
pemkey saved in clear text is insecure

Open ghost opened this issue 5 years ago • 0 comments

In trueconsensus/fastchain/genkeys.go, the WriteNewKeys function (which is called in pbftserverengine.go -> main() -> cfg.GenerateKeysToFile() -> WriteNewKeys(cfg.Network.NumKeys, cfg.Logistics.KD)):

func WriteNewKeys(kcount int, kdir string) {
	for k := 0; k < kcount; k++ {
		// Generate a fresh secp256k1 key pair (the error from GenerateKey is discarded here).
		privateKey, _ := ecdsa.GenerateKey(ethcrypto.S256(), rand.Reader)
		publicKey := &privateKey.PublicKey

		// Despite the variable name this is not PEM: FromECDSA returns the raw 32-byte
		// private scalar, which is then hex-encoded with no encryption at all.
		pemEncoded := hex.EncodeToString(ethcrypto.FromECDSA(privateKey))
		pemEncodedPub := hex.EncodeToString(ethcrypto.FromECDSAPub(publicKey))

		// Mode 0600 restricts who may open the file, but its content is the bare private key.
		pemkeyFname := fmt.Sprintf("sign%v.pem", k)
		err1 := ioutil.WriteFile(path.Join(kdir, pemkeyFname), []byte(pemEncoded), 0600)
		common.CheckErr(err1)
		// The public key is not secret, so world-readable 0644 is fine for it.
		pubkeyFname := fmt.Sprintf("sign%v.pub", k)
		err2 := ioutil.WriteFile(path.Join(kdir, pubkeyFname), []byte(pemEncodedPub), 0644)
		common.CheckErr(err2)
	}
}

ethcrypto.FromECDSA just converts the private key to bytes. The function saves the pemkey as pemEncoded, which is unencrypted.

If a node is attacked, the attacker can steal the users' pemkey with malicious software.

ghost avatar Nov 12 '19 14:11 ghost
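One way to close the gap the report describes is to never write the raw scalar to disk, but a sealed form of it. The Go below is an added example of mine, not code from truechain-consensus-core: it takes the bytes that ethcrypto.FromECDSA would return plus an operator-supplied passphrase (assumed to come from a prompt or a secret store), derives an AES-256 key with PBKDF2-HMAC-SHA256 written out with the standard library only, and emits a PEM block carrying AES-GCM ciphertext. The PEM type label "SEALED EC PRIVATE KEY" and the header names are chosen for this example, not a standard format.

```go
package main

import (
	"crypto/aes"; "crypto/cipher"; "crypto/hmac"; "crypto/rand"; "crypto/sha256"
	"encoding/hex"; "encoding/pem"; "errors"
)

// pbkdf2SHA256 returns the first 32-byte block of PBKDF2-HMAC-SHA256, i.e. one AES-256 key.
func pbkdf2SHA256(pass, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, pass)
	mac.Write(salt); mac.Write([]byte{0, 0, 0, 1}) // INT(1): index of the only output block
	u := mac.Sum(nil); out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset(); mac.Write(u); u = mac.Sum(nil)
		for j := range out { out[j] ^= u[j] }
	}
	return out
}

func newGCM(passphrase, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(passphrase, salt, 200000)) // raise rounds as CPU budget allows
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// SealKey encrypts the raw private scalar (what ethcrypto.FromECDSA returns) under a passphrase and
// emits PEM carrying AES-256-GCM ciphertext; salt and nonce are not secret and ride in the PEM headers.
func SealKey(raw, passphrase []byte) ([]byte, error) {
	salt, nonce := make([]byte, 16), make([]byte, 12)
	if _, err := rand.Read(salt); err != nil { return nil, err }
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	gcm, err := newGCM(passphrase, salt)
	if err != nil { return nil, err }
	hdr := map[string]string{"KDF": "PBKDF2-HMAC-SHA256", "Salt": hex.EncodeToString(salt), "Nonce": hex.EncodeToString(nonce)}
	// "SEALED EC PRIVATE KEY" is a label invented for this example, not a standard PEM type.
	return pem.EncodeToMemory(&pem.Block{Type: "SEALED EC PRIVATE KEY", Headers: hdr, Bytes: gcm.Seal(nil, nonce, raw, nil)}), nil
}

// OpenKey reverses SealKey; a wrong passphrase or a tampered file fails closed on the GCM tag check.
func OpenKey(pemBytes, passphrase []byte) ([]byte, error) {
	blk, _ := pem.Decode(pemBytes)
	if blk == nil { return nil, errors.New("no PEM block") }
	salt, errS := hex.DecodeString(blk.Headers["Salt"])
	nonce, errN := hex.DecodeString(blk.Headers["Nonce"])
	if errS != nil || errN != nil || len(nonce) != 12 { return nil, errors.New("malformed headers") }
	gcm, err := newGCM(passphrase, salt)
	if err != nil { return nil, err }
	return gcm.Open(nil, nonce, blk.Bytes, nil)
}
```

In WriteNewKeys the change would be to pass ethcrypto.FromECDSA(privateKey) through SealKey before the 0600 write, so a copied sign*.pem file is useless without the passphrase; the public-key file can stay as it is.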