feat: Update cryptography tools to support tssEncryptionKey loading and generation
#16780
Conversation
Signed-off-by: Derek Riley <derek.riley@swirldslabs.com>
…rate-tssEncryptionKey
Signed-off-by: Derek Riley <derek.riley@swirldslabs.com>
Signed-off-by: Derek Riley <derek.riley@swirldslabs.com>
Signed-off-by: Derek Riley <derek.riley@swirldslabs.com>
Signed-off-by: Derek Riley <derek.riley@swirldslabs.com>
Coverage summary from CodacySee diff coverage on Codacy
Coverage variation details
Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: Diff coverage details
Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: See your quality gate settings Change summary preferencesCodacy stopped sending the deprecated coverage status on June 5th, 2024. Learn more |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## develop #16780 +/- ##
==========================================
Coverage 63.53% 63.54%
- Complexity 20370 20381 +11
==========================================
Files 2537 2537
Lines 94746 94813 +67
Branches 9902 9910 +8
==========================================
+ Hits 60198 60250 +52
- Misses 30941 30955 +14
- Partials 3607 3608 +1
... and 11 files with indirect coverage changes |
…rate-tssEncryptionKey
Signed-off-by: Derek Riley <derek.riley@swirldslabs.com>
| final SignatureSchema SIGNATURE_SCHEMA = | ||
| SignatureSchema.create(Curve.ALT_BN128, GroupAssignment.SHORT_SIGNATURES); | ||
| if (secureRandom == null) { | ||
| return BlsKeyPair.generate(SIGNATURE_SCHEMA); |
There was a problem hiding this comment.
Nit: might be beneficial to add a debug log that the default secure random generator is being used here ?
| @@ -171,6 +179,11 @@ public static KeysAndCerts generate( | |||
| agrDetRandom.setSeed(AGR_SEED); | |||
| agrKeyGen.initialize(CryptoConstants.AGR_KEY_SIZE_BITS, agrDetRandom); | |||
|
|
|||
| tssEncryptionKeyRandom.setSeed(masterKey); | |||
There was a problem hiding this comment.
Repeated code for setting seeds for different key generators. Could be refactored/extracted into separate methods (but not required 😄 ).
| @@ -0,0 +1,3 @@ | |||
| -----BEGIN PRIVATE KEY----- | |||
| AVS7ccxMt5screfvBWYJkUhm3SRhdkNxvsk8KcDMEXgl | |||
| -----END PRIVATE KEY----- | |||
There was a problem hiding this comment.
Would add newlines for consistency, compatibility etc.
Signed-off-by: Derek Riley <derek.riley@swirldslabs.com>
| @@ -238,16 +238,16 @@ dependencies.constraints { | |||
| api("com.google.protobuf:protoc:3.25.4") | |||
| api("io.grpc:protoc-gen-grpc-java:1.66.0") | |||
|
|
|||
| api("com.hedera.cryptography:hedera-cryptography-pairings-api:0.1.0-SNAPSHOT") { | |||
| api("com.hedera.cryptography:hedera-cryptography-pairings-api:0.1.1-SNAPSHOT") { | |||
There was a problem hiding this comment.
You can merge back develop. This change should be merged
…rate-tssEncryptionKey
Signed-off-by: Derek Riley <derek.riley@swirldslabs.com>
| @Test | ||
| @DisplayName("KeyStore Loader Corrupt TSS Key Test") | ||
| void keyStoreLoaderNegativeCorruptTssKey() throws IOException { | ||
| final Path keyDirectory = testDataDirectory.resolve("enhanced-invalid-case-3"); |
There was a problem hiding this comment.
nit: could pass in directoryName as a parameter for testing multiple versions
|
|
||
| assertThat(loader).isNotNull(); | ||
| assertThatCode(loader::migrate).doesNotThrowAnyException(); | ||
| assertThatCode(loader::scan).isInstanceOf(KeyLoadingException.class); |
There was a problem hiding this comment.
optional: add custom assertion messages e.g.
assertThatCode(loader::scan)
.as("Scan operation should throw KeyLoadingException when processing a corrupt TSS key in '%s'", keyDirectory)
.isInstanceOf(KeyLoadingException.class);
| Objects.requireNonNull(nodeId, MSG_NODE_ID_NON_NULL); | ||
| Objects.requireNonNull(nodeAlias, MSG_NODE_ALIAS_NON_NULL); | ||
|
|
||
| Path keyLocation = keyStoreDirectory.resolve(String.format("t-private-%s.tss", nodeAlias)); |
There was a problem hiding this comment.
could validate or sanitize nodeAlias to ensure it is always safe for filenames before using it to construct the path.
| */ | ||
| public static BlsKeyPair generateBlsKeyPair(@Nullable final SecureRandom secureRandom) | ||
| throws NoSuchAlgorithmException { | ||
| final SignatureSchema SIGNATURE_SCHEMA = |
There was a problem hiding this comment.
Signature_Schema is constant and could be made static for re-use to avoid recreating it for every call
Description:
This pull request addresses the need for the cryptography code to load a
tssEncryptionKeyfrom disk or generate it and write the private key to disk.Enhancements to TSS key handling:
platform-sdk/swirlds-platform-core/src/main/java/com/swirlds/platform/crypto/CryptoStatic.java: Added a new methodgenerateBlsKeyPairto generate aBlsKeyPairusing aSignatureSchemaand an optionalSecureRandominstance.platform-sdk/swirlds-platform-core/src/main/java/com/swirlds/platform/crypto/EnhancedKeyStoreLoader.java:tssPrivateKeysandtssPublicKeysto store TSS encryption keys as they are being read from disk or generated.scan,generate, andverifymethods to handle TSS keys. [1] [2] [3]resolveTssPrivateKeyto load TSS private keys from disk.platform-sdk/swirlds-platform-core/src/main/java/com/swirlds/platform/crypto/KeysAndCerts.java:KeysAndCertsrecord to include TSS encryption keys.generateandloadExistingAndCreateAgrKeyIfMissingmethods to handle TSS keys. [1] [2]Updates to dependencies and tests:
platform-sdk/swirlds-platform-core/src/main/java/module-info.java: Added a dependency oncom.hedera.cryptography.bls.platform-sdk/swirlds-platform-core/src/test/java/com/swirlds/platform/crypto/EnhancedKeyStoreLoaderTest.java:keyStoreLoaderPositiveTestto include a new test case for TSS keys.Added TSS private key files for new test cases. [1] [2] [3]
Related issue(s):
Fixes #14767
Notes for reviewer:
Checklist