Skip to content

Commit

Permalink
refactor: reuse user storage encryption in profile sync SDK (#4649)
Browse files Browse the repository at this point in the history 
## Explanation

This was duplicated encryption logic used in controllers, this dedupes
the file changes

## References

<!--
Are there any issues that this pull request is tied to? Are there other
links that reviewers should consult to understand these changes better?

For example:

* Fixes #12345
* Related to #67890
-->

## Changelog

<!--
If you're making any consumer-facing changes, list those changes here as
if you were updating a changelog, using the template below as a guide.

(CATEGORY is one of BREAKING, ADDED, CHANGED, DEPRECATED, REMOVED, or
FIXED. For security-related issues, follow the Security Advisory
process.)

Please take care to name the exact pieces of the API you've added or
changed (e.g. types, interfaces, functions, or methods).

If there are any breaking changes, make sure to offer a solution for
consumers to follow once they upgrade to the changes.

Finally, if you're only making changes to development scripts or tests,
you may replace the template below with "None".
-->

### `@metamask/profile-sync-controller`

- **CHANGED**: Removed duplicate encryption logic in profile sync SDK
and used the Controller Encryption Logic.

## Checklist

- [x] I've updated the test suite for new or updated code as appropriate
- [x] I've updated documentation (JSDoc, Markdown, etc.) for new or
updated code as appropriate
- [x] I've highlighted breaking changes using the "BREAKING" category
above as appropriate
  • Loading branch information
@Prithpal-Sooriya
Prithpal-Sooriya authored Sep 2, 2024
1 parent ecb96d6 commit 78312b1
Show file tree
Hide file tree
Showing 2 changed files with 3 additions and 227 deletions.
51 changes: 0 additions & 51 deletions packages/profile-sync-controller/src/sdk/encryption.test.ts
View file

This file was deleted.

179 changes: 3 additions & 176 deletions packages/profile-sync-controller/src/sdk/encryption.ts
View file
Original file line number Diff line number Diff line change
@@ -1,177 +1,4 @@
import { gcm } from '@noble/ciphers/aes';
import { randomBytes } from '@noble/ciphers/webcrypto';
import { pbkdf2 } from '@noble/hashes/pbkdf2';
import { sha256 } from '@noble/hashes/sha256';
import { utf8ToBytes, concatBytes, bytesToHex } from '@noble/hashes/utils';
import encryption from '../controllers/user-storage/encryption/encryption';

export type EncryptedPayload = {
v: '1'; // version
d: string; // data
iterations: number;
};

/**
* Converts Byte Array to Base64 String
*
* @param byteArray - array of bytes
* @returns base64 string
*/
function byteArrayToBase64(byteArray: Uint8Array): string {
return Buffer.from(byteArray).toString('base64');
}

/**
* Converts Base64 String into Byte Array
*
* @param base64 - base64 encoded string
* @returns byte array
*/
function base64ToByteArray(base64: string): Uint8Array {
return new Uint8Array(Buffer.from(base64, 'base64'));
}

/**
* Converts Bytes into UTF-8 Encoded String
* @param byteArray - array of bytes
* @returns uft-8 encoded string
*/
function bytesToUtf8(byteArray: Uint8Array): string {
const decoder = new TextDecoder('utf-8');
return decoder.decode(byteArray);
}

class EncryptorDecryptor {
// TODO: Either fix this lint violation or explain why it's necessary to ignore.
// eslint-disable-next-line @typescript-eslint/naming-convention
#ALGORITHM_NONCE_SIZE = 12; // 12 bytes

// TODO: Either fix this lint violation or explain why it's necessary to ignore.
// eslint-disable-next-line @typescript-eslint/naming-convention
#ALGORITHM_KEY_SIZE = 16; // 16 bytes

// TODO: Either fix this lint violation or explain why it's necessary to ignore.
// eslint-disable-next-line @typescript-eslint/naming-convention
#PBKDF2_SALT_SIZE = 16; // 16 bytes

