Skip to content

chore(crypto): CRP-2781 Make KeyId from MEGaPublicKey conversion infalliable #8180

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
randombit merged 9 commits into from
Jan 5, 2026
Merged

chore(crypto): CRP-2781 Make KeyId from MEGaPublicKey conversion infalliable #8180

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
525b739
chore(crypto): CRP-2781 Make KeyId from MEGaPublicKey conversion infa…
randombit Dec 22, 2025
9b63b08
Fix
randombit Dec 22, 2025
e3d4e0c
util
randombit Jan 4, 2026
80d7f36
Fix
randombit Jan 4, 2026
4ea7d31
Merge branch 'master' into jack/crp-2781
randombit Jan 4, 2026
c97597a
more
randombit Jan 4, 2026
053068b
Remove nasty util
randombit Jan 4, 2026
19a2b28
Fix imports
randombit Jan 4, 2026
2744df5
Merge branch 'master' into jack/crp-2781
randombit Jan 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 9 additions & 11 deletions rs/crypto/internal/crypto_service_provider/src/key_id/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -110,17 +110,15 @@ impl From<&CspPublicKey> for KeyId {
}
}

impl TryFrom<&MEGaPublicKey> for KeyId {
type Error = String;

fn try_from(public_key: &MEGaPublicKey) -> Result<Self, Self::Error> {
match public_key.curve_type() {
EccCurveType::K256 => Ok(KeyId::from((
AlgorithmId::ThresholdEcdsaSecp256k1,
&public_key.serialize(),
))),
c => Err(format!("unsupported curve: {c:?}")),
}
impl From<&MEGaPublicKey> for KeyId {
fn from(public_key: &MEGaPublicKey) -> Self {
let alg = match public_key.curve_type() {
EccCurveType::K256 => AlgorithmId::ThresholdEcdsaSecp256k1,
EccCurveType::P256 => AlgorithmId::ThresholdEcdsaSecp256r1,
EccCurveType::Ed25519 => AlgorithmId::ThresholdEd25519,
};

KeyId::from((alg, &public_key.serialize()))
}
}

Expand Down
27 changes: 17 additions & 10 deletions rs/crypto/internal/crypto_service_provider/src/key_id/tests.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,15 +4,6 @@ use ic_crypto_internal_threshold_sig_canister_threshold_sig::{
};
use ic_crypto_internal_types::sign::threshold_sig::ni_dkg::ni_dkg_groth20_bls12_381::FsEncryptionPublicKey;

#[test]
fn should_fail_to_create_key_id_from_mega_key_with_unsupported_curve() {
let mega_public_key = MEGaPublicKey::new(EccPoint::identity(EccCurveType::P256));
assert_eq!(
KeyId::try_from(&mega_public_key),
Err("unsupported curve: P256".to_string())
);
}

mod stability_tests {
use super::*;
use crate::CspPublicKey;
Expand Down Expand Up @@ -216,10 +207,26 @@ mod stability_tests {
input: MEGaPublicKey::new(EccPoint::generator_h(EccCurveType::K256)),
expected: "502da182fa4451163418bb07073182ca280aa4fb1f652b70f5b3b8f1642579cb",
},
ParameterizedTest {
input: MEGaPublicKey::new(EccPoint::generator_g(EccCurveType::P256)),
expected: "2b0a2fc94df2c28de159aeaf65a8d37b4825d17ea9cefad30a7b0db0b99f9e3f",
},
ParameterizedTest {
input: MEGaPublicKey::new(EccPoint::generator_h(EccCurveType::P256)),
expected: "4cbcdf951ded1c9f8c8fa726677f9f8099f77813e7d6203ae63e1f3934833e52",
},
ParameterizedTest {
input: MEGaPublicKey::new(EccPoint::generator_g(EccCurveType::Ed25519)),
expected: "2ea594538d5f66037df2ad82f13678f6c09e4d7f1111696f954c8d3eb73bb08a",
},
ParameterizedTest {
input: MEGaPublicKey::new(EccPoint::generator_h(EccCurveType::Ed25519)),
expected: "1e4d044d7648d96ee5daea1464a0fa07c79b6d32d7d4e392d4c3bdafc5494b26",
},
];
for test in &tests {
assert_eq!(
KeyId::try_from(&test.input).expect("invalid KeyId"),
KeyId::from(&test.input),
test.expected_key_id(),
"Parameterized test {:?} failed",
&test
Expand Down
12 changes: 2 additions & 10 deletions rs/crypto/internal/crypto_service_provider/src/vault/local_csp_vault/idkg/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -765,13 +765,7 @@ fn generate_idkg_key_material_from_seed(
) -> Result<(MEGaPublicKey, CspSecretKey, KeyId), CspCreateMEGaKeyError> {
let (public_key, private_key) = gen_keypair(EccCurveType::K256, seed);

