Conversation
product-security-plaid-production
bot
requested review from
krehermann and
michelemin
There was a problem hiding this comment.
Pull request overview
This PR adds support for DKG (Distributed Key Generation) and Workflow keys to the corekeys keystore. The implementation enables generation, encryption, and decryption of these key types compatible with the core node.
Changes:
- Added DKG key generation and import functionality with ECDH P256 encryption
- Added Workflow key generation and import functionality with X25519 encryption
- Implemented comprehensive test coverage for both key types including round-trip, wrong password, and invalid format scenarios
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| keystore/corekeys/dkg.go | Implements DKG key generation, encryption, and decryption using ECDH P256 |
| keystore/corekeys/dkg_test.go | Test suite for DKG key operations including round-trip, authentication, and validation |
| keystore/corekeys/workflowkey.go | Implements Workflow key generation, encryption, and decryption using X25519 |
| keystore/corekeys/workflowkey_test.go | Test suite for Workflow key operations including round-trip, authentication, and validation |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
👋 Tofel, thanks for creating this pull request! To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team. Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks! |
✅ API Diff Results - No breaking changes |
…dcre-1800-prodcre-1801-dkg-workflow-keys-keystore
…01-dkg-workflow-keys-keystore
Tofel
changed the title
Tofel
force-pushed
the
prodcre-1800-prodcre-1801-dkg-workflow-keys-keystore
branch
from
d66f74c to
87f084b
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 12 out of 12 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Sorry, on a high level I first want to understand the proposed solution for https://smartcontract-it.atlassian.net/browse/PRODCRE-1747 The keystore library https://github.com/smartcontractkit/chainlink-common/tree/main/keystore is not supposed to give private keys. In particular, the intended use case is to wrap existing interface around the keystore to call the underlying sign/encrypt functions. This is an example - https://github.com/smartcontractkit/chainlink-common/tree/main/keystore/ragep2p, notice that we don't export ed25519 private key, but we wrap the keystore to provide the Sign function needed to implement ragetypes.PeerKeyring. This PR (and its ancestor #1793) looks like a very weird way of generating a key using this library: 1. you generate a key. 2 encrypt it. 3. decrypt it to raw bytes, where the last step works just because you "guessed" the decryption function (otherwise you won't be able to read the private keys and you are only able to import them). So, currently using the keystore library in such a way looks very weird. If indeed you truly need to read private keys, then we can just make a standalone API for key generation without the need for serialization/deserialization and other excessive steps. |
3 participants
PRODCRE-1800, PRODCRE-1801, PRODCRE-1802, PRODCRE-1803, PRODCRE-1825
added generation of following keys to the keystore: