Merge pull request hyperledger-indy#811 from keichiri/feature/wallet_key_rotation

jovfer · web-flow · commit def962e9cf5e · 2018-05-31T11:13:31.000+03:00
wallet key rotation
diff --git a/libindy/src/services/wallet/mod.rs b/libindy/src/services/wallet/mod.rs
@@ -30,6 +30,7 @@ use self::storage::default::SQLiteStorageType;
 use self::storage::plugged::PluggedStorageType;
 use self::wallet::{Wallet, Keys, Tags};
 use self::indy_crypto::utils::json::{JsonDecodable, JsonEncodable};
+use utils::crypto::pwhash_argon2i13::PwhashArgon2i13;
 
 
 #[derive(Serialize, Deserialize, Debug)]
@@ -63,22 +64,30 @@ impl<'a> JsonDecodable<'a> for WalletConfig {}
 #[derive(Debug)]
 pub struct WalletCredentials {
     master_key: [u8; 32],
+    rekey: Option<[u8; 32]>,
     storage_credentials: String,
 }
 
-use utils::crypto::pwhash_argon2i13::PwhashArgon2i13;
 
 impl WalletCredentials {
     fn from_json(json: &str, salt: &[u8; PwhashArgon2i13::SALTBYTES]) -> Result<WalletCredentials, WalletError> {
         if let serde_json::Value::Object(m) = serde_json::from_str(json)? {
-            let master_key = if let Some(key) = m["key"].as_str() {
+            let master_key = if let Some(key) = m.get("key").and_then(|s| s.as_str()) {
                 let mut master_key: [u8; ChaCha20Poly1305IETF::KEYBYTES] = [0; ChaCha20Poly1305IETF::KEYBYTES];
                 PwhashArgon2i13::derive_key(&mut master_key, key.as_bytes(), salt)?;
                 master_key
             } else {
                 return Err(WalletError::InputError(String::from("Credentials missing 'key' field")));
             };
 
+            let rekey = if let Some(key) =  m.get("rekey").and_then(|s| s.as_str()) {
+                let mut rekey: [u8; ChaCha20Poly1305IETF::KEYBYTES] = [0; ChaCha20Poly1305IETF::KEYBYTES];
+                PwhashArgon2i13::derive_key(&mut rekey, key.as_bytes(), salt)?;
+                Some(rekey)
+            } else {
+                None
+            };
+
             let storage_credentials = serde_json::to_string(
                 &m.get("storage_credentials")
                     .and_then(|storage_credentials| storage_credentials.as_object())
@@ -87,6 +96,7 @@ impl WalletCredentials {
 
             Ok(WalletCredentials {
                 master_key,
+                rekey,
                 storage_credentials
             })
         } else {
@@ -274,8 +284,7 @@ impl WalletService {
         let config = serde_json::from_str::<WalletConfig>(&config_json)
             .map_err(|err| CommonError::InvalidState(format!("Cannot deserialize Storage Config")))?;
 
-        let credentials = WalletCredentials::from_json(credentials, &config.salt)?
-        ;
+        let credentials = WalletCredentials::from_json(credentials, &config.salt)?;
         let storage = storage_type.open_storage(name,
                                                 Some(&config_json),
                                                 &credentials.storage_credentials)?;
@@ -288,9 +297,13 @@ impl WalletService {
             Ok(keys_vector) => keys_vector,
             Err(_) => return Err(WalletError::AccessFailed("Invalid master key provided".to_string())),
         };
+
         let keys = Keys::new(keys_vector);
 
         let wallet = Wallet::new(name, &descriptor.pool_name, storage, keys);
+        if let Some(ref rekey) = credentials.rekey {
+            wallet.rotate_key(&rekey[..])?;
+        }
         let wallet_handle = SequenceUtils::get_next_id();
         wallets.insert(wallet_handle, Box::new(wallet));
 
@@ -727,6 +740,14 @@ mod tests {
         String::from(r#"{"key":"my_key"}"#)
     }
 
