Rsa keygen

Cargo.toml

@@ -13,6 +13,7 @@ members = [
     "anchor/eth",
     "anchor/http_api",
     "anchor/http_metrics",
+    "anchor/keygen",
     "anchor/keysplit",
     "anchor/message_receiver",
     "anchor/message_sender",
@@ -39,6 +40,7 @@ database = { path = "anchor/database" }
 eth = { path = "anchor/eth" }
 http_api = { path = "anchor/http_api" }
 http_metrics = { path = "anchor/http_metrics" }
+keygen = { path = "anchor/keygen" }
 keysplit = { path = "anchor/keysplit" }
 message_receiver = { path = "anchor/message_receiver" }
 message_sender = { path = "anchor/message_sender" }

anchor/Cargo.toml

@@ -13,6 +13,7 @@ client = { workspace = true }
 dirs = { workspace = true }
 eth2_network_config = { workspace = true }
 futures = { workspace = true }
+keygen = { workspace = true }
 keysplit = { workspace = true }
 sensitive_url = { workspace = true }
 serde = { workspace = true }

anchor/client/Cargo.toml

@@ -22,6 +22,7 @@ fdlimit = "0.3"
 http_api = { workspace = true }
 http_metrics = { workspace = true }
 hyper = { workspace = true }
+keygen = { workspace = true }
 message_receiver = { workspace = true }
 message_sender = { workspace = true }
 message_validator = { workspace = true }

anchor/client/src/lib.rs

@@ -13,6 +13,7 @@ use config::Config;
 use database::{NetworkDatabase, WatchableNetworkState};
 use eth2::reqwest::{Certificate, ClientBuilder};
 use eth2::{BeaconNodeHttpClient, Timeouts};
+use keygen::{run_keygen, Keygen};
 use message_receiver::ManagerMessageReceiver;
 use message_sender::NetworkMessageSender;
 use message_validator::Validator;
@@ -27,7 +28,7 @@ use slashing_protection::SlashingDatabase;
 use slot_clock::{SlotClock, SystemTimeSlotClock};
 use ssv_types::OperatorId;
 use std::fs::File;
-use std::io::{ErrorKind, Read, Write};
+use std::io::{ErrorKind, Read};
 use std::net::SocketAddr;
 use std::path::Path;
 use std::sync::Arc;
@@ -759,15 +760,10 @@ fn read_or_generate_private_key(path: &Path) -> Result<Rsa<Private>, String> {
 
             info!(path = %path.as_os_str().to_string_lossy(), "Creating private key");
 
-            let mut file = File::create(path)
-                .map_err(|e| format!("Unable create private key file at {path:?}: {e:?}"))?;
-
-            let key = Rsa::generate(2048).map_err(|e| format!("Unable to generate key: {e:?}"))?;
-
-            file.write_all(&Zeroizing::new(
-                key.private_key_to_pem()
-                    .map_err(|e| format!("Unable serialize private key: {e:?}"))?,
-            ))
+            let key = run_keygen(Keygen {
+                output_path: Some(path.to_string_lossy().to_string()),
+                force: false,
+            })
             .map_err(|e| format!("Unable to write private key: {e:?}"))?;
 
             Ok(key)

anchor/keygen/Cargo.toml

@@ -0,0 +1,15 @@
+[package]
+name = "keygen"
+version = "0.1.0"
+edition = { workspace = true }
+authors = ["Sigma Prime <contact@sigmaprime.io>"]
+
+[dependencies]
+base64 = { workspace = true }
+clap = { workspace = true }
+openssl = { workspace = true }
+serde = { workspace = true }
+serde_json = { workspace = true }
+thiserror = { workspace = true }
+tracing = { workspace = true }
+zeroize = { workspace = true }

