/
guardiankey.go
153 lines (126 loc) · 3.81 KB
/
guardiankey.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
package guardiand
import (
"crypto/ecdsa"
"crypto/rand"
"errors"
"fmt"
"io/ioutil"
"log"
"os"
"github.com/alephium/wormhole-fork/node/pkg/common"
ethcrypto "github.com/ethereum/go-ethereum/crypto"
"github.com/spf13/cobra"
"golang.org/x/crypto/openpgp/armor" //nolint
"google.golang.org/protobuf/proto"
"github.com/alephium/wormhole-fork/node/pkg/devnet"
nodev1 "github.com/alephium/wormhole-fork/node/pkg/proto/node/v1"
)
var keyDescription *string
const (
GuardianKeyArmoredBlock = "WORMHOLE GUARDIAN PRIVATE KEY"
)
func init() {
keyDescription = KeygenCmd.Flags().String("desc", "", "Human-readable key description (optional)")
}
var KeygenCmd = &cobra.Command{
Use: "keygen [KEYFILE]",
Short: "Create guardian key at the specified path",
Run: runKeygen,
Args: cobra.ExactArgs(1),
}
func runKeygen(cmd *cobra.Command, args []string) {
common.LockMemory()
common.SetRestrictiveUmask()
log.Print("Creating new key at ", args[0])
gk, err := ecdsa.GenerateKey(ethcrypto.S256(), rand.Reader)
if err != nil {
log.Fatalf("failed to generate key: %v", err)
}
err = writeGuardianKey(gk, *keyDescription, args[0], false)
if err != nil {
log.Fatalf("failed to write key: %v", err)
}
}
// loadGuardianKey loads a serialized guardian key from disk.
func loadGuardianKey(filename string) (*ecdsa.PrivateKey, error) {
f, err := os.Open(filename)
if err != nil {
return nil, fmt.Errorf("failed to open file: %w", err)
}
p, err := armor.Decode(f)
if err != nil {
return nil, fmt.Errorf("failed to read armored file: %w", err)
}
if p.Type != GuardianKeyArmoredBlock {
return nil, fmt.Errorf("invalid block type: %s", p.Type)
}
b, err := ioutil.ReadAll(p.Body)
if err != nil {
return nil, fmt.Errorf("failed to read file: %w", err)
}
var m nodev1.GuardianKey
err = proto.Unmarshal(b, &m)
if err != nil {
return nil, fmt.Errorf("failed to deserialize protobuf: %w", err)
}
if *network != "devnet" && m.UnsafeDeterministicKey {
return nil, errors.New("refusing to use deterministic key in production")
}
gk, err := ethcrypto.ToECDSA(m.Data)
if err != nil {
return nil, fmt.Errorf("failed to deserialize raw key data: %w", err)
}
return gk, nil
}
// writeGuardianKey serializes a guardian key and writes it to disk.
func writeGuardianKey(key *ecdsa.PrivateKey, description string, filename string, unsafe bool) error {
if _, err := os.Stat(filename); err == nil { // file exists
if unsafe {
return nil // skip to write because the key is deterministic in devnet
}
return errors.New("refusing to override existing key")
}
m := &nodev1.GuardianKey{
Data: ethcrypto.FromECDSA(key),
UnsafeDeterministicKey: unsafe,
}
// The private key is a really long-lived piece of data, and we really want to use the stable binary
// protobuf encoding with field tags to make sure that we can safely evolve it in the future.
b, err := proto.Marshal(m)
if err != nil {
panic(err)
}
f, err := os.OpenFile(filename, os.O_RDWR|os.O_CREATE, 0600)
if err != nil {
return fmt.Errorf("failed to open file: %w", err)
}
headers := map[string]string{
"PublicKey": ethcrypto.PubkeyToAddress(key.PublicKey).String(),
}
if description != "" {
headers["Description"] = description
}
a, err := armor.Encode(f, GuardianKeyArmoredBlock, headers)
if err != nil {
panic(err)
}
_, err = a.Write(b)
if err != nil {
return fmt.Errorf("failed to write to file: %w", err)
}
err = a.Close()
if err != nil {
return err
}
return f.Close()
}
// generateDevnetGuardianKey returns a deterministic testnet key.
func generateDevnetGuardianKey() (*ecdsa.PrivateKey, error) {
// Figure out our devnet index
idx, err := devnet.GetDevnetIndex()
if err != nil {
return nil, err
}
// Generate guardian key
return devnet.InsecureDeterministicEcdsaKeyByIndex(ethcrypto.S256(), uint64(idx)), nil
}