Client: segregate signing

src/bin_client/tezos-init-sandboxed-client.sh

@@ -183,22 +183,13 @@ DICTATOR_SECRET="edsk31vznjHSSpGExDMHYASz45VZqXN4DPxvsa4hAyY8dHM28cZzp6"
 
 add_sandboxed_bootstrap_identities() {
 
-    ${client} add public key bootstrap1 ${BOOTSTRAP1_PUBLIC}
+    ${client} import unencrypted secret key bootstrap1 ${BOOTSTRAP1_SECRET}
-    ${client} add secret key bootstrap1 ${BOOTSTRAP1_SECRET}
+    ${client} import unencrypted secret key bootstrap2 ${BOOTSTRAP2_SECRET}
+    ${client} import unencrypted secret key bootstrap3 ${BOOTSTRAP3_SECRET}
+    ${client} import unencrypted secret key bootstrap4 ${BOOTSTRAP4_SECRET}
+    ${client} import unencrypted secret key bootstrap5 ${BOOTSTRAP5_SECRET}
 
-    ${client} add public key bootstrap2 ${BOOTSTRAP2_PUBLIC}
+    ${client} import unencrypted secret key dictator ${DICTATOR_SECRET}
-    ${client} add secret key bootstrap2 ${BOOTSTRAP2_SECRET}
-
-    ${client} add public key bootstrap3 ${BOOTSTRAP3_PUBLIC}
-    ${client} add secret key bootstrap3 ${BOOTSTRAP3_SECRET}
-
-    ${client} add public key bootstrap4 ${BOOTSTRAP4_PUBLIC}
-    ${client} add secret key bootstrap4 ${BOOTSTRAP4_SECRET}
-
-    ${client} add public key bootstrap5 ${BOOTSTRAP5_PUBLIC}
-    ${client} add secret key bootstrap5 ${BOOTSTRAP5_SECRET}
-
-    ${client} add secret key dictator ${DICTATOR_SECRET}
 
 }
 

src/lib_client_base/client_keys.ml

@@ -7,6 +7,20 @@
 (*                                                                        *)
 (**************************************************************************)
 
+type error += Unregistered_key_scheme of string
+let () =
+  register_error_kind `Permanent
+    ~id: "cli.unregistered_key_scheme"
+    ~title: "Unregistered key scheme"
+    ~description: "A key has been provided with an \
+                   unregistered scheme (no corresponding plugin)"
+    ~pp:
+      (fun ppf s ->
+         Format.fprintf ppf "No matching plugin for key scheme %s" s)
+    Data_encoding.(obj1 (req "value" string))
+    (function Unregistered_key_scheme s -> Some s | _ -> None)
+    (fun s -> Unregistered_key_scheme s)
+
 module Public_key_hash = Client_aliases.Alias (struct
     type t = Ed25519.Public_key_hash.t
     let encoding = Ed25519.Public_key_hash.encoding
@@ -15,21 +29,127 @@ module Public_key_hash = Client_aliases.Alias (struct
     let name = "public key hash"
   end)
 
-module Public_key = Client_aliases.Alias (struct
+module type LOCATOR = sig
-    type t = Ed25519.Public_key.t
+  val name : string
-    let encoding = Ed25519.Public_key.encoding
+  type t
-    let of_source s = Lwt.return (Ed25519.Public_key.of_b58check s)
-    let to_source p = return (Ed25519.Public_key.to_b58check p)
-    let name = "public key"
-  end)
 
-module Secret_key = Client_aliases.Alias (struct
+  val create : scheme:string -> location:string -> t
-    type t = Ed25519.Secret_key.t
+  val scheme : t -> string
-    let encoding = Ed25519.Secret_key.encoding
+  val location : t -> string
-    let of_source s = Lwt.return (Ed25519.Secret_key.of_b58check s)
+  val to_string : t -> string
-    let to_source p = return (Ed25519.Secret_key.to_b58check p)
+  val pp : Format.formatter -> t -> unit
+end
+
+type sk_locator = Sk_locator of { scheme : string ; location : string }
+type pk_locator = Pk_locator of { scheme : string ; location : string }
+
+module Sk_locator = struct
   let name = "secret key"
-  end)
+  type t = sk_locator
+
+  let create ~scheme ~location =
+    Sk_locator { scheme ; location }
+
+  let scheme (Sk_locator { scheme }) = scheme
+  let location (Sk_locator { location }) = location
+
+  let to_string (Sk_locator { scheme ; location }) =
+    scheme ^ ":" ^  location
+
+  let pp ppf (Sk_locator { scheme ; location }) =
+    Format.pp_print_string ppf (scheme ^ ":" ^ location)
+end
+
+module Pk_locator = struct
+  let name = "public key"
+  type t = pk_locator
+
+  let create ~scheme ~location =
+    Pk_locator { scheme ; location }
+
+  let scheme (Pk_locator { scheme }) = scheme
+  let location (Pk_locator { location }) = location
+
+  let to_string (Pk_locator { scheme ; location }) =
+    scheme ^ ":" ^  location
+
+  let pp ppf (Pk_locator { scheme ; location }) =
+    Format.pp_print_string ppf (scheme ^ ":" ^ location)
+end
+
+module type KEY = sig
+  type t
+  val to_b58check : t -> string
+  val of_b58check_exn : string -> t
+end
+
+module Locator (K : KEY) (L : LOCATOR) = struct
+  include L
+
+  let of_unencrypted k =
+    L.create ~scheme:"unencrypted"
+      ~location:(K.to_b58check k)
+
+  let of_string s =
+    match String.index s ':' with
+    | exception Not_found ->
+        of_unencrypted (K.of_b58check_exn s)
+    | i ->
+        let len = String.length s in
+        create
+          ~scheme:(String.sub s 0 i)
+          ~location:(String.sub s (i+1) (len-i-1))
+
+  let of_source s =  return (of_string s)
+  let to_source t = return (to_string t)
+
+  let encoding = Data_encoding.(conv to_string of_string string)
+end
+
+module Secret_key_locator = Locator(Ed25519.Secret_key)(Sk_locator)
+module Secret_key = Client_aliases.Alias (Secret_key_locator)
+module Public_key_locator = Locator(Ed25519.Public_key)(Pk_locator)
+module Public_key = Client_aliases.Alias (Public_key_locator)
+
+module type SIGNER = sig
+  type secret_key
+  type public_key
+  val scheme : string
+  val sk_locator_of_human_input :
+    Client_commands.logging_wallet ->
+    string list -> sk_locator tzresult Lwt.t
+  val pk_locator_of_human_input :
+    Client_commands.logging_wallet ->
+    string list -> pk_locator tzresult Lwt.t
+  val sk_of_locator : sk_locator -> secret_key tzresult Lwt.t
+  val pk_of_locator : pk_locator -> public_key tzresult Lwt.t
+  val sk_to_locator : secret_key -> sk_locator Lwt.t
+  val pk_to_locator : public_key -> pk_locator Lwt.t
+  val neuterize : secret_key -> public_key Lwt.t
+  val public_key : public_key -> Ed25519.Public_key.t Lwt.t
+  val public_key_hash : public_key -> Ed25519.Public_key_hash.t Lwt.t
+  val sign : secret_key -> MBytes.t -> Ed25519.Signature.t tzresult Lwt.t
+end
+
+let signers_table : (string, (module SIGNER)) Hashtbl.t = Hashtbl.create 13
+let register_signer signer =
+  let module Signer = (val signer : SIGNER) in
+  Hashtbl.replace signers_table Signer.scheme signer
+
+let find_signer_for_key ~scheme =
+  match Hashtbl.find signers_table scheme with
+  | exception Not_found -> error (Unregistered_key_scheme scheme)
+  | signer -> ok signer
+
+let sign ((Sk_locator { scheme }) as skloc) buf =
+  Lwt.return (find_signer_for_key ~scheme) >>=? fun signer ->
+  let module Signer = (val signer : SIGNER) in
+  Signer.sk_of_locator skloc >>=? fun t ->
+  Signer.sign t buf
+
+let append loc buf =
+  sign loc buf >>|? fun signature ->
+  MBytes.concat buf (Ed25519.Signature.to_bytes signature)
 
