Skip to content

Feature: sui keystore #17618

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 25 commits into
base: ccip-aptos-codec
Choose a base branch
from
Draft

Feature: sui keystore #17618

wants to merge 25 commits into from

Conversation

faisal-chainlink
Copy link

@faisal-chainlink faisal-chainlink commented May 7, 2025
edited
Loading

Adds the Sui keystore to core

Requires

JoaoVasques
JoaoVasques reviewed May 7, 2025
View reviewed changes
@faisal-chainlink faisal-chainlink requested a review from cfal May 9, 2025 07:11
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented May 9, 2025

I see you added a changeset file but it does not contain a tag. Please edit the text include at least one of the following tags:

  • #added For any new functionality added.
  • #breaking_change For any functionality that requires manual action for the node to boot.
  • #bugfix For bug fixes.
  • #changed For any change to the existing functionality.
  • #db_update For any feature that introduces updates to database schema.
  • #deprecation_notice For any upcoming deprecation functionality.
  • #internal For changesets that need to be excluded from the final changelog.
  • #nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
  • #removed For any functionality/config that is removed.
  • #updated For any functionality that is updated.
  • #wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.

🎖️ No JIRA issue number found in: PR title, commit message, or branch name. Please include the issue ID in one of these.

@faisal-chainlink faisal-chainlink marked this pull request as ready for review May 9, 2025 12:25
@faisal-chainlink faisal-chainlink requested review from a team as code owners May 9, 2025 12:25
@faisal-chainlink faisal-chainlink force-pushed the feature/sui-keystore branch 2 times, most recently from ff72943 to 2515808 Compare May 15, 2025 17:19
@github-actions GitHub Actions
Copy link
Contributor

Flakeguard Summary

Ran new or updated tests between develop and 2515808 (feature/sui-keystore).

View Flaky Detector Details | Compare Changes

Found Flaky Tests ❌

12 Results
Name Pass Ratio Panicked? Timed Out? Race? Runs Successes Failures Skips Package Package Panicked? Avg Duration Code Owners
TestShell_SuiKeys 0% true false false 3 0 3 0 github.com/smartcontractkit/chainlink/v2/core/cmd true 0s Unknown
TestShell_SuiKeys/ListSuiKeys 0% true false false 3 0 3 0 github.com/smartcontractkit/chainlink/v2/core/cmd true 860ms Unknown
Test_SuiKeyStore_E2E/adds_an_externally_created_key_/_deletes_a_key 0% false false false 3 0 3 0 github.com/smartcontractkit/chainlink/v2/core/services/keystore true 0s @smartcontractkit/foundations, @smartcontractkit/core
Test_SuiKeyStore_E2E/imports_and_exports_a_key 0% false false false 3 0 3 0 github.com/smartcontractkit/chainlink/v2/core/services/keystore true 0s @smartcontractkit/foundations, @smartcontractkit/core
TestETHKeysController_ChainFailure_InvalidEnabled 66.6667% false false false 3 2 1 0 github.com/smartcontractkit/chainlink/v2/core/web false 1.47s Unknown
TestSuiKeysController_Create_HappyPath 0% false false false 3 0 3 0 github.com/smartcontractkit/chainlink/v2/core/web false 1.466666666s Unknown
TestSuiKeysController_Delete_HappyPath 0% false false false 3 0 3 0 github.com/smartcontractkit/chainlink/v2/core/web false 120ms Unknown
TestSuiKeysController_Delete_NonExistentSuiKeyID 0% false false false 3 0 3 0 github.com/smartcontractkit/chainlink/v2/core/web false 140ms Unknown
TestSuiKeysController_Index_HappyPath 0% false false false 3 0 3 0 github.com/smartcontractkit/chainlink/v2/core/web false 123.333333ms Unknown
TestResolver_SuiKeys/no_keys_returned_by_GetAll 0% false false false 3 0 3 0 github.com/smartcontractkit/chainlink/v2/core/web/resolver false 113.333333ms @smartcontractkit/deployment-automation, @smartcontractkit/foundations, @smartcontractkit/core
TestResolver_SuiKeys/not_authorized 0% false false false 3 0 3 0 github.com/smartcontractkit/chainlink/v2/core/web/resolver false 110ms @smartcontractkit/deployment-automation, @smartcontractkit/foundations, @smartcontractkit/core
TestResolver_SuiKeys/success 0% false false false 3 0 3 0 github.com/smartcontractkit/chainlink/v2/core/web/resolver false 83.333333ms @smartcontractkit/deployment-automation, @smartcontractkit/foundations, @smartcontractkit/core

Artifacts

For detailed logs of the failed tests, please refer to the artifact failed-test-results-with-logs.json.

@cfal cfal force-pushed the feature/sui-keystore branch from 2515808 to 48a5dfd Compare May 21, 2025 10:18
@cfal cfal requested review from a team as code owners May 21, 2025 10:18
@cfal cfal changed the base branch from develop to ccip-aptos-codec May 21, 2025 10:18
@cfal cfal marked this pull request as draft May 21, 2025 10:19
github-advanced-security[bot]
github-advanced-security bot found potential problems May 21, 2025
View reviewed changes
core/services/keystore/keys/suikey/key.go

// newFrom creates a new Account from a provided random reader
func newFrom(reader io.Reader) (Key, error) {
pub, priv, err := ed25519.GenerateKey(reader)

Check failure

Code scanning / CodeQL

Use of insufficient randomness as the key of a cryptographic algorithm High

This cryptographic algorithm depends on a
random number
Loading
generated with a cryptographically weak RNG.