// TODO: Either fix this lint violation or explain why it's necessary to ignore.
// eslint-disable-next-line @typescript-eslint/naming-convention
#PBKDF2_ITERATIONS = 900_000;

encryptString(plaintext: string, password: string): string {
try {
if (plaintext.trim().length === 0) {
throw new Error('No plain text provided');
}

return this.#encryptStringV1(plaintext, password);
} catch (e) {
/* istanbul ignore next */
const errorMessage = e instanceof Error ? e.message : String(e);
throw new Error(`Unable to encrypt string - ${errorMessage}`);
}
}

decryptString(encryptedDataStr: string, password: string): string {
try {
const encryptedData: EncryptedPayload = JSON.parse(encryptedDataStr);
if (encryptedData.v === '1') {
return this.#decryptStringV1(encryptedData, password);
}
throw new Error(
`Unsupported encrypted data payload - ${JSON.stringify(encryptedData)}`,
);
} catch (e) {
/* istanbul ignore next */
const errorMessage = e instanceof Error ? e.message : String(e);
throw new Error(`Unable to decrypt string - ${errorMessage}`);
}
}

#encryptStringV1(plaintext: string, password: string): string {
const salt = randomBytes(this.#PBKDF2_SALT_SIZE);

// Derive a key using PBKDF2.
const key = pbkdf2(sha256, password, salt, {
c: this.#PBKDF2_ITERATIONS,
dkLen: this.#ALGORITHM_KEY_SIZE,
});

// Encrypt and prepend salt.
const plaintextRaw = utf8ToBytes(plaintext);
const ciphertextAndNonceAndSalt = concatBytes(
salt,
this.#encrypt(plaintextRaw, key),
);

// Convert to Base64
const encryptedData = byteArrayToBase64(ciphertextAndNonceAndSalt);

const encryptedPayload: EncryptedPayload = {
v: '1',
d: encryptedData,
iterations: this.#PBKDF2_ITERATIONS,
};

return JSON.stringify(encryptedPayload);
}

#decryptStringV1(data: EncryptedPayload, password: string): string {
const { iterations, d: base64CiphertextAndNonceAndSalt } = data;

// Decode the base64.
const ciphertextAndNonceAndSalt = base64ToByteArray(
base64CiphertextAndNonceAndSalt,
);

// Create buffers of salt and ciphertextAndNonce.
const salt = ciphertextAndNonceAndSalt.slice(0, this.#PBKDF2_SALT_SIZE);
const ciphertextAndNonce = ciphertextAndNonceAndSalt.slice(
this.#PBKDF2_SALT_SIZE,
ciphertextAndNonceAndSalt.length,
);

// Derive the key using PBKDF2.
const key = pbkdf2(sha256, password, salt, {
c: iterations,
dkLen: this.#ALGORITHM_KEY_SIZE,
});

// Decrypt and return result.
return bytesToUtf8(this.#decrypt(ciphertextAndNonce, key));
}

#encrypt(plaintext: Uint8Array, key: Uint8Array): Uint8Array {
const nonce = randomBytes(this.#ALGORITHM_NONCE_SIZE);

// Encrypt and prepend nonce.
const ciphertext = gcm(key, nonce).encrypt(plaintext);

return concatBytes(nonce, ciphertext);
}

#decrypt(ciphertextAndNonce: Uint8Array, key: Uint8Array): Uint8Array {
// Create buffers of nonce and ciphertext.
const nonce = ciphertextAndNonce.slice(0, this.#ALGORITHM_NONCE_SIZE);
const ciphertext = ciphertextAndNonce.slice(
this.#ALGORITHM_NONCE_SIZE,
ciphertextAndNonce.length,
);

// Decrypt and return result.
return gcm(key, nonce).decrypt(ciphertext);
}
}

export const Encryption = new EncryptorDecryptor();
export default Encryption;

/**
* Create a SHA-256 hash from a given string.
*
* @param data - input
* @returns hash
*/
export function createSHA256Hash(data: string): string {
const hashedData = sha256(data);
return bytesToHex(hashedData);
}
export * from '../controllers/user-storage/encryption/encryption';
export default encryption;

0 comments on commit 78312b1

Please sign in to comment.