Merge branch 'develop' into bug/SKALE-3374-leak-in-bls

a02e3018 · Oleh Nikolaiev · d3613375 · b4664d8e · a02e3018 · a02e3018
Unverified Commit a02e3018 authored Nov 05, 2020 by Oleh Nikolaiev
25 changed files
--- a/.github/workflows/dockerimage.yml
+++ b/.github/workflows/dockerimage.yml
@@ -8,9 +8,7 @@ jobs:
      DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
    steps:
      - name: Login to docker
-        env:
-          GITHUB_TOKEN: ${{ secrets.DOCKER_SECRET }}
-        run: docker login -u skalelabs -p ${GITHUB_TOKEN}
+        run: docker login -u ${DOCKER_USERNAME} -p ${DOCKER_PASSWORD}
      - uses: actions/checkout@v1
      - name: submodule update
        run: git submodule update --init --recursive

--- a/.github/workflows/dockerimagebase.yml
+++ b/.github/workflows/dockerimagebase.yml
@@ -11,14 +11,12 @@ jobs:
      DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
    steps:
    - name: Login to docker
-      env:
-        GITHUB_TOKEN: ${{ secrets.DOCKER_SECRET }}
-      run: docker login -u skalelabs -p ${GITHUB_TOKEN}
+      run: docker login -u ${DOCKER_USERNAME} -p ${DOCKER_PASSWORD}
    - uses: actions/checkout@v1
    - name: submodule update
      run: git submodule update --init --recursive
    - name: Build the Docker image
-      run: docker build . --file DockerfileBase --tag skalenetwork/sgxwallet_base:latest
+      run: docker build . --file DockerfileBase --tag skalenetwork/sgxwallet_base:latest && docker push skalenetwork/sgxwallet_base:latest
    - name: deploy docker image
      if: contains(github.ref, 'develop') || contains(github.ref, 'beta') || contains(github.ref, 'master') || contains(github.ref, 'stable')
      run : |

--- a/.github/workflows/dockerimagerelease.yml
+++ b/.github/workflows/dockerimagerelease.yml
@@ -8,9 +8,7 @@ jobs:
      DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
    steps:
      - name: Login to docker
-        env:
-          GITHUB_TOKEN: ${{ secrets.DOCKER_SECRET }}
-        run: docker login -u skalelabs -p ${GITHUB_TOKEN}
+        run: docker login -u ${DOCKER_USERNAME} -p ${DOCKER_PASSWORD}
      - uses: actions/checkout@v1
      - name: submodule update
        run: git submodule update --init --recursive

--- a/.github/workflows/dockerimagesim.yml
+++ b/.github/workflows/dockerimagesim.yml
@@ -10,9 +10,7 @@ jobs:
    - name: Check that /dev/urandom exists
      run: ls /dev/urandom
    - name: Login to docker
-      env:
-        GITHUB_TOKEN: ${{ secrets.DOCKER_SECRET }}
-      run: docker login -u skalelabs -p ${GITHUB_TOKEN}
+      run: docker login -u ${DOCKER_USERNAME} -p ${DOCKER_PASSWORD}
    - uses: actions/checkout@v1
    - name: submodule update
      run: git submodule update --init --recursive

--- a/BLSCrypto.cpp
+++ b/BLSCrypto.cpp
@@ -75,23 +75,22 @@ int char2int(char _input) {
    return -1;
 }

-void carray2Hex(const unsigned char *d, uint64_t _len, char *_hexArray,
-                uint64_t _hexArrayLen) {
+vector<char> carray2Hex(const unsigned char *d, uint64_t _len) {

    CHECK_STATE(d);
-    CHECK_STATE(_hexArray);
+    vector<char> _hexArray( 2 * _len + 1);

    char hexval[16] = {'0', '1', '2', '3', '4', '5', '6', '7',
                       '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};

-    CHECK_STATE(_hexArrayLen > 2 * _len);
-
    for (uint64_t j = 0; j < _len; j++) {
        _hexArray[j * 2] = hexval[((d[j] >> 4) & 0xF)];
        _hexArray[j * 2 + 1] = hexval[(d[j]) & 0x0F];
    }

    _hexArray[_len * 2] = 0;
+
+    return _hexArray;
 }


@@ -264,9 +263,7 @@ string encryptBLSKeyShare2Hex(int *errStatus, char *err_string, const char *_key

    HANDLE_TRUSTED_FUNCTION_ERROR(status, *errStatus, errMsg.data());

-    SAFE_CHAR_BUF(resultBuf, 2 * BUF_LEN + 1);
-
-    carray2Hex(encryptedKey->data(), encryptedLen, resultBuf, 2 * BUF_LEN + 1);
+    vector<char> resultBuf = carray2Hex(encryptedKey->data(), encryptedLen);

