add encryption & decryption for the sensitive identity & mnemonic in SQL DB

2 weeks ago · 0bfc18c385
8 changed files with 105 additions and 48 deletions
--- a/src/components/DataExportSection.vue
+++ b/src/components/DataExportSection.vue
@ -62,7 +62,7 @@ backup and database export, with platform-specific download instructions. * *

 <script lang="ts">
 import { Component, Prop, Vue } from "vue-facing-decorator";
-import { NotificationIface } from "../constants/app";
+import { AppString, NotificationIface } from "../constants/app";
 import { db } from "../db/index";
 import { logger } from "../utils/logger";
 import { PlatformServiceFactory } from "../services/PlatformServiceFactory";
@ -145,7 +145,7 @@ export default class DataExportSection extends Vue {
          return { value, key };
        },
      });
-      const fileName = `${db.name}-backup.json`;
+      const fileName = `${AppString.APP_NAME_NO_SPACES}-backup.json`;

      if (this.platformCapabilities.hasFileDownload) {
        // Web platform: Use download link
@ -159,6 +159,8 @@ export default class DataExportSection extends Vue {
        // Native platform: Write to app directory
        const content = await blob.text();
        await this.platformService.writeAndShareFile(fileName, content);
+      } else {
+        throw new Error("This platform does not support file downloads.");
      }

      this.$notify(
--- a/src/constants/app.ts
+++ b/src/constants/app.ts
@ -51,7 +51,7 @@ export const IMAGE_TYPE_PROFILE = "profile";
 export const PASSKEYS_ENABLED =
  !!import.meta.env.VITE_PASSKEYS_ENABLED || false;

-export const USE_DEXIE_DB = false;
+export const USE_DEXIE_DB = true;

 /**
 * The possible values for "group" and "type" are in App.vue.
--- a/src/db-sql/migration.ts
+++ b/src/db-sql/migration.ts
@ -1,6 +1,7 @@
 import migrationService from "../services/migrationService";
 import type { QueryExecResult, SqlValue } from "../interfaces/database";
 import { DEFAULT_ENDORSER_API_SERVER } from "@/constants/app";
+import { arrayBufferToBase64 } from "@/libs/crypto";

 // Generate a random secret for the secret table

@ -25,7 +26,7 @@ import { DEFAULT_ENDORSER_API_SERVER } from "@/constants/app";
 // where they couldn't take action because they couldn't unlock that identity.)

 const randomBytes = crypto.getRandomValues(new Uint8Array(32));
-const secret = btoa(String.fromCharCode(...randomBytes));
+const secretBase64 = arrayBufferToBase64(randomBytes);

 // Each migration can include multiple SQL statements (with semicolons)
 const MIGRATIONS = [
@ -51,7 +52,7 @@ const MIGRATIONS = [
        secretBase64 TEXT NOT NULL
      );

-      INSERT INTO secret (id, secretBase64) VALUES (1, '${secret}');
+      INSERT INTO secret (id, secretBase64) VALUES (1, '${secretBase64}');

      CREATE TABLE IF NOT EXISTS settings (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
--- a/src/db/tables/accounts.ts
+++ b/src/db/tables/accounts.ts
@ -45,6 +45,11 @@ export type Account = {
  publicKeyHex: string;
 };

+export type AccountEncrypted = Account & {
+  identityEncrBase64: string;
+  mnemonicEncrBase64: string;
+};
+
 /**
 * Schema for the accounts table in the database.
 * Fields starting with a $ character are encrypted.
--- a/src/libs/crypto/index.ts
+++ b/src/libs/crypto/index.ts
@ -159,7 +159,7 @@ export const nextDerivationPath = (origDerivPath: string) => {
 };

 // Base64 encoding/decoding utilities for browser
-function base64ToArrayBuffer(base64: string): Uint8Array {
+export function base64ToArrayBuffer(base64: string): Uint8Array {
  const binaryString = atob(base64);
  const bytes = new Uint8Array(binaryString.length);
  for (let i = 0; i < binaryString.length; i++) {
@ -168,7 +168,7 @@ function base64ToArrayBuffer(base64: string): Uint8Array {
  return bytes;
 }

