tendermint/keys/cryptostore/encoder.go

package cryptostore

import (
	"github.com/pkg/errors"

	crypto "github.com/tendermint/go-crypto"
	"github.com/tendermint/go-crypto/bcrypt"
)

const (
	// BcryptCost is as parameter to increase the resistance of the
	// encoded keys to brute force password guessing
	//
	// Jae: 14 is good today (2016)
	//
	// Ethan: loading the key (at each signing) takes a second on my desktop,
	// this is hard for laptops and deadly for mobile. You can raise it again,
	// but for now, I will make this usable
	//
	// TODO: review value
	BCryptCost = 12
)

var (
	// SecretBox uses the algorithm from NaCL to store secrets securely
	SecretBox Encoder = secretbox{}
	// Noop doesn't do any encryption, should only be used in test code
	Noop Encoder = noop{}
)

// Encoder is used to encrypt any key with a passphrase for storage.
//
// This should use a well-designed symetric encryption algorithm
type Encoder interface {
	Encrypt(privKey crypto.PrivKey, passphrase string) (saltBytes []byte, encBytes []byte, err error)
	Decrypt(saltBytes []byte, encBytes []byte, passphrase string) (privKey crypto.PrivKey, err error)
}

type secretbox struct{}

func (e secretbox) Encrypt(privKey crypto.PrivKey, passphrase string) (saltBytes []byte, encBytes []byte, err error) {
	if passphrase == "" {
		return nil, privKey.Bytes(), nil
	}

	saltBytes = crypto.CRandBytes(16)
	key, err := bcrypt.GenerateFromPassword(saltBytes, []byte(passphrase), BCryptCost)
	if err != nil {
		return nil, nil, errors.Wrap(err, "Couldn't generate bcrypt key from passphrase.")
	}
	key = crypto.Sha256(key) // Get 32 bytes
	privKeyBytes := privKey.Bytes()
	return saltBytes, crypto.EncryptSymmetric(privKeyBytes, key), nil
}

func (e secretbox) Decrypt(saltBytes []byte, encBytes []byte, passphrase string) (privKey crypto.PrivKey, err error) {
	privKeyBytes := encBytes
	// NOTE: Some keys weren't encrypted with a passphrase and hence we have the conditional
	if passphrase != "" {
		var key []byte
		key, err = bcrypt.GenerateFromPassword(saltBytes, []byte(passphrase), BCryptCost)
		if err != nil {
			return crypto.PrivKey{}, errors.Wrap(err, "Invalid Passphrase")
		}
		key = crypto.Sha256(key) // Get 32 bytes
		privKeyBytes, err = crypto.DecryptSymmetric(encBytes, key)
		if err != nil {
			return crypto.PrivKey{}, errors.Wrap(err, "Invalid Passphrase")
		}
	}
	privKey, err = crypto.PrivKeyFromBytes(privKeyBytes)
	if err != nil {
		return crypto.PrivKey{}, errors.Wrap(err, "Private Key")
	}
	return privKey, nil
}

type noop struct{}

func (n noop) Encrypt(key crypto.PrivKey, passphrase string) (saltBytes []byte, encBytes []byte, err error) {
	return []byte{}, key.Bytes(), nil
}

func (n noop) Decrypt(saltBytes []byte, encBytes []byte, passphrase string) (privKey crypto.PrivKey, err error) {
	return crypto.PrivKeyFromBytes(encBytes)
}
Import keystore logic from light-client 2017-02-28 18:07:59 +01:00			`package cryptostore`

			`import (`
			`"github.com/pkg/errors"`
Upgrade keys to use bcrypt with salts (#38) This commit adds salts to the library using bcrypt. 2017-10-12 14:26:59 +02:00
Import keystore logic from light-client 2017-02-28 18:07:59 +01:00			`crypto "github.com/tendermint/go-crypto"`
Upgrade keys to use bcrypt with salts (#38) This commit adds salts to the library using bcrypt. 2017-10-12 14:26:59 +02:00			`"github.com/tendermint/go-crypto/bcrypt"`
Import keystore logic from light-client 2017-02-28 18:07:59 +01:00			`)`

Parameterize and lower bcrypt cost 2017-10-24 11:48:13 +02:00			`const (`
			`// BcryptCost is as parameter to increase the resistance of the`
			`// encoded keys to brute force password guessing`
			`//`
			`// Jae: 14 is good today (2016)`
			`//`
			`// Ethan: loading the key (at each signing) takes a second on my desktop,`
			`// this is hard for laptops and deadly for mobile. You can raise it again,`
			`// but for now, I will make this usable`
			`//`
			`// TODO: review value`
			`BCryptCost = 12`
			`)`

Import keystore logic from light-client 2017-02-28 18:07:59 +01:00			`var (`
			`// SecretBox uses the algorithm from NaCL to store secrets securely`
			`SecretBox Encoder = secretbox{}`
			`// Noop doesn't do any encryption, should only be used in test code`
			`Noop Encoder = noop{}`
			`)`