 let gen_keys ?(force=false) ?seed (cctxt : #Client_commands.wallet) name =
   let seed =
@@ -37,8 +157,10 @@ let gen_keys ?(force=false) ?seed (cctxt : #Client_commands.wallet) name =
     | None -> Ed25519.Seed.generate ()
     | Some s -> s in
   let _, public_key, secret_key = Ed25519.generate_seeded_key seed in
-  Secret_key.add ~force cctxt name secret_key >>=? fun () ->
+  Secret_key.add ~force cctxt name
-  Public_key.add ~force cctxt name public_key >>=? fun () ->
+    (Secret_key_locator.of_unencrypted secret_key) >>=? fun () ->
+  Public_key.add ~force cctxt name
+    (Public_key_locator.of_unencrypted public_key) >>=? fun () ->
   Public_key_hash.add ~force
     cctxt name (Ed25519.Public_key.hash public_key) >>=? fun () ->
   return ()
@@ -82,8 +204,10 @@ let gen_keys_containing ?(prefix=false) ?(force=false) ~containing ~name (cctxt
             let hash = Ed25519.Public_key_hash.to_b58check @@ Ed25519.Public_key.hash public_key in
             if matches hash
             then
-              Secret_key.add ~force cctxt name secret_key >>=? fun () ->
+              Secret_key.add ~force cctxt name
-              Public_key.add ~force cctxt name public_key >>=? fun () ->
+                (Secret_key_locator.of_unencrypted secret_key) >>=? fun () ->
+              Public_key.add ~force cctxt name
+                (Public_key_locator.of_unencrypted public_key) >>=? fun () ->
               Public_key_hash.add ~force cctxt name (Ed25519.Public_key.hash public_key) >>=? fun () ->
               return hash
             else begin if attempts mod 25_000 = 0
@@ -96,39 +220,44 @@ let gen_keys_containing ?(prefix=false) ?(force=false) ~containing ~name (cctxt
           return ()
         end
 
-let check_keys_consistency pk sk =
-  let message = MBytes.of_string "Voulez-vous coucher avec moi, ce soir ?" in
-  let signature = Ed25519.sign sk message in
-  Ed25519.Signature.check pk signature message
-
 let get_key (cctxt : #Client_commands.wallet) pkh =
   Public_key_hash.rev_find cctxt pkh >>=? function
   | None -> failwith "no keys for the source contract manager"
   | Some n ->
       Public_key.find cctxt n >>=? fun pk ->
       Secret_key.find cctxt n >>=? fun sk ->
+      let scheme = Secret_key_locator.scheme sk in
+      Lwt.return (find_signer_for_key ~scheme) >>=? fun signer ->
+      let module Signer = (val signer : SIGNER) in
+      Signer.pk_of_locator pk >>=? fun pk ->
+      Signer.public_key pk >>= fun pk ->
       return (n, pk, sk)
 
 let get_keys (wallet : #Client_commands.wallet) =
   Secret_key.load wallet >>=? fun sks ->
-  Lwt_list.filter_map_s
+  Lwt_list.filter_map_s begin fun (name, sk) ->
-    (fun (name, sk) ->
     begin
       Public_key.find wallet name >>=? fun pk ->
       Public_key_hash.find wallet name >>=? fun pkh ->
+      let scheme = Public_key_locator.scheme pk in
+      Lwt.return
+        (find_signer_for_key ~scheme) >>=? fun signer ->
+      let module Signer = (val signer : SIGNER) in
+      Signer.pk_of_locator pk >>=? fun pk ->
+      Signer.public_key pk >>= fun pk ->
       return (name, pkh, pk, sk)
     end >>= function
     | Ok r -> Lwt.return (Some r)
-       | Error _ -> Lwt.return_none)
+    | Error _ -> Lwt.return_none
-    sks >>= fun keys ->
+  end sks >>= fun keys ->
   return keys
 
 let list_keys cctxt =
   Public_key_hash.load cctxt >>=? fun l ->
   map_s
     (fun (name, pkh) ->
-       Public_key.mem cctxt name >>=? fun pkm ->
+       Public_key.find_opt cctxt name >>=? fun pkm ->
-       Secret_key.mem cctxt name >>=? fun pks ->
+       Secret_key.find_opt cctxt name >>=? fun pks ->
        return (name, pkh, pkm, pks))
     l
 
@@ -159,6 +288,13 @@ let commands () =
       ~parameter:"-show-secret"
       ~doc:"show the private key" in
   [
+    command ~group ~desc: "List supported signing schemes."
+      no_options
+      (fixed [ "list" ; "signing" ; "schemes" ])
+      (fun () (cctxt : Client_commands.full_context) ->
+         let schemes = Hashtbl.fold (fun k _ a -> k :: a) signers_table [] in
+         let schemes = List.sort String.compare schemes in
+         Lwt_list.iter_s (cctxt#message "%s") schemes >>= return) ;
 
     command ~group ~desc: "Generate a pair of keys."
       (args1 Secret_key.force_switch)
@@ -183,40 +319,60 @@ let commands () =
 
     command ~group ~desc: "Add a secret key to the wallet."
       (args1 Secret_key.force_switch)
-      (prefixes [ "add" ; "secret" ; "key" ]
+      (prefix "import"
+       @@ string
+         ~name:"scheme"
+         ~desc:"Scheme to use when adding a secret key"
+       @@ prefixes [ "secret" ; "key" ]
        @@ Secret_key.fresh_alias_param
-       @@ Secret_key.source_param
+       @@ seq_of_param (string
-       @@ stop)
+                          ~name:"secret key specification"
-      (fun force name sk cctxt ->
+                          ~desc:"Specification of a secret key"))
+      (fun force scheme name spec cctxt ->
          Secret_key.of_fresh cctxt force name >>=? fun name ->
+         Lwt.return (find_signer_for_key ~scheme) >>=? fun signer ->
+         let module Signer = (val signer : SIGNER) in
+         Signer.sk_locator_of_human_input
+           (cctxt :> Client_commands.logging_wallet) spec >>=? fun skloc ->
+         Signer.sk_of_locator skloc >>=? fun sk ->
+         Signer.neuterize sk >>= fun pk ->
+         Signer.pk_to_locator pk >>= fun pkloc ->
          Public_key.find_opt cctxt name >>=? function
          | None ->
-             let pk = Ed25519.Secret_key.to_public_key sk in
+             Signer.public_key_hash pk >>= fun pkh ->
-             Public_key_hash.add ~force cctxt
+             Secret_key.add ~force cctxt name skloc >>=? fun () ->
-               name (Ed25519.Public_key.hash pk) >>=? fun () ->
+             Public_key_hash.add ~force cctxt name pkh >>=? fun () ->
-             Public_key.add ~force cctxt name pk >>=? fun () ->
+             Public_key.add ~force cctxt name pkloc
-             Secret_key.add ~force cctxt name sk
          | Some pk ->
-             fail_unless
+             fail_unless (pkloc = pk || force)
-               (check_keys_consistency pk sk || force)
                (failure
                   "public and secret keys '%s' don't correspond, \
                    please don't use -force" name) >>=? fun () ->
-             Secret_key.add ~force cctxt name sk) ;
+             Secret_key.add ~force cctxt name skloc) ;
 
