Merge pull request #648 from openmina/fix/configure-keypair

Fix configure keypair

Author: tizoc

cli/src/commands/node/mod.rs

@@ -28,6 +28,11 @@ pub struct Node {
     #[arg(long)]
     pub libp2p_keypair: Option<String>,
 
+    // warning, this overrides `OPENMINA_P2P_SEC_KEY`
+    /// Compatibility with OCaml Mina node
+    #[arg(env = "MINA_LIBP2P_PASS")]
+    pub libp2p_password: Option<String>,
+
     /// Http port to listen on
     #[arg(long, short, env, default_value = "3000")]
     pub port: u16,
@@ -70,6 +75,8 @@ pub struct Node {
     /// MINA_PRIVKEY_PASS must be set to decrypt the keyfile
     #[arg(long, env)]
     pub producer_key: Option<PathBuf>,
+    #[arg(env = "MINA_PRIVKEY_PASS")]
+    pub producer_key_password: Option<String>,
     /// Snark fee, in Mina
     #[arg(long, env, default_value_t = 1_000_000)]
     pub snarker_fee: u64,
@@ -131,10 +138,8 @@ impl Node {
         }
 
         // warning, this overrides `OPENMINA_P2P_SEC_KEY`
-        if let Some(key_file) = self.libp2p_keypair {
-            use openmina_node_account::AccountSecretKey;
-
-            match AccountSecretKey::from_encrypted_file(&key_file) {
+        if let (Some(key_file), Some(password)) = (&self.libp2p_keypair, &self.libp2p_password) {
+            match AccountSecretKey::from_encrypted_file(key_file, password) {
                 Ok(sk) => {
                     node_builder.p2p_sec_key(SecretKey::from_bytes(sk.to_bytes()));
                     node::core::info!(
@@ -151,8 +156,16 @@ impl Node {
                         file_name = key_file,
                         err = err.to_string(),
                     );
+                    return Err(err.into());
                 }
             }
+        } else if self.libp2p_keypair.is_some() && self.libp2p_password.is_none() {
+            let error = "keyfile is specified, but `MINA_LIBP2P_PASS` is not set";
+            node::core::error!(
+                node::core::log::system_time();
+                summary = error,
+            );
+            return Err(anyhow::anyhow!(error));
         }
 
         node_builder.p2p_libp2p_port(self.libp2p_port);
@@ -169,11 +182,13 @@ impl Node {
             node_builder.initial_peers_from_url(url)?;
         }
 
-        if let Some(producer_key_path) = self.producer_key {
+        if let (Some(producer_key_path), Some(pasword)) =
+            (self.producer_key, &self.producer_key_password)
+        {
             node::core::info!(node::core::log::system_time(); summary = "loading provers index");
             ledger::proofs::gates::get_provers();
             node::core::info!(node::core::log::system_time(); summary = "loaded provers index");
-            node_builder.block_producer_from_file(producer_key_path)?;
+            node_builder.block_producer_from_file(producer_key_path, pasword)?;
         }
 
         if let Some(sec_key) = self.run_snarker {

node/account/src/secret_key.rs

@@ -1,4 +1,4 @@
-use std::{env, fmt, fs, path::Path, str::FromStr};
+use std::{fmt, fs, path::Path, str::FromStr};
 
 use argon2::{password_hash::SaltString, Argon2, Params, PasswordHasher};
 use base64::Engine;
@@ -73,19 +73,26 @@ impl AccountSecretKey {
         self.0.public.clone().into_compressed()
     }
 
-    pub fn from_encrypted_file(path: impl AsRef<Path>) -> Result<Self, EncryptionError> {
+    pub fn from_encrypted_file(
+        path: impl AsRef<Path>,
+        password: &str,
+    ) -> Result<Self, EncryptionError> {
         let key_file = fs::File::open(path)?;
         let encrypted: EncryptedSecretKey = serde_json::from_reader(key_file)?;
-        encrypted.try_decrypt()
+        encrypted.try_decrypt(password)
     }
 
-    pub fn to_encrypted_file(&self, path: impl AsRef<Path>) -> Result<(), EncryptionError> {
+    pub fn to_encrypted_file(
+        &self,
+        path: impl AsRef<Path>,
+        password: &str,
+    ) -> Result<(), EncryptionError> {
         if path.as_ref().exists() {
             panic!("File {} already exists", path.as_ref().display())
         }
 
         let f = fs::File::create(path)?;
-        let encrypted = EncryptedSecretKey::encrypt(&self.to_bytes())?;
+        let encrypted = EncryptedSecretKey::encrypt(&self.to_bytes(), password)?;
 
         serde_json::to_writer(f, &encrypted)?;
         Ok(())
@@ -188,8 +195,6 @@ pub enum EncryptionError {
     Io(#[from] std::io::Error),
     #[error(transparent)]
     SerdeJson(#[from] serde_json::Error),
-    #[error("MINA_PRIVKEY_PASS environment variable must be set!")]
-    PasswordEnvVarMissing,
 }
 
