diff --git a/Cargo.lock b/Cargo.lock index 39745f2d140..44d1600c1c3 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -7081,8 +7081,8 @@ dependencies = [ "ic-crypto-node-key-validation", "ic-crypto-temp-crypto", "ic-crypto-test-utils", - "ic-crypto-test-utils-csp", "ic-crypto-test-utils-keys", + "ic-crypto-test-utils-local-csp-vault", "ic-crypto-tls-interfaces", "ic-crypto-utils-basic-sig", "ic-interfaces", diff --git a/rs/crypto/internal/crypto_service_provider/BUILD.bazel b/rs/crypto/internal/crypto_service_provider/BUILD.bazel index e735febd93f..3f6c1b47418 100644 --- a/rs/crypto/internal/crypto_service_provider/BUILD.bazel +++ b/rs/crypto/internal/crypto_service_provider/BUILD.bazel @@ -101,7 +101,7 @@ DEV_MACRO_DEPENDENCIES = [ rust_library( name = "crypto_service_provider", srcs = glob([ - "src/**", + "src/**/*.rs", ]), crate_name = "ic_crypto_internal_csp", proc_macro_deps = MACRO_DEPENDENCIES, diff --git a/rs/crypto/internal/crypto_service_provider/src/api/canister_threshold.rs b/rs/crypto/internal/crypto_service_provider/src/api/canister_threshold.rs index 8c4efa80e86..7345d5c72d2 100644 --- a/rs/crypto/internal/crypto_service_provider/src/api/canister_threshold.rs +++ b/rs/crypto/internal/crypto_service_provider/src/api/canister_threshold.rs @@ -1,31 +1,2 @@ -//! CSP canister threshold signature traits - -use ic_crypto_internal_threshold_sig_ecdsa::MEGaPublicKey; - pub mod errors; pub use errors::*; - -/// Crypto service provider (CSP) client for interactive distributed key -/// generation (IDkg) for canister threshold signatures. -pub trait CspIDkgProtocol { - /// Generate a MEGa public/private key pair for encrypting threshold key shares in transmission - /// from dealers to receivers. The generated public key will be stored in the node's public key store - /// while the private key will be stored in the node's secret key store. - /// - /// # Returns - /// Generated public key. - /// - /// # Errors - /// * [`CspCreateMEGaKeyError::SerializationError`] if serialization of public or private key - /// before storing it in their respective key store failed. - /// * [`CspCreateMEGaKeyError::TransientInternalError`] if there is a - /// transient internal error, e.g,. an IO error when writing a key to - /// disk, or an RPC error when calling a remote CSP vault. - /// * [`CspCreateMEGaKeyError::DuplicateKeyId`] if there already - /// exists a secret key in the store for the secret key ID derived from - /// the public part of the randomly generated key pair. This error - /// most likely indicates a bad randomness source. - /// * [`CspCreateMEGaKeyError::InternalError`]: if the key ID for the secret key cannot be - /// derived from the generated public key. - fn idkg_gen_dealing_encryption_key_pair(&self) -> Result; -} diff --git a/rs/crypto/internal/crypto_service_provider/src/api/keygen.rs b/rs/crypto/internal/crypto_service_provider/src/api/keygen.rs index e0b934f94b6..80d9acf5f7b 100644 --- a/rs/crypto/internal/crypto_service_provider/src/api/keygen.rs +++ b/rs/crypto/internal/crypto_service_provider/src/api/keygen.rs @@ -1,73 +1,8 @@ use ic_crypto_node_key_validation::ValidNodePublicKeys; -use super::super::types::{CspPop, CspPublicKey}; -use crate::vault::api::{ - CspBasicSignatureKeygenError, CspMultiSignatureKeygenError, CspPublicKeyStoreError, - CspTlsKeygenError, ValidatePksAndSksError, -}; +use crate::vault::api::{CspPublicKeyStoreError, ValidatePksAndSksError}; use crate::{ExternalPublicKeys, PksAndSksContainsErrors}; -use ic_crypto_tls_interfaces::TlsPublicKeyCert; use ic_types::crypto::CurrentNodePublicKeys; -use ic_types::NodeId; - -/// A trait that can be used to generate cryptographic key pairs -pub trait CspKeyGenerator { - /// Generate a node signing public/private key pair. - /// - /// # Returns - /// The public key of the keypair - /// # Errors - /// * [`CryptoError::InternalError`] if there is an internal - /// error (e.g., the public key in the public key store is already set). - /// * [`CryptoError::TransientInternalError`] if there is a transient - /// internal error, e.g., an IO error when writing a key to disk, or an - /// RPC error when calling the CSP vault. - /// # Panics - /// If there already exists a secret key in the store for the secret key ID - /// derived from the public key. This error most likely indicates a bad - /// randomness source. - fn gen_node_signing_key_pair(&self) -> Result; - - /// Generates a committee signing public/private key pair. - /// - /// # Returns - /// The public key and the proof of possession (PoP) of the keypair - /// - /// # Errors - /// * [`CryptoError::InternalError`] if there is an internal - /// error (e.g., the public key in the public key store is already set). - /// * [`CryptoError::TransientInternalError`] if there is a transient - /// internal error, e.g,. an IO error when writing a key to disk, or an - /// RPC error when calling the CSP vault. - /// - /// # Panics - /// If there already exists a secret key in the store for the secret key ID - /// derived from the public key. This error most likely indicates a bad - /// randomness source. - fn gen_committee_signing_key_pair( - &self, - ) -> Result<(CspPublicKey, CspPop), CspMultiSignatureKeygenError>; - - /// Generates TLS key material for node with ID `node_id`. - /// - /// The secret key is stored in the key store and used to create a - /// self-signed X.509 public key certificate with - /// * a random serial, - /// * the common name of both subject and issuer being the `ToString` form - /// of the given `node_id`, - /// * validity starting 2 minutes before the time of calling this method, and - /// * no well-defined certificate expiration date (a `notAfter` value set to the - /// `GeneralizedTime` value of `99991231235959Z` as specified according to - /// section 4.1.2.5 in RFC 5280). - /// - /// # Returns - /// The public key certificate. - /// - /// # Errors - /// * if a malformed X509 certificate is generated - /// * if this function is called more than once - fn gen_tls_key_pair(&self, node_id: NodeId) -> Result; -} /// A trait that allows simultaneously checking the public and secret key stores for the /// availability of a key. diff --git a/rs/crypto/internal/crypto_service_provider/src/api/mod.rs b/rs/crypto/internal/crypto_service_provider/src/api/mod.rs index 7efa48d3a49..80c361ded3a 100644 --- a/rs/crypto/internal/crypto_service_provider/src/api/mod.rs +++ b/rs/crypto/internal/crypto_service_provider/src/api/mod.rs @@ -6,8 +6,8 @@ mod sign; mod threshold; mod tls; -pub use canister_threshold::{CspCreateMEGaKeyError, CspIDkgProtocol}; -pub use keygen::{CspKeyGenerator, CspPublicAndSecretKeyStoreChecker, CspPublicKeyStore}; +pub use canister_threshold::CspCreateMEGaKeyError; +pub use keygen::{CspPublicAndSecretKeyStoreChecker, CspPublicKeyStore}; pub use sign::{CspSigVerifier, CspSigner}; pub use threshold::{ threshold_sign_error::CspThresholdSignError, NiDkgCspClient, ThresholdSignatureCspClient, diff --git a/rs/crypto/internal/crypto_service_provider/src/api/threshold.rs b/rs/crypto/internal/crypto_service_provider/src/api/threshold.rs index 8e3f385817c..3d933fc0034 100644 --- a/rs/crypto/internal/crypto_service_provider/src/api/threshold.rs +++ b/rs/crypto/internal/crypto_service_provider/src/api/threshold.rs @@ -4,12 +4,12 @@ use crate::api::CspThresholdSignError; use crate::types::{CspPublicCoefficients, CspSecretKeyConversionError, CspSignature}; use ic_crypto_internal_threshold_sig_bls12381::api::ni_dkg_errors; use ic_crypto_internal_types::sign::threshold_sig::ni_dkg::{ - CspFsEncryptionPop, CspFsEncryptionPublicKey, CspNiDkgDealing, CspNiDkgTranscript, Epoch, + CspFsEncryptionPublicKey, CspNiDkgDealing, CspNiDkgTranscript, Epoch, }; use ic_crypto_internal_types::sign::threshold_sig::public_key::CspThresholdSigPublicKey; use ic_types::crypto::threshold_sig::ni_dkg::NiDkgId; use ic_types::crypto::{AlgorithmId, CryptoResult}; -use ic_types::{NodeId, NodeIndex, NumberOfNodes}; +use ic_types::{NodeIndex, NumberOfNodes}; use serde::{Deserialize, Serialize}; use std::collections::BTreeMap; use std::collections::BTreeSet; @@ -154,35 +154,6 @@ pub trait ThresholdSignatureCspClient { /// /// TODO(CRP-564): Remove the csp_ prefix from argument names. pub trait NiDkgCspClient { - /// Generates a forward secure dealing encryption key pair used to encrypt threshold key shares - /// in transmission. - /// - /// Note: FS keys are NOT threshold keys. - /// - /// The secret key is stored in the secret key store. It is not returned by - /// the method as that would violate the principle that secret keys never - /// leave the CSP. The public key and the proof of possession are returned. - /// The public key can be used to verify signatures, it also needs to be - /// provided when signing as it is used to retrieve the secret key from the - /// key store. - /// - /// # Arguments - /// * `node_id` is the identity of the node generating the public key. - /// # Errors - /// * `CspDkgCreateFsKeyError::InternalError` if there is an internal - /// error (e.g., the public key in the public key store is already set). - /// * `CspDkgCreateFsKeyError::DuplicateKeyId` if there already - /// exists a secret key in the store for the secret key ID derived from - /// the public part of the randomly generated key pair. This error - /// most likely indicates a bad randomness source. - /// * `CspDkgCreateFsKeyError::TransientInternalError` if there is a transient - /// internal error, e.g., an IO error when writing a key to disk, or an - /// RPC error when calling a remote CSP vault. - fn gen_dealing_encryption_key_pair( - &self, - node_id: NodeId, - ) -> Result<(CspFsEncryptionPublicKey, CspFsEncryptionPop), ni_dkg_errors::CspDkgCreateFsKeyError>; - /// Updates the epoch of the (forward-secure) DKG dealing decryption key /// (i.e., the secret part of the DKG dealing encryption key) so that it /// cannot be used at epochs that are smaller than the given epoch. diff --git a/rs/crypto/internal/crypto_service_provider/src/canister_threshold/mod.rs b/rs/crypto/internal/crypto_service_provider/src/canister_threshold/mod.rs index 5f3f9854527..f8ceced1460 100644 --- a/rs/crypto/internal/crypto_service_provider/src/canister_threshold/mod.rs +++ b/rs/crypto/internal/crypto_service_provider/src/canister_threshold/mod.rs @@ -7,22 +7,7 @@ #[cfg(test)] mod tests; -use crate::api::{CspCreateMEGaKeyError, CspIDkgProtocol}; -use crate::Csp; -use ic_crypto_internal_threshold_sig_ecdsa::MEGaPublicKey; use ic_crypto_internal_types::scope::{ConstScope, Scope}; -use ic_logger::debug; pub const IDKG_MEGA_SCOPE: Scope = Scope::Const(ConstScope::IDkgMEGaEncryptionKeys); pub const IDKG_THRESHOLD_KEYS_SCOPE: Scope = Scope::Const(ConstScope::IDkgThresholdKeys); - -/// Interactive distributed key generation client -/// -/// Please see the trait definition for full documentation. -impl CspIDkgProtocol for Csp { - fn idkg_gen_dealing_encryption_key_pair(&self) -> Result { - debug!(self.logger; crypto.method_name => "idkg_gen_dealing_encryption_key_pair"); - - self.csp_vault.idkg_gen_dealing_encryption_key_pair() - } -} diff --git a/rs/crypto/internal/crypto_service_provider/src/keygen/mod.rs b/rs/crypto/internal/crypto_service_provider/src/keygen/mod.rs index 6b4d3ee3612..40466ce3232 100644 --- a/rs/crypto/internal/crypto_service_provider/src/keygen/mod.rs +++ b/rs/crypto/internal/crypto_service_provider/src/keygen/mod.rs @@ -1,35 +1,8 @@ -//! Utilities for key generation and key identifier generation - -use crate::api::CspKeyGenerator; -use crate::types::{CspPop, CspPublicKey}; -use crate::vault::api::{ - CspBasicSignatureKeygenError, CspMultiSignatureKeygenError, CspTlsKeygenError, -}; -use crate::Csp; -use ic_crypto_tls_interfaces::TlsPublicKeyCert; -use ic_types::NodeId; - #[cfg(test)] mod fixtures; #[cfg(test)] mod tests; -impl CspKeyGenerator for Csp { - fn gen_node_signing_key_pair(&self) -> Result { - self.csp_vault.gen_node_signing_key_pair() - } - - fn gen_committee_signing_key_pair( - &self, - ) -> Result<(CspPublicKey, CspPop), CspMultiSignatureKeygenError> { - self.csp_vault.gen_committee_signing_key_pair() - } - - fn gen_tls_key_pair(&self, node_id: NodeId) -> Result { - self.csp_vault.gen_tls_key_pair(node_id) - } -} - /// Some key related utils pub mod utils { use crate::types::{CspPop, CspPublicKey}; diff --git a/rs/crypto/internal/crypto_service_provider/src/keygen/tests.rs b/rs/crypto/internal/crypto_service_provider/src/keygen/tests.rs index 896b9a42b82..48e3e54d1d5 100644 --- a/rs/crypto/internal/crypto_service_provider/src/keygen/tests.rs +++ b/rs/crypto/internal/crypto_service_provider/src/keygen/tests.rs @@ -1,12 +1,14 @@ #![allow(clippy::unwrap_used)] -use super::*; use crate::keygen::fixtures::multi_bls_test_vector; use crate::keygen::utils::node_signing_pk_to_proto; use crate::vault::test_utils::sks::secret_key_store_with_duplicated_key_id_error_on_insert; +use crate::Csp; +use crate::CspPublicKey; use crate::KeyId; use crate::LocalCspVault; use assert_matches::assert_matches; use ic_crypto_internal_test_vectors::unhex::{hex_to_32_bytes, hex_to_byte_vec}; +use ic_crypto_tls_interfaces::TlsPublicKeyCert; use ic_types_test_utils::ids::node_test_id; use rand::SeedableRng; use rand_chacha::ChaCha20Rng; @@ -15,12 +17,13 @@ const FIXED_SEED: u64 = 42; mod gen_node_siging_key_pair_tests { use super::*; + use crate::vault::api::CspBasicSignatureKeygenError; use crate::CspPublicKeyStore; #[test] fn should_correctly_generate_node_signing_keys() { let csp = csp_with_fixed_seed(); - let public_key = csp.gen_node_signing_key_pair().unwrap(); + let public_key = csp.csp_vault.gen_node_signing_key_pair().unwrap(); let key_id = KeyId::try_from(&public_key).unwrap(); assert_eq!( @@ -48,15 +51,15 @@ mod gen_node_siging_key_pair_tests { fn should_fail_with_internal_error_if_node_signing_public_key_already_set() { let csp = Csp::builder_for_test().build(); - assert!(csp.gen_node_signing_key_pair().is_ok()); - let result = csp.gen_node_signing_key_pair(); + assert!(csp.csp_vault.gen_node_signing_key_pair().is_ok()); + let result = csp.csp_vault.gen_node_signing_key_pair(); assert_matches!(result, Err(CspBasicSignatureKeygenError::InternalError { internal_error }) if internal_error.contains("node signing public key already set") ); - assert_matches!(csp.gen_node_signing_key_pair(), + assert_matches!(csp.csp_vault.gen_node_signing_key_pair(), Err(CspBasicSignatureKeygenError::InternalError { internal_error }) if internal_error.contains("node signing public key already set") ); @@ -76,13 +79,14 @@ mod gen_node_siging_key_pair_tests { ) .build(); - let result = csp.gen_node_signing_key_pair(); + let result = csp.csp_vault.gen_node_signing_key_pair(); assert_matches!(result, Err(CspBasicSignatureKeygenError::DuplicateKeyId {key_id}) if key_id == duplicated_key_id) } } mod gen_key_pair_with_pop_tests { + use crate::vault::api::CspMultiSignatureKeygenError; use crate::{api::CspPublicKeyStore, keygen::utils::committee_signing_pk_to_proto}; use super::*; @@ -91,7 +95,7 @@ mod gen_key_pair_with_pop_tests { fn should_correctly_generate_committee_signing_keys() { let test_vector = multi_bls_test_vector(); let csp = csp_seeded_with(test_vector.seed); - let (public_key, pop) = csp.gen_committee_signing_key_pair().unwrap(); + let (public_key, pop) = csp.csp_vault.gen_committee_signing_key_pair().unwrap(); let key_id = KeyId::try_from(&public_key).unwrap(); assert_eq!(key_id, test_vector.key_id); @@ -121,7 +125,7 @@ mod gen_key_pair_with_pop_tests { ) .build(); - let result = csp.gen_committee_signing_key_pair(); + let result = csp.csp_vault.gen_committee_signing_key_pair(); assert_matches!(result, Err(CspMultiSignatureKeygenError::DuplicateKeyId {key_id}) if key_id == duplicated_key_id) } @@ -130,11 +134,11 @@ mod gen_key_pair_with_pop_tests { fn should_fail_with_internal_error_if_committee_signing_public_key_already_set() { let csp = Csp::builder_for_test().build(); - assert!(csp.gen_committee_signing_key_pair().is_ok()); + assert!(csp.csp_vault.gen_committee_signing_key_pair().is_ok()); // the attempts after the first one should fail for _ in 0..5 { - assert_matches!(csp.gen_committee_signing_key_pair(), + assert_matches!