-    command ~group ~desc: "Add a public key to the wallet."
+    command ~group ~desc: "add a public key to the wallet."
       (args1 Public_key.force_switch)
-      (prefixes [ "add" ; "public" ; "key" ]
+      (prefix "import"
+       @@ string
+         ~name:"scheme"
+         ~desc:"Scheme to use when adding a public key"
+       @@ prefixes [ "public" ; "key" ]
        @@ Public_key.fresh_alias_param
-       @@ Public_key.source_param
+       @@ seq_of_param (string
-       @@ stop)
+                          ~name:"public key specification"
-      (fun force name key cctxt ->
+                          ~desc:"Specification of a public key"))
+      (fun force scheme name location cctxt ->
          Public_key.of_fresh cctxt force name >>=? fun name ->
-         Public_key_hash.add ~force cctxt
+         Lwt.return (find_signer_for_key ~scheme) >>=? fun signer ->
-           name (Ed25519.Public_key.hash key) >>=? fun () ->
+         let module Signer = (val signer : SIGNER) in
-         Public_key.add ~force cctxt name key) ;
+         Signer.pk_locator_of_human_input
+           (cctxt :> Client_commands.logging_wallet) location >>=? fun pkloc ->
+         Signer.pk_of_locator pkloc >>=? fun pk ->
+         Signer.public_key_hash pk >>= fun pkh ->
+         Public_key_hash.add ~force cctxt name pkh >>=? fun () ->
+         Public_key.add ~force cctxt name pkloc) ;
 
-    command ~group ~desc: "Add a public key to the wallet."
+    command ~group ~desc: "Add an identity to the wallet."
       (args1 Public_key.force_switch)
       (prefixes [ "add" ; "identity" ]
        @@ Public_key_hash.fresh_alias_param
@@ -226,19 +382,22 @@ let commands () =
          Public_key_hash.of_fresh cctxt force name >>=? fun name ->
          Public_key_hash.add ~force cctxt name hash) ;
 
-    command ~group ~desc: "List all public key hashes and associated keys."
+    command ~group ~desc: "List all identities and associated keys."
       no_options
       (fixed [ "list" ; "known" ; "identities" ])
       (fun () (cctxt : Client_commands.full_context) ->
          list_keys cctxt >>=? fun l ->
-         iter_s
+         iter_s begin fun (name, pkh, pk, sk) ->
-           (fun (name, pkh, pkm, pks) ->
            Public_key_hash.to_source pkh >>=? fun v ->
-              cctxt#message "%s: %s%s%s" name v
+           begin match pk, sk with
-                (if pkm then " (public key known)" else "")
+             | None, None ->
-                (if pks then " (secret key known)" else "") >>= fun () ->
+                 cctxt#message "%s: %s" name v
-              return ())
+             | _, Some Sk_locator { scheme } ->
-           l) ;
+                 cctxt#message "%s: %s (%s sk known)" name v scheme
+             | Some Pk_locator { scheme }, _ ->
+                 cctxt#message "%s: %s (%s pk known)" name v scheme
+           end >>= fun () -> return ()
+         end l) ;
 
     command ~group ~desc: "Show the keys associated with an identity."
       (args1 show_private_switch)
@@ -250,20 +409,24 @@ let commands () =
          alias_keys cctxt name >>=? fun key_info ->
          match key_info with
          | None -> ok_lwt @@ cctxt#message "No keys found for identity"
-         | Some (hash, pub, priv) ->
+         | Some (pkh, pk, skloc) ->
-             Public_key_hash.to_source hash >>=? fun hash ->
+             ok_lwt @@ cctxt#message "Hash: %a"
-             ok_lwt @@ cctxt#message "Hash: %s" hash >>=? fun () ->
+               Ed25519.Public_key_hash.pp pkh >>=? fun () ->
-             match pub with
+             match pk with
              | None -> return ()
-             | Some pub ->
+             | Some (Pk_locator { scheme } as pkloc) ->
-                 Public_key.to_source pub >>=? fun pub ->
+                 Lwt.return (find_signer_for_key ~scheme) >>=? fun signer ->
-                 ok_lwt @@ cctxt#message "Public Key: %s" pub >>=? fun () ->
+                 let module Signer = (val signer : SIGNER) in
+                 Signer.pk_of_locator pkloc >>=? fun pk ->
+                 Signer.public_key pk >>= fun pk ->
+                 ok_lwt @@ cctxt#message "Public Key: %a"
+                   Ed25519.Public_key.pp pk >>=? fun () ->
                  if show_private then
-                   match priv with
+                   match skloc with
                    | None -> return ()
-                   | Some priv ->
+                   | Some skloc ->
-                       Secret_key.to_source priv >>=? fun priv ->
+                       Secret_key.to_source skloc >>=? fun skloc ->
-                       ok_lwt @@ cctxt#message "Secret Key: %s" priv
+                       ok_lwt @@ cctxt#message "Secret Key: %s" skloc
                  else return ()) ;
 
     command ~group ~desc: "Forget the entire wallet of keys."

src/lib_client_base/client_keys.mli

@@ -7,30 +7,100 @@
 (*                                                                        *)
 (**************************************************************************)
 
