arrayio / array-io-keychain Goto Github PK
View Code? Open in Web Editor NEWA highly secure standalone application for signing transactions and generating key pairs.
Home Page: https://keychain.array.io/
License: MIT License
A highly secure standalone application for signing transactions and generating key pairs.
Home Page: https://keychain.array.io/
License: MIT License
Linux version of keychain has password entry window. This function had been added in task #5.
Within this task passentry submodule had been added to keychain solution. From security considerations passentry gui window executes from user context (not from keychain service user).
Next we need to add gravatar function on Linux platform. For this you need:
Also, we need to make test tool for this solution.
Test tools must have following functions:
Also I have additional question: what about implementation gravatar function on windows platfrom. Is it in our plans? Who will implement this?
Now, keychain uses reflection from fc library for serialisation json-packet.
It is supposed to do "reflection" independent from fc.
The gui must have:
after signature another text should appear
Attacker can grab pass secret by displaying fake password entry window for user. User will pass secret to the fake window and attacker will can to grab secret.
We need to implement protection mechanism like alt+ctrl+del in windows OS. User must enter specific keyboard shortcut, that attacker can not capture. If attacker will try to print fake pass entry window user will press a key combination. Our service will capture this keyboard shortcut, kill fake pass entry window and display truly pass entry window.
We must to figure out how to implement this protection mechanism on Windows, Linux and MacOS.
Need to implement signing transaction for bitcoin.
Parent task: #11
It is necesary to create keychain installer for Windows
Parent task: #7
It is necessary to integrate source files of terminal program "password entry" and GUI into project array-io-keychain
Linux version of keychain has password entry window. This function had been added in task #5.
Within this task passentry submodule had been added to keychain solution. From security considerations passentry gui window executes from user context (not from keychain service user).
Next we need to add gravatar function on Linux platform. For this you need:
Also, we need to make test tool for this solution.
Test tools must have following functions:
Also I have additional question: what about implementation gravatar function on windows platfrom. Is it in our plans? Who will implement this?
Need to implement lock/unlock behavior in keychain.
Keychain must store decrypted private key in memory during the specified time (unlock timeout). Store time is configured value. At this step this value may be hardcoded. Next unlock timeout value will be able to set by configuration. Storing decrypted private key in memory provide as sign next user transactions without necessary of entering key password every time.
Decrypted private key must store in keychain memory
Also it need to add lock command to keychain API.
lock command must have following parameters:
Need to create websocket server for all platforms.
WS server will run as service (linux daemon). WS server will install into the OS by keychain package jointly with keychain app (keychain service on Windows)
How it work:
WS server
client app => receive rpc request by web socket transport - it may be requests from client apps =>
=> open pipe channel with keychain (keychain service on windows) =>
=> send keychain commands (json format) =>
=> receive keychain response =>
=> translate keychain response to the websocket => client app
Need to create installer for Windows 7/8/10. Installer for Win10 is priority target.
Need to test keychain ethereum sign format on ethereum node
Need to create key manager GUI for all platforms
Prototype for gui is here
We'll have next fields on main table
Key info window:
Functions must be implemented:
At this moment keychain store key files in file system. Keys are protected from copying by symmetric encryption. But at this moment this solutions does not provide proper level of protection from following risks:
It is preferable to use native secure mechanisms in OS for reliable and secure storing of keys.
Need to implement secure password entry.
Platforms must be supported:
Platform should be supported in future:
Design features
Windows
Macos
The immediate task: Need to figure out design features for secure password entry on Macos.
Linux (X11)
Parent task: #11
It is necesary to create keychain installer for Mac
https://github.com/arrayio/array-io-keychain/wiki/keychain-sample-commands
CMD_
prefixCMD_SIGN
-> sign
Bug has been detected: keychain_pass_entry_app can not start password entry window on Win10.
keychain_pass_entry_app successfully run and show pass entry window on Win7, but does not work on Win10.
Need to fix it.
Need to run WS server https://github.com/joewalnes/websocketd/wiki/Ten-minute-tutorial on Windows. In this configuration we can run keychain on windows without keychain_service_win.
Need to modify existing keychain command line app. This app will run by ws server in system user context and can run pass_ent_app utility.
Need to try run keychain in this configuration.
Parent task: #11
It is necesary to create keychain deb-package for ubuntu/debian/mint
Parent task: #7
Some keyboard layout have key modifiers (French, for example). This provides the ability to press more one key for one symbol. It is necessary to implement read this symbols on low-level.
The task is pending.
Need to implement parse transaction mechanism in keychain.
Description wil come soon...
Need to run WS server https://github.com/joewalnes/websocketd/wiki/Ten-minute-tutorial on MacOS and try to run keychain app by ws server.
Need to run ws server on Linux
https://github.com/joewalnes/websocketd/wiki/Ten-minute-tutorial
Need to run keychain app by ws server.
it is necesary to implement bitcoin signature to keychain
Parent task: #9
websocket interface will be used for signing transaction from web-interface.
