mirror of https://github.com/waku-org/nwaku.git
577 lines
17 KiB
Nim
577 lines
17 KiB
Nim
# This implementation is originally taken from nim-eth keyfile module https://github.com/status-im/nim-eth/blob/master/eth/keyfile and adapted to
|
|
# - create keyfiles for arbitrary-long input byte data (rather than fixed-size private keys)
|
|
# - allow storage of multiple keyfiles (encrypted with different passwords) in same file and iteration among successful decryptions
|
|
# - enable/disable at compilation time the keyfile id and version fields
|
|
|
|
when (NimMajor, NimMinor) < (1, 4):
|
|
{.push raises: [Defect].}
|
|
else:
|
|
{.push raises: [].}
|
|
|
|
import
|
|
std/[os, strutils, json, sequtils],
|
|
nimcrypto/[bcmode, hmac, rijndael, pbkdf2, sha2, sysrand, utils, keccak, scrypt],
|
|
stew/results,
|
|
eth/keys,
|
|
eth/keyfile/uuid
|
|
|
|
export results
|
|
|
|
const
|
|
# Version 3 constants
|
|
SaltSize = 16
|
|
DKLen = 32
|
|
MaxDKLen = 128
|
|
ScryptR = 1
|
|
ScryptP = 8
|
|
Pbkdf2WorkFactor = 1_000_000
|
|
ScryptWorkFactor = 262_144
|
|
|
|
type
|
|
KeyFileError* = enum
|
|
RandomError = "keyfile error: Random generator error"
|
|
UuidError = "keyfile error: UUID generator error"
|
|
BufferOverrun = "keyfile error: Supplied buffer is too small"
|
|
IncorrectDKLen = "keyfile error: `dklen` parameter is 0 or more then MaxDKLen"
|
|
MalformedError = "keyfile error: JSON has incorrect structure"
|
|
NotImplemented = "keyfile error: Feature is not implemented"
|
|
NotSupported = "keyfile error: Feature is not supported"
|
|
EmptyMac = "keyfile error: `mac` parameter is zero length or not in hexadecimal form"
|
|
EmptyCiphertext = "keyfile error: `ciphertext` parameter is zero length or not in hexadecimal format"
|
|
EmptySalt = "keyfile error: `salt` parameter is zero length or not in hexadecimal format"
|
|
EmptyIV = "keyfile error: `cipherparams.iv` parameter is zero length or not in hexadecimal format"
|
|
IncorrectIV = "keyfile error: Size of IV vector is not equal to cipher block size"
|
|
PrfNotSupported = "keyfile error: PRF algorithm for PBKDF2 is not supported"
|
|
KdfNotSupported = "keyfile error: KDF algorithm is not supported"
|
|
CipherNotSupported = "keyfile error: `cipher` parameter is not supported"
|
|
IncorrectMac = "keyfile error: `mac` verification failed"
|
|
ScryptBadParam = "keyfile error: bad scrypt's parameters"
|
|
OsError = "keyfile error: OS specific error"
|
|
IoError = "keyfile error: IO specific error"
|
|
JsonError = "keyfile error: JSON encoder/decoder error"
|
|
KeyfileDoesNotExist = "keyfile error: file does not exist"
|
|
|
|
KdfKind* = enum
|
|
PBKDF2, ## PBKDF2
|
|
SCRYPT ## SCRYPT
|
|
|
|
HashKind* = enum
|
|
HashNoSupport, HashSHA2_224, HashSHA2_256, HashSHA2_384, HashSHA2_512,
|
|
HashKECCAK224, HashKECCAK256, HashKECCAK384, HashKECCAK512,
|
|
HashSHA3_224, HashSHA3_256, HashSHA3_384, HashSHA3_512
|
|
|
|
CryptKind* = enum
|
|
CipherNoSupport, ## Cipher not supported
|
|
AES128CTR ## AES-128-CTR
|
|
|
|
CipherParams = object
|
|
iv: seq[byte]
|
|
|
|
Cipher = object
|
|
kind: CryptKind
|
|
params: CipherParams
|
|
text: seq[byte]
|
|
|
|
Crypto = object
|
|
kind: KdfKind
|
|
cipher: Cipher
|
|
kdfParams: JsonNode
|
|
mac: seq[byte]
|
|
|
|
ScryptParams* = object
|
|
dklen: int
|
|
n, p, r: int
|
|
salt: string
|
|
|
|
Pbkdf2Params* = object
|
|
dklen: int
|
|
c: int
|
|
prf: HashKind
|
|
salt: string
|
|
|
|
DKey = array[DKLen, byte]
|
|
KfResult*[T] = Result[T, KeyFileError]
|
|
|
|
const
|
|
SupportedHashes = [
|
|
"sha224", "sha256", "sha384", "sha512",
|
|
"keccak224", "keccak256", "keccak384", "keccak512",
|
|
"sha3_224", "sha3_256", "sha3_384", "sha3_512"
|
|
]
|
|
|
|
SupportedHashesKinds = [
|
|
HashSHA2_224, HashSHA2_256, HashSHA2_384, HashSHA2_512,
|
|
HashKECCAK224, HashKECCAK256, HashKECCAK384, HashKECCAK512,
|
|
HashSHA3_224, HashSHA3_256, HashSHA3_384, HashSHA3_512
|
|
]
