Merge pull request #21 from TrustWallet/mig-key

Migrate away from compromised key and initialized vector
pull/2/head
Philipp Rieger 7 years ago committed by GitHub
commit e8552f72e8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 4
      app/src/main/cpp/native-lib.c
  2. 19
      app/src/main/java/com/wallet/crypto/trustapp/controller/PasswordManager.java

@ -8,7 +8,7 @@ JNIEXPORT jstring JNICALL
Java_com_wallet_crypto_trustapp_controller_PasswordManager_getKeyStringFromNative( JNIEnv* env, jobject thiz )
{
// TODO: fill in your key - must be 32 bytes
const jstring key = "35TheTru5tWa11ets3cr3tK3y377123!";
const jstring key = "ThisIsNotTheKeyYoureLookingFor!!";
return (*env)->NewStringUTF(env, key);
}
@ -16,6 +16,6 @@ JNIEXPORT jbyteArray JNICALL
Java_com_wallet_crypto_trustapp_controller_PasswordManager_getIvStringFromNative( JNIEnv* env, jobject thiz )
{
// TODO: fill in your iv - must be 16 bytes
const jstring iv = "8201va0184a0md8i";
const jstring iv = "NorTheInitVector";
return (*env)->NewStringUTF(env, iv);
}

@ -4,6 +4,7 @@ import android.content.Context;
import android.content.SharedPreferences;
import android.preference.PreferenceManager;
import android.util.Base64;
import android.util.Log;
import java.io.UnsupportedEncodingException;
import java.security.InvalidAlgorithmParameterException;
@ -59,6 +60,12 @@ public final class PasswordManager {
System.loadLibrary("native-lib");
}
// These key and iv were compromised after being committed to the public github repo.
// To migrate old clients, we will first attempt to decrypt using these keys.
// TODO: remove once all 1.3.2 clients have upgraded
private final static String legacyKey = "35TheTru5tWa11ets3cr3tK3y377123!";
private final static String legacyIv = "8201va0184a0md8i";
public static native String getKeyStringFromNative();
public static native String getIvStringFromNative();
@ -121,6 +128,18 @@ public final class PasswordManager {
SharedPreferences sharedPreferences = PreferenceManager.getDefaultSharedPreferences(context);
final byte[] encryptedPassword = Base64.decode(sharedPreferences.getString(address + "-pwd", null), Base64.DEFAULT);
// Attempt to decrypt using legacy key/iv to migrate old clients
// TODO: remove once all clients have upgraded from 1.3.2
SecretKey oldKey = new SecretKeySpec(legacyKey.getBytes("UTF-8"), "AES");
IvParameterSpec oldIv = new IvParameterSpec(legacyIv.getBytes("UTF-8"));
try {
final String decryptedPassword = decrypt(encryptedPassword, oldKey, oldIv);
return decryptedPassword;
} catch (Exception e) {
Log.e("PASSMAN", e.getMessage());
}
// If decryption fails, it is most likely because this is a new client
// decrypt password
SecretKey key = new SecretKeySpec(getKeyStringFromNative().getBytes("UTF-8"), "AES");
IvParameterSpec iv = new IvParameterSpec(getIvStringFromNative().getBytes("UTF-8"));

Loading…
Cancel
Save