Merge pull-request #62

Makefile

@@ -6,7 +6,7 @@ KEYS := \
 	66039AA59D823C8BD68DB062D3EC673DF9843E7B \
 	DE050A451E6FAF94C677B58B9361DEC647A087BD
 
-LOCAL_BUILD_DIR := 'build'
+LOCAL_BUILD_DIR := build
 SRC_DIR := src
 KEY_DIR := fetch/keys
 OUT_DIR := out
@@ -194,9 +194,7 @@ $(OUT_DIR)/release.env: | $(OUT_DIR)
 
 .PHONY: build-local
 build-local:
-	pushd $(shell git rev-parse --show-toplevel)/src/cmd/turnkey; \
-	go build -o ../$(LOCAL_BUILD_DIR)/turnkey; \
-	popd;
+	go build -o ./$(LOCAL_BUILD_DIR)/turnkey ./src/cmd/turnkey
 
 .PHONY: reproduce
 reproduce: clean default digests.txt
@@ -208,4 +206,4 @@ reproduce: clean default digests.txt
 $(DIST_DIR): clean default
 	rm -rf $@/*
 	cp digests.txt digests-dist.txt
-	cp -R $(OUT_DIR)/* $@/
+	cp -R $(OUT_DIR)/* $@/

src/cmd/turnkey/pkg/auth.go

@@ -1,6 +1,8 @@
 package pkg
 
 import (
+	"regexp"
+
 	"github.com/rotisserie/eris"
 
 	"github.com/tkhq/go-sdk"
@@ -53,7 +55,11 @@ func LoadKeypair(name string) {
 
 // LoadClient creates an API client from the preloaded API keypair.
 func LoadClient() {
-	transportConfig := client.DefaultTransportConfig().WithHost(apiHost)
+	scheme := "https"
+	if pattern := regexp.MustCompile(`^localhost:\d+$`); pattern.MatchString(apiHost) {
+		scheme = "http"
+	}
+	transportConfig := client.DefaultTransportConfig().WithHost(apiHost).WithSchemes([]string{scheme})
 
 	APIClient = &sdk.Client{
 		Client:        client.NewHTTPClientWithConfig(nil, transportConfig),

src/cmd/turnkey/pkg/decrypt.go

@@ -1,14 +1,16 @@
 package pkg
 
 import (
+	"crypto/ecdsa"
+
 	"github.com/rotisserie/eris"
 	"github.com/spf13/cobra"
 	"github.com/tkhq/go-sdk/pkg/enclave_encrypt"
 	"github.com/tkhq/go-sdk/pkg/encryptionkey"
 )
 
 var (
-	// Filepath to write the export bundle to.
+	// Filepath to read the export bundle from.
 	exportBundlePath string
 
 	// EncryptionKeypair is the loaded Encryption Keypair.
@@ -18,6 +20,7 @@ var (
 func init() {
 	decryptCmd.Flags().StringVar(&exportBundlePath, "export-bundle-input", "", "filepath to read the export bundle from.")
 	decryptCmd.Flags().StringVar(&plaintextPath, "plaintext-output", "", "optional filepath to write the plaintext from that will be decrypted.")
+	decryptCmd.Flags().StringVar(&signerPublicKeyOverride, "signer-quorum-key", "", "optional override for the signer quorum key. This option should be used for testing only. Leave this value empty for production decryptions.")
 
 	rootCmd.AddCommand(decryptCmd)
 }
@@ -49,13 +52,18 @@ var decryptCmd = &cobra.Command{
 			OutputError(eris.Wrap(err, "failed to decode encryption private key"))
 		}
 
-		// set up enclave encrypt client
-		signerPublic, err := hexToPublicKey(signerPublicKey)
+		var signerKey *ecdsa.PublicKey
+		if signerPublicKeyOverride != "" {
+			signerKey, err = hexToPublicKey(signerPublicKeyOverride)
+		} else {
+			signerKey, err = hexToPublicKey(signerProductionPublicKey)
+		}
 		if err != nil {
 			OutputError(err)
 		}
 
-		encryptClient, err := enclave_encrypt.NewEnclaveEncryptClientFromTargetKey(signerPublic, *kemPrivateKey)
+		// set up enclave encrypt client
+		encryptClient, err := enclave_encrypt.NewEnclaveEncryptClientFromTargetKey(signerKey, *kemPrivateKey)
 		if err != nil {
 			OutputError(err)
 		}
@@ -81,7 +89,7 @@ var decryptCmd = &cobra.Command{
 	},
 }
 