|
|
|
|
# When true, the keyfile json will contain "version" and "id" fields, respectively. Default to false.
|
|
VersionInKeyfile: bool = false
|
|
IdInKeyfile: bool = false
|
|
|
|
proc mapErrTo[T, E](r: Result[T, E], v: static KeyFileError): KfResult[T] =
|
|
r.mapErr(proc (e: E): KeyFileError = v)
|
|
|
|
proc `$`(k: KdfKind): string =
|
|
case k
|
|
of SCRYPT:
|
|
return "scrypt"
|
|
else:
|
|
return "pbkdf2"
|
|
|
|
proc `$`(k: CryptKind): string =
|
|
case k
|
|
of AES128CTR:
|
|
return "aes-128-ctr"
|
|
else:
|
|
return "aes-128-ctr"
|
|
|
|
# Parses the prf name to HashKind
|
|
proc getPrfHash(prf: string): HashKind =
|
|
let p = prf.toLowerAscii()
|
|
if p.startsWith("hmac-"):
|
|
var hash = p[5..^1]
|
|
var res = SupportedHashes.find(hash)
|
|
if res >= 0:
|
|
return SupportedHashesKinds[res]
|
|
return HashNoSupport
|
|
|
|
# Parses the cipher name to CryptoKind
|
|
proc getCipher(c: string): CryptKind =
|
|
var cl = c.toLowerAscii()
|
|
if cl == "aes-128-ctr":
|
|
return AES128CTR
|
|
else:
|
|
return CipherNoSupport
|
|
|
|
# Key derivation routine for PBKDF2
|
|
proc deriveKey(password: string,
|
|
salt: string,
|
|
kdfkind: KdfKind,
|
|
hashkind: HashKind,
|
|
workfactor: int): KfResult[DKey] =
|
|
if kdfkind == PBKDF2:
|
|
var output: DKey
|
|
var c = if workfactor == 0: Pbkdf2WorkFactor else: workfactor
|
|
case hashkind
|
|
of HashSHA2_224:
|
|
var ctx: HMAC[sha224]
|
|
discard ctx.pbkdf2(password, salt, c, output)
|
|
ctx.clear()
|
|
ok(output)
|
|
of HashSHA2_256:
|
|
var ctx: HMAC[sha256]
|
|
discard ctx.pbkdf2(password, salt, c, output)
|
|
ctx.clear()
|
|
ok(output)
|
|
of HashSHA2_384:
|
|
var ctx: HMAC[sha384]
|
|
discard ctx.pbkdf2(password, salt, c, output)
|
|
ctx.clear()
|
|
ok(output)
|
|
of HashSHA2_512:
|
|
var ctx: HMAC[sha512]
|
|
discard ctx.pbkdf2(password, salt, c, output)
|
|
ctx.clear()
|
|
ok(output)
|
|
of HashKECCAK224:
|
|
var ctx: HMAC[keccak224]
|
|
discard ctx.pbkdf2(password, salt, c, output)
|
|
ctx.clear()
|
|
ok(output)
|
|
of HashKECCAK256:
|
|
var ctx: HMAC[keccak256]
|
|
discard ctx.pbkdf2(password, salt, c, output)
|
|
ctx.clear()
|
|
ok(output)
|
|
of HashKECCAK384:
|
|
var ctx: HMAC[keccak384]
|
|
discard ctx.pbkdf2(password, salt, c, output)
|
|
ctx.clear()
|
|
ok(output)
|
|
of HashKECCAK512:
|
|
var ctx: HMAC[keccak512]
|
|
discard ctx.pbkdf2(password, salt, c, output)
|
|
ctx.clear()
|
|
ok(output)
|
|
of HashSHA3_224:
|
|
var ctx: HMAC[sha3_224]
|
|
discard ctx.pbkdf2(password, salt, c, output)
|
|
ctx.clear()
|
|
ok(output)
|
|
of HashSHA3_256:
|
|
var ctx: HMAC[sha3_256]
|
|
discard ctx.pbkdf2(password, salt, c, output)
|
|
ctx.clear()
|
|
ok(output)
|
|
of HashSHA3_384:
|
|
var ctx: HMAC[sha3_384]
|
|
