"use strict"; import aes from "aes-js"; import scrypt from "scrypt-js"; import uuid from "uuid"; import { ExternallyOwnedAccount } from "@ethersproject/abstract-signer"; import { getAddress } from "@ethersproject/address"; import { arrayify, Bytes, BytesLike, concat, hexlify } from "@ethersproject/bytes"; import { defaultPath, entropyToMnemonic, HDNode, mnemonicToEntropy } from "@ethersproject/hdnode"; import { keccak256 } from "@ethersproject/keccak256"; import { pbkdf2 } from "@ethersproject/pbkdf2"; import { randomBytes } from "@ethersproject/random"; import { Description } from "@ethersproject/properties"; import { computeAddress } from "@ethersproject/transactions"; import { getPassword, looseArrayify, searchPath, zpad } from "./utils"; // Exported Types export class KeystoreAccount extends Description implements ExternallyOwnedAccount { readonly address: string; readonly privateKey: string; readonly mnemonic?: string; readonly path?: string; readonly _isKeystoreAccount: boolean; isKeystoreAccount(value: any): value is KeystoreAccount { return !!(value && value._isKeystoreAccount); } } export type ProgressCallback = (percent: number) => void; export type EncryptOptions = { iv?: BytesLike; entropy?: BytesLike; client?: string; salt?: BytesLike; uuid?: string; scrypt?: { N?: number; r?: number; p?: number; } } export function decrypt(json: string, password: Bytes | string, progressCallback?: ProgressCallback): Promise { let data = JSON.parse(json); let passwordBytes = getPassword(password); let decrypt = function(key: Uint8Array, ciphertext: Uint8Array): Uint8Array { let cipher = searchPath(data, "crypto/cipher"); if (cipher === "aes-128-ctr") { let iv = looseArrayify(searchPath(data, "crypto/cipherparams/iv")) let counter = new aes.Counter(iv); let aesCtr = new aes.ModeOfOperation.ctr(key, counter); return arrayify(aesCtr.decrypt(ciphertext)); } return null; }; let computeMAC = function(derivedHalf: Uint8Array, ciphertext: Uint8Array) { return keccak256(concat([ derivedHalf, ciphertext ])); } let getAccount = function(key: Uint8Array, reject: (error?: Error) => void) { let ciphertext = looseArrayify(searchPath(data, "crypto/ciphertext")); let computedMAC = hexlify(computeMAC(key.slice(16, 32), ciphertext)).substring(2); if (computedMAC !== searchPath(data, "crypto/mac").toLowerCase()) { reject(new Error("invalid password")); return null; } let privateKey = decrypt(key.slice(0, 16), ciphertext); let mnemonicKey = key.slice(32, 64); if (!privateKey) { reject(new Error("unsupported cipher")); return null; } let address = data.address.toLowerCase(); if (address.substring(0, 2) !== "0x") { address = "0x" + address; } try { if (getAddress(address) !== computeAddress(privateKey)) { reject(new Error("address mismatch")); return null; } } catch (e) { } let account: any = { _isKeystoreAccount: true, address: address, privateKey: hexlify(privateKey) }; // Version 0.1 x-ethers metadata must contain an encrypted mnemonic phrase if (searchPath(data, "x-ethers/version") === "0.1") { let mnemonicCiphertext = looseArrayify(searchPath(data, "x-ethers/mnemonicCiphertext")); let mnemonicIv = looseArrayify(searchPath(data, "x-ethers/mnemonicCounter")); let mnemonicCounter = new aes.Counter(mnemonicIv); let mnemonicAesCtr = new aes.ModeOfOperation.ctr(mnemonicKey, mnemonicCounter); let path = searchPath(data, "x-ethers/path") || defaultPath; let entropy = arrayify(mnemonicAesCtr.decrypt(mnemonicCiphertext)); let mnemonic = entropyToMnemonic(entropy); let node = HDNode.fromMnemonic(mnemonic).derivePath(path); if (node.privateKey != account.privateKey) { reject(new Error("mnemonic mismatch")); return null; } account.mnemonic = node.mnemonic; account.path = node.path; } return new KeystoreAccount(account); } return new Promise(function(resolve, reject) { let kdf = searchPath(data, "crypto/kdf"); if (kdf && typeof(kdf) === "string") { if (kdf.toLowerCase() === "scrypt") { let salt = looseArrayify(searchPath(data, "crypto/kdfparams/salt")); let N = parseInt(searchPath(data, "crypto/kdfparams/n")); let r = parseInt(searchPath(data, "crypto/kdfparams/r")); let p = parseInt(searchPath(data, "crypto/kdfparams/p")); if (!N || !r || !p) { reject(new Error("unsupported key-derivation function parameters")); return; } // Make sure N is a power of 2 if ((N & (N - 1)) !== 0) { reject(new Error("unsupported key-derivation function parameter value for N")); return; } let dkLen = parseInt(searchPath(data, "crypto/kdfparams/dklen")); if (dkLen !== 32) { reject( new Error("unsupported key-derivation derived-key length")); return; } if (progressCallback) { progressCallback(0); } scrypt(passwordBytes, salt, N, r, p, 64, function(error, progress, key) { if (error) { error.progress = progress; reject(error); } else if (key) { key = arrayify(key); let account = getAccount(key, reject); if (!account) { return; } if (progressCallback) { progressCallback(1); } resolve(account); } else if (progressCallback) { return progressCallback(progress); } }); } else if (kdf.toLowerCase() === "pbkdf2") { let salt = looseArrayify(searchPath(data, "crypto/kdfparams/salt")); let prfFunc = null; let prf = searchPath(data, "crypto/kdfparams/prf"); if (prf === "hmac-sha256") { prfFunc = "sha256"; } else if (prf === "hmac-sha512") { prfFunc = "sha512"; } else { reject(new Error("unsupported prf")); return; } let c = parseInt(searchPath(data, "crypto/kdfparams/c")); let dkLen = parseInt(searchPath(data, "crypto/kdfparams/dklen")); if (dkLen !