@libp2p/keychain 4.1.6 → 5.0.0-18dd3cb26

package/src/keychain.ts

@@ -1,17 +1,19 @@
 /* eslint max-nested-callbacks: ["error", 5] */
 
 import { pbkdf2, randomBytes } from '@libp2p/crypto'
-import { generateKeyPair, importKey, unmarshalPrivateKey } from '@libp2p/crypto/keys'
-import { CodeError, serviceCapabilities } from '@libp2p/interface'
-import { peerIdFromKeys } from '@libp2p/peer-id'
+import { privateKeyToProtobuf } from '@libp2p/crypto/keys'
+import { InvalidParametersError, NotFoundError, serviceCapabilities } from '@libp2p/interface'
 import { Key } from 'interface-datastore/key'
 import mergeOptions from 'merge-options'
+import { base58btc } from 'multiformats/bases/base58'
+import { sha256 } from 'multiformats/hashes/sha2'
 import sanitize from 'sanitize-filename'
 import { fromString as uint8ArrayFromString } from 'uint8arrays/from-string'
 import { toString as uint8ArrayToString } from 'uint8arrays/to-string'
-import { codes } from './errors.js'
-import type { KeychainComponents, KeychainInit, Keychain, KeyInfo } from './index.js'
-import type { Logger, KeyType, PeerId } from '@libp2p/interface'
+import { exportPrivateKey } from './utils/export.js'
+import { importPrivateKey } from './utils/import.js'
+import type { KeychainComponents, KeychainInit, Keychain as KeychainInterface, KeyInfo } from './index.js'
+import type { Logger, PrivateKey } from '@libp2p/interface'
 
 const keyPrefix = '/pkcs8/'
 const infoPrefix = '/info/'
@@ -72,6 +74,13 @@ function DsInfoName (name: string): Key {
   return new Key(infoPrefix + name)
 }
 
+export async function keyId (key: PrivateKey): Promise<string> {
+  const pb = privateKeyToProtobuf(key)
+  const hash = await sha256.digest(pb)
+
+  return base58btc.encode(hash.bytes).substring(1)
+}
+
 /**
  * Manages the lifecycle of a key. Keys are encrypted at rest using PKCS #8.
  *
@@ -80,7 +89,7 @@ function DsInfoName (name: string): Key {
  * - '/pkcs8/*key-name*', contains the PKCS #8 for the key
  *
  */
-export class DefaultKeychain implements Keychain {
+export class Keychain implements KeychainInterface {
   private readonly components: KeychainComponents
   private readonly init: KeychainInit
   private readonly log: Logger
@@ -147,151 +156,149 @@ export class DefaultKeychain implements Keychain {
     return defaultOptions
   }
 
-  /**
-   * Create a new key.
-   *
-   * @param {string} name - The local key name; cannot already exist.
-   * @param {string} type - One of the key types; 'rsa'.
-   * @param {number} [size = 2048] - The key size in bits. Used for rsa keys only
-   */
-  async createKey (name: string, type: KeyType, size = 2048): Promise<KeyInfo> {
-    if (!validateKeyName(name) || name === 'self') {
+  async findKeyByName (name: string): Promise<KeyInfo> {
+    if (!validateKeyName(name)) {
       await randomDelay()
-      throw new CodeError('Invalid key name', codes.ERR_INVALID_KEY_NAME)
+      throw new InvalidParametersError(`Invalid key name '${name}'`)
     }
 
-    if (typeof type !== 'string') {
-      await randomDelay()
-      throw new CodeError('Invalid key type', codes.ERR_INVALID_KEY_TYPE)
-    }
+    const dsname = DsInfoName(name)
 
