Removes hash/cipher configuration and changes AESGCM128 for CHACHA20POLY1305

Updates tests accordingly
2025-12-18 06:34:19 +01:00 · 2019-12-04 17:46:07 +01:00
parent c679d59451
commit f0150ce585
22 changed files with 78 additions and 351 deletions
--- a/apps/cli/init.py
+++ b/apps/cli/init.py
@@ -9,10 +9,6 @@ DEFAULT_PISA_API_PORT = 9814
 CLIENT_LOG_FILE = "pisa-cli.log"
 APPOINTMENTS_FOLDER_NAME = "appointments"

-# CRYPTO
-SUPPORTED_HASH_FUNCTIONS = ["SHA256"]
-SUPPORTED_CIPHERS = ["AES-GCM-128"]
-
 CLI_PUBLIC_KEY = "cli_pk.pem"
 CLI_PRIVATE_KEY = "cli_sk.pem"
 PISA_PUBLIC_KEY = "pisa_pk.pem"
--- a/apps/cli/blob.py
+++ b/apps/cli/blob.py
@@ -1,34 +1,17 @@
 import re
 from hashlib import sha256
 from binascii import hexlify, unhexlify
-from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305

-from apps.cli import SUPPORTED_HASH_FUNCTIONS, SUPPORTED_CIPHERS
 from apps.cli import logger


 class Blob:
-    def __init__(self, data, cipher, hash_function):
+    def __init__(self, data):
        if type(data) is not str or re.search(r"^[0-9A-Fa-f]+$", data) is None:
            raise ValueError("Non-Hex character found in txid.")

        self.data = data
-        self.cipher = cipher
-        self.hash_function = hash_function
-
-        # FIXME: We only support SHA256 for now
-        if self.hash_function.upper() not in SUPPORTED_HASH_FUNCTIONS:
-            raise ValueError(
-                "Hash function not supported ({}). Supported Hash functions: {}".format(
-                    self.hash_function, SUPPORTED_HASH_FUNCTIONS
-                )
-            )
-
-        # FIXME: We only support AES-GCM-128 for now
-        if self.cipher.upper() not in SUPPORTED_CIPHERS:
-            raise ValueError(
-                "Cipher not supported ({}). Supported ciphers: {}".format(self.hash_function, SUPPORTED_CIPHERS)
-            )

    def encrypt(self, tx_id):
        if len(tx_id) != 64:
@@ -40,26 +23,18 @@ class Blob:
        # Transaction to be encrypted
        # FIXME: The blob data should contain more things that just the transaction. Leaving like this for now.
        tx = unhexlify(self.data)
-        tx_id = unhexlify(tx_id)

-        # master_key = H(tx_id | tx_id)
-        master_key = sha256(tx_id + tx_id).digest()
-
-        # The 16 MSB of the master key will serve as the AES GCM 128 secret key. The 16 LSB will serve as the IV.
-        sk = master_key[:16]
-        nonce = master_key[16:]
+        # sk is the H(txid) (32-byte) and nonce is set to 0 (12-byte)
+        sk = sha256(unhexlify(tx_id)).digest()
+        nonce = bytearray(12)

        # Encrypt the data
-        aesgcm = AESGCM(sk)
-        encrypted_blob = aesgcm.encrypt(nonce=nonce, data=tx, associated_data=None)
+        cipher = ChaCha20Poly1305(sk)
+        encrypted_blob = cipher.encrypt(nonce=nonce, data=tx, associated_data=None)
        encrypted_blob = hexlify(encrypted_blob).decode()

        logger.info(
-            "Creating new blob",
-            master_key=hexlify(master_key).decode(),
-            sk=hexlify(sk).decode(),
-            nonce=hexlify(nonce).decode(),
-            encrypted_blob=encrypted_blob,
+            "Creating new blob", sk=hexlify(sk).decode(), nonce=hexlify(nonce).decode(), encrypted_blob=encrypted_blob
        )

        return encrypted_blob
--- a/apps/cli/pisa_cli.py
+++ b/apps/cli/pisa_cli.py
@@ -5,7 +5,6 @@ import json
 import requests
 import time
 from sys import argv
-from hashlib import sha256
 from binascii import hexlify, unhexlify
 from getopt import getopt, GetoptError
 from requests import ConnectTimeout, ConnectionError
@@ -91,6 +90,10 @@ def load_private_key(sk_pem):
        raise ValueError("Could not deserialize the private key (unsupported algorithm).")


+def compute_locator(tx_id):
+    return tx_id[:32]
+
+
 # returning True or False accordingly.
 def is_appointment_signature_valid(appointment, signature, pk):
    try:
@@ -308,13 +311,10 @@ def get_appointment(args):


 def build_appointment(tx, tx_id, start_time, end_time, dispute_delta):
-    locator = sha256(unhexlify(tx_id)).hexdigest()
-
-    cipher = "AES-GCM-128"
-    hash_function = "SHA256"
+    locator = compute_locator(tx_id)

    # FIXME: The blob data should contain more things that just the transaction. Leaving like this for now.
-    blob = Blob(tx, cipher, hash_function)
+    blob = Blob(tx)
    encrypted_blob = blob.encrypt(tx_id)

    appointment = {
@@ -323,8 +323,6 @@ def build_appointment(tx, tx_id, start_time, end_time, dispute_delta):
        "end_time": end_time,
        "dispute_delta": dispute_delta,
        "encrypted_blob": encrypted_blob,
-        "cipher": cipher,
-        "hash_function": hash_function,
    }

    return appointment