Commit has:-

* Review comments addressed.
* Openssl gtest cases added for generateEdDSAKeyPair() and EdDSAHexToPem().

bftengine/src/bftengine/KeyExchangeManager.cpp

@@ -25,6 +25,8 @@
 namespace bftEngine::impl {
 
 using concord::util::crypto::KeyFormat;
+using concord::crypto::cryptopp::Crypto;
+using concord::crypto::openssl::CertificateUtils;
 
 KeyExchangeManager::KeyExchangeManager(InitData* id)
     : repID_{ReplicaConfig::instance().getreplicaId()},
@@ -153,18 +155,16 @@ void KeyExchangeManager::loadClientPublicKeys() {
 }
 
 void KeyExchangeManager::exchangeTlsKeys(const std::string& type, const SeqNum& bft_sn) {
-  auto keys = concord::util::cryptopp_utils::Crypto::instance().generateECDSAKeyPair(
-      concord::util::crypto::KeyFormat::PemFormat, concord::util::crypto::CurveType::secp384r1);
+  auto keys = Crypto::instance().generateECDSAKeyPair(concord::util::crypto::KeyFormat::PemFormat,
+                                                      concord::util::crypto::CurveType::secp384r1);
   bool use_unified_certs = bftEngine::ReplicaConfig::instance().useUnifiedCertificates;
   const std::string base_path =
       bftEngine::ReplicaConfig::instance().certificatesRootPath + "/" + std::to_string(repID_);
   std::string root_path = (use_unified_certs) ? base_path : base_path + "/" + type;
   std::string cert_path = (use_unified_certs) ? root_path + "/node.cert" : root_path + "/" + type + ".cert";
-  std::string prev_key_pem = concord::util::cryptopp_utils::Crypto::instance()
-                                 .RsaHexToPem(std::make_pair(SigManager::instance()->getSelfPrivKey(), ""))
-                                 .first;
-  auto cert =
-      concord::util::openssl_utils::CertificateUtils::generateSelfSignedCert(cert_path, keys.second, prev_key_pem);
+  std::string prev_key_pem =
+      Crypto::instance().RsaHexToPem(std::make_pair(SigManager::instance()->getSelfPrivKey(), "")).first;
+  auto cert = CertificateUtils::generateSelfSignedCert(cert_path, keys.second, prev_key_pem);
   // Now that we have generated new key pair and certificate, lets do the actual exchange on this replica
   std::string pk_path = root_path + "/pk.pem";
   std::fstream nec_f(pk_path);

bftengine/src/bftengine/SigManager.cpp

@@ -25,8 +25,8 @@ using namespace std;
 namespace bftEngine {
 namespace impl {
 
-using concord::util::signerverifier::TransactionSigner;
-using concord::util::signerverifier::TransactionVerifier;
+using concord::signerverifier::TransactionSigner;
+using concord::signerverifier::TransactionVerifier;
 
 concord::messages::keys_and_signatures::ClientsPublicKeys clientsPublicKeys_;
 

bftengine/tests/SigManager/SigManager_test.cpp

@@ -34,8 +34,8 @@ constexpr size_t RANDOM_DATA_SIZE = 1000U;
 
 std::default_random_engine generator;
 
-using concord::util::signerverifier::TransactionSigner;
-using concord::util::signerverifier::TransactionVerifier;
+using concord::signerverifier::TransactionSigner;
+using concord::signerverifier::TransactionVerifier;
 
 #ifdef USE_CRYPTOPP
 constexpr char ALGO_NAME[] = "rsa";

bftengine/tests/clientsManager/ClientsManager_test.cpp

@@ -43,12 +43,12 @@ using std::unique_ptr;
 using std::vector;
 
 #ifdef USE_CRYPTOPP
-using concord::util::cryptopp_utils::Crypto;
+using concord::crypto::cryptopp::Crypto;
 #elif USE_EDDSA_OPENSSL
-using concord::util::openssl_utils::Crypto;
+using concord::crypto::openssl::Crypto;
 #endif
 
-using concord::util::signerverifier::TransactionSigner;
+using concord::signerverifier::TransactionSigner;
 
 // Testing values to be used for certain Concord-BFT configuration that ClientsManager and/or its dependencies may
 // reference.

