// This tool allows for simple encrypting and decrypting of EIP-2335 compliant, BLS12-381
// keystore.json files which are password protected. This is helpful in development to inspect
// the contents of keystores created by Ethereum validator wallets or to easily produce keystores from a
// specified secret to move them around in a standard format between Ethereum consensus clients.
package main
import (
	"bytes"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"log"
	"os"
	"path/filepath"
	"strings"

	"github.com/google/uuid"
	"github.com/logrusorgru/aurora"
	"github.com/pkg/errors"
	"github.com/prysmaticlabs/prysm/v5/crypto/bls"
	"github.com/prysmaticlabs/prysm/v5/io/file"
	"github.com/prysmaticlabs/prysm/v5/io/prompt"
	"github.com/prysmaticlabs/prysm/v5/validator/keymanager"
	"github.com/urfave/cli/v2"
	keystorev4 "github.com/wealdtech/go-eth2-wallet-encryptor-keystorev4"
)
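// Command-line flags shared by the encrypt and decrypt sub-commands.
//
// NOTE(review): --password is taken from the command line; values passed this
// way can land in shell history and process listings. When the flag is omitted
// both sub-commands prompt for the password interactively instead.
var (
	keystoresFlag = &cli.StringFlag{
		Name:     "keystores",
		Value:    "",
		Usage:    "Path to a file or directory containing keystore files",
		Required: true,
	}
	passwordFlag = &cli.StringFlag{
		Name:  "password",
		Value: "",
		Usage: "Password for the keystore(s)",
	}
	privateKeyFlag = &cli.StringFlag{
		Name:     "private-key",
		Value:    "",
		Usage:    "Hex string for the BLS12-381 private key you wish to encrypt into a keystore file",
		Required: true,
	}
	outputPathFlag = &cli.StringFlag{
		Name:     "output-path",
		Value:    "",
		Usage:    "Output path to write the newly encrypted keystore file",
		Required: true,
	}
	// au colorizes terminal output; colors are unconditionally enabled.
	au = aurora.NewAurora(true /* enable colors */)
)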
// main registers the "decrypt" and "encrypt" sub-commands on a cli.App, runs
// it against os.Args and terminates the process via log.Fatal on any error.
func main() {
	decryptCmd := &cli.Command{
		Name:   "decrypt",
		Usage:  "decrypt a specified keystore file or directory containing keystore files",
		Flags:  []cli.Flag{keystoresFlag, passwordFlag},
		Action: decrypt,
	}
	encryptCmd := &cli.Command{
		Name:   "encrypt",
		Usage:  "encrypt a specified hex value of a BLS12-381 private key into a keystore file",
		Flags:  []cli.Flag{passwordFlag, privateKeyFlag, outputPathFlag},
		Action: encrypt,
	}
	app := &cli.App{
		Name:        "Keystore utility",
		Description: "Utility to encrypt and decrypt EIP-2335 compliant keystore.json files for BLS12-381 private keys",
		Usage:       "",
		Commands:    []*cli.Command{decryptCmd, encryptCmd},
	}
	if err := app.Run(os.Args); err != nil {
		log.Fatal(err)
	}
}
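// decrypt implements the "decrypt" sub-command. It resolves --keystores to a
// file or a directory, takes the password from --password or from an
// interactive prompt when that flag is absent, and prints the decrypted
// private key and public key of every keystore found.
//
// For a directory only the top-level, non-directory entries are tried; a
// failure on one entry is reported on stdout and the remaining entries are
// still processed, so the directory case returns nil once listing succeeded.
// For a single file the decryption error is returned to the caller.
//
// Returns an error when the path cannot be expanded or inspected, the
// directory cannot be listed, the password prompt fails, or (single-file
// case) the keystore cannot be read or decrypted.
func decrypt(cliCtx *cli.Context) error {
	keystorePath := cliCtx.String(keystoresFlag.Name)
	if keystorePath == "" {
		// The flag is named --keystores; the message must name it so the user
		// knows which option is missing.
		return errors.New("--keystores must be set")
	}
	fullPath, err := file.ExpandPath(keystorePath)
	if err != nil {
		return errors.Wrapf(err, "could not expand path: %s", keystorePath)
	}
	password := cliCtx.String(passwordFlag.Name)
	if !cliCtx.IsSet(passwordFlag.Name) {
		// No --password given: ask for it interactively rather than requiring
		// the secret on the command line.
		password, err = prompt.PasswordPrompt("Input the keystore(s) password", func(s string) error {
			// Any password is valid.
			return nil
		})
		if err != nil {
			return err
		}
	}
	isDir, err := file.HasDir(fullPath)
	if err != nil {
		return errors.Wrapf(err, "could not check if path exists: %s", fullPath)
	}
	if !isDir {
		return readAndDecryptKeystore(fullPath, password)
	}
	entries, err := os.ReadDir(fullPath)
	if err != nil {
		return errors.Wrapf(err, "could not read directory: %s", fullPath)
	}
	for _, entry := range entries {
		if entry.IsDir() {
			// Nested directories are skipped, not walked.
			continue
		}
		// Distinct name from the outer keystorePath to avoid shadowing it.
		entryPath := filepath.Join(fullPath, entry.Name())
		// Best effort per file: report and keep going so one unreadable or
		// non-keystore file does not hide the others.
		if err := readAndDecryptKeystore(entryPath, password); err != nil {
			fmt.Printf("could not read nor decrypt keystore at path %s: %v\n", entryPath, err)
		}
	}
	return nil
}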
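// encrypt implements the "encrypt" sub-command: it encrypts the BLS12-381
// private key given as a hex string via --private-key (an optional 0x/0X
// prefix is accepted) into an EIP-2335 keystore.json written to --output-path.
// The password comes from --password or, when that flag is absent, from an
// interactive prompt. If a regular file already exists at the output path the
// user is asked to confirm overwriting it; answering n in either case leaves
// the file untouched and returns nil. If the value passed in is not a valid
// BLS12-381 private key, the function returns an error.
//
// Hex-decoding failures deliberately do not echo the offending input into the
// error, because that input is (or is meant to be) a private key.
func encrypt(cliCtx *cli.Context) error {
	var err error
	password := cliCtx.String(passwordFlag.Name)
	if !cliCtx.IsSet(passwordFlag.Name) {
		password, err = prompt.PasswordPrompt("Input the keystore(s) password", func(s string) error {
			// Any password is valid.
			return nil
		})
		if err != nil {
			return err
		}
	}
	privateKeyString := cliCtx.String(privateKeyFlag.Name)
	if privateKeyString == "" {
		return errors.New("--private-key must not be empty")
	}
	outputPath := cliCtx.String(outputPathFlag.Name)
	if outputPath == "" {
		return errors.New("--output-path must be set")
	}
	fullPath, err := file.ExpandPath(outputPath)
	if err != nil {
		return errors.Wrapf(err, "could not expand path: %s", outputPath)
	}
	exists, err := file.Exists(fullPath, file.Regular)
	if err != nil {
		return errors.Wrapf(err, "could not check if file exists: %s", fullPath)
	}
	if exists {
		overwrite, err := confirmOverwrite(fullPath)
		if err != nil {
			return err
		}
		if !overwrite {
			return nil
		}
	}
	bytesValue, err := parsePrivateKeyHex(privateKeyString)
	if err != nil {
		return err
	}
	privKey, err := bls.SecretKeyFromBytes(bytesValue)
	if err != nil {
		return errors.Wrap(err, "not a valid BLS12-381 private key")
	}
	pubKeyBytes := privKey.PublicKey().Marshal()
	encryptor := keystorev4.New()
	id, err := uuid.NewRandom()
	if err != nil {
		return errors.Wrap(err, "could not generate new random uuid")
	}
	cryptoFields, err := encryptor.Encrypt(bytesValue, password)
	if err != nil {
		return errors.Wrap(err, "could not encrypt into new keystore")
	}
	item := &keymanager.Keystore{
		Crypto:  cryptoFields,
		ID:      id.String(),
		Version: encryptor.Version(),
		// Stored as bare hex (no 0x prefix), which is also what
		// readAndDecryptKeystore expects when it decodes this field.
		Pubkey:      fmt.Sprintf("%x", pubKeyBytes),
		Description: encryptor.Name(),
	}
	encodedFile, err := json.MarshalIndent(item, "", "\t")
	if err != nil {
		return errors.Wrap(err, "could not json marshal keystore")
	}
	// NOTE(review): file permissions are whatever file.WriteFile applies; confirm
	// they are owner-only for a file that holds encrypted key material.
	if err := file.WriteFile(fullPath, encodedFile); err != nil {
		return errors.Wrapf(err, "could not write file at path: %s", fullPath)
	}
	fmt.Printf(
		"\nWrote encrypted keystore file at path %s\n",
		au.BrightMagenta(fullPath),
	)
	fmt.Printf("Pubkey: %s\n", au.BrightGreen(
		fmt.Sprintf("%#x", pubKeyBytes),
	))
	return nil
}

// confirmOverwrite asks on stdin whether the existing file at fullPath may be
// replaced; it returns true for y and false for n, accepting either case.
func confirmOverwrite(fullPath string) (bool, error) {
	response, err := prompt.ValidatePrompt(
		os.Stdin,
		fmt.Sprintf("file at path %s already exists, are you sure you want to overwrite it? [y/n]", fullPath),
		func(s string) error {
			input := strings.ToLower(s)
			if input != "y" && input != "n" {
				return errors.New("please confirm the above text")
			}
			return nil
		},
	)
	if err != nil {
		return false, errors.Wrap(err, "could not validate userprompt confirmation")
	}
	// The validator lowercases its input, so "N" passes validation; the refusal
	// check must be case-insensitive too, or an upper-case "N" would overwrite.
	return !strings.EqualFold(response, "n"), nil
}

// parsePrivateKeyHex decodes a hex-encoded private key, stripping a leading
// 0x/0X prefix when the string is longer than the prefix alone. The decode
// error is returned without the input so the secret is never echoed.
func parsePrivateKeyHex(s string) ([]byte, error) {
	trimmed := s
	if len(trimmed) > 2 && (strings.HasPrefix(trimmed, "0x") || strings.HasPrefix(trimmed, "0X")) {
		trimmed = trimmed[2:]
	}
	b, err := hex.DecodeString(trimmed)
	if err != nil {
		return nil, errors.Wrap(err, "could not decode private key as hex string")
	}
	return b, nil
}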
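// readAndDecryptKeystore reads the EIP-2335 keystore at fullPath, decrypts its
// crypto section with password, and prints the private key and public key to
// stdout.
//
// The public key is always derived from the decrypted private key. When the
// keystore also carries a pubkey field, the two are compared and a mismatch is
// returned as an error, so a keystore whose metadata disagrees with its secret
// is not silently presented as consistent. A keystorev4 decryption failure
// containing "invalid checksum" is reported as an incorrect password.
func readAndDecryptKeystore(fullPath, password string) error {
	f, err := os.ReadFile(fullPath) // #nosec G304
	if err != nil {
		return errors.Wrapf(err, "could not read file at path: %s", fullPath)
	}
	decryptor := keystorev4.New()
	keystoreFile := &keymanager.Keystore{}
	if err := json.Unmarshal(f, keystoreFile); err != nil {
		return errors.Wrap(err, "could not JSON unmarshal keystore file")
	}
	// We extract the validator signing private key from the keystore
	// by utilizing the password.
	privKeyBytes, err := decryptor.Decrypt(keystoreFile.Crypto, password)
	if err != nil {
		// A wrong password surfaces from keystorev4 as a checksum failure;
		// matching on the message text is the only handle the library gives us.
		if strings.Contains(err.Error(), "invalid checksum") {
			return errors.Errorf("incorrect password for keystore at path: %s", fullPath)
		}
		return err
	}
	privKey, err := bls.SecretKeyFromBytes(privKeyBytes)
	if err != nil {
		return errors.Wrap(err, "could not initialize private key from bytes")
	}
	pubKeyBytes := privKey.PublicKey().Marshal()
	if keystoreFile.Pubkey != "" {
		// The field is expected as bare hex, which is how encrypt writes it.
		claimed, err := hex.DecodeString(keystoreFile.Pubkey)
		if err != nil {
			return errors.Wrap(err, "could not decode pubkey from keystore")
		}
		if !bytes.Equal(claimed, pubKeyBytes) {
			return errors.Errorf(
				"pubkey field %#x in keystore at path %s does not match the key derived from its private key %#x",
				claimed, fullPath, pubKeyBytes,
			)
		}
	}
	fmt.Printf("\nDecrypted keystore %s\n", au.BrightMagenta(fullPath))
	fmt.Printf("Privkey: %#x\n", au.BrightGreen(privKeyBytes))
	fmt.Printf("Pubkey: %#x\n", au.BrightGreen(pubKeyBytes))
	return nil
}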