Canton Signing Key format

I’m working on a service that will generate a keypair immediately on request for a participant and later inject it into the participant (rather than waiting for the keypair to be created on initial startup of participants). While testing my keys in the canton console, it’s unclear what format the key file should be in. These are the commands I ran in the console (started the instance with ./bin/canton -c examples/01-simple-topology/simple-topology.conf --manual-start):

val participant = participants.local.head
participant.keys.secret.upload("/identity/secret.key", Some("an-identity"))

Where the secret.key is generated from: openssl ecparam -name secp256k1 -genkey -noout -out ec-secp256k1-priv-key.pem.

I have also tried to generate the key programmatically using the following:

Security.addProvider(new BouncyCastleProvider())
CryptoParams(keySize = 256, algorithm = "ECDSA", signatureAlgorithm = "SHA256WithECDSA", provider = BouncyCastleProvider.PROVIDER_NAME)
val keyPairGenerator = KeyPairGenerator.getInstance(crytoParams.algorithm, BouncyCastleProvider.PROVIDER_NAME)
keyPairGenerator.initialize(crytoParams.keySize)
val keyPair = keyPairGenerator.generateKeyPair()
writeByteArray(keyPair.privateKey.getEncoded)

Do you have any guidance on what I should change?

Hi, I will try this myself to better understand what is happening (maybe something related with the key format). Do you have the error message you get?

My understanding is that Canton keys are handled and stored in a Google Protobuf format and it is not possible to use standard X509 or RSA/ED25519 formatted certificates.

What is the use case? If it is to pre-define keys then this may need to be done using an offline instance of Canton and go through initialization phase.

I get the following error message: java.lang.IllegalArgumentException: Problem while importing key pair. Error: Failed to parse crypto key pair: BufferException(com.google.protobuf.InvalidProtocolBufferException: Protocol message contained an invalid tag (zero).), BufferException(com.google.protobuf.InvalidProtocolBufferException: Protocol message contained an invalid tag (zero).)

So this aligns with probably needing to serialize the keys into protobuf. Would you be able to show me where in the canton codebase the key serialization is occurring?

Additionally, as a bit more background for this, we are creating a service that will have an endpoint for our internal joiner-service (connect+ to join a participant and domain) to hit when creating a participant and these encrypted key pairs with be stored on the admin ledger