dan/Portfolio
1
0
Fork 0
mirror of https://github.com/danbulant/Portfolio synced 2026-05-22 22:08:59 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #13 from EETagent/aes_age

Browse source 
Async + Age encryption
This commit is contained in:
Sebastian Pravda 2022-10-28 18:12:19 +02:00 committed by GitHub
commit 98236708ad
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 335 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
core/Cargo.toml
View file

@ -7,10 +7,17 @@ edition = "2021"
serde = { version = "1.0", features = ["derive"] }
portfolio-entity = { path = "../entity" }
rand = "0.8.5"
argon2 = "0.4.1"
chrono = "0.4.22"
jsonwebtoken = "8.1.1"
dotenv = "0.15.0"
tokio = "1.21.2"
futures = "0.3.25"
# crypto
argon2 = { version = "0.4", features = ["std"] }
age = { version = "0.9", features = ["async"] }
secrecy = { version = "0.8.0" }
base64 = "0.13"
[dependencies.sea-orm]
version = "^0.10.0"

346
core/src/crypto.rs
View file

@ -1,8 +1,11 @@
use argon2::{
Argon2, PasswordHasher as ArgonPasswordHasher, PasswordVerifier as ArgonPasswordVerifier,
};
use secrecy::ExposeSecret;
use futures::io::{AsyncReadExt, AsyncWriteExt};
use rand::Rng;
use std::iter;
use std::str::FromStr;
/// Foolproof random 8 char string
/// only uppercase letters (except for 0 and O) and numbers
@ -11,14 +14,11 @@ pub fn random_8_char_string() -> String {
let iterator = rand::thread_rng()
.sample_iter(&rand::distributions::Alphanumeric)
.map(char::from);
let mut s = String::new();
for c in iterator { // add all characters except for: lowercase chars, 0 and O
if ('1'..='9').contains(&c) ||
('A'..='N').contains(&c) ||
('P'..'Z').contains(&c)
{
for c in iterator {
// add all characters except for: lowercase chars, 0 and O
if ('1'..='9').contains(&c) || ('A'..='N').contains(&c) || ('P'..'Z').contains(&c) {
s.push(c);
if s.len() == 8 {
break;
@ -28,26 +28,330 @@ pub fn random_8_char_string() -> String {
s
}
pub fn hash_password(password_plaint_text: &str) -> Result<String, argon2::password_hash::Error> {
let password = password_plaint_text.as_bytes();
let salt = "c2VjcmV0bHl0ZXN0aW5nZXZlcnl0aGluZw";
pub async fn hash_password(
password_plain_text: String,
) -> Result<String, Box<dyn std::error::Error>> {
let argon_config = Argon2::default();
let hash = argon_config.hash_password(password, salt)?;
let hash = tokio::task::spawn_blocking(move || {
let password = password_plain_text.as_bytes();
return Ok(hash.to_string());
let salt_str = argon2::password_hash::SaltString::generate(rand::thread_rng());
let salt = salt_str.as_salt();
return argon_config.hash_password(password, &salt).map(|x| x.serialize().to_string());
});
let hash_string = hash.await??;
return Ok(hash_string);
}
pub fn verify_password(
password_plaint_text: &str,
hash: &str,
) -> Result<bool, argon2::password_hash::Error> {
pub async fn verify_password<'a>(
password_plaint_text: String,
hash: String,
) -> Result<bool, Box<dyn std::error::Error>> {
let argon_config = Argon2::default();
let parsed_hash = argon2::PasswordHash::new(&hash)?;
let result: Result<bool, argon2::password_hash::Error> =
tokio::task::spawn_blocking(move || {
let parsed_hash = argon2::PasswordHash::new(&hash);
