crypto and key-management api for DeepKey: Keystore & PassphraseManager

CHANGELOG.md

@@ -10,12 +10,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Adds `nix-shell` support for Mac OS X [#1132](https://github.com/holochain/holochain-rust/pull/1132)
 - Adds `hc-test-all` command to `nix-shell` [#1132](https://github.com/holochain/holochain-rust/pull/1132)
 - Adds `./scripts/nix/pod.sh` script to isolate/debug `nix-shell` commands [#1139](https://github.com/holochain/holochain-rust/pull/1139)
+- Adds keystore and passphrase management service [#1104](https://github.com/holochain/holochain-rust/pull/1104)
 - Adds tooling to manage dependencies in Cargo.toml [#1140](https://github.com/holochain/holochain-rust/pull/1140)
 
 ### Changed
 
 - `nix-shell` is now the recommended development approach on supported platforms [#1132](https://github.com/holochain/holochain-rust/pull/1132)
 - Pins every dependant crate version with `=x.y.z` at the Cargo.toml level [#1140](https://github.com/holochain/holochain-rust/pull/1140)
+- Breaking Change: `key_file` value now renamed to `keystore_file` in both config.toml files and the conductor's `admin/agent/add` interface [#1104](https://github.com/holochain/holochain-rust/pull/1104)
 
 ### Deprecated
 

Cargo.toml

@@ -12,7 +12,7 @@ members = [
   "net",
   "nodejs_waiter",
   "sodium",
-  "hc_dpki",
+  "dpki",
   "test_bin",
 ]
 exclude = [

cli/Cargo.toml

@@ -8,7 +8,7 @@ holochain_core_types = { path = "../core_types" }
 holochain_core = { path = "../core" }
 holochain_common = { path = "../common" }
 holochain_conductor_api = { path = "../conductor_api" }
-holochain_dpki = { path = "../hc_dpki" }
+holochain_dpki = { path = "../dpki" }
 holochain_sodium = { path = "../sodium" }
 holochain_wasm_utils = { path = "../wasm_utils" }
 structopt = "=0.2.15"

cli/src/cli/keygen.rs

@@ -1,21 +1,19 @@
 use error::DefaultResult;
 use holochain_common::paths::keys_directory;
-use holochain_dpki::{key_blob::Blobbable, key_bundle::KeyBundle, seed::SeedType, SEED_SIZE};
-use holochain_sodium::secbuf::SecBuf;
-use rpassword;
-use std::{
-    fs::{create_dir_all, File},
-    io::prelude::*,
-    path::PathBuf,
+use holochain_conductor_api::{
+    key_loaders::mock_passphrase_manager,
+    keystore::{Keystore, PRIMARY_KEYBUNDLE_ID},
 };
+use holochain_dpki::SEED_SIZE;
+use rpassword;
+use std::{fs::create_dir_all, path::PathBuf};
 
 pub fn keygen(path: Option<PathBuf>, passphrase: Option<String>) -> DefaultResult<()> {
-    println!(
-        "This will create a new agent key bundle - that is all keys needed to represent one agent."
-    );
-    println!("This key bundle will be stored in a file, encrypted with a passphrase.");
-    println!("The passphrase is securing the keys and will be needed, together with the key file, in order to use the key.");
-    println!("Please enter a secret passphrase below, you will have to enter it again when unlocking this key to use within a Holochain conductor.");
+    println!("This will create a new agent keystore and populate it with an agent keybundle");
+    println!("(=all keys needed to represent an agent: public/private keys for signing/encryption");
+    println!("This keybundle will be stored encrypted by passphrase within the keystore file.");
+    println!("The passphrase is securing the keys and will be needed, together with the file, in order to use the key.");
+    println!("Please enter a secret passphrase below, you will have to enter it again when unlocking these keys to use within a Holochain conductor.");
 
     let passphrase = passphrase.unwrap_or_else(|| {
         let passphrase1 = rpassword::read_password_from_tty(Some("Passphrase: ")).unwrap();
@@ -27,49 +25,36 @@ pub fn keygen(path: Option<PathBuf>, passphrase: Option<String>) -> DefaultResul
         passphrase1
     });
 
