Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: wallet security solution #10805

Closed
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions api/api_full.go
Original file line number Diff line number Diff line change
Expand Up @@ -330,6 +330,10 @@ type FullNode interface {
// WalletValidateAddress validates whether a given string can be decoded as a well-formed address
WalletValidateAddress(context.Context, string) (address.Address, error) //perm:read

// wallet-security FullNodeExt WalletCustomMethod
// WalletCustomMethod wallet extension operation
WalletCustomMethod(context.Context, WalletMethod, []interface{}) (interface{}, error) //perm:admin

// Other

// MethodGroup: Client
Expand Down
3 changes: 3 additions & 0 deletions api/api_wallet.go
Original file line number Diff line number Diff line change
Expand Up @@ -44,4 +44,7 @@ type Wallet interface {
WalletExport(context.Context, address.Address) (*types.KeyInfo, error) //perm:admin
WalletImport(context.Context, *types.KeyInfo) (address.Address, error) //perm:admin
WalletDelete(context.Context, address.Address) error //perm:admin

// wallet-security WalletExt WalletCustomMethod
WalletCustomMethod(context.Context, WalletMethod, []interface{}) (interface{}, error) //perm:admin
}
44 changes: 44 additions & 0 deletions api/api_wallet_ext.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
package api

import (
"github.com/filecoin-project/go-address"
)

// wallet-security AddrListEncrypt stuct
type AddrListEncrypt struct {
Addr address.Address
Encrypt bool
}
type WalletMethod int64

const (
Unknown WalletMethod = 0
WalletListForEnc WalletMethod = 1
WalletExportForEnc WalletMethod = 2
WalletDeleteForEnc WalletMethod = 3
WalletAddPasswd WalletMethod = 4
WalletResetPasswd WalletMethod = 5
WalletClearPasswd WalletMethod = 6
WalletCheckPasswd WalletMethod = 7
WalletEncrypt WalletMethod = 8
WalletDecrypt WalletMethod = 9
WalletIsEncrypt WalletMethod = 10
)

var WalletMethodStr = map[WalletMethod]string{
Unknown: "Unknown",
WalletListForEnc: "WalletListForEnc",
WalletExportForEnc: "WalletExportForEnc",
WalletDeleteForEnc: "WalletDeleteForEnc",
WalletAddPasswd: "WalletAddPasswd",
WalletResetPasswd: "WalletResetPasswd",
WalletClearPasswd: "WalletClearPasswd",
WalletCheckPasswd: "WalletCheckPasswd",
WalletEncrypt: "WalletEncrypt",
WalletDecrypt: "WalletDecrypt",
WalletIsEncrypt: "WalletIsEncrypt",
}

func (w WalletMethod) String() string {
return WalletMethodStr[w]
}
5 changes: 5 additions & 0 deletions api/docgen/docgen.go
Original file line number Diff line number Diff line change
Expand Up @@ -482,6 +482,11 @@ func ExampleValue(method string, t, parent reflect.Type) interface{} {
}
case reflect.Interface:
return struct{}{}
// wallet-security fix docgen build err
case reflect.Int64:
return 0
case reflect.Map:
return make(map[string]string)
}

panic(fmt.Sprintf("No example value for type: %s (method '%s')", t, method))
Expand Down
15 changes: 15 additions & 0 deletions api/mocks/mock_full.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

26 changes: 26 additions & 0 deletions api/proxy_gen.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 4 additions & 0 deletions api/v0api/full.go
Original file line number Diff line number Diff line change
Expand Up @@ -305,6 +305,10 @@ type FullNode interface {
// WalletValidateAddress validates whether a given string can be decoded as a well-formed address
WalletValidateAddress(context.Context, string) (address.Address, error) //perm:read

// wallet-security FullNodeExt WalletCustomMethod
// WalletCustomMethod wallet extension operation
WalletCustomMethod(context.Context, api.WalletMethod, []interface{}) (interface{}, error) //perm:admin

// Other

// MethodGroup: Client
Expand Down
13 changes: 13 additions & 0 deletions api/v0api/proxy_gen.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

15 changes: 15 additions & 0 deletions api/v0api/v0mocks/mock_full.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Binary file modified build/openrpc/full.json.gz
Binary file not shown.
Binary file modified build/openrpc/gateway.json.gz
Binary file not shown.
Binary file modified build/openrpc/miner.json.gz
Binary file not shown.
Binary file modified build/openrpc/worker.json.gz
Binary file not shown.
20 changes: 17 additions & 3 deletions chain/wallet/key/key.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,16 @@ func GenerateKey(typ types.KeyType) (*Key, error) {
if err != nil {
return nil, err
}

