Use Sodium for secret encryption and decryption

Fixes an openSSL warning: ``` openssl aes-256-cbc -md sha256 -d -in .circleci/.firebase.secrets.json.enc -out .circleci/.firebase.secrets.json -k “${FIREBASE_SECRETS_ENCRYPTION_KEY}” *** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better. ``` Also gets us out of manual crypto. This is a breaking change and should be carefully merged to avoid breaking projects.
wordpress-mobile · Jun 8, 2020 · 7bd4d49 · 7bd4d49
1 parent 1105ba5
commit 7bd4d49
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 64 deletions.
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    fastlane-plugin-wpmreleasetoolkit (0.9.2)
+    fastlane-plugin-wpmreleasetoolkit (0.9.5)
       activesupport (~> 4)
       chroma (= 0.2.0)
       diffy (~> 3.3)
@@ -13,12 +13,13 @@ PATH
       progress_bar (~> 1.3)
       rake (~> 12.3)
       rake-compiler (~> 1.0)
+      rbnacl (~> 7)
 
 GEM
   remote: https://rubygems.org/
   specs:
     CFPropertyList (3.0.1)
-    activesupport (4.2.11.1)
+    activesupport (4.2.11.3)
       i18n (~> 0.7)
       minitest (~> 5.1)
       thread_safe (~> 0.3, >= 0.3.4)
@@ -96,6 +97,7 @@ GEM
       xcodeproj (>= 1.8.1, < 2.0.0)
       xcpretty (~> 0.3.0)
       xcpretty-travis-formatter (>= 0.0.3)
+    ffi (1.13.0)
     gh_inspector (1.1.3)
     git (1.7.0)
       rchardet (~> 1.8)
@@ -142,7 +144,7 @@ GEM
     mime-types-data (3.2019.0904)
     mini_magick (4.9.5)
     mini_portile2 (2.4.0)
-    minitest (5.14.0)
+    minitest (5.14.1)
     multi_json (1.13.1)
     multi_xml (0.6.0)
     multipart-post (2.0.0)
@@ -172,6 +174,8 @@ GEM
     rake (12.3.3)
     rake-compiler (1.1.0)
       rake
+    rbnacl (7.1.1)
+      ffi
     rchardet (1.8.0)
     representable (3.0.4)
       declarative (< 0.1.0)

diff --git a/fastlane-plugin-wpmreleasetoolkit.gemspec b/fastlane-plugin-wpmreleasetoolkit.gemspec
@@ -44,6 +44,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency('parallel', '~> 1.14')
   spec.add_dependency('chroma', '0.2.0')
   spec.add_dependency('activesupport', '~> 4')
+  spec.add_dependency('rbnacl', '~> 7')
 
   spec.add_development_dependency('pry', '~> 0.12.2')
   spec.add_development_dependency('bundler', '>= 1.17')

diff --git a/lib/fastlane/plugin/wpmreleasetoolkit/helper/encryption_helper.rb b/lib/fastlane/plugin/wpmreleasetoolkit/helper/encryption_helper.rb
@@ -1,50 +1,22 @@
-require 'openssl'
-
 module Fastlane
   module Helper
     class EncryptionHelper    
-      module OperationType
-        ENCRYPT = 1
-        DECRYPT = 2
-      end
-
-      def self.cipher(op_type)
-        cipher = OpenSSL::Cipher::AES256.new :CBC
-
-        cipher.encrypt if op_type == OperationType::ENCRYPT
-        cipher.decrypt if op_type == OperationType::DECRYPT
-
-        cipher
-      end
 
       def self.encrypt(plain_text, key)
         # Ensure consistent encoding
         plain_text.force_encoding(Encoding::UTF_8)
 
-        cipher = cipher(OperationType::ENCRYPT)
-        cipher.key = key
-
-        encrypted = cipher.update(plain_text)
-        encrypted << cipher.final
-
-        encrypted
+        box = RbNaCl::SimpleBox.from_secret_key(key)
+        box.encrypt(plain_text)
       end
 
       def self.decrypt(encrypted, key)
-        cipher = cipher(OperationType::DECRYPT)
-        cipher.key = key
-
-        decrypted = cipher.update(encrypted)
-        decrypted << cipher.final
-
-        # Ensure consistent encoding
-        decrypted.force_encoding(Encoding::UTF_8)
-
-        decrypted
+        box = RbNaCl::SimpleBox.from_secret_key(key)
+        box.decrypt(encrypted)
       end
 
       def self.generate_key
-        cipher(OperationType::ENCRYPT).random_key
+        RbNaCl::Random.random_bytes(RbNaCl::SecretBox.key_bytes)
       end
     end
   end

diff --git a/spec/encryption_helper_spec.rb b/spec/encryption_helper_spec.rb
@@ -1,36 +1,17 @@
 require 'spec_helper.rb'
+require 'securerandom'
 
 describe Fastlane::Helper::EncryptionHelper do
-  let(:cipher) { double('cipher') }
 
-  before(:each) do
-    allow(OpenSSL::Cipher::AES256).to receive(:new).with(:CBC).and_return(cipher)
+  it 'can encrypt and decrypt data' do
+    string = SecureRandom.hex
+    key = Fastlane::Helper::EncryptionHelper.generate_key
+    encrypted = Fastlane::Helper::EncryptionHelper.encrypt(string, key)
+    decrypted = Fastlane::Helper::EncryptionHelper.decrypt(encrypted, key)
+    expect(string).to eq decrypted
   end
 
-  it 'encrypts the input' do
-    expect(cipher).to receive(:encrypt)
-    expect(cipher).to receive(:key=).with('key')
-
-    expect(cipher).to receive(:update).with('plain text').and_return('encrypted')
-    expect(cipher).to receive(:final).and_return('!')
-
-    expect(Fastlane::Helper::EncryptionHelper.encrypt('plain text', 'key')).to eq('encrypted!')
-  end
-
-  it 'decrypts the input' do
-    expect(cipher).to receive(:decrypt)
-    expect(cipher).to receive(:key=).with('key')
-
-    expect(cipher).to receive(:update).with('encrypted').and_return('plain text')
-    expect(cipher).to receive(:final).and_return('!')
-
-    expect(Fastlane::Helper::EncryptionHelper.decrypt('encrypted', 'key')).to eq('plain text!')
-  end
-
-  it 'generates a random key' do
-    expect(cipher).to receive(:encrypt)
-    expect(cipher).to receive(:random_key).and_return('random key')
-
-    expect(Fastlane::Helper::EncryptionHelper.generate_key).to eq('random key')
+  it 'generates a random key that is 32 bytes long' do
+    expect(Fastlane::Helper::EncryptionHelper.generate_key.length).to eq(32)
   end
 end