secret store separated from util (#1304)

* bump rust-crypto

* initial version of account provider utilizing secret store

* update lazy_static to latest version

* AccountProvider accounts method

* new AccountProvider tests in progress

* basic tests for new AccountProvider

* ethcore compiles with new account provider and secret store

* ethcore-rpc build now compiling with new AccountProvider

* most rpc tests passing with new accounts_provider

* fixed basic_authority tests

* fixed eth_transaction_count rpc test

* fixed mocked/eth.rs tests

* fixed personal tests

* fixed personal signer rpc tests

* removed warnings

* parity compiling fine with new sstore

* fixed import direction

* do not unlock temporarily when we have the password

* removed TODO in account import

* display warning on auto account import failure

* fixed compiling of ethstore on windows

* ethstore as a part of parity repo

* added ethkey

ethcore/src/account_provider.rs

@@ -0,0 +1,266 @@
+// Copyright 2015, 2016 Ethcore (UK) Ltd.
+// This file is part of Parity.
+
+// Parity is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// Parity is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with Parity.  If not, see <http://www.gnu.org/licenses/>.
+
+//! Account management.
+
+use std::fmt;
+use std::sync::RwLock;
+use std::collections::HashMap;
+use util::{Address as H160, H256, H520};
+use ethstore::{SecretStore, Error as SSError, SafeAccount, EthStore};
+use ethstore::dir::{KeyDirectory};
+use ethstore::ethkey::{Address as SSAddress, Message as SSMessage, Secret as SSSecret, Random, Generator};
+
+/// Type of unlock.
+#[derive(Clone)]
+enum Unlock {
+	/// If account is unlocked temporarily, it should be locked after first usage.
+	Temp,
+	/// Account unlocked permantently can always sign message.
+	/// Use with caution.
+	Perm,
+}
+
+/// Data associated with account.
+#[derive(Clone)]
+struct AccountData {
+	unlock: Unlock,
+	password: String,
+}
+
+/// `AccountProvider` errors.
+#[derive(Debug)]
+pub enum Error {
+	/// Returned when account is not unlocked.
+	NotUnlocked,
+	/// Returned when signing fails.
+	SStore(SSError),
+}
+
+impl fmt::Display for Error {
+	fn fmt(&self, f: &mut fmt::Formatter) -> Result<(), fmt::Error> {
+		match *self {
+			Error::NotUnlocked => write!(f, "Account is locked"),
+			Error::SStore(ref e) => write!(f, "{}", e),
+		}
+	}
+}
+
+impl From<SSError> for Error {
+	fn from(e: SSError) -> Self {
+		Error::SStore(e)
+	}
+}
+
+macro_rules! impl_bridge_type {
+	($name: ident, $size: expr, $core: ident, $store: ident) => {
+		/// Primitive
+		pub struct $name([u8; $size]);
+
+		impl From<[u8; $size]> for $name {
+			fn from(s: [u8; $size]) -> Self {
+				$name(s)
+			}
+		}
+
+		impl From<$core> for $name {
+			fn from(s: $core) -> Self {
+				$name(s.0)
+			}
+		}
+
+		impl From<$store> for $name {
+			fn from(s: $store) -> Self {
+				$name(s.into())
+			}
+		}
+
+		impl Into<$core> for $name {
+			fn into(self) -> $core {
+				$core(self.0)
+			}
+		}
+
+		impl Into<$store> for $name {
+			fn into(self) -> $store {
+				$store::from(self.0)
+			}
+		}
+	}
+}
+
+impl_bridge_type!(Secret, 32, H256, SSSecret);
+impl_bridge_type!(Message, 32, H256, SSMessage);
+impl_bridge_type!(Address, 20, H160, SSAddress);
+
+
+struct NullDir;
+
+impl KeyDirectory for NullDir {
+	fn load(&self) -> Result<Vec<SafeAccount>, SSError> {
+		Ok(vec![])
+	}
+
+	fn insert(&self, _account: SafeAccount) -> Result<(), SSError> {
+		Ok(())
+	}
+
+	fn remove(&self, _address: &SSAddress) -> Result<(), SSError> {
+		Ok(())
+	}
+}
+
+/// Account management.
+/// Responsible for unlocking accounts.
+pub struct AccountProvider {
+	unlocked: RwLock<HashMap<SSAddress, AccountData>>,
+	sstore: Box<SecretStore>,
+}
+
+impl AccountProvider {
+	/// Creates new account provider.
+	pub fn new(sstore: Box<SecretStore>) -> Self {
+		AccountProvider {
+			unlocked: RwLock::new(HashMap::new()),
+			sstore: sstore,
+		}
+	}
+
+	/// Creates not disk backed provider.
+	pub fn transient_provider() -> Self {
+		AccountProvider {
+			unlocked: RwLock::new(HashMap::new()),
+			sstore: Box::new(EthStore::open(Box::new(NullDir)).unwrap())
+		}
+	}
+
+	/// Creates new random account.
+	pub fn new_account(&self, password: &str) -> Result<H160, Error> {
+		let secret = Random.generate().unwrap().secret().clone();
