the rest of golden - salt used 2

cardano-foundation · Apr 25, 2024 · 0e74ac3 · 0e74ac3
1 parent 8590dc9
commit 0e74ac3
Show file tree

Hide file tree

Showing 2 changed files with 101 additions and 7 deletions.
diff --git a/lib/api/src/Cardano/Wallet/Api/Http/Shelley/Server.hs b/lib/api/src/Cardano/Wallet/Api/Http/Shelley/Server.hs
@@ -2749,7 +2749,7 @@ constructTransaction api argGenChange knownPools poolStatus apiWalletId body = d
 
     metadata <- case (body ^. #encryptMetadata, body ^. #metadata) of
             (Just apiEncrypt, Just metadataWithSchema) ->
-                case toMetadataEncrypted apiEncrypt metadataWithSchema of
+                case toMetadataEncrypted apiEncrypt metadataWithSchema Nothing of
                     Left err ->
                         liftHandler $ throwE err
                     Right meta ->
@@ -3164,8 +3164,9 @@ constructTransaction api argGenChange knownPools poolStatus apiWalletId body = d
 toMetadataEncrypted
     :: ApiEncryptMetadata
     -> TxMetadataWithSchema
+    -> Maybe ByteString
     -> Either ErrConstructTx Cardano.TxMetadata
-toMetadataEncrypted apiEncrypt payload = do
+toMetadataEncrypted apiEncrypt payload saltM = do
     msgValues <- findMsgValues
     msgValues' <- mapM encryptingMsg msgValues
     pure $ updateTxMetadata msgValues'
@@ -3176,7 +3177,7 @@ toMetadataEncrypted apiEncrypt payload = do
         , iterations = 10000
         , keyLength = 32
         , ivLength = 16
-        } pwd Nothing
+        } pwd saltM
     getMsgValue (Cardano.TxMetaText metaField, metaValue) =
         if metaField == "msg" then
             Just metaValue
@@ -3201,7 +3202,7 @@ toMetadataEncrypted apiEncrypt payload = do
     encryptPairIfQualifies pair@(Cardano.TxMetaText metaField, metaValue) =
         if metaField == "msg" then
             let encrypted =
-                    AES256CBC.encrypt WithPadding secretKey iv Nothing $
+                    AES256CBC.encrypt WithPadding secretKey iv saltM $
                     BL.toStrict $
                     Aeson.encode $
                     Cardano.metadataValueToJsonNoSchema metaValue

diff --git a/lib/unit/test/unit/Cardano/Wallet/Api/TypesSpec.hs b/lib/unit/test/unit/Cardano/Wallet/Api/TypesSpec.hs
@@ -501,6 +501,9 @@ import Data.Aeson.QQ
 import Data.Bifunctor
     ( Bifunctor (..)
     )
+import Data.ByteArray.Encoding
+    ( convertFromBase
+    )
 import Data.ByteString
     ( ByteString
     )
@@ -514,6 +517,7 @@ import Data.Either
     )
 import Data.Either.Combinators
     ( fromRight'
+    , rightToMaybe
     )
 import Data.FileEmbed
     ( embedFile
@@ -1198,7 +1202,8 @@ spec = do
                           , (Cardano.TxMetaText "enc", Cardano.TxMetaText "basic")
                           ])
                     ]
-            toMetadataEncrypted apiEncrypt schemaBefore `shouldBe` Right schemaAfter
+            toMetadataEncrypted apiEncrypt schemaBefore Nothing
+                `shouldBe` Right schemaAfter
 
         -- $ echo -n '"secret data that is long enough to produce more than 64 bytes"' | openssl enc -e -aes-256-cbc -pbkdf2 -iter 10000 -a -k "cardano" -nosalt
         -- OLSOdRF+P56rW9gUopHcs0HHcdmPP5ujhSuB+r84VJgvsMOsqmIZx2etosnkyOc8
@@ -1223,7 +1228,8 @@ spec = do
                           , (Cardano.TxMetaText "enc", Cardano.TxMetaText "basic")
                           ])
                     ]
-            toMetadataEncrypted apiEncrypt schemaBefore `shouldBe` Right schemaAfter
+            toMetadataEncrypted apiEncrypt schemaBefore Nothing
+                `shouldBe` Right schemaAfter
 
