GH-461 Mask out only the private key when logging signature-provider
heifner committed Aug 8, 2024
1 parent 4ee6383 commit a4948b5
Showing 3 changed files with 36 additions and 24 deletions.
Expand Up @@ -23,6 +23,11 @@ class signature_provider_plugin : public appbase::plugin<signature_provider_plug

const char* const signature_provider_help_text() const;

/// public_key spec_type spec_data
/// Note: spec_data is private_key if spec_type is KEY
static std::tuple<std::string, std::string, std::string> parse_signature_provider_spec(const std::string& spec);


using signature_provider_type = std::function<chain::signature_type(chain::digest_type)>;

// @return empty optional for BLS specs
42 changes: 21 additions & 21 deletions plugins/signature_provider_plugin/signature_provider_plugin.cpp
Expand Up @@ -38,28 +38,9 @@ class signature_provider_plugin_impl {
};
}

// public_key spec_type spec_data
std::tuple<std::string, std::string, std::string> parse_spec(const std::string& spec) const {
auto delim = spec.find("=");
EOS_ASSERT(delim != std::string::npos, chain::plugin_config_exception, "Missing \"=\" in the key spec pair");
// public_key can be base64 encoded with trailing `=`
// e.g. --signature-provider PUB_BLS_Fmgk<snip>iuA===KEY:PVT_BLS_NZhJ<snip>ZHFu
while( spec.size() > delim+1 && spec[delim+1] == '=' )
++delim;
EOS_ASSERT(delim < spec.size() + 1, chain::plugin_config_exception, "Missing spec data in the key spec pair");
auto pub_key_str = spec.substr(0, delim);
auto spec_str = spec.substr(delim + 1);

auto spec_delim = spec_str.find(":");
EOS_ASSERT(spec_delim != std::string::npos, chain::plugin_config_exception, "Missing \":\" in the key spec pair");
auto spec_type_str = spec_str.substr(0, spec_delim);
auto spec_data = spec_str.substr(spec_delim + 1);
return {std::move(pub_key_str), std::move(spec_type_str), std::move(spec_data)};
}

std::optional<std::pair<chain::public_key_type,signature_provider_plugin::signature_provider_type>>
signature_provider_for_specification(const std::string& spec) const {
auto [pub_key_str, spec_type_str, spec_data] = parse_spec(spec);
auto [pub_key_str, spec_type_str, spec_data] = signature_provider_plugin::parse_signature_provider_spec(spec);
if( pub_key_str.starts_with("PUB_BLS") && spec_type_str == "KEY" )
return {};

Expand Down Expand Up @@ -115,11 +96,30 @@ signature_provider_plugin::signature_provider_for_private_key(const chain::priva

std::optional<std::pair<fc::crypto::blslib::bls_public_key, fc::crypto::blslib::bls_private_key>>
signature_provider_plugin::bls_public_key_for_specification(const std::string& spec) const {
auto [pub_key_str, spec_type_str, spec_data] = my->parse_spec(spec);
auto [pub_key_str, spec_type_str, spec_data] = parse_signature_provider_spec(spec);
if( pub_key_str.starts_with("PUB_BLS") && spec_type_str == "KEY" ) {
return std::make_pair(fc::crypto::blslib::bls_public_key{pub_key_str}, fc::crypto::blslib::bls_private_key{spec_data});
}
return {};
}

// public_key spec_type spec_data
std::tuple<std::string, std::string, std::string> signature_provider_plugin::parse_signature_provider_spec(const std::string& spec) {
auto delim = spec.find("=");
EOS_ASSERT(delim != std::string::npos, chain::plugin_config_exception, "Missing \"=\" in the key spec pair");
// public_key can be base64 encoded with trailing `=`
// e.g. --signature-provider PUB_BLS_Fmgk<snip>iuA===KEY:PVT_BLS_NZhJ<snip>ZHFu
while( spec.size() > delim+1 && spec[delim+1] == '=' )
++delim;
EOS_ASSERT(delim < spec.size() + 1, chain::plugin_config_exception, "Missing spec data in the key spec pair");
auto pub_key_str = spec.substr(0, delim);
auto spec_str = spec.substr(delim + 1);

auto spec_delim = spec_str.find(":");
EOS_ASSERT(spec_delim != std::string::npos, chain::plugin_config_exception, "Missing \":\" in the key spec pair");
auto spec_type_str = spec_str.substr(0, spec_delim);
auto spec_data = spec_str.substr(spec_delim + 1);
return {std::move(pub_key_str), std::move(spec_type_str), std::move(spec_data)};
}

} // namespace eosio
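Review bot: The guard `EOS_ASSERT(delim < spec.size() + 1, ...)` in parse_signature_provider_spec can never fire: `delim` is an index returned by `find`, and the padding loop only advances it while `delim+1 < spec.size()`, so `delim < spec.size()` always holds. A spec such as `PUB_K1_...=` therefore falls through to the `Missing ":"` assertion instead of reporting the missing spec data. The intended check is presumably `EOS_ASSERT(delim + 1 < spec.size(), chain::plugin_config_exception, "Missing spec data in the key spec pair");`. Since the function is now a public static and is called from nodeos's option logging, its declaration comment should also state that it throws chain::plugin_config_exception on a malformed spec, so callers know to expect it.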
13 changes: 10 additions & 3 deletions programs/nodeos/main.cpp
Expand Up @@ -4,6 +4,7 @@
#include <eosio/http_plugin/http_plugin.hpp>
#include <eosio/net_plugin/net_plugin.hpp>
#include <eosio/producer_plugin/producer_plugin.hpp>
#include <eosio/signature_provider_plugin/signature_provider_plugin.hpp>
#include <eosio/resource_monitor_plugin/resource_monitor_plugin.hpp>
#include <eosio/version/version.hpp>

Expand All @@ -30,19 +31,25 @@ namespace detail {

void log_non_default_options(const std::vector<bpo::basic_option<char>>& options) {
using namespace std::string_literals;
auto mask_private = [](const string& v) {
auto [pub_key_str, spec_type_str, spec_data] = signature_provider_plugin::parse_signature_provider_spec(v);
return pub_key_str + "=" + spec_type_str + ":***";
};

string result;
for (const auto& op : options) {
bool mask = false;
if (op.string_key == "signature-provider"s
|| op.string_key == "peer-private-key"s
if (op.string_key == "peer-private-key"s
|| op.string_key == "p2p-auto-bp-peer"s) {
mask = true;
}
std::string v;
for (auto i = op.value.cbegin(), b = op.value.cbegin(), e = op.value.cend(); i != e; ++i) {
if (i != b)
v += ", ";
if (mask)
if (op.string_key == "signature-provider"s)
v += mask_private(*i);
else if (mask)
v += "***";
else
v += *i;
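Review bot: `mask_private` lets the parser's exception escape from log_non_default_options: parse_signature_provider_spec throws chain::plugin_config_exception for a spec without `=` or `:`, so a malformed `--signature-provider` value now aborts option logging instead of being reported by the plugin's own validation, and whether anything above catches it is not visible here. Logging should stay best-effort: fall back to the full `***` mask when parsing fails, which also guarantees the raw value (which may contain the private key) is never echoed on the error path. The lambda is the only change needed; the option loop below it is unchanged, and log_non_default_options continues past the hunk.

```cpp
   auto mask_private = [](const string& v) -> string {
      try {
         auto [pub_key_str, spec_type_str, spec_data] = signature_provider_plugin::parse_signature_provider_spec(v);
         return pub_key_str + "=" + spec_type_str + ":***";
      } catch (...) {
         // malformed spec: never echo the raw value; the plugin reports the config error itself
         return "***";
      }
   };
   // … unchanged: option loop …
```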
