chore: integrate libp2p-keychain into js-libp2p (#633)

Integrates the libp2p-keychain codebase into this repo

Author: vasco-santos

.aegir.js

@@ -45,7 +45,7 @@ const after = async () => {
 }
 
 module.exports = {
-  bundlesize: { maxSize: '185kB' },
+  bundlesize: { maxSize: '200kB' },
   hooks: {
     pre: before,
     post: after

doc/API.md

@@ -44,6 +44,17 @@
   * [`connectionManager.get`](#connectionmanagerget)
   * [`connectionManager.setPeerValue`](#connectionmanagersetpeervalue)
   * [`connectionManager.size`](#connectionmanagersize)
+  * [`keychain.createKey`](#keychaincreatekey)
+  * [`keychain.renameKey`](#keychainrenamekey)
+  * [`keychain.removeKey`](#keychainremovekey)
+  * [`keychain.exportKey`](#keychainexportkey)
+  * [`keychain.importKey`](#keychainimportkey)
+  * [`keychain.importPeer`](#keychainimportpeer)
+  * [`keychain.listKeys`](#keychainlistkeys)
+  * [`keychain.findKeyById`](#keychainfindkeybyid)
+  * [`keychain.findKeyByName`](#keychainfindkeybyname)
+  * [`keychain.cms.encrypt`](#keychaincmsencrypt)
+  * [`keychain.cms.decrypt`](#keychaincmsdecrypt)
   * [`metrics.global`](#metricsglobal)
   * [`metrics.peers`](#metricspeers)
   * [`metrics.protocols`](#metricsprotocols)
@@ -75,6 +86,7 @@ Creates an instance of Libp2p.
 | [options.connectionManager] | `object` | libp2p Connection Manager configuration |
 | [options.datastore] | `object` | must implement [ipfs/interface-datastore](https://github.com/ipfs/interface-datastore) (in memory datastore will be used if not provided) |
 | [options.dialer] | `object` | libp2p Dialer configuration
+| [options.keychain] | [`object`](./CONFIGURATION.md#setup-with-keychain) | keychain configuration |
 | [options.metrics] | `object` | libp2p Metrics configuration
 | [options.peerId] | [`PeerId`][peer-id] | peerId instance (it will be created if not provided) |
 | [options.peerStore] | `object` | libp2p PeerStore configuration |
@@ -125,6 +137,36 @@ Required keys in the `options` object:
 
 ## Libp2p Instance Methods
 
+### loadKeychain
+
+Load keychain keys from the datastore, importing the private key as 'self', if needed.
+
+`libp2p.loadKeychain()`
+
+#### Returns
+
+| Type | Description |
+|------|-------------|
+| `Promise` | Promise resolves when the keychain is ready |
+
+#### Example
+
+```js
+const Libp2p = require('libp2p')
+
+// ...
+
+const libp2p = await Libp2p.create({
+  // ...
+  keychain: {
+    pass: '0123456789pass1234567890'
+  }
+})
+
+// load keychain
+await libp2p.loadKeychain()
+```
+
 ### start
 