-    const dsname = DsName(name)
-    const exists = await this.components.datastore.has(dsname)
-    if (exists) {
+    try {
+      const res = await this.components.datastore.get(dsname)
+      return JSON.parse(uint8ArrayToString(res))
+    } catch (err: any) {
       await randomDelay()
-      throw new CodeError('Key name already exists', codes.ERR_KEY_ALREADY_EXISTS)
-    }
-
-    switch (type.toLowerCase()) {
-      case 'rsa':
-        if (!Number.isSafeInteger(size) || size < 2048) {
-          await randomDelay()
-          throw new CodeError('Invalid RSA key size', codes.ERR_INVALID_KEY_SIZE)
-        }
-        break
-      default:
-        break
+      this.log.error(err)
+      throw new NotFoundError(`Key '${name}' does not exist.`)
     }
+  }
 
-    let keyInfo
+  async findKeyById (id: string): Promise<KeyInfo> {
     try {
-      const keypair = await generateKeyPair(type, size)
-      const kid = await keypair.id()
-      const cached = privates.get(this)
-
-      if (cached == null) {
-        throw new CodeError('dek missing', codes.ERR_INVALID_PARAMETERS)
+      const query = {
+        prefix: infoPrefix
       }
 
-      const dek = cached.dek
-      const pem = await keypair.export(dek)
-      keyInfo = {
-        name,
-        id: kid
+      for await (const value of this.components.datastore.query(query)) {
+        const key = JSON.parse(uint8ArrayToString(value.value))
+
+        if (key.id === id) {
+          return key
+        }
       }
-      const batch = this.components.datastore.batch()
-      batch.put(dsname, uint8ArrayFromString(pem))
-      batch.put(DsInfoName(name), uint8ArrayFromString(JSON.stringify(keyInfo)))
 
-      await batch.commit()
+      throw new InvalidParametersError(`Key with id '${id}' does not exist.`)
     } catch (err: any) {
       await randomDelay()
       throw err
     }
-
-    return keyInfo
   }
 
-  /**
-   * List all the keys.
-   *
-   * @returns {Promise<KeyInfo[]>}
-   */
-  async listKeys (): Promise<KeyInfo[]> {
-    const query = {
-      prefix: infoPrefix
+  async importKey (name: string, key: PrivateKey): Promise<KeyInfo> {
+    if (!validateKeyName(name) || name === 'self') {
+      await randomDelay()
+      throw new InvalidParametersError(`Invalid key name '${name}'`)
     }
-
-    const info = []
-    for await (const value of this.components.datastore.query(query)) {
-      info.push(JSON.parse(uint8ArrayToString(value.value)))
+    if (key == null) {
+      await randomDelay()
+      throw new InvalidParametersError('Key is required')
+    }
+    const dsname = DsName(name)
+    const exists = await this.components.datastore.has(dsname)
+    if (exists) {
+      await randomDelay()
+      throw new InvalidParametersError(`Key '${name}' already exists`)
     }
 
-    return info
-  }
-
-  /**
-   * Find a key by it's id
-   */
-  async findKeyById (id: string): Promise<KeyInfo> {
+    let kid: string
+    let pem: string
     try {
-      const keys = await this.listKeys()
-      const key = keys.find((k) => k.id === id)
+      kid = await keyId(key)
+      const cached = privates.get(this)
 
-      if (key == null) {
-        throw new CodeError(`Key with id '${id}' does not exist.`, codes.ERR_KEY_NOT_FOUND)
+      if (cached == null) {
+        throw new InvalidParametersError('dek missing')
       }
 
-      return key
+      const dek = cached.dek
+      pem = await exportPrivateKey(key, dek, key.type === 'RSA' ? 'pkcs-8' : 'libp2p-key')
     } catch (err: any) {
       await randomDelay()
       throw err
     }
+
+    const keyInfo = {
+      name,
+      id: kid
+    }
+    const batch = this.components.datastore.batch()
+    batch.put(dsname, uint8ArrayFromString(pem))
+    batch.put(DsInfoName(name), uint8ArrayFromString(JSON.stringify(keyInfo)))
+    await batch.commit()
+
+    return keyInfo
   }
 