let key_id =
KeyId::try_from(&public_key).map_err(|e| CspCreateMEGaKeyError::InternalError {
internal_error: format!(
"Failed to create key ID from MEGa public key {:?}: {e}",
&public_key
),
})?;
let key_id = KeyId::from(&public_key);
let csp_secret_key = CspSecretKey::MEGaEncryptionK256(MEGaKeySetK256Bytes {
public_key: MEGaPublicKeyK256Bytes::try_from(&public_key)
.map_err(CspCreateMEGaKeyError::SerializationError)?,
Expand Down Expand Up @@ -799,9 +793,7 @@ fn idkg_public_key_proto_to_key_id(
internal_error: format!("Error deserializing IDKG public key: {err:?}"),
})?;

KeyId::try_from(&mega_public_key).map_err(|error| IDkgRetainKeysError::InternalError {
internal_error: format!("Invalid key ID {error:?}"),
})
Ok(KeyId::from(&mega_public_key))
})
.collect()
}
Expand Down
27 changes: 10 additions & 17 deletions rs/crypto/internal/crypto_service_provider/src/vault/local_csp_vault/idkg/tests.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,8 +64,7 @@ mod idkg_gen_dealing_encryption_key_pair {
.expect("error retrieving public keys")
.idkg_dealing_encryption_public_key
.expect("missing I-DKG public key");
let key_id = KeyId::try_from(&generated_public_key)
.expect("valid key ID");
let key_id = KeyId::from(&generated_public_key);

prop_assert_eq!(generated_public_key.curve_type(), EccCurveType::K256);
prop_assert_eq!(idkg_dealing_encryption_pk_to_proto(generated_public_key), stored_public_key);
Expand Down Expand Up @@ -381,7 +380,7 @@ mod idkg_retain_active_keys {
);
assert!(
vault
.sks_contains(KeyId::try_from(&public_key).expect("invalid key ID"))
.sks_contains(KeyId::from(&public_key))
.expect("error reading SKS")
);
}
Expand Down Expand Up @@ -434,7 +433,7 @@ mod idkg_retain_active_keys {
.expect("error retaining active IDKG keys");

for (i, public_key) in rotated_public_keys.iter().enumerate() {
let key_id = KeyId::try_from(public_key).expect("invalid key id");
let key_id = KeyId::from(public_key);
if i < oldest_public_key_index {
assert!(!vault.sks_contains(key_id).expect("error reading SKS"));
} else {
Expand Down Expand Up @@ -1328,9 +1327,7 @@ mod idkg_load_transcript {
let pk = vault
.idkg_gen_dealing_encryption_key_pair()
.expect("failed to generate key pair");
let key_id = self.key_id.unwrap_or_else(|| {
KeyId::try_from(&pk).expect("failed to generate the key id for the MEGA pubkey")
});
let key_id = self.key_id.unwrap_or_else(|| KeyId::from(&pk));
let pk_proto = idkg_dealing_encryption_pk_to_proto(pk.clone());
let (dealing_bytes, internal_transcript) =
self.dealing_bytes_and_internal_transcript(pk_proto, &vault);
Expand Down Expand Up @@ -1714,9 +1711,7 @@ mod idkg_load_transcript_with_openings {
let pk = vault
.idkg_gen_dealing_encryption_key_pair()
.expect("failed to generate key pair");
let key_id = self.key_id.unwrap_or_else(|| {
KeyId::try_from(&pk).expect("failed to generate the key id for the MEGA pubkey")
});
let key_id = self.key_id.unwrap_or_else(|| KeyId::from(&pk));
let pk_proto = idkg_dealing_encryption_pk_to_proto(pk.clone());
let (dealing_bytes, internal_transcript) =
self.dealing_bytes_and_internal_transcript(pk_proto, &vault);
Expand Down Expand Up @@ -1995,11 +1990,10 @@ mod idkg_open_dealing {
.expect("failed to generate key pair");

