages.map(async (m) => {
+        const pubGpgKey = pubVerificationGpgKeys.find((k) => k.partyId === m.from);
+        if (!pubGpgKey) {
+          throw Error(`No public key provided for sender with ID: ${m.from}`);
+        }
+        if (!(await verifySignedData(m.payload, pubGpgKey.gpgKey))) {
+          throw Error(`Failed to authenticate broadcast message from party: ${m.from}`);
+        }
+        return {
+          from: m.from,
+          payload: m.payload.encryptedMessage,
+        };
+      })
+    ),
+  };
+}
+
+/**
+ * Encrypts and signs p2p messages + signs broadcast messages
+ * @param messages messages to encrypt and sign
+ * @param pubEncryptionGpgKey public keys to encrypt data to
+ * @param prvAuthenticationGpgKey private keys to sign with
+ */
+export async function encryptAndAuthOutgoingMessages(
+  messages: SerializedMessages,
+  pubEncryptionGpgKeys: PartyGpgKey[],
+  prvAuthenticationGpgKeys: PartyGpgKey[]
+): Promise<AuthEncMessages> {
+  return {
+    p2pMessages: await Promise.all(
+      messages.p2pMessages.map(async (m) => {
+        const pubGpgKey = pubEncryptionGpgKeys.find((k) => k.partyId === m.to);
+        const prvGpgKey = prvAuthenticationGpgKeys.find((k) => k.partyId === m.from);
+        if (!pubGpgKey) {
+          throw Error(`No public key provided for recipient with ID: ${m.to}`);
+        }
+        if (!prvGpgKey) {
+          throw Error(`No private key provided for sender with ID: ${m.from}`);
+        }
+        return {
+          to: m.to,
+          from: m.from,
+          payload: await encryptAndDetachSignData(Buffer.from(m.payload, 'base64'), pubGpgKey.gpgKey, prvGpgKey.gpgKey),
+          commitment: m.commitment,
+        };
+      })
+    ),
+    broadcastMessages: await Promise.all(
+      messages.broadcastMessages.map(async (m) => {
+        const prvGpgKey = prvAuthenticationGpgKeys.find((k) => k.partyId === m.from);
+        if (!prvGpgKey) {
+          throw Error(`No private key provided for sender with ID: ${m.from}`);
+        }
+        return {
+          from: m.from,
+          payload: await detachSignData(Buffer.from(m.payload, 'base64'), prvGpgKey.gpgKey),
+        };
+      })
+    ),
+  };
+}