Implement Key API

[richardschneider]

Integrate the keychain into js-ipfs

• the keychain is constructed in pre-start so it always available
• add the ipfs key commands from this spec
• add the HTTP API routes and resources for key

Other tasks

• add spec/tests to interface-ipfs-core
• add "key" to js-ipfs-api
• allow creation/reading of CMS

[richardschneider]

@diasdavid this needs both ipfs/js-ipfs-repo#156 and libp2p/js-libp2p-keychain#6 to be released to NPM

[richardschneider]

@diasdavid I need a NPM release of libp2p-keychain. Currently the package.json is getting it from github

[daviddias]

Following up on ipfs/team-mgmt#535 (comment), the next steps to get this merge are (by order):

• Get the node-forge primitives that are being used in libp2p-keychain exposed by libp2p-crypto
  • Explore if we can code pick the functions that we want or if there is another module that doesn't require us to bring node-forge.
• Release libp2p-crypto
• Release libp2p-keychain
• Expose the .crypto and .key APIs in js-libp2p
• Update this PR

[daviddias]

@pgte would love to have your thoughts coming from PeerPad and all the crypto libs you had to import to make it work. Ideally, after this PR, you should be able to just use js-ipfs for crypto calls directly.

[richardschneider]

@diasdavid A very good approach to resolving these crypto issues!

My immediate concern is that this PR changes 16 files to support ipfs key management. These changes will become harder to merge as time goes on.

Why don't I create a NoKeychain, as I did with pubsub. This will simply throw a NYI error. That way, we get these changes into master without requiring node.forge. And it partially implements #1135

[daviddias]

Please use the commandCount and not a loose assertion like above

[richardschneider]

I strongly disagree. Commands come and go. This is a very brittle test. Why test for the number of commands? All we want to test is that the commands can be obtained.

[richardschneider]

@diasdavid any comment?

[daviddias]

It is not brittle if it is testing that the output of the commands call is returning the exact number of commands.

[richardschneider]

@diasdavid I just find it odd that when I add a command, there's this little test that I don't know about that then fails. Considering that js-ipfs tests take ~30 mins to run and some tests fail indeterminately, it gets overlooked.

So I will agree to disagree with you.

Do you want me to restore the original hard coded count?

[richardschneider]

@diasdavid node-forge required primitives can be found at libp2p/js-libp2p-keychain#7 (comment)

[richardschneider]

@diasdavid RTM. This PR provides the framework for ipfs key, both commands, routes and core.

The core uses NoKeychain that just generates a Not Yet Implemented error. This DOES NOT use node-forge.

[daviddias]

@richardschneider there is no rush in merging a PR to add an API that only throws an error saying it is not implemented. Let's get the plan -- #1133 (comment) -- done first.

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (master@cfa38ca). Click here to learn what that means.
The diff coverage is 80.57%.

@@           Coverage Diff            @@
##             master   #1133   +/-   ##
========================================
  Coverage          ?   83.5%           
========================================
  Files             ?     132           
  Lines             ?    2885           
  Branches          ?       0           
========================================
  Hits              ?    2409           
  Misses            ?     476           
  Partials          ?       0

Impacted Files	Coverage Δ
src/cli/commands/init.js	76.92% <ø> (ø)
src/http/index.js	82.71% <ø> (ø)
src/http/api/routes/index.js	100% <100%> (ø)
src/cli/utils.js	93.22% <100%> (ø)
src/http/api/routes/key.js	100% <100%> (ø)
src/core/components/index.js	100% <100%> (ø)
src/core/components/init.js	88.52% <100%> (ø)
src/http/api/resources/index.js	100% <100%> (ø)
src/cli/commands/key.js	100% <100%> (ø)
src/core/boot.js	94.33% <100%> (ø)
... and 11 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update cfa38ca...bab526e. Read the comment docs.

[richardschneider]

@diasdavid I guess a rebase is required. Can you explain the commands I need. Last time I tried, the PR got munted.

[richardschneider]

@diasdavid ready for review. Can you tell me magic to do a rebase?

[daviddias]

s/Security/Crypto and Key Management

[daviddias]

Add also the crypto API while you are at it

[richardschneider]

crypto is NYI, there's not even a spec yet.

[daviddias]

There is the same spec that there is for key https://github.com/ipfs/specs/tree/master/keystore#interface

[richardschneider]

The crypt command is not implemented in go. Also, I have issues with the proposed spec; which I would like to raise in another place.

[richardschneider]

See libp2p/js-libp2p-keychain#19

[richardschneider]

@diasdavid As promised, my xmas gift to IPFS and with 5 hours to spare.

Key management is now ready for review and hopefully a merge. This is dependent upon the following open PRs

• feat: generate unique options for a key chain libp2p/js-libp2p-keychain#20
• Tests for key exchange ipfs-inactive/interface-js-ipfs-core#187
• feat: support key/export and key/import ipfs-inactive/js-ipfs-http-client#653

[daviddias]

Close to an LGTM. Made some comments.

[daviddias]

This empty line can be removed

[richardschneider]

done

[daviddias]

Docs, nice!

[daviddias]

👍

[daviddias]

Why remove the webworker test?

[richardschneider]

@diasdavid It came in when I did a rebase. Should I restore to original?

[daviddias]

Fixing this.

[daviddias]

Is this still needed ??

[richardschneider]

Yes, we need it. If the IPFS is started without --pass, then no-keychain is used.