(csp.csp_vault.gen_committee_signing_key_pair(), Err(CspMultiSignatureKeygenError::InternalError { internal_error }) if internal_error.contains("committee signing public key already set") ); @@ -150,13 +154,13 @@ mod idkg_create_mega_key_pair_tests { secret_key_store_with_io_error_on_insert, secret_key_store_with_serialization_error_on_insert, }; - use crate::CspIDkgProtocol; #[test] fn should_correctly_create_mega_key_pair() { let test_vector = mega_test_vector(); let csp = csp_seeded_with(test_vector.seed); let public_key = csp + .csp_vault .idkg_gen_dealing_encryption_key_pair() .expect("failed creating MEGa key pair"); @@ -177,7 +181,7 @@ mod idkg_create_mega_key_pair_tests { ) .build(); - let result = csp.idkg_gen_dealing_encryption_key_pair(); + let result = csp.csp_vault.idkg_gen_dealing_encryption_key_pair(); assert_matches!( result, @@ -198,7 +202,7 @@ mod idkg_create_mega_key_pair_tests { ) .build(); - let result = csp.idkg_gen_dealing_encryption_key_pair(); + let result = csp.csp_vault.idkg_gen_dealing_encryption_key_pair(); assert_matches!( result, @@ -218,7 +222,7 @@ mod idkg_create_mega_key_pair_tests { ) .build(); - let result = csp.idkg_gen_dealing_encryption_key_pair(); + let result = csp.csp_vault.idkg_gen_dealing_encryption_key_pair(); assert_matches!( result, @@ -269,6 +273,7 @@ fn should_correctly_convert_tls_cert_hash_as_key_id() { mod tls { use super::*; + use crate::vault::api::CspTlsKeygenError; use crate::CspPublicKeyStore; const NODE_1: u64 = 4241; @@ -277,6 +282,7 @@ mod tls { fn should_correctly_generate_tls_certificate() { let csp = csp_with_fixed_seed(); let cert = csp + .csp_vault .gen_tls_key_pair(node_test_id(NODE_1)) .expect("Generation of TLS keys failed."); let key_id = KeyId::try_from(&cert).unwrap(); @@ -301,15 +307,15 @@ mod tls { fn should_fail_with_internal_error_if_node_signing_public_key_already_set() { let csp = Csp::builder_for_test().build(); - assert!(csp.gen_tls_key_pair(node_test_id(NODE_1)).is_ok()); - let result = csp.gen_tls_key_pair(node_test_id(NODE_1)); + assert!(csp.csp_vault.gen_tls_key_pair(node_test_id(NODE_1)).is_ok()); + let result = csp.csp_vault.gen_tls_key_pair(node_test_id(NODE_1)); assert_matches!(result, Err(CspTlsKeygenError::InternalError { internal_error }) if internal_error.contains("TLS certificate already set") ); - assert_matches!(csp.gen_tls_key_pair(node_test_id(NODE_1)), + assert_matches!(csp.csp_vault.gen_tls_key_pair(node_test_id(NODE_1)), Err(CspTlsKeygenError::InternalError { internal_error }) if internal_error.contains("TLS certificate already set") ); @@ -329,7 +335,7 @@ mod tls { ) .build(); - let result = csp.gen_tls_key_pair(node_test_id(NODE_1)); + let result = csp.csp_vault.gen_tls_key_pair(node_test_id(NODE_1)); assert_matches!(result, Err(CspTlsKeygenError::DuplicateKeyId {key_id}) if key_id == duplicated_key_id) } diff --git a/rs/crypto/internal/crypto_service_provider/src/lib.rs b/rs/crypto/internal/crypto_service_provider/src/lib.rs index cae196ce95e..2065e1662c0 100644 --- a/rs/crypto/internal/crypto_service_provider/src/lib.rs +++ b/rs/crypto/internal/crypto_service_provider/src/lib.rs @@ -26,9 +26,8 @@ pub use crate::vault::remote_csp_vault::run_csp_vault_server; pub use crate::vault::remote_csp_vault::RemoteCspVault; use crate::api::{ - CspIDkgProtocol, CspKeyGenerator, CspPublicAndSecretKeyStoreChecker, CspPublicKeyStore, - CspSigVerifier, CspSigner, CspTlsHandshakeSignerProvider, NiDkgCspClient, - ThresholdSignatureCspClient, + CspPublicAndSecretKeyStoreChecker, CspPublicKeyStore, CspSigVerifier, CspSigner, + CspTlsHandshakeSignerProvider, NiDkgCspClient, ThresholdSignatureCspClient, }; use crate::secret_key_store::SecretKeyStore; use crate::types::{CspPublicKey, ExternalPublicKeys}; @@ -53,10 +52,8 @@ mod tests; pub trait CryptoServiceProvider: CspSigner + CspSigVerifier - + CspKeyGenerator + ThresholdSignatureCspClient + NiDkgCspClient - + CspIDkgProtocol + CspPublicAndSecretKeyStoreChecker + CspTlsHandshakeSignerProvider + CspPublicKeyStore @@ -66,9 +63,7 @@ pub trait CryptoServiceProvider: impl CryptoServiceProvider for T where T: CspSigner + CspSigVerifier - + CspKeyGenerator + ThresholdSignatureCspClient - + CspIDkgProtocol + NiDkgCspClient + CspPublicAndSecretKeyStoreChecker + CspTlsHandshakeSignerProvider diff --git a/rs/crypto/internal/crypto_service_provider/src/signer/tests.rs b/rs/crypto/internal/crypto_service_provider/src/signer/tests.rs index b3421ad6af7..5b9fe8a6742 100644 --- a/rs/crypto/internal/crypto_service_provider/src/signer/tests.rs +++ b/rs/crypto/internal/crypto_service_provider/src/signer/tests.rs @@ -709,12 +709,12 @@ fn should_panic_when_panicking_secret_key_store_is_used() { mod multi { use super::*; - use crate::api::CspKeyGenerator; #[test] fn pop_verifies() { let csp0 = Csp::builder_for_test().build(); let (public_key0, pop0) = csp0 + .csp_vault .gen_committee_signing_key_pair() .expect("Failed to generate key pair with PoP"); assert!(csp0 @@ -727,10 +727,12 @@ mod multi { // in other words, pop verification doesn't depend on the state of the CSP let [csp0, csp1] = csp_with_different_seeds(); let (public_key0, pop0) = csp0 + .csp_vault .gen_committee_signing_key_pair() .expect("Failed to generate key pair with PoP"); let (public_key1, pop1) = csp1 + .csp_vault .gen_committee_signing_key_pair() .expect("Failed to generate key pair with PoP"); @@ -746,10 +748,12 @@ mod multi { fn pop_verification_fails_for_mismatched_public_key_or_pop() { let [csp0, csp1] = csp_with_different_seeds(); let (public_key0, pop0) = csp0 + .csp_vault .gen_committee_signing_key_pair() .expect("Failed to generate key pair with PoP"); let (public_key1, pop1) = csp1 + .csp_vault .gen_committee_signing_key_pair() .expect("Failed to generate key pair with PoP"); @@ -779,9 +783,10 @@ mod multi { let [csp, verifier] = csp_and_verifier_with_different_seeds(); let algorithm = AlgorithmId::MultiBls12_381; let (_public_key, pop) = csp + .csp_vault .gen_committee_signing_key_pair() .expect("PoP creation failed"); - let incompatible_public_key = csp.gen_node_signing_key_pair().unwrap(); + let incompatible_public_key = csp.csp_vault.gen_node_signing_key_pair().unwrap(); let result = verifier.verify_pop(&pop, algorithm, incompatible_public_key); assert!(result.unwrap_err().is_pop_verification_error()); @@ -792,6 +797,7 @@ mod multi { let [csp, verifier] = csp_and_verifier_with_different_seeds(); let incompatible_algorithm = AlgorithmId::Ed25519; let (public_key, pop) = csp + .csp_vault .gen_committee_signing_key_pair() .expect("PoP creation failed"); let result = verifier.verify_pop(&pop, incompatible_algorithm, public_key); @@ -802,6 +808,7 @@ mod multi { fn individual_signatures_verify() { let [csp, verifier] = csp_and_verifier_with_different_seeds(); let (public_key, _pop) = csp + .csp_vault .gen_committee_signing_key_pair() .expect("Failed to generate key pair with PoP"); let message = b"Three turtle doves"; @@ -820,9 +827,9 @@ mod multi { let incompatible_algorithm = AlgorithmId::Ed25519; let message = b"Three turtle doves"; let [csp, verifier] = csp_and_verifier_with_different_seeds(); - let (public_key, _pop) = csp.gen_committee_signing_key_pair().unwrap(); + let (public_key, _pop) = csp.csp_vault.gen_committee_signing_key_pair().unwrap(); let incompatible_signature = { - let incompatible_public_key = csp.gen_node_signing_key_pair().unwrap(); + let incompatible_public_key = csp.csp_vault.gen_node_signing_key_pair().unwrap(); let incompatible_key_id = KeyId::try_from(&incompatible_public_key).unwrap(); csp.sign( incompatible_algorithm, @@ -841,9 +848,9 @@ mod multi { fn individual_signature_verification_fails_for_incompatible_public_key() { let algorithm = AlgorithmId::MultiBls12_381; let [csp, verifier] = csp_and_verifier_with_different_seeds(); - let (public_key, _pop) = csp.gen_committee_signing_key_pair().unwrap(); + let (public_key, _pop) = csp.csp_vault.gen_committee_signing_key_pair().unwrap(); let key_id = KeyId::try_from(&public_key).unwrap(); - let incompatible_public_key = csp.gen_node_signing_key_pair().unwrap(); + let incompatible_public_key = csp.csp_vault.gen_node_signing_key_pair().unwrap(); let message = b"Three turtle doves"; let signature = csp .sign(algorithm, message.to_vec(), key_id) @@ -861,10 +868,12 @@ mod multi { // The signatories