let mut mnsks = MockSecretKeyStore::new();
mnsks.expect_get().times(1).return_once(move |_key_id| {
tmp_vault.sks_read_lock().get(
&KeyId::try_from(&pk).expect("failed to convert a public key to the KeyId"),
)
});
mnsks
.expect_get()
.times(1)
.return_once(move |_key_id| tmp_vault.sks_read_lock().get(&KeyId::from(&pk)));

Box::new(
LocalCspVault::builder_for_test()
Expand Down Expand Up @@ -2043,8 +2037,7 @@ mod idkg_open_dealing {
let pk = vault
.idkg_gen_dealing_encryption_key_pair()
.expect("failed to generate key pair");
let key_id =
KeyId::try_from(&pk).expect("failed to generate the key id for the MEGA pubkey");
let key_id = KeyId::from(&pk);
let pk_proto = idkg_dealing_encryption_pk_to_proto(pk.clone());
let dealing_bytes = self.dealing_bytes(pk_proto, &vault);

Expand Down
7 changes: 1 addition & 6 deletions ...rnal/crypto_service_provider/src/vault/local_csp_vault/public_and_secret_key_store/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -230,12 +230,7 @@ fn compute_idkg_dealing_encryption_key_id(
}
})?;

let key_id = KeyId::try_from(&idkg_dealing_encryption_pk).map_err(|error| {
ExternalPublicKeyError(Box::new(format!(
"Malformed public key: failed to derive key ID from MEGa public key: {error}"
)))
})?;
Ok(key_id)
Ok(KeyId::from(&idkg_dealing_encryption_pk))
}

fn compute_tls_certificate_key_id(
Expand Down
3 changes: 1 addition & 2 deletions ...al/crypto_service_provider/src/vault/local_csp_vault/public_and_secret_key_store/tests.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1512,8 +1512,7 @@ mod validate_pks_and_sks {
}

fn idkg_dealing_encryption_key_id_from(idkg_pk: &PublicKey) -> KeyId {
KeyId::try_from(&mega_public_key_from_proto(idkg_pk).expect("invalid public key"))
.expect("invalid public key")
KeyId::from(&mega_public_key_from_proto(idkg_pk).expect("invalid public key"))
}

fn invalid_public_key() -> PublicKey {
Expand Down
2 changes: 1 addition & 1 deletion rs/crypto/internal/crypto_service_provider/src/vault/test_utils/idkg.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ pub fn should_generate_and_store_dealing_encryption_key_pair_multiple_times(
.expect("missing IDKG public key"),
idkg_dealing_encryption_pk_to_proto(public_key.clone())
);
let key_id = KeyId::try_from(&public_key).expect("invalid key ID");
let key_id = KeyId::from(&public_key);
assert!(csp_vault.sks_contains(key_id).expect("error reading SKS"));

