refactor(crypto): CRP-2499 remove key generation CSP APIs

rs/crypto/internal/crypto_service_provider/BUILD.bazel

@@ -101,7 +101,7 @@ DEV_MACRO_DEPENDENCIES = [
 rust_library(
     name = "crypto_service_provider",
     srcs = glob([
-        "src/**",
+        "src/**/*.rs",
     ]),
     crate_name = "ic_crypto_internal_csp",
     proc_macro_deps = MACRO_DEPENDENCIES,

rs/crypto/internal/crypto_service_provider/src/api/canister_threshold.rs

@@ -1,31 +1,2 @@
-//! CSP canister threshold signature traits
-
-use ic_crypto_internal_threshold_sig_ecdsa::MEGaPublicKey;
-
 pub mod errors;
 pub use errors::*;
-
-/// Crypto service provider (CSP) client for interactive distributed key
-/// generation (IDkg) for canister threshold signatures.
-pub trait CspIDkgProtocol {
-    /// Generate a MEGa public/private key pair for encrypting threshold key shares in transmission
-    /// from dealers to receivers. The generated public key will be stored in the node's public key store
-    /// while the private key will be stored in the node's secret key store.
-    ///
-    /// # Returns
-    /// Generated public key.
-    ///
-    /// # Errors
-    /// * [`CspCreateMEGaKeyError::SerializationError`] if serialization of public or private key
-    ///   before storing it in their respective key store failed.
-    /// * [`CspCreateMEGaKeyError::TransientInternalError`] if there is a
-    ///   transient internal error, e.g,. an IO error when writing a key to
-    ///   disk, or an RPC error when calling a remote CSP vault.
-    /// * [`CspCreateMEGaKeyError::DuplicateKeyId`] if there already
-    ///   exists a secret key in the store for the secret key ID derived from
-    ///   the public part of the randomly generated key pair. This error
-    ///   most likely indicates a bad randomness source.
-    /// * [`CspCreateMEGaKeyError::InternalError`]: if the key ID for the secret key cannot be
-    ///   derived from the generated public key.
-    fn idkg_gen_dealing_encryption_key_pair(&self) -> Result<MEGaPublicKey, CspCreateMEGaKeyError>;
-}

rs/crypto/internal/crypto_service_provider/src/api/keygen.rs

@@ -1,73 +1,8 @@
 use ic_crypto_node_key_validation::ValidNodePublicKeys;
 
-use super::super::types::{CspPop, CspPublicKey};
-use crate::vault::api::{
-    CspBasicSignatureKeygenError, CspMultiSignatureKeygenError, CspPublicKeyStoreError,
-    CspTlsKeygenError, ValidatePksAndSksError,
-};
+use crate::vault::api::{CspPublicKeyStoreError, ValidatePksAndSksError};
 use crate::{ExternalPublicKeys, PksAndSksContainsErrors};
-use ic_crypto_tls_interfaces::TlsPublicKeyCert;
 use ic_types::crypto::CurrentNodePublicKeys;
-use ic_types::NodeId;
-
-/// A trait that can be used to generate cryptographic key pairs
-pub trait CspKeyGenerator {
-    /// Generate a node signing public/private key pair.
-    ///
-    /// # Returns
-    /// The public key of the keypair
-    /// # Errors
-    /// * [`CryptoError::InternalError`] if there is an internal
-    ///   error (e.g., the public key in the public key store is already set).
-    /// * [`CryptoError::TransientInternalError`] if there is a transient
-    ///   internal error, e.g., an IO error when writing a key to disk, or an
-    ///   RPC error when calling the CSP vault.
-    /// # Panics
-    /// If there already exists a secret key in the store for the secret key ID
-    /// derived from the public key. This error most likely indicates a bad
-    /// randomness source.
-    fn gen_node_signing_key_pair(&self) -> Result<CspPublicKey, CspBasicSignatureKeygenError>;
-
-    /// Generates a committee signing public/private key pair.
-    ///
-    /// # Returns
-    /// The public key and the proof of possession (PoP) of the keypair
-    ///
-    /// # Errors
-    /// * [`CryptoError::InternalError`] if there is an internal
-    ///   error (e.g., the public key in the public key store is already set).
-    /// * [`CryptoError::TransientInternalError`] if there is a transient
-    ///   internal error, e.g,. an IO error when writing a key to disk, or an
-    ///   RPC error when calling the CSP vault.
-    ///
-    /// # Panics
-    /// If there already exists a secret key in the store for the secret key ID
-    /// derived from the public key. This error most likely indicates a bad
-    /// randomness source.
-    fn gen_committee_signing_key_pair(
-        &self,
-    ) -> Result<(CspPublicKey, CspPop), CspMultiSignatureKeygenError>;
-
-    /// Generates TLS key material for node with ID `node_id`.
-    ///
-    /// The secret key is stored in the key store and used to create a
-    /// self-signed X.509 public key certificate with
-    /// * a random serial,
-    /// * the common name of both subject and issuer being the `ToString` form
-    ///   of the given `node_id`,
-    /// * validity starting 2 minutes before the time of calling this method, and
-    /// * no well-defined certificate expiration date (a `notAfter` value set to the
-    ///   `GeneralizedTime` value of `99991231235959Z` as specified according to
-    ///   section 4.1.2.5 in RFC 5280).
-    ///
-    /// # Returns
-    /// The public key certificate.
-    ///
-    /// # Errors
-    /// * if a malformed X509 certificate is generated
-    /// * if this function is called more than once
-    fn gen_tls_key_pair(&self, node_id: NodeId) -> Result<TlsPublicKeyCert, CspTlsKeygenError>;
-}
 
