|
@ -7,6 +7,20 @@ import ( |
|
|
"github.com/tendermint/go-crypto/bcrypt" |
|
|
"github.com/tendermint/go-crypto/bcrypt" |
|
|
) |
|
|
) |
|
|
|
|
|
|
|
|
|
|
|
const ( |
|
|
|
|
|
// BcryptCost is as parameter to increase the resistance of the
|
|
|
|
|
|
// encoded keys to brute force password guessing
|
|
|
|
|
|
//
|
|
|
|
|
|
// Jae: 14 is good today (2016)
|
|
|
|
|
|
//
|
|
|
|
|
|
// Ethan: loading the key (at each signing) takes a second on my desktop,
|
|
|
|
|
|
// this is hard for laptops and deadly for mobile. You can raise it again,
|
|
|
|
|
|
// but for now, I will make this usable
|
|
|
|
|
|
//
|
|
|
|
|
|
// TODO: review value
|
|
|
|
|
|
BCryptCost = 12 |
|
|
|
|
|
) |
|
|
|
|
|
|
|
|
var ( |
|
|
var ( |
|
|
// SecretBox uses the algorithm from NaCL to store secrets securely
|
|
|
// SecretBox uses the algorithm from NaCL to store secrets securely
|
|
|
SecretBox Encoder = secretbox{} |
|
|
SecretBox Encoder = secretbox{} |
|
@ -30,7 +44,7 @@ func (e secretbox) Encrypt(privKey crypto.PrivKey, passphrase string) (saltBytes |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
saltBytes = crypto.CRandBytes(16) |
|
|
saltBytes = crypto.CRandBytes(16) |
|
|
key, err := bcrypt.GenerateFromPassword(saltBytes, []byte(passphrase), 14) // TODO parameterize. 14 is good today (2016)
|
|
|
|
|
|
|
|
|
key, err := bcrypt.GenerateFromPassword(saltBytes, []byte(passphrase), BCryptCost) |
|
|
if err != nil { |
|
|
if err != nil { |
|
|
return nil, nil, errors.Wrap(err, "Couldn't generate bcrypt key from passphrase.") |
|
|
return nil, nil, errors.Wrap(err, "Couldn't generate bcrypt key from passphrase.") |
|
|
} |
|
|
} |
|
@ -44,7 +58,7 @@ func (e secretbox) Decrypt(saltBytes []byte, encBytes []byte, passphrase string) |
|
|
// NOTE: Some keys weren't encrypted with a passphrase and hence we have the conditional
|
|
|
// NOTE: Some keys weren't encrypted with a passphrase and hence we have the conditional
|
|
|
if passphrase != "" { |
|
|
if passphrase != "" { |
|
|
var key []byte |
|
|
var key []byte |
|
|
key, err = bcrypt.GenerateFromPassword(saltBytes, []byte(passphrase), 14) // TODO parameterize. 14 is good today (2016)
|
|
|
|
|
|
|
|
|
key, err = bcrypt.GenerateFromPassword(saltBytes, []byte(passphrase), BCryptCost) |
|
|
if err != nil { |
|
|
if err != nil { |
|
|
return crypto.PrivKey{}, errors.Wrap(err, "Invalid Passphrase") |
|
|
return crypto.PrivKey{}, errors.Wrap(err, "Invalid Passphrase") |
|
|
} |
|
|
} |
|
|