crypto: Correctly generate a random nonce for pickling of the signing objects.

master
Damir Jelić 2020-10-21 12:55:45 +02:00
parent 7cab7cadc9
commit 6a7da5a8b6
1 changed files with 8 additions and 1 deletions

View File

@ -19,6 +19,7 @@ use aes_gcm::{
Aes256Gcm, Aes256Gcm,
}; };
use base64::{decode_config, encode_config, DecodeError, URL_SAFE_NO_PAD}; use base64::{decode_config, encode_config, DecodeError, URL_SAFE_NO_PAD};
use getrandom::getrandom;
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use std::{ use std::{
collections::BTreeMap, collections::BTreeMap,
@ -42,6 +43,8 @@ use crate::{
requests::UploadSigningKeysRequest, requests::UploadSigningKeysRequest,
}; };
const NONCE_SIZE: usize = 12;
fn encode<T: AsRef<[u8]>>(input: T) -> String { fn encode<T: AsRef<[u8]>>(input: T) -> String {
encode_config(input, URL_SAFE_NO_PAD) encode_config(input, URL_SAFE_NO_PAD)
} }
@ -276,7 +279,11 @@ impl Signing {
async fn pickle(&self, pickle_key: &[u8]) -> PickledSigning { async fn pickle(&self, pickle_key: &[u8]) -> PickledSigning {
let key = GenericArray::from_slice(pickle_key); let key = GenericArray::from_slice(pickle_key);
let cipher = Aes256Gcm::new(key); let cipher = Aes256Gcm::new(key);
let nonce = GenericArray::from_slice(b"unique nonce");
let mut nonce = vec![0u8; NONCE_SIZE];
getrandom(&mut nonce).expect("Can't generate nonce to pickle the signing object");
let nonce = GenericArray::from_slice(nonce.as_slice());
let ciphertext = cipher let ciphertext = cipher
.encrypt(nonce, self.seed.as_slice()) .encrypt(nonce, self.seed.as_slice())
.expect("Can't encrypt signing pickle"); .expect("Can't encrypt signing pickle");