need keys: let (public_key1, _pop1) = csp1 + .csp_vault .gen_committee_signing_key_pair() .expect("Failed to generate key pair with PoP"); let key_id1 = KeyId::try_from(&public_key1).unwrap(); let (public_key2, _pop2) = csp2 + .csp_vault .gen_committee_signing_key_pair() .expect("Failed to generate key pair with PoP"); let key_id2 = KeyId::try_from(&public_key2).unwrap(); @@ -904,10 +913,12 @@ mod multi { // The signatories need keys: let (public_key1, _pop1) = csp1 + .csp_vault .gen_committee_signing_key_pair() .expect("Failed to generate key pair with PoP"); let key_id1 = KeyId::try_from(&public_key1).unwrap(); let (public_key2, _pop2) = csp2 + .csp_vault .gen_committee_signing_key_pair() .expect("Failed to generate key pair with PoP"); let key_id2 = KeyId::try_from(&public_key2).unwrap(); @@ -946,6 +957,7 @@ mod multi { // The signatories need keys: let (public_key1, _pop1) = csp1 + .csp_vault .gen_committee_signing_key_pair() .expect("Failed to generate key pair with PoP"); let key_id1 = KeyId::try_from(&public_key1).unwrap(); diff --git a/rs/crypto/internal/crypto_service_provider/src/tests.rs b/rs/crypto/internal/crypto_service_provider/src/tests.rs index 782ce363ff8..611f8669c40 100644 --- a/rs/crypto/internal/crypto_service_provider/src/tests.rs +++ b/rs/crypto/internal/crypto_service_provider/src/tests.rs @@ -1,6 +1,5 @@ #![allow(clippy::unwrap_used)] mod csp_tests { - use crate::api::CspKeyGenerator; use crate::api::CspSigner; use crate::api::CspTlsHandshakeSignerProvider; use crate::vault::test_utils::ed25519_csp_pubkey_from_tls_pubkey_cert; @@ -83,6 +82,7 @@ mod csp_tests { fn csp_with_node_signing_key_pair() -> (Csp, CspPublicKey) { let csp = Csp::builder_for_test().build(); let public_key = csp + .csp_vault .gen_node_signing_key_pair() .expect("error generating public/private key pair"); (csp, public_key) @@ -92,6 +92,7 @@ mod csp_tests { const NODE_1: u64 = 4241; let csp = Csp::builder_for_test().build(); let cert = csp + .csp_vault .gen_tls_key_pair(node_test_id(NODE_1)) .expect("error generating TLS key pair"); (csp, cert) diff --git a/rs/crypto/internal/crypto_service_provider/src/threshold/ni_dkg/mod.rs b/rs/crypto/internal/crypto_service_provider/src/threshold/ni_dkg/mod.rs index 1f542383b62..efee2332ca5 100644 --- a/rs/crypto/internal/crypto_service_provider/src/threshold/ni_dkg/mod.rs +++ b/rs/crypto/internal/crypto_service_provider/src/threshold/ni_dkg/mod.rs @@ -28,7 +28,7 @@ use ic_logger::debug; use ic_types::crypto::error::{KeyNotFoundError, MalformedDataError}; use ic_types::crypto::threshold_sig::ni_dkg::NiDkgId; use ic_types::crypto::AlgorithmId; -use ic_types::{NodeId, NodeIndex, NumberOfNodes}; +use ic_types::{NodeIndex, NumberOfNodes}; use std::collections::{BTreeMap, BTreeSet}; #[cfg(test)] @@ -41,17 +41,6 @@ pub const NIDKG_FS_SCOPE: Scope = Scope::Const(ConstScope::NiDkgFsEncryptionKeys /// /// Please see the trait definition for full documentation. impl NiDkgCspClient for Csp { - /// Creates a key pair for encrypting threshold key shares in transmission - /// from dealers to receivers. - fn gen_dealing_encryption_key_pair( - &self, - node_id: NodeId, - ) -> Result<(CspFsEncryptionPublicKey, CspFsEncryptionPop), ni_dkg_errors::CspDkgCreateFsKeyError> - { - debug!(self.logger; crypto.method_name => "gen_dealing_encryption_key_pair"); - self.csp_vault.gen_dealing_encryption_key_pair(node_id) - } - /// Erases forward secure secret keys before a given epoch fn update_forward_secure_epoch( &self, diff --git a/rs/crypto/internal/crypto_service_provider/src/threshold/ni_dkg/tests.rs b/rs/crypto/internal/crypto_service_provider/src/threshold/ni_dkg/tests.rs index cc495edbe69..9bd84e709b6 100644 --- a/rs/crypto/internal/crypto_service_provider/src/threshold/ni_dkg/tests.rs +++ b/rs/crypto/internal/crypto_service_provider/src/threshold/ni_dkg/tests.rs @@ -33,6 +33,7 @@ mod gen_dealing_encryption_key_pair_tests { .with_vault(LocalCspVault::builder_for_test().with_rng(rng()).build()) .build(); let (public_key, pop) = csp + .csp_vault .gen_dealing_encryption_key_pair(NODE_1) .expect("error generating NI-DKG encryption dealing key pair"); let key_id = KeyId::from(&public_key); @@ -58,15 +59,18 @@ mod gen_dealing_encryption_key_pair_tests { let csp = Csp::builder_for_test().build(); let node_id = NODE_1; - assert!(csp.gen_dealing_encryption_key_pair(node_id).is_ok()); - let result = csp.gen_dealing_encryption_key_pair(node_id); + assert!(csp + .csp_vault + .gen_dealing_encryption_key_pair(node_id) + .is_ok()); + let result = csp.csp_vault.gen_dealing_encryption_key_pair(node_id); assert_matches!(result, Err(CspDkgCreateFsKeyError::InternalError(InternalError { internal_error })) if internal_error.contains("ni-dkg dealing encryption public key already set") ); - assert_matches!(csp.gen_dealing_encryption_key_pair(node_id), + assert_matches!(csp.csp_vault.gen_dealing_encryption_key_pair(node_id), Err(CspDkgCreateFsKeyError::InternalError(InternalError { internal_error })) if internal_error.contains("ni-dkg dealing encryption public key already set") ); @@ -86,7 +90,7 @@ mod gen_dealing_encryption_key_pair_tests { ) .build(); - let result = csp.gen_dealing_encryption_key_pair(NODE_1); + let result = csp.csp_vault.gen_dealing_encryption_key_pair(NODE_1); assert_matches!(result, Err(CspDkgCreateFsKeyError::DuplicateKeyId(error)) @@ -161,6 +165,7 @@ mod dkg_dealing_encryption_key_id { fn should_get_dkg_dealing_encryption_key_id() { let csp = Csp::builder_for_test().build(); let (generated_dkg_pk, _pop) = csp + .csp_vault .gen_dealing_encryption_key_pair(NODE_1) .expect("no dkg key"); diff --git a/rs/crypto/internal/crypto_service_provider/src/threshold/ni_dkg/tests/fixtures.rs b/rs/crypto/internal/crypto_service_provider/src/threshold/ni_dkg/tests/fixtures.rs index 48b119aae88..0e826889e36 100644 --- a/rs/crypto/internal/crypto_service_provider/src/threshold/ni_dkg/tests/fixtures.rs +++ b/rs/crypto/internal/crypto_service_provider/src/threshold/ni_dkg/tests/fixtures.rs @@ -123,6 +123,7 @@ impl MockNetwork { let (id, (pubkey, _pop)) = ( *node_id, node.csp + .csp_vault .gen_dealing_encryption_key_pair(*node_id) .unwrap_or_else(|_| { panic!( diff --git a/rs/crypto/node_key_generation/BUILD.bazel b/rs/crypto/node_key_generation/BUILD.bazel index 390a9c99019..8cd72a54673 100644 --- a/rs/crypto/node_key_generation/BUILD.bazel +++ b/rs/crypto/node_key_generation/BUILD.bazel @@ -12,6 +12,7 @@ DEPENDENCIES = [ "//rs/crypto/tls_interfaces", "//rs/crypto/utils/basic_sig", "//rs/interfaces", + "//rs/monitoring/logger", "//rs/protobuf", "//rs/types/types", "@crate_index//:tokio", @@ -24,9 +25,8 @@ DEV_DEPENDENCIES = [ "//rs/crypto/internal/csp_test_utils", "//rs/crypto/temp_crypto", "//rs/crypto/test_utils", - "//rs/crypto/test_utils/csp", "//rs/crypto/test_utils/keys", - "//rs/monitoring/logger", + "//rs/crypto/test_utils/local_csp_vault", "//rs/monitoring/metrics", "//rs/registry/fake", "//rs/registry/proto_data_provider", diff --git a/rs/crypto/node_key_generation/Cargo.toml b/rs/crypto/node_key_generation/Cargo.toml index 27e6e591d01..8b1caf9b86f 100644 --- a/rs/crypto/node_key_generation/Cargo.toml +++ b/rs/crypto/node_key_generation/Cargo.toml @@ -13,6 +13,7 @@ ic-crypto-node-key-validation = { path = "../node_key_validation" } ic-crypto-tls-interfaces = { path = "../tls_interfaces" } ic-crypto-utils-basic-sig = { path = "../utils/basic_sig" } ic-interfaces = { path = "../../interfaces" } +ic-logger = { path = "../../monitoring/logger" } ic-protobuf = { path = "../../protobuf" } ic-types = { path = "../../types/types" } tokio = { workspace = true } @@ -25,9 +26,8 @@ ic-crypto = { path = ".." } ic-crypto-internal-csp-test-utils = { path = "../internal/csp_test_utils" } ic-crypto-temp-crypto = { path = "../temp_crypto" } ic-crypto-test-utils = { path = "../test_utils" } -ic-crypto-test-utils-csp = { path = "../test_utils/csp" } ic-crypto-test-utils-keys = { path = "../test_utils/keys" } -ic-logger = { path = "../../monitoring/logger" } +ic-crypto-test-utils-local-csp-vault = { path = "../test_utils/local_csp_vault" } ic-metrics = { path = "../../monitoring/metrics" } ic-registry-client-fake = { path = "../../registry/fake" } ic-registry-proto-data-provider = { path = "../../registry/proto_data_provider" } diff --git a/rs/crypto/node_key_generation/src/lib.rs b/rs/crypto/node_key_generation/src/lib.rs index ab5ae6d9f61..5f24a039b53 100644 --- a/rs/crypto/node_key_generation/src/lib.rs +++ b/rs/crypto/node_key_generation/src/lib.rs @@ -1,14 +1,14 @@ //! Static crypto utility methods. use ic_config::crypto::CryptoConfig; use ic_crypto_internal_csp::api::CspCreateMEGaKeyError; -use ic_crypto_internal_csp::vault::api::ValidatePksAndSksError; -use ic_crypto_internal_csp::CryptoServiceProvider; -use ic_crypto_internal_csp::Csp; +use ic_crypto_internal_csp::vault::api::{CspVault, ValidatePksAndSksError}; +use ic_crypto_internal_csp::vault::vault_from_config; use ic_crypto_internal_logmon::metrics::CryptoMetrics; use ic_crypto_node_key_validation::ValidNodePublicKeys; use ic_crypto_tls_interfaces::TlsPublicKeyCert; use ic_crypto_utils_basic_sig::conversions as basicsig_conversions; use ic_interfaces::crypto::ErrorReproducibility; +use ic_logger::replica_logger::no_op_logger; use ic_protobuf::registry::crypto::v1::PublicKey as PublicKeyProto; use ic_types::NodeId; use std::sync::Arc; @@ -21,15 +21,15 @@ fn derive_node_id(node_signing_pk: &PublicKeyProto) -> NodeId { .expect("Node signing public key should be valid") } -pub fn generate_node_signing_keys(csp: &T) -> PublicKeyProto { - let generated = csp +pub fn generate_node_signing_keys(vault: &dyn CspVault) -> PublicKeyProto { + let generated = vault .gen_node_signing_key_pair() .expect("Could not generate node signing keys"); ic_crypto_internal_csp::keygen::utils::node_signing_pk_to_proto(generated) } -pub fn generate_committee_signing_keys(csp: &T) -> PublicKeyProto { - let generated = csp +pub fn generate_committee_signing_keys(vault: &dyn CspVault) -> PublicKeyProto { + let generated = vault .gen_committee_signing_key_pair() .expect("Could not generate committee signing keys"); ic_crypto_internal_csp::keygen::utils::committee_signing_pk_to_proto(generated) @@ -40,11 +40,11 @@ pub fn generate_committee_signing_keys(csp: &T) -> Pub /// /// The secret key is stored in the key store of the provided `csp`, while the corresponding /// public key is returned by this function. -pub fn generate_dkg_dealing_encryption_keys( - csp: &T, +pub fn generate_dkg_dealing_encryption_keys( + vault: &dyn CspVault, node_id: NodeId, ) -> PublicKeyProto { - let (pubkey, pop) = csp + let (pubkey, pop) = vault .gen_dealing_encryption_key_pair(node_id) .expect("Failed to generate DKG dealing encryption keys"); ic_crypto_internal_csp::keygen::utils::dkg_dealing_encryption_pk_to_proto(pubkey, pop) @@ -59,10 +59,10 @@ pub fn generate_dkg_dealing_encryption_keys( /// * `IDkgDealingEncryptionKeysGenerationError::InternalError` if an unrecoverable error occurs /// * `IDkgDealingEncryptionKeysGenerationError::TransientInternalError` if a transient error (e.g., /// an RPC timeout, or an error persisting the secret key store) occurs -pub fn generate_idkg_dealing_encryption_keys( - csp: &T, +pub fn generate_idkg_dealing_encryption_keys( + vault: &dyn CspVault, ) -> Result { - let pubkey = csp + let pubkey = vault .idkg_gen_dealing_encryption_key_pair() .map_err(|e| match e { CspCreateMEGaKeyError::TransientInternalError { internal_error } => { @@ -98,8 +98,9 @@ impl ErrorReproducibility for IDkgDealingEncryptionKeysGenerationError { /// The certificate's notAfter date will be set according to RFC5280 (section 4.1.2.5; see /// https://tools.ietf.org/html/rfc5280#section-4.1.2.5) to indicate that the certificate has no /// well-defined expiration date. -pub fn generate_tls_keys(csp: &T, node: NodeId) -> TlsPublicKeyCert { - csp.gen_tls_key_pair(node) +pub fn generate_tls_keys(vault: &dyn CspVault, node: NodeId) -> TlsPublicKeyCert { + vault + .gen_tls_key_pair(node) .expect("error generating TLS key pair") } @@ -137,18 +138,23 @@ pub fn generate_node_keys_once( config: &CryptoConfig, tokio_runtime_handle: Option, ) -> Result { - let csp = csp_for_config(config, tokio_runtime_handle); - generate_node_keys_once_internal(&csp) + let vault = vault_from_config( + config, + tokio_runtime_handle, + no_op_logger(), + Arc::new(CryptoMetrics::none()), + ); + generate_node_keys_once_internal(vault.as_ref()) } -fn generate_node_keys_once_internal( - csp: &T, +fn generate_node_keys_once_internal( + vault: &dyn CspVault, ) -> Result { - match csp.validate_pks_and_sks() { + match vault.validate_pks_and_sks() { Ok(valid_public_keys) => Ok(valid_public_keys), Err(ValidatePksAndSksError::EmptyPublicKeyStore) => { - generate_all_node_keys(csp); - csp.validate_pks_and_sks().map_err(|error| match error { + generate_all_node_keys(vault); + vault.validate_pks_and_sks().map_err(|error| match error { ValidatePksAndSksError::TransientInternalError(transient_error) => { NodeKeyGenerationError::TransientInternalError(transient_error) } @@ -162,13 +168,13 @@ fn generate_node_keys_once_internal( } } -fn generate_all_node_keys(csp: &T) { - let node_signing_public_key = generate_node_signing_keys(csp); +fn generate_all_node_keys(vault: &dyn CspVault) { + let node_signing_public_key = generate_node_signing_keys(vault); let node_id = derive_node_id(&node_signing_public_key); - let _committee_signing_public_key = generate_committee_signing_keys(csp); - let _tls_certificate = generate_tls_keys(csp, node_id); - let _dkg_dealing_encryption_public_key = generate_dkg_dealing_encryption_keys(csp, node_id); - let _idkg_dealing_encryption_public_key = generate_idkg_dealing_encryption_keys(csp) + let _committee_signing_public_key = generate_committee_signing_keys(vault); + let _tls_certificate = generate_tls_keys(vault, node_id); + let _dkg_dealing_encryption_public_key = generate_dkg_dealing_encryption_keys(vault, node_id); + let _idkg_dealing_encryption_public_key = generate_idkg_dealing_encryption_keys(vault) .unwrap_or_else(|e| panic!("Error generating I-DKG dealing encryption keys: {:?}", e)); } @@ -185,15 +191,3 @@ impl ErrorReproducibility for NodeKeyGenerationError { } } } - -fn csp_for_config( - config: &CryptoConfig, - tokio_runtime_handle: Option, -) -> Csp { - Csp::new_from_config( - config, - tokio_runtime_handle, - None, - Arc::new(CryptoMetrics::none()), - ) -} diff --git a/rs/crypto/node_key_generation/src/tests.rs b/rs/crypto/node_key_generation/src/tests.rs index 426606d7d5b..5f6a71bec06 100644 --- a/rs/crypto/node_key_generation/src/tests.rs +++ b/rs/crypto/node_key_generation/src/tests.rs @@ -9,11 +9,11 @@ use ic_crypto_internal_threshold_sig_ecdsa::{EccCurveType, MEGaPublicKey}; use ic_crypto_internal_types::sign::threshold_sig::ni_dkg::CspFsEncryptionPop; use ic_crypto_internal_types::sign::threshold_sig::ni_dkg::CspFsEncryptionPublicKey; use ic_crypto_node_key_validation::ValidNodeSigningPublicKey; -use ic_crypto_test_utils_csp::MockAllCryptoServiceProvider; use ic_crypto_test_utils_keys::public_keys::{ valid_committee_signing_public_key, valid_dkg_dealing_encryption_public_key, valid_idkg_dealing_encryption_public_key, valid_node_signing_public_key, }; +use ic_crypto_test_utils_local_csp_vault::MockLocalCspVault; use ic_protobuf::registry::crypto::v1::PublicKey; use ic_types::crypto::CurrentNodePublicKeys; use ic_types::time::Time; @@ -23,11 +23,11 @@ mod generate_node_signing_keys { use super::*; #[test] - fn should_delegate_to_csp() { - let mut csp = MockAllCryptoServiceProvider::new(); - let expected_node_signing_public_key = with_csp_gen_node_signing_key_pair(&mut csp); + fn should_delegate_to_vault() { + let mut vault = MockLocalCspVault::new(); + let expected_node_signing_public_key = with_vault_gen_node_signing_key_pair(&mut vault); - let actual_node_signing_public_key = generate_node_signing_keys(&csp); + let actual_node_signing_public_key = generate_node_signing_keys(&vault); assert_eq!( actual_node_signing_public_key, @@ -40,12 +40,12 @@ mod generate_committee_signing_keys { use super::*; #[test] - fn should_delegate_to_csp() { - let mut csp = MockAllCryptoServiceProvider::new(); + fn should_delegate_to_vault() { + let mut vault = MockLocalCspVault::new(); let expected_committee_signing_public_key = - with_csp_gen_committee_signing_key_pair(&mut csp); + with_vault_gen_committee_signing_key_pair(&mut vault); - let actual_committee_signing_public_key = generate_committee_signing_keys(&csp); + let actual_committee_signing_public_key = generate_committee_signing_keys(&vault); assert_eq!