-    let mut seed = SecBuf::with_secure(SEED_SIZE);
-    seed.randomize();
-
-    let mut keybundle = KeyBundle::new_from_seed_buf(&mut seed, SeedType::Mock)
-        .expect("Failed to generate keybundle");
-    let passphrase_bytes = passphrase.as_bytes();
-    let mut passphrase_buf = SecBuf::with_insecure(passphrase_bytes.len());
-    passphrase_buf
-        .write(0, passphrase_bytes)
-        .expect("SecBuf must be writeable");
+    let mut keystore = Keystore::new(mock_passphrase_manager(passphrase), None)?;
+    keystore.add_random_seed("root_seed", SEED_SIZE)?;
 
-    let blob = keybundle
-        .as_blob(&mut passphrase_buf, "hint".to_string(), None)
-        .expect("Failed to encrypt with passphrase.");
+    let (pub_key, _) = keystore.add_keybundle_from_seed("root_seed", PRIMARY_KEYBUNDLE_ID)?;
 
     let path = if None == path {
         let p = keys_directory();
         create_dir_all(p.clone())?;
-        p.join(keybundle.get_id().clone())
+        p.join(pub_key.clone())
     } else {
         path.unwrap()
     };
 
-    let mut file = File::create(path.clone())?;
-    file.write_all(serde_json::to_string(&blob).unwrap().as_bytes())?;
+    keystore.save(path.clone())?;
+
     println!("");
-    println!("Succesfully created new agent keys.");
+    println!("Succesfully created new agent keystore.");
     println!("");
-    println!("Public address: {}", keybundle.get_id());
+    println!("Public address: {}", pub_key);
     println!("Bundle written to: {}.", path.to_str().unwrap());
     println!("");
-    println!("You can set this file in a conductor config as key_file for an agent.");
+    println!("You can set this file in a conductor config as keystore_file for an agent.");
     Ok(())
 }
 
 #[cfg(test)]
 pub mod test {
     use super::*;
-    use holochain_dpki::key_blob::KeyBlob;
-    use std::{
-        fs::{remove_file, File},
-        path::PathBuf,
-    };
+    use holochain_conductor_api::{key_loaders::mock_passphrase_manager, keystore::Keystore};
+    use std::{fs::remove_file, path::PathBuf};
 
     #[test]
     fn keygen_roundtrip() {
@@ -78,13 +63,11 @@ pub mod test {
 
         keygen(Some(path.clone()), Some(passphrase.clone())).expect("Keygen should work");
 
-        let mut file = File::open(path.clone()).unwrap();
-        let mut contents = String::new();
-        file.read_to_string(&mut contents).unwrap();
+        let mut keystore =
+            Keystore::new_from_file(path.clone(), mock_passphrase_manager(passphrase), None)
+                .unwrap();
 
-        let blob: KeyBlob = serde_json::from_str(&contents).unwrap();
-        let mut passphrase = SecBuf::with_insecure_from_string(passphrase);
-        let keybundle = KeyBundle::from_blob(&blob, &mut passphrase, None);
+        let keybundle = keystore.get_keybundle(PRIMARY_KEYBUNDLE_ID);
 
         assert!(keybundle.is_ok());
 

cli/src/cli/run.rs

@@ -5,7 +5,8 @@ use holochain_common::env_vars::EnvVar;
 use holochain_conductor_api::{
     conductor::{mount_conductor_from_config, CONDUCTOR},
     config::*,
-    key_loaders::{test_keybundle, test_keybundle_loader},
+    key_loaders::{test_keystore, test_keystore_loader},
+    keystore::PRIMARY_KEYBUNDLE_ID,
     logger::LogRules,
 };
 use holochain_core_types::agent::AgentId;
@@ -26,7 +27,7 @@ pub fn run(
     mount_conductor_from_config(conductor_config);
     let mut conductor_guard = CONDUCTOR.lock().unwrap();
     let conductor = conductor_guard.as_mut().expect("Conductor must be mounted");
-    conductor.key_loader = test_keybundle_loader();
+    conductor.key_loader = test_keystore_loader();
 
     conductor
         .load_config()
@@ -97,13 +98,17 @@ fn agent_configuration() -> AgentConfiguration {
         .value()
         .ok()
         .unwrap_or_else(|| String::from(AGENT_NAME_DEFAULT));
-    let keybundle = test_keybundle(&agent_name);
-    let agent_id = AgentId::new(&agent_name, keybundle.get_id());
+    let mut keystore = test_keystore(&agent_name);
+    let pub_key = keystore
+        .get_keybundle(PRIMARY_KEYBUNDLE_ID)
+        .expect("should be able to get keybundle")
+        .get_id();
+    let agent_id = AgentId::new(&agent_name, pub_key);
     AgentConfiguration {
         id: AGENT_CONFIG_ID.into(),
         name: agent_id.nick,
         public_address: agent_id.pub_sign_key,
-        key_file: agent_name,
+        keystore_file: agent_name,
         holo_remote_key: None,
     }
 }
@@ -274,7 +279,7 @@ mod tests {
                 name: "testAgent".to_string(),
                 public_address: "HcScjN8wBwrn3tuyg89aab3a69xsIgdzmX5P9537BqQZ5A7TEZu7qCY4Xzzjhma"
                     .to_string(),
-                key_file: "testAgent".to_string(),
+                keystore_file: "testAgent".to_string(),
                 holo_remote_key: None,
             },
         );

