Add CLI command to export bundler private key (#3752)

* feat: add export-bundler-key CLI command

Add new CLI command to export bundler private key using the
omni_exportBundlerPrivateKey RPC method. The command:
- Loads authorized ECDSA private key from file
- Connects to worker via WebSocket
- Retrieves worker's RSA shielding public key
- Generates and RSA-encrypts AES key
- Signs timestamp with authorized key
- Calls RPC to get encrypted bundler key
- Decrypts and displays the bundler private key

Usage:
  executor-worker export-bundler-key \
    --authorized-key-path <path> \
    --worker-url <url>

* feat: add print_ecdsa_pubkey helper utility

Add example program to extract compressed ECDSA public key from
a 32-byte seed file. Useful for generating the public key needed
to configure OE_BUNDLER_KEY_EXPORT_AUTHORIZED_PUBKEY.

Usage:
  cargo run --example print_ecdsa_pubkey <path_to_seed_file>

* test: add automated test script for export-bundler-key

Add end-to-end test script that:
- Generates test authorized key
- Extracts public key and configures worker
- Builds and starts worker in background
- Runs export-bundler-key command
- Validates successful key export
- Cleans up resources automatically

Usage:
  cd executor-worker && ./test-export-bundler-key.sh

* fixing fmt issue

Author: silva-fj

tee-worker/omni-executor/Cargo.lock

@@ -7,11 +7,17 @@ edition.workspace = true
 [dependencies]
 alloy = { workspace = true, features = ["signer-local"] }
 clap = { workspace = true, features = ["derive"] }
+ethers = { workspace = true }
 hex = { workspace = true }
+jsonrpsee = { workspace = true, features = ["ws-client"] }
 metrics-exporter-prometheus = { workspace = true }
+rand = { workspace = true }
+rsa = { workspace = true }
 rust_decimal = { workspace = true }
 scale-encode = { workspace = true }
+serde = { workspace = true }
 serde_json = { workspace = true }
+sha2 = { workspace = true }
 tokio = { workspace = true, features = ["macros", "rt-multi-thread", "signal"] }
 tracing = { workspace = true }
 tracing-subscriber = { workspace = true }

tee-worker/omni-executor/executor-worker/Cargo.toml

@@ -0,0 +1,43 @@
+use executor_crypto::{ecdsa, PairTrait};
+use std::env;
+use std::fs;
+use std::process;
+
+fn main() {
+	let args: Vec<String> = env::args().collect();
+
+	if args.len() != 2 {
+		eprintln!("Usage: {} <path_to_32_byte_seed_file>", args[0]);
+		eprintln!("\nExample:");
+		eprintln!("  {} /tmp/test-keys/authorized_key.bin", args[0]);
+		process::exit(1);
+	}
+
+	let key_path = &args[1];
+
+	let seed_bytes = fs::read(key_path).unwrap_or_else(|e| {
+		eprintln!("❌ Error: Failed to read key file '{}': {}", key_path, e);
+		process::exit(1);
+	});
+
+	if seed_bytes.len() != 32 {
+		eprintln!("❌ Error: Invalid key file length. Expected 32 bytes, got {}", seed_bytes.len());
+		process::exit(1);
+	}
+
+	let mut seed = [0u8; 32];
+	seed.copy_from_slice(&seed_bytes);
+
+	let pair = ecdsa::Pair::from_seed_slice(&seed).unwrap_or_else(|e| {
+		eprintln!("❌ Error: Failed to create keypair from seed: {:?}", e);
+		process::exit(1);
+	});
+
+	let pubkey = pair.public();
+	let pubkey_hex = hex::encode(pubkey.0);
+
+	println!("Compressed ECDSA Public Key (33 bytes):");
+	println!("{}", pubkey_hex);
+	println!("\nEnvironment Variable:");
+	println!("OE_BUNDLER_KEY_EXPORT_AUTHORIZED_PUBKEY={}", pubkey_hex);
+}

tee-worker/omni-executor/executor-worker/examples/print_ecdsa_pubkey.rs

@@ -11,6 +11,7 @@ pub struct Cli {
 #[derive(Subcommand)]
 pub enum Commands {
 	Run(Box<RunArgs>),
+	ExportBundlerKey(ExportBundlerKeyArgs),
 }
 