+		let address = try!(self.sstore.insert_account(secret, password));
+		Ok(Address::from(address).into())
+	}
+
+	/// Inserts new account into underlying store.
+	/// Does not unlock account!
+	pub fn insert_account<S>(&self, secret: S, password: &str) -> Result<H160, Error> where Secret: From<S> {
+		let s = Secret::from(secret);
+		let address = try!(self.sstore.insert_account(s.into(), password));
+		Ok(Address::from(address).into())
+	}
+
+	/// Returns addresses of all accounts.
+	pub fn accounts(&self) -> Vec<H160> {
+		self.sstore.accounts().into_iter().map(|a| H160(a.into())).collect()
+	}
+
+	/// Helper method used for unlocking accounts.
+	fn unlock_account<A>(&self, account: A, password: String, unlock: Unlock) -> Result<(), Error> where Address: From<A> {
+		let a = Address::from(account);
+		let account = a.into();
+		// verify password by signing dump message
+		// result may be discarded
+		let _ = try!(self.sstore.sign(&account, &password, &Default::default()));
+
+		// check if account is already unlocked pernamently, if it is, do nothing
+		{
+			let unlocked = self.unlocked.read().unwrap();
+			if let Some(data) = unlocked.get(&account) {
+				if let Unlock::Perm = data.unlock {
+					return Ok(())
+				}
+			}
+		}
+
+		let data = AccountData {
+			unlock: unlock,
+			password: password,
+		};
+
+		let mut unlocked = self.unlocked.write().unwrap();
+		unlocked.insert(account, data);
+		Ok(())
+	}
+
+	/// Unlocks account permanently.
+	pub fn unlock_account_permanently<A>(&self, account: A, password: String) -> Result<(), Error> where Address: From<A> {
+		self.unlock_account(account, password, Unlock::Perm)
+	}
+
+	/// Unlocks account temporarily (for one signing).
+	pub fn unlock_account_temporarily<A>(&self, account: A, password: String) -> Result<(), Error> where Address: From<A> {
+		self.unlock_account(account, password, Unlock::Temp)
+	}
+
+	/// Signs the message. Account must be unlocked.
+	pub fn sign<A, M>(&self, account: A, message: M) -> Result<H520, Error> where Address: From<A>, Message: From<M> {
+		let account = Address::from(account).into();
+		let message = Message::from(message).into();
+
+		let data = {
+			let unlocked = self.unlocked.read().unwrap();
+			try!(unlocked.get(&account).ok_or(Error::NotUnlocked)).clone()
+		};
+
+		if let Unlock::Temp = data.unlock {
+			let mut unlocked = self.unlocked.write().unwrap();
+			unlocked.remove(&account).expect("data exists: so key must exist: qed");
+		}
+
+		let signature = try!(self.sstore.sign(&account, &data.password, &message));
+		Ok(H520(signature.into()))
+	}
+
+	/// Unlocks an account, signs the message, and locks it again.
+	pub fn sign_with_password<A, M>(&self, account: A, password: String, message: M) -> Result<H520, Error> where Address: From<A>, Message: From<M> {
+		let account = Address::from(account).into();
+		let message = Message::from(message).into();
+		let signature = try!(self.sstore.sign(&account, &password, &message));
+		Ok(H520(signature.into()))
+	}
+}
+
+#[cfg(test)]
+mod tests {
+	use super::AccountProvider;
+	use ethstore::SecretStore;
+	use ethstore::ethkey::{Generator, Random};
+
+	#[test]
+	fn unlock_account_temp() {
+		let kp = Random.generate().unwrap();
+		let ap = AccountProvider::transient_provider();
+		assert!(ap.insert_account(kp.secret().clone(), "test").is_ok());
+		assert!(ap.unlock_account_temporarily(kp.address(), "test1".into()).is_err());
+		assert!(ap.unlock_account_temporarily(kp.address(), "test".into()).is_ok());
+		assert!(ap.sign(kp.address(), [0u8; 32]).is_ok());
+		assert!(ap.sign(kp.address(), [0u8; 32]).is_err());
+	}
+
+	#[test]
+	fn unlock_account_perm() {
+		let kp = Random.generate().unwrap();
+		let ap = AccountProvider::transient_provider();
+		assert!(ap.insert_account(kp.secret().clone(), "test").is_ok());
+		assert!(ap.unlock_account_permanently(kp.address(), "test1".into()).is_err());
+		assert!(ap.unlock_account_permanently(kp.address(), "test".into()).is_ok());
+		assert!(ap.sign(kp.address(), [0u8; 32]).is_ok());
+		assert!(ap.sign(kp.address(), [0u8; 32]).is_ok());
+		assert!(ap.unlock_account_temporarily(kp.address(), "test".into()).is_ok());
+		assert!(ap.sign(kp.address(), [0u8; 32]).is_ok());
+		assert!(ap.sign(kp.address(), [0u8; 32]).is_ok());
+	}
+}

