feat: CRP-2641 CRP-2615 Add vetKeys related management canister endpo…

…ints (#2633) This PR defines names and arguments of the new functions: - ReshareChainKey - VetKdPublicKey - VetKdEncryptedKey A corresponding interface spec PR can be found [here](dfinity/portal#3763). For now, all functions remain unimplemented. In addition, we implement routing of these methods by calling `route_idkg_message` with the correct `MasterPublicKeyId`. This function will be renamed and tested for the vet KD case in a follow up PR.
dfinity · Nov 19, 2024 · caca44d · caca44d
1 parent 363e697
commit caca44d
Show file tree

Hide file tree

Showing 12 changed files with 345 additions and 4 deletions.
diff --git a/rs/execution_environment/src/canister_manager.rs b/rs/execution_environment/src/canister_manager.rs
@@ -465,8 +465,11 @@ impl CanisterManager {
             | Ok(Ic00Method::SetupInitialDKG)
             | Ok(Ic00Method::SignWithECDSA)
             | Ok(Ic00Method::ComputeInitialIDkgDealings)
+            | Ok(Ic00Method::ReshareChainKey)
             | Ok(Ic00Method::SchnorrPublicKey)
             | Ok(Ic00Method::SignWithSchnorr)
+            | Ok(Ic00Method::VetKdPublicKey)
+            | Ok(Ic00Method::VetKdDeriveEncryptedKey)
             // "DepositCycles" can be called by anyone however as ingress message
             // cannot carry cycles, it does not make sense to allow them from users.
             | Ok(Ic00Method::DepositCycles)

diff --git a/rs/execution_environment/src/execution_environment.rs b/rs/execution_environment/src/execution_environment.rs
@@ -1242,6 +1242,16 @@ impl ExecutionEnvironment {
                 }
             },
 
+            Ok(Ic00Method::ReshareChainKey)
+            | Ok(Ic00Method::VetKdPublicKey)
+            | Ok(Ic00Method::VetKdDeriveEncryptedKey) => ExecuteSubnetMessageResult::Finished {
+                response: Err(UserError::new(
+                    ErrorCode::CanisterRejectedMessage,
+                    format!("{} API is not yet implemented.", msg.method_name()),
+                )),
+                refund: msg.take_cycles(),
+            },
+
             Ok(Ic00Method::ProvisionalCreateCanisterWithCycles) => {
                 let res =
                     ProvisionalCreateCanisterWithCyclesArgs::decode(payload).and_then(|args| {

diff --git a/rs/execution_environment/src/execution_environment/tests.rs b/rs/execution_environment/src/execution_environment/tests.rs
@@ -7,7 +7,7 @@ use ic_management_canister_types::{
     DerivationPath, EcdsaKeyId, EmptyBlob, FetchCanisterLogsRequest, HttpMethod, LogVisibilityV2,
     MasterPublicKeyId, Method, Payload as Ic00Payload, ProvisionalCreateCanisterWithCyclesArgs,
     ProvisionalTopUpCanisterArgs, SchnorrAlgorithm, SchnorrKeyId, TakeCanisterSnapshotArgs,
-    TransformContext, TransformFunc, IC_00,
+    TransformContext, TransformFunc, VetKdCurve, VetKdKeyId, IC_00,
 };
 use ic_registry_routing_table::{canister_id_into_u64, CanisterIdRange, RoutingTable};
 use ic_registry_subnet_type::SubnetType;
@@ -173,6 +173,13 @@ fn sign_with_threshold_key_payload(method: Method, key_id: MasterPublicKeyId) ->
             key_id: into_inner_schnorr(key_id),
         }
         .encode(),
+        Method::VetKdDeriveEncryptedKey => ic00::VetKdDeriveEncryptedKeyArgs {
+            derivation_id: vec![],
+            encryption_public_key: vec![],
+            derivation_path: DerivationPath::new(vec![]),
+            key_id: into_inner_vetkd(key_id),
+        }
+        .encode(),
         _ => panic!("unexpected method"),
     }
 }
@@ -2284,6 +2291,13 @@ fn make_schnorr_key(name: &str) -> MasterPublicKeyId {
     })
 }
 