-  /**
-   * Find a key by it's name.
-   *
-   * @param {string} name - The local key name.
-   * @returns {Promise<KeyInfo>}
-   */
-  async findKeyByName (name: string): Promise<KeyInfo> {
+  async exportKey (name: string): Promise<PrivateKey> {
     if (!validateKeyName(name)) {
       await randomDelay()
-      throw new CodeError(`Invalid key name '${name}'`, codes.ERR_INVALID_KEY_NAME)
+      throw new InvalidParametersError(`Invalid key name '${name}'`)
     }
 
-    const dsname = DsInfoName(name)
+    const dsname = DsName(name)
     try {
       const res = await this.components.datastore.get(dsname)
-      return JSON.parse(uint8ArrayToString(res))
+      const pem = uint8ArrayToString(res)
+      const cached = privates.get(this)
+
+      if (cached == null) {
+        throw new InvalidParametersError('dek missing')
+      }
+
+      const dek = cached.dek
+
+      return await importPrivateKey(pem, dek)
     } catch (err: any) {
       await randomDelay()
-      this.log.error(err)
-      throw new CodeError(`Key '${name}' does not exist.`, codes.ERR_KEY_NOT_FOUND)
+      throw err
     }
   }
 
-  /**
-   * Remove an existing key.
-   *
-   * @param {string} name - The local key name; must already exist.
-   * @returns {Promise<KeyInfo>}
-   */
   async removeKey (name: string): Promise<KeyInfo> {
     if (!validateKeyName(name) || name === 'self') {
       await randomDelay()
-      throw new CodeError(`Invalid key name '${name}'`, codes.ERR_INVALID_KEY_NAME)
+      throw new InvalidParametersError(`Invalid key name '${name}'`)
     }
+
     const dsname = DsName(name)
     const keyInfo = await this.findKeyByName(name)
     const batch = this.components.datastore.batch()
     batch.delete(dsname)
     batch.delete(DsInfoName(name))
     await batch.commit()
+
     return keyInfo
   }
 
+  /**
+   * List all the keys.
+   *
+   * @returns {Promise<KeyInfo[]>}
+   */
+  async listKeys (): Promise<KeyInfo[]> {
+    const query = {
+      prefix: infoPrefix
+    }
+
+    const info = []
+    for await (const value of this.components.datastore.query(query)) {
+      info.push(JSON.parse(uint8ArrayToString(value.value)))
+    }
+
+    return info
+  }
+
   /**
    * Rename a key
    *
@@ -302,11 +309,11 @@ export class DefaultKeychain implements Keychain {
   async renameKey (oldName: string, newName: string): Promise<KeyInfo> {
     if (!validateKeyName(oldName) || oldName === 'self') {
       await randomDelay()
-      throw new CodeError(`Invalid old key name '${oldName}'`, codes.ERR_OLD_KEY_NAME_INVALID)
+      throw new InvalidParametersError(`Invalid old key name '${oldName}'`)
     }
     if (!validateKeyName(newName) || newName === 'self') {
       await randomDelay()
-      throw new CodeError(`Invalid new key name '${newName}'`, codes.ERR_NEW_KEY_NAME_INVALID)
+      throw new InvalidParametersError(`Invalid new key name '${newName}'`)
     }
     const oldDsname = DsName(oldName)
     const newDsname = DsName(newName)
@@ -316,7 +323,7 @@ export class DefaultKeychain implements Keychain {
     const exists = await this.components.datastore.has(newDsname)
     if (exists) {
       await randomDelay()
-      throw new CodeError(`Key '${newName}' already exists`, codes.ERR_KEY_ALREADY_EXISTS)
+      throw new InvalidParametersError(`Key '${newName}' already exists`)
     }
 
     try {
@@ -338,199 +345,27 @@ export class DefaultKeychain implements Keychain {
     }
   }
 
-  /**
-   * Export an existing key as a PEM encrypted PKCS #8 string
-   */
-  async exportKey (name: string, password: string): Promise<string> {
-    if (!validateKeyName(name)) {
-      await randomDelay()
-      throw new CodeError(`Invalid key name '${name}'`, codes.ERR_INVALID_KEY_NAME)
-    }
-    if (password == null) {
-      await randomDelay()
-      throw new CodeError('Password is required', codes.ERR_PASSWORD_REQUIRED)
-    }
-
-    const dsname = DsName(name)
-    try {
-      const res = await this.components.datastore.get(dsname)
-      const pem = uint8ArrayToString(res)
-      const cached = privates.get(this)
-
-      if (cached == null) {
-        throw new CodeError('dek missing', codes.ERR_INVALID_PARAMETERS)
-      }
-
-      const dek = cached.dek
-      const privateKey = await importKey(pem, dek)
-      const keyString = await privateKey.export(password)
-
-      return keyString
-    } catch (err: any) {
-      await randomDelay()
-      throw err
-    }
-  }
-
-  /**
-   * Export an existing key as a PeerId
-   */
-  async exportPeerId (name: string): Promise<PeerId> {
-    const password = 'temporary-password'
-    const pem = await this.exportKey(name, password)
-    const privateKey = await importKey(pem, password)
-
-    return peerIdFromKeys(privateKey.public.bytes, privateKey.bytes)
-  }
-
-  /**
-   * Import a new key from a PEM encoded PKCS #8 string
-   *
-   * @param {string} name - The local key name; must not already exist.
-   * @param {string} pem - The PEM encoded PKCS #8 string
-   * @param {string} password - The password.
-   * @returns {Promise<KeyInfo>}
-   */
-  async importKey (name: string, pem: string, password: string): Promise<KeyInfo> {
-    if (!validateKeyName(name) || name === 'self') {
-      await randomDelay()
-      throw new CodeError(`Invalid key name '${name}'`, codes.ERR_INVALID_KEY_NAME)
-    }
-    if (pem == null) {
-      await randomDelay()
-      throw new CodeError('PEM encoded key is required', codes.ERR_PEM_REQUIRED)
-    }
-    const dsname = DsName(name)
-    const exists = await this.components.datastore.has(dsname)
-    if (exists) {
-      await randomDelay()
-      throw new CodeError(`Key '${name}' already exists`, codes.ERR_KEY_ALREADY_EXISTS)
-    }
-
-    let privateKey
-    try {
-      privateKey = await importKey(pem, password)
-    } catch (err: any) {
-      await randomDelay()
-      throw new CodeError('Cannot read the key, most likely the password is wrong', codes.ERR_CANNOT_READ_KEY)
-    }
-
-    let kid
-    try {
-      kid = await privateKey.id()
-      const cached = privates.get(this)
-
-      if (cached == null) {
-        throw new CodeError('dek missing', codes.ERR_INVALID_PARAMETERS)
-      }
-
-      const dek = cached.dek
-      pem = await privateKey.export(dek)
-    } catch (err: any) {
-      await randomDelay()
-      throw err
-    }
-
-    const keyInfo = {
-      name,
-      id: kid
-    }
-    const batch = this.components.datastore.batch()
-    batch.put(dsname, uint8ArrayFromString(pem))
-    batch.put(DsInfoName(name), uint8ArrayFromString(JSON.stringify(keyInfo)))
-    await batch.commit()
-
-    return keyInfo
-  }
-
-  /**
-   * Import a peer key
-   */
-  async importPeer (name: string, peer: PeerId): Promise<KeyInfo> {
-    try {
-      if (!validateKeyName(name)) {
-        throw new CodeError(`Invalid key name '${name}'`, codes.ERR_INVALID_KEY_NAME)
-      }
-      if (peer == null) {
-        throw new CodeError('PeerId is required', codes.ERR_MISSING_PRIVATE_KEY)
-      }
-      if (peer.privateKey == null) {
