Skip to content

test(storage): SecureStorage static crypto helpers (+14 tests)#353

Merged
TaprootFreak merged 1 commit into
developfrom
test/secure-storage-helpers
May 15, 2026
Merged

test(storage): SecureStorage static crypto helpers (+14 tests)#353
TaprootFreak merged 1 commit into
developfrom
test/secure-storage-helpers

Conversation

@TaprootFreak
Copy link
Copy Markdown
Contributor

@TaprootFreak TaprootFreak commented May 15, 2026

Summary

Stage 29 of the coverage push. Pure-Dart static methods on `SecureStorage` — pinning the on-disk crypto contract for PIN-hashing and seed-encryption.

Helper Cases
`generatePinSalt` 3
`hashPin` 5
`encryptSeed / decryptSeed` round-trip 6

What's pinned

  • generatePinSalt: returns a 16-byte `Uint8List`; consecutive calls return distinct salts (CSPRNG); every byte falls in 0..255.
  • hashPin: returns a 64-char lowercase-hex string (32 bytes); deterministic for the same `(pin, salt, iterations)` triple; sensitive to each axis individually — including the iteration-count variation that exists for the legacy-migration path (10k → 600k).
  • encryptSeed / decryptSeed: round-trips a typical 12-word mnemonic, an empty string, and unicode content; GCM nonce randomisation gives distinct ciphertexts for the same plaintext (privacy property); decrypt with the wrong key throws; output format is pinned as `:` (load-bearing for storage forward-compat).

Notes

  • Tests use `iterations: 1` on the synchronous `hashPin` to avoid the 600k-iter PBKDF2 cost. The deterministic / sensitivity properties hold for any iteration count.
  • These helpers are exercised indirectly in the existing PIN cubit tests, but a direct contract for them lets a crypto-edge-case regression (e.g. someone "optimising" the IV size) surface immediately.

Test plan

  • `flutter analyze` clean
  • `flutter test` — 14 / 14 passing locally
  • CI green

@TaprootFreak
test(storage): SecureStorage static crypto helpers (+14 tests)
8c1832f 
Stage 29 of the coverage push. Pure-Dart static methods on
SecureStorage — pin the on-disk crypto contract.

- generatePinSalt (3): 16-byte Uint8List; distinct on consecutive
  calls (CSPRNG); every byte in 0..255
- hashPin (5): 64-char hex (32 bytes); deterministic for same
  pin+salt; sensitive to pin / salt / iterations (legacy migration
  path also pinned)
- encryptSeed / decryptSeed round-trip (6): 12-word mnemonic;
  empty string; unicode; GCM nonce gives distinct ciphertexts for
  the same plaintext; wrong key throws; output format pinned as
  '<base64-iv>:<base64-ciphertext>'
@TaprootFreak TaprootFreak marked this pull request as ready for review May 15, 2026 17:49
@TaprootFreak TaprootFreak merged commit e60b1e4 into develop May 15, 2026
1 check passed
@TaprootFreak TaprootFreak deleted the test/secure-storage-helpers branch May 15, 2026 17:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@TaprootFreak