-// LoadEncryptionKeypair require-loads the keypair referenced by the given name or as referenced form the global KeyName variable, if name is empty.
+// LoadEncryptionKeypair require-loads the keypair referenced by the given name or as referenced from the global EncryptionKeyName variable, if name is empty.
 func LoadEncryptionKeypair(name string) {
 	if name == "" {
 		name = EncryptionKeyName
@@ -117,8 +125,6 @@ func LoadEncryptionKeypair(name string) {
 		User = encryptionKey.User
 	}
 
-	// If user is _still_ empty, the encryption key is not usable.
-	if User == "" {
-		OutputError(eris.New("failed to associate the encryption key with a user; please manually specify the user ID"))
-	}
+	// If user is _still_ empty, the encryption key is still usable in some cases where user ID isn't needed (export)
+	// Hence we do not error out here if encryptionKey.User is empty.
 }

src/cmd/turnkey/pkg/encrypt.go

@@ -1,6 +1,7 @@
 package pkg
 
 import (
+	"crypto/ecdsa"
 	"encoding/hex"
 	"encoding/json"
 
@@ -26,14 +27,18 @@ var (
 
 	// Format to apply to the plaintext key before it's encrypted: `mnemonic`, `hexadecimal`, `solana`. Defaults to `mnemonic`.
 	keyFormat string
+
+	// Signer quorum key in hex, uncompressed format
+	signerPublicKeyOverride string
 )
 
 func init() {
-	encryptCmd.Flags().StringVar(&importBundlePath, "import-bundle-input", "", "filepath to write the import bundle to.")
-	encryptCmd.Flags().StringVar(&encryptedBundlePath, "encrypted-bundle-output", "", "filepath to read the encrypted bundle from.")
+	encryptCmd.Flags().StringVar(&importBundlePath, "import-bundle-input", "", "filepath to read the import bundle from (result of init-import).")
+	encryptCmd.Flags().StringVar(&encryptedBundlePath, "encrypted-bundle-output", "", "filepath to write the encrypted bundle to. This encrypted bundle will be part of the final import activity params (--encrypted-bundle-input option in wallet or private key import commands).")
 	encryptCmd.Flags().StringVar(&plaintextPath, "plaintext-input", "", "filepath to read the plaintext from that will be encrypted.")
 	encryptCmd.Flags().StringVar(&keyFormat, "key-format", "mnemonic", "optional formatting to apply to the plaintext before it is encrypted.")
 	encryptCmd.Flags().StringVar(&User, "user", "", "ID of user to encrypting the plaintext.")
+	encryptCmd.Flags().StringVar(&signerPublicKeyOverride, "signer-quorum-key", "", "optional override for the signer quorum key. This option should be used for testing only. Leave this value empty for production encryptions.")
 
 	rootCmd.AddCommand(encryptCmd)
 }
@@ -67,12 +72,17 @@ var encryptCmd = &cobra.Command{
 		}
 
 		// set up enclave encrypt client
-		signerPublic, err := hexToPublicKey(signerPublicKey)
+		var signerKey *ecdsa.PublicKey
+		if signerPublicKeyOverride != "" {
+			signerKey, err = hexToPublicKey(signerPublicKeyOverride)
+		} else {
+			signerKey, err = hexToPublicKey(signerProductionPublicKey)
+		}
 		if err != nil {
 			OutputError(err)
 		}
 
-		encryptClient, err := enclave_encrypt.NewEnclaveEncryptClient(signerPublic)
+		encryptClient, err := enclave_encrypt.NewEnclaveEncryptClient(signerKey)
 		if err != nil {
 			OutputError(err)
 		}

src/cmd/turnkey/pkg/root.go

@@ -46,7 +46,7 @@ var (
 )
 