-function arrayBufferToBase64(buffer: ArrayBuffer): string {
+export function arrayBufferToBase64(buffer: ArrayBuffer): string {
  const binary = String.fromCharCode(...new Uint8Array(buffer));
  return btoa(binary);
 }
@ -178,7 +178,7 @@ const IV_LENGTH = 12;
 const KEY_LENGTH = 256;
 const ITERATIONS = 100000;

-// Encryption helper function
+// Message encryption helper function, used for onboarding meeting messages
 export async function encryptMessage(message: string, password: string) {
  const encoder = new TextEncoder();
  const salt = crypto.getRandomValues(new Uint8Array(SALT_LENGTH));
@ -226,7 +226,7 @@ export async function encryptMessage(message: string, password: string) {
  return btoa(JSON.stringify(result));
 }

-// Decryption helper function
+// Message decryption helper function, used for onboarding meeting messages
 export async function decryptMessage(encryptedJson: string, password: string) {
  const decoder = new TextDecoder();
  const { salt, iv, encrypted } = JSON.parse(atob(encryptedJson));
@ -311,17 +311,17 @@ export async function testMessageEncryptionDecryption() {
  }
 }

-// Simple encryption/decryption using Node's crypto
+// Simple encryption using Node's crypto, used for the initial encryption of the identity and mnemonic
 export async function simpleEncrypt(
  text: string,
-  secret: string,
-): Promise<string> {
+  secret: ArrayBuffer,
+): Promise<ArrayBuffer> {
  const iv = crypto.getRandomValues(new Uint8Array(16));

  // Derive a 256-bit key from the secret using SHA-256
  const keyData = await crypto.subtle.digest(
    "SHA-256",
-    new TextEncoder().encode(secret),
+    secret,
  );
  const key = await crypto.subtle.importKey(
    "raw",
@ -342,14 +342,15 @@ export async function simpleEncrypt(
  result.set(iv);
  result.set(new Uint8Array(encrypted), iv.length);

-  return btoa(String.fromCharCode(...result));
+  return result.buffer;
 }

+// Simple decryption using Node's crypto, used for the default decryption of identity and mnemonic
 export async function simpleDecrypt(
-  encryptedText: string,
-  secret: string,
+  encryptedText: ArrayBuffer,
+  secret: ArrayBuffer,
 ): Promise<string> {
-  const data = Uint8Array.from(atob(encryptedText), (c) => c.charCodeAt(0));
+  const data = new Uint8Array(encryptedText);

  // Extract IV and encrypted data
  const iv = data.slice(0, 16);
@ -358,7 +359,7 @@ export async function simpleDecrypt(
  // Derive the same 256-bit key from the secret using SHA-256
  const keyData = await crypto.subtle.digest(
    "SHA-256",
-    new TextEncoder().encode(secret),
+    secret,
  );
  const key = await crypto.subtle.importKey(
    "raw",
@ -381,18 +382,20 @@ export async function simpleDecrypt(
 export async function testSimpleEncryptionDecryption() {
  try {
    const testMessage = "Hello, this is a test message! 🚀";
-    const testSecret = "myTestSecret123";
+    const testSecret = crypto.getRandomValues(new Uint8Array(32));

    logger.log("Original message:", testMessage);

    // Test encryption
    logger.log("Encrypting...");
    const encrypted = await simpleEncrypt(testMessage, testSecret);
-    logger.log("Encrypted result:", encrypted);
+    const encryptedBase64 = arrayBufferToBase64(encrypted);
+    logger.log("Encrypted result:", encryptedBase64);

    // Test decryption
    logger.log("Decrypting...");
-    const decrypted = await simpleDecrypt(encrypted, testSecret);
+    const encryptedArrayBuffer = base64ToArrayBuffer(encryptedBase64);
+    const decrypted = await simpleDecrypt(encryptedArrayBuffer, testSecret);
    logger.log("Decrypted result:", decrypted);

