Encryption support for the statement store (#14440)

* Added ECIES encryption * tweaks * fmt * Make clippy happy * Use local keystore * qed
2026-06-12 05:21:08 +00:00 · 2023-07-17 20:41:41 +02:00
parent c761d4c39e
commit d6d9bd9ea3
28 changed files with 351 additions and 71 deletions
@@ -88,9 +88,7 @@ pub fn generate_decl_runtime_metadata(decl: &ItemTrait) -> TokenStream2 {
 	let mut where_clause = Vec::new();
 	for item in &decl.items {
 		// Collect metadata for methods only.
-		let syn::TraitItem::Fn(method) = item else {
-			continue
-		};
+		let syn::TraitItem::Fn(method) = item else { continue };

 		// Collect metadata only for the latest methods.
 		let is_changed_in =
@@ -103,9 +101,7 @@ pub fn generate_decl_runtime_metadata(decl: &ItemTrait) -> TokenStream2 {
 		let signature = &method.sig;
 		for input in &signature.inputs {
 			// Exclude `self` from metadata collection.
-			let syn::FnArg::Typed(typed) = input else {
-				continue
-			};
+			let syn::FnArg::Typed(typed) = input else { continue };

 			let pat = &typed.pat;
 			let name = quote!(#pat).to_string();
@@ -153,9 +149,7 @@ pub fn generate_decl_runtime_metadata(decl: &ItemTrait) -> TokenStream2 {
 	// The trait generics where already extended with `Block: BlockT`.
 	let mut generics = decl.generics.clone();
 	for generic_param in generics.params.iter_mut() {
-		let syn::GenericParam::Type(ty) = generic_param else {
-			continue
-		};
+		let syn::GenericParam::Type(ty) = generic_param else { continue };

 		// Default type parameters are not allowed in functions.
 		ty.eq_token = None;
@@ -266,9 +266,7 @@ pub fn get_doc_literals(attrs: &[syn::Attribute]) -> Vec<syn::Lit> {
 	attrs
 		.iter()
 		.filter_map(|attr| {
-			let syn::Meta::NameValue(meta) = &attr.meta else {
-				return None
-			};
+			let syn::Meta::NameValue(meta) = &attr.meta else { return None };
 			let Ok(lit) = syn::parse2::<syn::Lit>(meta.value.to_token_stream()) else {
 				unreachable!("non-lit doc attribute values do not exist");
 			};
@@ -179,6 +179,13 @@ macro_rules! app_crypto_pair {
 		impl $crate::AppPair for Pair {
 			type Generic = $pair;
 		}
+
+		impl Pair {
+			/// Convert into wrapped generic key pair type.
+			pub fn into_inner(self) -> $pair {
+				self.0
+			}
+		}
 	};
 }

@@ -52,9 +52,7 @@ fn check<N>(f: N, n: N, d: N, r: Rounding)
 where
 	N: MultiplyRational + Into<u128> + Copy + core::fmt::Debug,
 {
-	let Some(got) = f.multiply_rational(n, d, r) else {
-		return;
-	};
+	let Some(got) = f.multiply_rational(n, d, r) else { return };

 	let (ae, be, ce) =
 		(Fraction::from(f.into()), Fraction::from(n.into()), Fraction::from(d.into()));
@@ -196,9 +196,7 @@ pub trait Backend<Block: BlockT>:
 		base_hash: Block::Hash,
 		import_lock: &RwLock<()>,
 	) -> Result<Option<Block::Hash>> {
-		let Some(base_header) = self.header(base_hash)? else {
-			return Ok(None)
-		};
+		let Some(base_header) = self.header(base_hash)? else { return Ok(None) };

 		let leaves = {
 			// ensure no blocks are imported during this code block.
@@ -57,7 +57,6 @@ sp-runtime-interface = { version = "17.0.0", default-features = false, path = ".
 w3f-bls = { version = "0.1.3", default-features = false, optional = true}

 [dev-dependencies]
-rand = "0.8.5"
 criterion = "0.4.0"
 serde_json = "1.0"
 sp-core-hashing-proc-macro = { version = "9.0.0", path = "./hashing/proc-macro" }
@@ -422,12 +422,8 @@ impl TraitPair for Pair {
 	///
 	/// Returns true if the signature is good.
 	fn verify<M: AsRef<[u8]>>(sig: &Self::Signature, message: M, public: &Self::Public) -> bool {
-		let Ok(public) = VerificationKey::try_from(public.as_slice()) else {
-			return false
-		};
-		let Ok(signature) = ed25519_zebra::Signature::try_from(sig.as_ref()) else {
-			return false
-		};
+		let Ok(public) = VerificationKey::try_from(public.as_slice()) else { return false };
+		let Ok(signature) = ed25519_zebra::Signature::try_from(sig.as_ref()) else { return false };
 		public.verify(&signature, message.as_ref()).is_ok()
 	}