( actual_committee_signing_public_key, @@ -62,12 +62,12 @@ mod generate_tls_keys { const NODE_ID: u64 = 123; #[test] - fn should_delegate_to_csp() { - let mut csp = MockAllCryptoServiceProvider::new(); + fn should_delegate_to_vault() { + let mut vault = MockLocalCspVault::new(); let (expected_tls_certificate, _validation_time) = - with_csp_gen_tls_key_pair(&mut csp, node_test_id(NODE_ID)); + with_vault_gen_tls_key_pair(&mut vault, node_test_id(NODE_ID)); - let actual_tls_certificate = generate_tls_keys(&csp, node_test_id(NODE_ID)); + let actual_tls_certificate = generate_tls_keys(&vault, node_test_id(NODE_ID)); assert_eq!(actual_tls_certificate, expected_tls_certificate); } @@ -79,13 +79,13 @@ mod generate_dkg_dealing_encryption_keys { const NODE_ID: u64 = 123; #[test] - fn should_delegate_to_csp() { - let mut csp = MockAllCryptoServiceProvider::new(); + fn should_delegate_to_vault() { + let mut vault = MockLocalCspVault::new(); let expected_dkg_dealing_encryption_pk = - with_csp_dkg_gen_dealing_encryption_key_pair(&mut csp, node_test_id(NODE_ID)); + with_vault_dkg_gen_dealing_encryption_key_pair(&mut vault, node_test_id(NODE_ID)); let actual_dkg_dealing_encryption_pk = - generate_dkg_dealing_encryption_keys(&csp, node_test_id(NODE_ID)); + generate_dkg_dealing_encryption_keys(&vault, node_test_id(NODE_ID)); assert_eq!( actual_dkg_dealing_encryption_pk, @@ -100,12 +100,12 @@ mod generate_idkg_dealing_encryption_keys { use ic_crypto_internal_threshold_sig_ecdsa::ThresholdEcdsaSerializationError; #[test] - fn should_delegate_to_csp() { - let mut csp = MockAllCryptoServiceProvider::new(); + fn should_delegate_to_vault() { + let mut vault = MockLocalCspVault::new(); let expected_idkg_dealing_encryption_pk = - with_csp_idkg_gen_dealing_encryption_key_pair(&mut csp); + with_vault_idkg_gen_dealing_encryption_key_pair(&mut vault); - let actual_idkg_dealing_encryption_pk = generate_idkg_dealing_encryption_keys(&csp) + let actual_idkg_dealing_encryption_pk = generate_idkg_dealing_encryption_keys(&vault) .expect("error generation I-DKG dealing encryption keys"); assert_eq!( @@ -116,28 +116,30 @@ mod generate_idkg_dealing_encryption_keys { #[test] fn should_return_transient_error() { - let mut csp = MockAllCryptoServiceProvider::new(); - csp.expect_idkg_gen_dealing_encryption_key_pair() + let mut vault = MockLocalCspVault::new(); + vault + .expect_idkg_gen_dealing_encryption_key_pair() .times(1) .return_const(Err(CspCreateMEGaKeyError::TransientInternalError { internal_error: "RPC error".to_string(), })); - let public_key = generate_idkg_dealing_encryption_keys(&csp); + let public_key = generate_idkg_dealing_encryption_keys(&vault); assert_matches!(public_key, Err(IDkgDealingEncryptionKeysGenerationError::TransientInternalError(e)) if e == "RPC error") } #[test] fn should_return_internal_error() { - let mut csp = MockAllCryptoServiceProvider::new(); - csp.expect_idkg_gen_dealing_encryption_key_pair() + let mut vault = MockLocalCspVault::new(); + vault + .expect_idkg_gen_dealing_encryption_key_pair() .times(1) .return_const(Err(CspCreateMEGaKeyError::SerializationError( ThresholdEcdsaSerializationError("TEST".to_string()), ))); - let public_key = generate_idkg_dealing_encryption_keys(&csp); + let public_key = generate_idkg_dealing_encryption_keys(&vault); assert_matches!( public_key, @@ -153,24 +155,28 @@ mod generate_required_node_keys_once_internal { #[test] fn should_return_already_existing_keys() { let expected_keys = valid_node_public_keys(); - let mut csp = MockAllCryptoServiceProvider::new(); - csp.expect_validate_pks_and_sks() + let mut vault = MockLocalCspVault::new(); + vault + .expect_validate_pks_and_sks() .times(1) .return_const(Ok(expected_keys.clone())); - let result = generate_node_keys_once_internal(&csp); + let result = generate_node_keys_once_internal(&vault); assert_eq!(result, Ok(expected_keys)); } #[test] fn should_return_transient_error() { - let mut csp = MockAllCryptoServiceProvider::new(); - csp.expect_validate_pks_and_sks().times(1).return_const(Err( - ValidatePksAndSksError::TransientInternalError("RPC fails".to_string()), - )); + let mut vault = MockLocalCspVault::new(); + vault + .expect_validate_pks_and_sks() + .times(1) + .return_const(Err(ValidatePksAndSksError::TransientInternalError( + "RPC fails".to_string(), + ))); - let result = generate_node_keys_once_internal(&csp); + let result = generate_node_keys_once_internal(&vault); assert_matches!(result, Err( NodeKeyGenerationError::TransientInternalError(e)) if e == "RPC fails"); } @@ -178,25 +184,28 @@ mod generate_required_node_keys_once_internal { #[test] #[should_panic] fn should_panic_on_any_inconsistent_key_store_error() { - let mut csp = MockAllCryptoServiceProvider::new(); - csp.expect_validate_pks_and_sks().times(1).return_const(Err( - ValidatePksAndSksError::NodeSigningKeyError(PublicKeyNotFound), - )); + let mut vault = MockLocalCspVault::new(); + vault + .expect_validate_pks_and_sks() + .times(1) + .return_const(Err(ValidatePksAndSksError::NodeSigningKeyError( + PublicKeyNotFound, + ))); - let _result = generate_node_keys_once_internal(&csp); + let _result = generate_node_keys_once_internal(&vault); } #[test] fn should_generate_keys_when_keystore_empty() { - let mut csp = MockAllCryptoServiceProvider::new(); - let valid_node_public_keys = with_csp_generating_all_keys(&mut csp); + let mut vault = MockLocalCspVault::new(); + let valid_node_public_keys = with_vault_generating_all_keys(&mut vault); with_validate_pks_and_sks_returning( - &mut csp, + &mut vault, Err(ValidatePksAndSksError::EmptyPublicKeyStore), Ok(valid_node_public_keys.clone()), ); - let result = generate_node_keys_once_internal(&csp); + let result = generate_node_keys_once_internal(&vault); assert_eq!(result, Ok(valid_node_public_keys)); } @@ -204,58 +213,59 @@ mod generate_required_node_keys_once_internal { #[test] #[should_panic(expected = "EmptyPublicKeyStore")] fn should_panic_when_keystore_empty_on_second_call() { - let mut csp = MockAllCryptoServiceProvider::new(); - let _valid_node_public_keys = with_csp_generating_all_keys(&mut csp); + let mut vault = MockLocalCspVault::new(); + let _valid_node_public_keys = with_vault_generating_all_keys(&mut vault); with_validate_pks_and_sks_returning( - &mut csp, + &mut vault, Err(ValidatePksAndSksError::EmptyPublicKeyStore), Err(ValidatePksAndSksError::EmptyPublicKeyStore), ); - let _result = generate_node_keys_once_internal(&csp); + let _result = generate_node_keys_once_internal(&vault); } #[test] #[should_panic(expected = "NodeSigningKeyError(PublicKeyNotFound)")] fn should_panic_on_any_inconsistent_key_store_error_on_second_call() { - let mut csp = MockAllCryptoServiceProvider::new(); - let _valid_node_public_keys = with_csp_generating_all_keys(&mut csp); + let mut vault = MockLocalCspVault::new(); + let _valid_node_public_keys = with_vault_generating_all_keys(&mut vault); with_validate_pks_and_sks_returning( - &mut csp, + &mut vault, Err(ValidatePksAndSksError::EmptyPublicKeyStore), Err(ValidatePksAndSksError::NodeSigningKeyError( PublicKeyNotFound, )), ); - let _result = generate_node_keys_once_internal(&csp); + let _result = generate_node_keys_once_internal(&vault); } #[test] fn should_return_transient_error_on_second_call() { - let mut csp = MockAllCryptoServiceProvider::new(); - let _valid_node_public_keys = with_csp_generating_all_keys(&mut csp); + let mut vault = MockLocalCspVault::new(); + let _valid_node_public_keys = with_vault_generating_all_keys(&mut vault); with_validate_pks_and_sks_returning( - &mut csp, + &mut vault, Err(ValidatePksAndSksError::EmptyPublicKeyStore), Err(ValidatePksAndSksError::TransientInternalError( "RPC fails".to_string(), )), ); - let result = generate_node_keys_once_internal(&csp); + let result = generate_node_keys_once_internal(&vault); assert_matches!