+(** {2 Location of keys using schemes} *)
+
+type sk_locator = Sk_locator of { scheme : string ; location : string }
+type pk_locator = Pk_locator of { scheme : string ; location : string }
+
+module type LOCATOR = sig
+  val name : string
+  type t
+
+  val create : scheme:string -> location:string -> t
+  val scheme : t -> string
+  val location : t -> string
+  val to_string : t -> string
+  val pp : Format.formatter -> t -> unit
+end
+
+module Secret_key_locator : LOCATOR with type t = sk_locator
+module Public_key_locator : LOCATOR with type t = pk_locator
+
+(** {2 Cryptographic keys tables } *)
+
 module Public_key_hash :
   Client_aliases.Alias with type t = Ed25519.Public_key_hash.t
-module Public_key : Client_aliases.Alias with type t = Ed25519.Public_key.t
+module Public_key :
-module Secret_key : Client_aliases.Alias with type t = Ed25519.Secret_key.t
+  Client_aliases.Alias with type t = pk_locator
+module Secret_key :
+  Client_aliases.Alias with type t = sk_locator
+
+(** {2 Interface for external signing modules.} *)
+
+module type SIGNER = sig
+  type secret_key
+  type public_key
+
+  val scheme : string
+  (** [scheme] is the name of the scheme implemented by this signer
+      module. *)
+
+  val sk_locator_of_human_input :
+    Client_commands.logging_wallet ->
+    string list -> sk_locator tzresult Lwt.t
+  (** [sk_locator_of_human_input wallet spec] is the [sk_locator]
+      corresponding to the human readable specification [spec] (plugin
+      dependent). *)
+
+  val pk_locator_of_human_input :
+    Client_commands.logging_wallet ->
+    string list -> pk_locator tzresult Lwt.t
+  (** [pk_locator_of_human_input wallet spec] is the [pk_locator]
+      corresponding to the human readable specification [spec] (plugin
+      dependent). *)
+
+  val sk_of_locator : sk_locator -> secret_key tzresult Lwt.t
+  (** [sk_of_locator skloc] is the secret key at [skloc]. *)
+
+  val pk_of_locator : pk_locator -> public_key tzresult Lwt.t
+  (** [pk_of_locator pkloc] is the public key at [pkloc]. *)
+
+  val sk_to_locator : secret_key -> sk_locator Lwt.t
+  (** [sk_to_locator sk] is the location of secret key [sk]. *)
+
+  val pk_to_locator : public_key -> pk_locator Lwt.t
+  (** [pk_to_locator pk] is the location of public key [pk]. *)
+
+  val neuterize : secret_key -> public_key Lwt.t
+  (** [neuterize sk] is the corresponding [pk]. *)
+
+  val public_key : public_key -> Ed25519.Public_key.t Lwt.t
+  (** [public_key pk] is the Ed25519 version of [pk]. *)
+
+  val public_key_hash : public_key -> Ed25519.Public_key_hash.t Lwt.t
+  (** [public_key_hash pk] is the hash of [pk]. *)
+
+  val sign : secret_key -> MBytes.t -> Ed25519.Signature.t tzresult Lwt.t
+  (** [sign sk data] is signature obtained by signing [data] with
+      [sk]. *)
+end
+
+val register_signer : (module SIGNER) -> unit
+(** [register_signer signer] sets first-class module [signer] as
+    signer for keys with scheme [(val signer : SIGNER).scheme]. *)
+
+val find_signer_for_key : scheme:string -> (module SIGNER) tzresult
+val sign : sk_locator -> MBytes.t -> Ed25519.Signature.t tzresult Lwt.t
+val append : sk_locator -> MBytes.t -> MBytes.t tzresult Lwt.t
 
 val get_key:
   Client_commands.full_context ->
   Public_key_hash.t ->
-  ( string * Public_key.t * Secret_key.t ) tzresult Lwt.t
+  (string * Ed25519.Public_key.t * sk_locator) tzresult Lwt.t
 
 val get_keys:
   #Client_commands.wallet ->
-  ( string * Public_key_hash.t * Public_key.t * Secret_key.t ) list tzresult Lwt.t
+  (string * Public_key_hash.t * Ed25519.Public_key.t * sk_locator) list tzresult Lwt.t
-
-val list_keys:
-  Client_commands.full_context ->
-  (string * Public_key_hash.t * bool * bool) list tzresult Lwt.t
-
-val gen_keys:
-  ?force:bool ->
-  ?seed: Ed25519.Seed.t ->
-  #Client_commands.wallet ->
-  string ->
-  unit tzresult Lwt.t
 
 val force_switch : (bool, Client_commands.full_context) Cli_entries.arg
 

src/lib_client_base/client_signer_unencrypted.ml

@@ -0,0 +1,53 @@
+(**************************************************************************)
+(*                                                                        *)
+(*    Copyright (c) 2014 - 2017.                                          *)
+(*    Dynamic Ledger Solutions, Inc. <contact@tezos.com>                  *)
+(*                                                                        *)
+(*    All rights reserved. No warranty, explicit or implicit, provided.   *)
+(*                                                                        *)
+(**************************************************************************)
+
+open Client_keys
+
+module Unencrypted_signer : SIGNER = struct
+  let scheme = "unencrypted"
+
+  type secret_key = Ed25519.Secret_key.t
+  type public_key = Ed25519.Public_key.t
+
+  let sk_locator_of_human_input _cctxt = function
+    | sk :: _ ->
+        return (Secret_key_locator.create ~scheme ~location:sk)
+    | [] ->
+        let _, _, sk = Ed25519.generate_key () in
+        return (Secret_key_locator.create ~scheme
+                  ~location:(Ed25519.Secret_key.to_b58check sk))
+
+  let pk_locator_of_human_input _cctxt = function
+    | [] -> failwith "Missing public key argument"
+    | pk :: _ -> return (Public_key_locator.create ~scheme ~location:pk)
+
+  let sk_of_locator (Sk_locator { location }) =
+    Lwt.return (Ed25519.Secret_key.of_b58check location)
+
+  let pk_of_locator (Pk_locator { location }) =
+    Lwt.return (Ed25519.Public_key.of_b58check location)
+
+  let sk_to_locator sk =
+    Secret_key_locator.create
+      ~scheme ~location:(Ed25519.Secret_key.to_b58check sk) |>
+    Lwt.return
+
+  let pk_to_locator pk =
+    Public_key_locator.create
+      ~scheme ~location:(Ed25519.Public_key.to_b58check pk) |>
+    Lwt.return
+
+  let neuterize x = Lwt.return (Ed25519.Secret_key.to_public_key x)
+  let public_key x = Lwt.return x
+  let public_key_hash x = Lwt.return (Ed25519.Public_key.hash x)
+  let sign t buf = return (Ed25519.sign t buf)
+end
+
+let () =
+  register_signer (module Unencrypted_signer)

src/lib_client_base/jbuild

@@ -6,6 +6,7 @@
   (libraries (tezos-base
               tezos-shell-services
               tezos-rpc-http))
+  (library_flags (:standard -linkall))
   (flags (:standard -w -9+27-30-32-40@8
                     -safe-string
                     -open Tezos_base__TzPervasives

src/lib_crypto/ed25519.ml

@@ -51,12 +51,14 @@ module Public_key = struct
   let of_b58check_exn s =
     match Base58.simple_decode b58check_encoding s with
     | Some x -> x
-    | None -> Pervasives.failwith "Unexpected hash (ed25519 public key)"
+    | None -> Pervasives.failwith
+                (Printf.sprintf "%s is not an ed25519 public key" s)
   let of_b58check s =
     match Base58.simple_decode b58check_encoding s with
     | Some x -> Ok x
-    | None -> generic_error "Unexpected hash (ed25519 public key)"
+    | None -> generic_error "%s is not an ed25519 public key" s
   let to_b58check s = Base58.simple_encode b58check_encoding s
+  let pp ppf t = Format.fprintf ppf "%s" (to_b58check t)
 