@@ -505,12 +505,8 @@ impl TraitPair for Pair {
 	}

 	fn verify<M: AsRef<[u8]>>(sig: &Self::Signature, message: M, pubkey: &Self::Public) -> bool {
-		let Ok(signature) = schnorrkel::Signature::from_bytes(sig.as_ref()) else {
-			return false
-		};
-		let Ok(public) = PublicKey::from_bytes(pubkey.as_ref()) else {
-			return false
-		};
+		let Ok(signature) = schnorrkel::Signature::from_bytes(sig.as_ref()) else { return false };
+		let Ok(public) = PublicKey::from_bytes(pubkey.as_ref()) else { return false };
 		public.verify_simple(SIGNING_CTX, message.as_ref(), &signature).is_ok()
 	}

@@ -776,9 +776,7 @@ pub trait Crypto {
 				return false
 			};

-			let Ok(sig) = ed25519_dalek::Signature::from_bytes(&sig.0) else {
-				return false
-			};
+			let Ok(sig) = ed25519_dalek::Signature::from_bytes(&sig.0) else { return false };

 			public_key.verify(msg, &sig).is_ok()
 		} else {
@@ -24,6 +24,15 @@ sp-runtime-interface = { version = "17.0.0", default-features = false, path = ".
 sp-externalities = { version = "0.19.0", default-features = false, path = "../externalities" }
 thiserror = { version = "1.0", optional = true }

