lkg init

node/pkg/tss/implementation_test.go

@@ -2,10 +2,14 @@ package tss
 
 import (
 	"context"
+	crand "crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
 	"errors"
 	"fmt"
 	"math/big"
 	"math/rand"
+	"net"
 	"sync"
 	"testing"
 	"time"
@@ -493,6 +497,29 @@ func TestBadInputs(t *testing.T) {
 	})
 }
 
+func createX509Cert(dnsName string) *x509.Certificate {
+	// using random serial number
+	var serialNumberLimit = new(big.Int).Lsh(big.NewInt(1), 128)
+
+	serialNumber, err := crand.Int(crand.Reader, serialNumberLimit)
+	if err != nil {
+		panic(err)
+	}
+
+	tmpl := x509.Certificate{
+		SerialNumber:          serialNumber,
+		Subject:               pkix.Name{Organization: []string{"tsscomm"}},
+		SignatureAlgorithm:    x509.ECDSAWithSHA256,
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(time.Hour * 24 * 366 * 40), // valid for > 40 years used for tests...
+		BasicConstraintsValid: true,
+
+		DNSNames:    []string{"localhost", dnsName},
+		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
+	}
+	return &tmpl
+}
+
 func TestFetchPartyId(t *testing.T) {
 	a := assert.New(t)
 	engines := load5GuardiansSetupForBroadcastChecks(a)
@@ -1132,6 +1159,8 @@ func TestFT(t *testing.T) {
 	})
 
 	t.Run("server crashes on a single chain, shouldn't affect signatures on other chain", func(t *testing.T) {
+		/* expects 2 sigs to be created. one with the server that has an issue in chain 0
+		and one on chain 0 without that server. */
 		a := assert.New(t)
 
 		ctx, cancel := context.WithTimeout(context.Background(), time.Minute*1)
@@ -1151,8 +1180,8 @@ func TestFT(t *testing.T) {
 
 		fmt.Println("engines started, requesting sigs")
 
-		tsks := make([]party.SigningTask, 2)
-		for i := range tsks {
+		var tsks []party.SigningTask
+		for i := range 2 {
 			tsks = append(tsks, party.SigningTask{
 				Digest:       party.Digest{1, 2, 3, 4, 5, 6, 7, 8, 9},
 				Faulties:     []*tss.PartyID{},

node/pkg/tss/internal/cmd/README.md

@@ -0,0 +1,71 @@
+Please read the entire document before running the protocol.
+
+# Running 'local' Key Generation
+
+The following binary runs a localised version of a DKG protocol (denote lkg) to
+generate secrets for guardians to use by the threshold signing scheme (TSS).
+
+The script expects a config file (similar to the cnfg.json) provided
+in this package.
+The config file contains a few key fields:
+
+```
+"NumParticipants": int,
+"WantedThreshold": int,
+"GuardianSpecifics" : array
+```
+
+
+Where `NumParticipants` is the number of guardians in the system,
+`WantedThreshold` is the wanted threshold (For instance, `NumParticipants=19` and `WantedThreshold=13`).
+
+The following is an example of the `GuardianSpecifics` array (for a working example, 
+please see *`lkg/cnfg.example.json`*):
+
+
+```
+   "GuardianSpecifics": [
+        {
+            "Identifier": {
+                "TlsX509": PEM X509 CERT in byte format
+            },
+            "WhereToSaveSecrets": "/Path/To/folder/that/will/contain/the/result"
+        },
+        {
+            "Identifier": {...},
+            "WhereToSaveSecrets": "..."
+        },
+        {...},
+        .
+        .
+        .
+   ]
+```
+
+The LocalKG protocol is used to generate secrets to TSS, 
+and it assumes a public key infrastructure. 
+These public keys are x509 certificates (and stored inside `GuardianSpecifics[i].Identifier.TlsX509`), 
+and are used later by the TSS to establish TLS channels between the participants.
+As a result, the x509 certificate provided by you should be self-signed root-level certificates. 
+In addition, you should safely store the signing key you've used to sign your certificate in a known location
+since it is still needed by the TSS protocol ([see after running the protocol for further details](#after-running-the-local-key-generation-protocol)).
+
+
+When creating the X509 certificates, be aware that the DNS name you set 
+in the certificate will be used as the hostname of
+servers participating in the TSS protocol.
+As a result, please refrain from using hostnames that are
+unreachable.
+
+# After running the local key generation protocol.
+
+Once you run the protocol, it will generate for each guardian a single directory (as specified in the `WhereToSaveSecrets` field), each such directory should contain a `secret.json` upon lkg completion. 
+Each guardian operator should take the `secret.json` file saved to the directory they
+provided in the config.
+The resulting `secret.json` file should be guarded with care, and out of reach by untrusted entities, and 
+out of reach from other guardians (each guardian should have only one `secret.json` file).
+
+Before using the `secret.json` file with the TSS engine, it needs to be set with the private key 
+that was used to sign the x509 certificate (the same signed certificate that each guardian operator set in the lkg config file):
+Run the `setkey` command, it expects a secrets file generated from running the lkg protocol, and a file for 
+a private key in PEM format (see `setkey/lkg.example.json` and `setkey/key.example.pem`).

