feat: BLS Key Separation and ERC2335 Implementation

CHANGELOG.md

@@ -39,6 +39,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 
 ### Improvements
 
+- [#396](https://github.com/babylonlabs-io/babylon/pull/396) BLS Key Separation and ERC2335 Implementation
 - [#391](https://github.com/babylonlabs-io/babylon/pull/391) Fix e2e `TestBTCRewardsDistribution` flunky
 check of rewards
 

app/signer/private.go

@@ -1,12 +1,12 @@
 package signer
 
 import (
-	"path/filepath"
+	"fmt"
 
 	cmtconfig "github.com/cometbft/cometbft/config"
-	cmtos "github.com/cometbft/cometbft/libs/os"
 
 	"github.com/babylonlabs-io/babylon/privval"
+	cmtprivval "github.com/cometbft/cometbft/privval"
 )
 
 type PrivSigner struct {
@@ -15,17 +15,27 @@ type PrivSigner struct {
 
 func InitPrivSigner(nodeDir string) (*PrivSigner, error) {
 	nodeCfg := cmtconfig.DefaultConfig()
-	pvKeyFile := filepath.Join(nodeDir, nodeCfg.PrivValidatorKeyFile())
-	err := cmtos.EnsureDir(filepath.Dir(pvKeyFile), 0777)
-	if err != nil {
-		return nil, err
+	nodeCfg.SetRoot(nodeDir)
+
+	pvKeyFile := nodeCfg.PrivValidatorKeyFile()
+	pvStateFile := nodeCfg.PrivValidatorStateFile()
+	blsKeyFile := privval.DefaultBlsKeyFile(nodeDir)
+	blsPasswordFile := privval.DefaultBlsPasswordFile(nodeDir)
+
+	if err := privval.EnsureDirs(pvKeyFile, pvStateFile, blsKeyFile, blsPasswordFile); err != nil {
+		return nil, fmt.Errorf("failed to ensure dirs: %w", err)
 	}
-	pvStateFile := filepath.Join(nodeDir, nodeCfg.PrivValidatorStateFile())
-	err = cmtos.EnsureDir(filepath.Dir(pvStateFile), 0777)
-	if err != nil {
-		return nil, err
+
+	cometPV := cmtprivval.LoadFilePV(pvKeyFile, pvStateFile)
+	blsPV := privval.LoadBlsPV(blsKeyFile, blsPasswordFile)
+
+	wrappedPV := &privval.WrappedFilePV{
+		Key: privval.WrappedFilePVKey{
+			CometPVKey: cometPV.Key,
+			BlsPVKey:   blsPV.Key,
+		},
+		LastSignState: cometPV.LastSignState,
 	}
-	wrappedPV := privval.LoadOrGenWrappedFilePV(pvKeyFile, pvStateFile)
 
 	return &PrivSigner{
 		WrappedPV: wrappedPV,

app/test_helpers.go

@@ -239,14 +239,14 @@ func SetupWithBitcoinConf(t *testing.T, isCheckTx bool, btcConf bbn.SupportedBtc
 
 	ps, err := signer.SetupTestPrivSigner()
 	require.NoError(t, err)
-	valPubKey := ps.WrappedPV.Key.PubKey
+	valPubKey := ps.WrappedPV.Key.CometPVKey.PubKey
 	// generate genesis account
 	acc := authtypes.NewBaseAccount(valPubKey.Address().Bytes(), &cosmosed.PubKey{Key: valPubKey.Bytes()}, 0, 0)
 	balance := banktypes.Balance{
 		Address: acc.GetAddress().String(),
 		Coins:   sdk.NewCoins(sdk.NewCoin(appparams.DefaultBondDenom, math.NewInt(100000000000000))),
 	}
-	ps.WrappedPV.Key.DelegatorAddress = acc.GetAddress().String()
+	ps.WrappedPV.Key.BlsPVKey.DelegatorAddress = acc.GetAddress().String()
 	// create validator set with single validator
 	genesisKey, err := signer.GenesisKeyFromPrivSigner(ps)
 	require.NoError(t, err)

cmd/babylond/cmd/create_bls_key.go

@@ -1,23 +1,22 @@
 package cmd
 
 import (
-	"errors"
 	"fmt"
-	"path/filepath"
 	"strings"
 
-	cmtconfig "github.com/cometbft/cometbft/config"
-	cmtos "github.com/cometbft/cometbft/libs/os"
 	"github.com/cosmos/cosmos-sdk/client/flags"
 	sdk "github.com/cosmos/cosmos-sdk/types"
 	"github.com/spf13/cobra"
 