-    return string(resultBuf);
+    return string(resultBuf.begin(), resultBuf.end());
 }
--- a/BLSCrypto.h
+++ b/BLSCrypto.h
@@ -33,13 +33,14 @@
 #include "stddef.h"
 #include "stdint.h"
 #include <string>
+#include <vector>

 EXTERNC bool bls_sign(const char* encryptedKeyHex, const char* hashHex, size_t t, size_t n, char* _sig);

 EXTERNC int char2int(char _input);

-EXTERNC void  carray2Hex(const unsigned char *d, uint64_t , char* _hexArray,
-                         uint64_t _hexArrayLen);
+EXTERNC std::vector<char> carray2Hex(const unsigned char *d, uint64_t _len);
+
 EXTERNC bool hex2carray(const char * _hex, uint64_t  *_bin_len,
                 uint8_t* _bin, uint64_t _max_length );


--- a/DKGCrypto.cpp
+++ b/DKGCrypto.cpp
@@ -144,9 +144,8 @@ string gen_dkg_poly(int _t) {

    uint64_t length = enc_len;;

-    vector<char> hexEncrPoly(BUF_LEN, 0);
    CHECK_STATE(encrypted_dkg_secret.size() >= length);
-    carray2Hex(encrypted_dkg_secret.data(), length, hexEncrPoly.data(), BUF_LEN);
+    vector<char> hexEncrPoly = carray2Hex(encrypted_dkg_secret.data(), length);
    string result(hexEncrPoly.data());

    return result;
@@ -237,7 +236,7 @@ getSecretShares(const string &_polyName, const char *_encryptedPolyHex, const ve

    sgx_status_t status = SGX_SUCCESS;

-    READ_LOCK(initMutex);
+    READ_LOCK(sgxInitMutex);

    status = trustedSetEncryptedDkgPoly(eid, &errStatus, errMsg1.data(), encrDKGPoly.data(), encLen);

@@ -271,7 +270,7 @@ getSecretShares(const string &_polyName, const char *_encryptedPolyHex, const ve
        result += string(currentShare.data());

        spdlog::debug("dec len is {}", decLen);
-        carray2Hex(encryptedSkey.data(), decLen, hexEncrKey.data(), BUF_LEN);
+        hexEncrKey = carray2Hex(encryptedSkey.data(), decLen);
        string dhKeyName = "DKG_DH_KEY_" + _polyName + "_" + to_string(i) + ":";

        spdlog::debug("hexEncr DH Key: { }", hexEncrKey.data());
@@ -351,11 +350,9 @@ bool createBLSShare(const string &blsKeyName, const char *s_shares, const char *

    HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus, errMsg.data());

-    SAFE_CHAR_BUF(hexBLSKey, 2 * BUF_LEN)
+    vector<char> hexBLSKey = carray2Hex(encr_bls_key, enc_bls_len);

-    carray2Hex(encr_bls_key, enc_bls_len, hexBLSKey, 2 * BUF_LEN);
-
-    SGXWalletServer::writeDataToDB(blsKeyName, hexBLSKey);
+    SGXWalletServer::writeDataToDB(blsKeyName, hexBLSKey.data());

    return true;

@@ -452,24 +449,25 @@ string decryptDHKey(const string &polyName, int ind) {
    shared_ptr <string> hexEncrKeyPtr = SGXWalletServer::readFromDb(DH_key_name, "DKG_DH_KEY_");

    spdlog::debug("encr DH key is {}", *hexEncrKeyPtr);
+    spdlog::debug("encr DH key length is {}", hexEncrKeyPtr->length());

    vector<char> hexEncrKey(2 * BUF_LEN, 0);

-    uint64_t dhEncLen = 0;SAFE_UINT8_BUF(encryptedDHKey, BUF_LEN);
+    uint64_t dhEncLen = 0;
+    SAFE_UINT8_BUF(encryptedDHKey, BUF_LEN)
    if (!hex2carray(hexEncrKeyPtr->c_str(), &dhEncLen, encryptedDHKey, BUF_LEN)) {
        throw SGXException(INVALID_HEX, "Invalid hexEncrKey");
    }
    spdlog::debug("encr DH key length is {}", dhEncLen);
-    spdlog::debug("hex encr DH key length is {}", hexEncrKeyPtr->length());

-    SAFE_CHAR_BUF(DHKey, ECDSA_SKEY_LEN);
+    SAFE_CHAR_BUF(DHKey, ECDSA_SKEY_LEN)

    sgx_status_t status = SGX_SUCCESS;