conductor/example-config/basic.toml

@@ -2,13 +2,13 @@ bridges = []
 
 [[agents]]
 id = "test agent 1"
-key_file = "holo_tester.key"
+keystore_file = "holo_tester.key"
 name = "Holo Tester 1"
 public_address = "HoloTester1-----------------------------------------------------------------------AAACZp4xHB"
 
 [[agents]]
 id = "test agent 2"
-key_file = "holo_tester.key"
+keystore_file = "holo_tester.key"
 name = "Holo Tester 2"
 public_address = "HoloTester2-----------------------------------------------------------------------AAAGy4WW9e"
 

conductor/example-config/empty-container.toml

@@ -2,7 +2,7 @@
 id = "test agent 1"
 name = "Holo Tester 1"
 public_address = "HoloTester1-----------------------------------------------------------------------AAACZp4xHB"
-key_file = "holo_tester.key"
+keystore_file = "holo_tester.key"
 
 dnas = []
 

conductor/example-config/holo.toml

@@ -3,7 +3,7 @@ signing_service_uri = "http://localhost:8888"
 
 [[agents]]
 id = "test agent 1"
-key_file = "holo_tester.key"
+keystore_file = "holo_tester.key"
 name = "Holo Tester 1"
 public_address = "HoloTester1-----------------------------------------------------------------------AAACZp4xHB"
 holo_remote_key = true

conductor/example-config/static-only.toml

@@ -2,7 +2,7 @@
 id = "test agent 1"
 name = "Holo Tester 1"
 public_address = "HoloTester1-----------------------------------------------------------------------AAACZp4xHB"
-key_file = "holo_tester.key"
+keystore_file = "holo_tester.key"
 
 [[ui_bundles]]
 id = "bundle1"

conductor_api/Cargo.toml

@@ -7,7 +7,7 @@ authors = ["Holochain Core Dev Team <[email protected]>"]
 holochain_cas_implementations = { path = "../cas_implementations" }
 holochain_core = { path = "../core" }
 holochain_core_types = { path = "../core_types" }
-holochain_dpki = { path = "../hc_dpki" }
+holochain_dpki = { path = "../dpki" }
 holochain_net = { path = "../net" }
 holochain_sodium = { path = "../sodium" }
 holochain_common = { path = "../common" }

conductor_api/src/conductor/admin.rs

@@ -566,7 +566,7 @@ pub mod tests {
         format!(
             r#"[[agents]]
 id = 'test-agent-1'
-key_file = 'holo_tester1.key'
+keystore_file = 'holo_tester1.key'
 name = 'Holo Tester 1'
 public_address = '{}'"#,
             test_keybundle(1).get_id()
@@ -577,7 +577,7 @@ public_address = '{}'"#,
         format!(
             r#"[[agents]]
 id = 'test-agent-2'
-key_file = 'holo_tester2.key'
+keystore_file = 'holo_tester2.key'
 name = 'Holo Tester 2'
 public_address = '{}'"#,
             test_keybundle(2).get_id()
@@ -1379,7 +1379,7 @@ type = 'websocket'"#,
             id: String::from("new-agent"),
             name: String::from("Mr. New"),
             public_address: AgentId::generate_fake("new").address().to_string(),
-            key_file: String::from("new-test-path"),
+            keystore_file: String::from("new-test-path"),
             holo_remote_key: None,
         };
 
@@ -1399,7 +1399,7 @@ type = 'websocket'"#,
             String::from(
                 r#"[[agents]]
 id = 'new-agent'
-key_file = 'new-test-path'
+keystore_file = 'new-test-path'
 name = 'Mr. New'
 public_address = 'HcScIkRaAaaaaaaaaaAaaaAAAAaaaaaaaaAaaaaAaaaaaaaaAaaAAAAatzu4aqa'"#,
             ),