security: replace SHA-256 with PBKDF2-HMAC-SHA256 for key derivation
Some checks failed
API Endpoint Tests / test-api-endpoints (push) Successful in 10s
Blockchain Synchronization Verification / sync-verification (push) Failing after 3s
CLI Tests / test-cli (push) Failing after 2s
Integration Tests / test-service-integration (push) Successful in 38s
Multi-Node Blockchain Health Monitoring / health-check (push) Successful in 2s
P2P Network Verification / p2p-verification (push) Successful in 2s
Production Tests / Production Integration Tests (push) Failing after 6s
Python Tests / test-python (push) Successful in 8s
Security Scanning / security-scan (push) Failing after 9s
- scripts/utils/keystore.py: use PBKDF2 with 100,000 iterations
- cli/keystore_auth.py: use PBKDF2 with 100,000 iterations
- cli/aitbc_cli.py: use PBKDF2 with 100,000 iterations
- apps/agent-coordinator/scripts/agent_daemon.py: use PBKDF2 with 100,000 iterations

Fixes 4/25 CodeQL alerts related to weak cryptographic hashing.

Note: cli/utils/__init__.py already uses Argon2 which is more secure.
@@ -77,8 +77,8 @@ def decrypt_private_key(keystore_path: Path, password: str) -> str:
|
||||
# Fallback for older format
|
||||
salt = bytes.fromhex(kdfparams.get('salt', ''))
|
||||
|
||||
# Simple KDF: hash(password + salt) - matches scripts/utils/keystore.py
|
||||
dk = hashlib.sha256(password.encode() + salt).digest()
|
||||
# Use PBKDF2 for secure key derivation (100,000 iterations for security)
|
||||
dk = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 100000, dklen=32)
|
||||
fernet_key = base64.urlsafe_b64encode(dk)
|
||||
|
||||
f = Fernet(fernet_key)
|
||||
|
||||
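Review bot: the PBKDF2 call sits under the "# Fallback for older format" comment in `decrypt_private_key`, which is the branch that reads keystores written with `hashlib.sha256(password.encode() + salt).digest()`, so after this change those files derive a different Fernet key and will no longer decrypt. Keep the legacy derivation available for reading only and select it from a KDF name stored in `kdfparams` (or try PBKDF2 first, fall back to the legacy derivation, and re-encrypt on success), so existing keys stay recoverable while new ones use PBKDF2. The iteration count should also be read from `kdfparams` rather than hard-coded as `100000`, otherwise it cannot be raised later without repeating this break. Separately, `kdfparams.get('salt', '')` silently produces an empty salt when the field is missing; raising an error there would be safer than deriving a key with no salt.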
@@ -17,11 +17,12 @@ from cryptography.fernet import Fernet
|
||||
|
||||
|
||||
def derive_key(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
|
||||
"""Derive a 32-byte key from the password using SHA-256."""
|
||||
"""Derive a 32-byte key from the password using PBKDF2-HMAC-SHA256."""
|
||||
if not salt:
|
||||
import secrets
|
||||
salt = secrets.token_bytes(16)
|
||||
dk = hashlib.sha256(password.encode() + salt).digest()
|
||||
# Use PBKDF2 for secure key derivation (100,000 iterations for security)
|
||||
dk = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 100000, dklen=32)
|
||||
return base64.urlsafe_b64encode(dk), salt
|
||||
|
||||
|
||||
|
||||
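Review bot: `derive_key` hard-codes the iteration count as the literal `100000` and returns only the key and salt, so callers have no way to persist the cost parameter with the keystore and the same literal has to be kept in sync across the four files named in the commit message. Define one shared constant (or one shared helper) and return or store the iteration count next to the salt. Callers that pass a salt saved by the previous SHA-256 version will now get a different key for the same password, so this needs a migration path or a version marker on the stored data. Two smaller points: `import secrets` belongs at module level rather than inside the `if not salt:` branch, and since the commit message notes that `cli/utils/__init__.py` already uses Argon2, reusing that helper here would avoid maintaining two KDF implementations.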