    RESTART_BEGIN
        status = trustedDecryptKey(eid, &errStatus, errMsg1.data(), encryptedDHKey, dhEncLen, DHKey);
    RESTART_END
-    HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus, errMsg1.data());
+    HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus, errMsg1.data())

    return DHKey;
 }

--- a/DockerfileSimulation
+++ b/DockerfileSimulation
 FROM skalenetwork/sgxwallet_base:latest


-RUN apt update &&  apt install -y curl secure-delete
+RUN apt update && apt install -y curl secure-delete

 RUN ccache -sz


--- a/ECDSACrypto.cpp
+++ b/ECDSACrypto.cpp
@@ -69,19 +69,14 @@ vector <string> genECDSAKey() {

    vector <string> keys(3);

-    vector<char> hexEncrKey(BUF_LEN * 2, 0);
-
-    carray2Hex(encr_pr_key.data(), enc_len, hexEncrKey.data(),
-               BUF_LEN * 2);
+    vector<char> hexEncrKey = carray2Hex(encr_pr_key.data(), enc_len);
    keys.at(0) = hexEncrKey.data();
    keys.at(1) = string(pub_key_x.data()) + string(pub_key_y.data());

    vector<unsigned char> randBuffer(32, 0);
    fillRandomBuffer(randBuffer);

-    vector<char> rand_str(BUF_LEN, 0);
-
-    carray2Hex(randBuffer.data(), 32, rand_str.data(), BUF_LEN);
+    vector<char> rand_str = carray2Hex(randBuffer.data(), 32);

    keys.at(2) = rand_str.data();

@@ -233,3 +228,30 @@ vector <string> ecdsaSignHash(const std::string& encryptedKeyHex, const char *ha

    return signatureVector;
 }
+
+string encryptECDSAKey(const string& _key) {
+    vector<char> key(BUF_LEN, 0);
+    for (size_t i = 0; i < _key.size(); ++i) {
+        key[i] = _key[i];
+    }
+
+    vector<uint8_t> encryptedKey(BUF_LEN, 0);
+
+    int errStatus = 0;
+    vector<char> errString(BUF_LEN, 0);
+    uint64_t enc_len = 0;
+
+    sgx_status_t status = SGX_SUCCESS;
+    RESTART_BEGIN
+        status = trustedEncryptKey(eid, &errStatus, errString.data(), key.data(),
+                                   encryptedKey.data(), &enc_len);
+    RESTART_END
+
+    if (status != 0) {
+        throw SGXException(status, string("Could not encrypt ECDSA key: " + string(errString.begin(), errString.end())).c_str());
+    }
+
+    vector<char> hexEncrKey = carray2Hex(encryptedKey.data(), enc_len);
+
+    return string(hexEncrKey.begin(), hexEncrKey.end());
+}
--- a/ECDSACrypto.h
+++ b/ECDSACrypto.h
@@ -35,5 +35,7 @@ string getECDSAPubKey(const std::string& _encryptedKeyHex);

 vector<string> ecdsaSignHash(const std::string& encryptedKeyHex, const char* hashHex, int base);

+string encryptECDSAKey(const string& key);
+

 #endif //SGXD_ECDSACRYPTO_H
--- a/Makefile.am
+++ b/Makefile.am
@@ -103,7 +103,7 @@ sgxwallet_LDADD=-l$(SGX_URTS_LIB) -l$(SGX_UAE_SERVICE_LIB) -LlibBLS/deps/deps_in
   -l:libbls.a -l:libleveldb.a \
   -l:libff.a -lgmp -ldl -l:libsgx_capable.a -l:libsgx_tprotected_fs.a \
   -ljsonrpccpp-stub -ljsonrpccpp-server -ljsonrpccpp-client -ljsonrpccpp-common -ljsoncpp -lmicrohttpd \
-   -lboost_system -lboost_thread -lgnutls -lgcrypt -lcurl -lssl -lcrypto -lz -lpthread -lstdc++fs
+   -lboost_system -lboost_thread -lgnutls -lgcrypt -lidn2 -lcurl -lssl -lcrypto -lz -lpthread -lstdc++fs


 testw_SOURCES=testw.cpp $(COMMON_SRC)
@@ -115,4 +115,4 @@ cert_util_SOURCES= InvalidStateException.cpp  Exception.cpp InvalidArgumentExcep
 cert_util_LDADD=-LlibBLS/deps/deps_inst/x86_or_x64/lib -Lleveldb/build -LlibBLS/build \
                   -LlibBLS/build/libff/libff \
                   -l:libbls.a -l:libleveldb.a \
-                   -l:libff.a -lgmp  -ljsonrpccpp-stub -ljsonrpccpp-server -ljsonrpccpp-client -ljsonrpccpp-common -ljsoncpp -lmicrohttpd -lgnutls -lgcrypt -lcurl -lssl -lcrypto -lz -lpthread -ldl
+                   -l:libff.a -lgmp  -ljsonrpccpp-stub -ljsonrpccpp-server -ljsonrpccpp-client -ljsonrpccpp-common -ljsoncpp -lmicrohttpd -lgnutls -lgcrypt -lidn2 -lcurl -lssl -lcrypto -lz -lpthread -ldl
--- a/SEKManager.cpp
+++ b/SEKManager.cpp
@@ -65,15 +65,13 @@ void create_test_key() {
    sgx_status_t status =  SGX_SUCCESS;