ethcore/src/basic_authority.rs

@@ -17,7 +17,7 @@
 //! A blockchain engine that supports a basic, non-BFT proof-of-authority.
 
 use common::*;
-use util::keys::store::AccountProvider;
+use account_provider::AccountProvider;
 use block::*;
 use spec::{CommonParams, Spec};
 use engine::*;
@@ -105,15 +105,13 @@ impl Engine for BasicAuthority {
 	/// be returned.
 	fn generate_seal(&self, block: &ExecutedBlock, accounts: Option<&AccountProvider>) -> Option<Vec<Bytes>> {
 		if let Some(ap) = accounts {
-			// check to see if author is contained in self.our_params.authorities
-			if self.our_params.authorities.contains(block.header().author()) {
-				if let Ok(secret) = ap.account_secret(block.header().author()) {
-					return Some(block.header().author_seal(&secret));
-				} else {
-					trace!(target: "basicauthority", "generate_seal: FAIL: accounts secret key unavailable");
-				}
+			let header = block.header();
+			let message = header.bare_hash();
+			// account should be pernamently unlocked, otherwise sealing will fail
+			if let Ok(signature) = ap.sign(*block.header().author(), message) {
+				return Some(vec![encode(&signature).to_vec()]);
 			} else {
-				trace!(target: "basicauthority", "generate_seal: FAIL: block author {} isn't one of the authorized accounts {:?}", block.header().author(), self.our_params.authorities);
+				trace!(target: "basicauthority", "generate_seal: FAIL: accounts secret key unavailable");
 			}
 		} else {
 			trace!(target: "basicauthority", "generate_seal: FAIL: accounts not provided");
@@ -176,16 +174,6 @@ impl Header {
 	pub fn signature(&self) -> H520 {
 		decode(&self.seal()[0])
 	}
-
-	/// Generate a seal for the block with the given `secret`.
-	pub fn author_seal(&self, secret: &Secret) -> Vec<Bytes> {
-		vec![encode(&ec::sign(secret, &self.bare_hash()).unwrap_or(Signature::new())).to_vec()]
-	}
-
-	/// Set the nonce and mix hash fields of the header.
-	pub fn sign(&mut self, secret: &Secret) {
-		self.seal = self.author_seal(secret);
-	}
 }
 
 /// Create a new test chain spec with `BasicAuthority` consensus engine.
@@ -197,7 +185,7 @@ mod tests {
 	use common::*;
 	use block::*;
 	use tests::helpers::*;
-	use util::keys::{TestAccountProvider, TestAccount};
+	use account_provider::AccountProvider;
 