   let of_hex s = of_string (Hex.to_string s)
   let of_hex_exn s = of_string_exn (Hex.to_string s)
@@ -157,12 +159,14 @@ module Secret_key = struct
   let of_b58check_exn s =
     match of_b58check_opt s with
     | Some x -> x
-    | None -> Pervasives.failwith "Unexpected hash (ed25519 secret key)"
+    | None -> Pervasives.failwith
+                (Printf.sprintf "%s is not an ed25519 secret key" s)
   let of_b58check s =
     match of_b58check_opt s with
     | Some x -> Ok x
-    | None -> generic_error "Unexpected hash (ed25519 secret key)"
+    | None -> generic_error "%s is not an ed25519 secret key" s
   let to_b58check s = Base58.simple_encode seed_encoding s
+  let pp ppf t = Format.fprintf ppf "%s" (to_b58check t)
 
   let of_bytes_opt s =
     match Sodium.Sign.Bigbytes.to_seed s with
@@ -243,12 +247,14 @@ module Signature = struct
   let of_b58check_exn s =
     match Base58.simple_decode b58check_encoding s with
     | Some x -> x
-    | None -> Pervasives.failwith "Unexpected hash (ed25519 signature)"
+    | None -> Pervasives.failwith
+                (Printf.sprintf "%s is not an ed25519 signature" s)
   let of_b58check s =
     match Base58.simple_decode b58check_encoding s with
     | Some x -> Ok x
-    | None -> generic_error "Unexpected hash (ed25519 signature)"
+    | None -> generic_error "%s is not an ed25519 signature" s
   let to_b58check s = Base58.simple_encode b58check_encoding s
+  let pp ppf t = Format.fprintf ppf "%s" (to_b58check t)
 
   let of_bytes_opt s =
     match Sodium.Sign.Bigbytes.to_signature s with

src/lib_crypto/ed25519.mli

@@ -19,6 +19,7 @@ module Public_key : sig
 
   include Compare.S
   val encoding: t Data_encoding.t
+  val pp : Format.formatter -> t -> unit
 
   val param:
     ?name:string ->
@@ -51,6 +52,7 @@ module Secret_key : sig
 
   type t
   val encoding: t Data_encoding.t
+  val pp : Format.formatter -> t -> unit
 
   val param:
     ?name:string ->
@@ -79,6 +81,7 @@ module Signature : sig
 
   type t
   val encoding: t Data_encoding.t
+  val pp : Format.formatter -> t -> unit
 
   val param:
     ?name:string ->

src/lib_stdlib/option.ml

@@ -15,6 +15,9 @@ let apply ~f = function
   | None -> None
   | Some x -> f x
 
+let (>>=) x f = apply ~f x
+let (>>|) x f = map ~f x
+
 let iter ~f = function
   | None -> ()
   | Some x -> f x

src/lib_stdlib/option.mli

@@ -13,6 +13,9 @@ val map: f:('a -> 'b) -> 'a option -> 'b option
 (** [(f x)] if input is [Some x], or [None] if it's [None] **)
 val apply: f:('a -> 'b option) -> 'a option -> 'b option
 
+val (>>=) : 'a option -> ('a -> 'b option) -> 'b option
+val (>>|) : 'a option -> ('a -> 'b) -> 'b option
+
 (** Call [(f x)] if input is [Some x], noop if it's [None] **)
 val iter: f:('a -> unit) -> 'a option -> unit
 

src/proto_alpha/lib_client/client_baking_endorsement.ml

@@ -103,13 +103,12 @@ let inject_endorsement (cctxt : Client_commands.full_context)
     ~block:bi.hash
     ~slot:slot
     () >>=? fun bytes ->
-  let signed_bytes = Ed25519.Signature.append src_sk bytes in
+  Client_keys.append src_sk bytes >>=? fun signed_bytes ->
   Client_node_rpcs.inject_operation
     cctxt ?async ~net_id:bi.net_id signed_bytes >>=? fun oph ->
   State.record_endorsement cctxt level bi.hash slot oph >>=? fun () ->
   return oph
 
-
 let previously_endorsed_slot cctxt level slot =
   State.get_endorsement cctxt level slot >>=? function
   | None -> return false

src/proto_alpha/lib_client/client_baking_endorsement.mli

@@ -13,7 +13,7 @@ open Tezos_context
 val forge_endorsement:
   Client_commands.full_context ->
   Client_proto_rpcs.block ->
-  src_sk:secret_key ->
+  src_sk:Client_keys.sk_locator ->
   ?slot:int ->
   ?max_priority:int ->
   public_key ->

src/proto_alpha/lib_client/client_baking_forge.ml

@@ -30,14 +30,13 @@ let forge_block_header
     let unsigned_header =
       Tezos_context.Block_header.forge_unsigned
         shell { priority ; seed_nonce_hash ; proof_of_work_nonce } in
-    let signed_header =
+    Client_keys.append delegate_sk unsigned_header >>=? fun signed_header ->
-      Ed25519.Signature.append delegate_sk unsigned_header in
     let block_hash = Block_hash.hash_bytes [signed_header] in
     if Baking.check_hash block_hash stamp_threshold then
-      signed_header
+      return signed_header
     else
       loop () in
-  return (loop ())
+  loop ()
 
 let empty_proof_of_work_nonce =
   MBytes.of_string

src/proto_alpha/lib_client/client_baking_forge.mli

@@ -23,7 +23,7 @@ val inject_block:
   shell_header:Block_header.shell_header ->
   priority:int ->
   seed_nonce_hash:Nonce_hash.t ->
-  src_sk:secret_key ->
+  src_sk:Client_keys.sk_locator ->
   Tezos_base.Operation.t list list ->
   Block_hash.t tzresult Lwt.t
 (** [inject_block cctxt blk ?force ~priority ~timestamp ~fitness
@@ -45,7 +45,7 @@ val forge_block:
   ?timestamp:Time.t ->
   priority:[`Set of int | `Auto of (public_key_hash * int option * bool)] ->
   seed_nonce_hash:Nonce_hash.t ->
-  src_sk:secret_key ->
+  src_sk:Client_keys.sk_locator ->
   unit ->
   Block_hash.t tzresult Lwt.t
 (** [forge_block cctxt parent_blk ?force ?operations ?best_effort

src/proto_alpha/lib_client/client_baking_lib.mli

@@ -17,7 +17,7 @@ val bake_block:
   ?force:bool ->
   ?max_priority: int ->
   ?free_baking: bool ->
-  ?src_sk:secret_key ->
+  ?src_sk:Client_keys.sk_locator ->
   public_key_hash ->
   unit tzresult Lwt.t
 

src/proto_alpha/lib_client/client_proto_context.ml

@@ -62,8 +62,9 @@ let transfer rpc_config
     ~branch ~source ~sourcePubKey:src_pk ~counter ~amount
     ~destination ?parameters ~fee () >>=? fun bytes ->
   Client_node_rpcs.Blocks.predecessor rpc_config block >>=? fun predecessor ->
-  let signature = Ed25519.sign src_sk bytes in
+  Client_keys.sign src_sk bytes >>=? fun signature ->
-  let signed_bytes = Ed25519.Signature.concat bytes signature in
+  let signed_bytes =
+    MBytes.concat bytes (Ed25519.Signature.to_bytes signature) in
   let oph = Operation_hash.hash_bytes [ signed_bytes ] in
   Client_proto_rpcs.Helpers.apply_operation rpc_config block
     predecessor oph bytes (Some signature) >>=? fun contracts ->
@@ -112,7 +113,7 @@ let originate_account ?branch
     ~branch ~source ~sourcePubKey:src_pk ~managerPubKey:manager_pkh
     ~counter ~balance ~spendable:true
     ?delegatable ?delegatePubKey:delegate ~fee () >>=? fun bytes ->
-  let signature = Ed25519.sign src_sk bytes in
+  Client_keys.sign src_sk bytes >>=? fun signature ->
   originate rpc_config ~block ~net_id ~signature bytes
 