== 32) { reject( new Error("unsupported key-derivation derived-key length")); return; } let key = arrayify(pbkdf2(passwordBytes, salt, c, dkLen, prfFunc)); let account = getAccount(key, reject); if (!account) { return; } resolve(account); } else { reject(new Error("unsupported key-derivation function")); } } else { reject(new Error("unsupported key-derivation function")); } }); } export function encrypt(account: ExternallyOwnedAccount, password: Bytes | string, options?: EncryptOptions, progressCallback?: ProgressCallback): Promise { try { if (getAddress(account.address) !== computeAddress(account.privateKey)) { throw new Error("address/privateKey mismatch"); } if (account.mnemonic != null){ let node = HDNode.fromMnemonic(account.mnemonic).derivePath(account.path || defaultPath); if (node.privateKey != account.privateKey) { throw new Error("mnemonic mismatch"); } } else if (account.path != null) { throw new Error("cannot specify path without mnemonic"); } } catch (e) { return Promise.reject(e); } // the options are optional, so adjust the call as needed if (typeof(options) === "function" && !progressCallback) { progressCallback = options; options = {}; } if (!options) { options = {}; } let privateKey: Uint8Array = arrayify(account.privateKey); let passwordBytes = getPassword(password); let entropy: Uint8Array = null let path: string = account.path; if (account.mnemonic) { entropy = arrayify(mnemonicToEntropy(account.mnemonic)); if (!path) { path = defaultPath; } } let client = options.client; if (!client) { client = "ethers.js"; } // Check/generate the salt let salt: Uint8Array = null; if (options.salt) { salt = arrayify(options.salt); } else { salt = randomBytes(32);; } // Override initialization vector let iv: Uint8Array = null; if (options.iv) { iv = arrayify(options.iv); if (iv.length !== 16) { throw new Error("invalid iv"); } } else { iv = randomBytes(16); } // Override the uuid let uuidRandom: Uint8Array = null; if (options.uuid) { uuidRandom = arrayify(options.uuid); if (uuidRandom.length !== 16) { throw new Error("invalid uuid"); } } else { uuidRandom = randomBytes(16); } // Override the scrypt password-based key derivation function parameters let N = (1 << 17), r = 8, p = 1; if (options.scrypt) { if (options.scrypt.N) { N = options.scrypt.N; } if (options.scrypt.r) { r = options.scrypt.r; } if (options.scrypt.p) { p = options.scrypt.p; } } return new Promise(function(resolve, reject) { if (progressCallback) { progressCallback(0); } // We take 64 bytes: // - 32 bytes As normal for the Web3 secret storage (derivedKey, macPrefix) // - 32 bytes AES key to encrypt mnemonic with (required here to be Ethers Wallet) scrypt(passwordBytes, salt, N, r, p, 64, function(error, progress, key) { if (error) { error.progress = progress; reject(error); } else if (key) { key = arrayify(key); // This will be used to encrypt the wallet (as per Web3 secret storage) let derivedKey = key.slice(0, 16); let macPrefix = key.slice(16, 32); // This will be used to encrypt the mnemonic phrase (if any) let mnemonicKey = key.slice(32, 64); // Encrypt the private key let counter = new aes.Counter(iv); let aesCtr = new aes.ModeOfOperation.ctr(derivedKey, counter); let ciphertext = arrayify(aesCtr.encrypt(privateKey)); // Compute the message authentication code, used to check the password let mac = keccak256(concat([macPrefix, ciphertext])) // See: https://github.com/ethereum/wiki/wiki/Web3-Secret-Storage-Definition let data: { [key: string]: any } = { address: account.address.substring(2).toLowerCase(), id: uuid.v4({ random: uuidRandom }), version: 3, Crypto: { cipher: "aes-128-ctr", cipherparams: { iv: hexlify(iv).substring(2), }, ciphertext: hexlify(ciphertext).substring(2), kdf: "scrypt", kdfparams: { salt: hexlify(salt).substring(2), n: N, dklen: 32, p: p, r: r }, mac: mac.substring(2) } }; // If we have a mnemonic, encrypt it into the JSON wallet if (entropy) { let mnemonicIv = randomBytes(16); let mnemonicCounter = new aes.Counter(mnemonicIv); let mnemonicAesCtr = new aes.ModeOfOperation.ctr(mnemonicKey, mnemonicCounter); let mnemonicCiphertext = arrayify(mnemonicAesCtr.encrypt(entropy)); let now = new Date(); let timestamp = (now.getUTCFullYear() + "-" + zpad(now.getUTCMonth() + 1, 2) + "-" + zpad(now.getUTCDate(), 2) + "T" + zpad(now.getUTCHours(), 2) + "-" + zpad(now.getUTCMinutes(), 2) + "-" + zpad(now.getUTCSeconds(), 2) + ".0Z" ); data["x-ethers"] = { client: client, gethFilename: ("UTC--" + timestamp + "--" + data.address), mnemonicCounter: hexlify(mnemonicIv).substring(2), mnemonicCiphertext: hexlify(mnemonicCiphertext).substring(2), path: path, version: "0.1" }; } if (progressCallback) { progressCallback(1); } resolve(JSON.stringify(data)); } else if (progressCallback) { return progressCallback(progress); } }); }); }