Merge pull request #270 from gvolpe/fix/crypto-interpreter

Fix Crypto interpreter

Author: gvolpe

modules/core/src/main/scala/shop/algebras/crypto.scala

@@ -1,13 +1,16 @@
 package shop.algebras
 
-import javax.crypto.spec.{ PBEKeySpec, SecretKeySpec }
+import java.security.SecureRandom
+import java.util.Base64
+import javax.crypto.spec.{IvParameterSpec, PBEKeySpec, SecretKeySpec}
 import javax.crypto.{ Cipher, SecretKeyFactory }
 
 import shop.config.data.PasswordSalt
 import shop.domain.auth._
 
 import cats.effect.Sync
 import cats.syntax.all._
+import eu.timepit.refined.auto._
 
 trait Crypto {
   def encrypt(value: Password): EncryptedPassword
@@ -18,15 +21,19 @@ object LiveCrypto {
   def make[F[_]: Sync](secret: PasswordSalt): F[Crypto] =
     Sync[F]
       .delay {
-        val salt     = secret.value.value.value.getBytes("UTF-8")
+        val random  = new SecureRandom()
+        val ivBytes = new Array[Byte](16)
+        random.nextBytes(ivBytes)
+        val iv       = new IvParameterSpec(ivBytes);
+        val salt     = secret.value.value.getBytes("UTF-8")
         val keySpec  = new PBEKeySpec("password".toCharArray(), salt, 65536, 256)
         val factory  = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
         val bytes    = factory.generateSecret(keySpec).getEncoded
         val sKeySpec = new SecretKeySpec(bytes, "AES")
-        val eCipher  = EncryptCipher(Cipher.getInstance("AES"))
-        eCipher.value.init(Cipher.ENCRYPT_MODE, sKeySpec)
-        val dCipher = DecryptCipher(Cipher.getInstance("AES"))
-        dCipher.value.init(Cipher.DECRYPT_MODE, sKeySpec)
+        val eCipher  = EncryptCipher(Cipher.getInstance("AES/CBC/PKCS5Padding"))
+        eCipher.value.init(Cipher.ENCRYPT_MODE, sKeySpec, iv)
+        val dCipher = DecryptCipher(Cipher.getInstance("AES/CBC/PKCS5Padding"))
+        dCipher.value.init(Cipher.DECRYPT_MODE, sKeySpec, iv)
         (eCipher, dCipher)
       }
       .map {
@@ -40,21 +47,18 @@ final class LiveCrypto private (
     dCipher: DecryptCipher
 ) extends Crypto {
 
-  // Workaround for PostgreSQL ERROR: invalid byte sequence for encoding "UTF8": 0x00
-  private val Key = "=DownInAHole="
-
   def encrypt(password: Password): EncryptedPassword = {
-    val bytes      = password.value.getBytes("UTF-8")
-    val result     = new String(eCipher.value.doFinal(bytes), "UTF-8")
-    val removeNull = result.replaceAll("\\u0000", Key)
-    EncryptedPassword(removeNull)
+    val base64 = Base64.getEncoder()
+    val bytes  = password.value.getBytes("UTF-8")
+    val result = new String(base64.encode(eCipher.value.doFinal(bytes)), "UTF-8")
+    EncryptedPassword(result)
   }
 
   def decrypt(password: EncryptedPassword): Password = {
-    val bytes      = password.value.getBytes("UTF-8")
-    val result     = new String(dCipher.value.doFinal(bytes), "UTF-8")
-    val insertNull = result.replaceAll(Key, "\\u0000")
-    Password(insertNull)
+    val base64 = Base64.getDecoder()
+    val bytes  = base64.decode(password.value.getBytes("UTF-8"))
+    val result = new String(dCipher.value.doFinal(bytes), "UTF-8")
+    Password(result)
   }
 
 }

modules/tests/src/test/scala/shop/interpreters/CryptoSuite.scala

@@ -0,0 +1,28 @@
+package shop.interpreters
+
+import shop.algebras.LiveCrypto
+import shop.config.data.PasswordSalt
+import shop.domain.auth.Password
+
+import cats.effect.IO
+import ciris.Secret
+import eu.timepit.refined.auto._
+import eu.timepit.refined.cats._
+import suite._
+
+final class CryptoSuite extends PureTestSuite {
+
+  private val salt = PasswordSalt(Secret("53kr3t"))
+
+  test("password encoding and decoding roundtrip") {
+    IOAssertion {
+      LiveCrypto.make[IO](salt).map { crypto =>
+        val ini = Password("simple123")
+        val enc = crypto.encrypt(ini)
+        val dec = crypto.decrypt(enc)
+        assertEquals(dec, ini)
+      }
+    }
+  }
+
+}