// wallet-security 加密
pk1, err := MakeByte(pk)
if err != nil {
return nil, err
}

ki := types.KeyInfo{
Type: typ,
PrivateKey: pk,
PrivateKey: pk1, //PrivateKey: pk,
}
return NewKey(ki)
}
Expand All @@ -39,8 +46,15 @@ func NewKey(keyinfo types.KeyInfo) (*Key, error) {
KeyInfo: keyinfo,
}

var err error
k.PublicKey, err = sigs.ToPublic(ActSigType(k.Type), k.PrivateKey)
// wallet-security 解密
// var err error
// k.PublicKey, err = sigs.ToPublic(ActSigType(k.Type), k.PrivateKey)
pk, err := UnMakeByte(k.PrivateKey)
if err != nil {
return nil, err
}
k.PublicKey, err = sigs.ToPublic(ActSigType(k.Type), pk)

if err != nil {
return nil, err
}
Expand Down
104 changes: 104 additions & 0 deletions chain/wallet/key/key_ext.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,104 @@
package key

import (
"bytes"
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"encoding/hex"
"io"

"golang.org/x/xerrors"
)

var AddrPrefix = []byte{0xff, 0xff, 0xff, 0xff, 0xff} // addrPrefix = "/////"
var WalletPasswd string = ""
var PasswdPath string = ""

// wallet-security AESEncrypt/AESDecrypt
// IsSetup check setup password for wallet
func IsSetup() bool {
return PasswdPath != ""
}

// IsLock check setup lock for wallet
func IsLock() bool {
return WalletPasswd == ""
}

func AESEncrypt(key, plaintext []byte) ([]byte, error) {
block, err := aes.NewCipher(key)
if err != nil {
return nil, xerrors.Errorf("passwd must 6 to 16 characters")
}

ciphertext := make([]byte, aes.BlockSize+len(plaintext))
iv := ciphertext[:aes.BlockSize]
if _, err := io.ReadFull(rand.Reader, iv); err != nil {
return nil, err
}

stream := cipher.NewCFBEncrypter(block, iv)
stream.XORKeyStream(ciphertext[aes.BlockSize:], plaintext)

return ciphertext, nil
}

func AESDecrypt(key, ciphertext []byte) ([]byte, error) {
block, err := aes.NewCipher(key)
if err != nil {
return nil, xerrors.Errorf("passwd must 6 to 16 characters")
} else if len(ciphertext) < aes.BlockSize {
return nil, xerrors.Errorf("passwd must 6 to 16 characters")
}

iv := ciphertext[:aes.BlockSize]
ciphertext = ciphertext[aes.BlockSize:]
stream := cipher.NewCFBDecrypter(block, iv)
stream.XORKeyStream(ciphertext, ciphertext)

return ciphertext, nil
}

func UnMakeByte(pk []byte) ([]byte, error) {
if !IsSetup() {
return pk, nil
}

if !bytes.Equal(pk[:4], AddrPrefix) {
return pk, nil
} else if !IsLock() {
msg := make([]byte, len(pk)-4)
copy(msg, pk[4:])
m5_passwd, _ := hex.DecodeString(WalletPasswd)
return AESDecrypt(m5_passwd, msg)
}
return nil, xerrors.Errorf("wallet is lock")
}

func MakeByte(pk []byte) ([]byte, error) {
if !IsSetup() {
return pk, nil
}

if IsLock() {
return nil, xerrors.Errorf("wallet is lock")
}

m5_passwd, _ := hex.DecodeString(WalletPasswd)
msg, err := AESEncrypt(m5_passwd, pk)
if err != nil {
return nil, err
}
text := make([]byte, len(msg)+4)
copy(text[:4], AddrPrefix)
copy(text[4:], msg)
return text, nil
}

func IsPrivateKeyEnc(pk []byte) bool {
if !IsSetup() || !bytes.Equal(pk[:4], AddrPrefix) {
return false
}
return true
}
6 changes: 6 additions & 0 deletions chain/wallet/ledger/ledger.go
Original file line number Diff line number Diff line change
Expand Up @@ -227,6 +227,12 @@ func (lw LedgerWallet) WalletNew(ctx context.Context, t types.KeyType) (address.
return lw.importKey(ctx, lki)
}

// wallet-security LedgerWallet WalletCustomMethod
// WalletCustomMethod dont use this method for LedgerWallet
func (lw *LedgerWallet) WalletCustomMethod(ctx context.Context, meth api.WalletMethod, args []interface{}) (interface{}, error) {
return nil, xerrors.Errorf("LedgerWallet do not support extension operations for the time being")
}

func (lw *LedgerWallet) Get() api.Wallet {
if lw == nil {
return nil
Expand Down
Loading