 Starts the libp2p node.
@@ -1254,6 +1296,283 @@ libp2p.connectionManager.size
 // 10
 ```
 
+### keychain.createKey
+
+Create a key in the keychain.
+
+`libp2p.keychain.createKey(name, type, size)`
+
+#### Parameters
+
+| Name | Type | Description |
+|------|------|-------------|
+| name | `string` | The local key name. It cannot already exist. |
+| type | `string` | One of the key types; 'rsa' |
+| size | `number` | The key size in bits. |
+
+#### Returns
+
+| Type | Description |
+|------|-------------|
+| `Promise<{ id, name }>` | Key info object |
+
+#### Example
+
+```js
+const keyInfo = await libp2p.keychain.createKey('keyTest', 'rsa', 4096)
+```
+
+### keychain.renameKey
+
+Rename a key in the keychain.
+
+`libp2p.keychain.renameKey(oldName, newName)`
+
+#### Parameters
+
+| Name | Type | Description |
+|------|------|-------------|
+| name | `string` | The old local key name. It must already exist. |
+| type | `string` | The new local key name. It must not already exist. |
+
+#### Returns
+
+| Type | Description |
+|------|-------------|
+| `Promise<{ id, name }>` | Key info object |
+
+#### Example
+
+```js
+await libp2p.keychain.createKey('keyTest', 'rsa', 4096)
+const keyInfo = await libp2p.keychain.renameKey('keyTest', 'keyNewNtest')
+```
+
+### keychain.removeKey
+
+Removes a key from the keychain.
+
+`libp2p.keychain.removeKey(name)`
+
+#### Parameters
+
+| Name | Type | Description |
+|------|------|-------------|
+| name | `string` | The local key name. It must already exist. |
+
+#### Returns
+
+| Type | Description |
+|------|-------------|
+| `Promise<{ id, name }>` | Key info object |
+
+#### Example
+
+```js
+await libp2p.keychain.createKey('keyTest', 'rsa', 4096)
+const keyInfo = await libp2p.keychain.removeKey('keyTest')
+```
+
+### keychain.exportKey
+
+Export an existing key as a PEM encrypted PKCS #8 string.
+
+`libp2p.keychain.exportKey(name, password)`
+
+#### Parameters
+
+| Name | Type | Description |
+|------|------|-------------|
+| name | `string` | The local key name. It must already exist. |
+| password | `string` | The password to use. |
+
+#### Returns
+
+| Type | Description |
+|------|-------------|
+| `Promise<string>` | Key as a PEM encrypted PKCS #8 |
+
+#### Example
+
+```js
+await libp2p.keychain.createKey('keyTest', 'rsa', 4096)
+const pemKey = await libp2p.keychain.exportKey('keyTest', 'password123')
+```
+
+### keychain.importKey
+
+Import a new key from a PEM encoded PKCS #8 string.
+
+`libp2p.keychain.importKey(name, pem, password)`
+
+#### Parameters
+
+| Name | Type | Description |
+|------|------|-------------|
+| name | `string` | The local key name. It must not exist. |
+| pem | `string` | The PEM encoded PKCS #8 string. |
+| password | `string` | The password to use. |
+
+#### Returns
+
+| Type | Description |
+|------|-------------|
+| `Promise<{ id, name }>` | Key info object |
+
+#### Example
+
+```js
+await libp2p.keychain.createKey('keyTest', 'rsa', 4096)
+const pemKey = await libp2p.keychain.exportKey('keyTest', 'password123')
+const keyInfo = await libp2p.keychain.importKey('keyTestImport', pemKey, 'password123')
+```
+
+### keychain.importPeer
+
+Import a new key from a PeerId.
+
+`libp2p.keychain.importPeer(name, peerId)`
+
+#### Parameters
+
+| Name | Type | Description |
+|------|------|-------------|
+| name | `string` | The local key name. It must not exist. |
+| peerId | ['PeerId'][peer-id] | The PEM encoded PKCS #8 string. |
+
+#### Returns
+
+| Type | Description |
+|------|-------------|
+| `Promise<{ id, name }>` | Key info object |
+
+#### Example
+
+```js
+const keyInfo = await libp2p.keychain.importPeer('keyTestImport', peerId)
+```
+
+### keychain.listKeys
+
+List all the keys.
+
+`libp2p.keychain.listKeys()`
+
+#### Returns
+
+| Type | Description |
+|------|-------------|
+| `Promise<Array<{ id, name }>>` | Array of Key info |
+
+#### Example
+
+```js
+const keyInfos = await libp2p.keychain.listKeys()
+```
+
+### keychain.findKeyById
+
+Find a key by it's id.
+
+`libp2p.keychain.findKeyById(id)`
+
+#### Parameters
+
+| Name | Type | Description |
+|------|------|-------------|
+| id | `string` | The universally unique key identifier. |
+
+#### Returns
+
+| Type | Description |
+|------|-------------|
+| `Promise<{ id, name }>` | Key info object |
+
+#### Example
+
+```js
+const keyInfo = await libp2p.keychain.createKey('keyTest', 'rsa', 4096)
+const keyInfo2 = await libp2p.keychain.findKeyById(keyInfo.id)
+```
+
+### keychain.findKeyByName
+
+Find a key by it's name.
+
+`libp2p.keychain.findKeyByName(id)`
+
+#### Parameters
+
+| Name | Type | Description |
+|------|------|-------------|
+| id | `string` | The local key name. |
+
+#### Returns
+
+| Type | Description |
+|------|-------------|
+| `Promise<{ id, name }>` | Key info object |
+
+#### Example
+
+```js
+const keyInfo = await libp2p.keychain.createKey('keyTest', 'rsa', 4096)
+const keyInfo2 = await libp2p.keychain.findKeyByName('keyTest')
+```
+
+### keychain.cms.encrypt
+
+Encrypt protected data using the Cryptographic Message Syntax (CMS).
+
+`libp2p.keychain.cms.encrypt(name, data)`
+
+#### Parameters
+
+| Name | Type | Description |
+|------|------|-------------|
+| name | `string` | The local key name. |
+| data | `Buffer` | The data to encrypt. |
+
+#### Returns
+
+| Type | Description |
+|------|-------------|
+| `Promise<Buffer>` | Encrypted data as a PKCS #7 message in DER. |
+
+#### Example
+
+```js
+const keyInfo = await libp2p.keychain.createKey('keyTest', 'rsa', 4096)
+const enc = await libp2p.keychain.cms.encrypt('keyTest', Buffer.from('data'))
+```
+
+### keychain.cms.decrypt
+
+Decrypt protected data using the Cryptographic Message Syntax (CMS).
+The keychain must contain one of the keys used to encrypt the data.  If none of the keys exists, an Error is returned with the property 'missingKeys'.
+
+`libp2p.keychain.cms.decrypt(cmsData)`
+
+#### Parameters
+
+| Name | Type | Description |
+|------|------|-------------|
+| cmsData | `string` | The CMS encrypted data to decrypt. |
+
+#### Returns
+
+| Type | Description |
+|------|-------------|
+| `Promise<Buffer>` | Decrypted data. |
+
+#### Example
+
+```js
+const keyInfo = await libp2p.keychain.createKey('keyTest', 'rsa', 4096)
+const enc = await libp2p.keychain.cms.encrypt('keyTest', Buffer.from('data'))
+const decData = await libp2p.keychain.cms.decrypt(enc)
+```
+
 ### metrics.global
 
 A [`Stats`](#stats) object of tracking the global bandwidth of the libp2p node.

doc/CONFIGURATION.md

@@ -20,6 +20,7 @@
       - [Customizing DHT](#customizing-dht)
       - [Setup with Content and Peer Routing](#setup-with-content-and-peer-routing)
       - [Setup with Relay](#setup-with-relay)
+      - [Setup with Keychain](#setup-with-keychain)
       - [Configuring Dialing](#configuring-dialing)
       - [Configuring Connection Manager](#configuring-connection-manager)
       - [Configuring Metrics](#configuring-metrics)
@@ -422,6 +423,37 @@ const node = await Libp2p.create({
 })
 ```
 