 	"github.com/babylonlabs-io/babylon/app"
 	appparams "github.com/babylonlabs-io/babylon/app/params"
-	"github.com/babylonlabs-io/babylon/crypto/bls12381"
 	"github.com/babylonlabs-io/babylon/privval"
 )
 
+const (
+	FlagPassword = "bls-password"
+)
+
 func CreateBlsKeyCmd() *cobra.Command {
 	bech32PrefixAccAddr := appparams.Bech32PrefixAccAddr
 
@@ -47,38 +46,26 @@ $ babylond create-bls-key %s1f5tnl46mk4dfp4nx3n2vnrvyw2h2ydz6ykhk3r --home ./
 				return err
 			}
 
-			return CreateBlsKey(homeDir, addr)
+			var password string
+			password, _ = cmd.Flags().GetString(FlagPassword)
+			if password == "" {
+				password = privval.NewBlsPassword()
+			}
+			return CreateBlsKey(homeDir, password, addr)
 		},
 	}
 
 	cmd.Flags().String(flags.FlagHome, app.DefaultNodeHome, "The node home directory")
-
+	cmd.Flags().String(FlagPassword, "", "The password for the BLS key. If a flag is set, the non-empty password should be provided. If a flag is not set, the password will be read from the prompt.")
 	return cmd
 }
 
-func CreateBlsKey(home string, addr sdk.AccAddress) error {
-	nodeCfg := cmtconfig.DefaultConfig()
-	keyPath := filepath.Join(home, nodeCfg.PrivValidatorKeyFile())
-	statePath := filepath.Join(home, nodeCfg.PrivValidatorStateFile())
-
-	pv, err := LoadWrappedFilePV(keyPath, statePath)
-	if err != nil {
-		return err
-	}
-
-	wrappedPV := privval.NewWrappedFilePV(pv.GetValPrivKey(), bls12381.GenPrivKey(), keyPath, statePath)
-	wrappedPV.SetAccAddress(addr)
-
+func CreateBlsKey(home, password string, addr sdk.AccAddress) error {
+	privval.GenBlsPV(
+		privval.DefaultBlsKeyFile(home),
+		privval.DefaultBlsPasswordFile(home),
+		password,
+		addr.String(),
+	)
 	return nil
 }
-
-// LoadWrappedFilePV loads the wrapped file private key from the file path.
-func LoadWrappedFilePV(keyPath, statePath string) (*privval.WrappedFilePV, error) {
-	if !cmtos.FileExists(keyPath) {
-		return nil, errors.New("validator key file does not exist")
-	}
-	if !cmtos.FileExists(statePath) {
-		return nil, errors.New("validator state file does not exist")
-	}
-	return privval.LoadWrappedFilePV(keyPath, statePath), nil
-}

cmd/babylond/cmd/genhelpers/bls_add_test.go

@@ -3,6 +3,7 @@ package genhelpers_test
 import (
 	"context"
 	"fmt"
+	"os"
 	"path/filepath"
 	"testing"
 
@@ -20,6 +21,7 @@ import (
 	cmtconfig "github.com/cometbft/cometbft/config"
 	tmjson "github.com/cometbft/cometbft/libs/json"
 	"github.com/cometbft/cometbft/libs/tempfile"
+	cmtprivval "github.com/cometbft/cometbft/privval"
 	"github.com/cosmos/cosmos-sdk/client"
 	"github.com/cosmos/cosmos-sdk/client/flags"
 	"github.com/cosmos/cosmos-sdk/server"
@@ -147,13 +149,24 @@ func Test_CmdAddBlsWithGentx(t *testing.T) {
 		v := testNetwork.Validators[i]
 		// build and create genesis BLS key
 		genBlsCmd := genhelpers.CmdCreateBls()
-		nodeCfg := cmtconfig.DefaultConfig()
 		homeDir := filepath.Join(v.Dir, "simd")
+
+		nodeCfg := cmtconfig.DefaultConfig()
 		nodeCfg.SetRoot(homeDir)
+
 		keyPath := nodeCfg.PrivValidatorKeyFile()
 		statePath := nodeCfg.PrivValidatorStateFile()
-		filePV := privval.GenWrappedFilePV(keyPath, statePath)
-		filePV.SetAccAddress(v.Address)
+		blsKeyFile := privval.DefaultBlsKeyFile(homeDir)
+		blsPasswordFile := privval.DefaultBlsPasswordFile(homeDir)
+
+		err := privval.EnsureDirs(keyPath, statePath, blsKeyFile, blsPasswordFile)
+		require.NoError(t, err)
+
+		filePV := cmtprivval.GenFilePV(keyPath, statePath)
+		filePV.Key.Save()
+		filePV.LastSignState.Save()
+		privval.GenBlsPV(blsKeyFile, blsPasswordFile, "password", v.Address.String())
+
 		_, err = cli.ExecTestCLICmd(v.ClientCtx, genBlsCmd, []string{fmt.Sprintf("--%s=%s", flags.FlagHome, homeDir)})
 		require.NoError(t, err)
 		genKeyFileName := filepath.Join(filepath.Dir(keyPath), fmt.Sprintf("gen-bls-%s.json", v.ValAddress))
@@ -175,6 +188,13 @@ func Test_CmdAddBlsWithGentx(t *testing.T) {
 		require.NotEmpty(t, checkpointingGenState.GenesisKeys)
 		gks := checkpointingGenState.GetGenesisKeys()
 		require.Equal(t, genKey, gks[i])
-		filePV.Clean(keyPath, statePath)
+		Clean(keyPath, statePath, blsKeyFile, blsPasswordFile)
+	}
+}
+
+// Clean removes PVKey file and PVState file
+func Clean(paths ...string) {
+	for _, path := range paths {
+		_ = os.RemoveAll(filepath.Dir(path))
 	}
 }