client/bftclient/src/bft_client.cpp

@@ -23,7 +23,7 @@ using namespace concord::secretsmanager;
 using namespace bftEngine;
 using namespace bftEngine::impl;
 using concord::util::crypto::KeyFormat;
-using concord::util::signerverifier::TransactionSigner;
+using concord::signerverifier::TransactionSigner;
 
 namespace bft::client {
 

client/bftclient/test/bft_client_api_tests.cpp

@@ -43,7 +43,7 @@ using namespace bftEngine;
 using namespace placeholders;
 using namespace concord::secretsmanager;
 using concord::util::crypto::KeyFormat;
-using concord::util::signerverifier::TransactionVerifier;
+using concord::signerverifier::TransactionVerifier;
 using namespace CryptoPP;
 
 using ReplicaId_t = bft::client::ReplicaId;

client/reconfiguration/src/default_handlers.cpp

@@ -23,6 +23,9 @@ namespace fs = std::experimental::filesystem;
 
 namespace concord::client::reconfiguration::handlers {
 
+using concord::crypto::cryptopp::Crypto;
+using concord::crypto::openssl::CertificateUtils;
+
 template <typename T>
 bool validateInputState(const State& state, std::optional<uint64_t> init_block = std::nullopt) {
   concord::messages::ClientStateReply crep;
@@ -65,14 +68,13 @@ void ClientTlsKeyExchangeHandler::exchangeTlsKeys(const std::string& pkey_path,
                                                   const std::string& cert_path,
                                                   const uint64_t blockid) {
   // Generate new key pair
-  auto new_cert_keys = concord::util::cryptopp_utils::Crypto::instance().generateECDSAKeyPair(
-      concord::util::crypto::KeyFormat::PemFormat, concord::util::crypto::CurveType::secp384r1);
+  auto new_cert_keys = Crypto::instance().generateECDSAKeyPair(concord::util::crypto::KeyFormat::PemFormat,
+                                                               concord::util::crypto::CurveType::secp384r1);
 
   std::string master_key = sm_->decryptFile(master_key_path_).value_or(std::string());
   if (master_key.empty()) master_key = psm_.decryptFile(master_key_path_).value_or(std::string());
   if (master_key.empty()) LOG_FATAL(getLogger(), "unable to read the node master key");
-  auto cert = concord::util::openssl_utils::CertificateUtils::generateSelfSignedCert(
-      cert_path, new_cert_keys.second, master_key);
+  auto cert = CertificateUtils::generateSelfSignedCert(cert_path, new_cert_keys.second, master_key);
 
   sm_->encryptFile(pkey_path, new_cert_keys.first);
   psm_.encryptFile(cert_path, cert);
@@ -152,9 +154,9 @@ bool ClientMasterKeyExchangeHandler::validate(const State& state) const {
 bool ClientMasterKeyExchangeHandler::execute(const State& state, WriteState& out) {
   LOG_INFO(getLogger(), "execute transaction signing key exchange request");
   // Generate new key pair
-  auto hex_keys = concord::util::cryptopp_utils::Crypto::instance().generateRsaKeyPair(
-      2048, concord::util::crypto::KeyFormat::HexaDecimalStrippedFormat);
-  auto pem_keys = concord::util::cryptopp_utils::Crypto::instance().RsaHexToPem(hex_keys);
+  auto hex_keys =
+      Crypto::instance().generateRsaKeyPair(2048, concord::util::crypto::KeyFormat::HexaDecimalStrippedFormat);
+  auto pem_keys = Crypto::instance().RsaHexToPem(hex_keys);
 
   concord::messages::ReconfigurationRequest rreq;
   concord::messages::ClientExchangePublicKey creq;