 // Turnkey Signer enclave's quorum public key.
-const signerPublicKey = "04ca7c0d624c75de6f34af342e87a21e0d8c83efd1bd5b5da0c0177c147f744fba6f01f9f37356f9c617659aafa55f6e0af8d169a8f054d153ab3201901fb63ecb04cf288fe433cc4e1aa0ce1632feac4ea26bf2f5a09dcfe5a42c398e06898710330f0572882f4dbdf0f5304b8fc8703acd69adca9a4bbf7f5d00d20a5e364b2569"
+const signerProductionPublicKey = "04cf288fe433cc4e1aa0ce1632feac4ea26bf2f5a09dcfe5a42c398e06898710330f0572882f4dbdf0f5304b8fc8703acd69adca9a4bbf7f5d00d20a5e364b2569"
 
 func init() {
 	rootCmd.PersistentFlags().StringVarP(&apiKeysDirectory, "keys-folder", "d", local.DefaultAPIKeysDir(), "directory in which to locate API keys")
@@ -253,10 +253,9 @@ func hexToPublicKey(hexString string) (*ecdsa.PublicKey, error) {
 	}
 
 	// second half is the public key bytes for the enclave quorum encryption key
-	if len(publicKeyBytes) != 130 {
-		return nil, eris.New("invalid public key length")
+	if len(publicKeyBytes) != 65 {
+		return nil, eris.Errorf("invalid public key length. Expected 65 bytes but got %d (hex string: \"%s\")", len(publicKeyBytes), publicKeyBytes)
 	}
-	encryptionPublicKeyBytes := publicKeyBytes[65:130]
 
 	// init curve instance
 	curve := elliptic.P256()
@@ -265,14 +264,14 @@ func hexToPublicKey(hexString string) (*ecdsa.PublicKey, error) {
 	byteLen := (curve.Params().BitSize + 7) / 8
 
 	// ensure the public key bytes have the correct length
-	if len(encryptionPublicKeyBytes) != 1+2*byteLen {
+	if len(publicKeyBytes) != 1+2*byteLen {
 		return nil, eris.New("invalid encryption public key length")
 	}
 
 	// extract X and Y coordinates from the public key bytes
 	// ignore first byte (prefix)
-	x := new(big.Int).SetBytes(encryptionPublicKeyBytes[1 : 1+byteLen])
-	y := new(big.Int).SetBytes(encryptionPublicKeyBytes[1+byteLen:])
+	x := new(big.Int).SetBytes(publicKeyBytes[1 : 1+byteLen])
+	y := new(big.Int).SetBytes(publicKeyBytes[1+byteLen:])
 
 	return &ecdsa.PublicKey{
 		Curve: curve,

src/cmd/turnkey/pkg/wallets.go

@@ -60,8 +60,8 @@ var walletsCmd = &cobra.Command{
 	PersistentPreRun: func(cmd *cobra.Command, args []string) {
 		basicSetup(cmd)
 		LoadKeypair("")
-		LoadEncryptionKeypair("")
 		LoadClient()
+		LoadEncryptionKeypair("")
 	},
 	Aliases: []string{},
 }
@@ -145,7 +145,7 @@ var walletExportCmd = &cobra.Command{
 		}
 
 		if exportBundlePath == "" {
-			OutputError(eris.New("export bundle path must be specified"))
+			OutputError(eris.New("--export-bundle-output must be specified"))
 		}
 	},
 	Run: func(cmd *cobra.Command, args []string) {

src/go.mod

@@ -10,8 +10,8 @@ require (
 	github.com/rotisserie/eris v0.5.4
 	github.com/spf13/cobra v1.7.0
 	github.com/stretchr/testify v1.8.4
-	github.com/tkhq/go-sdk v0.0.0-20240429154636-0a294ff69070
-	github.com/tkhq/go-sdk/pkg/enclave_encrypt v0.0.0-20240429154636-0a294ff69070
+	github.com/tkhq/go-sdk v0.0.0-20240513225018-5ebfb539ec1e
+	github.com/tkhq/go-sdk/pkg/enclave_encrypt v0.0.0-20240513225018-5ebfb539ec1e
 	gopkg.in/yaml.v3 v3.0.1
 )
 

