Signing 3 - Key loading/handling in Conductor #1010
…s not match the actual address of the key loaded from file
@lucksus - so long as I misread this question at first, and thought we needed a clone for SecBuf... here's that code in case it's useful someday, lol. Keys are generally very small so cloning is cheap: https://github.com/holochain/holochain-rust/compare/clone-secbuf
conductor_api/src/conductor/base.rs (outdated revision):

```rust
let passphrase = rpassword::read_password_from_tty(Some("Passphrase: "))?;

let bundle: KeyBundle = serde_json::from_str(&contents)?;
let mut passphrase = SecBuf::with_insecure_from_string(passphrase);
```
Passphrases should use secure memory.
Ideally, we'd use a low-level keyboard binding to prevent a class of malware keyloggers and input the data directly into a secure buffer.
For the short-term, we should be sure to zero the memory in "passphrase" returned by the rpassword utility.
I had tried that already in `hc keygen`, but `SodiumBuf` doesn't allow arbitrary sizes for secure buffers. Only multiples of 8. Also, since the passphrase is coming in as a `String`, it wouldn't make it much safer, right?

But yeah, so you are saying we should roll our own `read_password_from_tty` eventually?
: ) right, that totally makes sense. I'll create an issue to do the alignment in the background and deal with appropriately sized slice references in the SecBuf so we don't have to worry about the sizing during implementation.
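The zeroing the thread above asks for, as an added example that is not part of this PR or of holochain-rust: a minimal std-only stand-in for a secure buffer that takes ownership of the `String` a prompt returns (rpassword's `read_password_from_tty` in the PR; here a plain stdin read with echo, which is only a placeholder), copies it into a buffer whose capacity is padded to a multiple of 8 (the SodiumBuf constraint mentioned above), scrubs the `String`'s own heap bytes with volatile writes before the allocation is freed, and zeroes itself on drop. The names `SecBuf`, `zeroize` and `padded_len` are assumed for illustration and are not the project's API.

```rust
use std::io::{self, BufRead};
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// Round `n` up to the next multiple of `align` (mirrors the "multiples of 8"
/// size constraint the thread mentions for SodiumBuf). Illustrative helper.
pub fn padded_len(n: usize, align: usize) -> usize {
    (n + align - 1) / align * align
}

/// Overwrite `buf` with zeros using volatile stores so the optimizer cannot
/// discard the writes as dead stores just because the memory is freed next.
pub fn zeroize(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, aligned, exclusively borrowed u8.
        unsafe { ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Illustrative secure buffer (not holochain's SecBuf): capacity padded to a
/// multiple of 8, contents scrubbed on drop. No mlock/guard pages here.
pub struct SecBuf {
    data: Vec<u8>,
    len: usize, // meaningful bytes, <= data.len()
}

impl SecBuf {
    /// Take ownership of the prompt's String, copy it into the padded buffer,
    /// and scrub the String's own heap allocation before it is dropped.
    pub fn from_string(mut s: String) -> SecBuf {
        let len = s.len();
        let mut data = vec![0u8; padded_len(len, 8).max(8)];
        data[..len].copy_from_slice(s.as_bytes());
        // SAFETY: writing NUL bytes keeps the Vec valid UTF-8, and the String
        // is dropped immediately afterwards in any case.
        unsafe { zeroize(s.as_mut_vec().as_mut_slice()) };
        drop(s);
        SecBuf { data, len }
    }

    /// Read-only view of the meaningful bytes.
    pub fn read_lock(&self) -> &[u8] {
        &self.data[..self.len]
    }

    /// Padded capacity, always a multiple of 8.
    pub fn capacity(&self) -> usize {
        self.data.len()
    }
}

impl Drop for SecBuf {
    fn drop(&mut self) {
        zeroize(&mut self.data);
    }
}

fn main() -> io::Result<()> {
    // Placeholder for rpassword::read_password_from_tty: reads one line from
    // stdin *with* echo, which is fine for a demo but not for a real prompt.
    let mut line = String::new();
    io::stdin().lock().read_line(&mut line)?;
    line.truncate(line.trim_end_matches(&['\r', '\n'][..]).len());
    let passphrase = SecBuf::from_string(line);
    println!(
        "passphrase: {} bytes, buffer capacity {}",
        passphrase.read_lock().len(),
        passphrase.capacity()
    );
    Ok(())
}
```

Two caveats a reviewer would want stated: a `String` that grew while being read may already have left earlier copies in freed heap blocks that this scrub never touches, which is why reading straight into a fixed secure buffer (as the comment above suggests) is the stronger design; and unlike libsodium's `sodium_malloc`, this buffer is not locked against swapping, so it only addresses the "zero on drop" half of the request.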
Some security comments. Looking awesome, I'm excited to see this coming together!
@neonphog, I've implemented your change requests, except for using a secure
one tiny change in an error message
```rust
let agent_config = self
    .config
    .agent_by_id(agent_id)
    .ok_or(format!("Agent '{}' not found", agent_id))?;
```
Suggested change:

```diff
-    .ok_or(format!("Agent '{}' not found", agent_id))?;
+    .ok_or(format!("Agent '{}' not found in config", agent_id))?;
```
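Review bot: the `.ok_or(format!(...))` on the suggested line (and on the original it replaces) builds the error String eagerly on every call to `agent_by_id`, even when the agent is found; prefer `.ok_or_else(|| format!("Agent '{}' not found in config", agent_id))?` so the allocation only happens on the failure path.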
on top of #968
Context
All the pre-work enabling the Conductor to create real signatures from real keys read out of real files.
Steps
`KeyLoader` that is implemented with a default that reads files from the filesystem and prompts for a passphrase