You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

174 lines
4.8 KiB

  1. package cryptostore
  2. import (
  3. "strings"
  4. crypto "github.com/tendermint/go-crypto"
  5. keys "github.com/tendermint/go-crypto/keys"
  6. )
  7. // Manager combines encyption and storage implementation to provide
  8. // a full-featured key manager
  9. type Manager struct {
  10. es encryptedStorage
  11. codec keys.Codec
  12. }
  13. func New(coder Encoder, store keys.Storage, codec keys.Codec) Manager {
  14. return Manager{
  15. es: encryptedStorage{
  16. coder: coder,
  17. store: store,
  18. },
  19. codec: codec,
  20. }
  21. }
  22. // exists just to make sure we fulfill the Signer interface
  23. func (s Manager) assertSigner() keys.Signer {
  24. return s
  25. }
  26. // exists just to make sure we fulfill the Manager interface
  27. func (s Manager) assertKeyManager() keys.Manager {
  28. return s
  29. }
  30. // Create adds a new key to the storage engine, returning error if
  31. // another key already stored under this name
  32. //
  33. // algo must be a supported go-crypto algorithm: ed25519, secp256k1
  34. func (s Manager) Create(name, passphrase, algo string) (keys.Info, string, error) {
  35. gen, err := getGenerator(algo)
  36. if err != nil {
  37. return keys.Info{}, "", err
  38. }
  39. // 128-bits are the all the randomness we can make use of
  40. secret := crypto.CRandBytes(16)
  41. key := gen.Generate(secret)
  42. err = s.es.Put(name, passphrase, key)
  43. if err != nil {
  44. return keys.Info{}, "", err
  45. }
  46. // we append the type byte to the serialized secret to help with recovery
  47. // ie [secret] = [secret] + [type]
  48. typ := key.Bytes()[0]
  49. secret = append(secret, typ)
  50. seed, err := s.codec.BytesToWords(secret)
  51. phrase := strings.Join(seed, " ")
  52. return info(name, key), phrase, err
  53. }
  54. // Recover takes a seed phrase and tries to recover the private key.
  55. //
  56. // If the seed phrase is valid, it will create the private key and store
  57. // it under name, protected by passphrase.
  58. //
  59. // Result similar to New(), except it doesn't return the seed again...
  60. func (s Manager) Recover(name, passphrase, seedphrase string) (keys.Info, error) {
  61. words := strings.Split(strings.TrimSpace(seedphrase), " ")
  62. secret, err := s.codec.WordsToBytes(words)
  63. if err != nil {
  64. return keys.Info{}, err
  65. }
  66. // secret is comprised of the actual secret with the type appended
  67. // ie [secret] = [secret] + [type]
  68. l := len(secret)
  69. secret, typ := secret[:l-1], secret[l-1]
  70. gen, err := getGeneratorByType(typ)
  71. if err != nil {
  72. return keys.Info{}, err
  73. }
  74. key := gen.Generate(secret)
  75. // d00d, it worked! create the bugger....
  76. err = s.es.Put(name, passphrase, key)
  77. return info(name, key), err
  78. }
  79. // List loads the keys from the storage and enforces alphabetical order
  80. func (s Manager) List() (keys.Infos, error) {
  81. res, err := s.es.List()
  82. res.Sort()
  83. return res, err
  84. }
  85. // Get returns the public information about one key
  86. func (s Manager) Get(name string) (keys.Info, error) {
  87. _, info, err := s.es.store.Get(name)
  88. return info, err
  89. }
  90. // Sign will modify the Signable in order to attach a valid signature with
  91. // this public key
  92. //
  93. // If no key for this name, or the passphrase doesn't match, returns an error
  94. func (s Manager) Sign(name, passphrase string, tx keys.Signable) error {
  95. key, _, err := s.es.Get(name, passphrase)
  96. if err != nil {
  97. return err
  98. }
  99. sig := key.Sign(tx.SignBytes())
  100. pubkey := key.PubKey()
  101. return tx.Sign(pubkey, sig)
  102. }
  103. // Export decodes the private key with the current password, encodes
  104. // it with a secure one-time password and generates a sequence that can be
  105. // Imported by another Manager
  106. //
  107. // This is designed to copy from one device to another, or provide backups
  108. // during version updates.
  109. func (s Manager) Export(name, oldpass, transferpass string) ([]byte, error) {
  110. key, _, err := s.es.Get(name, oldpass)
  111. if err != nil {
  112. return nil, err
  113. }
  114. res, err := s.es.coder.Encrypt(key, transferpass)
  115. return res, err
  116. }
  117. // Import accepts bytes generated by Export along with the same transferpass
  118. // If they are valid, it stores the password under the given name with the
  119. // new passphrase.
  120. func (s Manager) Import(name, newpass, transferpass string, data []byte) error {
  121. key, err := s.es.coder.Decrypt(data, transferpass)
  122. if err != nil {
  123. return err
  124. }
  125. return s.es.Put(name, newpass, key)
  126. }
  127. // Delete removes key forever, but we must present the
  128. // proper passphrase before deleting it (for security)
  129. func (s Manager) Delete(name, passphrase string) error {
  130. // verify we have the proper password before deleting
  131. _, _, err := s.es.Get(name, passphrase)
  132. if err != nil {
  133. return err
  134. }
  135. return s.es.Delete(name)
  136. }
  137. // Update changes the passphrase with which a already stored key is encoded.
  138. //
  139. // oldpass must be the current passphrase used for encoding, newpass will be
  140. // the only valid passphrase from this time forward
  141. func (s Manager) Update(name, oldpass, newpass string) error {
  142. key, _, err := s.es.Get(name, oldpass)
  143. if err != nil {
  144. return err
  145. }
  146. // we must delete first, as Putting over an existing name returns an error
  147. s.Delete(name, oldpass)
  148. return s.es.Put(name, newpass, key)
  149. }