+#### Setup with Keychain
+
+Libp2p allows you to setup a secure key chain to manage your keys. The keychain configuration object should have the following properties:
+
+| Name | Type | Description |
+|------|------|-------------|
+| pass | `string` | Passphrase to use in the keychain (minimum of 20 characters). |
+| datastore | `object` | must implement [ipfs/interface-datastore](https://github.com/ipfs/interface-datastore) |
+
+```js
+const Libp2p = require('libp2p')
+const TCP = require('libp2p-tcp')
+const MPLEX = require('libp2p-mplex')
+const SECIO = require('libp2p-secio')
+const LevelStore = require('datastore-level')
+
+const node = await Libp2p.create({
+  modules: {
+    transport: [TCP],
+    streamMuxer: [MPLEX],
+    connEncryption: [SECIO]
+  },
+  keychain: {
+    pass: 'notsafepassword123456789',
+    datastore: new LevelStore('path/to/store')
+  }
+})
+
+await libp2p.loadKeychain()
+```
+
 #### Configuring Dialing
 
 Dialing in libp2p can be configured to limit the rate of dialing, and how long dials are allowed to take. The below configuration example shows the default values for the dialer.

src/config.js

@@ -1,5 +1,6 @@
 'use strict'
 
+const { MemoryDatastore } = require('interface-datastore')
 const mergeOptions = require('merge-options')
 const Constants = require('./constants')
 
@@ -17,6 +18,9 @@ const DefaultConfig = {
     maxDialsPerPeer: Constants.MAX_PER_PEER_DIALS,
     dialTimeout: Constants.DIAL_TIMEOUT
   },
+  keychain: {
+    datastore: new MemoryDatastore()
+  },
   metrics: {
     enabled: false
   },

src/index.js

@@ -19,6 +19,7 @@ const AddressManager = require('./address-manager')
 const ConnectionManager = require('./connection-manager')
 const Circuit = require('./circuit')
 const Dialer = require('./dialer')
+const Keychain = require('./keychain')
 const Metrics = require('./metrics')
 const TransportManager = require('./transport-manager')
 const Upgrader = require('./upgrader')
@@ -74,6 +75,22 @@ class Libp2p extends EventEmitter {
       })
     }
 
+    // Create keychain
+    if (this._options.keychain.pass) {
+      log('creating keychain')
+
+      const datastore = this._options.keychain.datastore
+      const keychainOpts = Keychain.generateOptions()
+
+      this.keychain = new Keychain(datastore, {
+        passPhrase: this._options.keychain.pass,
+        ...keychainOpts,
+        ...this._options.keychain
+      })
+
+      log('keychain constructed')
+    }
+
     // Setup the Upgrader
     this.upgrader = new Upgrader({
       localPeer: this.peerId,
@@ -249,6 +266,20 @@ class Libp2p extends EventEmitter {
     log('libp2p has stopped')
   }
 
