grassrootseconomics/openethereum
8
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Configurable keys security (#1080)

Browse Source 
* adding options & cli flags

* adding it to the key deriving

* removed duplicated option
This commit is contained in:
Nikolay Volf 2016-05-14 14:30:25 +03:00 committed by Gav Wood
parent 9b91444638
commit 2b78e511c9
4 changed files with 29 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
parity/cli.rs
View File

@ -42,6 +42,9 @@ Account Options:
ACCOUNTS is a comma-delimited list of addresses. ACCOUNTS is a comma-delimited list of addresses.
--password FILE Provide a file containing a password for unlocking --password FILE Provide a file containing a password for unlocking
an account. an account.
--keys-iterations NUM Specify the number of iterations to use when deriving key
from the password (bigger is more secure)
[default: 10240].
Networking Options: Networking Options:
--port PORT Override the port on which the node should listen --port PORT Override the port on which the node should listen
@ -182,6 +185,7 @@ pub struct Args {
pub flag_password: Vec<String>, pub flag_password: Vec<String>,
pub flag_cache: Option<usize>, pub flag_cache: Option<usize>,
pub flag_keys_path: String, pub flag_keys_path: String,
pub flag_keys_iterations: u32,
pub flag_bootnodes: Option<String>, pub flag_bootnodes: Option<String>,
pub flag_network_id: Option<String>, pub flag_network_id: Option<String>,
pub flag_pruning: String, pub flag_pruning: String,

6
parity/configuration.rs
View File

@ -117,6 +117,10 @@ impl Configuration {
self.args.flag_keys_path.replace("$HOME", env::home_dir().unwrap().to_str().unwrap()) self.args.flag_keys_path.replace("$HOME", env::home_dir().unwrap().to_str().unwrap())
} }
pub fn keys_iterations(&self) -> u32 {
self.args.flag_keys_iterations
}
pub fn spec(&self) -> Spec { pub fn spec(&self) -> Spec {
match self.chain().as_str() { match self.chain().as_str() {
"frontier" | "homestead" | "mainnet" => ethereum::new_frontier(), "frontier" | "homestead" | "mainnet" => ethereum::new_frontier(),
@ -245,7 +249,7 @@ impl Configuration {
.collect::<Vec<_>>() .collect::<Vec<_>>()
.into_iter() .into_iter()
}).collect::<Vec<_>>(); }).collect::<Vec<_>>();
let account_service = AccountService::new_in(Path::new(&self.keys_path())); let account_service = AccountService::with_security(Path::new(&self.keys_path()), self.keys_iterations());
if let Some(ref unlocks) = self.args.flag_unlock { if let Some(ref unlocks) = self.args.flag_unlock {
for d in unlocks.split(',') { for d in unlocks.split(',') {
let a = Address::from_str(clean_0x(&d)).unwrap_or_else(|_| { let a = Address::from_str(clean_0x(&d)).unwrap_or_else(|_| {

2
parity/main.rs
View File

@ -219,7 +219,7 @@ fn flush_stdout() {
fn execute_account_cli(conf: Configuration) { fn execute_account_cli(conf: Configuration) {
use util::keys::store::SecretStore; use util::keys::store::SecretStore;
use rpassword::read_password; use rpassword::read_password;
let mut secret_store = SecretStore::new_in(Path::new(&conf.keys_path())); let mut secret_store = SecretStore::with_security(Path::new(&conf.keys_path()), conf.keys_iterations());
if conf.args.cmd_new { if conf.args.cmd_new {
println!("Please note that password is NOT RECOVERABLE."); println!("Please note that password is NOT RECOVERABLE.");
print!("Type password: "); print!("Type password: ");

