seed encrypt: init mint with encrypted keys after migration
callebtc committed Mar 14, 2024
1 parent 752ab3c commit 3f4d2bf
Showing 4 changed files with 36 additions and 23 deletions.
18 changes: 8 additions & 10 deletions cashu/core/crypto/keys.py
Expand Up @@ -16,35 +16,33 @@ def derive_keys(mnemonic: str, derivation_path: str):
bip32 = BIP32.from_seed(mnemonic.encode())
orders_str = [f"/{i}'" for i in range(settings.max_order)]
return {
2
** i: PrivateKey(
2**i: PrivateKey(
bip32.get_privkey_from_path(derivation_path + orders_str[i]),
raw=True,
)
for i in range(settings.max_order)
}


def derive_keys_sha256(master_key: str, derivation_path: str = ""):
def derive_keys_sha256(seed: str, derivation_path: str = ""):
"""
Deterministic derivation of keys for 2^n values.
TODO: Implement BIP32.
"""
return {
2
** i: PrivateKey(
hashlib.sha256(
(master_key + derivation_path + str(i)).encode("utf-8")
).digest()[:32],
2**i: PrivateKey(
hashlib.sha256((seed + derivation_path + str(i)).encode("utf-8")).digest()[
:32
],
raw=True,
)
for i in range(settings.max_order)
}


def derive_pubkey(master_key: str):
def derive_pubkey(seed: str):
return PrivateKey(
hashlib.sha256((master_key).encode("utf-8")).digest()[:32],
hashlib.sha256((seed).encode("utf-8")).digest()[:32],
raw=True,
).pubkey

7 changes: 3 additions & 4 deletions cashu/core/legacy.py
Expand Up @@ -6,15 +6,14 @@


def derive_keys_backwards_compatible_insecure_pre_0_12(
master_key: str, derivation_path: str = ""
seed: str, derivation_path: str = ""
):
"""
WARNING: Broken key derivation for backwards compatibility with 0.11.
"""
return {
2
** i: PrivateKey(
hashlib.sha256((master_key + derivation_path + str(i)).encode("utf-8"))
2**i: PrivateKey(
hashlib.sha256((seed + derivation_path + str(i)).encode("utf-8"))
.hexdigest()
.encode("utf-8")[:32],
raw=True,
11 changes: 11 additions & 0 deletions cashu/mint/decrypt.py → cashu/mint/encrypt.py
Expand Up @@ -146,6 +146,17 @@ async def migrate(no_dry_run):
keyset_dict["id"],
),
)

click.echo("Initializing mint with encrypted seeds.")
encrypted_mint_private_key = aes.encrypt(settings.mint_private_key.encode())
ledger = Ledger(
db=Database("mint", settings.mint_database),
seed=encrypted_mint_private_key,
seed_decryption_key=settings.mint_seed_decryption_key,
derivation_path=settings.mint_derivation_path,
backends={},
crud=LedgerCrudSqlite(),
)
click.echo("✅ Migration complete.")


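Review bot: `ledger` on the new `ledger = Ledger(...)` lines is assigned and never used, so the reason for constructing a full `Ledger` (including a live `Database("mint", ...)`) inside `migrate` is not stated in the code; if it is meant as a round-trip check that the freshly encrypted seed decrypts under `settings.mint_seed_decryption_key`, say so with a comment such as `# round-trip check: Ledger.__init__ decrypts the seed with the configured key` and verify the outcome instead of relying on the constructor happening to raise, e.g. `if ledger.pubkey != derive_pubkey(settings.mint_private_key): raise click.ClickException("pubkey mismatch after seed encryption")` (assuming `derive_pubkey` from `cashu/core/crypto/keys.py` is importable here). Whether the key inside `aes` is the same key as `settings.mint_seed_decryption_key` cannot be seen from this hunk, since `aes` is built outside it; a mismatch would otherwise surface only as an unrelated startup failure after the migration has already printed "Migration complete". It is also not visible whether this block is gated by `no_dry_run`, so I would confirm that a dry run does not open the database or print the success message. `migrate` starts outside the hunk.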
23 changes: 14 additions & 9 deletions cashu/mint/ledger.py
Expand Up @@ -76,17 +76,22 @@ def __init__(
assert seed, "seed not set"

# decrypt seed if seed_decryption_key is set
self.master_key = (
AESCipher(seed_decryption_key).decrypt(seed)
if seed_decryption_key
else seed
)
try:
self.seed = (
AESCipher(seed_decryption_key).decrypt(seed)
if seed_decryption_key
else seed
)
except Exception as e:
raise Exception(
f"Could not decrypt seed. Make sure that the seed is correct and the decryption key is set. {e}"
)
self.derivation_path = derivation_path

self.db = db
self.crud = crud
self.backends = backends
self.pubkey = derive_pubkey(self.master_key)
self.pubkey = derive_pubkey(self.seed)
self.spent_proofs: Dict[str, Proof] = {}

# ------- KEYS -------
Expand All @@ -109,7 +114,7 @@ async def activate_keyset(
MintKeyset: Keyset
"""
assert derivation_path, "derivation path not set"
seed = seed or self.master_key
seed = seed or self.seed
tmp_keyset_local = MintKeyset(
seed=seed,
derivation_path=derivation_path,
Expand All @@ -132,7 +137,7 @@ async def activate_keyset(
# no keyset for this derivation path yet
# we create a new keyset (keys will be generated at instantiation)
keyset = MintKeyset(
seed=seed or self.master_key,
seed=seed or self.seed,
derivation_path=derivation_path,
version=version or settings.version,
)
Expand Down Expand Up @@ -503,7 +508,7 @@ async def melt_quote(
melt_quote.request
)
assert payment_quote.checking_id, "quote has no checking id"

expiry = None
if invoice_obj.expiry is not None:
expiry = invoice_obj.date + invoice_obj.expiry
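Review bot: The new `except Exception as e: raise Exception(...)` around `AESCipher(seed_decryption_key).decrypt(seed)` in `__init__` catches every error type and re-raises a bare `Exception` without chaining, which discards the original traceback and prevents callers from telling a wrong key apart from malformed ciphertext; at minimum write `raise Exception(...) from e`, and preferably narrow the caught type to what `AESCipher.decrypt` actually raises. The error message also presumes that decrypting with a wrong key fails, which only holds if `AESCipher` authenticates the ciphertext or its padding check happens to reject the result; with an unauthenticated mode a wrong key can yield garbage that flows straight into `derive_pubkey(self.seed)` and silently produces a different keyset. Since `AESCipher` is not visible here I would either document that assumption in the comment above the `try`, e.g. `# relies on AESCipher.decrypt raising on a wrong key; a silent wrong decryption would yield a different pubkey`, or add a check of the derived pubkey against an expected value where one is available. The same `seed` rename is applied consistently in the two `activate_keyset` hunks. `__init__` starts outside the hunk.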