src/go.sum

@@ -184,22 +184,10 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
-github.com/tkhq/go-sdk v0.0.0-20240424182346-feb92f1d2f52 h1:MlWRZNlA+FjE7C58NDkSD8mfMjNvLIjSSkPVrhGro2E=
-github.com/tkhq/go-sdk v0.0.0-20240424182346-feb92f1d2f52/go.mod h1:NgCPbnpGdhx+31NLwmK3iC6UftT7I70dbKXVbblVpjk=
-github.com/tkhq/go-sdk v0.0.0-20240424191015-ed73b2a6714d h1:Fks0r/TtnnhXD2TxP7tduVvcsRPMNRXzFK4fS+fFa1Y=
-github.com/tkhq/go-sdk v0.0.0-20240424191015-ed73b2a6714d/go.mod h1:NgCPbnpGdhx+31NLwmK3iC6UftT7I70dbKXVbblVpjk=
-github.com/tkhq/go-sdk v0.0.0-20240429152307-ed3619757dc3 h1:/UyUO4gDCJkEU41x75El3duhQ/7nRuOfHEPakjjpDK0=
-github.com/tkhq/go-sdk v0.0.0-20240429152307-ed3619757dc3/go.mod h1:NgCPbnpGdhx+31NLwmK3iC6UftT7I70dbKXVbblVpjk=
-github.com/tkhq/go-sdk v0.0.0-20240429154636-0a294ff69070 h1:33+OwgULLDluJDxdxjnL6zyJgg3wWZbr6//8kjqb3Q4=
-github.com/tkhq/go-sdk v0.0.0-20240429154636-0a294ff69070/go.mod h1:NgCPbnpGdhx+31NLwmK3iC6UftT7I70dbKXVbblVpjk=
-github.com/tkhq/go-sdk/pkg/enclave_encrypt v0.0.0-20240424182346-feb92f1d2f52 h1:XQaUYa/l3SVVykk7gV9+xihmzbp+VDwAZng0BQ2QaW8=
-github.com/tkhq/go-sdk/pkg/enclave_encrypt v0.0.0-20240424182346-feb92f1d2f52/go.mod h1:BvoxNhFz61TSwjbULvHYdeV0aS68qkcHXpGkJFVkzrw=
-github.com/tkhq/go-sdk/pkg/enclave_encrypt v0.0.0-20240424191015-ed73b2a6714d h1:bb6SnXl819EqBv5QhEn5wUZHTIdsLYdx9v04KcsCXho=
-github.com/tkhq/go-sdk/pkg/enclave_encrypt v0.0.0-20240424191015-ed73b2a6714d/go.mod h1:BvoxNhFz61TSwjbULvHYdeV0aS68qkcHXpGkJFVkzrw=
-github.com/tkhq/go-sdk/pkg/enclave_encrypt v0.0.0-20240429152307-ed3619757dc3 h1:faQ1L5IoSYsCnUDJMGse40eo6/VloMoAzeIyPs5vcb0=
-github.com/tkhq/go-sdk/pkg/enclave_encrypt v0.0.0-20240429152307-ed3619757dc3/go.mod h1:BvoxNhFz61TSwjbULvHYdeV0aS68qkcHXpGkJFVkzrw=
-github.com/tkhq/go-sdk/pkg/enclave_encrypt v0.0.0-20240429154636-0a294ff69070 h1:0t804AkowFXHPAEkr2WsDCOvShPzIe61Q0EYebSdmNw=
-github.com/tkhq/go-sdk/pkg/enclave_encrypt v0.0.0-20240429154636-0a294ff69070/go.mod h1:BvoxNhFz61TSwjbULvHYdeV0aS68qkcHXpGkJFVkzrw=
+github.com/tkhq/go-sdk v0.0.0-20240513225018-5ebfb539ec1e h1:sO/sz9Jsmdbh9VEpil3KLE3DfJzHBKiRPVQy4koZH9A=
+github.com/tkhq/go-sdk v0.0.0-20240513225018-5ebfb539ec1e/go.mod h1:NgCPbnpGdhx+31NLwmK3iC6UftT7I70dbKXVbblVpjk=
+github.com/tkhq/go-sdk/pkg/enclave_encrypt v0.0.0-20240513225018-5ebfb539ec1e h1:6TQn08QGF615Bt2LRNv1MwlI5qL9NlpO2A/DIKX8MUo=
+github.com/tkhq/go-sdk/pkg/enclave_encrypt v0.0.0-20240513225018-5ebfb539ec1e/go.mod h1:BvoxNhFz61TSwjbULvHYdeV0aS68qkcHXpGkJFVkzrw=
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
 github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+hCSs=
 github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g=