+    fn _rekey_credentials() -> String {
+        String::from(r#"{"key":"my_key", "rekey": "my_new_key"}"#)
+    }
+
+    fn _credentials_for_new_key() -> String {
+        String::from(r#"{"key": "my_new_key"}"#)
+    }
+
     fn _cleanup() {
         let mut path = std::env::home_dir().unwrap();
         path.push(".indy_client");
@@ -877,6 +898,16 @@ mod tests {
         wallet_service.create_wallet("pool1", "test_wallet", None, None, &_credentials()).unwrap();
         wallet_service.open_wallet("test_wallet", None, &_credentials()).unwrap();
     }
+
+    #[test]
+    fn wallet_service_open_wallet_without_master_key_in_credentials_returns_error() {
+        _cleanup();
+
+        let wallet_service = WalletService::new();
+        wallet_service.create_wallet("pool1", "test_wallet", None, None, &_credentials()).unwrap();
+        let res = wallet_service.open_wallet("test_wallet", None, "{}");
+        assert_match!(Err(WalletError::InputError(_)), res);
+    }
     //
     //    //    #[test]
     //    //    fn wallet_service_open_works_for_plugged() {
@@ -1509,4 +1540,39 @@ mod tests {
         let get_pool_name_res = wallet_service.get_pool_name(1);
         assert_match!(Err(WalletError::InvalidHandle(_)), get_pool_name_res);
     }
+
+    /**
+        Key rotation test
+    */
+    #[test]
+    fn wallet_service_key_rotation() {
+        _cleanup();
+
+        let wallet_service = WalletService::new();
+        wallet_service.create_wallet("pool1", "test_wallet", None, None, &_credentials()).unwrap();
+        let wallet_handle = wallet_service.open_wallet("test_wallet", None, &_credentials()).unwrap();
+
+        wallet_service.add_record(wallet_handle, "type", "key1", "value1", "{}").unwrap();
+        let record = wallet_service.get_record(wallet_handle, "type", "key1", &_fetch_options(true, true, true)).unwrap();
+        assert_eq!("type", record.get_type().unwrap());
+        assert_eq!("value1", record.get_value().unwrap());
+
+        wallet_service.close_wallet(wallet_handle).unwrap();
+
+        let wallet_handle = wallet_service.open_wallet("test_wallet", None, &_rekey_credentials()).unwrap();
+        let record = wallet_service.get_record(wallet_handle, "type", "key1", &_fetch_options(true, true, true)).unwrap();
+        assert_eq!("type", record.get_type().unwrap());
+        assert_eq!("value1", record.get_value().unwrap());
+        wallet_service.close_wallet(wallet_handle).unwrap();
+
+        // Access failed for old key
+        let res = wallet_service.open_wallet("test_wallet", None, &_credentials());
+        assert_match!(Err(WalletError::AccessFailed(_)), res);
+
+        // Works ok with new key when reopening
+        let wallet_handle = wallet_service.open_wallet("test_wallet", None, &_credentials_for_new_key()).unwrap();
+        let record = wallet_service.get_record(wallet_handle, "type", "key1", &_fetch_options(true, true, true)).unwrap();
+        assert_eq!("type", record.get_type().unwrap());
+        assert_eq!("value1", record.get_value().unwrap());
+    }
 }
diff --git a/libindy/src/services/wallet/storage/default/mod.rs b/libindy/src/services/wallet/storage/default/mod.rs
@@ -541,7 +541,7 @@ impl WalletStorage for SQLiteStorage {
     }
 
     fn set_storage_metadata(&self, metadata: &Vec<u8>) -> Result<(), WalletStorageError> {
-        match self.conn.execute("INSERT OR REPLACE INTO metadata(value) VALUES(?1)",&[metadata]) {
+        match self.conn.execute("UPDATE metadata SET value = ?1",&[metadata]) {
             Ok(_) => Ok(()),
             Err(error) => {
                 Err(WalletStorageError::IOError(format!("Error occurred while inserting the keys: {}", error)))
diff --git a/libindy/src/services/wallet/wallet.rs b/libindy/src/services/wallet/wallet.rs
@@ -66,6 +66,19 @@ impl Keys {
 
         return ChaCha20Poly1305IETF::encrypt_as_not_searchable(&keys, &master_key);
     }
+
+    pub fn encrypt(&self, master_key: &[u8]) -> Vec<u8> {
+        let mut keys = Vec::new();
+        keys.extend_from_slice(&self.type_key);
+        keys.extend_from_slice(&self.name_key);
+        keys.extend_from_slice(&self.value_key);
+        keys.extend_from_slice(&self.item_hmac_key);
+        keys.extend_from_slice(&self.tag_name_key);
+        keys.extend_from_slice(&self.tag_value_key);
+        keys.extend_from_slice(&self.tags_hmac_key);
+
+        return ChaCha20Poly1305IETF::encrypt_as_not_searchable(&keys, &master_key);
+    }
 }
 
 
@@ -239,6 +252,12 @@ impl Wallet {
         Ok(())
     }
 
+    pub(super) fn rotate_key(&self, new_master_key: &[u8]) -> Result<(), WalletError> {
+        let new_metadata = self.keys.encrypt(new_master_key);
+        self.storage.set_storage_metadata(&new_metadata)?;
+        Ok(())
+    }
+
     pub fn get_pool_name(&self) -> String {
         self.pool_name.clone()
     }
@@ -286,8 +305,8 @@ mod tests {
 
 
     fn _cleanup() {
-        std::fs::remove_dir_all(_wallet_path());
-        std::fs::create_dir(_wallet_path());
+        std::fs::remove_dir_all(_wallet_path()).unwrap();
+        std::fs::create_dir(_wallet_path()).unwrap();
     }
 
     fn _credentials() -> String {
@@ -322,6 +341,15 @@ mod tests {
         ];
     }
 
+    fn _get_test_new_master_key() -> [u8; 32] {
+        return [
+            2, 2, 3, 4, 5, 6, 7, 8,
+            2, 2, 3, 4, 5, 6, 7, 8,
+            2, 2, 3, 4, 5, 6, 7, 8,
+            2, 2, 3, 4, 5, 6, 7, 8
+        ];
+    }
+
     fn _get_test_keys() -> Vec<u8> {
         return vec![
             1, 2, 3, 4, 5, 6, 7, 8,
@@ -583,7 +611,7 @@ mod tests {
 
     #[test]
     fn wallet_update_tags() {
-                _cleanup();
+        _cleanup();
         let mut wallet = _create_wallet();
         let type_ = "test";
         let name = "name";

Original file line number	Diff line number	Diff line change
`@@ -541,7 +541,7 @@ impl WalletStorage for SQLiteStorage {`
`541`	`541`	`}`
`542`	`542`
`543`	`543`	`fn set_storage_metadata(&self, metadata: &Vec<u8>) -> Result<(), WalletStorageError> {`
`544`		`- match self.conn.execute("INSERT OR REPLACE INTO metadata(value) VALUES(?1)",&[metadata]) {`
	`544`	`+ match self.conn.execute("UPDATE metadata SET value = ?1",&[metadata]) {`
`545`	`545`	`Ok(_) => Ok(()),`
`546`	`546`	`Err(error) => {`
`547`	`547`	`Err(WalletStorageError::IOError(format!("Error occurred while inserting the keys: {}", error)))`