    {
-        READ_LOCK(initMutex);
+        READ_LOCK(sgxInitMutex);
        status = trustedEncryptKey(eid, &errStatus, errMsg.data(), key.c_str(), encrypted_key, &enc_len);
    }

    HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus, errMsg.data());

-    vector<char> hexEncrKey(2 * enc_len + 1, 0);
-
-    carray2Hex(encrypted_key, enc_len, hexEncrKey.data(), 2 * enc_len + 1);
+    vector<char> hexEncrKey = carray2Hex(encrypted_key, enc_len);

    LevelDB::getLevelDb()->writeDataUnique("TEST_KEY", hexEncrKey.data());
 }
@@ -98,7 +96,7 @@ void validate_SEK() {
    sgx_status_t status = SGX_SUCCESS;

    {
-        READ_LOCK(initMutex);
+        READ_LOCK(sgxInitMutex);
        status = trustedDecryptKey(eid, &err_status, errMsg.data(), encr_test_key.data(), len, decr_key.data());
    }

@@ -128,7 +126,7 @@ shared_ptr <vector<uint8_t>> check_and_set_SEK(const string &SEK) {
    sgx_status_t status = SGX_SUCCESS;

    {
-        READ_LOCK(initMutex);
+        READ_LOCK(sgxInitMutex);
        status = trustedSetSEKBackup(eid, &err_status, errMsg.data(), encrypted_SEK->data(), &l,
                             SEK.c_str());
    }
@@ -167,9 +165,7 @@ void gen_SEK() {
        throw SGXException(-1, "strnlen(SEK,33) != 32");
    }

-    vector<char> hexEncrKey(2 * enc_len + 1, 0);
-
-    carray2Hex(encrypted_SEK.data(), enc_len, hexEncrKey.data(), 2 * enc_len + 1);
+    vector<char> hexEncrKey = carray2Hex(encrypted_SEK.data(), enc_len);

    spdlog::info(string("Encrypted storage encryption key:") + hexEncrKey.data());

@@ -281,10 +277,7 @@ void enter_SEK() {

    auto encrypted_SEK = check_and_set_SEK(sek);

-    vector<char> hexEncrKey(BUF_LEN, 0);
-
-    carray2Hex(encrypted_SEK->data(), encrypted_SEK->size(), hexEncrKey.data(),
-               BUF_LEN);
+    vector<char> hexEncrKey = carray2Hex(encrypted_SEK->data(), encrypted_SEK->size());

    spdlog::info("Got sealed storage encryption key.");


--- a/SGXWalletServer.cpp
+++ b/SGXWalletServer.cpp
@@ -54,7 +54,7 @@

 using namespace std;

-std::shared_timed_mutex initMutex;
+std::shared_timed_mutex sgxInitMutex;
 uint64_t initTime;

 void setFullOptions(uint64_t _logLevel, int _useHTTPS, int _autoconfirm, int _enterBackupKey) {
@@ -268,6 +268,37 @@ SGXWalletServer::blsSignMessageHashImpl(const string &_keyShareName, const strin

 }

+Json::Value SGXWalletServer::importECDSAKeyImpl(const string &_keyShare,
+                                                const string &_keyShareName) {
+    spdlog::info("Entering {}", __FUNCTION__);
+    INIT_RESULT(result)
+    result["encryptedKey"] = "";
+
+    try {
+      if (!checkECDSAKeyName(_keyShareName)) {
+          throw SGXException(INVALID_ECDSA_KEY_NAME, "Invalid ECDSA key name");
+      }
+
+      string hashTmp = _keyShare;
+      if (hashTmp[0] == '0' && (hashTmp[1] == 'x' || hashTmp[1] == 'X')) {
+          hashTmp.erase(hashTmp.begin(), hashTmp.begin() + 2);
+      }
+
+      if (!checkHex(hashTmp)) {
+          throw SGXException(INVALID_HEX, "Invalid ECDSA key share, please use hex");
+      }
+
+      string encryptedKey = encryptECDSAKey(hashTmp);
+
+      writeDataToDB(_keyShareName, encryptedKey);
+
+      result["encryptedKey"] = encryptedKey;
+      result["publicKey"] = getECDSAPubKey(encryptedKey);
+    } HANDLE_SGX_EXCEPTION(result)
+
+    RETURN_SUCCESS(result);
+}
+
 Json::Value SGXWalletServer::generateECDSAKeyImpl() {
    spdlog::info("Entering {}", __FUNCTION__);
    INIT_RESULT(result)
@@ -735,6 +766,10 @@ Json::Value SGXWalletServer::calculateAllBLSPublicKeys(const Json::Value& public
    return calculateAllBLSPublicKeysImpl(publicShares, t, n);
 }

