Funktionierender Prototyp des Serious Games zur Vermittlung von Wissen zu Software-Engineering-Arbeitsmodellen.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

_secmod.py 21KB

1 year ago
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567
  1. ###############################################################################
  2. #
  3. # The MIT License (MIT)
  4. #
  5. # Copyright (c) typedef int GmbH
  6. #
  7. # Permission is hereby granted, free of charge, to any person obtaining a copy
  8. # of this software and associated documentation files (the "Software"), to deal
  9. # in the Software without restriction, including without limitation the rights
  10. # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  11. # copies of the Software, and to permit persons to whom the Software is
  12. # furnished to do so, subject to the following conditions:
  13. #
  14. # The above copyright notice and this permission notice shall be included in
  15. # all copies or substantial portions of the Software.
  16. #
  17. # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  18. # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  19. # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
  20. # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  21. # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  22. # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  23. # THE SOFTWARE.
  24. #
  25. ###############################################################################
  26. import binascii
  27. import os
  28. import configparser
  29. from collections.abc import MutableMapping
  30. from typing import Optional, Union, Dict, Any, List, Iterator
  31. from threading import Lock
  32. import txaio
  33. import nacl
  34. from eth_account.account import Account
  35. from eth_account.signers.local import LocalAccount
  36. from py_eth_sig_utils.eip712 import encode_typed_data
  37. from py_eth_sig_utils.utils import ecsign, ecrecover_to_pub, checksum_encode, sha3
  38. from py_eth_sig_utils.signing import v_r_s_to_signature, signature_to_v_r_s
  39. from autobahn.wamp.interfaces import ISecurityModule, IEthereumKey
  40. from autobahn.xbr._mnemonic import mnemonic_to_private_key
  41. from autobahn.util import parse_keyfile
  42. from autobahn.wamp.cryptosign import CryptosignKey
  43. __all__ = ('EthereumKey', 'SecurityModuleMemory', )
  44. class EthereumKey(object):
  45. """
  46. Base class to implement :class:`autobahn.wamp.interfaces.IEthereumKey`.
  47. """
  48. def __init__(self, key_or_address: Union[LocalAccount, str, bytes], can_sign: bool,
  49. security_module: Optional[ISecurityModule] = None,
  50. key_no: Optional[int] = None) -> None:
  51. if can_sign:
  52. # https://eth-account.readthedocs.io/en/latest/eth_account.html#eth_account.account.Account
  53. assert type(key_or_address) == LocalAccount
  54. self._key = key_or_address
  55. self._address = key_or_address.address
  56. else:
  57. assert type(key_or_address) in (str, bytes)
  58. self._key = None
  59. self._address = key_or_address
  60. self._can_sign = can_sign
  61. self._security_module = security_module
  62. self._key_no = key_no
  63. @property
  64. def security_module(self) -> Optional['ISecurityModule']:
  65. """
  66. Implements :meth:`autobahn.wamp.interfaces.IKey.security_module`.
  67. """
  68. return self._security_module
  69. @property
  70. def key_no(self) -> Optional[int]:
  71. """
  72. Implements :meth:`autobahn.wamp.interfaces.IKey.key_no`.
  73. """
  74. return self._key_no
  75. @property
  76. def key_type(self) -> str:
  77. """
  78. Implements :meth:`autobahn.wamp.interfaces.IKey.key_type`.
  79. """
  80. return 'ethereum'
  81. def public_key(self, binary: bool = False) -> Union[str, bytes]:
  82. """
  83. Implements :meth:`autobahn.wamp.interfaces.IKey.public_key`.
  84. """
  85. raise NotImplementedError()
  86. @property
  87. def can_sign(self) -> bool:
  88. """
  89. Implements :meth:`autobahn.wamp.interfaces.IKey.can_sign`.
  90. """
  91. return self._can_sign
  92. def address(self, binary: bool = False) -> Union[str, bytes]:
  93. """
  94. Implements :meth:`autobahn.wamp.interfaces.IEthereumKey.address`.
  95. """
  96. if binary:
  97. return binascii.a2b_hex(self._address[2:])
  98. else:
  99. return self._address
  100. def sign(self, data: bytes) -> bytes:
  101. """
  102. Implements :meth:`autobahn.wamp.interfaces.IKey.sign`.
  103. """
  104. # FIXME: implement signing of raw data
  105. raise NotImplementedError()
  106. def recover(self, data: bytes, signature: bytes) -> bytes:
  107. """