+  /**
+   * Load keychain keys from the datastore.
+   * Imports the private key as 'self', if needed.
+   * @async
+   * @returns {void}
+   */
+  async loadKeychain () {
+    try {
+      await this.keychain.findKeyByName('self')
+    } catch (err) {
+      await this.keychain.importPeer('self', this.peerId)
+    }
+  }
+
   isStarted () {
     return this._isStarted
   }

src/keychain/README.md

@@ -1,20 +1,7 @@
 # js-libp2p-keychain
 
-[![](https://img.shields.io/badge/made%20by-Protocol%20Labs-blue.svg?style=flat-square)](http://protocol.ai)
-[![](https://img.shields.io/badge/project-libp2p-yellow.svg?style=flat-square)](http://libp2p.io/)
-[![](https://img.shields.io/badge/freenode-%23libp2p-yellow.svg?style=flat-square)](http://webchat.freenode.net/?channels=%23libp2p)
-[![Discourse posts](https://img.shields.io/discourse/https/discuss.libp2p.io/posts.svg)](https://discuss.libp2p.io)
-[![](https://img.shields.io/codecov/c/github/libp2p/js-libp2p-keychain.svg?style=flat-square)](https://codecov.io/gh/libp2p/js-libp2p-keychain)
-[![](https://img.shields.io/travis/libp2p/js-libp2p-keychain.svg?style=flat-square)](https://travis-ci.com/libp2p/js-libp2p-keychain)
-[![Dependency Status](https://david-dm.org/libp2p/js-libp2p-keychain.svg?style=flat-square)](https://david-dm.org/libp2p/js-libp2p-keychain)
-[![js-standard-style](https://img.shields.io/badge/code%20style-standard-brightgreen.svg?style=flat-square)](https://github.com/feross/standard)
-
 > A secure key chain for libp2p in JavaScript
 
-## Lead Maintainer
-
-[Vasco Santos](https://github.com/vasco-santos).
-
 ## Features
 
 - Manages the lifecycle of a key
@@ -26,49 +13,6 @@
 - Uses PKCS 7: CMS (aka RFC 5652) to provide cryptographically protected messages
 - Delays reporting errors to slow down brute force attacks
 
-## Table of Contents
-
-## Install
-
-```sh
-npm install --save libp2p-keychain
-```
-
-### Usage
-
-```js
-const Keychain = require('libp2p-keychain')
-const FsStore = require('datastore-fs')
-
-const datastore = new FsStore('./a-keystore')
-const opts = {
-  passPhrase: 'some long easily remembered phrase'
-}
-const keychain = new Keychain(datastore, opts)
-```
-
-## API
-
-Managing a key
-
-- `async createKey (name, type, size)`
-- `async renameKey (oldName, newName)`
-- `async removeKey (name)`
-- `async exportKey (name, password)`
-- `async importKey (name, pem, password)`
-- `async importPeer (name, peer)`
-
-A naming service for a key
-
-- `async listKeys ()`
-- `async findKeyById (id)`
-- `async findKeyByName (name)`
-
-Cryptographically protected messages
-
-- `async cms.encrypt (name, plain)`
-- `async cms.decrypt (cmsData)`
-
 ### KeyInfo
 
 The key management and naming service API all return a `KeyInfo` object.  The `id` is a universally unique identifier for the key.  The `name` is local to the key chain.
@@ -109,15 +53,3 @@ The actual physical storage of an encrypted key is left to implementations of [i
 ### Cryptographic Message Syntax (CMS)
 
 CMS, aka [PKCS #7](https://en.wikipedia.org/wiki/PKCS) and [RFC 5652](https://tools.ietf.org/html/rfc5652), describes an encapsulation syntax for data protection. It is used to digitally sign, digest, authenticate, or encrypt arbitrary message content. Basically, `cms.encrypt` creates a DER message that can be only be read by someone holding the private key.
-
-## Contribute
-
-Feel free to join in. All welcome. Open an [issue](https://github.com/libp2p/js-libp2p-keychain/issues)!
-
-This repository falls under the IPFS [Code of Conduct](https://github.com/ipfs/community/blob/master/code-of-conduct.md).
-
-[![](https://cdn.rawgit.com/jbenet/contribute-ipfs-gif/master/img/contribute.gif)](https://github.com/ipfs/community/blob/master/CONTRIBUTING.md)
-
-## License
-
-[MIT](LICENSE)

src/keychain/index.js

@@ -7,24 +7,33 @@ const dirtyChai = require('dirty-chai')
 const expect = chai.expect
 chai.use(dirtyChai)
 chai.use(require('chai-string'))
+
+const os = require('os')
+const path = require('path')
+const { isNode } = require('ipfs-utils/src/env')
+const FsStore = require('datastore-fs')
+const LevelStore = require('datastore-level')
+
 const Keychain = require('../../src/keychain')
 