discard ctx.pbkdf2(password, salt, c, output)
|
|
ctx.clear()
|
|
ok(output)
|
|
of HashSHA3_512:
|
|
var ctx: HMAC[sha3_512]
|
|
discard ctx.pbkdf2(password, salt, c, output)
|
|
ctx.clear()
|
|
ok(output)
|
|
else:
|
|
err(PrfNotSupported)
|
|
else:
|
|
err(NotImplemented)
|
|
|
|
# Scrypt wrapper
|
|
func scrypt[T, M](password: openArray[T], salt: openArray[M],
|
|
N, r, p: int, output: var openArray[byte]): int =
|
|
let (xyvLen, bLen) = scryptCalc(N, r, p)
|
|
var xyv = newSeq[uint32](xyvLen)
|
|
var b = newSeq[byte](bLen)
|
|
scrypt(password, salt, N, r, p, xyv, b, output)
|
|
|
|
# Key derivation routine for Scrypt
|
|
proc deriveKey(password: string, salt: string,
|
|
workFactor, r, p: int): KfResult[DKey] =
|
|
|
|
let wf = if workFactor == 0: ScryptWorkFactor else: workFactor
|
|
var output: DKey
|
|
if scrypt(password, salt, wf, r, p, output) == 0:
|
|
return err(ScryptBadParam)
|
|
|
|
return ok(output)
|
|
|
|
# Encryption routine
|
|
proc encryptData(plaintext: openArray[byte],
|
|
cryptkind: CryptKind,
|
|
key: openArray[byte],
|
|
iv: openArray[byte]): KfResult[seq[byte]] =
|
|
if cryptkind == AES128CTR:
|
|
var ciphertext = newSeqWith(plaintext.len, 0.byte)
|
|
var ctx: CTR[aes128]
|
|
ctx.init(toOpenArray(key, 0, 15), iv)
|
|
ctx.encrypt(plaintext, ciphertext)
|
|
ctx.clear()
|
|
ok(ciphertext)
|
|
else:
|
|
err(NotImplemented)
|
|
|
|
# Decryption routine
|
|
proc decryptData(ciphertext: openArray[byte],
|
|
cryptkind: CryptKind,
|
|
key: openArray[byte],
|
|
iv: openArray[byte]): KfResult[seq[byte]] =
|
|
if cryptkind == AES128CTR:
|
|
if len(iv) != aes128.sizeBlock:
|
|
return err(IncorrectIV)
|
|
var plaintext = newSeqWith(ciphertext.len, 0.byte)
|
|
var ctx: CTR[aes128]
|
|
ctx.init(toOpenArray(key, 0, 15), iv)
|
|
ctx.decrypt(ciphertext, plaintext)
|
|
ctx.clear()
|
|
ok(plaintext)
|
|
else:
|
|
err(NotImplemented)
|
|
|
|
# Encodes KDF parameters in JSON
|
|
proc kdfParams(kdfkind: KdfKind, salt: string, workfactor: int): KfResult[JsonNode] =
|
|
if kdfkind == SCRYPT:
|
|
let wf = if workfactor == 0: ScryptWorkFactor else: workfactor
|
|
ok(%*
|
|
{
|
|
"dklen": DKLen,
|
|
"n": wf,
|
|
"r": ScryptR,
|
|
"p": ScryptP,
|
|
"salt": salt
|
|
}
|
|
)
|
|
elif kdfkind == PBKDF2:
|
|
let wf = if workfactor == 0: Pbkdf2WorkFactor else: workfactor
|
|
ok(%*
|
|
{
|
|
"dklen": DKLen,
|
|
"c": wf,
|
|
"prf": "hmac-sha256",
|
|
"salt": salt
|
|
}
|
|
)
|
|
else:
|
|
err(NotImplemented)
|
|
|
|
# Decodes hex strings to byte sequences
|
|
proc decodeHex*(m: string): seq[byte] =
|
|
if len(m) > 0:
|
|
try:
|
|
return utils.fromHex(m)
|
|
except CatchableError:
|
|
return newSeq[byte]()
|
|
else:
|
|
return newSeq[byte]()
|
|
|
|
# Parses the salt from hex string to byte string
|
|