+# ECIES dependencies
+ed25519-dalek = { version = "1.0", optional = true }
+x25519-dalek = { version = "2.0.0-pre.1", optional = true }
+curve25519-dalek = { version = "3.2", optional = true }
+aes-gcm = { version = "0.10", optional = true }
+hkdf = { version = "0.12.0", optional = true }
+sha2 = { version = "0.10.0", optional = true }
+rand = { version = "0.8.5", features = ["small_rng"],  optional = true }
+
 [features]
 default = ["std"]
 std = [
@@ -36,6 +45,14 @@ std = [
 	"sp-api/std",
 	"sp-application-crypto/std",
 	"thiserror",
+
+	"ed25519-dalek",
+	"x25519-dalek",
+	"curve25519-dalek",
+	"aes-gcm",
+	"hkdf",
+	"sha2",
+	"rand",
 ]
 serde = [
        "scale-info/serde",
@@ -0,0 +1,174 @@
+// This file is part of Substrate.
+
+// Copyright (C) Parity Technologies (UK) Ltd.
+// SPDX-License-Identifier: Apache-2.0
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// 	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// tag::description[]
+//! ECIES encryption scheme using x25519 key exchange and AEAD.
+// end::description[]
+
+use aes_gcm::{aead::Aead, AeadCore, KeyInit};
+use rand::rngs::OsRng;
+use sha2::Digest;
+use sp_core::crypto::Pair;
+
+/// x25519 secret key.
+pub type SecretKey = x25519_dalek::StaticSecret;
+/// x25519 public key.
+pub type PublicKey = x25519_dalek::PublicKey;
+
+/// Encryption or decryption error.
+#[derive(Debug, PartialEq, Eq, thiserror::Error)]
+pub enum Error {
+	/// Generic AES encryption error.
+	#[error("Encryption error")]
+	Encryption,
+	/// Generic AES decryption error.
+	#[error("Decryption error")]
+	Decryption,
+	/// Error reading key data. Not enough data in the buffer.
+	#[error("Bad cypher text")]
+	BadData,
+}
+
+const NONCE_LEN: usize = 12;
+const PK_LEN: usize = 32;
+const AES_KEY_LEN: usize = 32;
+
+fn aes_encrypt(key: &[u8; AES_KEY_LEN], nonce: &[u8], plaintext: &[u8]) -> Result<Vec<u8>, Error> {
+	let enc = aes_gcm::Aes256Gcm::new(key.into());
+
+	enc.encrypt(nonce.into(), aes_gcm::aead::Payload { msg: plaintext, aad: b"" })
+		.map_err(|_| Error::Encryption)
+}
+
+fn aes_decrypt(key: &[u8; AES_KEY_LEN], nonce: &[u8], ciphertext: &[u8]) -> Result<Vec<u8>, Error> {
+	let dec = aes_gcm::Aes256Gcm::new(key.into());
+	dec.decrypt(nonce.into(), aes_gcm::aead::Payload { msg: ciphertext, aad: b"" })
+		.map_err(|_| Error::Decryption)
+}
+
+fn kdf(shared_secret: &[u8]) -> [u8; AES_KEY_LEN] {
+	let hkdf = hkdf::Hkdf::<sha2::Sha256>::new(None, shared_secret);
+	let mut aes_key = [0u8; AES_KEY_LEN];
+	hkdf.expand(b"", &mut aes_key)
+		.expect("There's always enough data for derivation. qed.");
+	aes_key
+}
+
+/// Encrypt `plaintext` with the given public x25519 public key. Decryption can be performed with
+/// the matching secret key.
+pub fn encrypt_x25519(pk: &PublicKey, plaintext: &[u8]) -> Result<Vec<u8>, Error> {
+	let ephemeral_sk = x25519_dalek::StaticSecret::new(OsRng);
+	let ephemeral_pk = x25519_dalek::PublicKey::from(&ephemeral_sk);
+
+	let mut shared_secret = ephemeral_sk.diffie_hellman(pk).to_bytes().to_vec();
+	shared_secret.extend_from_slice(ephemeral_pk.as_bytes());
+
+	let aes_key = kdf(&shared_secret);
+
+	let nonce = aes_gcm::Aes256Gcm::generate_nonce(OsRng);
+	let ciphertext = aes_encrypt(&aes_key, &nonce, plaintext)?;
+
+	let mut out = Vec::with_capacity(ciphertext.len() + PK_LEN + NONCE_LEN);
+	out.extend_from_slice(ephemeral_pk.as_bytes());
+	out.extend_from_slice(nonce.as_slice());
+	out.extend_from_slice(ciphertext.as_slice());
+
+	Ok(out)
+}
+
+/// Encrypt `plaintext` with the given ed25519 public key. Decryption can be performed with the
+/// matching secret key.
+pub fn encrypt_ed25519(pk: &sp_core::ed25519::Public, plaintext: &[u8]) -> Result<Vec<u8>, Error> {
+	let ed25519 = curve25519_dalek::edwards::CompressedEdwardsY(pk.0);
+	let x25519 = ed25519.decompress().ok_or(Error::BadData)?.to_montgomery();
+	let montgomery = x25519_dalek::PublicKey::from(x25519.to_bytes());
+	encrypt_x25519(&montgomery, plaintext)
+}
+
+/// Decrypt with the given x25519 secret key.
+pub fn decrypt_x25519(sk: &SecretKey, encrypted: &[u8]) -> Result<Vec<u8>, Error> {
+	if encrypted.len() < PK_LEN + NONCE_LEN {
+		return Err(Error::BadData)
+	}
+	let mut ephemeral_pk: [u8; PK_LEN] = Default::default();
+	ephemeral_pk.copy_from_slice(&encrypted[0..PK_LEN]);
+	let ephemeral_pk = PublicKey::from(ephemeral_pk);
+
+	let mut shared_secret = sk.diffie_hellman(&ephemeral_pk).to_bytes().to_vec();
+	shared_secret.extend_from_slice(ephemeral_pk.as_bytes());
+
+	let aes_key = kdf(&shared_secret);
+
+	let nonce = &encrypted[PK_LEN..PK_LEN + NONCE_LEN];
+	aes_decrypt(&aes_key, &nonce, &encrypted[PK_LEN + NONCE_LEN..])
+}
+
+/// Decrypt with the given ed25519 key pair.
+pub fn decrypt_ed25519(pair: &sp_core::ed25519::Pair, encrypted: &[u8]) -> Result<Vec<u8>, Error> {
+	let raw = pair.to_raw_vec();
+	let hash: [u8; 32] = sha2::Sha512::digest(&raw).as_slice()[..32]
+		.try_into()
+		.map_err(|_| Error::Decryption)?;
+	let secret = x25519_dalek::StaticSecret::from(hash);
+	decrypt_x25519(&secret, encrypted)
+}
+
+#[cfg(test)]
+mod test {
+	use super::*;
+	use rand::rngs::OsRng;
+	use sp_core::crypto::Pair;
+
+	#[test]
+	fn basic_x25519_encryption() {
+		let sk = SecretKey::new(OsRng);
+		let pk = PublicKey::from(&sk);
+
+		let plain_message = b"An important secret message";
+		let encrypted = encrypt_x25519(&pk, plain_message).unwrap();
+
+		let decrypted = decrypt_x25519(&sk, &encrypted).unwrap();
+		assert_eq!(plain_message, decrypted.as_slice());
+	}
+
+	#[test]
+	fn basic_ed25519_encryption() {
+		let (pair, _) = sp_core::ed25519::Pair::generate();
+		let pk = pair.into();
+
+		let plain_message = b"An important secret message";
+		let encrypted = encrypt_ed25519(&pk, plain_message).unwrap();
+
+		let decrypted = decrypt_ed25519(&pair, &encrypted).unwrap();
+		assert_eq!(plain_message, decrypted.as_slice());
+	}
+
+	#[test]
+	fn fails_on_bad_data() {
+		let sk = SecretKey::new(OsRng);
+		let pk = PublicKey::from(&sk);
+
+		let plain_message = b"An important secret message";
+		let encrypted = encrypt_x25519(&pk, plain_message).unwrap();
+
+		assert_eq!(decrypt_x25519(&sk, &[]), Err(Error::BadData));
+		assert_eq!(
+			decrypt_x25519(&sk, &encrypted[0..super::PK_LEN + super::NONCE_LEN - 1]),
+			Err(Error::BadData)
+		);
+	}
+}
@@ -49,6 +49,8 @@ pub use store_api::{
 	Error, NetworkPriority, Result, StatementSource, StatementStore, SubmitResult,
 };

+#[cfg(feature = "std")]
+mod ecies;
 pub mod runtime_api;
 #[cfg(feature = "std")]
 mod store_api;
@@ -61,12 +63,17 @@ mod sr25519 {
 	pub type Public = app_sr25519::Public;
 }

-mod ed25519 {
+/// Statement-store specific ed25519 crypto primitives.
+pub mod ed25519 {
 	mod app_ed25519 {
 		use sp_application_crypto::{app_crypto, ed25519, key_types::STATEMENT};
 		app_crypto!(ed25519, STATEMENT);
 	}
+	/// Statement-store specific ed25519 public key.
 	pub type Public = app_ed25519::Public;
+	/// Statement-store specific ed25519 key pair.
+	#[cfg(feature = "std")]
+	pub type Pair = app_ed25519::Pair;
 }

 mod ecdsa {
@@ -507,6 +514,28 @@ impl Statement {
 		}
 		output
 	}
+
+	/// Encrypt give data with given key and store both in the statements.
+	#[cfg(feature = "std")]
+	pub fn encrypt(
+		&mut self,
+		data: &[u8],
+		key: &sp_core::ed25519::Public,
+	) -> core::result::Result<(), ecies::Error> {
+		let encrypted = ecies::encrypt_ed25519(key, data)?;
+		self.data = Some(encrypted);
+		self.decryption_key = Some((*key).into());
+		Ok(())
+	}
+
+	/// Decrypt data (if any) with the given private key.
+	#[cfg(feature = "std")]
+	pub fn decrypt_private(
+		&self,
+		key: &sp_core::ed25519::Pair,
+	) -> core::result::Result<Option<Vec<u8>>, ecies::Error> {
+		self.data.as_ref().map(|d| ecies::decrypt_ed25519(key, d)).transpose()
+	}
 }

 #[cfg(test)]
@@ -615,4 +644,18 @@ mod test {
 		statement.remove_proof();
 		assert_eq!(statement.verify_signature(), SignatureVerificationResult::NoSignature);
 	}
+
+	#[test]
+	fn encrypt_decrypt() {
+		let mut statement = Statement::new();
+		let (pair, _) = sp_core::ed25519::Pair::generate();
+		let plain = b"test data".to_vec();
+
+		//let sr25519_kp = sp_core::sr25519::Pair::from_string("//Alice", None).unwrap();
+		statement.encrypt(&plain, &pair.public()).unwrap();
+		assert_ne!(plain.as_slice(), statement.data().unwrap().as_slice());
+
+		let decrypted = statement.decrypt_private(&pair).unwrap();
+		assert_eq!(decrypted, Some(plain));
+	}
 }