password-protected keystore with sc_keystore #3320
Comments
If you load this SURI, you will find out that this is not the SURI of your private key. The actual SURI is: polkadot-sdk/substrate/primitives/core/src/crypto.rs, lines 949 to 950 in a17b49a
I still think that the doc of the
@Hugo-Trentesaux what is the implementation of your Because if you generated the keypair without the password (as I suspect) you end up with a problem. If you try to sign using the pair you manually generated, it will not correspond to the one that your keystore will try to find.

Example

```rust
// Imports added so the snippet compiles as posted.
use std::path::Path;
use sc_keystore::LocalKeystore;
use sp_core::{crypto::KeyTypeId, sr25519, Pair};
use sp_keystore::Keystore;

let suri = "drill pledge public bunker involve nose vanish buddy day puppy coast patrol";
let (keypair, _): (sr25519::Pair, _) = Pair::from_phrase(&suri, None).unwrap(); // No password specified for key gen
let password = String::from("pass");
let keystore = LocalKeystore::open(Path::new("/tmp/password"), Some(password.clone().into())).unwrap();
let keytype = KeyTypeId(*b"user");
keystore.insert(keytype, &suri, &keypair.public()).unwrap();
let res = keystore.sr25519_sign(keytype, &keypair.public(), b"message");
assert!(res.is_err()); // `keypair.public()` is not the same as the one the keystore will try to use (which is that one augmented with the pass)
```

If you intend to use a

Option 1 - Generate the key directly using the keystore methods

No need to

```rust
let public = keystore.sr25519_generate_new(keytype, None).unwrap();
let sig = keystore.sr25519_sign(keytype, &public, b"message").unwrap().unwrap();
assert!(sr25519::Pair::verify(&sig, b"message", &public));
```

Option 2 - Generate the key outside the keystore but with the password

The password you use should match the one used when you open the keystore.

```rust
let (keypair, _): (sr25519::Pair, _) = Pair::from_phrase(&suri, Some(&password)).unwrap();
```
I have totally overlooked this 🙈 Maybe the best would be we return an error in
I mean it is not the best solution at all, but we also don't have that many possibilities.
Basically we have two options:
Close: #3320 @Hugo-Trentesaux are these docs better for explaining the internals?
The problem is that if a node operator is using the
You are right, I forgot to mention that. I do not want to override the password:

```rust
Sr25519Pair::from_string(secret, None)
```

I also forgot to mention the context: I intended to use this crate not in the context of a node, but in a wallet. That's why I need the user to be able to insert exactly the mnemonic he wants, including derivation scheme. The general idea is:
My intent was to store the high entropy mnemonic in a file encrypted with a low entropy user password as you would do with
Yes, with this doc I was able to identify that this crate was not what I was looking for. (bonus) If you are curious about what I finally used, I chose

```
$ cat ~/.local/share/vault/5DfhGyQdFobKM8NsWvEeAKk5EQQgYe9AydgJ7rMB6E1EqRzV
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNjcnlwdCBscTQxMCsyWGpRU00zS1Qx
dDJKQVVRIDEzCk4ySWdubXljMkdPQlJERWpuZUpEekg4NGdtSmVHZWhpVCs3Ky8r
QWpnRTAKLS0tIHRQMFA3ZG9LRENtSncyTTkrQVFPZjJyTW9DZzFDdFVCckN3VDE0
UkJYMEUKcGlmGWxGDOkfsdqL2JuN8thkQPpMJItmkAs3JfzGt/s=
-----END AGE ENCRYPTED FILE-----
```

And this can be encrypted using ssh keys, which is convenient.
Refer to #3320 discussion
I tried to use a password-protected keystore with LocalKeystore from sc_keystore with this naive approach:

But when looking in the keystore file, I get the SURI in clear:

```
$ cat .local/share/mytool/7573657296723102a2e339276775717781cbf445953362f7cc65df7e9be5bce5ee21c570
"drill pledge public bunker involve nose vanish buddy day puppy coast patrol"%
```
If this is the intended behavior, I think it's worth documenting in https://docs.rs/sc-keystore/latest/sc_keystore/struct.LocalKeystore.html#method.open
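The two points the thread makes about LocalKeystore, that the file on disk holds the phrase in clear and that the "password" only changes which key is derived from that phrase, can be checked directly. The following is an added example, not code from the issue or from sc_keystore: it parses the file name and content quoted in the issue above (key type id followed by the public key, hex encoded; body is a JSON string) and, as an assumption that mirrors the substrate-bip39 derivation, computes the sr25519 mini-secret with PBKDF2-HMAC-SHA512 over constructed entropy bytes with and without a password. Decoding the real 12-word phrase to entropy would need the BIP39 word list, which is not embedded here, so the entropy is a labelled placeholder.

```python
"""Added example (not from the issue or from sc_keystore): what a LocalKeystore
file reveals, and why the keystore password is a key-derivation input rather
than file encryption. File name and content are copied from the issue; the
entropy bytes and the derivation routine are assumptions labelled inline."""
import hashlib
import json

# Copied from the issue: file name = key type id (4 bytes) + public key (32 bytes), hex encoded.
KEYSTORE_FILE_NAME = (
    "75736572"
    "96723102a2e339276775717781cbf445953362f7cc65df7e9be5bce5ee21c570"
)
# Copied from the issue: the file body is the SURI as a JSON string, in clear.
KEYSTORE_FILE_CONTENT = (
    '"drill pledge public bunker involve nose vanish buddy day puppy coast patrol"'
)


def parse_keystore_filename(name: str) -> tuple[str, str]:
    """Split a LocalKeystore file name into (key type id as text, public key hex)."""
    raw = bytes.fromhex(name)
    if len(raw) != 4 + 32:
        raise ValueError(f"unexpected keystore file name length: {len(raw)} bytes")
    key_type, public = raw[:4], raw[4:]
    return key_type.decode("ascii"), public.hex()


def parse_keystore_content(content: str) -> str:
    """The stored value is a JSON string holding the secret phrase verbatim."""
    phrase = json.loads(content)
    if not isinstance(phrase, str):
        raise ValueError("keystore file does not contain a JSON string")
    return phrase


def audit_keystore_file(name: str, content: str) -> dict:
    """Summarise what anyone with read access to the file learns from it."""
    key_type, public_hex = parse_keystore_filename(name)
    phrase = parse_keystore_content(content)
    return {
        "key_type": key_type,
        "public_hex": public_hex,
        "phrase_words": len(phrase.split()),
        "secret_in_clear": True,  # nothing in the file is encrypted
    }


def mini_secret_from_entropy(entropy: bytes, password: str = "") -> bytes:
    """Assumption mirroring substrate-bip39: PBKDF2-HMAC-SHA512 over the mnemonic
    entropy with salt "mnemonic" + password, 2048 rounds, 64-byte seed; the first
    32 bytes are the sr25519 mini-secret. The password changes the derived key,
    it does not encrypt the stored phrase."""
    salt = b"mnemonic" + password.encode("utf-8")
    seed = hashlib.pbkdf2_hmac("sha512", entropy, salt, 2048, dklen=64)
    return seed[:32]


def password_changes_key(entropy: bytes, password: str) -> bool:
    """True when deriving with the password yields a different mini-secret than without."""
    return mini_secret_from_entropy(entropy, "") != mini_secret_from_entropy(entropy, password)


# Constructed 16-byte entropy (a 12-word phrase decodes to 16 bytes of entropy,
# but decoding requires the BIP39 word list, which is not embedded here).
EXAMPLE_ENTROPY = bytes(range(16))

if __name__ == "__main__":
    print(audit_keystore_file(KEYSTORE_FILE_NAME, KEYSTORE_FILE_CONTENT))
    print("password changes key:", password_changes_key(EXAMPLE_ENTROPY, "pass"))
```

The first four bytes of the file name decode to the ASCII key type id `user`, matching `KeyTypeId(*b"user")` in the comment above, and the rest is the 32-byte public key the keystore looks up by. Reading the file yields the phrase directly; the password only matters at derivation time, which is why a pair generated with `None` does not match what a keystore opened with a password derives from the same phrase.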