proc decodeSalt(m: string): string =
|
|
var sarr: seq[byte]
|
|
if len(m) > 0:
|
|
try:
|
|
sarr = utils.fromHex(m)
|
|
var output = newString(len(sarr))
|
|
copyMem(addr output[0], addr sarr[0], len(sarr))
|
|
return output
|
|
except CatchableError:
|
|
return ""
|
|
else:
|
|
return ""
|
|
|
|
# Compares the message authentication code
|
|
proc compareMac(m1: openArray[byte], m2: openArray[byte]): bool =
|
|
if len(m1) == len(m2) and len(m1) > 0:
|
|
return equalMem(unsafeAddr m1[0], unsafeAddr m2[0], len(m1))
|
|
else:
|
|
return false
|
|
|
|
# Creates a keyfile for secret encrypted with password according to the other parameters
|
|
# Returns keyfile in JSON according to Web3 Secure storage format (here, differently than standard, version and id are optional)
|
|
proc createKeyFileJson*(secret: openArray[byte],
|
|
password: string,
|
|
version: int = 3,
|
|
cryptkind: CryptKind = AES128CTR,
|
|
kdfkind: KdfKind = PBKDF2,
|
|
workfactor: int = 0): KfResult[JsonNode] =
|
|
## Create JSON object with keyfile structure.
|
|
##
|
|
## ``secret`` - secret data, which will be stored
|
|
## ``password`` - encryption password
|
|
## ``outjson`` - result JSON object
|
|
## ``version`` - version of keyfile format (default is 3)
|
|
## ``cryptkind`` - algorithm for encryption
|
|
## (default is AES128-CTR)
|
|
## ``kdfkind`` - algorithm for key deriviation function (default is PBKDF2)
|
|
## ``workfactor`` - Key deriviation function work factor, 0 is to use
|
|
## default workfactor.
|
|
var iv: array[aes128.sizeBlock, byte]
|
|
var salt: array[SaltSize, byte]
|
|
var saltstr = newString(SaltSize)
|
|
if randomBytes(iv) != aes128.sizeBlock:
|
|
return err(RandomError)
|
|
if randomBytes(salt) != SaltSize:
|
|
return err(RandomError)
|
|
copyMem(addr saltstr[0], addr salt[0], SaltSize)
|
|
|
|
let u = ? uuidGenerate().mapErrTo(UuidError)
|
|
|
|
let
|
|
dkey = case kdfkind
|
|
of PBKDF2: ? deriveKey(password, saltstr, kdfkind, HashSHA2_256, workfactor)
|
|
of SCRYPT: ? deriveKey(password, saltstr, workfactor, ScryptR, ScryptP)
|
|
|
|
ciphertext = ? encryptData(secret, cryptkind, dkey, iv)
|
|
|
|
var ctx: keccak256
|
|
ctx.init()
|
|
ctx.update(toOpenArray(dkey, 16, 31))
|
|
ctx.update(ciphertext)
|
|
var mac = ctx.finish()
|
|
ctx.clear()
|
|
|
|
let params = ? kdfParams(kdfkind, toHex(salt, true), workfactor)
|
|
|
|
let json = %*
|
|
{
|
|
"crypto": {
|
|
"cipher": $cryptkind,
|
|
"cipherparams": {
|
|
"iv": toHex(iv, true)
|
|
},
|
|
"ciphertext": toHex(ciphertext, true),
|
|
"kdf": $kdfkind,
|
|
"kdfparams": params,
|
|
"mac": toHex(mac.data, true),
|
|
},
|
|
}
|
|
|
|
if IdInKeyfile:
|
|
json.add("id", %($u))
|
|
if VersionInKeyfile:
|
|
json.add("version", %version)
|
|
|
|
ok(json)
