PR review fixes

tools/walletextension/encryption/encryption.go

@@ -11,6 +11,16 @@ import (
 	"io"
 )
 
+// Encryptor provides AES-GCM encryption/decryption with the following characteristics:
+//   - Uses AES-256-GCM (Galois/Counter Mode) with a 32-byte key
+//   - Generates a random 12-byte nonce for each encryption operation using crypto/rand
+//   - The nonce is prepended to the ciphertext output from Encrypt() and is generated
+//     using crypto/rand.Reader for cryptographically secure random values
+//
+// Additionally provides HMAC-SHA256 hashing functionality:
+// - Uses the same 32-byte key as the encryption operations
+// - Generates a 32-byte (256-bit) message authentication code
+// - Suitable for creating secure message digests and verifying data integrity
 type Encryptor struct {
 	gcm cipher.AEAD
 	key []byte

tools/walletextension/storage/storage_test.go

@@ -27,7 +27,7 @@ func TestGatewayStorage(t *testing.T) {
 	for name, test := range tests {
 		t.Run(name, func(t *testing.T) {
 			storage, err := New("sqlite", "", "", randomKey)
-			//storage, err := New("cosmosDB", "", "", randomKey)
+			// storage, err := New("cosmosDB", "", "", randomKey)
 			require.NoError(t, err)
 
 			test(storage, t)

tools/walletextension/walletextension_container.go

@@ -2,11 +2,9 @@ package walletextension
 
 import (
 	"os"
-	"path/filepath"
 	"time"
 
 	"github.com/ten-protocol/go-ten/go/common/subscription"
-	"github.com/ten-protocol/go-ten/go/enclave/core/egoutils"
 
 	"github.com/ten-protocol/go-ten/tools/walletextension/httpapi"
 
@@ -36,33 +34,14 @@ func NewContainerFromConfig(config wecommon.Config, logger gethlog.Logger) *Cont
 	hostRPCBindAddrHTTP := wecommon.HTTPProtocol + config.NodeRPCHTTPAddress
 
 	// Database encryption key handling
-	// First we try to unseal the encryption key from the file
-	// If we fail to unseal the key, we generate a new one and seal it to the file
+	// TODO: Check if encryption key is already sealed and unseal it and generate new one if not (part of the next PR)
 	// TODO: We should have a mechanism to get the key from an enclave that already runs (part of the next PR)
 	// TODO: Move this to a separate file along with key exchange logic (part of the next PR)
-	encryptionKeyFilepath := filepath.Join(".", "encryption_key.json")
 
-	// try to read and unseal the encryption key
-	encryptionKey, err := egoutils.ReadAndUnseal(encryptionKeyFilepath)
+	encryptionKey, err := wecommon.GenerateRandomKey()
 	if err != nil {
-		// we were not able to unseal the key, generate a new one
-		logger.Info("unable to read and unseal encryption key", log.ErrKey, err)
-		encryptionKey, err = wecommon.GenerateRandomKey()
-		if err != nil {
-			logger.Crit("unable to generate random encryption key", log.ErrKey, err)
-			os.Exit(1)
-		}
-		logger.Info("generated new encryption key", log.ErrKey, err)
-	}
-
-	// try to seal the encryption key to the file
-	// debug mode is used for testing purposes when we don't run inside an enclave, but we still want to test gateway functionality
-	if !config.Debug {
-		err = egoutils.SealAndPersist(string(encryptionKey), encryptionKeyFilepath, true)
-		if err != nil {
-			logger.Error("unable to seal and persist encryption key", log.ErrKey, err)
-			// os.Exit(1)
-		}
+		logger.Crit("unable to generate random encryption key", log.ErrKey, err)
+		os.Exit(1)
 	}
 
 	// start the database with the encryption key