feat: op-signer: Necessary script adjustments [5/N] (#379)

janjakubnanista · web-flow · commit a5823a4805c7 · 2025-08-20T20:13:21.000-07:00
**Description** In this PR, the script for generating local credentials is adjusted to fit our usecase (unnecessary indirection is removed & file permissions are adjusted). Additionally, [an inline script from the original PR](https://github.com/ethpandaops/optimism-package/pull/207/files#diff-8952ca36c0cbca2168c99c185e468d02357daaab464a93cd7bf58bf8f3b90eb0R136) is moved into a shell script - this script converts a HEX private key to a PEM file. This is necessary since `op-signer` requires private keys (that we have in the deployment output in HEX) to be converted to PEM files. Both of these scripts can be tested locally so if we ever decide to test these, it would be very easy.
diff --git a/src/signer/op-signer/scripts/convert-private-key.sh b/src/signer/op-signer/scripts/convert-private-key.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env sh
+
+# Get private key from the script arguments
+if [ $# -ne 1 ]; then
+    echo "Error: Private key argument is required."
+    exit 1
+fi
+
+# We grab the private key from the arguments
+PRIVATE_KEY="$1"; shift
+
+# We convert it to ASCII
+PRIVATE_KEY_ASCII=$(echo -n "$PRIVATE_KEY" | xxd -r -p)
+
+# And pad it 
+PRIVATE_KEY_PREFIX="\\x30\\x2e\\x02\\x01\\x01\\x04\\x20"
+PRIVATE_KEY_SUFFIX="\\xa0\\x07\\x06\\x05\\x2b\\x81\\x04\\x00\\x0a"
+PRIVATE_KEY_WRAPPED="${PRIVATE_KEY_PREFIX}${PRIVATE_KEY_ASCII}${PRIVATE_KEY_SUFFIX}"
+
+# And finally we create the EC encoded private key
+printf "%b" "$PRIVATE_KEY_WRAPPED" | openssl ec -inform DER -outform PEM
diff --git a/src/signer/op-signer/scripts/gen-local-creds.sh b/src/signer/op-signer/scripts/gen-local-creds.sh
@@ -1,17 +1,17 @@
 #!/usr/bin/env sh
 
+#
+# This script is based on https://github.com/ethereum-optimism/infra/blob/main/op-signer/gen-local-creds.sh
+# with small adjustments to fit to our use case
+#
+
 set -euo pipefail
 
-if [ -z "$TLS_DIR" ]; then
+if [ -z "${TLS_DIR-}" ]; then
     SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
     TLS_DIR="$SCRIPT_DIR/tls"
 fi
 
-OPENSSL_IMAGE="alpine/openssl:3.3.3"
-
-USER_UID=$(id -u)
-USER_GID=$(id -g)
-
 CERT_ORG_NAME="OP-Signer Local Org"
 MOD_LENGTH=2048
 
@@ -24,34 +24,12 @@ CLIENT_TLS_CERT="tls.crt"
 CLIENT_PRIVATE_KEY="ec_private.pem"
 CLIENT_OPENSSL_CNF="openssl.cnf"
 
-# Check if we should use Docker (default to true if not set)
-USE_DOCKER=${OP_SIGNER_GEN_TLS_DOCKER:-true}
-
-# Helper function to run openssl commands
-run_openssl() {
-    if [ "$USE_DOCKER" = "true" ]; then
-        docker run --rm \
-            -v "$TLS_DIR:$TLS_DIR" \
-            -u "$USER_UID:$USER_GID" \
-            "$OPENSSL_IMAGE" "$@"
-    else
-        # Check if openssl is available locally
-        if ! command -v openssl &> /dev/null; then
-            echo "Error: OpenSSL is not installed locally. Please install OpenSSL or use Docker by setting OP_SIGNER_GEN_TLS_DOCKER=true"
-            exit 1
-        fi
-        openssl "$@"
-    fi
-}
-
 generate_ca() {
-    local force="$1"
-    [ "$force" = "true" ] || [ ! -f "$CA_CERT" ] || return 0
-
     echo
     echo "Generating CA..."
 
-    run_openssl req -newkey "rsa:$MOD_LENGTH" \
+    openssl req \
+        -newkey "rsa:$MOD_LENGTH" \
         -new -nodes -x509 \
         -days 365 \
         -sha256 \
@@ -72,7 +50,13 @@ generate_client_tls() {
     
     # Generate client key
     echo "Generating client key..."
-    run_openssl genrsa -out "$clientDir/$CLIENT_TLS_KEY" "$MOD_LENGTH"
+    openssl genrsa -out "$clientDir/$CLIENT_TLS_KEY" "$MOD_LENGTH"
+
+    # Since we are in a testing environment, we are not so strict about file permissions
+    # 
+    # Allowing the private key to be readable by all users
+    # makes the integration with op-signer easier
+    chmod 644 "$clientDir/$CLIENT_TLS_KEY"
 
     local confFile="$clientDir/$CLIENT_OPENSSL_CNF"
     
@@ -85,15 +69,19 @@ subjectAltName=DNS:$hostname
 EOF
     
     echo "Generating client certificate signing request..."
-    run_openssl req -new -key "$clientDir/$CLIENT_TLS_KEY" \
+    openssl req \
+        -new \
+        -key "$clientDir/$CLIENT_TLS_KEY" \
         -sha256 \
         -out "$clientDir/$CLIENT_TLS_CSR" \
         -subj "/O=$CERT_ORG_NAME/CN=$hostname" \
         -extensions san \
         -config "$confFile"
     
     echo "Generating client certificate..."
-    run_openssl x509 -req -in "$clientDir/$CLIENT_TLS_CSR" \
+    openssl x509 \
+        -req \
+        -in "$clientDir/$CLIENT_TLS_CSR" \
         -sha256 \
         -CA "$CA_CERT" \
         -CAkey "$CA_KEY" \
@@ -106,11 +94,18 @@ EOF
 
 generate_client_signing_key() {
     local hostname="$1"
+
     echo
     echo "Generating private key for $hostname..."
+    
     local clientDir="$TLS_DIR/$hostname"
     mkdir -p "$clientDir"
-    run_openssl ecparam -name secp256k1 -genkey -noout -param_enc explicit \
+    
+    openssl ecparam \
+        -name secp256k1 \
+        -genkey \
+        -noout \
+        -param_enc explicit \
         -out "$clientDir/$CLIENT_PRIVATE_KEY"
 }
 
@@ -148,12 +143,7 @@ fi
 TARGET="$1"; shift
 
 echo "----------------------------------------"
-echo "!!!! DO NOT USE IN PRODUCTION !!!!!"
-echo "This script is meant for development/testing ONLY."
-echo "Generating credentials..."
-echo
-echo "Target: $TARGET"
-echo "Using Docker: $USE_DOCKER"
+echo "Generating credentials for $TARGET"
 echo "----------------------------------------"
 
 mkdir -p "$TLS_DIR"
@@ -184,6 +174,5 @@ case "$TARGET" in
 esac
 
 echo "----------------------------------------"
-echo
 echo "Credentials generated successfully."
 echo "----------------------------------------"