assert!(key_ids.insert(key_id));
Expand Down
5 changes: 3 additions & 2 deletions rs/crypto/src/sign/canister_threshold_sig/idkg/dealing.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,10 @@
use crate::sign::basic_sig::{self, BasicSigVerifierInternal};
use crate::sign::canister_threshold_sig::idkg::utils::{
MegaKeyFromRegistryError, fetch_idkg_dealing_encryption_public_key_from_registry,
key_id_from_mega_public_key_or_panic, retrieve_mega_public_key_from_registry,
retrieve_mega_public_key_from_registry,
};
use ic_crypto_internal_csp::api::CspSigner;
use ic_crypto_internal_csp::key_id::KeyId;
use ic_crypto_internal_csp::vault::api::{
BasicSignatureCspVault, CspVault, IDkgCreateDealingVaultError, IDkgDealingInternalBytes,
IDkgTranscriptOperationInternalBytes,
Expand Down Expand Up @@ -129,7 +130,7 @@ pub fn verify_dealing_private(
IDkgDealingInternalBytes::from(signed_dealing.idkg_dealing().dealing_to_bytes()),
dealer_index,
self_receiver_index,
key_id_from_mega_public_key_or_panic(&self_mega_pubkey),
KeyId::from(&self_mega_pubkey),
params.context_data(),
)
}
Expand Down
9 changes: 5 additions & 4 deletions rs/crypto/src/sign/canister_threshold_sig/idkg/transcript.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,10 @@ use crate::sign::basic_sig::BasicSigVerifierInternal;
use crate::sign::canister_threshold_sig::idkg::complaint::verify_complaint;
use crate::sign::canister_threshold_sig::idkg::utils::{
index_and_batch_signed_dealing_of_dealer, index_and_dealing_of_dealer,
key_id_from_mega_public_key_or_panic, retrieve_mega_public_key_from_registry,
retrieve_mega_public_key_from_registry,
};
use ic_crypto_internal_csp::api::CspSigner;
use ic_crypto_internal_csp::key_id::KeyId;
use ic_crypto_internal_csp::vault::api::{
CspVault, IDkgDealingInternalBytes, IDkgTranscriptInternalBytes,
};
Expand Down Expand Up @@ -180,7 +181,7 @@ pub fn load_transcript(
internal_dealings_bytes,
transcript.context_data(),
self_index,
key_id_from_mega_public_key_or_panic(&self_mega_pubkey),
KeyId::from(&self_mega_pubkey),
IDkgTranscriptInternalBytes::from(transcript.transcript_to_bytes()),
)?;
let complaints = complaints_from_internal_complaints(&internal_complaints, transcript)?;
Expand Down Expand Up @@ -246,7 +247,7 @@ pub fn load_transcript_with_openings(
internal_openings,
transcript.context_data(),
self_index,
key_id_from_mega_public_key_or_panic(&self_mega_pubkey),
KeyId::from(&self_mega_pubkey),
IDkgTranscriptInternalBytes::from(transcript.transcript_to_bytes()),
)
}
Expand Down Expand Up @@ -292,7 +293,7 @@ pub fn open_transcript(
dealer_index,
context_data,
opener_index,
key_id_from_mega_public_key_or_panic(&opener_public_key),
KeyId::from(&opener_public_key),
)?;
let internal_opening_raw =
internal_opening
Expand Down
5 changes: 0 additions & 5 deletions rs/crypto/src/sign/canister_threshold_sig/idkg/utils.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,6 @@
mod errors;
pub use errors::*;

use ic_crypto_internal_csp::key_id::KeyId;
use ic_crypto_internal_csp::keygen::utils::{
MEGaPublicKeyFromProtoError, mega_public_key_from_proto,
};
Expand All @@ -22,10 +21,6 @@ use std::convert::TryFrom;
#[cfg(test)]
mod tests;

pub fn key_id_from_mega_public_key_or_panic(public_key: &MEGaPublicKey) -> KeyId {
KeyId::try_from(public_key).unwrap_or_else(|err| panic!("{}", err))
}

/// Query the registry for the MEGa public key of `node_id` receiver.
pub fn retrieve_mega_public_key_from_registry(
node_id: &NodeId,
Expand Down
Loading