  108. Implements :meth:`autobahn.wamp.interfaces.IKey.recover`.
  109. """
  110. # FIXME: implement signing address recovery from signature of raw data
  111. raise NotImplementedError()
  112. def sign_typed_data(self, data: Dict[str, Any], binary=True) -> bytes:
  113. """
  114. Implements :meth:`autobahn.wamp.interfaces.IEthereumKey.sign_typed_data`.
  115. """
  116. if self._security_module:
  117. assert self._security_module.is_open and not self._security_module.is_locked, 'security module must be open and unlocked'
  118. try:
  119. # encode typed data dict and return message hash
  120. msg_hash = encode_typed_data(data)
  121. # ECDSA signatures in Ethereum consist of three parameters: v, r and s.
  122. # The signature is always 65-bytes in length.
  123. # r = first 32 bytes of signature
  124. # s = second 32 bytes of signature
  125. # v = final 1 byte of signature
  126. signature_vrs = ecsign(msg_hash, self._key.key)
  127. # concatenate signature components into byte string
  128. signature = v_r_s_to_signature(*signature_vrs)
  129. except Exception as e:
  130. return txaio.create_future_error(e)
  131. else:
  132. if binary:
  133. return txaio.create_future_success(signature)
  134. else:
  135. return txaio.create_future_success(binascii.b2a_hex(signature).decode())
  136. def verify_typed_data(self, data: Dict[str, Any], signature: bytes) -> bool:
  137. """
  138. Implements :meth:`autobahn.wamp.interfaces.IEthereumKey.verify_typed_data`.
  139. """
  140. if self._security_module:
  141. assert self._security_module.is_open and not self._security_module.is_locked, 'security module must be open and unlocked'
  142. try:
  143. msg_hash = encode_typed_data(data)
  144. signature_vrs = signature_to_v_r_s(signature)
  145. public_key = ecrecover_to_pub(msg_hash, *signature_vrs)
  146. address_bytes = sha3(public_key)[-20:]
  147. address = checksum_encode(address_bytes)
  148. except Exception as e:
  149. return txaio.create_future_error(e)
  150. else:
  151. return txaio.create_future_success(address == self._address)
  152. @classmethod
  153. def from_address(cls, address: Union[str, bytes]) -> 'EthereumKey':
  154. """
  155. Create a public key from an address, which can be used to verify signatures.
  156. :param address: The Ethereum address (20 octets).
  157. :return: New instance of :class:`EthereumKey`
  158. """
  159. return EthereumKey(key_or_address=address, can_sign=False)
  160. @classmethod
  161. def from_bytes(cls, key: bytes) -> 'EthereumKey':
  162. """
  163. Create a private key from seed bytes, which can be used to sign and create signatures.
  164. :param key: The Ethereum private key seed (32 octets).
  165. :return: New instance of :class:`EthereumKey`
  166. """
  167. if type(key) != bytes:
  168. raise ValueError("invalid seed type {} (expected binary)".format(type(key)))
  169. if len(key) != 32:
  170. raise ValueError("invalid seed length {} (expected 32)".format(len(key)))
  171. account: LocalAccount = Account.from_key(key)
  172. return EthereumKey(key_or_address=account, can_sign=True)
  173. @classmethod
  174. def from_seedphrase(cls, seedphrase: str, index: int = 0) -> 'EthereumKey':
  175. """
  176. Create a private key from the given BIP-39 mnemonic seed phrase and index,
  177. which can be used to sign and create signatures.
  178. :param seedphrase: The BIP-39 seedphrase ("Mnemonic") from which to derive the account.
  179. :param index: The account index in account hierarchy defined by the seedphrase.
  180. :return: New instance of :class:`EthereumKey`
  181. """
  182. # Base HD Path: m/44'/60'/0'/0/{account_index}
  183. derivation_path = "m/44'/60'/0'/0/{}".format(index)
  184. key = mnemonic_to_private_key(seedphrase, str_derivation_path=derivation_path)
  185. assert type(key) == bytes
  186. assert len(key) == 32
  187. account: LocalAccount = Account.from_key(key)
  188. return EthereumKey(key_or_address=account, can_sign=True)
  189. @classmethod
  190. def from_keyfile(cls, keyfile: str) -> 'EthereumKey':
  191. """
  192. Create a public or private key from reading the given public or private key file.
  193. Here is an example key file that includes an Ethereum private key ``private-key-eth``, which
  194. is loaded in this function, and other fields, which are ignored by this function:
  195. .. code-block::
