diff --git a/hub/hub_service.bal b/hub/hub_service.bal index 90cce8a..d065715 100644 --- a/hub/hub_service.bal +++ b/hub/hub_service.bal @@ -24,6 +24,7 @@ import kafkaHub.util; import kafkaHub.health_check as healthcheck; import ballerina/jballerina.java; import ballerina/crypto; +import ballerina/random; http:Service healthCheckService = service object { @@ -173,6 +174,8 @@ service object { if config:SECURITY_ON { check security:authorizeSubscriber(headers, message.hubTopic); } + byte[] hash = crypto:hashSha256(( message.hubSecret).toBytes()); + message.hubSecret = hash.toBase64(); log:printInfo("Subscription request received", payload = message); return websubhub:SUBSCRIPTION_ACCEPTED; } @@ -198,6 +201,8 @@ service object { log:printError("Subscriber has already registered with the Hub", topic = topicName, callback = message.hubCallback); return error websubhub:SubscriptionDeniedError("Subscriber has already registered with the Hub"); } else { + byte[] hash = crypto:hashSha256(( message.hubSecret).toBytes()); + message.hubSecret = hash.toBase64(); log:printInfo("Validation done before sending intent verification", payload = message); } } @@ -213,10 +218,17 @@ service object { if (message.hubSecret is string) { string hubSecret = message.hubSecret; - byte[] data = hubSecret.toBytes(); + log:printInfo("Secret before Encryption", secret = hubSecret); string encryptionKey = config:HUB_SECRET_ENCRYPTION_KEY; - byte[] cipherText = check crypto:encryptAesEcb(data, encryptionKey.toBytes()); - message.hubSecret = check string:fromBytes(cipherText); + log:printInfo("Encryption of the hubsecret with configured key", encryptionKey = encryptionKey); + byte[16] initialVector = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; + foreach int i in 0...15 { + initialVector[i] = (check random:createIntInRange(0, 255)); + } + log:printInfo("Random generated iv value", iv = initialVector); + byte[] cipherText = check crypto:encryptAesGcm(hubSecret.toBytes(), encryptionKey.toBytes(), initialVector); + cipherText.push(...initialVector); + message.hubSecret = cipherText.toBase64(); } error? persistingResult = persist:addSubscription(message.cloneReadOnly()); diff --git a/hub/start_hub.bal b/hub/start_hub.bal index 8c858da..9dc4b39 100644 --- a/hub/start_hub.bal +++ b/hub/start_hub.bal @@ -25,6 +25,7 @@ import ballerina/mime; import kafkaHub.config; import kafkaHub.internal_topic_helper as internalTopicHelper; import ballerina/crypto; +import ballerina/lang.array; isolated map registeredTopicsCache = {}; isolated map subscribersCache = {}; @@ -180,10 +181,16 @@ function startMissingSubscribers(websubhub:VerifiedSubscription[] persistedSubsc if (subscriber.hubSecret is string) { string hubSecret = subscriber.hubSecret; - byte[] cipherText = hubSecret.toBytes(); + byte[] ivAppendedCipherText = check array:fromBase64(hubSecret); + int cipherLength = ivAppendedCipherText.length(); + byte[] cipher = ivAppendedCipherText.slice(0, cipherLength-16); + byte[] iv = ivAppendedCipherText.slice(cipherLength-16, cipherLength); + log:printInfo("Extracted iv before decryption", iv = iv); string encryptionKey = config:HUB_SECRET_ENCRYPTION_KEY; - byte[] plainText = check crypto:decryptAesEcb(cipherText, encryptionKey.toBytes()); + log:printInfo("Key used for decryption", key = encryptionKey); + byte[] plainText = check crypto:decryptAesGcm(cipher, encryptionKey.toBytes(), iv); subscriber.hubSecret = check string:fromBytes(plainText); + log:printInfo("secret after decryption", secret = subscriber.hubSecret); } websubhub:HubClient hubClientEp = check new (subscriber, {