-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Secure atKeys with pass-phrase #703
Open
sitaram-kalluri
wants to merge
6
commits into
trunk
Choose a base branch
from
604-support-password-protected-encryption-ofatkeys-files
base: trunk
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
feat: Secure atKeys with pass-phrase #703
sitaram-kalluri
wants to merge
6
commits into
trunk
from
604-support-password-protected-encryption-ofatkeys-files
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gkc
requested changes
Nov 1, 2024
murali-shris
requested changes
Nov 5, 2024
Verified backward compatibility of at_auth and at_chops packages with at_client_sdk and looks fine.
|
murali-shris
requested changes
Nov 7, 2024
packages/at_chops/lib/src/algorithm/at_hashing_algo_factory.dart
Outdated
Show resolved
Hide resolved
gkc
reviewed
Nov 11, 2024
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM - will leave final approval to Murali
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
- What I did
Support the password protected of atKeys file.
- How I did it
Changes in at_chops package :
In algo_type.dart, the
HashingAlgoType
enum has been updated to include the argon2id algorithm for hashing user-provided passphrases.A
fromString
method has been added to the HashingAlgoType enum to return a HashingAlgoType instance from its string representation.In AtEncryptionAlgorithm, the encrypt and decrypt methods currently accept and return Uint8List, which necessitates converting AtKeys between String and Uint8List. To optimize this, generics have been added to AtEncryptionAlgorithm, enabling a String implementation while preserving backward compatibility.
Similarly, in AtHashingAlgorithm, the hash method previously accepted a Uint8List and returned a String. As passphrases are now provided as String, and since the argon2id algorithm also works with String, generics have been added to AtHashingAlgorithm. This update allows the hash method to accept and return String while maintaining backward compatibility. Additionally, because the existing implementation returns a String and argon2id returns a Future, the return type has been changed to FutureOr, enabling the method to return either a String or Future.
An optional parameter, HashParams, has been added to the hash method to configure the hashing algorithm. The covariant keyword is used to enable classes implementing AtHashingAlgorithm to accept subclasses of HashParams.
A new class, Argon2idHashingAlgo, has been created, which implements AtHashingAlgorithm and provides functionality for hashing passphrases using the argon2id algorithm.
The StringAESEncryptor class has been introduced, which implements SymmetricEncryptionAlgorithm, offering encryption and decryption of Strings using a provided AES key.
An abstract class, AtKeysCrypto, has been added, containing encrypt and decrypt methods. The encrypt method accepts plain AtKeys and a passphrase, generates a hash from the passphrase, and uses the hash key to encrypt the plaintext. Similarly, the decrypt method accepts encrypted AtKeys and a passphrase, and returns the decrypted AtKeys. The fromHashingAlgorithm method returns an instance of AtKeysCrypto based on the provided HashingAlgoType.
The AtEncrypted model class has been introduced, which stores the encrypted AtKeys, the initialization vector (IV) used during encryption, and the hashing algorithm used.
Changes in at_auth package :
In at_auth_impl.dart, rename the method "_decryptAtKeysFile" to "_decryptAtKeysWithSelfEncKey" and modified the behaviour as below:
a. If the content contains "iv", then it encrypted with the pass phrase. So decrypt it the atKeys with the given pass phrase. The encrypted AtKeys is passed to "AtKeysCrypto.decrypt" in "AtChops" package to decryption. Then again decrypt with the self encryption key to get the original keys.
b. If the content does not contain "iv", then directly decrypt with self encryption key to get the original keys.
In the at_auth_request.dart, add "passPhrase" field to hold the pass phrase supplied by the user.
Changes in at_onboarding_cli package:
Add pass phrase to the AtOnboardingPreference to capture the pass phrase and propagate it the at_auth and at_chops package to decrypt the atKeys.
In auth_cli_args, add parser options to capture "pass phrase" and "hashing algo type"
In at_onboarding_service_impl.dart, in "_generateAtKeysFile", check if the passPhrase is supplied. If supplied, encrypt the keys with the passphrase.
- How to verify it
Added a test to verify the encryption and decryption of atKeys using a passphrase with the argon2id algorithm
A functional test to verify password protected of atKeys file
- Description for the changelog