security: validate genesis JSON and keystore file permissions #5

Open
owenwahlgren wants to merge 1 commit into main from security/audit-fixes

@owenwahlgren owenwahlgren commented Feb 9, 2026

Summary

Two security hardening fixes from production readiness audit:

  • Genesis JSON validation (cmd/chain.go): Validates JSON structure with json.Valid() before submitting to P-Chain, preventing wasted transaction fees on malformed input
  • Keystore permission check (pkg/keystore/keystore.go): Validates file permissions (0600) when loading key files, refusing to read keys with insecure permissions and providing actionable fix instructions (no-op on Windows)

Test plan

  • go vet ./... passes
  • go test ./pkg/... ./cmd/... all pass
  • Test genesis validation: create chain with invalid JSON file, expect clear error
  • Test permission check: chmod 644 a key file, expect refusal with fix instruction

- Add json.Valid() check before passing genesis data to P-Chain
  transaction builder, preventing wasted fees on malformed input
- Add file permission validation when loading keystore files,
  refusing to read keys with insecure permissions (e.g. 0644)
  and providing actionable fix instructions
- Skip permission check on Windows where POSIX perms don't apply
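
The two checks this pull request describes, as an added Go example that is not the project's code: `LoadKeyFile`, `ValidateGenesis` and `ErrInsecurePerms` are hypothetical names, and it assumes any group or other permission bit counts as insecure. The mode is read from the open handle so the check and the read refer to the same file.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"
	"runtime"
)

// ErrInsecurePerms marks a key file that group or other can access.
var ErrInsecurePerms = errors.New("insecure key file permissions")

// LoadKeyFile (hypothetical name) checks the mode on the opened handle and
// then reads from that same handle, so the file cannot be swapped between
// the permission check and the read.
func LoadKeyFile(path string) ([]byte, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return nil, err
	}
	// POSIX permission bits are not meaningful on Windows, so skip there.
	if perm := info.Mode().Perm(); runtime.GOOS != "windows" && perm&0077 != 0 {
		return nil, fmt.Errorf("%w: %s has mode %04o, fix with: chmod 600 %s",
			ErrInsecurePerms, path, uint32(perm), path)
	}
	return io.ReadAll(f)
}

// ValidateGenesis (hypothetical name) rejects empty or malformed JSON before
// any fee-bearing transaction is built from it.
func ValidateGenesis(data []byte) error {
	if !json.Valid(data) {
		return errors.New("genesis file is not valid JSON")
	}
	return nil
}

func main() {
	// Constructed sample input: a truncated genesis document.
	fmt.Println(ValidateGenesis([]byte(`{"config": {"chainId": 1`)))
}
```

`json.Valid` only confirms the input is well-formed JSON; it does not check that the document has the fields a genesis needs.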