Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Secure atKeys with pass-phrase #703

Open
wants to merge 6 commits into
base: trunk
Choose a base branch
from

Conversation

sitaram-kalluri
Copy link
Member

- What I did
Support the password protected of atKeys file.

- How I did it
Changes in at_chops package :

  1. In algo_type.dart, the HashingAlgoType enum has been updated to include the argon2id algorithm for hashing user-provided passphrases.

  2. A fromString method has been added to the HashingAlgoType enum to return a HashingAlgoType instance from its string representation.

  3. In AtEncryptionAlgorithm, the encrypt and decrypt methods currently accept and return Uint8List, which necessitates converting AtKeys between String and Uint8List. To optimize this, generics have been added to AtEncryptionAlgorithm, enabling a String implementation while preserving backward compatibility.

  4. Similarly, in AtHashingAlgorithm, the hash method previously accepted a Uint8List and returned a String. As passphrases are now provided as String, and since the argon2id algorithm also works with String, generics have been added to AtHashingAlgorithm. This update allows the hash method to accept and return String while maintaining backward compatibility. Additionally, because the existing implementation returns a String and argon2id returns a Future, the return type has been changed to FutureOr, enabling the method to return either a String or Future.

  5. An optional parameter, HashParams, has been added to the hash method to configure the hashing algorithm. The covariant keyword is used to enable classes implementing AtHashingAlgorithm to accept subclasses of HashParams.

  6. A new class, Argon2idHashingAlgo, has been created, which implements AtHashingAlgorithm and provides functionality for hashing passphrases using the argon2id algorithm.

  7. The StringAESEncryptor class has been introduced, which implements SymmetricEncryptionAlgorithm, offering encryption and decryption of Strings using a provided AES key.

  8. An abstract class, AtKeysCrypto, has been added, containing encrypt and decrypt methods. The encrypt method accepts plain AtKeys and a passphrase, generates a hash from the passphrase, and uses the hash key to encrypt the plaintext. Similarly, the decrypt method accepts encrypted AtKeys and a passphrase, and returns the decrypted AtKeys. The fromHashingAlgorithm method returns an instance of AtKeysCrypto based on the provided HashingAlgoType.

  9. The AtEncrypted model class has been introduced, which stores the encrypted AtKeys, the initialization vector (IV) used during encryption, and the hashing algorithm used.

Changes in at_auth package :

  1. In at_auth_impl.dart, rename the method "_decryptAtKeysFile" to "_decryptAtKeysWithSelfEncKey" and modified the behaviour as below:

    a. If the content contains "iv", then it encrypted with the pass phrase. So decrypt it the atKeys with the given pass phrase. The encrypted AtKeys is passed to "AtKeysCrypto.decrypt" in "AtChops" package to decryption. Then again decrypt with the self encryption key to get the original keys.

    b. If the content does not contain "iv", then directly decrypt with self encryption key to get the original keys.

  2. In the at_auth_request.dart, add "passPhrase" field to hold the pass phrase supplied by the user.

Changes in at_onboarding_cli package:

  1. Add pass phrase to the AtOnboardingPreference to capture the pass phrase and propagate it the at_auth and at_chops package to decrypt the atKeys.

  2. In auth_cli_args, add parser options to capture "pass phrase" and "hashing algo type"

  3. In at_onboarding_service_impl.dart, in "_generateAtKeysFile", check if the passPhrase is supplied. If supplied, encrypt the keys with the passphrase.

- How to verify it

  1. Added a test to verify the encryption and decryption of atKeys using a passphrase with the argon2id algorithm

  2. A functional test to verify password protected of atKeys file

- Description for the changelog

  • feat: Support password protected of atKeys

packages/at_chops/lib/src/algorithm/algo_type.dart Outdated Show resolved Hide resolved
packages/at_chops/lib/src/at_keys_crypto.dart Outdated Show resolved Hide resolved
packages/at_chops/lib/src/at_keys_crypto.dart Outdated Show resolved Hide resolved
@sitaram-kalluri
Copy link
Member Author

Verified backward compatibility of at_auth and at_chops packages with at_client_sdk and looks fine.

Copy link
Contributor

@gkc gkc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - will leave final approval to Murali

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add Encryption Password Option to CLI Commands in at_onboarding_cli for Onboard/Enroll**
3 participants