 /// A trait that allows simultaneously checking the public and secret key stores for the
 /// availability of a key.

rs/crypto/internal/crypto_service_provider/src/api/mod.rs

@@ -6,8 +6,8 @@ mod sign;
 mod threshold;
 mod tls;
 
-pub use canister_threshold::{CspCreateMEGaKeyError, CspIDkgProtocol};
-pub use keygen::{CspKeyGenerator, CspPublicAndSecretKeyStoreChecker, CspPublicKeyStore};
+pub use canister_threshold::CspCreateMEGaKeyError;
+pub use keygen::{CspPublicAndSecretKeyStoreChecker, CspPublicKeyStore};
 pub use sign::{CspSigVerifier, CspSigner};
 pub use threshold::{
     threshold_sign_error::CspThresholdSignError, NiDkgCspClient, ThresholdSignatureCspClient,

rs/crypto/internal/crypto_service_provider/src/api/threshold.rs

@@ -4,12 +4,12 @@ use crate::api::CspThresholdSignError;
 use crate::types::{CspPublicCoefficients, CspSecretKeyConversionError, CspSignature};
 use ic_crypto_internal_threshold_sig_bls12381::api::ni_dkg_errors;
 use ic_crypto_internal_types::sign::threshold_sig::ni_dkg::{
-    CspFsEncryptionPop, CspFsEncryptionPublicKey, CspNiDkgDealing, CspNiDkgTranscript, Epoch,
+    CspFsEncryptionPublicKey, CspNiDkgDealing, CspNiDkgTranscript, Epoch,
 };
 use ic_crypto_internal_types::sign::threshold_sig::public_key::CspThresholdSigPublicKey;
 use ic_types::crypto::threshold_sig::ni_dkg::NiDkgId;
 use ic_types::crypto::{AlgorithmId, CryptoResult};
-use ic_types::{NodeId, NodeIndex, NumberOfNodes};
+use ic_types::{NodeIndex, NumberOfNodes};
 use serde::{Deserialize, Serialize};
 use std::collections::BTreeMap;
 use std::collections::BTreeSet;
@@ -154,35 +154,6 @@ pub trait ThresholdSignatureCspClient {
 ///
 /// TODO(CRP-564): Remove the csp_ prefix from argument names.
 pub trait NiDkgCspClient {
-    /// Generates a forward secure dealing encryption key pair used to encrypt threshold key shares
-    /// in transmission.
-    ///
-    /// Note: FS keys are NOT threshold keys.
-    ///
-    /// The secret key is stored in the secret key store.  It is not returned by
-    /// the method as that would violate the principle that secret keys never
-    /// leave the CSP.  The public key and the proof of possession are returned.
-    /// The public key can be used to verify signatures, it also needs to be
-    /// provided when signing as it is used to retrieve the secret key from the
-    /// key store.
-    ///
-    /// # Arguments
-    /// * `node_id` is the identity of the node generating the public key.
-    /// # Errors
-    /// * `CspDkgCreateFsKeyError::InternalError` if there is an internal
-    ///   error (e.g., the public key in the public key store is already set).
-    /// * `CspDkgCreateFsKeyError::DuplicateKeyId` if there already
-    ///   exists a secret key in the store for the secret key ID derived from
-    ///   the public part of the randomly generated key pair. This error
-    ///   most likely indicates a bad randomness source.
-    /// * `CspDkgCreateFsKeyError::TransientInternalError` if there is a transient
-    ///   internal error, e.g., an IO error when writing a key to disk, or an
-    ///   RPC error when calling a remote CSP vault.
-    fn gen_dealing_encryption_key_pair(
-        &self,
-        node_id: NodeId,
-    ) -> Result<(CspFsEncryptionPublicKey, CspFsEncryptionPop), ni_dkg_errors::CspDkgCreateFsKeyError>;
-
     /// Updates the epoch of the (forward-secure) DKG dealing decryption key
     /// (i.e., the secret part of the DKG dealing encryption key) so that it
     /// cannot be used at epochs that are smaller than the given epoch.