+Json::Value SGXWalletServer::importECDSAKey(const std::string& keyShare, const std::string& keyShareName) {
+    return importECDSAKeyImpl(keyShare, keyShareName);
+}
+
 Json::Value SGXWalletServer::generateECDSAKey() {
    return generateECDSAKeyImpl();
 }

--- a/SGXWalletServer.hpp
+++ b/SGXWalletServer.hpp
@@ -51,6 +51,9 @@ public:
    virtual Json::Value
    blsSignMessageHash(const string &_keyShareName, const string &_messageHash, int _t, int _n);

+    virtual Json::Value importECDSAKey(const std::string& keyShare,
+                                       const std::string& keyShareName);
+
    virtual Json::Value generateECDSAKey();

    virtual Json::Value
@@ -102,6 +105,8 @@ public:
    static Json::Value
    blsSignMessageHashImpl(const string &_keyShareName, const string &_messageHash, int t, int n);

+    static Json::Value importECDSAKeyImpl(const string &_keyShare, const string &_keyShareName);
+
    static Json::Value generateECDSAKeyImpl();

    static Json::Value ecdsaSignMessageHashImpl(int _base, const string &keyName, const string &_messageHash);

--- a/ServerInit.cpp
+++ b/ServerInit.cpp
@@ -86,7 +86,7 @@ uint64_t initEnclave() {

    {

-        WRITE_LOCK(initMutex);
+        WRITE_LOCK(sgxInitMutex);

        if (eid != 0) {
            if (sgx_destroy_enclave(eid) != SGX_SUCCESS) {

--- a/TestUtils.cpp
+++ b/TestUtils.cpp
@@ -21,12 +21,9 @@
    @date 2020
 */

-#include <libff/algebra/fields/fp.hpp>
 #include <dkg/dkg.h>
 #include <jsonrpccpp/server/connectors/httpserver.h>
 #include <libff/algebra/curves/alt_bn128/alt_bn128_pp.hpp>
-#include <libff/algebra/exponentiation/exponentiation.hpp>
-#include <libff/algebra/fields/fp.hpp>
 #include <dkg/dkg.h>
 #include "sgxwallet_common.h"
 #include "third_party/intel/create_enclave.h"
@@ -412,3 +409,126 @@ void TestUtils::doDKG(StubClient &c, int n, int t,
    for (auto&& i : _blsKeyNames)
        cerr << i << endl;
 }
+
+int sessionKeyRecoverDH(const char *skey_str, const char *sshare, char *common_key) {
+
+    int ret = -1;
+
+    SAFE_CHAR_BUF(pb_keyB_x, 65);
+    SAFE_CHAR_BUF(pb_keyB_y, 65);
+
+    mpz_t skey;
+    mpz_init(skey);
+    point pub_keyB = point_init();
+    point session_key = point_init();
+
+    pb_keyB_x[64] = 0;
+    strncpy(pb_keyB_x, sshare, 64);
+    strncpy(pb_keyB_y, sshare + 64, 64);
+    pb_keyB_y[64] = 0;
+
+
+    if (!common_key) {
+        mpz_clear(skey);
+        point_clear(pub_keyB);
+        point_clear(session_key);
+
+        return  ret;
+    }
+
+    common_key[0] = 0;
+
+    if (!skey_str) {
+        mpz_clear(skey);
+        point_clear(pub_keyB);
+        point_clear(session_key);
+
+        return  ret;
+    }
+
+    if (!sshare) {
+        mpz_clear(skey);
+        point_clear(pub_keyB);
+        point_clear(session_key);
+
+        return  ret;
+    }
+
+    if (mpz_set_str(skey, skey_str, 16) == -1) {
+        mpz_clear(skey);
+        point_clear(pub_keyB);
+        point_clear(session_key);
+
+        return  ret;
+    }
+
+    domain_parameters curve;
+    curve = domain_parameters_init();
+    domain_parameters_load_curve(curve, secp256k1);
+
+    if (point_set_hex(pub_keyB, pb_keyB_x, pb_keyB_y) != 0) {
+        return ret;
+    }
+
+    point_multiplication(session_key, skey, pub_keyB, curve);
+
+    SAFE_CHAR_BUF(arr_x, BUF_LEN);
+
+    mpz_get_str(arr_x, 16, session_key->x);
+    int n_zeroes = 64 - strlen(arr_x);
+    for (int i = 0; i < n_zeroes; i++) {
+        common_key[i] = '0';
+    }
+    strncpy(common_key + n_zeroes, arr_x, strlen(arr_x));
+
+    ret = 0;
+
+    mpz_clear(skey);
+    point_clear(pub_keyB);
+    point_clear(session_key);
+
+    return  ret;
+}
+
+int xorDecryptDH(char *key, const char *cypher, vector<char>& message) {
+
+    int ret = -1;
+
+    if (!cypher) {
+        return ret;
+    }
+
+    if (!key) {
+        return ret;
+    }
+
+    if (!message.data()) {
+        return ret;
+    }
+
+    SAFE_CHAR_BUF(msg_bin,33)
+
+    SAFE_CHAR_BUF(key_bin,33)
+
+    uint64_t key_length;
+    if (!hex2carray(key, &key_length, (uint8_t*) key_bin, 33)) {
+        return ret;
+    }
+
+    uint64_t cypher_length;
+
+    SAFE_CHAR_BUF(cypher_bin, 33);
+    if (!hex2carray(cypher, &cypher_length, (uint8_t *) cypher_bin, 33)) {
+        return ret;
+    }
+
+    for (int i = 0; i < 32; i++) {
+        msg_bin[i] = cypher_bin[i] ^ key_bin[i];
+    }
+
+    message = carray2Hex((unsigned char*) msg_bin, 32);
+
+    ret = 0;
+
+    return ret;
+}
--- a/TestUtils.h
+++ b/TestUtils.h
@@ -24,12 +24,11 @@
 #ifndef SGXWALLET_TESTUTILS_H
 #define SGXWALLET_TESTUTILS_H