+fn make_vetkd_key(name: &str) -> MasterPublicKeyId {
+    MasterPublicKeyId::VetKd(VetKdKeyId {
+        curve: VetKdCurve::Bls12_381_G2,
+        name: name.to_string(),
+    })
+}
+
 fn into_inner_ecdsa(key_id: MasterPublicKeyId) -> EcdsaKeyId {
     match key_id {
         MasterPublicKeyId::Ecdsa(key) => key,
@@ -2298,6 +2312,13 @@ fn into_inner_schnorr(key_id: MasterPublicKeyId) -> SchnorrKeyId {
     }
 }
 
+fn into_inner_vetkd(key_id: MasterPublicKeyId) -> VetKdKeyId {
+    match key_id {
+        MasterPublicKeyId::VetKd(key) => key,
+        _ => panic!("unexpected key_id type"),
+    }
+}
+
 #[test]
 fn canister_output_queue_does_not_overflow_when_calling_ic00() {
     let own_subnet = subnet_test_id(1);
@@ -3147,3 +3168,87 @@ fn test_sign_with_schnorr_api_is_enabled() {
         1
     );
 }
+
+#[test]
+fn test_vetkd_public_key_api_is_disabled() {
+    let own_subnet = subnet_test_id(1);
+    let nns_subnet = subnet_test_id(2);
+    let nns_canister = canister_test_id(0x10);
+    let mut test = ExecutionTestBuilder::new()
+        .with_own_subnet_id(own_subnet)
+        .with_nns_subnet_id(nns_subnet)
+        .with_caller(nns_subnet, nns_canister)
+        .build();
+    test.inject_call_to_ic00(
+        Method::VetKdPublicKey,
+        ic00::VetKdPublicKeyArgs {
+            canister_id: None,
+            derivation_path: DerivationPath::new(vec![]),
+            key_id: into_inner_vetkd(make_vetkd_key("some_key")),
+        }
+        .encode(),
+        Cycles::new(0),
+    );
+    test.execute_all();
+    let response = test.xnet_messages()[0].clone();
+    assert_eq!(
+        get_reject_message(response),
+        "vetkd_public_key API is not yet implemented.",
+    )
+}
+
+#[test]
+fn test_vetkd_derive_encrypted_key_api_is_disabled() {
+    let own_subnet = subnet_test_id(1);
+    let nns_subnet = subnet_test_id(2);
+    let nns_canister = canister_test_id(0x10);
+    let mut test = ExecutionTestBuilder::new()
+        .with_own_subnet_id(own_subnet)
+        .with_nns_subnet_id(nns_subnet)
+        .with_caller(nns_subnet, nns_canister)
+        .build();
+    let method = Method::VetKdDeriveEncryptedKey;
+    test.inject_call_to_ic00(
+        method,
+        sign_with_threshold_key_payload(method, make_vetkd_key("some_key")),
+        Cycles::new(0),
+    );
+    test.execute_all();
+    let response = test.xnet_messages()[0].clone();
+    assert_eq!(
+        get_reject_message(response),
+        "vetkd_derive_encrypted_key API is not yet implemented.",
+    )
+}
+
+#[test]
+fn reshare_chain_key_api_is_disabled() {
+    let own_subnet = subnet_test_id(1);
+    let nns_subnet = subnet_test_id(2);
+    let nns_canister = canister_test_id(0x10);
+    let nodes = vec![node_test_id(1), node_test_id(2)].into_iter().collect();
+    let registry_version = RegistryVersion::from(100);
+    let mut test = ExecutionTestBuilder::new()
+        .with_own_subnet_id(own_subnet)
+        .with_nns_subnet_id(nns_subnet)
+        .with_caller(nns_subnet, nns_canister)
+        .build();
+    let method = Method::ReshareChainKey;
+    test.inject_call_to_ic00(
+        method,
+        ic00::ReshareChainKeyArgs::new(
+            make_vetkd_key("some_key"),
+            nns_subnet,
+            nodes,
+            registry_version,
+        )
+        .encode(),
+        Cycles::new(0),
+    );
+    test.execute_all();
+    let response = test.xnet_messages()[0].clone();
+    assert_eq!(
+        get_reject_message(response),
+        "reshare_chain_key API is not yet implemented.",
+    )
+}
diff --git a/rs/execution_environment/src/execution_environment_metrics.rs b/rs/execution_environment/src/execution_environment_metrics.rs
@@ -186,6 +186,7 @@ impl ExecutionEnvironmentMetrics {
                     | ic00::Method::UninstallCode
                     | ic00::Method::ECDSAPublicKey
                     | ic00::Method::SchnorrPublicKey
+                    | ic00::Method::VetKdPublicKey
                     | ic00::Method::UpdateSettings
                     | ic00::Method::BitcoinGetBalance
                     | ic00::Method::BitcoinGetUtxos
@@ -216,7 +217,9 @@ impl ExecutionEnvironmentMetrics {
                     | ic00::Method::HttpRequest
                     | ic00::Method::SignWithECDSA
                     | ic00::Method::SignWithSchnorr
+                    | ic00::Method::VetKdDeriveEncryptedKey
                     | ic00::Method::ComputeInitialIDkgDealings
+                    | ic00::Method::ReshareChainKey
                     | ic00::Method::BitcoinSendTransactionInternal
                     | ic00::Method::BitcoinGetSuccessors => String::from("slow"),
                 };

