Fix audit

app/src/test/scala/org/alephium/app/RestServerSpec.scala

@@ -1228,7 +1228,7 @@ trait RestServerFixture
   lazy val blocksExporter = new BlocksExporter(node.blockFlow, rootPath)
   val walletConfig: WalletConfig = WalletConfig(
     None,
-    (new java.io.File("")).toPath,
+    Files.tmpDir.resolve(Hash.random.shortHex),
     Duration.ofMinutesUnsafe(0),
     apiConfig.apiKey,
     WalletConfig.BlockFlow("host", 0, 0, Duration.ofMinutesUnsafe(0), apiConfig.apiKey)

crypto/src/main/scala/org/alephium/crypto/AES.scala

@@ -30,7 +30,7 @@ object AES {
   final case class Encrypted(encrypted: ByteString, salt: ByteString, iv: ByteString)
 
   private val saltByteLength       = 64
-  private val ivByteLength         = 64
+  private val ivByteLength         = 12
   private val authTagLength        = 128
   private val keyAlgorithm         = "PBKDF2WithHmacSHA256"
   private val iterationCount       = 10000

wallet/src/main/scala/org/alephium/wallet/WalletApp.scala

@@ -16,7 +16,7 @@
 
 package org.alephium.wallet
 
-import java.nio.file.Paths
+import java.nio.file.{Files, Path, Paths}
 
 import scala.collection.immutable.ArraySeq
 import scala.concurrent.{ExecutionContext, Future, Promise}
@@ -33,12 +33,14 @@ import org.alephium.protocol.config.GroupConfig
 import org.alephium.util.{AVector, Service}
 import org.alephium.wallet.config.WalletConfig
 import org.alephium.wallet.service.WalletService
+import org.alephium.wallet.storage.SecretStorage
 import org.alephium.wallet.web._
 
 class WalletApp(config: WalletConfig)(implicit
     val executionContext: ExecutionContext
 ) extends Service
     with StrictLogging {
+  WalletApp.checkSecretFilePermission(config.secretDir)
 
   implicit private val groupConfig = new GroupConfig {
     override def groups: Int = config.blockflow.groups
@@ -126,3 +128,13 @@ class WalletApp(config: WalletConfig)(implicit
         }
     }
 }
+
+object WalletApp {
+  def checkSecretFilePermission(walletDir: Path): Unit = {
+    if (Files.exists(walletDir)) {
+      Files.list(walletDir).forEach { path =>
+        SecretStorage.setPermission600(path.toFile)
+      }
+    }
+  }
+}

wallet/src/main/scala/org/alephium/wallet/storage/SecretStorage.scala

@@ -171,6 +171,7 @@ object SecretStorage {
         )
         state <- stateFromFile(file, password, path, mnemonicPassphrase)
       } yield {
+        SecretStorage.setPermission600(file)
         new Impl(file, Some(state), path)
       }
     }
@@ -404,4 +405,11 @@ object SecretStorage {
       .left
       .map(_ => SecretFileError)
   }
+
+  def setPermission600(file: File): Unit = {
+    file.setReadable(false, false) // This returns false on Windows CI
+    require(file.setReadable(true, true))
+    require(file.setWritable(false, false))
+    require(file.setWritable(true, true))
+  }
 }