match parsed_hash {
Ok(parsed) => {
return Ok(argon_config
.verify_password(password_plaint_text.as_bytes(), &parsed)
.is_ok())
}
Err(error) => return Err(error),
}
})
.await?;
return Ok(argon_config
.verify_password(password_plaint_text.as_bytes(), &parsed_hash)
.is_ok());
Ok(result?)
}
pub async fn encrypt_password(
password_plain_text: &str,
key: &str,
) -> Result<String, age::EncryptError> {
let encryptor = age::Encryptor::with_user_passphrase(age::secrecy::Secret::new(key.to_owned()));
let mut encrypt_buffer = Vec::new();
let mut encrypt_writer = encryptor.wrap_async_output(&mut encrypt_buffer).await?;
encrypt_writer
.write_all(password_plain_text.as_bytes())
.await?;
encrypt_writer.flush().await?;
encrypt_writer.close().await?;
Ok(base64::encode(encrypt_buffer))
}
pub async fn decrypt_password(
password_encrypted: &str,
key: &str,
) -> Result<String, Box<dyn std::error::Error>> {
let encrypted = base64::decode(password_encrypted)?;
let decryptor = match age::Decryptor::new_async(&encrypted[..]).await? {
age::Decryptor::Passphrase(d) => d,
_ => unreachable!(),
};
let mut decrypt_buffer = Vec::new();
let mut decrypt_writer =
decryptor.decrypt_async(&age::secrecy::Secret::new(key.to_owned()), None)?;
decrypt_writer.read_to_end(&mut decrypt_buffer).await?;
Ok(String::from_utf8(decrypt_buffer)?)
}
pub fn create_identity() -> (String, String){
let identity = age::x25519::Identity::generate();
// Public Key & Private Key
(identity.to_public().to_string(), identity.to_string().expose_secret().to_string())
}
pub async fn encrypt_password_with_recipients(
password_plain_text: &str,
recipients: Vec<&str>,
) -> Result<String, age::EncryptError> {
let public_keys = recipients
.into_iter()
.map(|recipient| {
//TODO: No unwrap
Box::new(age::x25519::Recipient::from_str(recipient).unwrap()) as _
})
.collect();
let encryptor_option = age::Encryptor::with_recipients(public_keys);
if let Some(encryptor) = encryptor_option {
let mut encrypt_buffer = Vec::new();
let mut encrypt_writer = encryptor.wrap_async_output(&mut encrypt_buffer).await?;
encrypt_writer
.write_all(password_plain_text.as_bytes())
.await?;
encrypt_writer.flush().await?;
encrypt_writer.close().await?;
Ok(base64::encode(encrypt_buffer))
} else {
// TODO: Error handling
unreachable!("No recipients provided");
}
}
pub async fn decrypt_password_with_private_key(
password_encrypted: &str,
key: &str,
) -> Result<String, Box<dyn std::error::Error>> {
let encrypted = base64::decode(password_encrypted)?;
let decryptor = match age::Decryptor::new_async(&encrypted[..]).await? {
age::Decryptor::Recipients(d) => d,
_ => unreachable!(),
};
let mut decrypt_buffer = Vec::new();
let mut decrypt_writer = decryptor.decrypt_async(iter::once(
&age::x25519::Identity::from_str(key)? as &dyn age::Identity,
))?;
decrypt_writer.read_to_end(&mut decrypt_buffer).await?;
Ok(String::from_utf8(decrypt_buffer)?)
}
// TODO: Massive refactor of encrypt_file_with_recipients required
pub async fn encrypt_file_with_recipients(
plain_file_path: &str,
cipher_file_path: &str,
recipients: Vec<&str>,
) -> Result<(), age::EncryptError> {
let public_keys = recipients
.into_iter()
.map(|recipient| {
//TODO: No unwrap