			`// Encoder is used to encrypt any key with a passphrase for storage.`
			`//`
			`// This should use a well-designed symetric encryption algorithm`
			`type Encoder interface {`
Upgrade keys to use bcrypt with salts (#38) This commit adds salts to the library using bcrypt. 2017-10-12 14:26:59 +02:00			`Encrypt(privKey crypto.PrivKey, passphrase string) (saltBytes []byte, encBytes []byte, err error)`
			`Decrypt(saltBytes []byte, encBytes []byte, passphrase string) (privKey crypto.PrivKey, err error)`
Import keystore logic from light-client 2017-02-28 18:07:59 +01:00			`}`

			`type secretbox struct{}`

Upgrade keys to use bcrypt with salts (#38) This commit adds salts to the library using bcrypt. 2017-10-12 14:26:59 +02:00			`func (e secretbox) Encrypt(privKey crypto.PrivKey, passphrase string) (saltBytes []byte, encBytes []byte, err error) {`
			`if passphrase == "" {`
			`return nil, privKey.Bytes(), nil`
			`}`

			`saltBytes = crypto.CRandBytes(16)`
Parameterize and lower bcrypt cost 2017-10-24 11:48:13 +02:00			`key, err := bcrypt.GenerateFromPassword(saltBytes, []byte(passphrase), BCryptCost)`
Upgrade keys to use bcrypt with salts (#38) This commit adds salts to the library using bcrypt. 2017-10-12 14:26:59 +02:00			`if err != nil {`
			`return nil, nil, errors.Wrap(err, "Couldn't generate bcrypt key from passphrase.")`
encoder accepts empty string as unencoded bytes 2017-08-29 20:42:50 +02:00			`}`
Upgrade keys to use bcrypt with salts (#38) This commit adds salts to the library using bcrypt. 2017-10-12 14:26:59 +02:00			`key = crypto.Sha256(key) // Get 32 bytes`
			`privKeyBytes := privKey.Bytes()`
			`return saltBytes, crypto.EncryptSymmetric(privKeyBytes, key), nil`
Import keystore logic from light-client 2017-02-28 18:07:59 +01:00			`}`

Fix bug introduced by metalinting... 2017-10-24 12:14:20 +02:00			`func (e secretbox) Decrypt(saltBytes []byte, encBytes []byte, passphrase string) (privKey crypto.PrivKey, err error) {`
Upgrade keys to use bcrypt with salts (#38) This commit adds salts to the library using bcrypt. 2017-10-12 14:26:59 +02:00			`privKeyBytes := encBytes`
			`// NOTE: Some keys weren't encrypted with a passphrase and hence we have the conditional`
			`if passphrase != "" {`
Fix bug introduced by metalinting... 2017-10-24 12:14:20 +02:00			`var key []byte`
Parameterize and lower bcrypt cost 2017-10-24 11:48:13 +02:00			`key, err = bcrypt.GenerateFromPassword(saltBytes, []byte(passphrase), BCryptCost)`
encoder accepts empty string as unencoded bytes 2017-08-29 20:42:50 +02:00			`if err != nil {`
			`return crypto.PrivKey{}, errors.Wrap(err, "Invalid Passphrase")`
			`}`
Upgrade keys to use bcrypt with salts (#38) This commit adds salts to the library using bcrypt. 2017-10-12 14:26:59 +02:00			`key = crypto.Sha256(key) // Get 32 bytes`
			`privKeyBytes, err = crypto.DecryptSymmetric(encBytes, key)`
			`if err != nil {`
			`return crypto.PrivKey{}, errors.Wrap(err, "Invalid Passphrase")`
			`}`
			`}`
Fix bug introduced by metalinting... 2017-10-24 12:14:20 +02:00			`privKey, err = crypto.PrivKeyFromBytes(privKeyBytes)`
Upgrade keys to use bcrypt with salts (#38) This commit adds salts to the library using bcrypt. 2017-10-12 14:26:59 +02:00			`if err != nil {`
Improve error message 2017-10-23 18:39:34 +02:00			`return crypto.PrivKey{}, errors.Wrap(err, "Private Key")`
Import keystore logic from light-client 2017-02-28 18:07:59 +01:00			`}`
Upgrade keys to use bcrypt with salts (#38) This commit adds salts to the library using bcrypt. 2017-10-12 14:26:59 +02:00			`return privKey, nil`
Import keystore logic from light-client 2017-02-28 18:07:59 +01:00			`}`

			`type noop struct{}`

Upgrade keys to use bcrypt with salts (#38) This commit adds salts to the library using bcrypt. 2017-10-12 14:26:59 +02:00			`func (n noop) Encrypt(key crypto.PrivKey, passphrase string) (saltBytes []byte, encBytes []byte, err error) {`
			`return []byte{}, key.Bytes(), nil`
Import keystore logic from light-client 2017-02-28 18:07:59 +01:00			`}`

Upgrade keys to use bcrypt with salts (#38) This commit adds salts to the library using bcrypt. 2017-10-12 14:26:59 +02:00			`func (n noop) Decrypt(saltBytes []byte, encBytes []byte, passphrase string) (privKey crypto.PrivKey, err error) {`
			`return crypto.PrivKeyFromBytes(encBytes)`
Import keystore logic from light-client 2017-02-28 18:07:59 +01:00			`}`