diff --git a/rs/execution_environment/src/ic00_permissions.rs b/rs/execution_environment/src/ic00_permissions.rs
@@ -103,6 +103,11 @@ impl Ic00MethodPermissions {
                 allow_remote_subnet_sender: true,
                 allow_only_nns_subnet_sender: true,
             },
+            Ic00Method::ReshareChainKey => Self {
+                method,
+                allow_remote_subnet_sender: true,
+                allow_only_nns_subnet_sender: true,
+            },
             Ic00Method::SchnorrPublicKey => Self {
                 method,
                 allow_remote_subnet_sender: true,
@@ -113,6 +118,16 @@ impl Ic00MethodPermissions {
                 allow_remote_subnet_sender: true,
                 allow_only_nns_subnet_sender: false,
             },
+            Ic00Method::VetKdPublicKey => Self {
+                method,
+                allow_remote_subnet_sender: true,
+                allow_only_nns_subnet_sender: false,
+            },
+            Ic00Method::VetKdDeriveEncryptedKey => Self {
+                method,
+                allow_remote_subnet_sender: true,
+                allow_only_nns_subnet_sender: false,
+            },
             Ic00Method::BitcoinGetBalance => Self {
                 method,
                 allow_remote_subnet_sender: true,

diff --git a/rs/execution_environment/src/scheduler.rs b/rs/execution_environment/src/scheduler.rs
@@ -2203,8 +2203,11 @@ fn can_execute_subnet_msg(
         | Ic00Method::UninstallCode
         | Ic00Method::UpdateSettings
         | Ic00Method::ComputeInitialIDkgDealings
+        | Ic00Method::ReshareChainKey
         | Ic00Method::SchnorrPublicKey
         | Ic00Method::SignWithSchnorr
+        | Ic00Method::VetKdPublicKey
+        | Ic00Method::VetKdDeriveEncryptedKey
         | Ic00Method::BitcoinGetBalance
         | Ic00Method::BitcoinGetUtxos
         | Ic00Method::BitcoinGetBlockHeaders
@@ -2263,8 +2266,11 @@ fn get_instructions_limits_for_subnet_message(
             | SetupInitialDKG
             | SignWithECDSA
             | ComputeInitialIDkgDealings
+            | ReshareChainKey
             | SchnorrPublicKey
             | SignWithSchnorr
+            | VetKdPublicKey
+            | VetKdDeriveEncryptedKey
             | StartCanister
             | StopCanister
             | UninstallCode

diff --git a/rs/execution_environment/tests/dts.rs b/rs/execution_environment/tests/dts.rs
@@ -1154,8 +1154,11 @@ fn dts_aborted_execution_does_not_block_subnet_messages() {
             | Method::SetupInitialDKG
             | Method::SignWithECDSA
             | Method::ComputeInitialIDkgDealings
+            | Method::ReshareChainKey
             | Method::SchnorrPublicKey
             | Method::SignWithSchnorr
+            | Method::VetKdPublicKey
+            | Method::VetKdDeriveEncryptedKey
             | Method::BitcoinGetBalance
             | Method::BitcoinGetUtxos
             | Method::BitcoinGetBlockHeaders

