test(crypto): CRP-2599 add smoke test for VetKdProtocol impl

rs/crypto/BUILD.bazel

@@ -17,6 +17,7 @@ DEPENDENCIES = [
     "//rs/crypto/ed25519",
     "//rs/crypto/interfaces/sig_verification",
     "//rs/crypto/internal/crypto_lib/basic_sig/ed25519",
+    "//rs/crypto/internal/crypto_lib/bls12_381/vetkd",
     "//rs/crypto/internal/crypto_lib/seed",
     "//rs/crypto/internal/crypto_lib/threshold_sig/bls12_381",
     "//rs/crypto/internal/crypto_lib/threshold_sig/canister_threshold_sig",
@@ -58,6 +59,7 @@ MACRO_DEPENDENCIES = [
 
 DEV_DEPENDENCIES = [
     # Keep sorted.
+    "//packages/ic-vetkd-utils",
     "//rs/certification/test-utils",
     "//rs/crypto/ecdsa_secp256r1",
     "//rs/crypto/for_verification_only",

rs/crypto/Cargo.toml

@@ -25,6 +25,7 @@ ic-crypto-internal-logmon = { path = "internal/logmon" }
 ic-crypto-internal-seed = { path = "internal/crypto_lib/seed" }
 ic-crypto-internal-threshold-sig-bls12381 = { path = "internal/crypto_lib/threshold_sig/bls12_381" }
 ic-crypto-internal-threshold-sig-canister-threshold-sig = { path = "internal/crypto_lib/threshold_sig/canister_threshold_sig" }
+ic-crypto-internal-bls12-381-vetkd = { path = "internal/crypto_lib/bls12_381/vetkd" }
 ic-crypto-internal-types = { path = "internal/crypto_lib/types" }
 ic-crypto-standalone-sig-verifier = { path = "standalone-sig-verifier" }
 ic-crypto-tls-cert-validation = { path = "node_key_validation/tls_cert_validation" }
@@ -40,6 +41,7 @@ ic-protobuf = { path = "../protobuf" }
 ic-registry-client-helpers = { path = "../registry/helpers" }
 ic-registry-keys = { path = "../registry/keys" }
 ic-types = { path = "../types/types" }
+ic-vetkd-utils = { path = "../../packages/ic-vetkd-utils" }
 parking_lot = { workspace = true }
 rustls = { workspace = true }
 serde = { workspace = true }

rs/crypto/internal/crypto_service_provider/src/vault/api.rs

@@ -974,10 +974,14 @@ pub trait VetKdCspVault {
 /// Vault-level error for vetKD key share creation.
 #[derive(Clone, Eq, PartialEq, Debug, Deserialize, Serialize)]
 pub enum VetKdEncryptedKeyShareCreationVaultError {
-    /// If some arguments are invalid
-    InvalidArgument(String),
+    /// If the secret key is missing in the key store of if it has the wrong type
+    SecretKeyMissingOrWrongType(String),
     /// If a transient internal error occurs, e.g., an RPC error communicating with the remote vault
     TransientInternalError(String),
+    /// If the given master public key is invalid
+    InvalidArgumentMasterPublicKey,
+    /// If the given encryption public key is invalid
+    InvalidArgumentEncryptionPublicKey,
 }
 
 /// An error returned by failing to generate a public seed from [`CspVault`].

rs/crypto/internal/crypto_service_provider/src/vault/local_csp_vault/vetkd/mod.rs

@@ -60,40 +60,35 @@ impl<R: Rng + CryptoRng, S: SecretKeyStore, C: SecretKeyStore, P: PublicKeyStore
     ) -> Result<VetKdEncryptedKeyShareContent, VetKdEncryptedKeyShareCreationVaultError> {
         let master_public_key =
             G2Affine::deserialize(&master_public_key).map_err(|_: PairingInvalidPoint| {
-                VetKdEncryptedKeyShareCreationVaultError::InvalidArgument(format!(
-                    "invalid master public key: 0x{}",
-                    hex::encode(&master_public_key)
-                ))
+                VetKdEncryptedKeyShareCreationVaultError::InvalidArgumentMasterPublicKey
             })?;
 
         let transport_public_key = TransportPublicKey::deserialize(&encryption_public_key)
             .map_err(|e| match e {
                 TransportPublicKeyDeserializationError::InvalidPublicKey => {
-                    VetKdEncryptedKeyShareCreationVaultError::InvalidArgument(format!(
-                        "invalid encryption public key: 0x{}",
-                        hex::encode(&encryption_public_key)
-                    ))
+                    VetKdEncryptedKeyShareCreationVaultError::InvalidArgumentEncryptionPublicKey
                 }
             })?;
 
         let secret_key_from_store = self.sks_read_lock().get(&key_id).ok_or(
-            VetKdEncryptedKeyShareCreationVaultError::InvalidArgument(format!(
-                "missing key with ID {key_id:?}",
+            VetKdEncryptedKeyShareCreationVaultError::SecretKeyMissingOrWrongType(format!(
+                "missing key with ID {key_id}"
             )),
         )?;
-        let secret_bls_scalar = if let CspSecretKey::ThresBls12_381(secret_key_bytes) =
-            &secret_key_from_store
-        {
-            // We use the unchecked deserialization here because it is slighly cheaper, but mainly because
-            // it cannot fail, and the data is anyway trusted as it comes from the secret key store.
-            Ok(Scalar::deserialize_unchecked(
-                secret_key_bytes.inner_secret().expose_secret(),
-            ))
-        } else {
-            Err(VetKdEncryptedKeyShareCreationVaultError::InvalidArgument(
-                format!("wrong secret key type for key with ID {key_id}: expected ThresBls12_381"),
-            ))
-        }?;
+        let secret_bls_scalar =
+            if let CspSecretKey::ThresBls12_381(secret_key_bytes) = &secret_key_from_store {
+                // We use the unchecked deserialization here because it is slighly cheaper, but mainly because
+                // it cannot fail, and the data is anyway trusted as it comes from the secret key store.
+                Ok(Scalar::deserialize_unchecked(
+                    secret_key_bytes.inner_secret().expose_secret(),
+                ))
+            } else {
+                Err(
+                    VetKdEncryptedKeyShareCreationVaultError::SecretKeyMissingOrWrongType(format!(
+                        "wrong secret key type for key with ID {key_id}: expected ThresBls12_381"
+                    )),
+                )
+            }?;
 
         // Create encrypted key share using our library
         let encrypted_key_share = EncryptedKeyShare::create(

rs/crypto/internal/crypto_service_provider/src/vault/local_csp_vault/vetkd/tests.rs

@@ -63,8 +63,8 @@ fn should_fail_to_create_key_share_with_invalid_master_public_key() {
     let result = test_env.create_encrypted_vetkd_key_share();
 
     assert_matches!(
-        result, Err(VetKdEncryptedKeyShareCreationVaultError::InvalidArgument(error))
-        if error.contains("invalid master public key")
+        result,
+        Err(VetKdEncryptedKeyShareCreationVaultError::InvalidArgumentMasterPublicKey)
     );
 }
 
@@ -79,8 +79,8 @@ fn should_fail_to_create_key_share_with_invalid_encryption_public_key() {
     let result = test_env.create_encrypted_vetkd_key_share();
 
     assert_matches!(
-        result, Err(VetKdEncryptedKeyShareCreationVaultError::InvalidArgument(error))
-        if error.contains("invalid encryption public key")
+        result,
+        Err(VetKdEncryptedKeyShareCreationVaultError::InvalidArgumentEncryptionPublicKey)
     );
 }
 
@@ -94,7 +94,7 @@ fn should_fail_to_create_key_share_if_key_is_missing_in_secret_key_store() {
     let result = test_env.create_encrypted_vetkd_key_share();
 
     assert_matches!(
-        result, Err(VetKdEncryptedKeyShareCreationVaultError::InvalidArgument(error))
+        result, Err(VetKdEncryptedKeyShareCreationVaultError::SecretKeyMissingOrWrongType(error))
         if error.contains("missing key with ID")
     );
 }
@@ -111,7 +111,7 @@ fn should_fail_to_create_key_share_if_key_in_secret_key_store_has_wrong_type() {
     let result = test_env.create_encrypted_vetkd_key_share();
 
     assert_matches!(
-        result, Err(VetKdEncryptedKeyShareCreationVaultError::InvalidArgument(error))
+        result, Err(VetKdEncryptedKeyShareCreationVaultError::SecretKeyMissingOrWrongType(error))
         if error.contains("wrong secret key type")
     );
 }

rs/crypto/src/lib.rs

@@ -16,6 +16,7 @@ mod common;
 mod keygen;
 mod sign;
 mod tls;
+mod vetkd;
 
 use ic_crypto_internal_csp::vault::api::CspVault;
 pub use sign::{

rs/crypto/src/sign/mod.rs

@@ -1,7 +1,5 @@
 use super::*;
 
-use crate::sign::basic_sig::BasicSigVerifierInternal;
-use crate::sign::basic_sig::BasicSignerInternal;
 use crate::sign::multi_sig::MultiSigVerifierInternal;
 use crate::sign::multi_sig::MultiSignerInternal;
 use crate::sign::threshold_sig::{ThresholdSigVerifierInternal, ThresholdSignerInternal};
@@ -37,7 +35,9 @@ use ic_types::{NodeId, RegistryVersion, SubnetId};
 use std::collections::{BTreeMap, BTreeSet};
 use std::convert::TryFrom;
 
-pub use threshold_sig::ThresholdSigDataStoreImpl;
+pub(crate) use basic_sig::{BasicSigVerifierInternal, BasicSignerInternal};
+pub(crate) use threshold_sig::lazily_calculated_public_key_from_store;
+pub use threshold_sig::{ThresholdSigDataStore, ThresholdSigDataStoreImpl};
 
 mod basic_sig;
 mod canister_threshold_sig;

rs/crypto/src/sign/threshold_sig.rs

@@ -192,7 +192,7 @@ impl ThresholdSigVerifierInternal {
 /// Given that both cases indicate that the implementations of DKG and threshold
 /// signatures are not aligned and also a caller could not recover from this, we
 /// panic.
-fn lazily_calculated_public_key_from_store<C: ThresholdSignatureCspClient>(
+pub(crate) fn lazily_calculated_public_key_from_store<C: ThresholdSignatureCspClient>(
     lockable_threshold_sig_data_store: &LockableThresholdSigDataStore,
     threshold_sig_csp_client: &C,
     dkg_id: &NiDkgId,