    // Verify
@ -403,7 +406,7 @@ export async function testSimpleEncryptionDecryption() {
    // Test with wrong secret
    logger.log("\nTesting with wrong secret...");
    try {
-      await simpleDecrypt(encrypted, "wrongSecret");
+      await simpleDecrypt(encryptedArrayBuffer, new Uint8Array(32));
      logger.log("Incorrectly decrypted with wrong secret ❌");
    } catch (error) {
      logger.log("Correctly failed to decrypt with wrong secret ✅");
--- a/src/libs/util.ts
+++ b/src/libs/util.ts
@ -16,11 +16,11 @@ import {
  updateAccountSettings,
  updateDefaultSettings,
 } from "../db/index";
-import { Account } from "../db/tables/accounts";
+import { Account, AccountEncrypted } from "../db/tables/accounts";
 import { Contact } from "../db/tables/contacts";
 import * as databaseUtil from "../db/databaseUtil";
 import { DEFAULT_PASSKEY_EXPIRATION_MINUTES } from "../db/tables/settings";
-import { deriveAddress, generateSeed, newIdentifier } from "../libs/crypto";
+import { arrayBufferToBase64, base64ToArrayBuffer, deriveAddress, generateSeed, newIdentifier, simpleDecrypt, simpleEncrypt } from "../libs/crypto";
 import * as serverUtil from "../libs/endorserServer";
 import {
  containsHiddenDid,
@ -466,9 +466,17 @@ export function findAllVisibleToDids(
 export interface AccountKeyInfo extends Account, KeyMeta {}

 export const retrieveAccountCount = async (): Promise<number> => {
-  // one of the few times we use accountsDBPromise directly; try to avoid more usage
-  const accountsDB = await accountsDBPromise;
-  return await accountsDB.accounts.count();
+  let result;
+  const platformService = PlatformServiceFactory.getInstance();
+  const dbResult = await platformService.dbQuery(`SELECT COUNT(*) FROM accounts`);
+  result = dbResult.values[0][0] as number;
+
+  if (USE_DEXIE_DB) {
+    // one of the few times we use accountsDBPromise directly; try to avoid more usage
+    const accountsDB = await accountsDBPromise;
+    result = await accountsDB.accounts.count();
+  }
+  return result;
 };

 export const retrieveAccountDids = async (): Promise<string[]> => {
@ -513,13 +521,35 @@ export const retrieveAllAccountsMetadata = async (): Promise<Account[]> => {
 export const retrieveFullyDecryptedAccount = async (
  activeDid: string,
 ): Promise<AccountKeyInfo | undefined> => {
-  // one of the few times we use accountsDBPromise directly; try to avoid more usage
-  const accountsDB = await accountsDBPromise;
-  const account = (await accountsDB.accounts
-    .where("did")
-    .equals(activeDid)
-    .first()) as Account;
-  return account;
+  let result: AccountKeyInfo | undefined = undefined;
+  const platformService = PlatformServiceFactory.getInstance();
+  const dbSecrets = await platformService.dbQuery(`SELECT secretBase64 from secret`);
+  if (!dbSecrets || dbSecrets.values.length === 0 || dbSecrets.values[0].length === 0) {
+    throw new Error("No secret found. We recommend you clear your data and start over.");
+  }
+  const secretBase64 = dbSecrets.values[0][0] as string;
+  const secret = base64ToArrayBuffer(secretBase64);
+  const dbAccount = await platformService.dbQuery(`SELECT * FROM accounts WHERE did = ?`, [activeDid]);
+  if (!dbAccount || dbAccount.values.length === 0 || dbAccount.values[0].length === 0) {
+    throw new Error("Account not found.");
+  }
+  const fullAccountData = databaseUtil.mapColumnsToValues(dbAccount.columns, dbAccount.values)[0] as AccountEncrypted;
+  const identityEncr = base64ToArrayBuffer(fullAccountData.identityEncrBase64);
+  const mnemonicEncr = base64ToArrayBuffer(fullAccountData.mnemonicEncrBase64);
+  fullAccountData.identity = await simpleDecrypt(identityEncr, secret);
+  fullAccountData.mnemonic = await simpleDecrypt(mnemonicEncr, secret);
+  result = fullAccountData;
+  
+  if (USE_DEXIE_DB) {
+    // one of the few times we use accountsDBPromise directly; try to avoid more usage
+    const accountsDB = await accountsDBPromise;
+    const account = (await accountsDB.accounts
+      .where("did")
+      .equals(activeDid)
+      .first()) as Account;
+    result = account;
+  }
+  return result;
 };