-module.exports = (datastore) => {
-  describe('cms interop', () => {
-    const passPhrase = 'this is not a secure phrase'
-    const aliceKeyName = 'cms-interop-alice'
-    let ks
+describe('cms interop', () => {
+  const passPhrase = 'this is not a secure phrase'
+  const aliceKeyName = 'cms-interop-alice'
+  let ks
 
-    before(() => {
-      ks = new Keychain(datastore, { passPhrase: passPhrase })
-    })
+  before(() => {
+    const datastore = isNode
+      ? new FsStore(path.join(os.tmpdir(), 'test-keystore-1-' + Date.now()))
+      : new LevelStore('test-keystore-1', { db: require('level') })
+    ks = new Keychain(datastore, { passPhrase: passPhrase })
+  })
 
-    const plainData = Buffer.from('This is a message from Alice to Bob')
+  const plainData = Buffer.from('This is a message from Alice to Bob')
 
-    it('imports openssl key', async function () {
-      this.timeout(10 * 1000)
-      const aliceKid = 'QmNzBqPwp42HZJccsLtc4ok6LjZAspckgs2du5tTmjPfFA'
-      const alice = `-----BEGIN ENCRYPTED PRIVATE KEY-----
+  it('imports openssl key', async function () {
+    this.timeout(10 * 1000)
+    const aliceKid = 'QmNzBqPwp42HZJccsLtc4ok6LjZAspckgs2du5tTmjPfFA'
+    const alice = `-----BEGIN ENCRYPTED PRIVATE KEY-----
 MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIMhYqiVoLJMICAggA
 MBQGCCqGSIb3DQMHBAhU7J9bcJPLDQSCAoDzi0dP6z97wJBs3jK2hDvZYdoScknG
 QMPOnpG1LO3IZ7nFha1dta5liWX+xRFV04nmVYkkNTJAPS0xjJOG9B5Hm7wm8uTd
@@ -42,13 +51,13 @@ igg5jozKCW82JsuWSiW9tu0F/6DuvYiZwHS3OLiJP0CuLfbOaRw8Jia1RTvXEH7m
 cn4oisOvxCprs4aM9UVjtZTCjfyNpX8UWwT1W3rySV+KQNhxuMy3RzmL
 -----END ENCRYPTED PRIVATE KEY-----
 `
-      const key = await ks.importKey(aliceKeyName, alice, 'mypassword')
-      expect(key.name).to.equal(aliceKeyName)
-      expect(key.id).to.equal(aliceKid)
-    })
+    const key = await ks.importKey(aliceKeyName, alice, 'mypassword')
+    expect(key.name).to.equal(aliceKeyName)
+    expect(key.id).to.equal(aliceKid)
+  })
 
-    it('decrypts node-forge example', async () => {
-      const example = `
+  it('decrypts node-forge example', async () => {
+    const example = `
 MIIBcwYJKoZIhvcNAQcDoIIBZDCCAWACAQAxgfowgfcCAQAwYDBbMQ0wCwYDVQQK
 EwRpcGZzMREwDwYDVQQLEwhrZXlzdG9yZTE3MDUGA1UEAxMuUW1OekJxUHdwNDJI
 WkpjY3NMdGM0b2s2TGpaQXNwY2tnczJkdTV0VG1qUGZGQQIBATANBgkqhkiG9w0B
@@ -58,9 +67,8 @@ knU1yykWGkdlbclCuu0NaAfmb8o0OX50CbEKZB7xmsv8tnqn0H0jMF4GCSqGSIb3
 DQEHATAdBglghkgBZQMEASoEEP/PW1JWehQx6/dsLkp/Mf+gMgQwFM9liLTqC56B
 nHILFmhac/+a/StQOKuf9dx5qXeGvt9LnwKuGGSfNX4g+dTkoa6N
 `
-      const plain = await ks.cms.decrypt(Buffer.from(example, 'base64'))
-      expect(plain).to.exist()
-      expect(plain.toString()).to.equal(plainData.toString())
-    })
+    const plain = await ks.cms.decrypt(Buffer.from(example, 'base64'))
+    expect(plain).to.exist()
+    expect(plain.toString()).to.equal(plainData.toString())
   })
-}
+})