feat: add support for direct EdDSA signing key input

SwissBorg · Oct 1, 2024 · 7c9a20e · 7c9a20e
1 parent 9e275e1
commit 7c9a20e
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 4 deletions.
diff --git a/.sample.env b/.sample.env
@@ -1,2 +1,3 @@
 CONFIG_PATH=config/dev.yaml
-PRIVATE_KEY=key
+PRIVATE_KEY=key
+SIGNING_KEY=another-key
diff --git a/cmd/api/main.go b/cmd/api/main.go
@@ -3,7 +3,6 @@ package main
 import (
 	"context"
 	"errors"
-	"gopkg.in/yaml.v3"
 	"io/fs"
 	"net/http"
 	"os"
@@ -13,6 +12,7 @@ import (
 	"github.com/dgraph-io/badger/v4"
 	"github.com/joho/godotenv"
 	log "github.com/sirupsen/logrus"
+	"gopkg.in/yaml.v3"
 
 	"github.com/swissborg/galactica-kyc-guardian/config"
 	"github.com/swissborg/galactica-kyc-guardian/internal/api"
@@ -39,6 +39,7 @@ func main() {
 
 	configPath := os.Getenv("CONFIG_PATH")
 	privKey := os.Getenv("PRIVATE_KEY")
+	signingKey := os.Getenv("SIGNING_KEY")
 
 	yamlFile, err := os.ReadFile(configPath)
 	if err != nil {
@@ -57,6 +58,7 @@ func main() {
 		cfg.Node,
 		cfg.MerkleProofService.URL,
 		cfg.MerkleProofService.TLS,
+		signingKey,
 	)
 	if err != nil {
 		log.Fatalf("failed to create cert generator %v", err)

diff --git a/internal/zkcert/generator.go b/internal/zkcert/generator.go
@@ -43,6 +43,7 @@ func NewService(
 	rpcURL string,
 	merkleProofURL string,
 	merkleProofTLS bool,
+	certSigningKey string,
 ) (*Service, error) {
 	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
 	defer cancel()
@@ -67,7 +68,7 @@ func NewService(
 		return nil, fmt.Errorf("prepare provider key: %w", err)
 	}
 
-	signingKey, err := inferSigningKeyFromEthereumPrivateKey(ethereumPrivateKey)
+	signingKey, err := prepareBabyJubSigningKey(certSigningKey, ethereumPrivateKey)
 	if err != nil {
 		return nil, fmt.Errorf("prepare signing key: %w", err)
 	}
@@ -352,7 +353,7 @@ func generateRandomSalt() (int64, error) {
 	return randomSalt, nil
 }
 
-func inferSigningKeyFromEthereumPrivateKey(ethereumPrivateKey string) (babyjub.PrivateKey, error) {
+func inferBabyJubSigningKeyFromEthereumPrivateKey(ethereumPrivateKey string) (babyjub.PrivateKey, error) {
 	privateKey := []byte(ethereumPrivateKey)
 	res := make([]byte, hex.DecodedLen(len(privateKey)))
 
@@ -367,3 +368,24 @@ func inferSigningKeyFromEthereumPrivateKey(ethereumPrivateKey string) (babyjub.P
 
 	return signingKey, nil
 }
+
+func prepareBabyJubSigningKey(certSigningKey string, ethereumPrivateKey string) (babyjub.PrivateKey, error) {
+	var signingKey babyjub.PrivateKey
+	if certSigningKey != "" {
+		keyBytes, err := hex.DecodeString(certSigningKey)
+		if err != nil {
+			return signingKey, fmt.Errorf("invalid hex string: %w", err)
+		}
+		if len(keyBytes) != 32 {
+			return signingKey, fmt.Errorf("invalid key length: expected 32 bytes, got %d", len(keyBytes))
+		}
+		copy(signingKey[:], keyBytes)
+	} else {
+		var err error
+		signingKey, err = inferBabyJubSigningKeyFromEthereumPrivateKey(ethereumPrivateKey)
+		if err != nil {
+			return signingKey, fmt.Errorf("inferring signing key: %w", err)
+		}
+	}
+	return signingKey, nil
+}