communication/src/AsyncTlsConnection.cpp

@@ -31,6 +31,9 @@
 
 namespace bft::communication::tls {
 
+using concord::crypto::cryptopp::Crypto;
+using concord::crypto::openssl::CertificateUtils;
+
 void AsyncTlsConnection::startReading() {
   auto self = shared_from_this();
   asio::post(strand_, [this, self] { readMsgSizeHeader(); });
@@ -430,7 +433,7 @@ std::pair<bool, NodeNum> AsyncTlsConnection::checkCertificate(X509* received_cer
   uint32_t peerId = UINT32_MAX;
   std::string conn_type;
   // (1) First, try to verify the certificate against the latest saved certificate
-  bool res = concord::util::openssl_utils::CertificateUtils::verifyCertificate(
+  bool res = CertificateUtils::verifyCertificate(
       received_cert, config_.certificatesRootPath_, peerId, conn_type, config_.useUnifiedCertificates_);
   if (expected_peer_id.has_value() && peerId != expected_peer_id.value()) return std::make_pair(false, peerId);
   if (res) return std::make_pair(res, peerId);
@@ -439,14 +442,12 @@ std::pair<bool, NodeNum> AsyncTlsConnection::checkCertificate(X509* received_cer
            "public key");
   std::string pem_pub_key = StateControl::instance().getPeerPubKey(peerId);
   if (pem_pub_key.empty()) return std::make_pair(false, peerId);
-  if (concord::util::cryptopp_utils::Crypto::instance().getFormat(pem_pub_key) !=
-      concord::util::crypto::KeyFormat::PemFormat) {
-    pem_pub_key = concord::util::cryptopp_utils::Crypto::instance()
-                      .RsaHexToPem(std::make_pair("", StateControl::instance().getPeerPubKey(peerId)))
-                      .second;
+  if (Crypto::instance().getFormat(pem_pub_key) != concord::util::crypto::KeyFormat::PemFormat) {
+    pem_pub_key =
+        Crypto::instance().RsaHexToPem(std::make_pair("", StateControl::instance().getPeerPubKey(peerId))).second;
   }
   // (2) Try to validate the certificate against the peer's public key
-  res = concord::util::openssl_utils::CertificateUtils::verifyCertificate(received_cert, pem_pub_key);
+  res = CertificateUtils::verifyCertificate(received_cert, pem_pub_key);
   if (!res) return std::make_pair(false, peerId);
 
   // (3) If valid, exchange the stored certificate

kvbc/src/pruning_handler.cpp

@@ -21,8 +21,8 @@
 namespace concord::kvbc::pruning {
 
 using concord::util::crypto::KeyFormat;
-using concord::util::signerverifier::TransactionSigner;
-using concord::util::signerverifier::TransactionVerifier;
+using concord::signerverifier::TransactionSigner;
+using concord::signerverifier::TransactionVerifier;
 
 void PruningSigner::sign(concord::messages::LatestPrunableBlock& block) {
   std::ostringstream oss;

kvbc/src/reconfiguration_kvbc_handler.cpp

@@ -34,6 +34,7 @@
 
 namespace concord::kvbc::reconfiguration {
 
+using concord::crypto::cryptopp::Crypto;
 using bftEngine::impl::DbCheckpointManager;
 using bftEngine::impl::SigManager;
 using concord::kvbc::KvbAppFilter;
@@ -1247,7 +1248,7 @@ bool InternalPostKvReconfigurationHandler::handle(const concord::messages::Clien
   }
   std::string path = bftEngine::ReplicaConfig::instance().clientsKeysPrefix + "/" + std::to_string(group_id) +
                      "/transaction_signing_pub.pem";
-  auto pem_key = concord::util::cryptopp_utils::Crypto::instance().RsaHexToPem(std::make_pair("", command.pub_key));
+  auto pem_key = Crypto::instance().RsaHexToPem(std::make_pair("", command.pub_key));
   concord::secretsmanager::SecretsManagerPlain sm;
   sm.encryptFile(path, pem_key.second);
   LOG_INFO(getLogger(), KVLOG(path, pem_key.second, sender_id));

kvbc/tools/db_editor/include/kv_blockchain_db_editor.hpp

@@ -30,7 +30,7 @@
 #include "bcstatetransfer/SimpleBCStateTransfer.hpp"
 #include "bftengine/PersistentStorageImp.hpp"
 #include "bftengine/DbMetadataStorage.hpp"
-#include "cryptopp_utils.hpp"
+#include "sign_verify_utils.hpp"
 #include "json_output.hpp"
 #include "bftengine/ReplicaSpecificInfoManager.hpp"
 
@@ -44,6 +44,7 @@
 namespace concord::kvbc::tools::db_editor {
 
 using namespace categorization;
+using concord::signerverifier::TransactionVerifier;
 
 inline const auto kToolName = "kv_blockchain_db_editor"s;
 inline KeyValueBlockchain getAdapter(const std::string &path, const bool read_only = false) {
@@ -353,7 +354,7 @@ struct VerifyBlockRequests {
       out << "\t\t\"signature_digest\": \"" << hex_digest << "\",\n";
       out << "\t\t\"persistency_type\": \"" << persistencyType(req.requestPersistencyType) << "\",\n";
       std::string verification_result;
-      auto verifier = std::make_unique<concord::util::cryptopp_utils::RSAVerifier>(
+      auto verifier = std::make_unique<TransactionVerifier>(
           client_keys.ids_to_keys[req.clientId].key,
           (concord::util::crypto::KeyFormat)client_keys.ids_to_keys[req.clientId].format);
 