[daviddias]

Isn't pass just the key to encrypt it locally? The user should be able to run all of these methods even if locally the key is stored in plain text.

[richardschneider]

No key is stored in plain text. All keys are encrypted at rest with an encryption key that is derived from the the pass phrase --pass. See https://github.com/libp2p/js-libp2p-keychain#private-key-storage for more details.

[fiatjaf]

Why can't the private keys be stored as plaintext and within reach from the local user without this password-PBKDF2-whatever stuff? go-ipfs does that.

[daviddias]

It is not brittle if it is testing that the output of the commands call is returning the exact number of commands.

[richardschneider]

@diasdavid @victorbjelkholm need help! Circle CI is failing

sudo dpkg -i libnss3*.deb
(Reading database ... 447846 files and directories currently installed.)
Preparing to unpack libnss3-1d_3.28.4-0ubuntu0.14.04.3_amd64.deb ...
Unpacking libnss3-1d:amd64 (2:3.28.4-0ubuntu0.14.04.3) over (2:3.28.4-0ubuntu0.14.04.3) ...
dpkg: error processing archive libnss3-1d_3.28.4-0ubuntu0.14.04.3_i386.deb (--install):
 package architecture (i386) does not match system (amd64)

[richardschneider]

@diasdavid @dryajov I've spent the day rebasing this PR and changing the test code to use the new ipfsd-ctl code.

Two tests suites are still failing, which seem to indicated that -pass ... argument is not being passed to the deamon. I'll start investigating in more detail.

It's a bit hard because of ipfs/js-ipfsd-ctl#185 and I only have a windows machine to test with. You really have to get the go boys to release for win32 so that appveyor works. Why isn't Jenkins be used for this project?

@diasdavid When will this get merged? It was ready in late December!

[richardschneider]

@diasdavid I need a new NPM release of js-libp2p-keychain with updated deps on js-libp2p-crypto.

Hopefully a new release will fix the following failed tests

  9) interface-ipfs-core tests .key exchange exports:
     Uncaught AssertionError: expected [Error: this only supports TripleDES] to not exist
      at Timeout.ipfs.key.export [as _onTimeout] (node_modules/interface-ipfs-core/src/key.js:156:30)
  10) interface-ipfs-core tests .key exchange imports:
     Uncaught AssertionError: expected [Error: PEM encoded key is required] to not exist
      at Timeout.ipfs.key.import [as _onTimeout] (node_modules/interface-ipfs-core/src/key.js:169:30)
  11) interface-ipfs-core tests .key exchange removes:
     Uncaught AssertionError: expected [Error: Key 'clone' does not exist. ENOENT: no such file or directory, open '/tmp/ipfs-test-554d23dceba5050855569143a605eeb0/keys/info/clone.data'] to not exist
      at Timeout.ipfs.key.rm [as _onTimeout] (node_modules/interface-ipfs-core/src/key.js:183:30)```

[richardschneider]

Thanks @diasdavid, the NPM release did fix those 3 tests.

[richardschneider]

@diasdavid I'm stuck with the HTTP API ## interface-ipfs-core over ipfs-api .key test suite.

Both the cli and core test suites are passing. And the the core test suite uses the same test cases as HTTP API!

I think its some circular reference issue between ipfsd-ctl, ipfs-api and ipfs; but I cannot prove it. Because of ipfs/js-ipfsd-ctl#193, I cannot even look at debug logs.

What do you think about merging/releasing this PR, then rebuilding the others and trying again?

Any ideas are greatly appreciated!!!!!!!!!!!

[richardschneider]

@dryajov see above comment.

Here's a typical failure

 HTTP API ## interface-ipfs-core over ipfs-api .key .gen
Debug: internal, implementation, error 
    AssertionError: expected [Error: Key management requires '--pass ...' option] to not exist
    at ipfs.key.gen (/home/ubuntu/js-ipfs/node_modules/interface-ipfs-core/src/key.js:48:32)
    at send (/home/ubuntu/js-ipfs/node_modules/ipfs-api/src/utils/send-request.js:206:16)
    at f (/home/ubuntu/js-ipfs/node_modules/once/once.js:25:25)

And the code that runs the tests

const DaemonFactory = require('ipfsd-ctl')
const df = DaemonFactory.create({ exec: 'src/cli/bin.js' })
const options = {
  args: ['--pass ipfs-is-awesome-software']
}

const nodes = []
const common = {
  setup: function (callback) {
    callback(null, {
      spawnNode: (cb) => {
        df.spawn(options, (err, _ipfsd) => {
          if (err) {
            return cb(err)
          }

          nodes.push(_ipfsd)
          cb(null, _ipfsd.api)
        })
      }
    })
  },
  teardown: function (callback) {
    parallel(nodes.map((node) => (cb) => node.stop(cb)), callback)
  }
}

test.key(common)

[dryajov]

@richardschneider ack - I'll take a look.

(just linking the related issue here ipfs/js-ipfsd-ctl#194)

[richardschneider]

@diasdavid Circle and Travis green lights! Let's merge before another breaking change.

Big thanks to @dryajov for getting the HTTP API tests to work.

[daviddias]

👏🏽👏🏽👏🏽 awesome work! Thank you :)

Will just wait for that second Travis run to the finish, it was failing before

[richardschneider]

@diasdavid and it just passed as I was reading your comment!