 #[derive(Serialize, Deserialize, Debug)]
@@ -222,10 +227,8 @@ impl EncryptedSecretKey {
         ))
     }
 
-    pub fn try_decrypt(&self) -> Result<AccountSecretKey, EncryptionError> {
+    pub fn try_decrypt(&self, password: &str) -> Result<AccountSecretKey, EncryptionError> {
         // prepare inputs to cipher
-        let password =
-            env::var("MINA_PRIVKEY_PASS").map_err(|_| EncryptionError::PasswordEnvVarMissing)?;
         let password = password.as_bytes();
         let pwsalt = self.pwsalt.try_decode(Self::ENCRYPTION_DATA_VERSION_BYTE)?;
         let nonce = self.nonce.try_decode(Self::ENCRYPTION_DATA_VERSION_BYTE)?;
@@ -253,14 +256,12 @@ impl EncryptedSecretKey {
         Ok(AccountSecretKey::from_bytes(&decrypted[1..])?)
     }
 
-    pub fn encrypt(key: &[u8]) -> Result<Self, EncryptionError> {
+    pub fn encrypt(key: &[u8], password: &str) -> Result<Self, EncryptionError> {
         let argon2 = Self::setup_argon(Self::PW_DIFF)?;
 
         // add the prefix byt to the key
         let mut key_prefixed = vec![Self::SECRET_KEY_PREFIX_BYTE];
         key_prefixed.extend(key);
-        let password =
-            env::var("MINA_PRIVKEY_PASS").map_err(|_| EncryptionError::PasswordEnvVarMissing)?;
 
         let salt = SaltString::generate(&mut OsRng);
         let password_hash = argon2
@@ -290,6 +291,8 @@ impl EncryptedSecretKey {
 
 #[cfg(test)]
 mod tests {
+    use std::env;
+
     use super::*;
 
     #[test]
@@ -316,18 +319,19 @@ mod tests {
 
     #[test]
     fn test_encrypt_decrypt() {
-        env::set_var("MINA_PRIVKEY_PASS", "not-very-secure-pass");
+        let password = "not-very-secure-pass";
+
         let new_key = AccountSecretKey::rand();
         let tmp_dir = env::temp_dir();
         let tmp_path = format!("{}/{}-key", tmp_dir.display(), new_key.public_key());
 
         // dump encrypted file
         new_key
-            .to_encrypted_file(&tmp_path)
+            .to_encrypted_file(&tmp_path, password)
             .expect("Failed to encrypt secret key");
 
         // load and decrypt
-        let decrypted = AccountSecretKey::from_encrypted_file(&tmp_path)
+        let decrypted = AccountSecretKey::from_encrypted_file(&tmp_path, password)
             .expect("Failed to decrypt secret key file");
 
         assert_eq!(
@@ -339,10 +343,10 @@ mod tests {
 
     #[test]
     fn test_ocaml_key_decrypt() {
-        env::set_var("MINA_PRIVKEY_PASS", "not-very-secure-pass");
+        let password = "not-very-secure-pass";
         let key_path = "../tests/files/accounts/test-key-1";
         let expected_public_key = "B62qmg7n4XqU3SFwx9KD9B7gxsKwxJP5GmxtBpHp1uxyN3grujii9a1";
-        let decrypted = AccountSecretKey::from_encrypted_file(key_path)
+        let decrypted = AccountSecretKey::from_encrypted_file(key_path, password)
             .expect("Failed to decrypt secret key file");
 
         assert_eq!(

node/native/src/node/builder.rs

@@ -180,8 +180,9 @@ impl NodeBuilder {
     pub fn block_producer_from_file(
         &mut self,
         path: impl AsRef<Path>,
+        password: &str,
     ) -> anyhow::Result<&mut Self> {
-        let key = AccountSecretKey::from_encrypted_file(path)
+        let key = AccountSecretKey::from_encrypted_file(path, password)
             .context("Failed to decrypt secret key file")?;
         Ok(self.block_producer(key))
     }

producer-dashboard/src/main.rs

@@ -41,7 +41,10 @@ async fn main() {
     let db = Database::open(config.database_path).expect("Failed to open Database");
     println!("[main] DB opened");
 
-    let key = AccountSecretKey::from_encrypted_file(config.private_key_path)
+    let password = std::env::var("MINA_PRIVKEY_PASS")
+        .expect("Expected password in the variable `MINA_PRIVKEY_PASS`");
+
+    let key = AccountSecretKey::from_encrypted_file(config.private_key_path, &password)
         .expect("failed to decrypt secret key file");
     println!("[main] Producer key loaded");