node/pkg/tss/internal/cmd/lkg/cnfg.example.json

@@ -0,0 +1,38 @@
+{
+    "NumParticipants": 5,
+	"WantedThreshold": 3,
+
+    "GuardianSpecifics": [
+        {
+            "Identifier": {
+                "TlsX509":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJvakNDQVVlZ0F3SUJBZ0lRUXg2NUhRRjB0Q3I2VmxVWXo2VWEzekFLQmdncWhrak9QUVFEQWpBU01SQXcKRGdZRFZRUUtFd2QwYzNOamIyMXRNQ0FYRFRJME1Ea3lNakEzTVRjeU1sb1lEekl3TmpReE1ESXlNRGN4TnpJeQpXakFTTVJBd0RnWURWUVFLRXdkMGMzTmpiMjF0TUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFCit5ZlV2ZVBvMG1zZGxLS0FwcDM4TzR4ckJzRGN2cEFRblhmSUFDQk1ycjIzU056QnhFWVYwOGZYZ1Z2dXVGSkQKRTRRc29CRzdSb2lBZ3ZGWk5Rb055cU45TUhzd0RnWURWUjBQQVFIL0JBUURBZ0tFTUIwR0ExVWRKUVFXTUJRRwpDQ3NHQVFVRkJ3TUJCZ2dyQmdFRkJRY0RBakFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQjBHQTFVZERnUVdCQlJMCnByNHdWZ0FEeVVNZXNiVVJFWWJ3N215bDB6QWFCZ05WSFJFRUV6QVJnZ2xzYjJOaGJHaHZjM1NIQkg4QUFBRXcKQ2dZSUtvWkl6ajBFQXdJRFNRQXdSZ0loQVBVejY3Q3lKb0lLclNDSlJQcCtNQktFWkkvUTFtK3JlS0RqYzNBVQpXZkhBQWlFQWxIOXpJZjNoZ2hBS3dCcCt1MlB6L05TLzZYSm96UGQ5ZFpnR1dqeHdSM2c9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
+            },
+            "WhereToSaveSecrets": "./save0"
+        },
+        {
+            "Identifier": {
+                "TlsX509":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJvVENDQVVlZ0F3SUJBZ0lRVkNTcndsY1hnWnJrTWRzbFYwamk1VEFLQmdncWhrak9QUVFEQWpBU01SQXcKRGdZRFZRUUtFd2QwYzNOamIyMXRNQ0FYRFRJME1Ea3lNakEzTVRjeU1sb1lEekl3TmpReE1ESXlNRGN4TnpJeQpXakFTTVJBd0RnWURWUVFLRXdkMGMzTmpiMjF0TUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFCkhXd3B0YWk2WGRidW5JSmR2cUc2QTZMU3pTSFZRSkNoYWU3ZkNLNnR3ZlhvSFdMVE1jeklaa2RzMTZHZnh3Sy8KY1JFbUM4Y2JsYytsREFFcVIzR0UzcU45TUhzd0RnWURWUjBQQVFIL0JBUURBZ0tFTUIwR0ExVWRKUVFXTUJRRwpDQ3NHQVFVRkJ3TUJCZ2dyQmdFRkJRY0RBakFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQjBHQTFVZERnUVdCQlRMCmtJSU95R2p4bGNIaHRnbWFxNm9PZS92WmhEQWFCZ05WSFJFRUV6QVJnZ2xzYjJOaGJHaHZjM1NIQkg4QUFBRXcKQ2dZSUtvWkl6ajBFQXdJRFNBQXdSUUlnUkVUSEhyZXNhRndoOW1udm9UZWNlNGFoWGJBWnFnSmFwVWdDSTF0YgovTXNDSVFDTVM4M25hRGNTL2lNVkc2Y3pqT3JiQnkyT3ZITnc5YUhDSm04V29MUWhDZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
+            },
+            "WhereToSaveSecrets": "./save1"
+        },
+        {
+            "Identifier": {