Box::new(age::x25519::Recipient::from_str(recipient).unwrap()) as _
})
.collect();
let encryptor_option = age::Encryptor::with_recipients(public_keys);
if let Some(encryptor) = encryptor_option {
let mut cipher_file = tokio::fs::File::create(cipher_file_path).await?;
let mut plain_file = tokio::fs::File::open(plain_file_path).await?;
let mut plain_file_contents = Vec::new();
tokio::io::AsyncReadExt::read_to_end(&mut plain_file, &mut plain_file_contents).await?;
let mut encrypt_buffer = Vec::new();
let mut encrypt_writer = encryptor.wrap_async_output(&mut encrypt_buffer).await?;
encrypt_writer.write_all(&plain_file_contents).await?;
encrypt_writer.flush().await?;
encrypt_writer.close().await?;
tokio::io::AsyncWriteExt::write_all(&mut cipher_file, &encrypt_buffer).await?;
return Ok(());
} else {
// TODO: Error handling
unreachable!("No recipients provided");
}
}
#[cfg(test)]
mod tests {
#[test]
fn test_random_8_char_string() {
let s = super::random_8_char_string();
// Is 8 chars long
assert_eq!(s.len(), 8);
// Does not contain possibly confusing characters
assert!(!s.contains('0'));
assert!(!s.contains('O'));
}
#[tokio::test]
async fn test_hash_password() {
const PASSWORD: &str = "test";
let hash = super::hash_password(PASSWORD.to_string()).await.unwrap();
assert!(hash.contains("$argon2"));
}
#[tokio::test]
async fn test_verify_password() {
const HASH: &str = "$argon2id$v=19$m=4096,t=3,p=1$c2VjcmV0bHl0ZXN0aW5nZXZlcnl0aGluZw$xEzH8wD/ZjzgZTDTl3YtzMFCfcVa5M5m9y6NfSyB1n4";
const PASSWORD: &str = "test";
let result = super::verify_password(PASSWORD.to_string(), HASH.to_string())
.await
.unwrap();
assert!(result);
}
#[tokio::test]
async fn test_hash_and_verify_password() {
const PASSWORD: &str = "test";
let hash = super::hash_password(PASSWORD.to_string()).await.unwrap();
let result = super::verify_password(PASSWORD.to_string(), hash)
.await
.unwrap();
assert!(result);
}
#[tokio::test]
async fn test_encrypt_password_is_valid_base64() {
const PASSWORD: &str = "test";
const KEY: &str = "test";
let encrypted = super::encrypt_password(PASSWORD, KEY).await.unwrap();
assert!(base64::decode(encrypted).is_ok());
}
#[tokio::test]
async fn test_encrypt_decrypt_password() {
const PASSWORD: &str = "test";
const KEY: &str = "test";
let encrypted = super::encrypt_password(PASSWORD, KEY).await.unwrap();
let decrypted = super::decrypt_password(&encrypted, KEY).await.unwrap();
assert_eq!(PASSWORD, decrypted);
}
#[test]
fn test_create_identity() {
let identity = super::create_identity();
assert!(identity.0.contains("age"));
assert!(identity.1.contains("AGE-SECRET-KEY-"));
}
#[tokio::test]
async fn test_encrypt_password_with_recipients_is_valid_base64() {
const PASSWORD: &str = "test";
const PUBLIC_KEY: &str = "age1t220v5c8ye0pjx99kw8nr57y7a5qlw4ke0wchjuxnr2gcvfzt3hq7fufz0";
let encrypted = super::encrypt_password_with_recipients(PASSWORD, vec![PUBLIC_KEY])
.await
.unwrap();
assert!(base64::decode(encrypted).is_ok());
}
#[tokio::test]
async fn test_encrypt_password_with_recipients_multiple_is_valid_base64() {
const PASSWORD: &str = "test";
const PUBLIC_KEY_1: &str = "age1t220v5c8ye0pjx99kw8nr57y7a5qlw4ke0wchjuxnr2gcvfzt3hq7fufz0";