 // let's try and eliminate this
@ -548,15 +578,25 @@ export const generateSaveAndActivateIdentity = async (): Promise<string> => {
  try {
    // add to the new sql db
    const platformService = PlatformServiceFactory.getInstance();
+    const secrets = await platformService.dbQuery(`SELECT secretBase64 FROM secret`);
+    if (secrets.values.length === 0 || secrets.values[0].length === 0) {
+      throw new Error("No initial encryption supported. We recommend you clear your data and start over.");
+    }
+    const secretBase64 = secrets.values[0][0] as string;
+    const secret = base64ToArrayBuffer(secretBase64);
+    const encryptedIdentity = await simpleEncrypt(identity, secret);
+    const encryptedMnemonic = await simpleEncrypt(mnemonic, secret);
+    const encryptedIdentityBase64 = arrayBufferToBase64(encryptedIdentity);
+    const encryptedMnemonicBase64 = arrayBufferToBase64(encryptedMnemonic);
    await platformService.dbExec(
-      `INSERT INTO accounts (dateCreated, derivationPath, did, identity, mnemonic, publicKeyHex) 
+      `INSERT INTO accounts (dateCreated, derivationPath, did, identityEncrBase64, mnemonicEncrBase64, publicKeyHex)
       VALUES (?, ?, ?, ?, ?, ?)`,
      [
        new Date().toISOString(),
        derivationPath,
        newId.did,
-        identity,
-        mnemonic,
+        encryptedIdentityBase64,
+        encryptedMnemonicBase64,
        newId.keys[0].publicKeyHex,
      ],
    );
--- a/src/views/SeedBackupView.vue
+++ b/src/views/SeedBackupView.vue
@ -109,9 +109,10 @@ import { Component, Vue } from "vue-facing-decorator";
 import { useClipboard } from "@vueuse/core";

 import QuickNav from "../components/QuickNav.vue";
-import { NotificationIface } from "../constants/app";
+import { NotificationIface, USE_DEXIE_DB } from "../constants/app";
 import { retrieveSettingsForActiveAccount } from "../db/index";
 import { Account } from "../db/tables/accounts";
+import * as databaseUtil from "../db/databaseUtil";
 import {
  retrieveAccountCount,
  retrieveFullyDecryptedAccount,
@ -131,8 +132,14 @@ export default class SeedBackupView extends Vue {
  // 'created' hook runs when the Vue instance is first created
  async created() {
    try {
-      const settings = await retrieveSettingsForActiveAccount();
-      const activeDid = settings.activeDid || "";
+      let activeDid = "";
+      const settings = await databaseUtil.retrieveSettingsForActiveAccount();
+      activeDid = settings.activeDid || "";
+
+      if (USE_DEXIE_DB) {
+        const settings = await retrieveSettingsForActiveAccount();
+        activeDid = settings.activeDid || "";
+      }

      this.numAccounts = await retrieveAccountCount();
      this.activeAccount = await retrieveFullyDecryptedAccount(activeDid);
--- a/src/views/TestView.vue
+++ b/src/views/TestView.vue
@ -163,13 +163,6 @@

    <div class="mt-8">
      <h2 class="text-xl font-bold mb-4">SQL Operations</h2>
-      <div>
-        <textarea
-          v-model="sqlQuery"
-          class="w-full h-32 p-2 border border-gray-300 rounded-md font-mono"
-          placeholder="Enter your SQL query here..."
-        ></textarea>
-      </div>
      <div class="flex gap-2 mt-2">
        <button
          class="text-sm text-blue-600 hover:text-blue-800 underline"
@ -180,7 +173,13 @@
          All Tables
        </button>
      </div>
-
+      <div>
+        <textarea
+          v-model="sqlQuery"
+          class="w-full h-32 p-2 border border-gray-300 rounded-md font-mono"
+          placeholder="Enter your SQL query here..."
+        ></textarea>
+      </div>
      <div class="mt-4">
        <button
          class="font-bold capitalize bg-slate-500 text-white px-3 py-2 rounded-md mr-2"