-#include <libff/algebra/fields/fp.hpp>
 #include <dkg/dkg.h>
 #include <jsonrpccpp/server/connectors/httpserver.h>
 #include <libff/algebra/curves/alt_bn128/alt_bn128_pp.hpp>
-#include <libff/algebra/exponentiation/exponentiation.hpp>
-#include <libff/algebra/fields/fp.hpp>
+// #include <libff/algebra/exponentiation/exponentiation.hpp>
+// #include <libff/algebra/fields/fp.hpp>
 #include <dkg/dkg.h>
 #include "sgxwallet_common.h"
 #include "third_party/intel/create_enclave.h"
@@ -78,4 +77,8 @@ public:
                                 int schainID, int dkgID);
 };

+int sessionKeyRecoverDH(const char *skey_str, const char *sshare, char *common_key);
+
+int xorDecryptDH(char *key, const char *cypher, vector<char>& message);
+
 #endif //SGXWALLET_TESTW_H
--- a/VERSION
+++ b/VERSION
-1.58.5
\ No newline at end of file
+1.58.6
\ No newline at end of file
--- a/abstractstubserver.h
+++ b/abstractstubserver.h
@@ -39,6 +39,7 @@ class AbstractStubServer : public jsonrpc::AbstractServer<AbstractStubServer>
          this->bindAndAddMethod(jsonrpc::Procedure("importBLSKeyShare", jsonrpc::PARAMS_BY_NAME, jsonrpc::JSON_OBJECT,"keyShare",jsonrpc::JSON_STRING,"keyShareName",jsonrpc::JSON_STRING, NULL), &AbstractStubServer::importBLSKeyShareI);
          this->bindAndAddMethod(jsonrpc::Procedure("blsSignMessageHash", jsonrpc::PARAMS_BY_NAME, jsonrpc::JSON_OBJECT, "keyShareName",jsonrpc::JSON_STRING,"messageHash",jsonrpc::JSON_STRING,"t",jsonrpc::JSON_INTEGER, "n",jsonrpc::JSON_INTEGER, NULL), &AbstractStubServer::blsSignMessageHashI);

+          this->bindAndAddMethod(jsonrpc::Procedure("importECDSAKey", jsonrpc::PARAMS_BY_NAME, jsonrpc::JSON_OBJECT,"key",jsonrpc::JSON_STRING,"keyName",jsonrpc::JSON_STRING, NULL), &AbstractStubServer::importECDSAKeyI);
          this->bindAndAddMethod(jsonrpc::Procedure("generateECDSAKey", jsonrpc::PARAMS_BY_NAME, jsonrpc::JSON_OBJECT,  NULL), &AbstractStubServer::generateECDSAKeyI);
          this->bindAndAddMethod(jsonrpc::Procedure("getPublicECDSAKey", jsonrpc::PARAMS_BY_NAME, jsonrpc::JSON_OBJECT, "keyName",jsonrpc::JSON_STRING, NULL), &AbstractStubServer::getPublicECDSAKeyI);
          this->bindAndAddMethod(jsonrpc::Procedure("ecdsaSignMessageHash", jsonrpc::PARAMS_BY_NAME, jsonrpc::JSON_OBJECT, "base",jsonrpc::JSON_INTEGER,"keyName",jsonrpc::JSON_STRING,"messageHash",jsonrpc::JSON_STRING, NULL), &AbstractStubServer::ecdsaSignMessageHashI);
@@ -68,6 +69,10 @@ class AbstractStubServer : public jsonrpc::AbstractServer<AbstractStubServer>
            response = this->blsSignMessageHash(request["keyShareName"].asString(), request["messageHash"].asString(), request["t"].asInt(), request["n"].asInt());
        }