cmd/babylond/cmd/genhelpers/bls_create.go

@@ -1,7 +1,7 @@
 package genhelpers
 
 import (
-	"errors"
+	"fmt"
 	"path/filepath"
 	"strings"
 
@@ -12,6 +12,7 @@ import (
 
 	"github.com/babylonlabs-io/babylon/app"
 	"github.com/babylonlabs-io/babylon/privval"
+	cmtprivval "github.com/cometbft/cometbft/privval"
 )
 
 // CmdCreateBls CLI command to create BLS file with proof of possession.
@@ -35,15 +36,35 @@ $ babylond genbls --home ./
 			homeDir, _ := cmd.Flags().GetString(flags.FlagHome)
 
 			nodeCfg := cmtconfig.DefaultConfig()
-			keyPath := filepath.Join(homeDir, nodeCfg.PrivValidatorKeyFile())
-			statePath := filepath.Join(homeDir, nodeCfg.PrivValidatorStateFile())
-			if !cmtos.FileExists(keyPath) {
-				return errors.New("validator key file does not exist")
+			nodeCfg.SetRoot(homeDir)
+			cmtPvKeyFile := nodeCfg.PrivValidatorKeyFile()
+			cmtPvStateFile := nodeCfg.PrivValidatorStateFile()
+			blsKeyFile := privval.DefaultBlsKeyFile(homeDir)
+			blsPasswordFile := privval.DefaultBlsPasswordFile(homeDir)
+
+			if err := func(paths ...string) error {
+				for _, path := range paths {
+					if !cmtos.FileExists(path) {
+						return fmt.Errorf("file does not exist in %s", path)
+					}
+				}
+				return nil
+			}(cmtPvKeyFile, cmtPvStateFile, blsKeyFile, blsPasswordFile); err != nil {
+				return err
 			}
 
-			wrappedPV := privval.LoadWrappedFilePV(keyPath, statePath)
+			cmtPV := cmtprivval.LoadFilePV(cmtPvKeyFile, cmtPvStateFile)
+			blsPV := privval.LoadBlsPV(blsKeyFile, blsPasswordFile)
+
+			wrappedPV := &privval.WrappedFilePV{
+				Key: privval.WrappedFilePVKey{
+					CometPVKey: cmtPV.Key,
+					BlsPVKey:   blsPV.Key,
+				},
+				LastSignState: cmtPV.LastSignState,
+			}
 
-			outputFileName, err := wrappedPV.ExportGenBls(filepath.Dir(keyPath))
+			outputFileName, err := wrappedPV.ExportGenBls(filepath.Dir(cmtPvKeyFile))
 			if err != nil {
 				return err
 			}

cmd/babylond/cmd/genhelpers/bls_create_test.go

@@ -27,6 +27,7 @@ import (
 	"github.com/babylonlabs-io/babylon/privval"
 	"github.com/babylonlabs-io/babylon/testutil/signer"
 	"github.com/babylonlabs-io/babylon/x/checkpointing/types"
+	cmtprivval "github.com/cometbft/cometbft/privval"
 )
 
 func Test_CmdCreateBls(t *testing.T) {
@@ -70,21 +71,33 @@ func Test_CmdCreateBls(t *testing.T) {
 