25
util/src/keys/store.rs
View File

@ -73,6 +73,7 @@ pub enum SigningError {
pub struct SecretStore { pub struct SecretStore {
directory: KeyDirectory, directory: KeyDirectory,
unlocks: RwLock<HashMap<Address, AccountUnlock>>, unlocks: RwLock<HashMap<Address, AccountUnlock>>,
key_iterations: u32,
} }
struct AccountUnlock { struct AccountUnlock {
@ -128,10 +129,15 @@ impl AccountProvider for AccountService {
impl AccountService { impl AccountService {
/// New account service with the keys store in specific location /// New account service with the keys store in specific location
pub fn new_in(path: &Path) -> Self { pub fn new_in(path: &Path) -> Self {
let secret_store = RwLock::new(SecretStore::new_in(path)); AccountService::with_security(path, KEY_ITERATIONS)
}
/// New account service with the keys store in specific location and configured security parameters
pub fn with_security(path: &Path, key_iterations: u32) -> Self {
let secret_store = RwLock::new(SecretStore::with_security(path, key_iterations));
secret_store.write().unwrap().try_import_existing(); secret_store.write().unwrap().try_import_existing();
AccountService { AccountService {
secret_store: secret_store secret_store: secret_store,
} }
} }
@ -157,10 +163,16 @@ impl AccountService {
impl SecretStore { impl SecretStore {
/// new instance of Secret Store in specific directory /// new instance of Secret Store in specific directory
pub fn new_in(path: &Path) -> Self { pub fn new_in(path: &Path) -> Self {
SecretStore::with_security(path, KEY_ITERATIONS)
}
/// new instance of Secret Store in specific directory and configured security parameters
pub fn with_security(path: &Path, key_iterations: u32) -> Self {
::std::fs::create_dir_all(&path).expect("Cannot access requested key directory - critical"); ::std::fs::create_dir_all(&path).expect("Cannot access requested key directory - critical");
SecretStore { SecretStore {
directory: KeyDirectory::new(path), directory: KeyDirectory::new(path),
unlocks: RwLock::new(HashMap::new()), unlocks: RwLock::new(HashMap::new()),
key_iterations: key_iterations,
} }
} }
@ -206,6 +218,7 @@ impl SecretStore {
SecretStore { SecretStore {
directory: KeyDirectory::new(path.as_path()), directory: KeyDirectory::new(path.as_path()),
unlocks: RwLock::new(HashMap::new()), unlocks: RwLock::new(HashMap::new()),
key_iterations: KEY_ITERATIONS,
} }
} }
@ -289,8 +302,8 @@ fn derive_key_iterations(password: &str, salt: &H256, c: u32) -> (Bytes, Bytes)
(derived_right_bits.to_vec(), derived_left_bits.to_vec()) (derived_right_bits.to_vec(), derived_left_bits.to_vec())
} }
fn derive_key(password: &str, salt: &H256) -> (Bytes, Bytes) { fn derive_key(password: &str, salt: &H256, iterations: u32) -> (Bytes, Bytes) {
derive_key_iterations(password, salt, KEY_ITERATIONS) derive_key_iterations(password, salt, iterations)
} }
fn derive_key_scrypt(password: &str, salt: &H256, n: u32, p: u32, r: u32) -> (Bytes, Bytes) { fn derive_key_scrypt(password: &str, salt: &H256, n: u32, p: u32, r: u32) -> (Bytes, Bytes) {
@ -346,7 +359,7 @@ impl EncryptedHashMap<H128> for SecretStore {
// two parts of derived key // two parts of derived key
// DK = [ DK[0..15] DK[16..31] ] = [derived_left_bits, derived_right_bits] // DK = [ DK[0..15] DK[16..31] ] = [derived_left_bits, derived_right_bits]
let (derived_left_bits, derived_right_bits) = derive_key(password, &salt); let (derived_left_bits, derived_right_bits) = derive_key(password, &salt, self.key_iterations);
let mut cipher_text = vec![0u8; value.as_slice().len()]; let mut cipher_text = vec![0u8; value.as_slice().len()];
// aes-128-ctr with initial vector of iv // aes-128-ctr with initial vector of iv
@ -361,7 +374,7 @@ impl EncryptedHashMap<H128> for SecretStore {
iv, iv,
salt, salt,
mac, mac,
KEY_ITERATIONS, self.key_iterations,
KEY_LENGTH)); KEY_LENGTH));
key_file.id = key; key_file.id = key;
if let Err(io_error) = self.directory.save(key_file) { if let Err(io_error) = self.directory.save(key_file) {