@@ -1036,7 +1037,6 @@ struct VerifyDbCheckpoint {
   using CheckpointDesc = bftEngine::bcst::impl::DataStore::CheckpointDesc;
   using BlockHashData = std::tuple<uint64_t, BlockDigest, BlockDigest>;  //<blockId, parentHash, blockHash>
   using IVerifier = concord::util::cryptointerface::IVerifier;
-  using RSAVerifier = concord::util::cryptopp_utils::RSAVerifier;
   using KeyFormat = concord::util::crypto::KeyFormat;
   using ReplicaId = uint16_t;
   const bool read_only = true;
@@ -1084,7 +1084,7 @@ struct VerifyDbCheckpoint {
               auto format = cmd.format;
               transform(format.begin(), format.end(), format.begin(), ::tolower);
               auto key_format = ((format == "hex") ? KeyFormat::HexaDecimalStrippedFormat : KeyFormat::PemFormat);
-              replica_keys.emplace(repId, std::make_unique<RSAVerifier>(cmd.key, key_format));
+              replica_keys.emplace(repId, std::make_unique<TransactionVerifier>(cmd.key, key_format));
             },
             *val);
       }

kvbc/tools/object_store_utility/integrity_checker.cpp

@@ -37,13 +37,18 @@ void IntegrityChecker::initKeysConfig(const fs::path& keys_file) {
   config.fVal = parser.get_value<std::uint16_t>("f_val");
   config.cVal = parser.get_value<std::uint16_t>("c_val");
   config.publicKeysOfReplicas.clear();
-  auto rsaPublicKeys = parser.get_values<std::string>("rsa_public_keys");
 
-  if (rsaPublicKeys.size() < config.numReplicas)
+#ifdef USE_CRYPTOPP
+  auto txnSignerPublicKeys = parser.get_values<std::string>("rsa_public_keys");
+#elif USE_EDDSA_OPENSSL
+  auto txnSignerPublicKeys = parser.get_values<std::string>("eddsa_public_keys");
+#endif
+
+  if (txnSignerPublicKeys.size() < config.numReplicas)
     throw std::runtime_error("number of replicas and number of replicas don't match: " + keys_file.string());
 
   for (size_t i = 0; i < config.numReplicas; ++i)
-    config.publicKeysOfReplicas.insert(std::pair<uint16_t, std::string>(i, rsaPublicKeys[i]));
+    config.publicKeysOfReplicas.insert(std::pair<uint16_t, std::string>(i, txnSignerPublicKeys[i]));
 
   config.replicaId = config.numReplicas;  // "my" replica id shouldn't match one of the regular replicas
 

reconfiguration/src/reconfiguration_handler.cpp

@@ -28,11 +28,11 @@ using namespace concord::messages;
 using concord::util::crypto::KeyFormat;
 
 #if USE_CRYPTOPP
-using concord::util::cryptopp_utils::ECDSAVerifier;
+using concord::crypto::cryptopp::ECDSAVerifier;
 #else
 #include "openssl_utils.hpp"
 
-using concord::util::openssl_utils::EdDSAVerifier;
+using concord::crypto::openssl::EdDSAVerifier;
 #endif
 
 namespace concord::reconfiguration {

tests/apollo/util/bft.py

@@ -503,16 +503,30 @@ def _generate_operator_keys(self):
         if self.builddir is None:
             return
         with open(self.builddir + "/operator_pub.pem", 'w') as f:
+            # EdDSA public key.
+            f.write("-----BEGIN PUBLIC KEY-----\n"
+                    "MCowBQYDK2VwAyEAq6x6mTckhvzscZmDtRAwgneYpIE3sqkdLdaZ4B5JBbw=\n"
+                    "-----END PUBLIC KEY-----")
+            """
+            # ECDSA public key.
             f.write("-----BEGIN PUBLIC KEY-----\n"
                     "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENEMHcbJgnnYxfa1zDlIF7lzp/Ioa"
                     "NfwGuJpAg84an5FdPALwZwBp/m/X3d8kwmfZEytqt2PGMNhHMkovIaRI1A==\n"
                     "-----END PUBLIC KEY-----")
+            """
         with open(self.builddir + "/operator_priv.pem", 'w') as f:
+            # EdDSA private key.
+            f.write("-----BEGIN PRIVATE KEY-----\n"
+                    "MC4CAQAwBQYDK2VwBCIEIIIyaCtHzqPqMdvvcTIp+ZtOGccurc7e8qMPs8+jt0xo\n"
+                    "-----END PRIVATE KEY-----")
+            """
+            # ECDSA private key.
             f.write("-----BEGIN EC PRIVATE KEY-----\n"
                     "MHcCAQEEIEWf8ZTkCWbdA9WrMSNGCC7GQxvSXiDlU6dlZAi6JaCboAoGCCqGSM49"
                     "AwEHoUQDQgAENEMHcbJgnnYxfa1zDlIF7lzp/IoaNfwGuJpAg84an5FdPALwZwBp"
                     "/m/X3d8kwmfZEytqt2PGMNhHMkovIaRI1A==\n"
                     "-----END EC PRIVATE KEY-----")
+            """
 