  196. This is a comment (all lines until the first empty line are comments indeed).
  197. creator: oberstet@intel-nuci7
  198. created-at: 2022-07-05T12:29:48.832Z
  199. user-id: oberstet@intel-nuci7
  200. public-key-ed25519: 7326d9dc0307681cc6940fde0e60eb31a6e4d642a81e55c434462ce31f95deed
  201. public-adr-eth: 0x10848feBdf7f200Ba989CDf7E3eEB3EC03ae7768
  202. private-key-ed25519: f750f42b0430e28a2e272c3cedcae4dcc4a1cf33bc345c35099d3322626ab666
  203. private-key-eth: 4d787714dcb0ae52e1c5d2144648c255d660b9a55eac9deeb80d9f506f501025
  204. :param keyfile: Path (relative or absolute) to a public or private keys file.
  205. :return: New instance of :class:`EthereumKey`
  206. """
  207. if not os.path.exists(keyfile) or not os.path.isfile(keyfile):
  208. raise RuntimeError('keyfile "{}" is not a file'.format(keyfile))
  209. # now load the private or public key file - this returns a dict which should
  210. # include (for a private key):
  211. #
  212. # private-key-eth: 6b08b6e186bd2a3b9b2f36e6ece3f8031fe788ab3dc4a1cfd3a489ea387c496b
  213. #
  214. # or (for a public key only):
  215. #
  216. # public-adr-eth: 0x10848feBdf7f200Ba989CDf7E3eEB3EC03ae7768
  217. #
  218. data = parse_keyfile(keyfile)
  219. privkey_eth_hex = data.get('private-key-eth', None)
  220. if privkey_eth_hex is None:
  221. pub_adr_eth = data.get('public-adr-eth', None)
  222. if pub_adr_eth is None:
  223. raise RuntimeError('neither "private-key-eth" nor "public-adr-eth" found in keyfile {}'.format(keyfile))
  224. else:
  225. return EthereumKey.from_address(pub_adr_eth)
  226. else:
  227. return EthereumKey.from_bytes(binascii.a2b_hex(privkey_eth_hex))
  228. IEthereumKey.register(EthereumKey)
  229. class SecurityModuleMemory(MutableMapping):
  230. """
  231. A transient, memory-based implementation of :class:`ISecurityModule`.
  232. """
  233. def __init__(self, keys: Optional[List[Union[CryptosignKey, EthereumKey]]] = None):
  234. self._mutex = Lock()
  235. self._is_open = False
  236. self._is_locked = True
  237. self._keys: Dict[int, Union[CryptosignKey, EthereumKey]] = {}
  238. self._counters: Dict[int, int] = {}
  239. if keys:
  240. for i, key in enumerate(keys):
  241. self._keys[i] = key
  242. def __len__(self) -> int:
  243. """
  244. Implements :meth:`ISecurityModule.__len__`
  245. """
  246. assert self._is_open, 'security module not open'
  247. return len(self._keys)
  248. def __contains__(self, key_no: int) -> bool:
  249. assert self._is_open, 'security module not open'
  250. return key_no in self._keys
  251. def __iter__(self) -> Iterator[int]:
  252. """
  253. Implements :meth:`ISecurityModule.__iter__`
  254. """
  255. assert self._is_open, 'security module not open'
  256. yield from self._keys
  257. def __getitem__(self, key_no: int) -> Union[CryptosignKey, EthereumKey]:
  258. """
  259. Implements :meth:`ISecurityModule.__getitem__`
  260. """
  261. assert self._is_open, 'security module not open'
  262. if key_no in self._keys:
  263. return self._keys[key_no]
  264. else:
  265. raise IndexError('key_no {} not found'.format(key_no))
  266. def __setitem__(self, key_no: int, key: Union[CryptosignKey, EthereumKey]) -> None:
  267. assert self._is_open, 'security module not open'
  268. assert key_no >= 0
  269. if key_no in self._keys:
  270. # FIXME
  271. pass
  272. self._keys[key_no] = key
  273. def __delitem__(self, key_no: int) -> None:
  274. assert self._is_open, 'security module not open'
  275. if key_no in self._keys:
  276. del self._keys[key_no]
  277. else:
  278. raise IndexError()
  279. def open(self):
  280. """
  281. Implements :meth:`ISecurityModule.open`
  282. """
  283. assert not self._is_open, 'security module already open'
  284. self._is_open = True
  285. return txaio.create_future_success(None)
  286. def close(self):
  287. """
  288. Implements :meth:`ISecurityModule.close`
  289. """
  290. assert self._is_open, 'security module not open'
  291. self._is_open = False
  292. self._is_locked = True