const PUBLIC_KEY_2: &str = "age1ygswsk38cq9r64um5klqxyvzemfdvx6qe5zed99pdexakwwhpatsgatgpw";
let encrypted =
super::encrypt_password_with_recipients(PASSWORD, vec![PUBLIC_KEY_1, PUBLIC_KEY_2])
.await
.unwrap();
println!("{}", encrypted);
assert!(base64::decode(encrypted).is_ok());
}
#[tokio::test]
async fn test_decrypt_password_with_private_key() {
const PASSWORD: &str = "test";
//const PUBLIC_KEY: &str = "age1t220v5c8ye0pjx99kw8nr57y7a5qlw4ke0wchjuxnr2gcvfzt3hq7fufz0";
const PRIVATE_KEY: &str =
"AGE-SECRET-KEY-1WPDHL2FLJ23T6RK5KCX8KS8DNLX0CGXMNZG0XNUAH4QP5C8ZZ46QGD3STV";
const CIPHER: &str = "YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVWUNCY0RielVCaThLbGlIR1NZa0p6MlNiS0x5L3B2Y3B2b21XZHNaZUVjClpsVTRvUGVVQVYzS205VTVVMDlXYjFHVE5ZZzJOSEpyN1ZyT0tocFpIbUUKLT4gPy1ncmVhc2UgLltXKT9MJyBLQGouLWcgfCBQSm12JQp3bDhRTDd0ZGZWbU9mQ2FYVU9Cb2FjM3AwR243OGJNCi0tLSBSSzRxV3E2d0VscERvM3VHVUhOL3dPaGVBRHE3WkZrdzYxYUgyQVl6elh3CiFQOr28YvbEAkx0YgFnIxwvPNjjYZV6THArcMPM8i5flnmKPw==";
let decrypted = super::decrypt_password_with_private_key(CIPHER, PRIVATE_KEY)
.await
.unwrap();
assert_eq!(PASSWORD, decrypted);
}
#[tokio::test]
async fn test_decrypt_password_with_private_key_multiple() {
const PASSWORD: &str = "test";
// const PUBLIC_KEY_1: &str = "age1t220v5c8ye0pjx99kw8nr57y7a5qlw4ke0wchjuxnr2gcvfzt3hq7fufz0";
// const PUBLIC_KEY_2: &str = "age1ygswsk38cq9r64um5klqxyvzemfdvx6qe5zed99pdexakwwhpatsgatgpw";
const PRIVATE_KEY_1: &str =
"AGE-SECRET-KEY-1WPDHL2FLJ23T6RK5KCX8KS8DNLX0CGXMNZG0XNUAH4QP5C8ZZ46QGD3STV";
const PRIVATE_KEY_2: &str =
"AGE-SECRET-KEY-19RT6Z6TR0TE465EMJFDVXAFZ00YE65THLSS5LAY4W85L587DF95SPPDVND";
const CIPHER: &str = "YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBQ1BuSi9VMWIzeHg1TjQwMDNSUzlpZ0pGRWMxU2pFenVBekxGQTM0WGkwClkycytsNXNMbmVJTm5GT3VDRFBGQXE1ZFU5MzNzV0NXRWhmV1VGSjVNbU0KLT4gWDI1NTE5IHAvUjRLc3ROd2FkalZWTVIxRnBjaEluMXNtYWVScTVxdWxHY0x6ajZtUmMKYXkyNTExakZ0NWt5Vm85YUJSRlRmZTh4VEEyVEVrOFRyWDMxckNDVGkzOAotPiBbNVhfKS1ncmVhc2UgcysxIChlLTsKYU43T0lXUlUxZDFRVUpacXdJcm02Y3VzSjNMTVBtcy9pNm9yOEdETVplYjJrY1VsemRZU00rZ3NrSFZvUTBoSQovcEVrcmRmYlBPdzN3WWZTR0t1a1VFY0VTWXlIR1VPSUJRCi0tLSBYbmpxUHpVQzl5YnowdktIcTRjTklERXRDYVAxb0FmaWQwazgzRkp0U2pNCiAVlCPJ1+jroWQ7HBqjRUOcCBMyYvi9xIaklX2XDYPB2rd7Fw==";
let decrypted_1 = super::decrypt_password_with_private_key(CIPHER, PRIVATE_KEY_1)
.await
.unwrap();
assert_eq!(PASSWORD, decrypted_1);
let decrypted_2 = super::decrypt_password_with_private_key(CIPHER, PRIVATE_KEY_2)
.await
.unwrap();
assert_eq!(PASSWORD, decrypted_2);
}
}

2
core/src/mutation.rs
View file

@ -11,7 +11,7 @@ impl Mutation {
plain_text_password: &String,
) -> Result<candidate::Model, DbErr> {
// TODO: unwrap pro testing..
let hashed_password = hash_password(plain_text_password).unwrap();
let hashed_password = hash_password(plain_text_password.to_string()).await.unwrap();
candidate::ActiveModel {
application: Set(form_data.application),
code: Set(hashed_password),

2
core/src/services/candidate_service.rs
View file

@ -17,7 +17,7 @@ impl CandidateService {
};
let valid = crypto::verify_password(&password,&candidate.code )
let valid = crypto::verify_password(password,candidate.code.clone()).await
.expect("Invalid password");
if !valid {