         -- $ echo -n '["Invoice-No: 123456789","Order-No: 7654321","Email: john@doe.com"]' | openssl enc -e -aes-256-cbc -pbkdf2 -iter 10000 -a -k "cardano" -nosalt
         -- IBcjjGQ7akr/CV2Zb0HtCvEPQNndZujCZ7iaFGMjOX3q3PJg5aRUvHgO3gPnDzYE
@@ -1252,7 +1258,94 @@ spec = do
                           , (Cardano.TxMetaText "enc", Cardano.TxMetaText "basic")
                           ])
                     ]
-            toMetadataEncrypted apiEncrypt schemaBefore `shouldBe` Right schemaAfter
+            toMetadataEncrypted apiEncrypt schemaBefore Nothing
+                `shouldBe` Right schemaAfter
+
+        -- $ $ echo -n '"secret data"' | openssl enc -e -aes-256-cbc -pbkdf2 -iter 10000 -a -k "cardano" -S 3030303030303030
+        -- U2FsdGVkX18wMDAwMDAwMF0ea/2sHeptB3SvZtgc600=
+        it "msg is 0-level deep short - salted" $ do
+            let apiEncrypt = ApiEncryptMetadata
+                    { passphrase = ApiT $ Passphrase "cardano"
+                    , enc = Nothing
+                    }
+                schemaBefore = TxMetadataWithSchema TxMetadataNoSchema $ Cardano.TxMetadata $ Map.fromList
+                    [( 0, Cardano.TxMetaMap
+                        [ (Cardano.TxMetaText "field", Cardano.TxMetaNumber 123)
+                        , (Cardano.TxMetaText "msg", Cardano.TxMetaText "secret data")
+                        ])
+                    ]
+                schemaAfter = Cardano.TxMetadata $ Map.fromList $
+                    [ (0, Cardano.TxMetaMap
+                          [ (Cardano.TxMetaText "field", Cardano.TxMetaNumber 123)
+                          , (Cardano.TxMetaText "msg", Cardano.TxMetaList
+                                [Cardano.TxMetaText "U2FsdGVkX18wMDAwMDAwMF0ea/2sHeptB3SvZtgc600="])
+                          , (Cardano.TxMetaText "enc", Cardano.TxMetaText "basic")
+                          ])
+                    ]
+                saltM = fromHexToM "3030303030303030"
+            toMetadataEncrypted apiEncrypt schemaBefore saltM
+                `shouldBe` Right schemaAfter
+
+        -- $ echo -n '"secret data that is long enough to produce more than 64 bytes"' | openssl enc -e -aes-256-cbc -pbkdf2 -iter 10000 -a -k "cardano" -S 3030303030303030
+        -- U2FsdGVkX18wMDAwMDAwMPNdhZQON/Hlwqvk4+sNRCa90QrAVpIGUlWgZhgNlwKh
+        -- PbR/qyT2q0tejHQmsHdORif5rvZYTzJGsTutA0RIcFU=
+        it "msg is 0-level deep long - salted" $ do
+            let apiEncrypt = ApiEncryptMetadata
+                    { passphrase = ApiT $ Passphrase "cardano"
+                    , enc = Nothing
+                    }
+                schemaBefore = TxMetadataWithSchema TxMetadataNoSchema $ Cardano.TxMetadata $ Map.fromList
+                    [( 0, Cardano.TxMetaMap
+                        [ (Cardano.TxMetaText "field", Cardano.TxMetaNumber 123)
+                        , (Cardano.TxMetaText "msg", Cardano.TxMetaText "secret data that is long enough to produce more than 64 bytes")
+                        ])
+                    ]
+                schemaAfter = Cardano.TxMetadata $ Map.fromList $
+                    [ (0, Cardano.TxMetaMap
+                          [ (Cardano.TxMetaText "field", Cardano.TxMetaNumber 123)
+                          , (Cardano.TxMetaText "msg", Cardano.TxMetaList
+                                [ Cardano.TxMetaText "U2FsdGVkX18wMDAwMDAwMPNdhZQON/Hlwqvk4+sNRCa90QrAVpIGUlWgZhgNlwKh"
+                                , Cardano.TxMetaText "PbR/qyT2q0tejHQmsHdORif5rvZYTzJGsTutA0RIcFU="])
+                          , (Cardano.TxMetaText "enc", Cardano.TxMetaText "basic")
+                          ])
+                    ]
+                saltM = fromHexToM "3030303030303030"
+            toMetadataEncrypted apiEncrypt schemaBefore saltM
+                `shouldBe` Right schemaAfter
+
+        -- $ $ echo -n '["Invoice-No: 123456789","Order-No: 7654321","Email: john@doe.com"]' | openssl enc -e -aes-256-cbc -pbkdf2 -iter 10000 -a -k "cardano" -S 3030303030303030
+        -- U2FsdGVkX18wMDAwMDAwMFlOS4b0tXrZA7U5aQaHeI/sP74h84EPEjGv0wl4D8Do
+        -- +SIXXn04a9xkoFHk4ZH281nIfH5lpClsO16p2vRpSsdBDFO78aTPX3bsHsRE0L2A
+        it "msg is 0-level deep complex - no salt" $ do
+            let apiEncrypt = ApiEncryptMetadata
+                    { passphrase = ApiT $ Passphrase "cardano"
+                    , enc = Nothing
+                    }
+                schemaBefore = TxMetadataWithSchema TxMetadataNoSchema $ Cardano.TxMetadata $ Map.fromList
+                    [( 0, Cardano.TxMetaMap
+                        [ (Cardano.TxMetaText "field", Cardano.TxMetaNumber 123)
+                        , (Cardano.TxMetaText "msg", Cardano.TxMetaList
+                              [ Cardano.TxMetaText "Invoice-No: 123456789"
+                              , Cardano.TxMetaText "Order-No: 7654321"
+                              , Cardano.TxMetaText "Email: john@doe.com"
+                              ])
+                        ])
+                    ]
+                schemaAfter = Cardano.TxMetadata $ Map.fromList $
+                    [ (0, Cardano.TxMetaMap
+                          [ (Cardano.TxMetaText "field", Cardano.TxMetaNumber 123)
+                          , (Cardano.TxMetaText "msg", Cardano.TxMetaList
+                                [ Cardano.TxMetaText "U2FsdGVkX18wMDAwMDAwMFlOS4b0tXrZA7U5aQaHeI/sP74h84EPEjGv0wl4D8Do"
+                                , Cardano.TxMetaText "+SIXXn04a9xkoFHk4ZH281nIfH5lpClsO16p2vRpSsdBDFO78aTPX3bsHsRE0L2A"])
+                          , (Cardano.TxMetaText "enc", Cardano.TxMetaText "basic")
+                          ])
+                    ]
+                saltM = fromHexToM "3030303030303030"
+            toMetadataEncrypted apiEncrypt schemaBefore saltM
+                `shouldBe` Right schemaAfter
+
+fromHexToM :: Text -> Maybe ByteString
+fromHexToM = rightToMaybe . convertFromBase Base16 . T.encodeUtf8
 
 {-------------------------------------------------------------------------------
                               Error type encoding