diff --git a/changelog.md b/changelog.md index 67f62a348a..c7924f7e78 100644 --- a/changelog.md +++ b/changelog.md @@ -1,6 +1,9 @@ # CHANGELOG ## Unreleased +* [1574](https://github.com/zeta-chain/node/pull/1574) added password prompts for hotkey and tss keyshare in zetaclient +Starting zetaclient now requires two passwords to be input; one for the hotkey and another for the tss key-share. +* `zetaclientd start` : 2 inputs required from stdin ### Features diff --git a/cmd/zetaclientd/keygen_tss.go b/cmd/zetaclientd/keygen_tss.go index 0b21f880ff..1c77086f59 100644 --- a/cmd/zetaclientd/keygen_tss.go +++ b/cmd/zetaclientd/keygen_tss.go @@ -27,7 +27,9 @@ func GenerateTss(logger zerolog.Logger, priKey secp256k1.PrivKey, ts *mc.TelemetryServer, tssHistoricalList []observertypes.TSS, - metrics *metrics.Metrics) (*mc.TSS, error) { + metrics *metrics.Metrics, + tssPassword string, + hotkeyPassword string) (*mc.TSS, error) { keygenLogger := logger.With().Str("module", "keygen").Logger() // Bitcoin chain ID is currently used for using the correct signature format @@ -47,6 +49,8 @@ func GenerateTss(logger zerolog.Logger, tssHistoricalList, metrics, bitcoinChainID, + tssPassword, + hotkeyPassword, ) if err != nil { keygenLogger.Error().Err(err).Msg("NewTSS error") diff --git a/cmd/zetaclientd/start.go b/cmd/zetaclientd/start.go index f0528fb9d1..1f60a8f44c 100644 --- a/cmd/zetaclientd/start.go +++ b/cmd/zetaclientd/start.go @@ -1,6 +1,7 @@ package main import ( + "bufio" "encoding/json" "fmt" "io" @@ -45,6 +46,12 @@ func start(_ *cobra.Command, _ []string) error { SetupConfigForTest() + //Prompt for Hotkey and TSS key-share passwords + hotkeyPass, tssKeyPass, err := promptPasswords() + if err != nil { + return err + } + //Load Config file given path cfg, err := config.Load(rootArgs.zetaCoreHome) if err != nil { @@ -77,7 +84,7 @@ func start(_ *cobra.Command, _ []string) error { // CreateZetaBridge: Zetabridge is used for all communication to zetacore , which this client connects to. // Zetacore accumulates votes , and provides a centralized source of truth for all clients - zetaBridge, err := CreateZetaBridge(cfg, telemetryServer) + zetaBridge, err := CreateZetaBridge(cfg, telemetryServer, hotkeyPass) if err != nil { panic(err) } @@ -120,7 +127,7 @@ func start(_ *cobra.Command, _ []string) error { // The bridgePk is private key for the Hotkey. The Hotkey is used to sign all inbound transactions // Each node processes a portion of the key stored in ~/.tss by default . Custom location can be specified in config file during init. // After generating the key , the address is set on the zetacore - bridgePk, err := zetaBridge.GetKeys().GetPrivateKey() + bridgePk, err := zetaBridge.GetKeys().GetPrivateKey(hotkeyPass) if err != nil { startLogger.Error().Err(err).Msg("zetabridge getPrivateKey error") } @@ -160,7 +167,7 @@ func start(_ *cobra.Command, _ []string) error { } telemetryServer.SetIPAddress(cfg.PublicIP) - tss, err := GenerateTss(masterLogger, cfg, zetaBridge, peers, priKey, telemetryServer, tssHistoricalList, metrics) + tss, err := GenerateTss(masterLogger, cfg, zetaBridge, peers, priKey, telemetryServer, tssHistoricalList, metrics, tssKeyPass, hotkeyPass) if err != nil { return err } @@ -309,3 +316,26 @@ func initPreParams(path string) { } } } + +// promptPasswords() This function will prompt for passwords which will be used to decrypt two key files: +// 1. HotKey +// 2. TSS key-share +func promptPasswords() (string, string, error) { + reader := bufio.NewReader(os.Stdin) + fmt.Print("HotKey Password: ") + hotKeyPass, err := reader.ReadString('\n') + if err != nil { + return "", "", err + } + fmt.Print("TSS Password: ") + TSSKeyPass, err := reader.ReadString('\n') + if err != nil { + return "", "", err + } + + if TSSKeyPass == "" { + return "", "", errors.New("hotkey and tss passwords are required to start zetaclient") + } + + return hotKeyPass, TSSKeyPass, err +} diff --git a/cmd/zetaclientd/utils.go b/cmd/zetaclientd/utils.go index 9b17b1ef80..c1a4dfa069 100644 --- a/cmd/zetaclientd/utils.go +++ b/cmd/zetaclientd/utils.go @@ -15,7 +15,7 @@ func CreateAuthzSigner(granter string, grantee sdk.AccAddress) { zetaclient.SetupAuthZSignerList(granter, grantee) } -func CreateZetaBridge(cfg *config.Config, telemetry *zetaclient.TelemetryServer) (*zetaclient.ZetaCoreBridge, error) { +func CreateZetaBridge(cfg *config.Config, telemetry *zetaclient.TelemetryServer, hotkeyPassword string) (*zetaclient.ZetaCoreBridge, error) { hotKey := cfg.AuthzHotkey if cfg.HsmMode { hotKey = cfg.HsmHotKey @@ -23,7 +23,7 @@ func CreateZetaBridge(cfg *config.Config, telemetry *zetaclient.TelemetryServer) chainIP := cfg.ZetaCoreURL - kb, _, err := zetaclient.GetKeyringKeybase(cfg) + kb, _, err := zetaclient.GetKeyringKeybase(cfg, hotkeyPassword) if err != nil { return nil, err } @@ -33,7 +33,7 @@ func CreateZetaBridge(cfg *config.Config, telemetry *zetaclient.TelemetryServer) return nil, err } - k := zetaclient.NewKeysWithKeybase(kb, granterAddreess, cfg.AuthzHotkey) + k := zetaclient.NewKeysWithKeybase(kb, granterAddreess, cfg.AuthzHotkey, hotkeyPassword) bridge, err := zetaclient.NewZetaCoreBridge(k, chainIP, hotKey, cfg.ChainID, cfg.HsmMode, telemetry) if err != nil { diff --git a/contrib/localnet/scripts/password.file b/contrib/localnet/scripts/password.file new file mode 100644 index 0000000000..96b3814661 --- /dev/null +++ b/contrib/localnet/scripts/password.file @@ -0,0 +1,2 @@ +password +pass2 diff --git a/contrib/localnet/scripts/start-zetaclientd-background.sh b/contrib/localnet/scripts/start-zetaclientd-background.sh index 74ee897fdf..d217369e35 100644 --- a/contrib/localnet/scripts/start-zetaclientd-background.sh +++ b/contrib/localnet/scripts/start-zetaclientd-background.sh @@ -4,12 +4,18 @@ HOSTNAME=$(hostname) +# read HOTKEY_BACKEND env var for hotkey keyring backend and set default to test +BACKEND="test" +if [ "$HOTKEY_BACKEND" == "file" ]; then + BACKEND="file" +fi + cp /root/preparams/PreParams_$HOSTNAME.json /root/preParams.json num=$(echo $HOSTNAME | tr -dc '0-9') node="zetacore$num" echo "Wait for zetacore to exchange genesis file" -sleep 30 +sleep 40 operator=$(cat $HOME/.zetacored/os.json | jq '.ObserverAddress' ) operatorAddress=$(echo "$operator" | tr -d '"') echo "operatorAddress: $operatorAddress" @@ -18,8 +24,8 @@ if [ $HOSTNAME == "zetaclient0" ] then rm ~/.tss/* MYIP=$(/sbin/ip -o -4 addr list eth0 | awk '{print $4}' | cut -d/ -f1) - zetaclientd init --zetacore-url zetacore0 --chain-id athens_101-1 --operator "$operatorAddress" --log-format=text --public-ip "$MYIP" - zetaclientd start > $HOME/zetaclient.log 2>&1 & + zetaclientd init --zetacore-url zetacore0 --chain-id athens_101-1 --operator "$operatorAddress" --log-format=text --public-ip "$MYIP" --keyring-backend "$BACKEND" + zetaclientd start < /root/password.file > $HOME/zetaclient.log 2>&1 & else num=$(echo $HOSTNAME | tr -dc '0-9') node="zetacore$num" @@ -30,8 +36,8 @@ else SEED=$(curl --retry 10 --retry-delay 5 --retry-connrefused -s zetaclient0:8123/p2p) done rm ~/.tss/* - zetaclientd init --peer /ip4/172.20.0.21/tcp/6668/p2p/"$SEED" --zetacore-url "$node" --chain-id athens_101-1 --operator "$operatorAddress" --log-format=text --public-ip "$MYIP" --log-level 0 - zetaclientd start > $HOME/zetaclient.log 2>&1 & + zetaclientd init --peer /ip4/172.20.0.21/tcp/6668/p2p/"$SEED" --zetacore-url "$node" --chain-id athens_101-1 --operator "$operatorAddress" --log-format=text --public-ip "$MYIP" --log-level 1 --keyring-backend "$BACKEND" + zetaclientd start < /root/password.file > $HOME/zetaclient.log 2>&1 & fi sleep 3 diff --git a/contrib/localnet/scripts/start-zetaclientd-genesis.sh b/contrib/localnet/scripts/start-zetaclientd-genesis.sh index 5f2cadceab..4716973fc8 100755 --- a/contrib/localnet/scripts/start-zetaclientd-genesis.sh +++ b/contrib/localnet/scripts/start-zetaclientd-genesis.sh @@ -25,7 +25,7 @@ then rm ~/.tss/* MYIP=$(/sbin/ip -o -4 addr list eth0 | awk '{print $4}' | cut -d/ -f1) zetaclientd init --zetacore-url zetacore0 --chain-id athens_101-1 --operator "$operatorAddress" --log-format=text --public-ip "$MYIP" --keyring-backend "$BACKEND" - zetaclientd start + zetaclientd start < /root/password.file else num=$(echo $HOSTNAME | tr -dc '0-9') node="zetacore$num" @@ -37,5 +37,5 @@ else done rm ~/.tss/* zetaclientd init --peer /ip4/172.20.0.21/tcp/6668/p2p/"$SEED" --zetacore-url "$node" --chain-id athens_101-1 --operator "$operatorAddress" --log-format=text --public-ip "$MYIP" --log-level 1 --keyring-backend "$BACKEND" - zetaclientd start + zetaclientd start < /root/password.file fi diff --git a/contrib/localnet/scripts/start-zetaclientd-p2p-diag.sh b/contrib/localnet/scripts/start-zetaclientd-p2p-diag.sh index a1fc3358f7..310e245878 100644 --- a/contrib/localnet/scripts/start-zetaclientd-p2p-diag.sh +++ b/contrib/localnet/scripts/start-zetaclientd-p2p-diag.sh @@ -17,7 +17,7 @@ then --pre-params ~/preParams.json --zetacore-url zetacore0 \ --chain-id athens_101-1 --dev --operator zeta1z46tdw75jvh4h39y3vu758ctv34rw5z9kmyhgz --log-level 0 --hotkey=val_grantee_observer \ --p2p-diagnostic - zetaclientd start + zetaclientd start < /root/password.file else num=$(echo $HOSTNAME | tr -dc '0-9') node="zetacore$num" @@ -29,5 +29,5 @@ else --pre-params ~/preParams.json --zetacore-url $node \ --chain-id athens_101-1 --dev --operator zeta1lz2fqwzjnk6qy48fgj753h48444fxtt7hekp52 --log-level 0 --hotkey=val_grantee_observer \ --p2p-diagnostic - zetaclientd start + zetaclientd start < /root/password.file fi diff --git a/go.mod b/go.mod index 942af7d565..bf7ce72687 100644 --- a/go.mod +++ b/go.mod @@ -335,6 +335,7 @@ replace ( // use cometbft github.com/tendermint/tendermint => github.com/cometbft/cometbft v0.34.28 github.com/tendermint/tm-db => github.com/BlockPILabs/cosmos-db v0.0.3 + github.com/zeta-chain/go-tss => github.com/zeta-chain/go-tss v0.1.1-0.20240115203400-a5b80e5da933 ) diff --git a/go.sum b/go.sum index 6d1e76aba3..9e22c43e9f 100644 --- a/go.sum +++ b/go.sum @@ -3030,8 +3030,8 @@ github.com/yusufpapurcu/wmi v1.2.2/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQ github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX5oPXxHm3bOH+xeAttToC8pqch2ScQN/JoXYupl6xs= github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50/go.mod h1:NUSPSUX/bi6SeDMUh6brw0nXpxHnc96TguQh0+r/ssA= github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg= -github.com/zeta-chain/go-tss v0.1.1-0.20240103170132-35850edf5dbd h1:wv+VGLFX8IhPuoqAVQGAQjlEPWqYjowJgJVNReolJTM= -github.com/zeta-chain/go-tss v0.1.1-0.20240103170132-35850edf5dbd/go.mod h1:+lJfk/qqt+oxXeVuJV+PzpUoxftUfoTRf2eF3qlbyFI= +github.com/zeta-chain/go-tss v0.1.1-0.20240115203400-a5b80e5da933 h1:cx6ZXVmV9LpkYRQER7+sTgu56wdmaU1U5VJcx3rsCwc= +github.com/zeta-chain/go-tss v0.1.1-0.20240115203400-a5b80e5da933/go.mod