-        throw new CodeError('PeerId.privKey is required', codes.ERR_MISSING_PRIVATE_KEY)
-      }
-
-      const privateKey = await unmarshalPrivateKey(peer.privateKey)
-
-      const dsname = DsName(name)
-      const exists = await this.components.datastore.has(dsname)
-      if (exists) {
-        await randomDelay()
-        throw new CodeError(`Key '${name}' already exists`, codes.ERR_KEY_ALREADY_EXISTS)
-      }
-
-      const cached = privates.get(this)
-
-      if (cached == null) {
-        throw new CodeError('dek missing', codes.ERR_INVALID_PARAMETERS)
-      }
-
-      const dek = cached.dek
-      const pem = await privateKey.export(dek)
-      const keyInfo: KeyInfo = {
-        name,
-        id: peer.toString()
-      }
-      const batch = this.components.datastore.batch()
-      batch.put(dsname, uint8ArrayFromString(pem))
-      batch.put(DsInfoName(name), uint8ArrayFromString(JSON.stringify(keyInfo)))
-      await batch.commit()
-      return keyInfo
-    } catch (err: any) {
-      await randomDelay()
-      throw err
-    }
-  }
-
-  /**
-   * Gets the private key as PEM encoded PKCS #8 string
-   */
-  async getPrivateKey (name: string): Promise<string> {
-    if (!validateKeyName(name)) {
-      await randomDelay()
-      throw new CodeError(`Invalid key name '${name}'`, codes.ERR_INVALID_KEY_NAME)
-    }
-
-    try {
-      const dsname = DsName(name)
-      const res = await this.components.datastore.get(dsname)
-      return uint8ArrayToString(res)
-    } catch (err: any) {
-      await randomDelay()
-      this.log.error(err)
-      throw new CodeError(`Key '${name}' does not exist.`, codes.ERR_KEY_NOT_FOUND)
-    }
-  }
-
   /**
    * Rotate keychain password and re-encrypt all associated keys
    */
   async rotateKeychainPass (oldPass: string, newPass: string): Promise<void> {
     if (typeof oldPass !== 'string') {
       await randomDelay()
-      throw new CodeError(`Invalid old pass type '${typeof oldPass}'`, codes.ERR_INVALID_OLD_PASS_TYPE)
+      throw new InvalidParametersError(`Invalid old pass type '${typeof oldPass}'`)
     }
     if (typeof newPass !== 'string') {
       await randomDelay()
-      throw new CodeError(`Invalid new pass type '${typeof newPass}'`, codes.ERR_INVALID_NEW_PASS_TYPE)
+      throw new InvalidParametersError(`Invalid new pass type '${typeof newPass}'`)
     }
     if (newPass.length < 20) {
       await randomDelay()
-      throw new CodeError(`Invalid pass length ${newPass.length}`, codes.ERR_INVALID_PASS_LENGTH)
+      throw new InvalidParametersError(`Invalid pass length ${newPass.length}`)
     }
     this.log('recreating keychain')
     const cached = privates.get(this)
 
     if (cached == null) {
-      throw new CodeError('dek missing', codes.ERR_INVALID_PARAMETERS)
+      throw new InvalidParametersError('dek missing')
     }
 
     const oldDek = cached.dek
@@ -548,9 +383,9 @@ export class DefaultKeychain implements Keychain {
     for (const key of keys) {
       const res = await this.components.datastore.get(DsName(key.name))
       const pem = uint8ArrayToString(res)
-      const privateKey = await importKey(pem, oldDek)
+      const privateKey = await importPrivateKey(pem, oldDek)
       const password = newDek.toString()
-      const keyAsPEM = await privateKey.export(password)
+      const keyAsPEM = await exportPrivateKey(privateKey, password, privateKey.type === 'RSA' ? 'pkcs-8' : 'libp2p-key')
 
       // Update stored key
       const batch = this.components.datastore.batch()

package/src/utils/constants.ts

@@ -0,0 +1,3 @@
+export const SALT_LENGTH = 16
+export const KEY_SIZE = 32
+export const ITERATIONS = 10000