 #[derive(Args)]
@@ -47,3 +48,11 @@ pub struct RunArgs {
 	#[arg(long, default_value = "3456", value_name = "mock server port")]
 	pub mock_server_port: u16,
 }
+
+#[derive(Args)]
+pub struct ExportBundlerKeyArgs {
+	#[arg(short, long, value_name = "path to authorized ECDSA private key file (32-byte seed)")]
+	pub authorized_key_path: String,
+	#[arg(short, long, default_value = "ws://127.0.0.1:3456", value_name = "worker WebSocket URL")]
+	pub worker_url: String,
+}

tee-worker/omni-executor/executor-worker/src/cli.rs

@@ -23,7 +23,7 @@ use alloy::primitives::Address;
 use alloy::signers::local::PrivateKeySigner;
 use binance_api::BinanceApiClient;
 use clap::Parser;
-use cli::{Cli, Commands};
+use cli::{Cli, Commands, ExportBundlerKeyArgs};
 use config_loader::ConfigLoader;
 use cross_chain_intent_executor::{Chain, CrossChainIntentExecutor, RpcEndpointRegistry};
 use ethereum_intent_executor::EthereumIntentExecutor;
@@ -73,6 +73,9 @@ async fn main() -> Result<(), ()> {
 	let cli = Cli::parse();
 
 	match cli.cmd {
+		Commands::ExportBundlerKey(args) => {
+			export_bundler_key(args).await?;
+		},
 		Commands::Run(args) => {
 			if args.enable_mock_server {
 				#[cfg(feature = "mock-server")]
@@ -555,3 +558,144 @@ async fn main() -> Result<(), ()> {
 