anchor/keygen/src/lib.rs

@@ -0,0 +1,116 @@
+use base64::prelude::*;
+use clap::Parser;
+use openssl::{error::ErrorStack, pkey::Private, rsa::Rsa};
+use serde::Serialize;
+use std::{fs, io, path::PathBuf, string::FromUtf8Error};
+use thiserror::Error;
+use tracing::info;
+use zeroize::{Zeroize, ZeroizeOnDrop, Zeroizing};
+
+#[derive(Error, Debug)]
+pub enum KeygenError {
+    #[error("Failed to generate new private key: {0}")]
+    Generate(#[source] ErrorStack),
+
+    #[error("Failed to convert key to PEM: {0}")]
+    Pem(#[source] ErrorStack),
+
+    #[error("Failed to write output: {0}")]
+    Output(#[from] io::Error),
+
+    #[error("Failed to convert to UTF8: {0}")]
+    Utf8(#[from] FromUtf8Error),
+
+    #[error("Failed to convert output data to JSON: {0}")]
+    Json(#[from] serde_json::Error),
+
+    #[error("{0}")]
+    Custom(String),
+}
+
+#[derive(Parser, Clone, Debug)]
+#[clap(name = "keygen", about = "RSA key generation tool")]
+pub struct Keygen {
+    #[clap(long, help = "Path to output keys to", value_name = "OUTPUT_PATH")]
+    pub output_path: Option<String>,
+
+    #[clap(
+        long,
+        help = "Force file overwrite",
+        value_name = "FORCE",
+        default_value = "false"
+    )]
+    pub force: bool,
+    // TODO: add prompt for password
+}
+
+#[derive(Debug, Serialize, Zeroize, ZeroizeOnDrop)]
+struct PrettyOutput {
+    #[zeroize(skip)]
+    public: String,
+    private: String,
+}
+// TODO: add encryption and get password functions
+
+// Run RSA keygeneration
+pub fn run_keygen(keygen: Keygen) -> Result<Rsa<Private>, KeygenError> {
+    // Generate the new rsa private key
+    let private_key = Rsa::generate(2048).map_err(KeygenError::Generate)?;
+
+    // Extract the PEM of the public and private keys
+    let private_pem = Zeroizing::new(private_key.private_key_to_pem().map_err(KeygenError::Pem)?);
+
+    let public_pem = private_key.public_key_to_pem().map_err(KeygenError::Pem)?;
+
+    let public_pem_string = String::from_utf8(public_pem)?;
+    // TODO: Fix RSA headers and implement legacy support
+    let public_pem = public_pem_string
+        .replace(
+            "-----BEGIN PUBLIC KEY-----",
+            "-----BEGIN RSA PUBLIC KEY-----",
+        )
+        .replace("-----END PUBLIC KEY-----", "-----END RSA PUBLIC KEY-----");
+
+    // Encode them to onchain format
+    let private_pem_encoded = Zeroizing::new(BASE64_STANDARD.encode(&private_pem));
+    let public_pem_encoded = BASE64_STANDARD.encode(&public_pem);
+
+    // Determine the output directory
+    let output_dir = if let Some(output_path) = keygen.output_path {
+        PathBuf::from(output_path)
+    } else {
+        PathBuf::from(".") // Current working directory
+    };
+
+    // Create output paths for both files
+    let pem_file = output_dir.join("key.pem");
+    let json_file = output_dir.join("keys.json");
+
+    // Create JSON data structure
+    let data = PrettyOutput {
+        public: public_pem_encoded,
+        private: private_pem_encoded.to_string(),
+    };
+
+    // Convert to pretty JSON
+    let pretty_json = Zeroizing::new(serde_json::to_string_pretty(&data)?);
+    // TODO: Encrypt and password protect the private key
+    if keygen.force || (!pem_file.exists() && !json_file.exists()) {
+        // Write the PEM file
+        fs::write(&pem_file, &private_pem)?;
+
+        info!("Private key written to: {}", pem_file.display());
+
+        // Write the JSON file
+        fs::write(&json_file, pretty_json)?;
+
+        info!("JSON keys written to: {}", json_file.display());
+    } else {
+        return Err(KeygenError::Custom(format!(
+            "PEM file or JSON file already exist in {}",
+            output_dir.display()
+        )));
+    }
+
+    Ok(private_key)
+}

anchor/keysplit/src/util.rs

@@ -27,7 +27,7 @@ where
     let serialized_key = key.public_key_to_pem().map_err(serde::ser::Error::custom)?;
 
     // Convert the decoded data to a string
-    let mut pem_string = String::from_utf8(serialized_key).unwrap();
+    let mut pem_string = String::from_utf8(serialized_key).map_err(serde::ser::Error::custom)?;
 
     // Fix the header - replace PKCS8 header with PKCS1 header
     pem_string = pem_string

anchor/src/main.rs

@@ -4,6 +4,7 @@ use tracing::{error, info};
 mod environment;
 use client::{config, Client, Node};
 use environment::Environment;
+use keygen::Keygen;
 use keysplit::Keysplit;
 use task_executor::ShutdownReason;
 use types::EthSpecId;
@@ -18,6 +19,7 @@ struct Cli {
 pub enum AnchorSubcommands {
     Node(Node),
     Keysplit(Keysplit),
+    Keygen(Keygen),
 }
 
 fn main() {
@@ -38,6 +40,11 @@ fn main() {
                 error!("Keysplit error: {:?}", e);
             }
         }
+        AnchorSubcommands::Keygen(keygen) => {
+            if let Err(e) = keygen::run_keygen(keygen) {
+                error!("Keygen error: {:?}", e);
+            }
+        }
     }
 }