Configurable keys security (#1080)
* adding options & cli flags * adding it to the key deriving * removed duplicated option
This commit is contained in:
Nikolay Volf
Gav Wood
parent
9b91444638
commit
2b78e511c9
|
|
@ -42,6 +42,9 @@ Account Options:
|
|||
ACCOUNTS is a comma-delimited list of addresses.
|
||||
--password FILE Provide a file containing a password for unlocking
|
||||
an account.
|
||||
--keys-iterations NUM Specify the number of iterations to use when deriving key
|
||||
from the password (bigger is more secure)
|
||||
[default: 10240].
|
||||
|
||||
Networking Options:
|
||||
--port PORT Override the port on which the node should listen
|
||||
|
|
@ -182,6 +185,7 @@ pub struct Args {
|
|||
pub flag_password: Vec<String>,
|
||||
pub flag_cache: Option<usize>,
|
||||
pub flag_keys_path: String,
|
||||
pub flag_keys_iterations: u32,
|
||||
pub flag_bootnodes: Option<String>,
|
||||
pub flag_network_id: Option<String>,
|
||||
pub flag_pruning: String,
|
||||
|
|
|
|||
|
|
@ -117,6 +117,10 @@ impl Configuration {
|
|||
self.args.flag_keys_path.replace("$HOME", env::home_dir().unwrap().to_str().unwrap())
|
||||
}
|
||||
|
||||
pub fn keys_iterations(&self) -> u32 {
|
||||
self.args.flag_keys_iterations
|
||||
}
|
||||
|
||||
pub fn spec(&self) -> Spec {
|
||||
match self.chain().as_str() {
|
||||
"frontier" | "homestead" | "mainnet" => ethereum::new_frontier(),
|
||||
|
|
@ -245,7 +249,7 @@ impl Configuration {
|
|||
.collect::<Vec<_>>()
|
||||
.into_iter()
|
||||
}).collect::<Vec<_>>();
|
||||
let account_service = AccountService::new_in(Path::new(&self.keys_path()));
|
||||
let account_service = AccountService::with_security(Path::new(&self.keys_path()), self.keys_iterations());
|
||||
if let Some(ref unlocks) = self.args.flag_unlock {
|
||||
for d in unlocks.split(',') {
|
||||
let a = Address::from_str(clean_0x(&d)).unwrap_or_else(|_| {
|
||||
|
|
|
|||
|
|
@ -219,7 +219,7 @@ fn flush_stdout() {
|
|||
fn execute_account_cli(conf: Configuration) {
|
||||
use util::keys::store::SecretStore;
|
||||
use rpassword::read_password;
|
||||
let mut secret_store = SecretStore::new_in(Path::new(&conf.keys_path()));
|
||||
let mut secret_store = SecretStore::with_security(Path::new(&conf.keys_path()), conf.keys_iterations());
|
||||
if conf.args.cmd_new {
|
||||
println!("Please note that password is NOT RECOVERABLE.");
|
||||
print!("Type password: ");
|
||||
|
|
|
|||
|
|
@ -73,6 +73,7 @@ pub enum SigningError {
|
|||
pub struct SecretStore {
|
||||
directory: KeyDirectory,
|
||||
unlocks: RwLock<HashMap<Address, AccountUnlock>>,
|
||||
key_iterations: u32,
|
||||
}
|
||||
|
||||
struct AccountUnlock {
|
||||
|
|
@ -128,10 +129,15 @@ impl AccountProvider for AccountService {
|
|||
impl AccountService {
|
||||
/// New account service with the keys store in specific location
|
||||
pub fn new_in(path: &Path) -> Self {
|
||||
let secret_store = RwLock::new(SecretStore::new_in(path));
|
||||
AccountService::with_security(path, KEY_ITERATIONS)
|
||||
}
|
||||
|
||||
/// New account service with the keys store in specific location and configured security parameters
|
||||
pub fn with_security(path: &Path, key_iterations: u32) -> Self {
|
||||
let secret_store = RwLock::new(SecretStore::with_security(path, key_iterations));
|
||||
secret_store.write().unwrap().try_import_existing();
|
||||
AccountService {
|
||||
secret_store: secret_store
|
||||
secret_store: secret_store,
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -157,10 +163,16 @@ impl AccountService {
|
|||
impl SecretStore {
|
||||
/// new instance of Secret Store in specific directory
|
||||
pub fn new_in(path: &Path) -> Self {
|
||||
SecretStore::with_security(path, KEY_ITERATIONS)
|
||||
}
|
||||
|
||||
/// new instance of Secret Store in specific directory and configured security parameters
|
||||
pub fn with_security(path: &Path, key_iterations: u32) -> Self {
|
||||
::std::fs::create_dir_all(&path).expect("Cannot access requested key directory - critical");
|
||||
SecretStore {
|
||||
directory: KeyDirectory::new(path),
|
||||
unlocks: RwLock::new(HashMap::new()),
|
||||
key_iterations: key_iterations,
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -206,6 +218,7 @@ impl SecretStore {
|
|||
SecretStore {
|
||||
directory: KeyDirectory::new(path.as_path()),
|
||||
unlocks: RwLock::new(HashMap::new()),
|
||||
key_iterations: KEY_ITERATIONS,
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -289,8 +302,8 @@ fn derive_key_iterations(password: &str, salt: &H256, c: u32) -> (Bytes, Bytes)
|
|||
(derived_right_bits.to_vec(), derived_left_bits.to_vec())
|
||||
}
|
||||
|
||||
fn derive_key(password: &str, salt: &H256) -> (Bytes, Bytes) {
|
||||
derive_key_iterations(password, salt, KEY_ITERATIONS)
|
||||
fn derive_key(password: &str, salt: &H256, iterations: u32) -> (Bytes, Bytes) {
|
||||
derive_key_iterations(password, salt, iterations)
|
||||
}
|
||||
|
||||
fn derive_key_scrypt(password: &str, salt: &H256, n: u32, p: u32, r: u32) -> (Bytes, Bytes) {
|
||||
|
|
@ -346,7 +359,7 @@ impl EncryptedHashMap<H128> for SecretStore {
|
|||
|
||||
// two parts of derived key
|
||||
// DK = [ DK[0..15] DK[16..31] ] = [derived_left_bits, derived_right_bits]
|
||||
let (derived_left_bits, derived_right_bits) = derive_key(password, &salt);
|
||||
let (derived_left_bits, derived_right_bits) = derive_key(password, &salt, self.key_iterations);
|
||||
|
||||
let mut cipher_text = vec![0u8; value.as_slice().len()];
|
||||
// aes-128-ctr with initial vector of iv
|
||||
|
|
@ -361,7 +374,7 @@ impl EncryptedHashMap<H128> for SecretStore {
|
|||
iv,
|
||||
salt,
|
||||
mac,
|
||||
KEY_ITERATIONS,
|
||||
self.key_iterations,
|
||||
KEY_LENGTH));
|
||||
key_file.id = key;
|
||||
if let Err(io_error) = self.directory.save(key_file) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue