Improve bls::SecretKey privacy (#1164)

* Improve bls::SecretKey privacy * Add missed file * Remove more methods from bls::SecretKey * Add as_bytes() to SecretKey, remove as_raw * Remove as_raw * Add back as_raw * Address review comments
2026-06-29 19:04:27 +00:00 · 2020-05-19 11:23:08 +10:00
parent 314fae41fe
commit c93f9c351b
26 changed files with 102 additions and 295 deletions
--- a/crypto/eth2_keystore/src/keystore.rs
+++ b/crypto/eth2_keystore/src/keystore.rs
@@ -6,7 +6,7 @@ use crate::json_keystore::{
    Aes128Ctr, ChecksumModule, Cipher, CipherModule, Crypto, EmptyMap, EmptyString, JsonKeystore,
    Kdf, KdfModule, Scrypt, Sha256Checksum, Version,
 };
-use crate::plain_text::PlainText;
+use crate::PlainText;
 use crate::Uuid;
 use bls::{Keypair, PublicKey, SecretKey};
 use crypto::{digest::Digest, sha2::Sha256};
@@ -130,7 +130,7 @@ impl Keystore {
        uuid: Uuid,
        path: String,
    ) -> Result<Self, Error> {
-        let secret = PlainText::from(keypair.sk.as_raw().as_bytes());
+        let secret: PlainText = keypair.sk.as_bytes();

        let (cipher_text, checksum) = encrypt(secret.as_bytes(), password, &kdf, &cipher)?;

--- a/crypto/eth2_keystore/src/lib.rs
+++ b/crypto/eth2_keystore/src/lib.rs
@@ -3,13 +3,12 @@

 mod derived_key;
 mod keystore;
-mod plain_text;

 pub mod json_keystore;

+pub use bls::PlainText;
 pub use keystore::{
    decrypt, default_kdf, encrypt, keypair_from_secret, Error, Keystore, KeystoreBuilder, DKLEN,
    HASH_SIZE, IV_SIZE, SALT_SIZE,
 };
-pub use plain_text::PlainText;
 pub use uuid::Uuid;
--- a/crypto/eth2_keystore/src/plain_text.rs
+++ b/crypto/eth2_keystore/src/plain_text.rs
@@ -1,34 +0,0 @@
-use zeroize::Zeroize;
-
-/// Provides wrapper around `Vec<u8>` that implements `Zeroize`.
-#[derive(Zeroize, Clone, PartialEq)]
-#[zeroize(drop)]
-pub struct PlainText(Vec<u8>);
-
-impl PlainText {
-    /// Instantiate self with `len` zeros.
-    pub fn zero(len: usize) -> Self {
-        Self(vec![0; len])
-    }
-
-    /// The byte-length of `self`
-    pub fn len(&self) -> usize {
-        self.0.len()
-    }
-
-    /// Returns a reference to the underlying bytes.
-    pub fn as_bytes(&self) -> &[u8] {
-        &self.0
-    }
-
-    /// Returns a mutable reference to the underlying bytes.
-    pub fn as_mut_bytes(&mut self) -> &mut [u8] {
-        &mut self.0
-    }
-}
-
-impl From<Vec<u8>> for PlainText {
-    fn from(vec: Vec<u8>) -> Self {
-        Self(vec)
-    }
-}
--- a/crypto/eth2_keystore/tests/eip2335_vectors.rs
+++ b/crypto/eth2_keystore/tests/eip2335_vectors.rs
@@ -14,7 +14,7 @@ pub fn decode_and_check_sk(json: &str) -> Keystore {
    let keystore = Keystore::from_json_str(json).expect("should decode keystore json");
    let expected_sk = hex::decode(EXPECTED_SECRET).unwrap();
    let keypair = keystore.decrypt_keypair(PASSWORD.as_bytes()).unwrap();
-    assert_eq!(keypair.sk.as_raw().as_bytes(), expected_sk);
+    assert_eq!(keypair.sk.as_bytes().as_ref(), &expected_sk[..]);
    keystore
 }

--- a/crypto/eth2_keystore/tests/tests.rs
+++ b/crypto/eth2_keystore/tests/tests.rs
@@ -38,8 +38,8 @@ fn string_round_trip() {
    );

    assert_eq!(
-        decoded.decrypt_keypair(GOOD_PASSWORD).unwrap(),
-        keypair,
+        decoded.decrypt_keypair(GOOD_PASSWORD).unwrap().pk,
+        keypair.pk,
        "should decrypt with good password"
    );
 }
@@ -77,8 +77,8 @@ fn file() {
    );

    assert_eq!(
-        decoded.decrypt_keypair(GOOD_PASSWORD).unwrap(),
-        keypair,
+        decoded.decrypt_keypair(GOOD_PASSWORD).unwrap().pk,
+        keypair.pk,
        "should decrypt with good password"
    );
 }
@@ -102,8 +102,8 @@ fn scrypt_params() {
    );

    assert_eq!(
-        decoded.decrypt_keypair(GOOD_PASSWORD).unwrap(),
-        keypair,
+        decoded.decrypt_keypair(GOOD_PASSWORD).unwrap().pk,
+        keypair.pk,
        "should decrypt with good password"
    );
 }