(result, Err( NodeKeyGenerationError::TransientInternalError(e)) if e == "RPC fails"); } } fn with_validate_pks_and_sks_returning( - csp: &mut MockAllCryptoServiceProvider, + vault: &mut MockLocalCspVault, result_on_first_call: Result, result_on_second_call: Result, ) { let mut counter = 0_u8; - csp.expect_validate_pks_and_sks() + vault + .expect_validate_pks_and_sks() .times(2) .returning(move || match counter { 0 => { @@ -270,9 +280,10 @@ fn with_validate_pks_and_sks_returning( }); } -fn with_csp_gen_node_signing_key_pair(csp: &mut MockAllCryptoServiceProvider) -> PublicKey { +fn with_vault_gen_node_signing_key_pair(vault: &mut MockLocalCspVault) -> PublicKey { let node_signing_public_key = valid_node_signing_public_key(); - csp.expect_gen_node_signing_key_pair() + vault + .expect_gen_node_signing_key_pair() .times(1) .return_const(Ok(csp_pk_ed25519_from_hex(&hex::encode( node_signing_public_key.key_value.clone(), @@ -280,9 +291,10 @@ fn with_csp_gen_node_signing_key_pair(csp: &mut MockAllCryptoServiceProvider) -> node_signing_public_key } -fn with_csp_gen_committee_signing_key_pair(csp: &mut MockAllCryptoServiceProvider) -> PublicKey { +fn with_vault_gen_committee_signing_key_pair(vault: &mut MockLocalCspVault) -> PublicKey { let committee_signing_public_key = valid_committee_signing_public_key(); - csp.expect_gen_committee_signing_key_pair() + vault + .expect_gen_committee_signing_key_pair() .times(1) .return_const(Ok(( csp_pk_multi_bls12381_from_hex(&hex::encode( @@ -298,25 +310,27 @@ fn with_csp_gen_committee_signing_key_pair(csp: &mut MockAllCryptoServiceProvide committee_signing_public_key } -fn with_csp_gen_tls_key_pair( - csp: &mut MockAllCryptoServiceProvider, +fn with_vault_gen_tls_key_pair( + vault: &mut MockLocalCspVault, node_id: NodeId, ) -> (TlsPublicKeyCert, Time) { let (tls_certificate, validation_time) = valid_tls_certificate(); - csp.expect_gen_tls_key_pair() + vault + .expect_gen_tls_key_pair() .times(1) .withf(move |node_id_| *node_id_ == node_id) .return_const(Ok(tls_certificate.clone())); (tls_certificate, validation_time) } -fn with_csp_dkg_gen_dealing_encryption_key_pair( - csp: &mut MockAllCryptoServiceProvider, +fn with_vault_dkg_gen_dealing_encryption_key_pair( + vault: &mut MockLocalCspVault, node_id: NodeId, ) -> PublicKeyProto { let dkg_dealing_encryption_pk = valid_dkg_dealing_encryption_public_key(); - csp.expect_gen_dealing_encryption_key_pair() + vault + .expect_gen_dealing_encryption_key_pair() .times(1) .withf(move |_node_id| *_node_id == node_id) .return_const(Ok(( @@ -327,11 +341,12 @@ fn with_csp_dkg_gen_dealing_encryption_key_pair( dkg_dealing_encryption_pk } -fn with_csp_idkg_gen_dealing_encryption_key_pair( - csp: &mut MockAllCryptoServiceProvider, +fn with_vault_idkg_gen_dealing_encryption_key_pair( + vault: &mut MockLocalCspVault, ) -> PublicKeyProto { let idkg_dealing_encryption_pk = valid_idkg_dealing_encryption_public_key(); - csp.expect_idkg_gen_dealing_encryption_key_pair() + vault + .expect_idkg_gen_dealing_encryption_key_pair() .times(1) .return_const(Ok(MEGaPublicKey::deserialize( EccCurveType::K256, @@ -341,15 +356,15 @@ fn with_csp_idkg_gen_dealing_encryption_key_pair( idkg_dealing_encryption_pk } -fn with_csp_generating_all_keys(csp: &mut MockAllCryptoServiceProvider) -> ValidNodePublicKeys { - let node_signing_pk = with_csp_gen_node_signing_key_pair(csp); +fn with_vault_generating_all_keys(vault: &mut MockLocalCspVault) -> ValidNodePublicKeys { + let node_signing_pk = with_vault_gen_node_signing_key_pair(vault); let node_id = *ValidNodeSigningPublicKey::try_from(node_signing_pk.clone()) .expect("invalid node signing public key") .derived_node_id(); - let committee_signing_pk = with_csp_gen_committee_signing_key_pair(csp); - let (tls_certificate, validation_time) = with_csp_gen_tls_key_pair(csp, node_id); - let dkg_dealing_encryption_pk = with_csp_dkg_gen_dealing_encryption_key_pair(csp, node_id); - let idkg_dealing_encryption_pk = with_csp_idkg_gen_dealing_encryption_key_pair(csp); + let committee_signing_pk = with_vault_gen_committee_signing_key_pair(vault); + let (tls_certificate, validation_time) = with_vault_gen_tls_key_pair(vault, node_id); + let dkg_dealing_encryption_pk = with_vault_dkg_gen_dealing_encryption_key_pair(vault, node_id); + let idkg_dealing_encryption_pk = with_vault_idkg_gen_dealing_encryption_key_pair(vault); ValidNodePublicKeys::try_from( CurrentNodePublicKeys { diff --git a/rs/crypto/src/common/test_utils/crypto_component.rs b/rs/crypto/src/common/test_utils/crypto_component.rs index 83baa79925e..8cf0608c41d 100644 --- a/rs/crypto/src/common/test_utils/crypto_component.rs +++ b/rs/crypto/src/common/test_utils/crypto_component.rs @@ -23,3 +23,19 @@ pub fn crypto_component_with_csp( None, ) } + +pub fn crypto_component_with_csp_and_vault( + csp: MockAllCryptoServiceProvider, + vault: MockLocalCspVault, + registry_client: Arc, +) -> CryptoComponentImpl { + CryptoComponentImpl::new_for_test( + csp, + Arc::new(vault), + no_op_logger(), + registry_client, + node_test_id(NODE_ID), + Arc::new(CryptoMetrics::none()), + None, + ) +} diff --git a/rs/crypto/src/keygen/mod.rs b/rs/crypto/src/keygen/mod.rs index 9a3cf4d20b1..ded6936dfee 100644 --- a/rs/crypto/src/keygen/mod.rs +++ b/rs/crypto/src/keygen/mod.rs @@ -238,7 +238,7 @@ impl CryptoComponentImpl { IDkgKeyRotationResult::IDkgDealingEncPubkeyNeedsRegistration( KeyRotationOutcome::KeyRotated { new_key: idkg_dealing_encryption_pk_to_proto( - self.csp.idkg_gen_dealing_encryption_key_pair()?, + self.vault.idkg_gen_dealing_encryption_key_pair()?, ), }, ), @@ -254,7 +254,7 @@ impl CryptoComponentImpl { IDkgKeyRotationResult::IDkgDealingEncPubkeyNeedsRegistration( KeyRotationOutcome::KeyRotated { new_key: idkg_dealing_encryption_pk_to_proto( - self.csp.idkg_gen_dealing_encryption_key_pair()?, + self.vault.idkg_gen_dealing_encryption_key_pair()?, ), }, ), diff --git a/rs/crypto/src/keygen/tests.rs b/rs/crypto/src/keygen/tests.rs index 014ffaee20a..68d99320c63 100644 --- a/rs/crypto/src/keygen/tests.rs +++ b/rs/crypto/src/keygen/tests.rs @@ -1,7 +1,7 @@ #![allow(clippy::unwrap_used)] use super::*; -use crate::common::test_utils::crypto_component::crypto_component_with_csp; +use crate::common::test_utils::crypto_component::crypto_component_with_csp_and_vault; use assert_matches::assert_matches; use ic_base_types::SubnetId; use ic_base_types::{NodeId, PrincipalId}; @@ -1374,6 +1374,7 @@ mod rotate_idkg_dealing_encryption_keys { use ic_registry_keys::{make_subnet_list_record_key, make_subnet_record_key}; let mut csp = MockAllCryptoServiceProvider::new(); + let mut vault = MockLocalCspVault::new(); let mut counter = 0_u8; csp.expect_current_node_public_keys() .times(2) @@ -1396,7 +1397,8 @@ mod rotate_idkg_dealing_encryption_keys { csp.expect_current_node_public_keys_with_timestamps() .times(2) .return_const(Ok(valid_current_node_public_keys_with_timestamps())); - csp.expect_idkg_gen_dealing_encryption_key_pair() + vault + .expect_idkg_gen_dealing_encryption_key_pair() .times(1) .return_const(Ok(MEGaPublicKey::deserialize( EccCurveType::K256, @@ -1439,7 +1441,9 @@ mod rotate_idkg_dealing_encryption_keys { ) .expect("Failed to add subnet list record key"); - let crypto_component = crypto_component_with_csp(csp, registry_client.clone()); + let crypto_component = + crypto_component_with_csp_and_vault(csp, vault, registry_client.clone()); + registry_client.reload(); let result = crypto_component.rotate_idkg_dealing_encryption_keys(REGISTRY_VERSION_1); @@ -1852,6 +1856,7 @@ impl SetupBuilder { fn build(self) -> Setup { let mut mock_csp = MockAllCryptoServiceProvider::new(); + let mut mock_vault = MockLocalCspVault::new(); if let Some(csp_pks_and_sks_contains_result) = self.csp_pks_and_sks_contains_result { mock_csp @@ -1885,7 +1890,7 @@ impl SetupBuilder { if let Some(csp_idkg_gen_dealing_encryption_key_pair_result) = self.csp_idkg_gen_dealing_encryption_key_pair_result { - mock_csp + mock_vault .expect_idkg_gen_dealing_encryption_key_pair() .times(1) .return_const(csp_idkg_gen_dealing_encryption_key_pair_result); @@ -1954,7 +1959,7 @@ impl SetupBuilder { let time_source = FastForwardTimeSource::new(); let crypto = CryptoComponentImpl::new_for_test( mock_csp, - Arc::new(MockLocalCspVault::new()), + Arc::new(mock_vault), self.logger.unwrap_or_else(no_op_logger), Arc::clone(®istry_client), node_id(), diff --git a/rs/crypto/temp_crypto/src/lib.rs b/rs/crypto/temp_crypto/src/lib.rs index 20312cada92..c8fe3420cf8 100644 --- a/rs/crypto/temp_crypto/src/lib.rs +++ b/rs/crypto/temp_crypto/src/lib.rs @@ -310,7 +310,7 @@ pub mod internal { .unwrap_or_else(NodeKeysToGenerate::none); let node_signing_pk = node_keys_to_generate .generate_node_signing_keys - .then(|| generate_node_signing_keys(&csp)); + .then(|| generate_node_signing_keys(local_vault.as_ref())); let node_id = self .node_id .unwrap_or_else(|| match node_signing_pk.as_ref() { @@ -320,20 +320,20 @@ pub mod internal { }); let committee_signing_pk = node_keys_to_generate .generate_committee_signing_keys - .then(|| generate_committee_signing_keys(&csp)); + .then(|| generate_committee_signing_keys(local_vault.as_ref())); let dkg_dealing_encryption_pk = node_keys_to_generate .generate_dkg_dealing_encryption_keys - .then(|| generate_dkg_dealing_encryption_keys(&csp, node_id)); + .then(|| generate_dkg_dealing_encryption_keys(local_vault.as_ref(), node_id)); let idkg_dealing_encryption_pk = node_keys_to_generate .generate_idkg_dealing_encryption_keys .then(|| { - generate_idkg_dealing_encryption_keys(&csp).unwrap_or_else(|e| { - panic!("Error generating I-DKG dealing encryption keys: {:?}", e) - }) + generate_idkg_dealing_encryption_keys(local_vault.as_ref()).unwrap_or_else( + |e| panic!("Error generating I-DKG dealing encryption keys: {:?}", e), + ) }); let tls_certificate = node_keys_to_generate .generate_tls_keys_and_certificate - .then(|| generate_tls_keys(&csp, node_id).to_proto()); + .then(|| generate_tls_keys(local_vault.as_ref(), node_id).to_proto()); let is_registry_data_provided = self.registry_data.is_some(); let registry_data = self diff --git a/rs/crypto/test_utils/csp/src/lib.rs b/rs/crypto/test_utils/csp/src/lib.rs index 2d5194db24c..1d64993be32 100644 --- a/rs/crypto/test_utils/csp/src/lib.rs +++ b/rs/crypto/test_utils/csp/src/lib.rs @@ -1,34 +1,28 @@ use ic_crypto_internal_csp::api::{ - CspCreateMEGaKeyError, CspIDkgProtocol, CspKeyGenerator, CspPublicAndSecretKeyStoreChecker, - CspPublicKeyStore, CspSigVerifier, CspSigner, CspThresholdSignError, - CspTlsHandshakeSignerProvider, NiDkgCspClient, ThresholdSignatureCspClient, + CspPublicAndSecretKeyStoreChecker, CspPublicKeyStore, CspSigVerifier, CspSigner, + CspThresholdSignError, CspTlsHandshakeSignerProvider, NiDkgCspClient, + ThresholdSignatureCspClient, }; use ic_crypto_internal_csp::key_id::KeyId; use ic_crypto_internal_csp::types::ExternalPublicKeys; use ic_crypto_internal_csp::types::{CspPop, CspPublicCoefficients, CspPublicKey, CspSignature}; -use ic_crypto_internal_csp::vault::api::CspBasicSignatureKeygenError; -use ic_crypto_internal_csp::vault::api::CspMultiSignatureKeygenError; use ic_crypto_internal_csp::vault::api::CspPublicKeyStoreError; -use ic_crypto_internal_csp::vault::api::CspTlsKeygenError; use ic_crypto_internal_csp::vault::api::PksAndSksContainsErrors; use ic_crypto_internal_csp::vault::api::ValidatePksAndSksError; use ic_crypto_internal_csp::TlsHandshakeCspVault; use ic_crypto_internal_threshold_sig_bls12381::api::ni_dkg_errors::{ - CspDkgCreateDealingError, CspDkgCreateFsKeyError, CspDkgCreateReshareDealingError, - CspDkgCreateReshareTranscriptError, CspDkgCreateTranscriptError, CspDkgLoadPrivateKeyError, - CspDkgRetainThresholdKeysError, CspDkgUpdateFsEpochError, CspDkgVerifyDealingError, - CspDkgVerifyReshareDealingError, + CspDkgCreateDealingError, CspDkgCreateReshareDealingError, CspDkgCreateReshareTranscriptError, + CspDkgCreateTranscriptError, CspDkgLoadPrivateKeyError, CspDkgRetainThresholdKeysError, + CspDkgUpdateFsEpochError, CspDkgVerifyDealingError, CspDkgVerifyReshareDealingError, }; -use ic_crypto_internal_threshold_sig_ecdsa::MEGaPublicKey; use ic_crypto_internal_types::sign::threshold_sig::ni_dkg::{ - CspFsEncryptionPop, CspFsEncryptionPublicKey, CspNiDkgDealing, CspNiDkgTranscript, Epoch, + CspFsEncryptionPublicKey, CspNiDkgDealing, CspNiDkgTranscript, Epoch, }; use ic_crypto_internal_types::sign::threshold_sig::public_key::CspThresholdSigPublicKey; use ic_crypto_node_key_validation::ValidNodePublicKeys; -use ic_crypto_tls_interfaces::TlsPublicKeyCert; use ic_types::crypto::threshold_sig::ni_dkg::NiDkgId; use ic_types::crypto::{AlgorithmId, CryptoResult, CurrentNodePublicKeys}; -use ic_types::{NodeId, NodeIndex, NumberOfNodes}; +use ic_types::{NodeIndex, NumberOfNodes}; use mockall::predicate::*; use mockall::*; use std::collections::{BTreeMap, BTreeSet}; @@ -84,19 +78,6 @@ mock! { ) -> CryptoResult<()>; } - impl CspKeyGenerator for AllCryptoServiceProvider { - fn gen_node_signing_key_pair(&self) -> Result; - - fn gen_committee_signing_key_pair( - &self, - ) -> Result<(CspPublicKey, CspPop), CspMultiSignatureKeygenError>; - - fn gen_tls_key_pair( - &self, - node_id: NodeId, - ) -> Result; - } - impl ThresholdSignatureCspClient for AllCryptoServiceProvider { fn threshold_sign( &self, @@ -137,11 +118,6 @@ mock! { } impl NiDkgCspClient for AllCryptoServiceProvider { - fn gen_dealing_encryption_key_pair( - &self, - _node_id: NodeId, - ) -> Result<(CspFsEncryptionPublicKey, CspFsEncryptionPop), CspDkgCreateFsKeyError>; - /// Erases forward secure secret keys at and before a given epoch fn update_forward_secure_epoch( &self, @@ -247,8 +223,4 @@ mock! { impl CspTlsHandshakeSignerProvider for AllCryptoServiceProvider { fn handshake_signer(&self) -> Arc; } - - impl CspIDkgProtocol for AllCryptoServiceProvider { - fn idkg_gen_dealing_encryption_key_pair(&self) -> Result; - } } diff --git a/rs/crypto/tests/request_id_signatures.rs b/rs/crypto/tests/request_id_signatures.rs index 87594bfeda7..987aa1505f1 100644 --- a/rs/crypto/tests/request_id_signatures.rs +++ b/rs/crypto/tests/request_id_signatures.rs @@ -3,7 +3,7 @@ use assert_matches::assert_matches; use ic_config::crypto::CryptoConfig; use ic_crypto::CryptoComponent; use ic_crypto_interfaces_sig_verification::BasicSigVerifierByPublicKey; -use ic_crypto_internal_csp::Csp; +use ic_crypto_internal_csp::vault::vault_from_config; use ic_crypto_internal_logmon::metrics::CryptoMetrics; use ic_crypto_internal_test_vectors::test_data; use ic_crypto_standalone_sig_verifier::{ @@ -409,8 +409,13 @@ fn ecdsa_secp256k1_signature_and_public_key( fn crypto_component(config: &CryptoConfig) -> CryptoComponent { let dummy_registry = FakeRegistryClient::new(Arc::new(ProtoRegistryDataProvider::new())); - let csp = Csp::new_from_config(config, None, None, Arc::new(CryptoMetrics::none())); - ic_crypto_node_key_generation::generate_node_signing_keys(&csp); + let vault = vault_from_config( + config, + None, + no_op_logger(), + Arc::new(CryptoMetrics::none()), + ); + ic_crypto_node_key_generation::generate_node_signing_keys(vault.as_ref()); CryptoComponent::new(config, None, Arc::new(dummy_registry), no_op_logger(), None) } diff --git a/rs/crypto/tests/webauthn_signatures.rs b/rs/crypto/tests/webauthn_signatures.rs index 7cb48157e0d..4f103bed455 100644 --- a/rs/crypto/tests/webauthn_signatures.rs +++ b/rs/crypto/tests/webauthn_signatures.rs @@ -2,7 +2,7 @@ use ic_config::crypto::CryptoConfig; use ic_crypto::CryptoComponent; use ic_crypto_interfaces_sig_verification::BasicSigVerifierByPublicKey; -use ic_crypto_internal_csp::Csp; +use ic_crypto_internal_csp::vault::vault_from_config; use ic_crypto_internal_logmon::metrics::CryptoMetrics; use ic_crypto_internal_test_vectors::test_data; use ic_crypto_standalone_sig_verifier::{ @@ -151,8 +151,13 @@ fn rsa_verification_data( fn crypto_component(config: &CryptoConfig) -> CryptoComponent { let dummy_registry = FakeRegistryClient::new(Arc::new(ProtoRegistryDataProvider::new())); - let csp = Csp::new_from_config(config, None, None, Arc::new(CryptoMetrics::none())); - ic_crypto_node_key_generation::generate_node_signing_keys(&csp); + let vault = vault_from_config( + config, + None, + no_op_logger(), + Arc::new(CryptoMetrics::none()), + ); + ic_crypto_node_key_generation::generate_node_signing_keys(vault.as_ref()); CryptoComponent::new(config, None, Arc::new(dummy_registry), no_op_logger(), None) }