  293. return txaio.create_future_success(None)
  294. @property
  295. def is_open(self) -> bool:
  296. """
  297. Implements :meth:`ISecurityModule.is_open`
  298. """
  299. return self._is_open
  300. @property
  301. def can_lock(self) -> bool:
  302. """
  303. Implements :meth:`ISecurityModule.can_lock`
  304. """
  305. return True
  306. @property
  307. def is_locked(self) -> bool:
  308. """
  309. Implements :meth:`ISecurityModule.is_locked`
  310. """
  311. return self._is_locked
  312. def lock(self):
  313. """
  314. Implements :meth:`ISecurityModule.lock`
  315. """
  316. assert self._is_open, 'security module not open'
  317. assert not self._is_locked
  318. self._is_locked = True
  319. return txaio.create_future_success(None)
  320. def unlock(self):
  321. """
  322. Implements :meth:`ISecurityModule.unlock`
  323. """
  324. assert self._is_open, 'security module not open'
  325. assert self._is_locked
  326. self._is_locked = False
  327. return txaio.create_future_success(None)
  328. def create_key(self, key_type: str) -> int:
  329. assert self._is_open, 'security module not open'
  330. key_no = len(self._keys)
  331. if key_type == 'cryptosign':
  332. key = CryptosignKey(key=nacl.signing.SigningKey(os.urandom(32)),
  333. can_sign=True,
  334. security_module=self,
  335. key_no=key_no)
  336. elif key_type == 'ethereum':
  337. key = EthereumKey(key_or_address=Account.from_key(os.urandom(32)),
  338. can_sign=True,
  339. security_module=self,
  340. key_no=key_no)
  341. else:
  342. raise ValueError('invalid key_type "{}"'.format(key_type))
  343. self._keys[key_no] = key
  344. return txaio.create_future_success(key_no)
  345. def delete_key(self, key_no: int):
  346. assert self._is_open, 'security module not open'
  347. if key_no in self._keys:
  348. del self._keys[key_no]
  349. return txaio.create_future_success(key_no)
  350. else:
  351. return txaio.create_future_success(None)
  352. def get_random(self, octets: int) -> bytes:
  353. """
  354. Implements :meth:`ISecurityModule.get_random`
  355. """
  356. assert self._is_open, 'security module not open'
  357. data = os.urandom(octets)
  358. return txaio.create_future_success(data)
  359. def get_counter(self, counter_no: int) -> int:
  360. """
  361. Implements :meth:`ISecurityModule.get_counter`
  362. """
  363. assert self._is_open, 'security module not open'
  364. self._mutex.acquire()
  365. res = self._counters.get(counter_no, 0)
  366. self._mutex.release()
  367. return txaio.create_future_success(res)
  368. def increment_counter(self, counter_no: int) -> int:
  369. """
  370. Implements :meth:`ISecurityModule.increment_counter`
  371. """
  372. assert self._is_open, 'security module not open'
  373. self._mutex.acquire()
  374. if counter_no not in self._counters:
  375. self._counters[counter_no] = 0
  376. self._counters[counter_no] += 1
  377. res = self._counters[counter_no]
  378. self._mutex.release()
  379. return txaio.create_future_success(res)
  380. @classmethod
  381. def from_seedphrase(cls, seedphrase: str, num_eth_keys: int = 1,
  382. num_cs_keys: int = 1) -> 'SecurityModuleMemory':
  383. """
  384. Create a new memory-backed security module with
  385. 1. ``num_eth_keys`` keys of type :class:`EthereumKey`, followed by
  386. 2. ``num_cs_keys`` keys of type :class:`CryptosignKey`
  387. computed from a (common) BIP44 seedphrase.
  388. :param seedphrase: BIP44 seedphrase to use.
  389. :param num_eth_keys: Number of Ethereum keys to derive.
  390. :param num_cs_keys: Number of Cryptosign keys to derive.
  391. :return: New memory-backed security module instance.
  392. """
  393. keys: List[Union[EthereumKey, CryptosignKey]] = []
  394. # first, add num_eth_keys EthereumKey(s), numbering starting at 0
  395. for i in range(num_eth_keys):
  396. key = EthereumKey.from_seedphrase(seedphrase, i)
  397. keys.append(key)
  398. # second, add num_cs_keys CryptosignKey(s), numbering starting at num_eth_keys (!)
