1 parent
a5d2e56
commit cccb635
Showing
284 changed files
with
22,047 additions
and
2 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
*.tmp | ||
*.tmp.* | ||
.vscode/ | ||
npm-debug.log* | ||
|
||
.idea/ | ||
.sourcemaps/ | ||
.sass-cache/ | ||
.tmp/ | ||
.versions/ | ||
coverage/ | ||
dist/ | ||
node_modules/ | ||
tmp/ | ||
temp/ | ||
platforms/ | ||
plugins/ | ||
plugins/android.json | ||
plugins/ios.json | ||
www/ | ||
.DS_Store | ||
Thumbs.db | ||
UserInterfaceState.xcuserstate | ||
*.md5 | ||
lintReport.json | ||
lcov.info | ||
reports/ |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
# EditorConfig helps developers define and maintain consistent coding styles between different editors and IDEs | ||
# editorconfig.org | ||
|
||
root = true | ||
|
||
[*] | ||
indent_style = space | ||
indent_size = 2 | ||
|
||
# We recommend you to keep these unchanged | ||
end_of_line = lf | ||
charset = utf-8 | ||
trim_trailing_whitespace = true | ||
insert_final_newline = true | ||
|
||
[*.md] | ||
trim_trailing_whitespace = false |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
# Specifies intentionally untracked files to ignore when using Git | ||
# http://git-scm.com/docs/gitignore | ||
|
||
*~ | ||
*.sw[mnpcod] | ||
*.log | ||
*.tmp | ||
*.tmp.* | ||
log.txt | ||
*.sublime-project | ||
*.sublime-workspace | ||
.vscode/ | ||
npm-debug.log* | ||
|
||
.idea/ | ||
.sourcemaps/ | ||
.sass-cache/ | ||
.tmp/ | ||
.versions/ | ||
coverage/ | ||
dist/ | ||
node_modules/ | ||
tmp/ | ||
temp/ | ||
platforms/ | ||
plugins/ | ||
plugins/android.json | ||
plugins/ios.json | ||
www/ | ||
$RECYCLE.BIN/ | ||
lintReport.json | ||
lcov.info | ||
reports/ | ||
|
||
.DS_Store | ||
Thumbs.db | ||
UserInterfaceState.xcuserstate | ||
e2e-reports/* | ||
|
||
airgap_cordova_secure_storage_deploy | ||
airgap_cordova_secure_storage_deploy.pub |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,103 @@ | ||
image: docker:latest | ||
|
||
variables: | ||
IMAGE_TAG: $CI_REGISTRY_IMAGE | ||
IMAGE_TAG_CURRENT: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA | ||
IMAGE_TAG_LATEST: $CI_REGISTRY_IMAGE:latest | ||
IMAGE_TAG_ANDROID_CURRENT: $CI_REGISTRY_IMAGE:android-$CI_COMMIT_SHA | ||
IMAGE_TAG_ANDROID_LATEST: $CI_REGISTRY_IMAGE:android-latest | ||
|
||
stages: | ||
- build | ||
- test | ||
- native_build | ||
- qa | ||
|
||
build_ionic: | ||
stage: build | ||
before_script: | ||
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY | ||
- echo "$GITLAB_DEPLOY_SSH_KEY" > airgap_cordova_secure_storage_deploy | ||
- echo "$GITLAB_DEPLOY_SSH_KEY_PUB" > airgap_cordova_secure_storage_deploy.pub | ||
script: | ||
- docker build --cache-from $IMAGE_TAG_LATEST -t $IMAGE_TAG . | ||
- docker tag $IMAGE_TAG $IMAGE_TAG_CURRENT | ||
- docker tag $IMAGE_TAG $IMAGE_TAG_LATEST | ||
- docker push $IMAGE_TAG_CURRENT | ||
- docker push $IMAGE_TAG_LATEST | ||
tags: | ||
- docker | ||
|
||
unit: | ||
stage: test | ||
before_script: | ||
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY | ||
script: | ||
- docker run --name unit-$CI_COMMIT_SHA $IMAGE_TAG_CURRENT npm run test-ci | ||
- docker run --name lint-$CI_COMMIT_SHA $IMAGE_TAG_CURRENT npm run lint-ci | ||
- docker cp unit-$CI_COMMIT_SHA:/app/coverage/lcov.info lcov.info | ||
- docker cp lint-$CI_COMMIT_SHA:/app/lintReport.json lintReport.json | ||
after_script: | ||
- docker rm unit-$CI_COMMIT_SHA | ||
- docker rm lint-$CI_COMMIT_SHA | ||
tags: | ||
- docker | ||
artifacts: | ||
paths: | ||
- lcov.info | ||
- lintReport.json | ||
|
||
build_android: | ||
stage: native_build | ||
when: manual | ||
tags: | ||
- docker | ||
before_script: | ||
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY | ||
- echo "$GITLAB_DEPLOY_SSH_KEY" > airgap_cordova_secure_storage_deploy | ||
- echo "$GITLAB_DEPLOY_SSH_KEY_PUB" > airgap_cordova_secure_storage_deploy.pub | ||
script: | ||
- docker build -f build/android/Dockerfile -t $IMAGE_TAG_ANDROID_CURRENT --build-arg KEYSTORE_PASSWORD="$KEYSTORE_PASSWORD" --build-arg KEYSTORE_ALIAS="$KEYSTORE_ALIAS" --build-arg BUILD_NR="$CI_PIPELINE_ID" . | ||
- docker run --name $CI_PIPELINE_ID $IMAGE_TAG_ANDROID_CURRENT echo "container ran." | ||
- docker cp $CI_PIPELINE_ID:/app/android-release-unsigned.apk android-release-unsigned-$CI_PIPELINE_ID.apk | ||
- docker cp $CI_PIPELINE_ID:/app/android-debug.apk android-debug-$CI_PIPELINE_ID.apk | ||
after_script: | ||
- docker rm -f $CI_PIPELINE_ID || true | ||
artifacts: | ||
paths: | ||
- android-release-unsigned-$CI_PIPELINE_ID.apk | ||
- android-debug-$CI_PIPELINE_ID.apk | ||
|
||
build_ios: | ||
stage: native_build | ||
when: manual | ||
before_script: | ||
- echo "$GITLAB_DEPLOY_SSH_KEY" > airgap_cordova_secure_storage_deploy | ||
- echo "$GITLAB_DEPLOY_SSH_KEY_PUB" > airgap_cordova_secure_storage_deploy.pub | ||
script: | ||
- npm install | ||
- sed -i -e "s/ios-CFBundleVersion=\"1.0.0\"/ios-CFBundleVersion=\"1.0.$CI_PIPELINE_ID\"/g" config.xml | ||
- ionic run build --prod | ||
- ionic cordova platform rm ios | ||
- ionic cordova platform add ios@latest | ||
- find ./resources/ -name "*.png" -exec convert "{}" -alpha off "{}" \; | ||
- fastlane ios beta | ||
artifacts: | ||
paths: | ||
- app-release.ipa | ||
tags: | ||
- ios | ||
|
||
qa: | ||
stage: qa | ||
before_script: | ||
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY | ||
script: | ||
- docker create --name qa-$CI_PIPELINE_ID $IMAGE_TAG_CURRENT npm run sonar-scanner -- -X -Dsonar.typescript.lcov.reportPaths=lcov.info -Dsonar.typescript.tslint.reportPaths=lintReport.json -Dsonar.test.inclusions=**/*.spec.ts -Dsonar.tests=src/ -Dsonar.exclusions=**/node_modules/**,**/*.spec.ts -Dsonar.sources=src/ -Dsonar.host.url=$SONAR_URL -Dsonar.login=$SONAR_LOGIN -Dsonar.gitlab.commit_sha=$CI_COMMIT_SHA -Dsonar.gitlab.ref_name=$CI_COMMIT_REF_NAME -Dsonar.gitlab.project_id=$CI_PROJECT_ID | ||
- docker cp lcov.info qa-$CI_PIPELINE_ID:/app/lcov.info | ||
- docker cp lintReport.json qa-$CI_PIPELINE_ID:/app/lintReport.json | ||
- docker start -a qa-$CI_PIPELINE_ID | ||
after_script: | ||
- docker rm -f qa-$CI_PIPELINE_ID || true | ||
tags: | ||
- docker |
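Review bot: The `build_android` job passes `KEYSTORE_PASSWORD` and `KEYSTORE_ALIAS` through `--build-arg`, and build arguments end up in the image's build history as soon as a Dockerfile declares them, so the signing credentials would be readable by anyone who can pull the image. The Dockerfile section at the end of this commit (presumably `build/android/Dockerfile`) declares only `ARG BUILD_NR`, so the two arguments look unused today; I would drop them here and, when signing is added, hand the password to the one step that needs it with a BuildKit secret mount (`RUN --mount=type=secret`). All four `before_script` blocks also put the job token on the command line with `-p $CI_JOB_TOKEN`; `echo "$CI_JOB_TOKEN" | docker login -u gitlab-ci-token --password-stdin $CI_REGISTRY` keeps it out of the process list. The `qa` job similarly passes `-Dsonar.login=$SONAR_LOGIN` together with `-X`, so it is worth checking that the debug output does not echo the token into the job log.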
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
FROM node:8-slim | ||
|
||
# See https://crbug.com/795759 | ||
RUN apt-get update && apt-get install -yq libgconf-2-4 bzip2 build-essential | ||
RUN apt-get install -yq git | ||
|
||
# Install latest chrome dev package and fonts to support major charsets (Chinese, Japanese, Arabic, Hebrew, Thai and a few others) | ||
# Note: this installs the necessary libs to make the bundled version of Chromium that Puppeteer | ||
# installs, work. | ||
RUN apt-get update && apt-get install -y wget --no-install-recommends \ | ||
&& wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add - \ | ||
&& sh -c 'echo "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list' \ | ||
&& apt-get update \ | ||
&& apt-get install -y google-chrome-unstable fonts-ipafont-gothic fonts-wqy-zenhei fonts-thai-tlwg fonts-kacst ttf-freefont \ | ||
--no-install-recommends \ | ||
&& rm -rf /var/lib/apt/lists/* \ | ||
&& apt-get purge --auto-remove -y curl \ | ||
&& rm -rf /src/*.deb | ||
|
||
# create app directory | ||
RUN mkdir /app | ||
WORKDIR /app | ||
|
||
# Install app dependencies, using wildcard if package-lock exists | ||
COPY package.json /app | ||
COPY package-lock.json /app | ||
|
||
# copy deploy keys for pull-access | ||
RUN mkdir -p /root/.ssh | ||
|
||
COPY airgap_cordova_secure_storage_deploy /root/.ssh/id_rsa | ||
COPY airgap_cordova_secure_storage_deploy.pub /root/.ssh/id_rsa.pub | ||
|
||
RUN chmod 700 /root/.ssh/id_rsa | ||
|
||
RUN echo "Host gitlab.papers.tech\n\tStrictHostKeyChecking no\n" >> /root/.ssh/config | ||
|
||
# install dependencies | ||
RUN npm install | ||
|
||
# install static webserver | ||
RUN npm install node-static -g | ||
|
||
# Bundle app source | ||
COPY . /app | ||
|
||
# set to production | ||
RUN export NODE_ENV=production | ||
|
||
# build | ||
RUN npm run build | ||
|
||
CMD ["static", "-p", "8100", "-a", "0.0.0.0", "www"] |
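Review bot: The private deploy key copied to `/root/.ssh/id_rsa` stays in an image layer, and the CI section of this commit pushes that image to the registry, so anyone who can pull the image can read the key; `COPY . /app` probably copies it a second time, since the ignore list in the first section of this commit does not exclude the two key files. The `StrictHostKeyChecking no` entry means the `npm install` step accepts whatever host key is presented for gitlab.papers.tech, so dependencies fetched over SSH are not authenticated. I would forward the key to that one step with `RUN --mount=type=ssh npm install` (built with `docker build --ssh`), drop the two key `COPY` lines and the `chmod`, and replace the config line with a pinned `known_hosts` entry for the host. The same four lines appear in the other Dockerfile section at the end of this commit. Separately, `RUN export NODE_ENV=production` does not carry over to later steps; if the build is meant to run in production mode, `ENV NODE_ENV=production` is what persists.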
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,55 @@ | ||
# AirGap Vault | ||
We will release the code on GitHub shortly. Meanwhile you can download the app through the Google Play Store https://play.google.com/store/apps/details?id=it.airgap.vault | ||
# Secure Mobile Offline Keystore and Signer | ||
|
||
An open source mobile app used to store secrets and sign transactions securely. | ||
|
||
## Introduction | ||
|
||
Together with the Aeternity team we identified the urging need for an easy and secure method to generate crypto currency keys, store them and use them to sign transactions. Having worked with large financial institutions helping them in securing their most sensitive apps, the AirGap team believes to give the crypto community a tool that meets the highest possible standards of mobile security. | ||
|
||
## Attack Vectors | ||
|
||
These are the relevant attack vectors we identified and how we mitigate them, feel free to contact us and discuss possible other scenarios: | ||
|
||
## App 2 App Communication | ||
|
||
The security concept behind air gapped systems is to work with 2 physically separated devices, one of which has no connection to the outside world (internet). In our context the component which has no internet connection is this signer app. The two component communicate through URL schemes, these URLs can be simply provided with QR codes. | ||
|
||
## Key Generation | ||
|
||
### Entropy Seeder | ||
|
||
The entropy seeder uses the native secure random functionality provided by the system and concatenates this with the sha3 hash of the additional entropy. The rationale behind this is: | ||
|
||
- the sha3 hashing algorithm is cryptographically secure such that the following holds: `entropy(sha3(secureRandom())) >= entropy(secureRandom())` | ||
- adding bytes to the sha3 function will never lover entropy but only add to it such that the following holds: `entropy(sha3(secureRandom() + additionaEntropy)) >= entropy(sha3(secureRandom()))` | ||
- by reusing the hash of an earlier "round" as a salt we can incorporate the entire collected entropy of the previous round. | ||
- native secure random cannot be fully trusted because there is no API to check the entropy pool it's using | ||
|
||
For more technical people here the algorithm being used for the entropy seeding: | ||
|
||
``` | ||
const ENTROPY_BYTE_SIZE = 256 | ||
let entropyHashHexString = null | ||
function toHexString(array){ | ||
return array.map(function(i) { | ||
return ('0' + i.toString(16)).slice(-2); | ||
}).join(''); | ||
} | ||
function seedEntropy (additionalEntropyArray) { | ||
const secureRandomArray = new Uint8Array(ENTROPY_BYTE_SIZE) | ||
window.crypto.getRandomValues(secureRandomArray) | ||
console.log(entropyHashHexString+toHexString(secureRandomArray)+toHexString(additionalEntropyArray)) | ||
entropyHashHexString = sha3_256(entropyHashHexString+toHexString(secureRandomArray)+toHexString(additionalEntropyArray)) | ||
return entropyHashHexString | ||
} | ||
``` | ||
|
||
## Similar Initiatives | ||
|
||
- https://github.com/paritytech/parity-signer | ||
- https://bitkey.io/ | ||
- https://myetherwallet.com/ | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,76 @@ | ||
FROM agileek/ionic-framework:3.19.1 | ||
|
||
RUN apt-get update -y | ||
RUN apt-get install -y bzip2 build-essential | ||
RUN apt-get install -y pkg-config libcairo2-dev | ||
RUN apt-get install -y libjpeg-dev | ||
|
||
# install fastlane | ||
RUN gem install fastlane -NV | ||
|
||
# android build tools version | ||
RUN ["/opt/tools/android-accept-licenses.sh", "android update sdk --all --no-ui --filter build-tools-26.0.2,android-27"] | ||
|
||
# create app directory | ||
RUN mkdir /app | ||
WORKDIR /app | ||
|
||
# install npm 5.7.0 to fix https://github.com/npm/npm/issues/19356 | ||
RUN npm install -g npm@5.7.0 | ||
|
||
# install ionic | ||
RUN npm install -g ionic@3.20.0 | ||
|
||
# Install app dependencies, using wildcard if package-lock exists | ||
COPY package.json /app/package.json | ||
COPY package-lock.json /app/package-lock.json | ||
|
||
# copy deploy keys for pull-access | ||
RUN mkdir -p /root/.ssh | ||
|
||
COPY airgap_cordova_secure_storage_deploy /root/.ssh/id_rsa | ||
COPY airgap_cordova_secure_storage_deploy.pub /root/.ssh/id_rsa.pub | ||
|
||
RUN chmod 700 /root/.ssh/id_rsa | ||
|
||
RUN echo "Host gitlab.papers.tech\n\tStrictHostKeyChecking no\n" >> /root/.ssh/config | ||
|
||
# install dependencies | ||
RUN npm install --no-optional | ||
|
||
# copy config.xml, ionic configs and resources to allow plugin installation | ||
COPY config.xml /app/config.xml | ||
COPY ionic.config.json /app/ionic.config.json | ||
COPY ./resources /app/resources | ||
|
||
RUN mkdir www | ||
|
||
# run ionic android build | ||
RUN ionic info | ||
|
||
# removing cordova-plugin-airgap-secure-storage from package.json due to https://issues.apache.org/jira/browse/CB-13507 | ||
RUN sed -i '/cordova-plugin-airgap-secure-storage/d' ./package.json | ||
|
||
# Bundle app source | ||
COPY ./hooks /app/hooks | ||
|
||
# add android platform | ||
RUN ionic cordova platforms add android | ||
|
||
# Bundle app source | ||
COPY . /app | ||
|
||
# set version code | ||
ARG BUILD_NR | ||
RUN sed -i -e "s/android-versionCode=\"1\"/android-versionCode=\"$BUILD_NR\"/g" config.xml | ||
|
||
# build apk | ||
RUN ionic cordova build android --prod --release --no-interactive | ||
|
||
# copy release-apk | ||
RUN cp /app/platforms/android/app/build/outputs/apk/release/app-release-unsigned.apk android-release-unsigned.apk | ||
|
||
RUN cp android-release-unsigned.apk android-debug.apk | ||
|
||
# sign using debug key | ||
RUN jarsigner -verbose -keystore ./build/android/debug.keystore -storepass android -keypass android android-debug.apk androiddebugkey |
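Review bot: The build inputs at the top of this file are not pinned: the base is a community image referenced by a mutable tag, and `gem install fastlane -NV` installs whatever version is current at build time, so two builds of the same commit can end up with different toolchains for an app that stores keys and signs transactions. Pinning the base by digest (`FROM agileek/ionic-framework:3.19.1@sha256:<DIGEST>`, placeholder) and fastlane by version (`gem install fastlane -v <VERSION> -NV`, placeholder) would make the APK traceable to known inputs. `RUN apt-get update -y` also sits in its own layer, so a cached copy of it can be paired with newer `apt-get install` lines and fail or pull stale packages; merging the four apt lines into one `RUN` that ends with `rm -rf /var/lib/apt/lists/*` avoids that.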
Binary file not shown.