 	#[test]
 	fn has_valid_metadata() {
@@ -251,24 +239,11 @@ mod tests {
 		}
 	}
 
-	#[test]
-	fn can_do_signature_verification() {
-		let secret = "".sha3();
-		let addr = KeyPair::from_secret("".sha3()).unwrap().address();
-
-		let engine = new_test_authority().engine;
-		let mut header: Header = Header::default();
-		header.set_author(addr);
-		header.sign(&secret);
-
-		assert!(engine.verify_block_unordered(&header, None).is_ok());
-	}
-
 	#[test]
 	fn can_generate_seal() {
-		let addr = KeyPair::from_secret("".sha3()).unwrap().address();
-		let accounts = hash_map![addr => TestAccount{unlocked: true, password: Default::default(), secret: "".sha3()}];
-		let tap = TestAccountProvider::new(accounts);
+		let tap = AccountProvider::transient_provider();
+		let addr = tap.insert_account("".sha3(), "").unwrap();
+		tap.unlock_account_permanently(addr, "".into()).unwrap();
 
 		let spec = new_test_authority();
 		let engine = &spec.engine;
@@ -278,10 +253,9 @@ mod tests {
 		spec.ensure_db_good(db.as_hashdb_mut());
 		let last_hashes = vec![genesis_header.hash()];
 		let vm_factory = Default::default();
-		let b = OpenBlock::new(engine.deref(), &vm_factory, false, db, &genesis_header, last_hashes, addr.clone(), 3141562.into(), vec![]).unwrap();
+		let b = OpenBlock::new(engine.deref(), &vm_factory, false, db, &genesis_header, last_hashes, addr, 3141562.into(), vec![]).unwrap();
 		let b = b.close_and_lock();
 		let seal = engine.generate_seal(b.block(), Some(&tap)).unwrap();
-
 		assert!(b.try_seal(engine.deref(), seal).is_ok());
 	}
 }

ethcore/src/engine.rs

@@ -17,7 +17,7 @@
 //! Consensus engine specification
 
 use common::*;
-use util::keys::store::AccountProvider;
+use account_provider::AccountProvider;
 use block::ExecutedBlock;
 use spec::CommonParams;
 use evm::Schedule;

ethcore/src/lib.rs

@@ -91,10 +91,12 @@ extern crate ethjson;
 extern crate bloomchain;
 #[macro_use] extern crate ethcore_ipc as ipc;
 extern crate rayon;
+pub extern crate ethstore;
 
 #[cfg(test)] extern crate ethcore_devtools as devtools;
 #[cfg(feature = "jit" )] extern crate evmjit;
 
+pub mod account_provider;
 pub mod basic_authority;
 pub mod block;
 pub mod block_queue;
@@ -140,4 +142,4 @@ mod json_tests;
 
 pub use types::*;
 pub use evm::get_info;
-pub use executive::contract_address;
+pub use executive::contract_address;

ethcore/src/miner/miner.rs

@@ -18,7 +18,7 @@ use rayon::prelude::*;
 use std::sync::atomic::AtomicBool;
 
 use util::*;
-use util::keys::store::{AccountProvider};
+use account_provider::AccountProvider;
 use views::{BlockView, HeaderView};
 use client::{MiningBlockChainClient, Executive, Executed, EnvInfo, TransactOptions, BlockID, CallAnalytics};
 use block::{ClosedBlock, IsBlock};

ethcore/src/types/transaction.rs

@@ -140,8 +140,13 @@ impl Transaction {
 
 	/// Signs the transaction as coming from `sender`.
 	pub fn sign(self, secret: &Secret) -> SignedTransaction {
-		let sig = ec::sign(secret, &self.hash());
-		let (r, s, v) = sig.unwrap().to_rsv();
+		let sig = ec::sign(secret, &self.hash()).unwrap();
+		self.with_signature(sig)
+	}
+
+	/// Signs the transaction with signature.
+	pub fn with_signature(self, sig: H520) -> SignedTransaction {
+		let (r, s, v) = sig.to_rsv();
 		SignedTransaction {
 			unsigned: self,
 			r: r,