 	Ok(())
 }
+
+async fn export_bundler_key(args: ExportBundlerKeyArgs) -> Result<(), ()> {
+	use alloy::primitives::keccak256;
+	use executor_crypto::{
+		aes256::{aes_decrypt, Aes256Key, Aes256KeyNonce, AesOutput},
+		ecdsa, PairTrait,
+	};
+	use jsonrpsee::{core::client::ClientT, rpc_params, ws_client::WsClientBuilder};
+	use rsa::{Oaep, RsaPublicKey};
+	use sha2::Sha256;
+	use std::time::{SystemTime, UNIX_EPOCH};
+
+	info!("Loading authorized key from: {}", args.authorized_key_path);
+
+	let authorized_key_bytes = std::fs::read(&args.authorized_key_path).map_err(|e| {
+		error!("Failed to read authorized key file: {:?}", e);
+		eprintln!("❌ Error: Failed to read authorized key file: {}", e);
+	})?;
+
+	if authorized_key_bytes.len() != 32 {
+		error!(
+			"Invalid authorized key length: expected 32 bytes, got {}",
+			authorized_key_bytes.len()
+		);
+		eprintln!("❌ Error: Invalid authorized key file (expected 32 bytes)");
+		return Err(());
+	}
+
+	let mut authorized_seed = [0u8; 32];
+	authorized_seed.copy_from_slice(&authorized_key_bytes);
+
+	let authorized_pair = ecdsa::Pair::from_seed_slice(&authorized_seed).map_err(|e| {
+		error!("Failed to create keypair from seed: {:?}", e);
+		eprintln!("❌ Error: Failed to create keypair from authorized key");
+	})?;
+
+	info!("Authorized public key: {:?}", authorized_pair.public());
+
+	info!("Connecting to worker at: {}", args.worker_url);
+	let client = WsClientBuilder::default().build(&args.worker_url).await.map_err(|e| {
+		error!("Failed to connect to worker: {:?}", e);
+		eprintln!("❌ Error: Failed to connect to worker at {}: {}", args.worker_url, e);
+	})?;
+
+	info!("Getting shielding key from worker...");
+	#[derive(serde::Deserialize, Debug)]
+	struct ShieldingKeyResponse {
+		n: ethers::types::Bytes,
+		e: ethers::types::Bytes,
+	}
+
+	let shielding_key: ShieldingKeyResponse =
+		client.request("omni_getShieldingKey", rpc_params![]).await.map_err(|e| {
+			error!("Failed to get shielding key: {:?}", e);
+			eprintln!("❌ Error: Failed to get shielding key from worker: {}", e);
+		})?;
+
+	let mut n_bytes = shielding_key.n.to_vec();
+	n_bytes.reverse();
+	let mut e_bytes = shielding_key.e.to_vec();
+	e_bytes.reverse();
+
+	let rsa_public_key = RsaPublicKey::new(
+		rsa::BigUint::from_bytes_be(&n_bytes),
+		rsa::BigUint::from_bytes_be(&e_bytes),
+	)
+	.map_err(|e| {
+		error!("Failed to create RSA public key: {:?}", e);
+		eprintln!("❌ Error: Failed to create RSA public key: {}", e);
+	})?;
+
+	info!("Generating random AES key...");
+	let aes_key: Aes256Key = rand::random();
+
+	info!("RSA-encrypting AES key...");
+	let encrypted_aes_key = rsa_public_key
+		.encrypt(&mut rand::thread_rng(), Oaep::new::<Sha256>(), &aes_key)
+		.map_err(|e| {
+			error!("Failed to RSA-encrypt AES key: {:?}", e);
+			eprintln!("❌ Error: Failed to RSA-encrypt AES key: {}", e);
+		})?;
+
+	let timestamp = SystemTime::now()
+		.duration_since(UNIX_EPOCH)
+		.map_err(|e| {
+			error!("Failed to get current time: {:?}", e);
+			eprintln!("❌ Error: System time error");
+		})?
+		.as_millis() as u64;
+
+	info!("Signing timestamp: {}", timestamp);
+	let timestamp_str = timestamp.to_string();
+	let challenge_hash = keccak256(timestamp_str.as_bytes());
+	let signature = authorized_pair.sign_prehashed(&challenge_hash.0);
+
+	let signature_hex = format!("0x{}", hex::encode(signature.0));
+	let encrypted_key_hex = format!("0x{}", hex::encode(&encrypted_aes_key));
+
+	info!("Calling omni_exportBundlerPrivateKey RPC...");
+	#[derive(serde::Deserialize, Debug)]
+	struct SerdeAesOutput {
+		ciphertext: ethers::types::Bytes,
+		aad: ethers::types::Bytes,
+		nonce: ethers::types::Bytes,
+	}
+
+	let encrypted_response: SerdeAesOutput = client
+		.request(
+			"omni_exportBundlerPrivateKey",
+			rpc_params![timestamp, signature_hex, encrypted_key_hex],
+		)
+		.await
+		.map_err(|e| {
+			error!("RPC call failed: {:?}", e);
+			eprintln!("❌ Error: RPC call failed: {}", e);
+		})?;
+
+	info!("Decrypting bundler private key...");
+	let nonce: Aes256KeyNonce = encrypted_response.nonce.to_vec().try_into().map_err(|_| {
+		error!("Invalid nonce length in response");
+		eprintln!("❌ Error: Invalid response nonce length");
+	})?;
+
+	let mut aes_output = AesOutput {
+		ciphertext: encrypted_response.ciphertext.to_vec(),
+		aad: encrypted_response.aad.to_vec(),
+		nonce,
+	};
+
+	let bundler_key = aes_decrypt(&aes_key, &mut aes_output).ok_or_else(|| {
+		error!("Failed to decrypt bundler private key");
+		eprintln!("❌ Error: Failed to decrypt bundler private key");
+	})?;
+
+	let bundler_key_hex = format!("0x{}", hex::encode(&bundler_key));
+
+	println!("\n✅ Bundler Private Key: {}", bundler_key_hex);
+	println!("⚠️  WARNING: This is a sensitive key. Store it securely and never share it.\n");
+
+	Ok(())
+}