Configurable keys security (#1080)

* adding options & cli flags * adding it to the key deriving * removed duplicated option
openethereum · May 14, 2016 · 2b78e51 · 2b78e51
1 parent 9b91444
commit 2b78e51
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 8 deletions.
diff --git a/parity/cli.rs b/parity/cli.rs
@@ -42,6 +42,9 @@ Account Options:
                            ACCOUNTS is a comma-delimited list of addresses.
   --password FILE          Provide a file containing a password for unlocking
                            an account.
+  --keys-iterations NUM    Specify the number of iterations to use when deriving key
+                           from the password (bigger is more secure)
+                           [default: 10240].
 
 Networking Options:
   --port PORT              Override the port on which the node should listen
@@ -182,6 +185,7 @@ pub struct Args {
 	pub flag_password: Vec<String>,
 	pub flag_cache: Option<usize>,
 	pub flag_keys_path: String,
+	pub flag_keys_iterations: u32,
 	pub flag_bootnodes: Option<String>,
 	pub flag_network_id: Option<String>,
 	pub flag_pruning: String,

diff --git a/parity/configuration.rs b/parity/configuration.rs
@@ -117,6 +117,10 @@ impl Configuration {
 		self.args.flag_keys_path.replace("$HOME", env::home_dir().unwrap().to_str().unwrap())
 	}
 
+	pub fn keys_iterations(&self) -> u32 {
+		self.args.flag_keys_iterations
+	}
+
 	pub fn spec(&self) -> Spec {
 		match self.chain().as_str() {
 			"frontier" | "homestead" | "mainnet" => ethereum::new_frontier(),
@@ -245,7 +249,7 @@ impl Configuration {
 				.collect::<Vec<_>>()
 				.into_iter()
 		}).collect::<Vec<_>>();
-		let account_service = AccountService::new_in(Path::new(&self.keys_path()));
+		let account_service = AccountService::with_security(Path::new(&self.keys_path()), self.keys_iterations());
 		if let Some(ref unlocks) = self.args.flag_unlock {
 			for d in unlocks.split(',') {
 				let a = Address::from_str(clean_0x(&d)).unwrap_or_else(|_| {

diff --git a/parity/main.rs b/parity/main.rs
@@ -219,7 +219,7 @@ fn flush_stdout() {
 fn execute_account_cli(conf: Configuration) {
 	use util::keys::store::SecretStore;
 	use rpassword::read_password;
-	let mut secret_store = SecretStore::new_in(Path::new(&conf.keys_path()));
+	let mut secret_store = SecretStore::with_security(Path::new(&conf.keys_path()), conf.keys_iterations());
 	if conf.args.cmd_new {
 		println!("Please note that password is NOT RECOVERABLE.");
 		print!("Type password: ");

diff --git a/util/src/keys/store.rs b/util/src/keys/store.rs
@@ -73,6 +73,7 @@ pub enum SigningError {
 pub struct SecretStore {
 	directory: KeyDirectory,
 	unlocks: RwLock<HashMap<Address, AccountUnlock>>,
+	key_iterations: u32,
 }
 
 struct AccountUnlock {
@@ -128,10 +129,15 @@ impl AccountProvider for AccountService {
 impl AccountService {
 	/// New account service with the keys store in specific location
 	pub fn new_in(path: &Path) -> Self {
-		let secret_store = RwLock::new(SecretStore::new_in(path));
+		AccountService::with_security(path, KEY_ITERATIONS)
+	}
+
+	/// New account service with the keys store in specific location and configured security parameters
+	pub fn with_security(path: &Path, key_iterations: u32) -> Self {
+		let secret_store = RwLock::new(SecretStore::with_security(path, key_iterations));
 		secret_store.write().unwrap().try_import_existing();
 		AccountService {
-			secret_store: secret_store
+			secret_store: secret_store,
 		}
 	}
 
@@ -157,10 +163,16 @@ impl AccountService {
 impl SecretStore {
 	/// new instance of Secret Store in specific directory
 	pub fn new_in(path: &Path) -> Self {
+		SecretStore::with_security(path, KEY_ITERATIONS)
+	}
+
+	/// new instance of Secret Store in specific directory and configured security parameters
+	pub fn with_security(path: &Path, key_iterations: u32) -> Self {
 		::std::fs::create_dir_all(&path).expect("Cannot access requested key directory - critical");
 		SecretStore {
 			directory: KeyDirectory::new(path),
 			unlocks: RwLock::new(HashMap::new()),
+			key_iterations: key_iterations,
 		}
 	}
 
@@ -206,6 +218,7 @@ impl SecretStore {
 		SecretStore {
 			directory: KeyDirectory::new(path.as_path()),
 			unlocks: RwLock::new(HashMap::new()),
+			key_iterations: KEY_ITERATIONS,
 		}
 	}
 
@@ -289,8 +302,8 @@ fn derive_key_iterations(password: &str, salt: &H256, c: u32) -> (Bytes, Bytes)
 	(derived_right_bits.to_vec(), derived_left_bits.to_vec())
 }
 
-fn derive_key(password: &str, salt: &H256) -> (Bytes, Bytes) {
-	derive_key_iterations(password, salt, KEY_ITERATIONS)
+fn derive_key(password: &str, salt: &H256, iterations: u32) -> (Bytes, Bytes) {
+	derive_key_iterations(password, salt, iterations)
 }
 
 fn derive_key_scrypt(password: &str, salt: &H256, n: u32, p: u32, r: u32) -> (Bytes, Bytes) {
@@ -346,7 +359,7 @@ impl EncryptedHashMap<H128> for SecretStore {
 
 		// two parts of derived key
 		// DK = [ DK[0..15] DK[16..31] ] = [derived_left_bits, derived_right_bits]
-		let (derived_left_bits, derived_right_bits) = derive_key(password, &salt);
+		let (derived_left_bits, derived_right_bits) = derive_key(password, &salt, self.key_iterations);
 
 		let mut cipher_text = vec![0u8; value.as_slice().len()];
 		// aes-128-ctr with initial vector of iv
@@ -361,7 +374,7 @@ impl EncryptedHashMap<H128> for SecretStore {
 				iv,
 				salt,
 				mac,
-				KEY_ITERATIONS,
+				self.key_iterations,
 				KEY_LENGTH));
 		key_file.id = key;
 		if let Err(io_error) = self.directory.save(key_file) {