Need to implement signature for Ripple blockchain.
It is need to implement signing transaction for graphene blockchains without bitashares core libraries.
We don't want to link:
We need to use secp256k1 library from https://github.com/bitcoin-core/secp256k1.git, not from https://github.com/bitshares/secp256k1-zkp.git.
It is possible to add required function to bitcoin-core/secp256k1 if it is necessary to sign graphene transactions.
All mentions of Algorithm that relate to symmetric encryption should be renamed to 'cipher'.
This shiould be done inside code, and .md files.
{ "command": "create", "params": { "keyname": "test1", "encrypted": true, "algo": "CIPHER_AES256", "curve": "CURVE_SECP256K1" } }
should look like this:
{ "command": "create", "params": { "keyname": "test1", "encrypted": true, "cipher": "aes256", "curve": "secp256k1" } }
also
remove relics such as prefixes in the name of cipherss and curves, and make them lower case letters.
Setup CI/CD (Jenkins) For supported platforms:
I try to run WS server and start keychain app by server on incoming ws connection.
Keychain send to the clien json response in human readable form like this
{
"command": "create",
"params":
{
"keyname": "test1",
"encrypted": true,
"curve": "secp256k1",
"cipher": "aes256"
}
}
But ws client don't receive last brace.
{
"command": "create",
"params":
{
"keyname": "test1",
"encrypted": true,
"curve": "secp256k1",
"cipher": "aes256"
}
If keychain send response in one string this response does not reach the client at all.
Need to fix it.
It is necessary to run putty client with admin privileges to connect to named pipe on Windows. Need to reduce this requirements.
Keychain can not built on windows in release mode. In release mode compiler do not produce fc_light::~iostream destructor for some reason.
Need to fix it.
AIP: -
Title: Keychain application
Status: Draft
Type: Client
Author: @vladiuz1 ([email protected])
Created: 2018-03-20
A keychain is a multiformart multiplatform secure keystore application. At the moment a developer of multichain functionality is using different formats of storing keys. bitcoind, geth keystore, electrum's keyfiles all use the same public/private key standards but store them in different file formats, and have different interfaces to interract with keys.
Most blockchain project's wallets have duplicate functionality, and many differ only in the hash function signing transactions and generating addresses. However functionally it is the same public/private key cryptography with repeating functionality. create/sign/get public key.
Array.io client application can eventually be used for design of multi-blockchain applications. For example direct atomic swaps, lightning network applications, multi-blockchain wallets, etc. A keystorage that can keep and sign a key from any blockchain is extremely helpful. Security of keeping the key in a dapps environment is of utmost importance. Hence keychain environment must be separated from client application.
An Array.io Keychain is an application that creates and manages private/public key pairs and signs transactions. It is a standalone application that can be run in commandline or gui mode.
The most important functionality of the keychain is ability to sign transactions. Most blockchain projects today are using the same public/private key algorithm - secp256k1. And one key may be used for many different blockchains. The keychain must be modular application that knows how to sign trsansactions of multiple blockchains. It must understand multiple raw transaction formats eventually.
Another important command of the keychain is generation key pairs. As part of generation flow, a user must be prompted to write down a 12 word mnemonic seed.
And since the generation of keys is the main feature, we must also allow adding functionality to recognize multiple wallet formats, so keys could be conveniently imported into keychain from other client formats. E.g. electrum, ethereum, bitcoind's wallet.dat, etc...
Even though this is a standalone application it will rarely be launched by a user in either GUI or command line mode. It will most often be used by dapps server or array-io-node to sign transaction in a pipeline mode. Where the output of node or server is piped to the input of array-io-keychain.
arrayio-keychain command [options] [arguments]
Command | Arguments | Options | Result | Description | Issue |
---|---|---|---|---|---|
list | key list |
list all master keys in keychain | |||
sign | key_file , raw_tx |
-hd_path, -in_format, -out_format | signature |
sing a raw transaction | |
public_key | key_file |
-hd_path, -out_format | public_key |
get public key for the wallet | #18 |
create | key_file |
-cruve, -cipher | success |
create a new keypair | |
seed | key_file |
-language | seed |
view BIP39 mnemonic seed for the key | |
restore | key_file |
-curve, -cipher, -language | success |
restore key pair from a BIP39 seed | |
remove | key_file |
-delete | success |
remove a key from keychain | |
export | key_file , filename |
-format | success |
export key to an alternative format | |
import | filename , key_file |
-format, -cipher | success |
import key from another format | |
list-ciphers | <list> |
list available ciphers you can use to encrypt your wallet | |||
list-curves | <list> |
list availble curves | |||
help | command |
display help |
$ array-io-keychain sign —keyname=test0 --chainid=1 --in-format=hex --out-format=hex 871689d060721b5cec5a010080841e00000000000011130065cd1d0000000000000000
< 1f3314428fe189b2a5424b874dc4ef25c8df65c9d13504ede32a2b2c4c8ada5041161705139e81b981c5c31336d719cf40bd5619a24d890c89b1772944c3fffcc4
$ array-io-keychain —keyname=test0
> sign --chainid=1 --in-format=hex --out-format=hex 871689d060721b5cec5a010080841e00000000000011130065cd1d0000000000000000
< 1f3314428fe189b2a5424b874dc4ef25c8df65c9d13504ede32a2b2c4c8ada5041161705139e81b981c5c31336d719cf40bd5619a24d890c89b1772944c3fffcc4
For compability with Ethereum account it is need calculate address of account using non-standard SHA3 algorithm. For this need to replace openssl::SHA3 to ethash::SHA3 in toAddress() function.