     def generate_tls_certs(self, num_to_generate, start_index=0):
         """

tests/apollo/util/operator.py

@@ -20,24 +20,37 @@
 
 sys.path.append(os.path.abspath("../../util/pyclient"))
 
+from cryptography.hazmat.primitives import serialization
+
 import bft_client
-from ecdsa import SigningKey
-from ecdsa import SECP256k1
-import hashlib
+#from ecdsa import SigningKey
+#from ecdsa import SECP256k1
+#import hashlib
 
 import util.eliot_logging as log
 
-
 class Operator:
     def __init__(self, config, client, priv_key_dir):
         self.config = config
         self.client = client
-        with open(priv_key_dir + "/operator_priv.pem") as f:
-            self.private_key = SigningKey.from_pem(f.read(), hashlib.sha256)
 
-    def _sign_reconf_msg(self, msg):
-        return self.private_key.sign_deterministic(msg.serialize())
+        # Read ECDSA signing key.
+        # with open(priv_key_dir + "/operator_priv.pem") as f:
+        #    self.private_key = SigningKey.from_pem(f.read(), hashlib.sha256)
 
+        # Read EdDSA signing key.
+        txn_signing_key_path = priv_key_dir + "/operator_priv.pem"
+        if txn_signing_key_path:
+            with open(txn_signing_key_path, 'rb') as f:
+                self.private_key = serialization.load_pem_private_key(f.read(), password=None)
+
+    def _sign_reconf_msg(self, msg):
+        signature = b''
+        if self.private_key:
+            signature = self.private_key.sign(bytes(msg.serialize()))
+        return signature
+        # Return ECDSA signature.
+        # return self.private_key.sign_deterministic(msg.serialize())
 
     def  _construct_basic_reconfiguration_request(self, command):
         reconf_msg = cmf_msgs.ReconfigurationRequest()
@@ -49,10 +62,10 @@ def  _construct_basic_reconfiguration_request(self, command):
         return reconf_msg
 
     def _construct_reconfiguration_wedge_command(self):
-            wedge_cmd = cmf_msgs.WedgeCommand()
-            wedge_cmd.sender = 1000
-            wedge_cmd.noop = False
-            return self._construct_basic_reconfiguration_request(wedge_cmd)
+        wedge_cmd = cmf_msgs.WedgeCommand()
+        wedge_cmd.sender = 1000
+        wedge_cmd.noop = False
+        return self._construct_basic_reconfiguration_request(wedge_cmd)
 
     def _construct_reconfiguration_latest_prunebale_block_command(self):
         lpab_cmd = cmf_msgs.LatestPrunableBlockRequest()

tools/GenerateConcordKeys.cpp

@@ -24,7 +24,7 @@
 #include "KeyfileIOUtils.hpp"
 #include "openssl_utils.hpp"
 
-using concord::util::openssl_utils::Crypto;
+using concord::crypto::openssl::Crypto;
 
 // Helper functions and static state to this executable's main function.
 

tools/TestGeneratedKeys.cpp

@@ -21,8 +21,8 @@
 #include "KeyfileIOUtils.hpp"
 #include "sign_verify_utils.hpp"
 
-using concord::util::signerverifier::TransactionSigner;
-using concord::util::signerverifier::TransactionVerifier;
+using concord::signerverifier::TransactionSigner;
+using concord::signerverifier::TransactionVerifier;
 using concord::util::crypto::KeyFormat;
 
 // How often to output status when testing cryptosystems, measured as an