From 2a47a4d58f86b0ff84dd0dafd89e131055005735 Mon Sep 17 00:00:00 2001 From: krehermann <16602512+krehermann@users.noreply.github.com> Date: Mon, 14 Oct 2024 13:36:17 -0600 Subject: [PATCH] use csa key as default encryption key when registering nodes in cap reg (#14758) --- .../deployment/keystone/deploy.go | 2 +- .../deployment/keystone/ocr3config.go | 1 + .../deployment/keystone/types.go | 52 ++++++++++++++----- 3 files changed, 41 insertions(+), 14 deletions(-) diff --git a/integration-tests/deployment/keystone/deploy.go b/integration-tests/deployment/keystone/deploy.go index 67613a67919..204247fd721 100644 --- a/integration-tests/deployment/keystone/deploy.go +++ b/integration-tests/deployment/keystone/deploy.go @@ -577,7 +577,7 @@ func registerNodes(lggr logger.Logger, req *registerNodesRequest) (*registerNode NodeOperatorId: nop.NodeOperatorId, Signer: n.Signer, P2pId: n.P2PKey, - EncryptionPublicKey: [32]byte{0x01}, // unused in tests + EncryptionPublicKey: n.EncryptionPublicKey, HashedCapabilityIds: hashedCapabilityIds, } } else { diff --git a/integration-tests/deployment/keystone/ocr3config.go b/integration-tests/deployment/keystone/ocr3config.go index 721e85e8cd5..343ddae696f 100644 --- a/integration-tests/deployment/keystone/ocr3config.go +++ b/integration-tests/deployment/keystone/ocr3config.go @@ -61,6 +61,7 @@ type NodeKeys struct { OCR2OffchainPublicKey string `json:"OCR2OffchainPublicKey"` // ocr2off_evm_ OCR2ConfigPublicKey string `json:"OCR2ConfigPublicKey"` // ocr2cfg_evm_ CSAPublicKey string `json:"CSAPublicKey"` + EncryptionPublicKey string `json:"EncryptionPublicKey"` } type Orc2drOracleConfig struct { diff --git a/integration-tests/deployment/keystone/types.go b/integration-tests/deployment/keystone/types.go index dc0ccea75f8..d49d2180436 100644 --- a/integration-tests/deployment/keystone/types.go +++ b/integration-tests/deployment/keystone/types.go @@ -55,13 +55,15 @@ type Nop struct { // with the capabilities registry. Signer and P2PKey are chain agnostic. // TODO: KS-466 when we migrate fully to the JD offchain client, we should be able remove this shim and use environment.Node directly type ocr2Node struct { - ID string - Signer [32]byte // note that in capabilities registry we need a [32]byte, but in the forwarder we need a common.Address [20]byte - P2PKey p2pkey.PeerID - IsBoostrap bool + ID string + Signer [32]byte // note that in capabilities registry we need a [32]byte, but in the forwarder we need a common.Address [20]byte + P2PKey p2pkey.PeerID + EncryptionPublicKey [32]byte + IsBoostrap bool // useful when have to register the ocr3 contract config p2pKeyBundle *v1.OCR2Config_P2PKeyBundle ocrKeyBundle *v1.OCR2Config_OCRKeyBundle + csaKey string // *v1.Node.PublicKey accountAddress string } @@ -77,14 +79,32 @@ func (o *ocr2Node) toNodeKeys() NodeKeys { OCR2OnchainPublicKey: o.ocrKeyBundle.OnchainSigningAddress, OCR2OffchainPublicKey: o.ocrKeyBundle.OffchainPublicKey, OCR2ConfigPublicKey: o.ocrKeyBundle.ConfigPublicKey, + CSAPublicKey: o.csaKey, + // default value of encryption public key is the CSA public key + // TODO: DEVSVCS-760 + EncryptionPublicKey: o.csaKey, // TODO Aptos support. How will that be modeled in clo data? } } -func newOcr2Node(id string, ccfg *v1.ChainConfig) (*ocr2Node, error) { +func newOcr2Node(id string, ccfg *v1.ChainConfig, csaPubKey string) (*ocr2Node, error) { if ccfg == nil { return nil, errors.New("nil ocr2config") } + if csaPubKey == "" { + return nil, errors.New("empty csa public key") + } + // parse csapublic key to + csaKey, err := hex.DecodeString(csaPubKey) + if err != nil { + return nil, fmt.Errorf("failed to decode csa public key %s: %w", csaPubKey, err) + } + if len(csaKey) != 32 { + return nil, fmt.Errorf("invalid csa public key '%s'. expected len 32 got %d", csaPubKey, len(csaKey)) + } + var csaKeyb [32]byte + copy(csaKeyb[:], csaKey) + ocfg := ccfg.Ocr2Config p := p2pkey.PeerID{} if err := p.UnmarshalString(ocfg.P2PKeyBundle.PeerId); err != nil { @@ -104,13 +124,15 @@ func newOcr2Node(id string, ccfg *v1.ChainConfig) (*ocr2Node, error) { copy(sigb[:], signerB) return &ocr2Node{ - ID: id, - Signer: sigb, - P2PKey: p, - IsBoostrap: ocfg.IsBootstrap, - p2pKeyBundle: ocfg.P2PKeyBundle, - ocrKeyBundle: ocfg.OcrKeyBundle, - accountAddress: ccfg.AccountAddress, + ID: id, + Signer: sigb, + P2PKey: p, + EncryptionPublicKey: csaKeyb, + IsBoostrap: ocfg.IsBootstrap, + p2pKeyBundle: ocfg.P2PKeyBundle, + ocrKeyBundle: ocfg.OcrKeyBundle, + accountAddress: ccfg.AccountAddress, + csaKey: csaPubKey, }, nil } @@ -196,13 +218,17 @@ func mapDonsToNodes(dons []DonCapabilities, excludeBootstraps bool) (map[string] for _, don := range dons { for _, nop := range don.Nops { for _, node := range nop.Nodes { + csaPubKey := node.PublicKey + if csaPubKey == nil { + return nil, fmt.Errorf("no public key for node %s", node.ID) + } // the chain configs are equivalent as far as the ocr2 config is concerned so take the first one if len(node.ChainConfigs) == 0 { return nil, fmt.Errorf("no chain configs for node %s. cannot obtain keys", node.ID) } chain := node.ChainConfigs[0] ccfg := chainConfigFromClo(chain) - ocr2n, err := newOcr2Node(node.ID, ccfg) + ocr2n, err := newOcr2Node(node.ID, ccfg, *csaPubKey) if err != nil { return nil, fmt.Errorf("failed to create ocr2 node for node %s: %w", node.ID, err) }