|
|
|
|
# Parses Cipher JSON information
|
|
proc decodeCrypto(n: JsonNode): KfResult[Crypto] =
|
|
var crypto = n.getOrDefault("crypto")
|
|
if isNil(crypto):
|
|
return err(MalformedError)
|
|
|
|
var kdf = crypto.getOrDefault("kdf")
|
|
if isNil(kdf):
|
|
return err(MalformedError)
|
|
|
|
var c: Crypto
|
|
case kdf.getStr()
|
|
of "pbkdf2": c.kind = PBKDF2
|
|
of "scrypt": c.kind = SCRYPT
|
|
else: return err(KdfNotSupported)
|
|
|
|
var cipherparams = crypto.getOrDefault("cipherparams")
|
|
if isNil(cipherparams):
|
|
return err(MalformedError)
|
|
|
|
c.cipher.kind = getCipher(crypto.getOrDefault("cipher").getStr())
|
|
c.cipher.params.iv = decodeHex(cipherparams.getOrDefault("iv").getStr())
|
|
c.cipher.text = decodeHex(crypto.getOrDefault("ciphertext").getStr())
|
|
c.mac = decodeHex(crypto.getOrDefault("mac").getStr())
|
|
c.kdfParams = crypto.getOrDefault("kdfparams")
|
|
|
|
if c.cipher.kind == CipherNoSupport:
|
|
return err(CipherNotSupported)
|
|
if len(c.cipher.text) == 0:
|
|
return err(EmptyCiphertext)
|
|
if len(c.mac) == 0:
|
|
return err(EmptyMac)
|
|
if isNil(c.kdfParams):
|
|
return err(MalformedError)
|
|
|
|
return ok(c)
|
|
|
|
# Parses PNKDF2 JSON parameters
|
|
proc decodePbkdf2Params(params: JsonNode): KfResult[Pbkdf2Params] =
|
|
var p: Pbkdf2Params
|
|
p.salt = decodeSalt(params.getOrDefault("salt").getStr())
|
|
if len(p.salt) == 0:
|
|
return err(EmptySalt)
|
|
|
|
p.dklen = params.getOrDefault("dklen").getInt()
|
|
p.c = params.getOrDefault("c").getInt()
|
|
p.prf = getPrfHash(params.getOrDefault("prf").getStr())
|
|
|
|
if p.prf == HashNoSupport:
|
|
return err(PrfNotSupported)
|
|
if p.dklen == 0 or p.dklen > MaxDKLen:
|
|
return err(IncorrectDKLen)
|
|
|
|
return ok(p)
|
|
|
|
# Parses JSON Scrypt parameters
|
|
proc decodeScryptParams(params: JsonNode): KfResult[ScryptParams] =
|
|
var p: ScryptParams
|
|
p.salt = decodeSalt(params.getOrDefault("salt").getStr())
|
|
if len(p.salt) == 0:
|
|
return err(EmptySalt)
|
|
|
|
p.dklen = params.getOrDefault("dklen").getInt()
|
|
p.n = params.getOrDefault("n").getInt()
|
|
p.p = params.getOrDefault("p").getInt()
|
|
p.r = params.getOrDefault("r").getInt()
|
|
|
|
if p.dklen == 0 or p.dklen > MaxDKLen:
|
|
return err(IncorrectDKLen)
|
|
|
|
return ok(p)
|
|
|
|
# Decrypts data
|
|
func decryptSecret(crypto: Crypto, dkey: DKey): KfResult[seq[byte]] =
|
|
var ctx: keccak256
|
|
ctx.init()
|
|
ctx.update(toOpenArray(dkey, 16, 31))
|
|
ctx.update(crypto.cipher.text)
|
|
var mac = ctx.finish()
|
|
ctx.clear()
|
|
if not compareMac(mac.data, crypto.mac):
|
|
return err(IncorrectMac)
|
|
|
|
let plaintext = ? decryptData(crypto.cipher.text, crypto.cipher.kind, dkey, crypto.cipher.params.iv)
|
|
|
|
ok(plaintext)
