diff --git a/tools/walletextension/encryption/encryption.go b/tools/walletextension/encryption/encryption.go index 31a41fd1fd..c4e8de7c22 100644 --- a/tools/walletextension/encryption/encryption.go +++ b/tools/walletextension/encryption/encryption.go @@ -11,6 +11,16 @@ import ( "io" ) +// Encryptor provides AES-GCM encryption/decryption with the following characteristics: +// - Uses AES-256-GCM (Galois/Counter Mode) with a 32-byte key +// - Generates a random 12-byte nonce for each encryption operation using crypto/rand +// - The nonce is prepended to the ciphertext output from Encrypt() and is generated +// using crypto/rand.Reader for cryptographically secure random values +// +// Additionally provides HMAC-SHA256 hashing functionality: +// - Uses the same 32-byte key as the encryption operations +// - Generates a 32-byte (256-bit) message authentication code +// - Suitable for creating secure message digests and verifying data integrity type Encryptor struct { gcm cipher.AEAD key []byte diff --git a/tools/walletextension/storage/storage_test.go b/tools/walletextension/storage/storage_test.go index 4c61a065a3..2053fc37c5 100644 --- a/tools/walletextension/storage/storage_test.go +++ b/tools/walletextension/storage/storage_test.go @@ -27,7 +27,7 @@ func TestGatewayStorage(t *testing.T) { for name, test := range tests { t.Run(name, func(t *testing.T) { storage, err := New("sqlite", "", "", randomKey) - //storage, err := New("cosmosDB", "", "", randomKey) + // storage, err := New("cosmosDB", "", "", randomKey) require.NoError(t, err) test(storage, t) diff --git a/tools/walletextension/walletextension_container.go b/tools/walletextension/walletextension_container.go index aa7318da22..a306e3a99a 100644 --- a/tools/walletextension/walletextension_container.go +++ b/tools/walletextension/walletextension_container.go @@ -2,11 +2,9 @@ package walletextension import ( "os" - "path/filepath" "time" "github.com/ten-protocol/go-ten/go/common/subscription" - "github.com/ten-protocol/go-ten/go/enclave/core/egoutils" "github.com/ten-protocol/go-ten/tools/walletextension/httpapi" @@ -36,33 +34,14 @@ func NewContainerFromConfig(config wecommon.Config, logger gethlog.Logger) *Cont hostRPCBindAddrHTTP := wecommon.HTTPProtocol + config.NodeRPCHTTPAddress // Database encryption key handling - // First we try to unseal the encryption key from the file - // If we fail to unseal the key, we generate a new one and seal it to the file + // TODO: Check if encryption key is already sealed and unseal it and generate new one if not (part of the next PR) // TODO: We should have a mechanism to get the key from an enclave that already runs (part of the next PR) // TODO: Move this to a separate file along with key exchange logic (part of the next PR) - encryptionKeyFilepath := filepath.Join(".", "encryption_key.json") - // try to read and unseal the encryption key - encryptionKey, err := egoutils.ReadAndUnseal(encryptionKeyFilepath) + encryptionKey, err := wecommon.GenerateRandomKey() if err != nil { - // we were not able to unseal the key, generate a new one - logger.Info("unable to read and unseal encryption key", log.ErrKey, err) - encryptionKey, err = wecommon.GenerateRandomKey() - if err != nil { - logger.Crit("unable to generate random encryption key", log.ErrKey, err) - os.Exit(1) - } - logger.Info("generated new encryption key", log.ErrKey, err) - } - - // try to seal the encryption key to the file - // debug mode is used for testing purposes when we don't run inside an enclave, but we still want to test gateway functionality - if !config.Debug { - err = egoutils.SealAndPersist(string(encryptionKey), encryptionKeyFilepath, true) - if err != nil { - logger.Error("unable to seal and persist encryption key", log.ErrKey, err) - // os.Exit(1) - } + logger.Crit("unable to generate random encryption key", log.ErrKey, err) + os.Exit(1) } // start the database with the encryption key