(* *)
(* Copyright (c) 2014 - 2017. *)
(* Dynamic Ledger Solutions, Inc. <> *)
(* *)
(* All rights reserved. No warranty, explicit or implicit, provided. *)
(* *)
open Client_keys
let scheme = "encrypted"
module Raw = struct
(* *)
let salt_len = 8
(* Fixed zero nonce *)
let nonce = Crypto_box.zero_nonce
let pbkdf ~salt ~password =
(Pbkdf.pbkdf2 ~prf:`SHA512 ~count:2048 ~dk_len:32l
~salt: (Cstruct.of_bigarray salt)
~password: (Cstruct.of_bigarray password))
let encrypt ~password sk =
let salt = Rand.generate salt_len in
let key = Crypto_box.Secretbox.unsafe_of_bytes (pbkdf ~password ~salt) in
let msg = Data_encoding.Binary.to_bytes_exn Signature.Secret_key.encoding sk in
let encrypted_passwd = key msg nonce in
MBytes.concat "" [ salt ; encrypted_passwd ]
let decrypt ~password ~encrypted_sk =
let len = MBytes.length encrypted_sk in
let salt = MBytes.sub encrypted_sk 0 salt_len in
let encrypted_sk = MBytes.sub encrypted_sk salt_len (len - salt_len) in
let key = Crypto_box.Secretbox.unsafe_of_bytes (pbkdf ~salt ~password) in
match Crypto_box.Secretbox.box_open key encrypted_sk nonce with
| None -> return None
| Some bytes ->
match Data_encoding.Binary.of_bytes Signature.Secret_key.encoding bytes with
| None -> failwith "Corrupted wallet, deciphered key is invalid"
| Some sk -> return (Some sk)
let decrypted = Hashtbl.create 13
let passwords = ref []
let rec interactive_decrypt_loop
(cctxt : #Client_context.prompter)
?name ~encrypted_sk =
match name with
| None ->
"Enter password for encrypted key: "
| Some name ->
"Enter password for encrypted key \"%s\": " name
end >>=? fun password ->
Raw.decrypt ~password ~encrypted_sk >>=? function
| None ->
interactive_decrypt_loop cctxt ?name ~encrypted_sk
| Some sk ->
passwords := password :: !passwords ;
return sk
let rec noninteractice_decrypt_loop ~encrypted_sk = function
| [] -> return None
| password :: passwords ->
Raw.decrypt ~password ~encrypted_sk >>=? function
| None -> noninteractice_decrypt_loop ~encrypted_sk passwords
| Some sk -> return (Some sk)
let decrypt_payload cctxt ?name encrypted_sk =
match Base58.safe_decode encrypted_sk with
| None -> failwith "Not a Base58 encoded encrypted key"
| Some encrypted_sk ->
let encrypted_sk = MBytes.of_string encrypted_sk in
noninteractice_decrypt_loop ~encrypted_sk !passwords >>=? function
| Some sk -> return sk
| None -> interactive_decrypt_loop cctxt ?name ~encrypted_sk
let decrypt cctxt ?name sk_uri =
let payload = Uri.path (sk_uri : sk_uri :> Uri.t) in
decrypt_payload cctxt ?name payload >>=? fun sk ->
Hashtbl.replace decrypted sk_uri sk ;
return sk
let decrypt_all (cctxt : #Client_context.io_wallet) =
Secret_key.load cctxt >>=? fun sks ->
iter_s begin fun (name, sk_uri) ->
if Uri.scheme (sk_uri : sk_uri :> Uri.t) <> Some scheme then
decrypt cctxt ~name sk_uri >>=? fun _ ->
end sks
let rec read_passphrase (cctxt : =
"Enter passphrase to encrypt your key: " >>=? fun password ->
"Confirm passphrase: " >>=? fun confirm ->
if not (MBytes.equal password confirm) then
cctxt#message "Passphrases do not match." >>= fun () ->
read_passphrase cctxt
return password
let encrypt cctxt sk =
read_passphrase cctxt >>=? fun password ->
let payload = Raw.encrypt ~password sk in
let path = Base58.safe_encode (MBytes.to_string payload) in
let sk_uri = Client_keys.make_sk_uri (Uri.make ~scheme ~path ()) in
Hashtbl.replace decrypted sk_uri sk ;
return sk_uri
module Make(C : sig val cctxt: Client_context.prompter end) = struct
let scheme = "encrypted"
let title =
"Built-in signer using encrypted keys."
let description =
"Valid secret key URIs are of the form\n\
\ - encrypted:<encrypted_key>\n\
where <encrypted_key> is the encrypted (passphrase protected \
using Nacl's cryptobox and pbkdf) secret key, formatted in \
unprefixed Base58.\n\
Valid public key URIs are of the form\n\
\ - encrypted:<public_key>\n\
where <public_key> is the public key in Base58."
let public_key = Unencrypted.public_key
let public_key_hash = Unencrypted.public_key_hash
let neuterize sk_uri =
decrypt C.cctxt sk_uri >>=? fun sk ->
return (Unencrypted.make_pk (Signature.Secret_key.to_public_key sk))
let sign ?watermark sk_uri buf =
decrypt C.cctxt sk_uri >>=? fun sk ->
return (Signature.sign ?watermark sk buf)