|
|
|
|
# Parse JSON keyfile and decrypts its content using password
|
|
proc decodeKeyFileJson*(j: JsonNode,
|
|
password: string): KfResult[seq[byte]] =
|
|
## Decode secret from keyfile json object ``j`` using
|
|
## password string ``password``.
|
|
let res = decodeCrypto(j)
|
|
if res.isErr:
|
|
return err(res.error)
|
|
let crypto = res.get()
|
|
|
|
case crypto.kind
|
|
of PBKDF2:
|
|
let res = decodePbkdf2Params(crypto.kdfParams)
|
|
if res.isErr:
|
|
return err(res.error)
|
|
|
|
let params = res.get()
|
|
let dkey = ? deriveKey(password, params.salt, PBKDF2, params.prf, params.c)
|
|
return decryptSecret(crypto, dkey)
|
|
|
|
of SCRYPT:
|
|
let res = decodeScryptParams(crypto.kdfParams)
|
|
if res.isErr:
|
|
return err(res.error)
|
|
|
|
let params = res.get()
|
|
let dkey = ? deriveKey(password, params.salt, params.n, params.r, params.p)
|
|
return decryptSecret(crypto, dkey)
|
|
|
|
# Loads the file at pathname, decrypts and returns all keyfiles encrypted under password
|
|
proc loadKeyFiles*(pathname: string,
|
|
password: string): KfResult[seq[KfResult[seq[byte]]]] =
|
|
## Load and decode data from file with pathname
|
|
## ``pathname``, using password string ``password``.
|
|
## The index successful decryptions is returned
|
|
var data: JsonNode
|
|
var decodedKeyfile: KfResult[seq[byte]]
|
|
var successfullyDecodedKeyfiles: seq[KfResult[seq[byte]]]
|
|
|
|
if fileExists(pathname) == false:
|
|
return err(KeyfileDoesNotExist)
|
|
|
|
# Note that lines strips the ending newline, if present
|
|
try:
|
|
for keyfile in lines(pathname):
|
|
|
|
# We skip empty lines
|
|
if keyfile.len == 0:
|
|
continue
|
|
# We skip all lines that doesn't seem to define a json
|
|
if keyfile[0] != '{' or keyfile[^1] != '}':
|
|
continue
|
|
|
|
try:
|
|
data = json.parseJson(keyfile)
|
|
except JsonParsingError:
|
|
return err(JsonError)
|
|
except ValueError:
|
|
return err(JsonError)
|
|
except OSError:
|
|
return err(OsError)
|
|
except Exception: #parseJson raises Exception
|
|
return err(OsError)
|
|
|
|
decodedKeyfile = decodeKeyFileJson(data, password)
|
|
if decodedKeyfile.isOk():
|
|
successfullyDecodedKeyfiles.add decodedKeyfile
|
|
|
|
except IOError:
|
|
return err(IoError)
|
|
|
|
return ok(successfullyDecodedKeyfiles)
|
|
|
|
# Note that the keyfile is open in Append mode so that multiple credentials can be stored in same file
|
|
proc saveKeyFile*(pathname: string,
|
|
jobject: JsonNode): KfResult[void] =
|
|
## Save JSON object ``jobject`` to file with pathname ``pathname``.
|
|
var
|
|
f: File
|
|
if not f.open(pathname, fmAppend):
|
|
return err(OsError)
|
|
try:
|
|
# To avoid other users/attackers to be able to read keyfiles, we make the file readable/writable only by the running user
|
|
setFilePermissions(pathname, {fpUserWrite, fpUserRead})
|
|
f.write($jobject)
|
|
# We store a keyfile per line
|
|
f.write("\n")
|
|
ok()
|
|
except CatchableError:
|
|
err(OsError)
|
|
finally:
|
|
f.close()
|
|
|