mirror of
https://gitlab.com/pulsechaincom/prysm-pulse.git
synced 2025-01-03 08:37:37 +00:00
ef21d3adf8
* `EpochFromString`: Use already defined `Uint64FromString` function.
* `Test_uint64FromString` => `Test_FromString`
  This test function tests more functions than `Uint64FromString`.
* Slashing protection history: Remove unreachable code.
  The function `NewKVStore` creates, via `kv.UpdatePublicKeysBuckets`, a new item in the `proposal-history-bucket-interchange`.
  IMO there is no real reason to prefer `proposal` than `attestation` as a prefix for this bucket, but this is the way it is done right now and renaming the bucket will probably be backward incompatible.
  An `attestedPublicKey` cannot exist without the corresponding `proposedPublicKey`.
  Thus, the `else` portion of code removed in this commit is not reachable. We raise an error if we get there.
  This is also probably the reason why the removed `else` portion was not tested.
* `NewKVStore`: Switch items in `createBuckets`.
  So the order corresponds to `schema.go`
* `slashableAttestationCheck`: Fix comments and logs.
* `ValidatorClient.db`: Use `iface.ValidatorDB`.
* BoltDB database: Implement `GraffitiFileHash`.
* Filesystem database: Creates `db.go`.
  This file defines the following structs:
  - `Store`
  - `Graffiti`
  - `Configuration`
  - `ValidatorSlashingProtection`
  This file implements the following public functions:
  - `NewStore`
  - `Close`
  - `Backup`
  - `DatabasePath`
  - `ClearDB`
  - `UpdatePublicKeysBuckets`
  This file implements the following private functions:
  - `slashingProtectionDirPath`
  - `configurationFilePath`
  - `configuration`
  - `saveConfiguration`
  - `validatorSlashingProtection`
  - `saveValidatorSlashingProtection`
  - `publicKeys`
* Filesystem database: Creates `genesis.go`.
  This file defines the following public functions:
  - `GenesisValidatorsRoot`
  - `SaveGenesisValidatorsRoot`
* Filesystem database: Creates `graffiti.go`.
  This file defines the following public functions:
  - `SaveGraffitiOrderedIndex`
  - `GraffitiOrderedIndex`
* Filesystem database: Creates `migration.go`.
  This file defines the following public functions:
  - `RunUpMigrations`
  - `RunDownMigrations`
* Filesystem database: Creates proposer_settings.go.
  This file defines the following public functions:
  - `ProposerSettings`
  - `ProposerSettingsExists`
  - `SaveProposerSettings`
* Filesystem database: Creates `attester_protection.go`.
  This file defines the following public functions:
  - `EIPImportBlacklistedPublicKeys`
  - `SaveEIPImportBlacklistedPublicKeys`
  - `SigningRootAtTargetEpoch`
  - `LowestSignedTargetEpoch`
  - `LowestSignedSourceEpoch`
  - `AttestedPublicKeys`
  - `CheckSlashableAttestation`
  - `SaveAttestationForPubKey`
  - `SaveAttestationsForPubKey`
  - `AttestationHistoryForPubKey`
* Filesystem database: Creates `proposer_protection.go`.
  This file defines the following public functions:
  - `HighestSignedProposal`
  - `LowestSignedProposal`
  - `ProposalHistoryForPubKey`
  - `ProposalHistoryForSlot`
  - `ProposedPublicKeys`
* Ensure that the filesystem store implements the `ValidatorDB` interface.
* `slashableAttestationCheck`: Check the database type.
* `slashableProposalCheck`: Check the database type.
* `slashableAttestationCheck`: Allow usage of minimal slashing protection.
* `slashableProposalCheck`: Allow usage of minimal slashing protection.
* `ImportStandardProtectionJSON`: Check the database type.
* `ImportStandardProtectionJSON`: Allow usage of min slashing protection.
* Implement `RecursiveDirFind`.
* Implement minimal<->complete DB conversion.
  3 public functions are implemented:
  - `IsCompleteDatabaseExisting`
  - `IsMinimalDatabaseExisting`
  - `ConvertDatabase`
* `setupDB`: Add `isSlashingProtectionMinimal` argument.
  The feature addition is located in `validator/node/node_test.go`.
  The rest of this commit consists in minimal slashing protection testing.
* `setupWithKey`: Add `isSlashingProtectionMinimal` argument.
  The feature addition is located in `validator/client/propose_test.go`.
  The rest of this commit consists in tests wrapping.
* `setup`: Add `isSlashingProtectionMinimal` argument.
  The added feature is located in the `validator/client/propose_test.go` file.
  The rest of this commit consists in tests wrapping.
* `initializeFromCLI` and `initializeForWeb`: Factorize db init.
* Add `convert-complete-to-minimal` command.
* Creates `--enable-minimal-slashing-protection` flag.
* `importSlashingProtectionJSON`: Check database type.
* `exportSlashingProtectionJSON`: Check database type.
* `TestClearDB`: Test with minimal slashing protection.
* KeyManager: Test with minimal slashing protection.
* RPC: KeyManager: Test with minimal slashing protection.
* `convert-complete-to-minimal`: Change option names.
  Options were:
  - `--source` (for source data directory), and
  - `--target` (for target data directory)
  However, since this command deals with slashing protection, which has source (epochs) and target (epochs), the initial option names may confuse the user.
  In this commit:
  `--source` ==> `--source-data-dir`
  `--target` ==> `--target-data-dir`
* Set `SlashableAttestationCheck` as an iface method.
  And delete `CheckSlashableAttestation` from iface.
* Move helpers functions in a more general directory.
  No functional change.
* Extract common structs out of `kv`.
  ==> `filesystem` does not depend anymore on `kv`.
  ==> `iface` does not depend anymore on `kv`.
  ==> `slashing-protection` does not depend anymore on `kv`.
* Move `ValidateMetadata` in `validator/helpers`.
* `ValidateMetadata`: Test with mock.
  This way, we can:
  - Avoid any circular import for tests.
  - Implement once for all `iface.ValidatorDB` implementations the `ValidateMetadata` function.
  - Have tests (and coverage) of `ValidateMetadata` in its own package.
  The ideal solution would have been to implement `ValidateMetadata` as a method with the `iface.ValidatorDB` receiver. Unfortunately, golang does not allow that.
* `iface.ValidatorDB`: Implement ImportStandardProtectionJSON.
  The whole purpose of this commit is to avoid the `switch validatorDB.(type)` in `ImportStandardProtectionJSON`.
* `iface.ValidatorDB`: Implement `SlashableProposalCheck`.
* Remove now useless `slashableProposalCheck`.
* Delete useless `ImportStandardProtectionJSON`.
* `file.Exists`: Detect directories and return an error.
  Before, `Exists` was only able to detect if a file exists. Now, this function takes an extra `File` or `Directory` argument. It detects either if a file or a directory exists.
  Before, if an error was returned by `os.Stat`, the file was considered as non existing. Now, it is treated as a real error.
* Replace `os.Stat` by `file.Exists`.
* Remove `Is{Complete,Minimal}DatabaseExisting`.
* `publicKeys`: Add log if unexpected file found.
* Move `{Source,Target}DataDirFlag` in `db.go`.
* `failedAttLocalProtectionErr`: `var` ==> `const`
* `signingRoot`: `32` ==> `fieldparams.RootLength`.
* `validatorClientData` ==> `validator-client-data`.
  To be consistent with `slashing-protection`.
* Add progress bars for `import` and `convert`.
* `parseBlocksForUniquePublicKeys`: Move in `db/kv`.
* helpers: Remove unused `initializeProgressBar` function.
271 lines
8.1 KiB
Go
// This tool allows for simple encrypting and decrypting of EIP-2335 compliant, BLS12-381
// keystore.json files which are password protected. This is helpful in development to inspect
// the contents of keystores created by Ethereum validator wallets or to easily produce keystores from a
// specified secret to move them around in a standard format between Ethereum consensus clients.
package main

import (
	"encoding/hex"
	"encoding/json"
	"fmt"
	"log"
	"os"
	"path/filepath"
	"strings"

	"github.com/google/uuid"
	"github.com/logrusorgru/aurora"
	"github.com/pkg/errors"
	"github.com/prysmaticlabs/prysm/v5/crypto/bls"
	"github.com/prysmaticlabs/prysm/v5/io/file"
	"github.com/prysmaticlabs/prysm/v5/io/prompt"
	"github.com/prysmaticlabs/prysm/v5/validator/keymanager"
	"github.com/urfave/cli/v2"
	keystorev4 "github.com/wealdtech/go-eth2-wallet-encryptor-keystorev4"
)

var (
	keystoresFlag = &cli.StringFlag{
		Name:     "keystores",
		Value:    "",
		Usage:    "Path to a file or directory containing keystore files",
		Required: true,
	}
	passwordFlag = &cli.StringFlag{
		Name:  "password",
		Value: "",
		Usage: "Password for the keystore(s)",
	}
	privateKeyFlag = &cli.StringFlag{
		Name:     "private-key",
		Value:    "",
		Usage:    "Hex string for the BLS12-381 private key you wish to encrypt into a keystore file",
		Required: true,
	}
	outputPathFlag = &cli.StringFlag{
		Name:     "output-path",
		Value:    "",
		Usage:    "Output path to write the newly encrypted keystore file",
		Required: true,
	}
	au = aurora.NewAurora(true /* enable colors */)
)

func main() {
	app := &cli.App{
		Name:        "Keystore utility",
		Description: "Utility to encrypt and decrypt EIP-2335 compliant keystore.json files for BLS12-381 private keys",
		Usage:       "",
		Commands: []*cli.Command{
			{
				Name:  "decrypt",
				Usage: "decrypt a specified keystore file or directory containing keystore files",
				Flags: []cli.Flag{
					keystoresFlag,
					passwordFlag,
				},
				Action: decrypt,
			},
			{
				Name:  "encrypt",
				Usage: "encrypt a specified hex value of a BLS12-381 private key into a keystore file",
				Flags: []cli.Flag{
					passwordFlag,
					privateKeyFlag,
					outputPathFlag,
				},
				Action: encrypt,
			},
		},
	}
	err := app.Run(os.Args)
	if err != nil {
		log.Fatal(err)
	}
}

// Decrypts the keystore file, or every regular file in the directory, given by
// --keystores, prompting for the password when --password is not set.
func decrypt(cliCtx *cli.Context) error {
	keystorePath := cliCtx.String(keystoresFlag.Name)
	if keystorePath == "" {
		return errors.New("--keystores must be set")
	}
	fullPath, err := file.ExpandPath(keystorePath)
	if err != nil {
		return errors.Wrapf(err, "could not expand path: %s", keystorePath)
	}
	password := cliCtx.String(passwordFlag.Name)
	isPasswordSet := cliCtx.IsSet(passwordFlag.Name)
	if !isPasswordSet {
		password, err = prompt.PasswordPrompt("Input the keystore(s) password", func(s string) error {
			// Any password is valid.
			return nil
		})
		if err != nil {
			return err
		}
	}
	isDir, err := file.HasDir(fullPath)
	if err != nil {
		return errors.Wrapf(err, "could not check if path exists: %s", fullPath)
	}
	if isDir {
		files, err := os.ReadDir(fullPath)
		if err != nil {
			return errors.Wrapf(err, "could not read directory: %s", fullPath)
		}
		for _, f := range files {
			if f.IsDir() {
				continue
			}
			keystorePath := filepath.Join(fullPath, f.Name())
			// A failure on one file is reported and the loop moves on to the next.
			if err := readAndDecryptKeystore(keystorePath, password); err != nil {
				fmt.Printf("could not read nor decrypt keystore at path %s: %v\n", keystorePath, err)
			}
		}
		return nil
	}
	return readAndDecryptKeystore(fullPath, password)
}

// Attempts to encrypt a passed-in BLS12-381 private key into the EIP-2335
// keystore.json format. If a file at the specified output path exists, asks the user
// to confirm overwriting its contents. If the value passed in is not a valid BLS12-381
// private key, the function will fail.
func encrypt(cliCtx *cli.Context) error {
	var err error
	password := cliCtx.String(passwordFlag.Name)
	isPasswordSet := cliCtx.IsSet(passwordFlag.Name)
	if !isPasswordSet {
		password, err = prompt.PasswordPrompt("Input the keystore(s) password", func(s string) error {
			// Any password is valid.
			return nil
		})
		if err != nil {
			return err
		}
	}
	privateKeyString := cliCtx.String(privateKeyFlag.Name)
	if privateKeyString == "" {
		return errors.New("--private-key must not be empty")
	}
	outputPath := cliCtx.String(outputPathFlag.Name)
	if outputPath == "" {
		return errors.New("--output-path must be set")
	}
	fullPath, err := file.ExpandPath(outputPath)
	if err != nil {
		return errors.Wrapf(err, "could not expand path: %s", outputPath)
	}

	exists, err := file.Exists(fullPath, file.Regular)
	if err != nil {
		return errors.Wrapf(err, "could not check if file exists: %s", fullPath)
	}

	if exists {
		response, err := prompt.ValidatePrompt(
			os.Stdin,
			fmt.Sprintf("file at path %s already exists, are you sure you want to overwrite it? [y/n]", fullPath),
			func(s string) error {
				input := strings.ToLower(s)
				if input != "y" && input != "n" {
					return errors.New("please confirm the above text")
				}
				return nil
			},
		)
		if err != nil {
			return errors.Wrap(err, "could not validate user prompt confirmation")
		}
		if response == "n" {
			return nil
		}
	}
	// Strip the 0x prefix, if any. Only a leading "0x" is a prefix: a "0x"
	// found elsewhere in the string must not cause the first two characters to be dropped.
	privateKeyString = strings.TrimPrefix(privateKeyString, "0x")
	bytesValue, err := hex.DecodeString(privateKeyString)
	if err != nil {
		// The supplied key material is not echoed back in the error.
		return errors.Wrap(err, "could not decode private key as hex string")
	}
	privKey, err := bls.SecretKeyFromBytes(bytesValue)
	if err != nil {
		return errors.Wrap(err, "not a valid BLS12-381 private key")
	}
	pubKey := fmt.Sprintf("%x", privKey.PublicKey().Marshal())
	encryptor := keystorev4.New()
	id, err := uuid.NewRandom()
	if err != nil {
		return errors.Wrap(err, "could not generate new random uuid")
	}
	cryptoFields, err := encryptor.Encrypt(bytesValue, password)
	if err != nil {
		return errors.Wrap(err, "could not encrypt into new keystore")
	}
	item := &keymanager.Keystore{
		Crypto:      cryptoFields,
		ID:          id.String(),
		Version:     encryptor.Version(),
		Pubkey:      pubKey,
		Description: encryptor.Name(),
	}
	encodedFile, err := json.MarshalIndent(item, "", "\t")
	if err != nil {
		return errors.Wrap(err, "could not json marshal keystore")
	}
	if err := file.WriteFile(fullPath, encodedFile); err != nil {
		return errors.Wrapf(err, "could not write file at path: %s", fullPath)
	}
	fmt.Printf(
		"\nWrote encrypted keystore file at path %s\n",
		au.BrightMagenta(fullPath),
	)
	fmt.Printf("Pubkey: %s\n", au.BrightGreen(
		fmt.Sprintf("%#x", privKey.PublicKey().Marshal()),
	))
	return nil
}

// Reads the keystore file at the provided path and attempts
// to decrypt it with the specified password. The decrypted private key
// is printed to stdout in the clear.
func readAndDecryptKeystore(fullPath, password string) error {
	f, err := os.ReadFile(fullPath) // #nosec G304
	if err != nil {
		return errors.Wrapf(err, "could not read file at path: %s", fullPath)
	}
	decryptor := keystorev4.New()
	keystoreFile := &keymanager.Keystore{}
	if err := json.Unmarshal(f, keystoreFile); err != nil {
		return errors.Wrap(err, "could not JSON unmarshal keystore file")
	}
	// We extract the validator signing private key from the keystore
	// by utilizing the password.
	privKeyBytes, err := decryptor.Decrypt(keystoreFile.Crypto, password)
	if err != nil {
		// A wrong password is reported by the decryptor as a checksum mismatch.
		if strings.Contains(err.Error(), "invalid checksum") {
			return fmt.Errorf("incorrect password for keystore at path: %s", fullPath)
		}
		return err
	}

	var pubKeyBytes []byte
	// Attempt to use the pubkey present in the keystore itself as a field. If unavailable,
	// then utilize the public key directly from the private key.
	// Note: the pubkey field is printed as stored; it is not checked against
	// the public key derived from the decrypted private key.
	if keystoreFile.Pubkey != "" {
		pubKeyBytes, err = hex.DecodeString(keystoreFile.Pubkey)
		if err != nil {
			return errors.Wrap(err, "could not decode pubkey from keystore")
		}
	} else {
		privKey, err := bls.SecretKeyFromBytes(privKeyBytes)
		if err != nil {
			return errors.Wrap(err, "could not initialize private key from bytes")
		}
		pubKeyBytes = privKey.PublicKey().Marshal()
	}
	fmt.Printf("\nDecrypted keystore %s\n", au.BrightMagenta(fullPath))
	fmt.Printf("Privkey: %#x\n", au.BrightGreen(privKeyBytes))
	fmt.Printf("Pubkey: %#x\n", au.BrightGreen(pubKeyBytes))
	return nil
}
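
`readAndDecryptKeystore` above reports an "invalid checksum" error from the decryptor as an incorrect password. The following added example (not code from this repository) shows why, using only the Go standard library: EIP-2335 stores SHA-256(DK[16:32] || cipher message) as the checksum and keys AES-128-CTR with DK[0:16]. Assumptions: the password KDF (scrypt or PBKDF2) is left out, so the decryption key `dk` is passed in directly, and `checksum`, `ctr`, `Open`, `ErrInvalidChecksum` and all sample bytes are constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

var ErrInvalidChecksum = errors.New("invalid checksum")

// checksum is SHA-256(DK[16:32] || cipher message), per EIP-2335.
func checksum(dk, msg []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, dk[16:32]...), msg...))
	return sum[:]
}

// ctr runs AES-128-CTR keyed with DK[0:16]; the same call encrypts and decrypts.
func ctr(dk, iv, in []byte) ([]byte, error) {
	if len(dk) < 32 || len(iv) != aes.BlockSize {
		return nil, errors.New("need a decryption key of >= 32 bytes and a 16-byte IV")
	}
	block, err := aes.NewCipher(dk[:16])
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// Open verifies the checksum before decrypting, so a wrong password (hence a
// wrong DK) is rejected instead of yielding garbage key bytes.
func Open(dk, iv, msg, sum []byte) ([]byte, error) {
	if len(dk) < 32 || subtle.ConstantTimeCompare(checksum(dk, msg), sum) != 1 {
		return nil, ErrInvalidChecksum
	}
	return ctr(dk, iv, msg)
}

func main() { // constructed inputs; a real DK comes from the KDF over the password
	dk, iv := bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 16)
	msg, _ := ctr(dk, iv, bytes.Repeat([]byte{0x33}, 32))
	sum := checksum(dk, msg)
	_, err := Open(bytes.Repeat([]byte{0x44}, 32), iv, msg, sum)
	fmt.Println("wrong decryption key:", err)
}
```

Because CTR mode has no integrity protection of its own, this checksum is the only thing that distinguishes a wrong password or a modified cipher message from a valid decryption.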