testutil/keystore: switch to pbkdf2 cipher (#344)

Switches to pbkdf2 cipher. Also error when loading and no files found. category: refactor ticket: #343
ObolNetwork · Apr 4, 2022 · 54dea89 · 54dea89
1 parent d7330a3
commit 54dea89
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 5 deletions.
diff --git a/testutil/keystore/keystore.go b/testutil/keystore/keystore.go
@@ -12,8 +12,9 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-// Package keystore provides functions to store and load simnet private keys
-// to/from EIP 2335 compatible keystore files with "simnet" as passwords.
+// Package keystore provides functions to store and load private keys
+// to/from EIP 2335 compatible keystore files. Password are expected/created
+// in files with same identical names as the keystores, except with txt extension.
 package keystore
 
 import (
@@ -74,6 +75,10 @@ func LoadKeys(dir string) ([]*bls_sig.SecretKey, error) {
 		return nil, errors.Wrap(err, "read files")
 	}
 
+	if len(files) == 0 {
+		return nil, errors.New("no keys found")
+	}
+
 	var resp []*bls_sig.SecretKey
 	for _, f := range files {
 		b, err := os.ReadFile(f)
@@ -111,7 +116,7 @@ type keystore struct {
 	Name    string                 `json:"name"`
 }
 
-// encrypt returns the secret as an encrypted keystore.
+// encrypt returns the secret as an encrypted keystore using pbkdf2 cipher.
 func encrypt(secret *bls_sig.SecretKey, password string, random io.Reader) (keystore, error) {
 	secretBytes, err := tblsconv.SecretToBytes(secret)
 	if err != nil {
@@ -127,7 +132,7 @@ func encrypt(secret *bls_sig.SecretKey, password string, random io.Reader) (keys
 		return keystore{}, errors.Wrap(err, "marshal pubkey")
 	}
 
-	encryptor := keystorev4.New(keystorev4.WithCipher("scrypt"))
+	encryptor := keystorev4.New()
 	fields, err := encryptor.Encrypt(secretBytes, password)
 	if err != nil {
 		return keystore{}, errors.Wrap(err, "encrypt keystore")
@@ -144,7 +149,13 @@ func encrypt(secret *bls_sig.SecretKey, password string, random io.Reader) (keys
 
 // decrypt returns the secret from the encrypted (empty password) keystore.
 func decrypt(store keystore, password string) (*bls_sig.SecretKey, error) {
-	encryptor := keystorev4.New(keystorev4.WithCipher("scrypt"))
+	// Ugly way to check if the untyped store.Crypto field contains a "scrypt" kdf function.
+	cipher := "pbkdf2"
+	if strings.Contains(fmt.Sprint(store.Crypto["kdf"]), "scrypt") {
+		cipher = "scrypt"
+	}
+
+	encryptor := keystorev4.New(keystorev4.WithCipher(cipher))
 	secretBytes, err := encryptor.Decrypt(store.Crypto, password)
 	if err != nil {
 		return nil, errors.Wrap(err, "decrypt keystore")

diff --git a/testutil/keystore/keystore_test.go b/testutil/keystore/keystore_test.go
@@ -15,6 +15,7 @@
 package keystore_test
 
 import (
+	"fmt"
 	"os"
 	"testing"
 
@@ -45,3 +46,19 @@ func TestStoreLoad(t *testing.T) {
 
 	require.Equal(t, secrets, actual)
 }
+
+func TestLoadEmpty(t *testing.T) {
+	_, err := keystore.LoadKeys(".")
+	require.Error(t, err)
+}
+
+func TestLoadScrypt(t *testing.T) {
+	secrets, err := keystore.LoadKeys("testdata")
+	require.NoError(t, err)
+
+	require.Len(t, secrets, 1)
+
+	b, err := secrets[0].MarshalBinary()
+	require.NoError(t, err)
+	require.Equal(t, "10b16fc552aa607fa1399027f7b86ab789077e470b5653b338693dc2dde02468", fmt.Sprintf("%x", b))
+}
diff --git a/testutil/keystore/testdata/keystore-scrypt.json b/testutil/keystore/testdata/keystore-scrypt.json
@@ -0,0 +1,31 @@
+{
+ "crypto": {
+  "checksum": {
+   "function": "sha256",
+   "message": "4f4234d42ce148673d2c4ac1a90e3a6d640bfc587673173862311ead379bab77",
+   "params": {}
+  },
+  "cipher": {
+   "function": "aes-128-ctr",
+   "message": "3d2a3c2637adac3b6829b2f4a3832c002338092fc105d60530d4446dac485c4d",
+   "params": {
+    "iv": "94ca64152a3f8395e05cd50929bb4e7d"
+   }
+  },
+  "kdf": {
+   "function": "scrypt",
+   "message": "",
+   "params": {
+    "dklen": 32,
+    "n": 262144,
+    "p": 1,
+    "r": 8,
+    "salt": "760596fa5e376b691abb8d74b973583562cd636f4db0ef8f1962d27eca0c528d"
+   }
+  }
+ },
+ "uuid": "3E40BBD1-565C-0F76-6508-DF06F57803F9",
+ "pubkey": "affcbf73c0609899141340513dc85f0ab2b6099e7beb700b7dbc000bcefc25b621405a6b9e29578f708bfd443332202c",
+ "version": 4,
+ "name": "keystore"
+}
diff --git a/testutil/keystore/testdata/keystore-scrypt.txt b/testutil/keystore/testdata/keystore-scrypt.txt
@@ -0,0 +1 @@
+b919b2444a86353a5f226911efe5105e