+                "TlsX509":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJvVENDQVVpZ0F3SUJBZ0lSQUlxZ2NqN29zeWg3Y0VZb1RtdTB4cTB3Q2dZSUtvWkl6ajBFQXdJd0VqRVEKTUE0R0ExVUVDaE1IZEhOelkyOXRiVEFnRncweU5EQTVNakl3TnpFM01qSmFHQTh5TURZME1UQXlNakEzTVRjeQpNbG93RWpFUU1BNEdBMVVFQ2hNSGRITnpZMjl0YlRCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBCkJFOFQvanhieEVHZHFDQnFDNUQ4RDBPa0NXeSthMHJqQVUxRHJaYmxyWVFlUktYbHdLWXdGa2pOVjZNVlBROUIKbjFtcG9hNitIMmhJRnZudnNEdjAyVFdqZlRCN01BNEdBMVVkRHdFQi93UUVBd0lDaERBZEJnTlZIU1VFRmpBVQpCZ2dyQmdFRkJRY0RBUVlJS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVCkpya1E4ZzA4WDVFcGI4T1JsalUyb2l0WTJMd3dHZ1lEVlIwUkJCTXdFWUlKYkc5allXeG9iM04waHdSL0FBQUIKTUFvR0NDcUdTTTQ5QkFNQ0EwY0FNRVFDSUJ1VnA3VE9xZXBlOEpvSnZxQTk2bnFIYzVHME9ucHZQa0t6dzJucgo2d3ExQWlCSXlJaHlpL0xVK1RWUDd3Z2JJVXpjMlJXeXZpSklDL0h0YW1ua3FxYWQ2QT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
+            },
+            "WhereToSaveSecrets": "./save2"
+
+        },
+        {
+            "Identifier": {
+                "TlsX509":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJvakNDQVVpZ0F3SUJBZ0lSQUxieVduSHQ2aHpRaDZMb2Q5bzBQemt3Q2dZSUtvWkl6ajBFQXdJd0VqRVEKTUE0R0ExVUVDaE1IZEhOelkyOXRiVEFnRncweU5EQTVNakl3TnpFM01qSmFHQTh5TURZME1UQXlNakEzTVRjeQpNbG93RWpFUU1BNEdBMVVFQ2hNSGRITnpZMjl0YlRCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBCkJGTk9sRHkvRS8wOERtRHdzMVVwaVh5TGV3UkJBUEYvUXRQbm5GR0dvcS9aeFNtZDM2U08vNGs0TnRkWFFKdkEKS05SOVpZNklmclRYUDloNTZOWVlLSTJqZlRCN01BNEdBMVVkRHdFQi93UUVBd0lDaERBZEJnTlZIU1VFRmpBVQpCZ2dyQmdFRkJRY0RBUVlJS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVClF4R3ZBOHVNTjF5NUFRRGMweTc2QjMrQ256OHdHZ1lEVlIwUkJCTXdFWUlKYkc5allXeG9iM04waHdSL0FBQUIKTUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDSUdSUS9UdTRFQWtZRFhtWW5LeHRnR0JlQjhYT2ZIa2dOWGhGM1NXTApyRzQ2QWlFQXpHTzJlWklmenVlQytFQ05XWXBzdkFwK2F0emxXQlNkNmVUdDdKZGMwczQ9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
+            },
+            "WhereToSaveSecrets": "./save3"
+        },
+        {
+            "Identifier": {
+                "TlsX509":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJvRENDQVVlZ0F3SUJBZ0lRSkVGQ2RBN3ZDZE5mbHExUzZQTmJzVEFLQmdncWhrak9QUVFEQWpBU01SQXcKRGdZRFZRUUtFd2QwYzNOamIyMXRNQ0FYRFRJME1Ea3lNakEzTVRjeU1sb1lEekl3TmpReE1ESXlNRGN4TnpJeQpXakFTTVJBd0RnWURWUVFLRXdkMGMzTmpiMjF0TUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFCmJENWdUSmtLayszT2FaRE5XQi9ORHFqeHZONmRET0lvL3lBMms0NkxKbXJSakVacEJDcDFhYVZpSzk5Sm1IWG0KOWIrOWpFWndDRy9NS2ZVaVJmMjBFS045TUhzd0RnWURWUjBQQVFIL0JBUURBZ0tFTUIwR0ExVWRKUVFXTUJRRwpDQ3NHQVFVRkJ3TUJCZ2dyQmdFRkJRY0RBakFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQjBHQTFVZERnUVdCQlRKCnRnMGZzeU45NmN3THhzdWZONjJRUnRZWHpqQWFCZ05WSFJFRUV6QVJnZ2xzYjJOaGJHaHZjM1NIQkg4QUFBRXcKQ2dZSUtvWkl6ajBFQXdJRFJ3QXdSQUlnWlhqelBYeTRsaklsY0swMFFxQ3p3dXROUkN3Wk1kWXNPZ2Q0RHFhQQozK1lDSUdvL2I1ZkEzWmViYmJJclJic3YzWVpOLzlsTXJFbSt1M1JQYmJsSk96L1UKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo="
+            },
+            "WhereToSaveSecrets": "./save4"
+        }
+    ]
+}