  399. for i in range(num_cs_keys):
  400. key = CryptosignKey.from_seedphrase(seedphrase, i + num_eth_keys)
  401. keys.append(key)
  402. # initialize security module from collected keys
  403. sm = SecurityModuleMemory(keys=keys)
  404. return sm
  405. @classmethod
  406. def from_config(cls, config: str, profile: str = 'default') -> 'SecurityModuleMemory':
  407. """
  408. Create a new memory-backed security module with keys referred from a profile in
  409. the given configuration file.
  410. :param config: Path (relative or absolute) to an INI configuration file.
  411. :param profile: Name of the profile within the given INI configuration file.
  412. :return: New memory-backed security module instance.
  413. """
  414. keys: List[Union[EthereumKey, CryptosignKey]] = []
  415. cfg = configparser.ConfigParser()
  416. cfg.read(config)
  417. if not cfg.has_section(profile):
  418. raise RuntimeError('profile "{}" not found in configuration file "{}"'.format(profile, config))
  419. if not cfg.has_option(profile, 'privkey'):
  420. raise RuntimeError('missing option "privkey" in profile "{}" of configuration file "{}"'.format(profile, config))
  421. privkey = os.path.join(os.path.dirname(config), cfg.get(profile, 'privkey'))
  422. if not os.path.exists(privkey) or not os.path.isfile(privkey):
  423. raise RuntimeError('privkey "{}" is not a file in profile "{}" of configuration file "{}"'.format(privkey, profile, config))
  424. # now load the private key file - this returns a dict which should include:
  425. # private-key-eth: 6b08b6e186bd2a3b9b2f36e6ece3f8031fe788ab3dc4a1cfd3a489ea387c496b
  426. # private-key-ed25519: 20e8c05d0ede9506462bb049c4843032b18e8e75b314583d0c8d8a4942f9be40
  427. data = parse_keyfile(privkey)
  428. # first, add Ethereum key
  429. privkey_eth_hex = data.get('private-key-eth', None)
  430. keys.append(EthereumKey.from_bytes(binascii.a2b_hex(privkey_eth_hex)))
  431. # second, add Cryptosign key
  432. privkey_ed25519_hex = data.get('private-key-ed25519', None)
  433. keys.append(CryptosignKey.from_bytes(binascii.a2b_hex(privkey_ed25519_hex)))
  434. # initialize security module from collected keys
  435. sm = SecurityModuleMemory(keys=keys)
  436. return sm
  437. @classmethod
  438. def from_keyfile(cls, keyfile: str) -> 'SecurityModuleMemory':
  439. """
  440. Create a new memory-backed security module with keys referred from a profile in
  441. the given configuration file.
  442. :param keyfile: Path (relative or absolute) to a private keys file.
  443. :return: New memory-backed security module instance.
  444. """
  445. keys: List[Union[EthereumKey, CryptosignKey]] = []
  446. if not os.path.exists(keyfile) or not os.path.isfile(keyfile):
  447. raise RuntimeError('keyfile "{}" is not a file'.format(keyfile))
  448. # now load the private key file - this returns a dict which should include:
  449. # private-key-eth: 6b08b6e186bd2a3b9b2f36e6ece3f8031fe788ab3dc4a1cfd3a489ea387c496b
  450. # private-key-ed25519: 20e8c05d0ede9506462bb049c4843032b18e8e75b314583d0c8d8a4942f9be40
  451. data = parse_keyfile(keyfile)
  452. # first, add Ethereum key
  453. privkey_eth_hex = data.get('private-key-eth', None)
  454. if privkey_eth_hex is None:
  455. raise RuntimeError('"private-key-eth" not found in keyfile {}'.format(keyfile))
  456. keys.append(EthereumKey.from_bytes(binascii.a2b_hex(privkey_eth_hex)))
  457. # second, add Cryptosign key
  458. privkey_ed25519_hex = data.get('private-key-ed25519', None)
  459. if privkey_ed25519_hex is None:
  460. raise RuntimeError('"private-key-ed25519" not found in keyfile {}'.format(keyfile))
  461. keys.append(CryptosignKey.from_bytes(binascii.a2b_hex(privkey_ed25519_hex)))
  462. # initialize security module from collected keys
  463. sm = SecurityModuleMemory(keys=keys)
  464. return sm
  465. ISecurityModule.register(SecurityModuleMemory)