rs/crypto/internal/crypto_service_provider/src/canister_threshold/mod.rs

@@ -7,22 +7,7 @@
 #[cfg(test)]
 mod tests;
 
-use crate::api::{CspCreateMEGaKeyError, CspIDkgProtocol};
-use crate::Csp;
-use ic_crypto_internal_threshold_sig_ecdsa::MEGaPublicKey;
 use ic_crypto_internal_types::scope::{ConstScope, Scope};
-use ic_logger::debug;
 
 pub const IDKG_MEGA_SCOPE: Scope = Scope::Const(ConstScope::IDkgMEGaEncryptionKeys);
 pub const IDKG_THRESHOLD_KEYS_SCOPE: Scope = Scope::Const(ConstScope::IDkgThresholdKeys);
-
-/// Interactive distributed key generation client
-///
-/// Please see the trait definition for full documentation.
-impl CspIDkgProtocol for Csp {
-    fn idkg_gen_dealing_encryption_key_pair(&self) -> Result<MEGaPublicKey, CspCreateMEGaKeyError> {
-        debug!(self.logger; crypto.method_name => "idkg_gen_dealing_encryption_key_pair");
-
-        self.csp_vault.idkg_gen_dealing_encryption_key_pair()
-    }
-}

rs/crypto/internal/crypto_service_provider/src/keygen/mod.rs

@@ -1,35 +1,8 @@
-//! Utilities for key generation and key identifier generation
-
-use crate::api::CspKeyGenerator;
-use crate::types::{CspPop, CspPublicKey};
-use crate::vault::api::{
-    CspBasicSignatureKeygenError, CspMultiSignatureKeygenError, CspTlsKeygenError,
-};
-use crate::Csp;
-use ic_crypto_tls_interfaces::TlsPublicKeyCert;
-use ic_types::NodeId;
-
 #[cfg(test)]
 mod fixtures;
 #[cfg(test)]
 mod tests;
 
-impl CspKeyGenerator for Csp {
-    fn gen_node_signing_key_pair(&self) -> Result<CspPublicKey, CspBasicSignatureKeygenError> {
-        self.csp_vault.gen_node_signing_key_pair()
-    }
-
-    fn gen_committee_signing_key_pair(
-        &self,
-    ) -> Result<(CspPublicKey, CspPop), CspMultiSignatureKeygenError> {
-        self.csp_vault.gen_committee_signing_key_pair()
-    }
-
-    fn gen_tls_key_pair(&self, node_id: NodeId) -> Result<TlsPublicKeyCert, CspTlsKeygenError> {
-        self.csp_vault.gen_tls_key_pair(node_id)
-    }
-}
-
 /// Some key related utils
 pub mod utils {
     use crate::types::{CspPop, CspPublicKey};