1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
|
defmodule Shard.Keys do
@moduledoc"""
Module for saving private keys.
"""
use Agent
require Logger
@key_db [Application.get_env(:shard, :data_path), "key_db"] |> Path.join |> String.to_atom
def start_link(_) do
Agent.start_link(__MODULE__, :init, [], name: __MODULE__)
end
def init() do
:dets.start
{:ok, @key_db} = :dets.open_file(@key_db, [type: :set])
nil
end
defp gen_keypair(suffix, n \\ 0) do
%{public: pk, secret: sk} = :enacl.sign_keypair
if rem(n, 10000) == 0 do
Logger.info "#{n}... expected #{:math.pow(256, byte_size(suffix))}"
end
if check_suffix(pk, suffix) do
{pk, sk}
else
gen_keypair(suffix, n+1)
end
end
defp check_suffix(pk, suffix) do
:binary.longest_common_suffix([pk, suffix]) == byte_size(suffix)
end
def get_any_identity() do
Agent.get(__MODULE__, fn _ ->
case list_identities() do
[x|_] -> x
[] -> new_identity()
end
end)
end
@doc"""
Generate a new keypair for a user identity, and start an Identity Shard for it.
"""
def new_identity() do
{pk, sk} = gen_keypair(Application.get_env(:shard, :identity_suffix))
Logger.info "New identity: #{pk|>Base.encode16}"
:dets.insert @key_db, {pk, sk}
Shard.Manifest.start %SApp.Identity.Manifest{pk: pk}
pk
end
@doc"""
List the public keys of all identities for which we have a secret key
"""
def list_identities() do
for [pk, _sk] <- :dets.match(@key_db, {:"$1", :"$2"}), do: pk
end
@doc"""
Lookup the secret key for a pk and sign a message with it.
Returns the input value alongside its signature.
Answer is {:ok, signed} if it worked, or :not_found if we didn't find the key.
"""
def sign(pk, bin) do
case :dets.lookup @key_db, pk do
[{^pk, sk}] ->
:enacl.sign(bin, sk)
_ -> {:error, :not_found}
end
end
@doc"""
Checks the signature appended to a signed message corresponds to a public key.
If correct, returns {:ok, original_message}
"""
def open(pk, signed) do
if valid_identity_pk? pk do
:enacl.sign_open(signed, pk)
else
{:error, :invalid_pk_suffix}
end
end
def have_sk?(pk) do
case :dets.lookup @key_db, pk do
[{^pk, _sk}] -> true
_ -> false
end
end
def get_sk(pk) do
case :dets.lookup @key_db, pk do
[{^pk, sk}] -> sk
_ -> nil
end
end
@doc"""
Lookup the secret key for a pk and generate a detached signature for a message.
The original message is not returned.
Answer is {:ok, signature} if it worked, or :not_found if we didn't find the key.
"""
def sign_detached(pk, bin) do
case :dets.lookup @key_db, pk do
[{^pk, sk}] ->
:enacl.sign_detached(bin, sk)
_ -> {:error, :not_found}
end
end
@doc"""
Verify a detached signature for a message
Returns :ok if the signature was correct.
"""
def verify(pk, bin, sign) do
if valid_identity_pk? pk do
:enacl.sign_verify_detached(sign, bin, pk)
else
{:error, :invalid_pk_suffix}
end
end
@doc"""
Check if a public key is a valid identity pk. Requirement: have the correct suffix.
"""
def valid_identity_pk?(pk) do
check_suffix(pk, Application.get_env(:shard, :identity_suffix))
end
def pk_display(pk) do
pk
|> binary_part(0, 4)
|> Base.encode16
|> String.downcase
end
end
|