+        inline virtual void importECDSAKeyI(const Json::Value &request, Json::Value &response)
+        {
+            response = this->importECDSAKey( request["key"].asString(), request["keyName"].asString());
+        }
        inline virtual void generateECDSAKeyI(const Json::Value &request, Json::Value &response)
        {
          (void)request;
@@ -141,6 +146,7 @@ class AbstractStubServer : public jsonrpc::AbstractServer<AbstractStubServer>

        virtual Json::Value importBLSKeyShare(const std::string& keyShare, const std::string& keyShareName) = 0;
        virtual Json::Value blsSignMessageHash(const std::string& keyShareName, const std::string& messageHash, int t, int n ) = 0;
+        virtual Json::Value importECDSAKey(const std::string& keyShare, const std::string& keyShareName) = 0;
        virtual Json::Value generateECDSAKey() = 0;
        virtual Json::Value getPublicECDSAKey(const std::string& keyName) = 0;
        virtual Json::Value ecdsaSignMessageHash(int base, const std::string& keyName, const std::string& messageHash) = 0;

--- a/common.h
+++ b/common.h
@@ -98,7 +98,7 @@ BOOST_THROW_EXCEPTION(runtime_error(__ERR_STRING__)); \

 #include <shared_mutex>

-extern std::shared_timed_mutex initMutex;
+extern std::shared_timed_mutex sgxInitMutex;
 extern uint64_t initTime;

 #if SGX_MODE == SIM

--- a/libBLS @ adf9682b
+++ b/libBLS @ adf9682b
-Subproject commit 78ea56c3b5251e9d840ef65705bb2c5f8f193662
+Subproject commit adf9682b69694ca2c64b5997e04ee1bb885c511c
--- a/sgxwallet_common.h
+++ b/sgxwallet_common.h
@@ -115,7 +115,7 @@ int __ATTEMPTS__ = 0; \
 do {\
 __ATTEMPTS__++; \
 {\
-READ_LOCK(initMutex);
+READ_LOCK(sgxInitMutex);

 #define RESTART_END \
 } \

--- a/stubclient.h
+++ b/stubclient.h
@@ -39,6 +39,18 @@ class StubClient : public jsonrpc::Client
                throw jsonrpc::JsonRpcException(jsonrpc::Errors::ERROR_CLIENT_INVALID_RESPONSE, result.toStyledString());
        }

+        Json::Value importECDSAKey(const std::string& keyShare, const std::string& keyShareName)
+        {
+            Json::Value p;
+            p["key"] = keyShare;
+            p["keyName"] = keyShareName;
+            Json::Value result = this->CallMethod("importECDSAKey",p);
+            if (result.isObject())
+                return result;
+            else
+                throw jsonrpc::JsonRpcException(jsonrpc::Errors::ERROR_CLIENT_INVALID_RESPONSE, result.toStyledString());
+        }
+
        Json::Value generateECDSAKey() 
        {
          Json::Value p;

--- a/testw.cpp
+++ b/testw.cpp
@@ -21,16 +21,14 @@
    @date 2020
 */

-#include <libff/algebra/fields/fp.hpp>
 #include <dkg/dkg.h>
 #include <jsonrpccpp/server/connectors/httpserver.h>
 #include <libff/algebra/curves/alt_bn128/alt_bn128_pp.hpp>
-#include <libff/algebra/exponentiation/exponentiation.hpp>
-#include <libff/algebra/fields/fp.hpp>
 #include <dkg/dkg.h>
 #include "sgxwallet_common.h"
 #include "third_party/intel/create_enclave.h"
 #include "secure_enclave_u.h"
+#include "secure_enclave/DHDkg.h"
 #include "third_party/intel/sgx_detect.h"
 #include <gmp.h>
 #include <sgx_urts.h>
@@ -456,6 +454,21 @@ TEST_CASE_METHOD(TestFixture, "Delete Bls Key", "[delete-bls-key]") {
    REQUIRE(c.deleteBlsKey(name)["deleted"] == true);
 }