Copilot Autofix

AI 5 days ago

To address the issue, we need to ensure that cryptographic key generation always uses a cryptographically secure random number generator, even in testing scenarios. The MustNewInsecure function should be modified to reject insecure random number generators or be clearly restricted to testing environments. Additionally, the keystest.NewRandReaderFromSeed function should be updated to make its insecure nature explicit and prevent its accidental use in production.

  1. Modify MustNewInsecure to enforce the use of a secure random number generator or restrict its usage to testing environments by adding a build tag or runtime check.
  2. Update keystest.NewRandReaderFromSeed to include a warning or runtime check to ensure it is only used in test builds.
  3. Ensure that all cryptographic key generation paths use crypto/rand.Reader or an equivalent secure source of randomness.
Suggested changeset 2
core/services/keystore/keys/suikey/key.go

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/core/services/keystore/keys/suikey/key.go b/core/services/keystore/keys/suikey/key.go
--- a/core/services/keystore/keys/suikey/key.go
+++ b/core/services/keystore/keys/suikey/key.go
@@ -41,4 +41,7 @@
 
-// MustNewInsecure returns an Account if no error
+// MustNewInsecure returns an Account if no error. This function is intended for testing only.
 func MustNewInsecure(reader io.Reader) Key {
+	if !isTestEnvironment() {
+		panic("MustNewInsecure is intended for testing only and cannot be used in production")
+	}
 	key, err := newFrom(reader)
@@ -49,2 +52,7 @@
 }
+
+// isTestEnvironment checks if the code is running in a test environment.
+func isTestEnvironment() bool {
+	return os.Getenv("GO_ENV") == "test"
+}
 
EOF
@@ -41,4 +41,7 @@

// MustNewInsecure returns an Account if no error
// MustNewInsecure returns an Account if no error. This function is intended for testing only.
func MustNewInsecure(reader io.Reader) Key {
if !isTestEnvironment() {
panic("MustNewInsecure is intended for testing only and cannot be used in production")
}
key, err := newFrom(reader)
@@ -49,2 +52,7 @@
}

// isTestEnvironment checks if the code is running in a test environment.
func isTestEnvironment() bool {
return os.Getenv("GO_ENV") == "test"
}

core/internal/testutils/keystest/seedable_rand_reader.go
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/core/internal/testutils/keystest/seedable_rand_reader.go b/core/internal/testutils/keystest/seedable_rand_reader.go
--- a/core/internal/testutils/keystest/seedable_rand_reader.go
+++ b/core/internal/testutils/keystest/seedable_rand_reader.go
@@ -11,3 +11,11 @@
 func NewRandReaderFromSeed(seed int64) io.Reader {
+	if !isTestEnvironment() {
+		panic("NewRandReaderFromSeed is intended for testing only and cannot be used in production")
+	}
 	return rand.New(rand.NewSource(seed))
 }
+
+// isTestEnvironment checks if the code is running in a test environment.
+func isTestEnvironment() bool {
+	return os.Getenv("GO_ENV") == "test"
+}
EOF
@@ -11,3 +11,11 @@
func NewRandReaderFromSeed(seed int64) io.Reader {
if !isTestEnvironment() {
panic("NewRandReaderFromSeed is intended for testing only and cannot be used in production")
}
return rand.New(rand.NewSource(seed))
}

// isTestEnvironment checks if the code is running in a test environment.
func isTestEnvironment() bool {
return os.Getenv("GO_ENV") == "test"
}
Copilot is powered by AI and may make mistakes. Always verify output.
@cfal cfal force-pushed the ccip-aptos-codec branch from 4d771b7 to 3104873 Compare May 21, 2025 12:02
@cl-sonarqube-production
Copy link

Quality Gate passed Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
4.1% Duplication on New Code

See analysis details on SonarQube

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JoaoVasques JoaoVasques JoaoVasques left review comments

@cfal cfal Awaiting requested review from cfal

@chudilka1 chudilka1 Awaiting requested review from chudilka1 chudilka1 is a code owner automatically assigned from smartcontractkit/foundations

@RensR RensR Awaiting requested review from RensR

@winder winder Awaiting requested review from winder winder is a code owner automatically assigned from smartcontractkit/ccip-offchain

@asoliman92 asoliman92 Awaiting requested review from asoliman92 asoliman92 is a code owner automatically assigned from smartcontractkit/ccip-offchain

@matYang matYang Awaiting requested review from matYang matYang is a code owner automatically assigned from smartcontractkit/ccip-offchain

@makramkd makramkd Awaiting requested review from makramkd makramkd is a code owner automatically assigned from smartcontractkit/ccip-offchain

@AmrMohamedRezk AmrMohamedRezk Awaiting requested review from AmrMohamedRezk AmrMohamedRezk is a code owner automatically assigned from smartcontractkit/ccip-offchain

@0xAustinWang 0xAustinWang Awaiting requested review from 0xAustinWang 0xAustinWang is a code owner automatically assigned from smartcontractkit/ccip-offchain

@b-gopalswami b-gopalswami Awaiting requested review from b-gopalswami b-gopalswami is a code owner automatically assigned from smartcontractkit/ccip-offchain

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@faisal-chainlink @JoaoVasques @cfal