STR-728: Key Derivation Crate (#520)

* feat: add key-derivation crate

Signed-off-by: Jose Storopoli <[email protected]>

* chore(CODEOWNERS): add key-derivation

Signed-off-by: Jose Storopoli <[email protected]>

* feat: operator xprivs

Signed-off-by: Jose Storopoli <[email protected]>

* errors: better imports and impls

Signed-off-by: Jose Storopoli <[email protected]>

* operator: add master Xpriv

Signed-off-by: Jose Storopoli <[email protected]>

* chore: move away from miniscript

Signed-off-by: Jose Storopoli <[email protected]>

* test: right addresses

Signed-off-by: Jose Storopoli <[email protected]>

* fix: operator derivation path naming

Signed-off-by: Jose Storopoli <[email protected]>

* test: signatures are OK

Signed-off-by: Jose Storopoli <[email protected]>

* chore: move zeroize to workspace

Signed-off-by: Jose Storopoli <[email protected]>

* operator: zeroize impls for OperatorKeys

Signed-off-by: Jose Storopoli <[email protected]>

* fmt: sequencer

Signed-off-by: Jose Storopoli <[email protected]>

* fix: feature-gate on default the imports

Signed-off-by: Jose Storopoli <[email protected]>

* bridge-client: refactor to use key-derivation

Signed-off-by: Jose Storopoli <[email protected]>

* fix: don't need zeroize derive feature

Signed-off-by: Jose Storopoli <[email protected]>

* operator: fix derivation paths

Signed-off-by: Jose Storopoli <[email protected]>

* feat(bridge-client): parse xpriv from env or path

Signed-off-by: Jose Storopoli <[email protected]>

* chore: add secp256k1

Signed-off-by: Jose Storopoli <[email protected]>

* sequencer: SequencerKeys

Signed-off-by: Jose Storopoli <[email protected]>

* strata-client: use key-derivation crate

Signed-off-by: Jose Storopoli <[email protected]>

* fix: use &Xpriv instead of owned in OperatorKeys

* feat: really zeroize stuff

* refactor(datatool): modularization

* Look at me I’m the compiler now!

* key-derivation: Sequencer and Operator PubKeys

* datatool: refactor to use key-derivation crate

* doc: rugpulled by copy-pasta

* fix(key-derivation): deriving xpubs

* fix: tests

* doc(datatool): add a warning and description.

* fix: proper zeroizing of `as_mut`

* chore(deps): remove `derive` from zeroize

* chore: move constants to primitives

* chore: fix CODEOWNERS diff

* OH GOD DON’T AUTOFORMAT!

* chore(deps): add back `derive` for `zeroize`

* fix: rename genseed to genxpriv

* chore: fix formatting

* fix(datatool): clarifications on resolve Xpriv

* fix(datatool): MIB Flash tool on Xprivs

* fix(datatool): remove blacklist

* doc: clarifications on RNG for Xpriv generation

* doc: clarify abbreviated amounts

* doc: clarify high entropy on `OsRng`

* chore: move ZeroizableXpriv to primitives

* primitives: add Zeroize for Buf32 and Buf20

* doc: fixes

* chore: clippy lints

* strata-cli: zeroize Xpriv and String

* strata-client: zeroize Buf32 and Xprivs

* doc(primitives): fix examples

* doc(primitives): fix again

* chore: fix lints

* primitives: Zeroize Buf64

* chore: rebased on main

* bridge-client: don’t use a buffer

* bridge-client: zeroize again the buffer and the xpriv

* datatool: MIB Zeroize all possible secrets

* doc(bridge-client): clarify precedence order

* doc(datatool): clarify precedence order

* doc(primitives): fix Buf64 examples

* fix(datatool): zeroize secret data even if stuff fails

---------

Signed-off-by: Jose Storopoli <[email protected]>

.github/CODEOWNERS

@@ -23,6 +23,7 @@ tests/                 @alpenlabs/rust @alpenlabs/ci
 /crates/db/          @alpenlabs/database
 /crates/eectl/       @alpenlabs/evm
 /crates/evm*/        @alpenlabs/evm
+/crates/key-derivation/ @alpenlabs/crypto @alpenlabs/rust
 /crates/primitives/  @alpenlabs/crypto @alpenlabs/rust
 /crates/crypto/      @alpenlabs/crypto @alpenlabs/rust
 /crates/proof*/      @alpenlabs/prover