diff --git a/rs/system_api/src/routing.rs b/rs/system_api/src/routing.rs
@@ -10,9 +10,10 @@ use ic_management_canister_types::{
     ClearChunkStoreArgs, ComputeInitialIDkgDealingsArgs, DeleteCanisterSnapshotArgs,
     ECDSAPublicKeyArgs, InstallChunkedCodeArgs, InstallCodeArgsV2, ListCanisterSnapshotArgs,
     LoadCanisterSnapshotArgs, MasterPublicKeyId, Method as Ic00Method, NodeMetricsHistoryArgs,
-    Payload, ProvisionalTopUpCanisterArgs, SchnorrPublicKeyArgs, SignWithECDSAArgs,
-    SignWithSchnorrArgs, StoredChunksArgs, SubnetInfoArgs, TakeCanisterSnapshotArgs,
-    UninstallCodeArgs, UpdateSettingsArgs, UploadChunkArgs,
+    Payload, ProvisionalTopUpCanisterArgs, ReshareChainKeyArgs, SchnorrPublicKeyArgs,
+    SignWithECDSAArgs, SignWithSchnorrArgs, StoredChunksArgs, SubnetInfoArgs,
+    TakeCanisterSnapshotArgs, UninstallCodeArgs, UpdateSettingsArgs, UploadChunkArgs,
+    VetKdDeriveEncryptedKeyArgs, VetKdPublicKeyArgs,
 };
 use ic_replicated_state::NetworkTopology;
 use itertools::Itertools;
@@ -205,6 +206,15 @@ pub(super) fn resolve_destination(
                 IDkgSubnetKind::OnlyHoldsKey,
             )
         }
+        Ok(Ic00Method::ReshareChainKey) => {
+            let args = ReshareChainKeyArgs::decode(payload)?;
+            route_idkg_message(
+                &args.key_id,
+                network_topology,
+                &Some(args.subnet_id),
+                IDkgSubnetKind::OnlyHoldsKey,
+            )
+        }
         Ok(Ic00Method::SchnorrPublicKey) => {
             let args = SchnorrPublicKeyArgs::decode(payload)?;
             route_idkg_message(
@@ -223,6 +233,24 @@ pub(super) fn resolve_destination(
                 IDkgSubnetKind::HoldsAndSignWithKey,
             )
         }
+        Ok(Ic00Method::VetKdPublicKey) => {
+            let args = VetKdPublicKeyArgs::decode(payload)?;
+            route_idkg_message(
+                &MasterPublicKeyId::VetKd(args.key_id),
+                network_topology,
+                &None,
+                IDkgSubnetKind::OnlyHoldsKey,
+            )
+        }
+        Ok(Ic00Method::VetKdDeriveEncryptedKey) => {
+            let args = VetKdDeriveEncryptedKeyArgs::decode(payload)?;
+            route_idkg_message(
+                &MasterPublicKeyId::VetKd(args.key_id),
+                network_topology,
+                &None,
+                IDkgSubnetKind::HoldsAndSignWithKey,
+            )
+        }
         Ok(Ic00Method::UploadChunk) => {
             let args = UploadChunkArgs::decode(payload)?;
             let canister_id = args.get_canister_id();
@@ -279,11 +307,15 @@ pub(super) fn resolve_destination(
         )),
     }
 }
+
+/// TODO(CRP-2614): Rename to include VetKD
 enum IDkgSubnetKind {
     OnlyHoldsKey,
     HoldsAndSignWithKey,
 }
 
+/// TODO(CRP-2614): Rename to include VetKD
+/// TODO(CRP-2615): Unit tests for VetKD routing
 /// Routes to the `requested_subnet` if it holds the key (and fails if that
 /// subnet doesn't hold the key).  If a `requested_subnet` is not provided,
 /// route to the first subnet enabled to sign with the given key.

diff --git a/rs/system_api/src/sandbox_safe_system_state.rs b/rs/system_api/src/sandbox_safe_system_state.rs
@@ -249,8 +249,11 @@ impl SystemStateChanges {
             | Ok(Ic00Method::SetupInitialDKG)
             | Ok(Ic00Method::ECDSAPublicKey)
             | Ok(Ic00Method::ComputeInitialIDkgDealings)
+            | Ok(Ic00Method::ReshareChainKey)
             | Ok(Ic00Method::SchnorrPublicKey)
             | Ok(Ic00Method::SignWithSchnorr)
+            | Ok(Ic00Method::VetKdPublicKey)
+            | Ok(Ic00Method::VetKdDeriveEncryptedKey)
             | Ok(Ic00Method::ProvisionalTopUpCanister)
             | Ok(Ic00Method::BitcoinSendTransactionInternal)
             | Ok(Ic00Method::BitcoinGetSuccessors)