fix: allow certain keychain operations without a password (#726)

* fix: allow certain keychain operations without a password

Listing, removing, renaming etc keys do not require a password so
the user should not be required to provide one.

This means we don't have to prompt the user to create a password
when they aren't going to do any operations that require a password.

* fix: make keychain pass optional

* fix: support libp2p creation without keychain pass

Co-authored-by: Jacob Heun <jacobheun@gmail.com>

Author: achingbrain

src/index.js

@@ -82,7 +82,7 @@ class Libp2p extends EventEmitter {
     }
 
     // Create keychain
-    if (this._options.keychain && this._options.keychain.pass && this._options.keychain.datastore) {
+    if (this._options.keychain && this._options.keychain.datastore) {
       log('creating keychain')
 
       const keychainOpts = Keychain.generateOptions()

src/keychain/index.js

@@ -110,7 +110,7 @@ class Keychain {
     this.opts = mergeOptions(defaultOptions, options)
 
     // Enforce NIST SP 800-132
-    if (!this.opts.passPhrase || this.opts.passPhrase.length < 20) {
+    if (this.opts.passPhrase && this.opts.passPhrase.length < 20) {
       throw new Error('passPhrase must be least 20 characters')
     }
     if (this.opts.dek.keyLength < NIST.minKeyLength) {
@@ -123,13 +123,13 @@ class Keychain {
       throw new Error(`dek.iterationCount must be least ${NIST.minIterationCount}`)
     }
 
-    // Create the derived encrypting key
-    const dek = crypto.pbkdf2(
+    const dek = this.opts.passPhrase ? crypto.pbkdf2(
       this.opts.passPhrase,
       this.opts.dek.salt,
       this.opts.dek.iterationCount,
       this.opts.dek.keyLength,
-      this.opts.dek.hash)
+      this.opts.dek.hash) : ''
+
     Object.defineProperty(this, '_', { value: () => dek })
   }
 

test/keychain/keychain.spec.js

@@ -2,10 +2,8 @@
 /* eslint-env mocha */
 'use strict'
 
-const chai = require('chai')
-const { expect } = chai
+const { chai, expect } = require('aegir/utils/chai')
 const fail = expect.fail
-chai.use(require('dirty-chai'))
 chai.use(require('chai-string'))
 
 const peerUtils = require('../utils/creators/peer')
@@ -40,8 +38,8 @@ describe('keychain', () => {
     emptyKeystore = new Keychain(datastore1, { passPhrase: passPhrase })
   })
 
-  it('needs a pass phrase to encrypt a key', () => {
-    expect(() => new Keychain(datastore2)).to.throw()
+  it('can start without a password', () => {
+    expect(() => new Keychain(datastore2)).to.not.throw()
   })
 
   it('needs a NIST SP 800-132 non-weak pass phrase', () => {
@@ -56,12 +54,48 @@ describe('keychain', () => {
     expect(Keychain.options).to.exist()
   })
 
-  it('needs a supported hashing alorithm', () => {
+  it('supports supported hashing alorithms', () => {
     const ok = new Keychain(datastore2, { passPhrase: passPhrase, dek: { hash: 'sha2-256' } })
     expect(ok).to.exist()
+  })
+
+  it('does not support unsupported hashing alorithms', () => {
     expect(() => new Keychain(datastore2, { passPhrase: passPhrase, dek: { hash: 'my-hash' } })).to.throw()
   })
 
+  it('can list keys without a password', async () => {
+    const keychain = new Keychain(datastore2)
+
+    expect(await keychain.listKeys()).to.have.lengthOf(0)
+  })
+
+  it('can find a key without a password', async () => {
+    const keychain = new Keychain(datastore2)
+    const keychainWithPassword = new Keychain(datastore2, { passPhrase: `hello-${Date.now()}-${Date.now()}` })
+    const id = `key-${Math.random()}`
+
+    await keychainWithPassword.createKey(id, 'rsa', 2048)
+
+    await expect(keychain.findKeyById(id)).to.eventually.be.ok()
+  })
+
+  it('can remove a key without a password', async () => {
+    const keychainWithoutPassword = new Keychain(datastore2)
+    const keychainWithPassword = new Keychain(datastore2, { passPhrase: `hello-${Date.now()}-${Date.now()}` })
+    const name = `key-${Math.random()}`
+
+    expect(await keychainWithPassword.createKey(name, 'rsa', 2048)).to.have.property('name', name)
+    expect(await keychainWithoutPassword.findKeyByName(name)).to.have.property('name', name)
+    await keychainWithoutPassword.removeKey(name)
+    await expect(keychainWithoutPassword.findKeyByName(name)).to.be.rejectedWith(/does not exist/)
+  })
+
+  it('requires a key to create a password', async () => {
+    const keychain = new Keychain(datastore2)
+
+    await expect(keychain.createKey('derp')).to.be.rejected()
+  })
+
   it('can generate options', () => {
     const options = Keychain.generateOptions()
     options.passPhrase = passPhrase
@@ -475,7 +509,7 @@ describe('libp2p.keychain', () => {
     throw new Error('should throw an error using the keychain if no passphrase provided')
   })
 
-  it('can be used if a passphrase is provided', async () => {
+  it('can be used when a passphrase is provided', async () => {
     const [libp2p] = await peerUtils.createPeer({
       started: false,
       config: {
@@ -492,6 +526,22 @@ describe('libp2p.keychain', () => {
     expect(kInfo).to.exist()
   })
 
+  it('does not require a keychain passphrase', async () => {
+    const [libp2p] = await peerUtils.createPeer({
+      started: false,
+      config: {
+        keychain: {
+          datastore: new MemoryDatastore()
+        }
+      }
+    })
+
+    await libp2p.loadKeychain()
+
+    const kInfo = await libp2p.keychain.createKey('keyName', 'ed25519')
+    expect(kInfo).to.exist()
+  })
+
   it('can reload keys', async () => {
     const datastore = new MemoryDatastore()
     const [libp2p] = await peerUtils.createPeer({