Cargo.toml

@@ -12,6 +12,7 @@ members = [
   "crates/db",
   "crates/eectl",
   "crates/evmexec",
+  "crates/key-derivation",
   "crates/primitives",
   "crates/zkvm/adapters/risc0",
   "crates/zkvm/adapters/sp1",
@@ -84,6 +85,7 @@ strata-crypto = { path = "crates/crypto", default-features = false }
 strata-db = { path = "crates/db" }
 strata-eectl = { path = "crates/eectl" }
 strata-evmexec = { path = "crates/evmexec" }
+strata-key-derivation = { path = "crates/key-derivation" }
 strata-mmr = { path = "crates/util/mmr" }
 strata-native-zkvm-adapter = { path = "crates/zkvm/adapters/native" }
 strata-primitives = { path = "crates/primitives" }
@@ -238,6 +240,7 @@ tracing = "0.1"
 tracing-opentelemetry = "0.27"
 tracing-subscriber = { version = "0.3.18", features = ["env-filter"] }
 uuid = { version = "1.0", features = ["v4", "serde"] }
+zeroize = { version = "1.8.1", features = ["derive"] }
 
 # This is needed for custom build of SP1
 [profile.release.build-override]

bin/bridge-client/Cargo.toml

@@ -19,6 +19,7 @@ strata-bridge-sig-manager.workspace = true
 strata-bridge-tx-builder.workspace = true
 strata-btcio.workspace = true
 strata-common.workspace = true
+strata-key-derivation.workspace = true
 strata-primitives.workspace = true
 strata-rocksdb.workspace = true
 strata-rpc-api = { workspace = true, features = ["client"] }
@@ -33,12 +34,9 @@ bitcoin.workspace = true
 chrono.workspace = true
 directories = "5.0.1"
 jsonrpsee.workspace = true
-miniscript.workspace = true
 rockbound.workspace = true
 thiserror.workspace = true
 threadpool.workspace = true
 tokio.workspace = true
 tracing.workspace = true
-
-[dev-dependencies]
-corepc-node = { version = "0.4.0", features = ["28_0"] }
+zeroize.workspace = true

bin/bridge-client/src/args.rs

@@ -23,9 +23,15 @@ pub(crate) struct Cli {
 
     #[argh(
         option,
-        description = "xpriv to be loaded into the bitcoin wallet using the RPC client (default: envvar STRATA_OP_ROOT_XPRIV)"
+        description = "xpriv to be used as the master operator's key (default: envvar STRATA_OP_MASTER_XPRIV)"
     )]
-    pub root_xpriv: Option<String>,
+    pub master_xpriv: Option<String>,
+
+    #[argh(
+        option,
+        description = "path to the file containing the master operator's xpriv (don't use with --master-xpriv or the envvar STRATA_OP_MASTER_XPRIV)"
+    )]
+    pub master_xpriv_path: Option<String>,
 
     #[argh(
         option,

bin/bridge-client/src/main.rs

@@ -6,10 +6,10 @@
 mod args;
 pub(crate) mod constants;
 pub(crate) mod db;
-mod descriptor;
 mod errors;
 mod modes;
 pub(crate) mod rpc_server;
+pub(crate) mod xpriv;
 
 use args::{Cli, OperationMode};
 use modes::{challenger, operator};

bin/bridge-client/src/modes/operator/bootstrap.rs

@@ -29,15 +29,15 @@ use crate::{
     args::Cli,
     constants::{DEFAULT_RPC_HOST, DEFAULT_RPC_PORT, ROCKSDB_RETRY_COUNT},
     db::open_rocksdb_database,
-    descriptor::{derive_op_purpose_xprivs, resolve_xpriv},
     rpc_server::{self, BridgeRpc},
+    xpriv::resolve_xpriv,
 };
 
 /// Bootstraps the bridge client in Operator mode by hooking up all the required auxiliary services
 /// including database, rpc server, etc. Logging needs to be initialized at the call
 /// site (main function) itself.
 pub(crate) async fn bootstrap(args: Cli) -> anyhow::Result<()> {
-    // Parse the data_dir
+    // Parse dirs
     let data_dir = args.datadir.map(PathBuf::from);
 
     // Initialize a rocksdb instance with the required column families.
@@ -68,8 +68,8 @@ pub(crate) async fn bootstrap(args: Cli) -> anyhow::Result<()> {
         .expect("failed to connect to the rollup RPC server");
 
     // Get the keypair after deriving the wallet xpriv.
-    let root_xpriv = resolve_xpriv(args.root_xpriv)?;
-    let (_, wallet_xpriv) = derive_op_purpose_xprivs(&root_xpriv)?;
+    let operator_keys = resolve_xpriv(args.master_xpriv, args.master_xpriv_path)?;
+    let wallet_xpriv = operator_keys.wallet_xpriv();
 
     let mut keypair = wallet_xpriv.to_keypair(SECP256K1);
     let mut sk = SecretKey::from_keypair(&keypair);