 let faucet ?branch ~manager_pkh block rpc_config () =
@@ -132,7 +133,7 @@ let delegate_contract rpc_config
   Client_proto_rpcs.Helpers.Forge.Manager.delegation rpc_config block
     ~branch ~source ?sourcePubKey:src_pk ~counter ~fee delegate_opt
   >>=? fun bytes ->
-  let signature = Ed25519.sign manager_sk bytes in
+  Client_keys.sign manager_sk bytes >>=? fun signature ->
   let signed_bytes = Ed25519.Signature.concat bytes signature in
   let oph = Operation_hash.hash_bytes [ signed_bytes ] in
   Client_node_rpcs.inject_operation
@@ -229,5 +230,5 @@ let originate_contract
     ~counter ~balance ~spendable:spendable
     ~delegatable ?delegatePubKey:delegate
     ~script:{ code ; storage } ~fee () >>=? fun bytes ->
-  let signature = Ed25519.sign src_sk bytes in
+  Client_keys.sign src_sk bytes >>=? fun signature ->
   originate cctxt ~block ~signature bytes

src/proto_alpha/lib_client/client_proto_context.mli

@@ -26,7 +26,8 @@ val get_manager :
   Client_commands.full_context ->
   Client_proto_rpcs.block ->
   Contract.t ->
-  (string * public_key_hash * public_key * secret_key) tzresult Lwt.t
+  (string * public_key_hash *
+   public_key * Client_keys.sk_locator) tzresult Lwt.t
 
 val get_balance:
   #Client_rpcs.ctxt ->
@@ -40,7 +41,7 @@ val set_delegate :
   fee:Tez.tez ->
   Contract.t ->
   src_pk:public_key ->
-  manager_sk:secret_key ->
+  manager_sk:Client_keys.sk_locator ->
   public_key_hash option ->
   Operation_list_hash.elt tzresult Lwt.t
 
@@ -53,13 +54,13 @@ val source_to_keys:
   Client_commands.full_context ->
   Client_proto_rpcs.block ->
   Contract.t ->
-  (public_key * secret_key) tzresult Lwt.t
+  (public_key * Client_keys.sk_locator) tzresult Lwt.t
 
 val originate_account :
   ?branch:int ->
   source:Contract.t ->
   src_pk:public_key ->
-  src_sk:Ed25519.Secret_key.t ->
+  src_sk:Client_keys.sk_locator ->
   manager_pkh:public_key_hash ->
   ?delegatable:bool ->
   ?delegate:public_key_hash ->
@@ -92,7 +93,7 @@ val originate_contract:
   balance:Tez.t ->
   source:Contract.t ->
   src_pk:public_key ->
-  src_sk:Ed25519.Secret_key.t ->
+  src_sk:Client_keys.sk_locator ->
   code:Script.expr ->
   Client_commands.full_context ->
   (Operation_hash.t * Contract.t) tzresult Lwt.t
@@ -110,7 +111,7 @@ val transfer :
   ?branch:int ->
   source:Contract.t ->
   src_pk:public_key ->
-  src_sk:Ed25519.Secret_key.t ->
+  src_sk:Client_keys.sk_locator ->
   destination:Contract.t ->
   ?arg:string ->
   amount:Tez.t ->

src/proto_alpha/lib_client/client_proto_programs.ml

@@ -85,9 +85,9 @@ let trace
   Client_proto_rpcs.Helpers.trace_code cctxt
     block program.expanded (storage.expanded, input.expanded, amount)
 
-let hash_and_sign (data : Michelson_v1_parser.parsed) (typ : Michelson_v1_parser.parsed) key block cctxt =
+let hash_and_sign (data : Michelson_v1_parser.parsed) (typ : Michelson_v1_parser.parsed) sk block cctxt =
   Client_proto_rpcs.Helpers.hash_data cctxt block (data.expanded, typ.expanded) >>=? fun hash ->
-  let signature = Ed25519.sign key (MBytes.of_string hash) in
+  Client_keys.sign sk (MBytes.of_string hash) >>=? fun signature ->
   return (hash,
           signature |>
           Data_encoding.Binary.to_bytes Ed25519.Signature.encoding |>

src/proto_alpha/lib_client/client_proto_programs.mli

@@ -50,7 +50,7 @@ val print_run_result :
 val hash_and_sign :
   Michelson_v1_parser.parsed ->
   Michelson_v1_parser.parsed ->
-  Ed25519.Secret_key.t ->
+  Client_keys.sk_locator ->
   Client_proto_rpcs.block ->
   #Client_rpcs.ctxt ->
   (string * string) tzresult Lwt.t

src/proto_alpha/lib_client/client_proto_programs_commands.ml

@@ -172,8 +172,8 @@ let commands () =
        @@ prefixes [ "for" ]
        @@ Client_keys.Secret_key.alias_param
        @@ stop)
-      (fun () data typ (_, key) cctxt ->
+      (fun () data typ (_, sk) cctxt ->
-         Client_proto_programs.hash_and_sign data typ key cctxt#block cctxt >>= begin function
+         Client_proto_programs.hash_and_sign data typ sk cctxt#block cctxt >>= begin function
            | Ok (hash, signature) ->
                cctxt#message "@[<v 0>Hash: %S@,Signature: %S@]" hash signature
            | Error errs ->

src/proto_genesis/lib_client/client_proto_main.ml

@@ -23,7 +23,7 @@ let call_error_service1 rpc_config s block a1 =
   | Ok (Ok v) -> return v
   | Error _ as err -> Lwt.return err
 
-let bake rpc_config ?(timestamp = Time.now ()) block command seckey =
+let bake rpc_config ?(timestamp = Time.now ()) block command sk =
   let block = Client_rpcs.last_baked_block block in
   let proto_header = Data_encoding.Binary.to_bytes Data.Command.encoding command in
   Client_node_rpcs.Blocks.preapply
@@ -31,7 +31,7 @@ let bake rpc_config ?(timestamp = Time.now ()) block command seckey =
   let blk =
     Data_encoding.Binary.to_bytes Block_header.encoding
       { shell = shell_header ; proto = proto_header } in
-  let signed_blk = Ed25519.Signature.append seckey blk in
+  Client_keys.append sk blk >>=? fun signed_blk ->
   Client_node_rpcs.inject_block rpc_config signed_blk []
 
