MOSIP-24522 (#234)

Signed-off-by: HimajaDhanyamraju2 <[email protected]>
mosip · Jan 30, 2024 · 56b5f4b · 56b5f4b
1 parent 20cfdff
commit 56b5f4b
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 5 deletions.
diff --git a/hub/hub_service.bal b/hub/hub_service.bal
@@ -24,6 +24,7 @@ import kafkaHub.util;
 import kafkaHub.health_check as healthcheck;
 import ballerina/jballerina.java;
 import ballerina/crypto;
+import ballerina/random;
 
 http:Service healthCheckService = service object {
 
@@ -173,6 +174,8 @@ service object {
         if config:SECURITY_ON {
             check security:authorizeSubscriber(headers, message.hubTopic);
         }
+        byte[] hash = crypto:hashSha256((<string> message.hubSecret).toBytes());
+        message.hubSecret = hash.toBase64();
         log:printInfo("Subscription request received", payload = message);
         return websubhub:SUBSCRIPTION_ACCEPTED;
     }
@@ -198,6 +201,8 @@ service object {
             log:printError("Subscriber has already registered with the Hub", topic = topicName, callback = message.hubCallback);
             return error websubhub:SubscriptionDeniedError("Subscriber has already registered with the Hub");
         } else {
+            byte[] hash = crypto:hashSha256((<string> message.hubSecret).toBytes());
+            message.hubSecret = hash.toBase64();
             log:printInfo("Validation done before sending intent verification", payload = message);
         }
     }
@@ -213,10 +218,17 @@ service object {
 
         if (message.hubSecret is string) {
             string hubSecret = <string> message.hubSecret;
-            byte[] data = hubSecret.toBytes();
+            log:printInfo("Secret before Encryption", secret = hubSecret);
             string encryptionKey = config:HUB_SECRET_ENCRYPTION_KEY;
-            byte[] cipherText = check crypto:encryptAesEcb(data, encryptionKey.toBytes());
-            message.hubSecret = check string:fromBytes(cipherText);
+            log:printInfo("Encryption of the hubsecret with configured key", encryptionKey = encryptionKey);
+            byte[16] initialVector = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
+            foreach int i in 0...15 {
+                initialVector[i] = <byte>(check random:createIntInRange(0, 255));
+            }
+            log:printInfo("Random generated iv value", iv = initialVector);
+            byte[] cipherText = check crypto:encryptAesGcm(hubSecret.toBytes(), encryptionKey.toBytes(), initialVector);
+            cipherText.push(...initialVector);
+            message.hubSecret = cipherText.toBase64();
         }
 
         error? persistingResult = persist:addSubscription(message.cloneReadOnly());

diff --git a/hub/start_hub.bal b/hub/start_hub.bal
@@ -25,6 +25,7 @@ import ballerina/mime;
 import kafkaHub.config;
 import kafkaHub.internal_topic_helper as internalTopicHelper;
 import ballerina/crypto;
+import ballerina/lang.array;
 
 isolated map<websubhub:TopicRegistration> registeredTopicsCache = {};
 isolated map<websubhub:VerifiedSubscription> subscribersCache = {};
@@ -180,10 +181,16 @@ function startMissingSubscribers(websubhub:VerifiedSubscription[] persistedSubsc
 
             if (subscriber.hubSecret is string) {
                 string hubSecret = <string>subscriber.hubSecret;
-                byte[] cipherText = hubSecret.toBytes();
+                byte[] ivAppendedCipherText = check array:fromBase64(hubSecret);
+                int cipherLength = ivAppendedCipherText.length();
+                byte[] cipher = ivAppendedCipherText.slice(0, cipherLength-16);
+                byte[] iv = ivAppendedCipherText.slice(cipherLength-16, cipherLength);
+                log:printInfo("Extracted iv before decryption", iv = iv);
                 string encryptionKey = config:HUB_SECRET_ENCRYPTION_KEY;
-                byte[] plainText = check crypto:decryptAesEcb(cipherText, encryptionKey.toBytes());
+                log:printInfo("Key used for decryption", key = encryptionKey);
+                byte[] plainText = check crypto:decryptAesGcm(cipher, encryptionKey.toBytes(), iv);
                 subscriber.hubSecret = check string:fromBytes(plainText);
+                log:printInfo("secret after decryption", secret = subscriber.hubSecret);
             }
 
             websubhub:HubClient hubClientEp = check new (subscriber, {