+TEST_CASE_METHOD(TestFixture, "Import ECDSA Key", "[import-ecdsa-key]") {
+    HttpClient client(RPC_ENDPOINT);
+    StubClient c(client, JSONRPC_CLIENT_V2);
+
+    std::string name = "NEK:abcdef";
+    auto response = c.importECDSAKey("6507625568967977077291849236396320012317305261598035438182864059942098934847", name);
+    REQUIRE(response["status"] != 0);
+
+    string key_str = "0xe632f7fde2c90a073ec43eaa90dca7b82476bf28815450a11191484934b9c3f";
+    response = c.importECDSAKey(key_str, name);
+    REQUIRE(response["status"] == 0);
+
+    REQUIRE(c.ecdsaSignMessageHash(16, name, SAMPLE_HASH)["status"] == 0);
+}
+
 TEST_CASE_METHOD(TestFixture, "Backup Key", "[backup-key]") {
    HttpClient client(RPC_ENDPOINT);
    StubClient c(client, JSONRPC_CLIENT_V2);
@@ -653,11 +666,55 @@ TEST_CASE_METHOD(TestFixture, "AES_DKG test", "[aes-dkg]") {
    Json::Value complaintResponse = c.complaintResponse(polyNames[1], t, n, 0);
    REQUIRE(complaintResponse["status"] == 0);

+    string dhKey = complaintResponse["dhKey"].asString();
+    string shareG2 = complaintResponse["share*G2"].asString();
+    string secretShare = secretShares[1]["secretShare"].asString().substr(0, 192);
+
+    vector<char> message (65, 0);
+
+    SAFE_CHAR_BUF(encr_sshare, BUF_LEN)
+    strncpy(encr_sshare, pubEthKeys[0].asString().c_str(), 128);
+
+    SAFE_CHAR_BUF(common_key, BUF_LEN);
+    REQUIRE(sessionKeyRecoverDH(dhKey.c_str(), encr_sshare, common_key) == 0);
+
+    SAFE_CHAR_BUF(encr_sshare_check, BUF_LEN)
+    strncpy(encr_sshare_check, secretShare.c_str(), ECDSA_SKEY_LEN - 1);
+
+    REQUIRE(xorDecryptDH(common_key, encr_sshare_check, message) == 0);
+
+    mpz_t hex_share;
+    mpz_init(hex_share);
+    mpz_set_str(hex_share, message.data(), 16);
+
+    libff::alt_bn128_Fr share(hex_share);
+    libff::alt_bn128_G2 decrypted_share_G2 = share * libff::alt_bn128_G2::one();
+    decrypted_share_G2.to_affine_coordinates();
+
+    mpz_clear(hex_share);
+
+    REQUIRE( convertG2ToString(decrypted_share_G2) == shareG2 );
+
+    Json::Value verificationVectorMult = complaintResponse["verificationVectorMult"];
+
+    libff::alt_bn128_G2 verificationValue = libff::alt_bn128_G2::zero();
+    for (int i = 0; i < t; ++i) {
+        libff::alt_bn128_G2 value;
+        value.Z = libff::alt_bn128_Fq2::one();
+        value.X.c0 = libff::alt_bn128_Fq(verificationVectorMult[i][0].asCString());
+        value.X.c1 = libff::alt_bn128_Fq(verificationVectorMult[i][1].asCString());
+        value.Y.c0 = libff::alt_bn128_Fq(verificationVectorMult[i][2].asCString());
+        value.Y.c1 = libff::alt_bn128_Fq(verificationVectorMult[i][3].asCString());
+        verificationValue = verificationValue + value;
+    }
+    verificationValue.to_affine_coordinates();
+    REQUIRE( verificationValue == decrypted_share_G2 );
+
    BLSSigShareSet sigShareSet(t, n);

    string hash = SAMPLE_HASH;

-    auto hash_arr = make_shared < array < uint8_t, 32 >> ();
+    auto hash_arr = make_shared < array < uint8_t, 32 > >();

    uint64_t binLen;


--- a/testw.py
+++ b/testw.py
@@ -36,6 +36,7 @@ testList = ["[first-run]",
            "[get-server-version]",
            "[backup-key]",
            "[delete-bls-key]",
+            "[import-ecdsa-key]",
            "[ecdsa-aes-key-gen]",
            "[ecdsa-aes-key-sig-gen]",
            "[ecdsa-aes-get-pub-key]",
@@ -43,7 +44,6 @@ testList = ["[first-run]",
            "[bls-key-encrypt]",
            "[dkg-aes-gen]",
            "[dkg-aes-encr-sshares]",
-            "[dkg-verify]",
            "[dkg-api]",
            "[dkg-bls]",
            "[dkg-poly-exists]",