From b9083b0c6595020ab9478f02e5262e1184a30c60 Mon Sep 17 00:00:00 2001 From: Jeremy Massel Date: Mon, 8 Jun 2020 15:14:46 -0600 Subject: [PATCH 1/2] Use Sodium for secret encryption and decryption MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes an openSSL warning: ``` openssl aes-256-cbc -md sha256 -d -in .circleci/.firebase.secrets.json.enc -out .circleci/.firebase.secrets.json -k “${FIREBASE_SECRETS_ENCRYPTION_KEY}” *** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better. ``` Also gets us out of manual crypto. This is a breaking change and should be carefully merged to avoid breaking projects. --- Gemfile.lock | 6 ++- fastlane-plugin-wpmreleasetoolkit.gemspec | 1 + .../helper/encryption_helper.rb | 38 +++---------------- spec/encryption_helper_spec.rb | 37 +++++------------- 4 files changed, 20 insertions(+), 62 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index f04c19cde..f084e349d 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,7 +1,7 @@ PATH remote: . specs: - fastlane-plugin-wpmreleasetoolkit (0.9.5) + fastlane-plugin-wpmreleasetoolkit (0.9.7) activesupport (~> 4) chroma (= 0.2.0) diffy (~> 3.3) @@ -13,6 +13,7 @@ PATH progress_bar (~> 1.3) rake (~> 12.3) rake-compiler (~> 1.0) + rbnacl (~> 7) GEM remote: https://rubygems.org/ @@ -113,6 +114,7 @@ GEM xcodeproj (>= 1.13.0, < 2.0.0) xcpretty (~> 0.3.0) xcpretty-travis-formatter (>= 0.0.3) + ffi (1.13.1) gh_inspector (1.1.3) git (1.7.0) rchardet (~> 1.8) @@ -192,6 +194,8 @@ GEM rake (12.3.3) rake-compiler (1.1.0) rake + rbnacl (7.1.1) + ffi rchardet (1.8.0) representable (3.0.4) declarative (< 0.1.0) diff --git a/fastlane-plugin-wpmreleasetoolkit.gemspec b/fastlane-plugin-wpmreleasetoolkit.gemspec index 104f1b1b3..210b6151f 100644 --- a/fastlane-plugin-wpmreleasetoolkit.gemspec +++ b/fastlane-plugin-wpmreleasetoolkit.gemspec 
@@ -44,6 +44,7 @@ Gem::Specification.new do |spec| spec.add_dependency('parallel', '~> 1.14') spec.add_dependency('chroma', '0.2.0') spec.add_dependency('activesupport', '~> 4') + spec.add_dependency('rbnacl', '~> 7') spec.add_development_dependency('pry', '~> 0.12.2') spec.add_development_dependency('bundler', '>= 1.17') diff --git a/lib/fastlane/plugin/wpmreleasetoolkit/helper/encryption_helper.rb b/lib/fastlane/plugin/wpmreleasetoolkit/helper/encryption_helper.rb index 1e0d835e6..6af583ece 100644 --- a/lib/fastlane/plugin/wpmreleasetoolkit/helper/encryption_helper.rb +++ b/lib/fastlane/plugin/wpmreleasetoolkit/helper/encryption_helper.rb @@ -1,50 +1,22 @@ -require 'openssl' - module Fastlane module Helper class EncryptionHelper - module OperationType - ENCRYPT = 1 - DECRYPT = 2 - end - - def self.cipher(op_type) - cipher = OpenSSL::Cipher::AES256.new :CBC - - cipher.encrypt if op_type == OperationType::ENCRYPT - cipher.decrypt if op_type == OperationType::DECRYPT - - cipher - end def self.encrypt(plain_text, key) # Ensure consistent encoding plain_text.force_encoding(Encoding::UTF_8) - cipher = cipher(OperationType::ENCRYPT) - cipher.key = key - - encrypted = cipher.update(plain_text) - encrypted << cipher.final - - encrypted + box = RbNaCl::SimpleBox.from_secret_key(key) + box.encrypt(plain_text) end def self.decrypt(encrypted, key) - cipher = cipher(OperationType::DECRYPT) - cipher.key = key - - decrypted = cipher.update(encrypted) - decrypted << cipher.final - - # Ensure consistent encoding - decrypted.force_encoding(Encoding::UTF_8) - - decrypted + box = RbNaCl::SimpleBox.from_secret_key(key) + box.decrypt(encrypted) end def self.generate_key - cipher(OperationType::ENCRYPT).random_key + RbNaCl::Random.random_bytes(RbNaCl::SecretBox.key_bytes) end end end diff --git a/spec/encryption_helper_spec.rb b/spec/encryption_helper_spec.rb index 47b4fb45c..671f2d3e0 100644 --- a/spec/encryption_helper_spec.rb +++ b/spec/encryption_helper_spec.rb 
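Review bot: `spec.add_dependency('rbnacl', '~> 7')` pulls in a gem that binds the native libsodium library through FFI when it is loaded, so every project that consumes this plugin now needs libsodium installed on the machine, and a gemspec dependency cannot install it; the second patch only adds it to this repository's own CI brewfile. I would declare the prerequisite next to the new line, e.g. `spec.requirements << 'libsodium (https://libsodium.org) must be installed on the host'`, and mention it in the README or a `post_install_message`, so consumers see a documented requirement instead of a load error the first time `fastlane` starts. The `Gem::Specification.new` block begins before this hunk.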
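Review bot: `decrypt` now returns `box.decrypt(encrypted)` directly, and the removed `decrypted.force_encoding(Encoding::UTF_8)` is not carried over, so callers that previously received a UTF-8 string get (as far as I know RbNaCl's SecretBox output) an ASCII-8BIT string, and any non-ASCII secret no longer compares equal to what was encrypted; `box.decrypt(encrypted).force_encoding(Encoding::UTF_8)` restores the old contract. The failure modes change as well: a wrong key or tampered ciphertext now raises `RbNaCl::CryptoError` instead of `OpenSSL::Cipher::CipherError`, and a key that is not `RbNaCl::SecretBox.key_bytes` long raises `RbNaCl::LengthError` at `from_secret_key`, so callers rescuing the OpenSSL class should be audited. Because the output format is incompatible with the old AES-256-CBC ciphertext, the careful merge the commit message asks for would be easier with a class-level comment such as `# Authenticated encryption via RbNaCl::SimpleBox (XSalsa20-Poly1305): output is a random 24-byte nonce followed by the authenticated ciphertext; not compatible with data encrypted before this change`. Replacing unauthenticated CBC with an AEAD construction is the right direction.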
@@ -1,36 +1,17 @@ require 'spec_helper.rb' +require 'securerandom' describe Fastlane::Helper::EncryptionHelper do - let(:cipher) { double('cipher') } - before(:each) do - allow(OpenSSL::Cipher::AES256).to receive(:new).with(:CBC).and_return(cipher) + it 'can encrypt and decrypt data' do + string = SecureRandom.hex + key = Fastlane::Helper::EncryptionHelper.generate_key + encrypted = Fastlane::Helper::EncryptionHelper.encrypt(string, key) + decrypted = Fastlane::Helper::EncryptionHelper.decrypt(encrypted, key) + expect(string).to eq decrypted end - it 'encrypts the input' do - expect(cipher).to receive(:encrypt) - expect(cipher).to receive(:key=).with('key') - - expect(cipher).to receive(:update).with('plain text').and_return('encrypted') - expect(cipher).to receive(:final).and_return('!') - - expect(Fastlane::Helper::EncryptionHelper.encrypt('plain text', 'key')).to eq('encrypted!') - end - - it 'decrypts the input' do - expect(cipher).to receive(:decrypt) - expect(cipher).to receive(:key=).with('key') - - expect(cipher).to receive(:update).with('encrypted').and_return('plain text') - expect(cipher).to receive(:final).and_return('!') - - expect(Fastlane::Helper::EncryptionHelper.decrypt('encrypted', 'key')).to eq('plain text!') - end - - it 'generates a random key' do - expect(cipher).to receive(:encrypt) - expect(cipher).to receive(:random_key).and_return('random key') - - expect(Fastlane::Helper::EncryptionHelper.generate_key).to eq('random key') + it 'generates a random key that is 32 bytes long' do + expect(Fastlane::Helper::EncryptionHelper.generate_key.length).to eq(32) end end From 9bab7ae106e13ba87b4d62080c7063172d68e5d7 Mon Sep 17 00:00:00 2001 From: Jeremy Massel Date: Mon, 8 Jun 2020 15:19:58 -0600 Subject: [PATCH 2/2] Require libsodium be installed --- .circleci/.brewfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.circleci/.brewfile b/.circleci/.brewfile index 5b7ff29d0..6a08e9c95 100644 --- a/.circleci/.brewfile 
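Review bot: The new round-trip test under `it 'can encrypt and decrypt data'` uses `SecureRandom.hex`, whose output is pure ASCII, so it cannot notice that `decrypt` no longer forces its result to UTF-8 — an ASCII-only string compares equal across encodings, a non-ASCII one does not. It also never exercises the failure path, which is the property this migration changes most: authenticated decryption now raises `RbNaCl::CryptoError` on a wrong key or tampered ciphertext rather than returning garbage or raising `OpenSSL::Cipher::CipherError`. I would add a non-ASCII round trip that also checks the result encoding and a wrong-key/tampered case; if the first one fails on this branch, that is the encoding regression in the helper, not a test bug.
```ruby
it 'round-trips non-ASCII text as UTF-8' do
  string = 'päßwörd ✓'
  key = Fastlane::Helper::EncryptionHelper.generate_key
  encrypted = Fastlane::Helper::EncryptionHelper.encrypt(string.dup, key)
  decrypted = Fastlane::Helper::EncryptionHelper.decrypt(encrypted, key)
  expect(decrypted).to eq string
  expect(decrypted.encoding).to eq Encoding::UTF_8
end

it 'fails to decrypt with the wrong key or a tampered ciphertext' do
  key = Fastlane::Helper::EncryptionHelper.generate_key
  encrypted = Fastlane::Helper::EncryptionHelper.encrypt(SecureRandom.hex, key)
  other_key = Fastlane::Helper::EncryptionHelper.generate_key
  expect { Fastlane::Helper::EncryptionHelper.decrypt(encrypted, other_key) }.to raise_error(RbNaCl::CryptoError)
  tampered = encrypted.dup
  tampered[-1] = (tampered[-1].ord ^ 1).chr
  expect { Fastlane::Helper::EncryptionHelper.decrypt(tampered, key) }.to raise_error(RbNaCl::CryptoError)
end
```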
+++ b/.circleci/.brewfile
@@ -1,3 +1,4 @@
 pkg-config
 libxml2
-imagemagick@6
+imagemagick@6
+libsodium