 	// create BLS keys
 	nodeCfg := cmtconfig.DefaultConfig()
-	keyPath := filepath.Join(home, nodeCfg.PrivValidatorKeyFile())
-	statePath := filepath.Join(home, nodeCfg.PrivValidatorStateFile())
-	filePV := privval.GenWrappedFilePV(keyPath, statePath)
-	defer filePV.Clean(keyPath, statePath)
-	filePV.SetAccAddress(addr)
+	nodeCfg.SetRoot(home)
+
+	keyPath := nodeCfg.PrivValidatorKeyFile()
+	statePath := nodeCfg.PrivValidatorStateFile()
+	blsKeyFile := privval.DefaultBlsKeyFile(home)
+	blsPasswordFile := privval.DefaultBlsPasswordFile(home)
+
+	err = privval.EnsureDirs(keyPath, statePath, blsKeyFile, blsPasswordFile)
+	require.NoError(t, err)
+
+	filePV := cmtprivval.GenFilePV(keyPath, statePath)
+	filePV.Key.Save()
+
+	blsPV := privval.GenBlsPV(blsKeyFile, blsPasswordFile, "password", addr.String())
+	defer Clean(keyPath, statePath, blsKeyFile, blsPasswordFile)
 
 	// execute the gen-bls cmd
 	err = genBlsCmd.ExecuteContext(ctx)
 	require.NoError(t, err)
 	outputFilePath := filepath.Join(filepath.Dir(keyPath), fmt.Sprintf("gen-bls-%s.json", sdk.ValAddress(addr).String()))
 	require.NoError(t, err)
 	genKey, err := types.LoadGenesisKeyFromFile(outputFilePath)
+
 	require.NoError(t, err)
 	require.Equal(t, sdk.ValAddress(addr).String(), genKey.ValidatorAddress)
-	require.True(t, filePV.Key.BlsPubKey.Equal(*genKey.BlsKey.Pubkey))
 	require.Equal(t, filePV.Key.PubKey.Bytes(), genKey.ValPubkey.Bytes())
+	require.True(t, blsPV.Key.PubKey.Equal(*genKey.BlsKey.Pubkey))
+
 	require.True(t, genKey.BlsKey.Pop.IsValid(*genKey.BlsKey.Pubkey, genKey.ValPubkey))
 }

crypto/erc2335/erc2335.go

@@ -0,0 +1,62 @@
+package erc2335
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+
+	keystorev4 "github.com/wealdtech/go-eth2-wallet-encryptor-keystorev4"
+)
+
+// Erc2335KeyStore represents an ERC-2335 compatible keystore used in keystorev4.
+type Erc2335KeyStore struct {
+	Crypto      map[string]interface{} `json:"crypto"`      // Map containing the encryption details for the keystore such as checksum, cipher, and kdf.
+	Version     uint                   `json:"version"`     // Version of the keystore format (e.g., 4 for keystorev4).
+	UUID        string                 `json:"uuid"`        // Unique identifier for the keystore.
+	Path        string                 `json:"path"`        // File path where the keystore is stored.
+	Pubkey      string                 `json:"pubkey"`      // Public key associated with the keystore, stored as a hexadecimal string.
+	Description string                 `json:"description"` // Optional description of the keystore, currently used to store the delegator address.
+}
+
+// Encrypt encrypts the private key using the keystorev4 encryptor.
+func Encrypt(privKey, pubKey []byte, password string) ([]byte, error) {
+	if privKey == nil {
+		return nil, fmt.Errorf("private key cannot be nil")
+	}
+
+	encryptor := keystorev4.New()
+	cryptoFields, err := encryptor.Encrypt(privKey, password)
+	if err != nil {
+		return nil, fmt.Errorf("failed to encrypt private key: %w", err)
+	}
+
+	keystoreJSON := Erc2335KeyStore{
+		Crypto:  cryptoFields,
+		Version: 4,
+		Pubkey:  fmt.Sprintf("%x", pubKey),
+	}
+
+	return json.Marshal(keystoreJSON)
+}
+
+// Decrypt decrypts the private key from the keystore using the given password.
+func Decrypt(keystore Erc2335KeyStore, password string) ([]byte, error) {
+	encryptor := keystorev4.New()
+	return encryptor.Decrypt(keystore.Crypto, password)
+}
+
+// LoadKeyStore loads a keystore from a file.
+func LoadKeyStore(filePath string) (Erc2335KeyStore, error) {
+	var keystore Erc2335KeyStore
+
+	keyJSONBytes, err := os.ReadFile(filePath)
+	if err != nil {
+		return Erc2335KeyStore{}, fmt.Errorf("failed to read keystore file: %w", err)
+	}
+
+	if err := json.Unmarshal(keyJSONBytes, &keystore); err != nil {
+		return Erc2335KeyStore{}, fmt.Errorf("failed to unmarshal keystore: %w", err)
+	}
+
+	return keystore, nil
+}