libsecp256k1 - берём самую свежую и продвинутую и пробуем интегрировать в свою ноду,
для чего необходимо будет допилить библиотеку fc, чтобы поддерживать новые сигнатуры из новой библиотеки secp256k1
This task follows from #1
Linux version of keychain has password entry window. This function had been added in task #5.
Within this task passentry submodule had been added to keychain solution. From security considerations passentry gui window executes from user context (not from keychain service user).
Next we need to add gravatar function on Linux platform. For this you need:
Also, we need to make test tool for this solution.
Test tools must have following functions:
Also I have additional question: what about implementation gravatar function on windows platfrom. Is it in our plans? Who will implement this?
Need to implement signing transaction for ethereum.
Need to run bitcoin testnet -- is it possible to start ethereum node on local machine without connection to testnet?
Need to modify ethereum cli_wallet to generate unsigned binary transaction.
It is necessary to implement a call to keychain from web site (swap.online, for example) to sign the transaction. The Keychain must return the signed transaction to site. The POST method is supposed to be used.
The keychain must have command-line interface: #15
Need to implement basic functions of keychain declared in #2.
the public_key must be returned in one of these formats:
hex
base64
base58
wif
(with optional params: --prefix
, --compression
, --version
from this page.)For wif (wallet import format) you shall use the following default option values:
--prefix = ''
--version = 0x80
--compression = 0x01
--hd
option will return a hierachical deterministic public key derived from either saved public key [un]encrypted private key.
Another option to implement is --derive
. This will return a public key derived from private key rather than returning the saved public key from wallet storage (derived during the creation of the key pair).
If this option is selected and the private key is encrypted such request will prompt user for password.
Once hierarchical deterministic wallets are ready, the --derive option will similarly derive the public key directly from private key rather than from saved public key in the wallet storage.
hex
formatbase64
formatwif
format according to http://learnmeabitcoin.com/glossary/wif--compression
option for wif
format--version
option for wif
format--prefix
option for wif
format--hd
option--derive
optionParent task: #7
For enhanced security, program "password entry" should not have GUI. It is proposed to implement GUI in another programm, that started and controlled through pipe.
It is proposed to use QT for cross-platform GUI implementation.
GUI is complete. It is necessary to implement of the interface with the terminal program.
Source files:
https://github.com/arrayio/array-io-keychain/tree/research/app/linux/passentry_gui
Enviroment: Windows 10, SDK 10.0.17763.0, UAC is disabled, LLVM-2017
While using Putty and enter next command like:
{
"command": "create",
"params":
{
"keyname": "test1",
"encrypted": true,
"curve": "secp256k1",
"cipher": "aes256"
}
}
1. keychainservice cant create and handle new process with existed binary keychain_pass_entry_app.exe (but if you run only this binary it works). If keychain_pass_entry_app cant start keychain_service_win cant process next commands in current session.
Test with positive result was only on Windows 7, x64 (on VirtualBox) from root user.
Test with negative result only on Windows 10, x64 (on VirtualBox and host OS) from root and common user.
Need to implement logging system for collect errors and warnings from keychain and array-io-core submodules.
Most probably, boost log library will be integrated into keychain.
We need to develop GUI for manipulationg transactions and its information.
Global steps for realization:
Keychain service (windows) crashes on pipe client disconnect.
Test case:
Need to fix it.
The integrator has a need to call pipe line command in asynchronouse mode. For this purpose, we need to add the id field in the pipeline command. Then integrator will be able to match requests and responses.
Parent task: #7
It is necessary to implement pipe-interface between terminal program and GUI. For this purpose it is supposed to use JSON-format
Linux version of keychain has password entry window. This function had been added in task #5.
Within this task passentry submodule had been added to keychain solution. From security considerations passentry gui window executes from user context (not from keychain service user).
Next we need to add gravatar function on Linux platform. For this you need:
Also, we need to make test tool for this solution.
Test tools must have following functions:
Also I have additional question: what about implementation gravatar function on windows platfrom. Is it in our plans? Who will implement this?
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.