 let int64_parameter =
@@ -74,12 +74,11 @@ let commands () =
        @@ Client_keys.Secret_key.source_param
          ~name:"password" ~desc:"Dictator's key"
        @@ stop)
-      begin fun timestamp hash fitness validation_passes seckey (cctxt : Client_commands.full_context) ->
+      begin fun timestamp hash fitness validation_passes sk (cctxt : Client_commands.full_context) ->
         let fitness =
           Tezos_client_alpha.Proto_alpha.Fitness_repr.from_int64 fitness in
         bake cctxt ?timestamp cctxt#block
-          (Activate { protocol = hash ; validation_passes ; fitness })
+          (Activate { protocol = hash ; validation_passes ; fitness }) sk >>=? fun hash ->
-          seckey >>=? fun hash ->
         cctxt#answer "Injected %a" Block_hash.pp_short hash >>= fun () ->
         return ()
       end ;
@@ -93,15 +92,15 @@ let commands () =
          ~desc:"Hardcoded number of validation passes (integer)"
          int_parameter
        @@ prefixes [ "and" ; "key" ]
-       @@ Ed25519.Secret_key.param
+       @@ Client_keys.Secret_key.source_param
          ~name:"password" ~desc:"Dictator's key"
        @@ stop)
-      begin fun timestamp hash validation_passes seckey cctxt ->
+      begin fun timestamp hash validation_passes sk cctxt ->
         bake cctxt ?timestamp cctxt#block
           (Activate_testnet { protocol = hash ;
                               validation_passes ;
                               delay = Int64.mul 24L 3600L })
-          seckey >>=? fun hash ->
+          sk >>=? fun hash ->
         cctxt#answer "Injected %a" Block_hash.pp_short hash >>= fun () ->
         return ()
       end ;

src/proto_genesis/lib_client/client_proto_main.mli

@@ -14,6 +14,6 @@ val bake:
   ?timestamp: Time.t ->
   Client_node_rpcs.Blocks.block ->
   Data.Command.t ->
-  Environment.Ed25519.Secret_key.t ->
+  Client_keys.sk_locator ->
   Block_hash.t tzresult Lwt.t
 

test/proto_alpha/proto_alpha_helpers.ml

@@ -34,12 +34,11 @@ let no_write_context config block : Client_commands.full_context = object
   method block = block
 end
 
-let dictator_sk =
-  Ed25519.Secret_key.of_b58check_exn
-    "edsk31vznjHSSpGExDMHYASz45VZqXN4DPxvsa4hAyY8dHM28cZzp6"
-
 let activate_alpha () =
   let fitness = Fitness_repr.from_int64 0L in
+  let dictator_sk = Client_keys.Secret_key_locator.create
+      ~scheme:"unencrypted"
+      ~location:"edsk31vznjHSSpGExDMHYASz45VZqXN4DPxvsa4hAyY8dHM28cZzp6" in
   Tezos_client_genesis.Client_proto_main.bake
     (new Client_rpcs.http_ctxt !rpc_config) (`Head 0)
     (Activate  { protocol = Client_proto_main.protocol ; validation_passes = 1 ;
@@ -138,48 +137,26 @@ module Account = struct
   type bootstrap_accounts = { b1 : t ; b2 : t ; b3 : t ; b4 : t ;  b5 : t  ; }
 
   let bootstrap_accounts =
-    let bootstrap1_pk =
-      Ed25519.Public_key.of_b58check_exn
-        "edpkuBknW28nW72KG6RoHtYW7p12T6GKc7nAbwYX5m8Wd9sDVC9yav" in
-    let bootstrap2_pk =
-      Ed25519.Public_key.of_b58check_exn
-        "edpktzNbDAUjUk697W7gYg2CRuBQjyPxbEg8dLccYYwKSKvkPvjtV9" in
-    let bootstrap3_pk =
-      Ed25519.Public_key.of_b58check_exn
-        "edpkuTXkJDGcFd5nh6VvMz8phXxU3Bi7h6hqgywNFi1vZTfQNnS1RV" in
-    let bootstrap4_pk =
-      Ed25519.Public_key.of_b58check_exn
-        "edpkuFrRoDSEbJYgxRtLx2ps82UdaYc1WwfS9sE11yhauZt5DgCHbU" in
-    let bootstrap5_pk =
-      Ed25519.Public_key.of_b58check_exn
-        "edpkv8EUUH68jmo3f7Um5PezmfGrRF24gnfLpH3sVNwJnV5bVCxL2n" in
     let bootstrap1_sk =
-      Ed25519.Secret_key.of_b58check_exn
       "edsk3gUfUPyBSfrS9CCgmCiQsTCHGkviBDusMxDJstFtojtc1zcpsh" in
     let bootstrap2_sk =
-      Ed25519.Secret_key.of_b58check_exn
       "edsk39qAm1fiMjgmPkw1EgQYkMzkJezLNewd7PLNHTkr6w9XA2zdfo" in
     let bootstrap3_sk =
-      Ed25519.Secret_key.of_b58check_exn
       "edsk4ArLQgBTLWG5FJmnGnT689VKoqhXwmDPBuGx3z4cvwU9MmrPZZ" in
     let bootstrap4_sk =
-      Ed25519.Secret_key.of_b58check_exn
       "edsk2uqQB9AY4FvioK2YMdfmyMrer5R8mGFyuaLLFfSRo8EoyNdht3" in
     let bootstrap5_sk =
-      Ed25519.Secret_key.of_b58check_exn
       "edsk4QLrcijEffxV31gGdN2HU7UpyJjA8drFoNcmnB28n89YjPNRFm" in
     let cpt = ref 0 in
-    match List.map begin fun (pk, sk) ->
+    match List.map begin fun sk ->
         incr cpt ;
+        let sk = Ed25519.Secret_key.of_b58check_exn sk in
         let alias = Printf.sprintf "bootstrap%d" !cpt in
+        let pk = Ed25519.Secret_key.to_public_key sk in
         let pkh = Ed25519.Public_key.hash pk in
         { alias ; contract = Contract.default_contract pkh; pkh ; pk ; sk }
-      end [
+      end [ bootstrap1_sk; bootstrap2_sk; bootstrap3_sk;
-        bootstrap1_pk, bootstrap1_sk;
+            bootstrap4_sk; bootstrap5_sk; ]
-        bootstrap2_pk, bootstrap2_sk;
-        bootstrap3_pk, bootstrap3_sk;
-        bootstrap4_pk, bootstrap4_sk;
-        bootstrap5_pk, bootstrap5_sk; ]
     with
     | [ b1 ; b2 ; b3 ; b4 ; b5 ] -> { b1 ; b2 ; b3 ; b4 ; b5 }
     | _ -> assert false
@@ -190,11 +167,14 @@ module Account = struct
       ~(account:t)
       ~destination
       ~amount () =
+    let src_sk = Client_keys.Secret_key_locator.create
+        ~scheme:"unencrypted"
+        ~location:(Ed25519.Secret_key.to_b58check account.sk) in
     Client_proto_context.transfer (new Client_rpcs.http_ctxt !rpc_config)
       block
       ~source:account.contract
       ~src_pk:account.pk
-      ~src_sk:account.sk
+      ~src_sk
       ~destination
       ~amount
       ~fee ()
@@ -210,10 +190,13 @@ module Account = struct
     let delegatable, delegate = match delegate with
       | None -> false, None
       | Some delegate -> true, Some delegate in
+    let src_sk = Client_keys.Secret_key_locator.create
+        ~scheme:"unencrypted"
+        ~location:(Ed25519.Secret_key.to_b58check src.sk) in
     Client_proto_context.originate_account
       ~source:src.contract
       ~src_pk:src.pk
-      ~src_sk:src.sk
+      ~src_sk
       ~manager_pkh
       ~balance
       ~delegatable
@@ -429,6 +412,9 @@ module Baking = struct
       | Error _ -> assert false
       | Ok nonce -> nonce in
     let seed_nonce_hash = Nonce.hash seed_nonce in
+    let src_sk = Client_keys.Secret_key_locator.create
+        ~scheme:"unencrypted"
+        ~location:(Ed25519.Secret_key.to_b58check contract.sk) in
     Client_baking_forge.forge_block
       (new Client_rpcs.http_ctxt !rpc_config)
       block
@@ -438,7 +424,7 @@ module Baking = struct
       ~sort:false
       ~priority:(`Auto (contract.pkh, Some 1024, false))
       ~seed_nonce_hash
-      ~src_sk:contract.sk
+      ~src_sk
       ()
 
