Generate authSalt and contractSalt

okTurtles · Dec 7, 2024 · 140c826 · 140c826
1 parent 6a5a0d5
commit 140c826
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 20 deletions.
diff --git a/backend/zkppSalt.js b/backend/zkppSalt.js
@@ -303,21 +303,17 @@ export const updateContractSalt = async (contract: string, r: string, s: string,
   }
 
   try {
-    const argsObj = JSON.parse(Buffer.from(args).toString())
-
-    if (!Array.isArray(argsObj) || argsObj.length !== 3 || !argsObj.reduce((acc, cv) => acc && typeof cv === 'string', true)) {
-      console.error(`update: Error validating the encrypted arguments for contract ID ${contract} (${JSON.stringify({ r, s, hc })})`)
-      return false
-    }
-
-    const [hashedPassword, authSalt, contractSalt] = argsObj
+    const hashedPassword = Buffer.from(args).toString()
 
     const recordId = await computeZkppSaltRecordId(contract)
     if (!recordId) {
       console.error(`update: Error obtaining record ID for contract ID ${contract}`)
       return false
     }
 
+    const authSalt = Buffer.from(hashStringArray('AUTHSALT', c)).slice(0, 18).toString('base64')
+    const contractSalt = Buffer.from(hashStringArray('CONTRACTSALT', c)).slice(0, 18).toString('base64')
+
     const token = encryptSaltUpdate(
       hashUpdateSecret,
       recordId,

diff --git a/shared/zkpp.js b/shared/zkpp.js
@@ -137,27 +137,22 @@ export const buildRegisterSaltRequest = async (publicKey: string, secretKey: Uin
 }
 
 export const buildUpdateSaltRequestEa = async (password: string, c: Uint8Array): Promise<[string, string]> => {
-  // TODO: Derive S_A and S_C as follows:
-  //   -> q -< random
-  //   -> r -< SHA-512(SHA-512('SU') + SHA-512(q))
-  //   -> b -< SHA-512(r) // as it's now
-  // Then,
-  //   -> S_T -< BASE64(SHA-512(SHA-512(T) + SHA-512(q))[0..18]) with T being
+  // Derive S_A and S_C as follows:
+  //   -> S_T -< BASE64(SHA-512(SHA-512(T) + SHA-512(c))[0..18]) with T being
   //     `AUTHSALT` or `CONTRACTSALT`
   // This way, we ensure both the server and the client contribute to the
   //   salts' entropy.
   // When sending the encrypted data, the encrypted information would be
-  // `[hashedPassword, q]`, which needs to be verified server-side to verify
+  // `hashedPassword`, which needs to be verified server-side to verify
   // it matches p and would be used to derive S_A and S_C.
-  const [authSalt, contractSalt] = ['a', 'b']
+  const authSalt = Buffer.from(hashStringArray('AUTHSALT', c)).slice(0, 18).toString('base64')
+  const contractSalt = Buffer.from(hashStringArray('CONTRACTSALT', c)).slice(0, 18).toString('base64')
 
-  const encryptionKey = nacl.hash(Buffer.concat([
-    Buffer.from('SU'), Buffer.from(c)
-  ])).slice(0, nacl.secretbox.keyLength)
+  const encryptionKey = hashRawStringArray('SU', c).slice(0, nacl.secretbox.keyLength)
   const nonce = nacl.randomBytes(nacl.secretbox.nonceLength)
 
   const hashedPassword = await hashPassword(password, authSalt)
-  const encryptedArgsCiphertext = nacl.secretbox(Buffer.from(JSON.stringify([hashedPassword, authSalt, contractSalt])), nonce, encryptionKey)
+  const encryptedArgsCiphertext = nacl.secretbox(Buffer.from(hashedPassword), nonce, encryptionKey)
 
   const encryptedArgs = Buffer.concat([nonce, encryptedArgsCiphertext])