h1:+lJfk/qqt+oxXeVuJV+PzpUoxftUfoTRf2eF3qlbyFI= github.com/zeta-chain/keystone/keys v0.0.0-20231105174229-903bc9405da2 h1:gd2uE0X+ZbdFJ8DubxNqLbOVlCB12EgWdzSNRAR82tM= github.com/zeta-chain/keystone/keys v0.0.0-20231105174229-903bc9405da2/go.mod h1:x7Bkwbzt2W2lQfjOirnff0Dj+tykdbTG1FMJPVPZsvE= github.com/zeta-chain/protocol-contracts v1.0.2-athens3.0.20230816152528-db7d2bf9144b h1:aZRt5BtXdoDdyrUKwcv3B7mS30m/B854cjKjmnXBE5A= diff --git a/zetaclient/broadcast.go b/zetaclient/broadcast.go index c4fee8c1c9..2dd9ddfc15 100644 --- a/zetaclient/broadcast.go +++ b/zetaclient/broadcast.go @@ -132,10 +132,7 @@ func (b *ZetaCoreBridge) GetContext() (client.Context, error) { } // if password is needed, set it as input - password, err := b.keys.GetHotkeyPassword() - if err != nil { - return ctx, err - } + password := b.keys.GetHotkeyPassword() if password != "" { ctx = ctx.WithInput(strings.NewReader(fmt.Sprintf("%[1]s\n%[1]s\n", password))) } diff --git a/zetaclient/keys.go b/zetaclient/keys.go index 6eae47850f..77f424eac7 100644 --- a/zetaclient/keys.go +++ b/zetaclient/keys.go @@ -2,7 +2,6 @@ package zetaclient import ( "bytes" - "errors" "fmt" "io" "os" @@ -20,22 +19,21 @@ import ( "github.com/zeta-chain/zetacore/zetaclient/config" ) -// HotkeyPasswordEnvVar is the environment variable used to retrieve the password for the hotkey -const HotkeyPasswordEnvVar = "HOTKEY_PASSWORD" - // Keys manages all the keys used by zeta client type Keys struct { signerName string kb ckeys.Keyring OperatorAddress sdk.AccAddress + hotkeyPassword string } // NewKeysWithKeybase create a new instance of Keys -func NewKeysWithKeybase(kb ckeys.Keyring, granterAddress sdk.AccAddress, granteeName string) *Keys { +func NewKeysWithKeybase(kb ckeys.Keyring, granterAddress sdk.AccAddress, granteeName string, hotkeyPassword string) *Keys { return &Keys{ signerName: granteeName, kb: kb, OperatorAddress: granterAddress, + hotkeyPassword: hotkeyPassword, } } @@ -44,7 +42,7 @@ func GetGranteeKeyName(signerName string) string { } // GetKeyringKeybase return keyring and key info -func GetKeyringKeybase(cfg *config.Config) (ckeys.Keyring, string, error) { +func GetKeyringKeybase(cfg *config.Config, hotkeyPassword string) (ckeys.Keyring, string, error) { granteeName := cfg.AuthzHotkey chainHomeFolder := cfg.ZetaCoreHome logger := log.Logger.With().Str("module", "GetKeyringKeybase").Logger() @@ -55,13 +53,9 @@ func GetKeyringKeybase(cfg *config.Config) (ckeys.Keyring, string, error) { // read password from env if using keyring backend file buf := bytes.NewBufferString("") if cfg.KeyringBackend == config.KeyringBackendFile { - password, err := getHotkeyPassword() - if err != nil { - return nil, "", err - } - buf.WriteString(password) + buf.WriteString(hotkeyPassword) buf.WriteByte('\n') // the library used by keyring is using ReadLine , which expect a new line - buf.WriteString(password) + buf.WriteString(hotkeyPassword) buf.WriteByte('\n') } @@ -137,12 +131,7 @@ func (k *Keys) GetAddress() sdk.AccAddress { } // GetPrivateKey return the private key -func (k *Keys) GetPrivateKey() (cryptotypes.PrivKey, error) { - password, err := k.GetHotkeyPassword() - if err != nil { - return nil, err - } - +func (k *Keys) GetPrivateKey(password string) (cryptotypes.PrivKey, error) { signer := GetGranteeKeyName(k.signerName) privKeyArmor, err := k.kb.ExportPrivKeyArmor(signer, password) if err != nil { @@ -160,13 +149,13 @@ func (k *Keys) GetKeybase() ckeys.Keyring { return k.kb } -func (k *Keys) GetPubKeySet() (common.PubKeySet, error) { +func (k *Keys) GetPubKeySet(password string) (common.PubKeySet, error) { pubkeySet := common.PubKeySet{ Secp256k1: "", Ed25519: "", } - pK, err := k.GetPrivateKey() + pK, err := k.GetPrivateKey(password) if err != nil { return pubkeySet, err } @@ -185,25 +174,9 @@ func (k *Keys) GetPubKeySet() (common.PubKeySet, error) { // GetHotkeyPassword returns the password to be used // returns empty if no password is needed -func (k *Keys) GetHotkeyPassword() (string, error) { +func (k *Keys) GetHotkeyPassword() string { if k.GetKeybase().Backend() == ckeys.BackendFile { - return getHotkeyPassword() - } - return "", nil -} - -// getHotkeyPassword retrieves the HOTKEY_PASSWORD environment variable -// and returns an error if it's not defined or shorter than 8 characters. -func getHotkeyPassword() (string, error) { - password := os.Getenv(HotkeyPasswordEnvVar) - - if password == "" { - return "", errors.New("HOTKEY_PASSWORD environment variable is not defined, use --keyring-backend-test to use the test keyring") + return k.hotkeyPassword } - - if len(password) < 8 { - return "", errors.New("HOTKEY_PASSWORD should be at least 8 characters long") - } - - return password, nil + return "" } diff --git a/zetaclient/keys_test.go b/zetaclient/keys_test.go index a2bd2fdcd5..74bb9b970b 100644 --- a/zetaclient/keys_test.go +++ b/zetaclient/keys_test.go @@ -80,7 +80,7 @@ func (ks *KeysSuite) TestGetKeyringKeybase(c *C) { AuthzHotkey: "bob", ZetaCoreHome: "/Users/test/.zetacored/", } - _, _, err := GetKeyringKeybase(cfg) + _, _, err := GetKeyringKeybase(cfg, "") c.Assert(err, NotNil) } @@ -101,15 +101,15 @@ func (ks *KeysSuite) TestNewKeys(c *C) { ZetaCoreHome: folder, } - k, _, err := GetKeyringKeybase(cfg) + k, _, err := GetKeyringKeybase(cfg, "") c.Assert(err, IsNil) c.Assert(k, NotNil) granter := cosmos.AccAddress(crypto.AddressHash([]byte("granter"))) - ki := NewKeysWithKeybase(k, granter, signerNameForTest) + ki := NewKeysWithKeybase(k, granter, signerNameForTest, "") kInfo := ki.GetSignerInfo() c.Assert(kInfo, NotNil) //c.Assert(kInfo.G, Equals, signerNameForTest) - priKey, err := ki.GetPrivateKey() + priKey, err := ki.GetPrivateKey("") c.Assert(err, IsNil) c.Assert(priKey, NotNil) c.Assert(priKey.Bytes(), HasLen, 32) diff --git a/zetaclient/tss_signer.go b/zetaclient/tss_signer.go index dd75835024..237faf496a 100644 --- a/zetaclient/tss_signer.go +++ b/zetaclient/tss_signer.go @@ -83,8 +83,10 @@ func NewTSS( tssHistoricalList []observertypes.TSS, metrics *metrics.Metrics, bitcoinChainID int64, + tssPassword string, + hotkeyPassword string, ) (*TSS, error) { - server, err := SetupTSSServer(peer, privkey, preParams, cfg) + server, err := SetupTSSServer(peer, privkey, preParams, cfg, tssPassword) if err != nil { return nil, fmt.Errorf("SetupTSSServer error: %w", err) } @@ -101,7 +103,7 @@ func NewTSS( if err != nil { return nil, err } - _, pubkeyInBech32, err := GetKeyringKeybase(cfg) + _, pubkeyInBech32, err := GetKeyringKeybase(cfg, hotkeyPassword) if err != nil { return nil, err } @@ -118,7 +120,7 @@ func NewTSS( return &newTss, nil } -func SetupTSSServer(peer p2p.AddrList, privkey tmcrypto.PrivKey, preParams *keygen.LocalPreParams, cfg *config.Config) (*tss.TssServer, error) { +func SetupTSSServer(peer p2p.AddrList, privkey tmcrypto.PrivKey, preParams *keygen.LocalPreParams, cfg *config.Config, tssPassword string) (*tss.TssServer, error) { bootstrapPeers := peer log.Info().Msgf("Peers AddrList %v", bootstrapPeers) @@ -152,6 +154,7 @@ func SetupTSSServer(peer p2p.AddrList, privkey tmcrypto.PrivKey, preParams *keyg }, preParams, // use pre-generated pre-params if non-nil IP, // for docker test + tssPassword, ) if err != nil { log.Error().Err(err).Msg("NewTSS error")