   let endorsement_reward block =

test/proto_alpha/proto_alpha_helpers.mli

@@ -79,7 +79,7 @@ module Account : sig
     ?block:Client_proto_rpcs.block ->
     ?fee: Tez.t ->
     contract:Contract.t ->
-    manager_sk:secret_key ->
+    manager_sk:Client_keys.Secret_key_locator.t ->
     src_pk:public_key ->
     public_key_hash option ->
     Operation_hash.t tzresult Lwt.t

test/proto_alpha/test_origination.ml

@@ -64,10 +64,14 @@ let run blkid ({ b1 ; b2 ; _ } : Helpers.Account.bootstrap_accounts) =
     ~balance:(cents 1000L) () >>=? fun (_oph, d_contract) ->
 
   (* Change delegate of a non-delegatable contract *)
+  let manager_sk = Client_keys.Secret_key_locator.create
+      ~scheme:"unencrypted"
+      ~location:(Ed25519.Secret_key.to_b58check b1.sk) in
+
   Helpers.Account.set_delegate
     ~fee:(cents 5L)
     ~contract:nd_contract
-    ~manager_sk:b1.sk
+    ~manager_sk
     ~src_pk:b1.pk
     (Some b2.pkh) >>= fun result ->
   Assert.non_delegatable ~msg:__LOC__ result ;
@@ -75,7 +79,7 @@ let run blkid ({ b1 ; b2 ; _ } : Helpers.Account.bootstrap_accounts) =
   (* Change delegate of a delegatable contract *)
   Helpers.Account.set_delegate
     ~contract:d_contract
-    ~manager_sk:b1.sk
+    ~manager_sk
     ~src_pk:b1.pk
     (Some b2.pkh) >>=? fun _result ->
   Assert.delegate_equal ~msg:__LOC__ d_contract (Some b2.pkh) >>=? fun () ->

test/test_utils.sh

@@ -196,20 +196,10 @@ assert_fails() {
     fi
 }
 
-BOOTSTRAP1_IDENTITY=tz1KqTpEZ7Yob7QbPE4Hy4Wo8fHG8LhKxZSx
-BOOTSTRAP1_PUBLIC=edpkuBknW28nW72KG6RoHtYW7p12T6GKc7nAbwYX5m8Wd9sDVC9yav
 BOOTSTRAP1_SECRET=edsk3gUfUPyBSfrS9CCgmCiQsTCHGkviBDusMxDJstFtojtc1zcpsh
-BOOTSTRAP2_IDENTITY=tz1gjaF81ZRRvdzjobyfVNsAeSC6PScjfQwN
-BOOTSTRAP2_PUBLIC=edpktzNbDAUjUk697W7gYg2CRuBQjyPxbEg8dLccYYwKSKvkPvjtV9
 BOOTSTRAP2_SECRET=edsk39qAm1fiMjgmPkw1EgQYkMzkJezLNewd7PLNHTkr6w9XA2zdfo
-BOOTSTRAP3_IDENTITY=tz1faswCTDciRzE4oJ9jn2Vm2dvjeyA9fUzU
-BOOTSTRAP3_PUBLIC=edpkuTXkJDGcFd5nh6VvMz8phXxU3Bi7h6hqgywNFi1vZTfQNnS1RV
 BOOTSTRAP3_SECRET=edsk4ArLQgBTLWG5FJmnGnT689VKoqhXwmDPBuGx3z4cvwU9MmrPZZ
-BOOTSTRAP4_IDENTITY=tz1b7tUupMgCNw2cCLpKTkSD1NZzB5TkP2sv
-BOOTSTRAP4_PUBLIC=edpkuFrRoDSEbJYgxRtLx2ps82UdaYc1WwfS9sE11yhauZt5DgCHbU
 BOOTSTRAP4_SECRET=edsk2uqQB9AY4FvioK2YMdfmyMrer5R8mGFyuaLLFfSRo8EoyNdht3
-BOOTSTRAP5_IDENTITY=tz1ddb9NMYHZi5UzPdzTZMYQQZoMub195zgv
-BOOTSTRAP5_PUBLIC=edpkv8EUUH68jmo3f7Um5PezmfGrRF24gnfLpH3sVNwJnV5bVCxL2n
 BOOTSTRAP5_SECRET=edsk4QLrcijEffxV31gGdN2HU7UpyJjA8drFoNcmnB28n89YjPNRFm
 
 KEY1=foo
@@ -217,25 +207,11 @@ KEY2=bar
 
 add_bootstrap_identities() {
     client=${1:-${TZCLIENT}}
-    # ${client} add identity bootstrap1 ${BOOTSTRAP1_IDENTITY}
+    ${client} import unencrypted secret key bootstrap1 ${BOOTSTRAP1_SECRET}
-    ${client} add public key bootstrap1 ${BOOTSTRAP1_PUBLIC}
+    ${client} import unencrypted secret key bootstrap2 ${BOOTSTRAP2_SECRET}
-    ${client} add secret key bootstrap1 ${BOOTSTRAP1_SECRET}
+    ${client} import unencrypted secret key bootstrap3 ${BOOTSTRAP3_SECRET}
-
+    ${client} import unencrypted secret key bootstrap4 ${BOOTSTRAP4_SECRET}
-    # ${client} add identity bootstrap2 ${BOOTSTRAP2_IDENTITY}
+    ${client} import unencrypted secret key bootstrap5 ${BOOTSTRAP5_SECRET}
-    ${client} add public key bootstrap2 ${BOOTSTRAP2_PUBLIC}
-    ${client} add secret key bootstrap2 ${BOOTSTRAP2_SECRET}
-
-    # ${client} add identity bootstrap3 ${BOOTSTRAP3_IDENTITY}
-    ${client} add public key bootstrap3 ${BOOTSTRAP3_PUBLIC}
-    ${client} add secret key bootstrap3 ${BOOTSTRAP3_SECRET}
-
-    # ${client} add identity bootstrap4 ${BOOTSTRAP4_IDENTITY}
-    ${client} add public key bootstrap4 ${BOOTSTRAP4_PUBLIC}
-    ${client} add secret key bootstrap4 ${BOOTSTRAP4_SECRET}
-
-    # ${client} add identity bootstrap5 ${BOOTSTRAP5_IDENTITY}
-    ${client} add public key bootstrap5 ${BOOTSTRAP5_PUBLIC}
-    ${client} add secret key bootstrap5 ${BOOTSTRAP5_SECRET}
 
     sleep 2