refactor(ch-app): Remove openssl as cryptographical random number gen…

…erator
ids-basecamp · Aug 16, 2023 · a61ba68 · a61ba68
1 parent a2dd150
commit a61ba68
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 5 deletions.
diff --git a/clearing-house-app/Cargo.lock b/clearing-house-app/Cargo.lock
diff --git a/clearing-house-app/logging-service/Cargo.toml b/clearing-house-app/logging-service/Cargo.toml
@@ -27,7 +27,8 @@ aes-gcm-siv = "0.11.1"
 hkdf = "0.12.3"
 sha2 = "0.10.7"
 generic-array = "0.14.7"
-openssl = "0.10.56"
 config = { version = "0.13.3", default-features = false, features = ["toml"] }
 tracing = "0.1.37"
 tracing-subscriber = { version = "0.3.17", features = ["env-filter"] }
+rand = "0.8.5"
+once_cell = "1.18.0"
diff --git a/clearing-house-app/logging-service/src/crypto.rs b/clearing-house-app/logging-service/src/crypto.rs
@@ -3,12 +3,14 @@ use aes_gcm_siv::aead::Aead;
 use core_lib::model::crypto::{KeyEntry, KeyMap};
 use generic_array::GenericArray;
 use hkdf::Hkdf;
-use openssl::rand::rand_bytes;
 use sha2::Sha256;
 use std::collections::HashMap;
+use std::sync::Mutex;
 use anyhow::anyhow;
+use once_cell::sync::Lazy;
 use crate::model::doc_type::DocumentType;
 use crate::model::crypto::MasterKey;
+use rand::{RngCore, SeedableRng};
 
 const EXP_KEY_SIZE: usize = 32;
 const EXP_NONCE_SIZE: usize = 12;
@@ -21,9 +23,20 @@ fn initialize_kdf() -> (String, Hkdf<Sha256>) {
     (hex::encode_upper(master_key), kdf)
 }
 
+/// Generates a random seed with 256 bytes.
 pub fn generate_random_seed() -> Vec<u8>{
+    // Init crypto RNG once lazy
+    static RNG: Lazy<Mutex<rand::rngs::StdRng>> = Lazy::new(|| Mutex::new(rand::rngs::StdRng::from_entropy()));
+    // Create a buffer to fill with random bytes
     let mut buf = [0u8; 256];
-    rand_bytes(&mut buf).unwrap(); // TODO: Replace with some other cryptographically secure random number generator
+
+    // Fill buffer with random bytes in a block, so the mutex is locked for a short time.
+    {
+        RNG.lock()
+            .expect("This mutex locking is fine, because it will be release immediately after use and this is the only place of usage ")
+            .fill_bytes(&mut buf);
+    }
+
     buf.to_vec()
 }
 
@@ -158,4 +171,18 @@ pub fn decrypt_secret(key: &[u8], nonce: &[u8], ct: &[u8]) -> anyhow::Result<Str
             Err(anyhow!("Error while decrypting: {}", e))
         }
     }
+}
+
+#[cfg(test)]
+mod test {
+    #[test]
+    fn test_generate_random_seed() {
+        for _ in 1..100 {
+            let seed = super::generate_random_seed();
+            // Check length of seed
+            assert_eq!(256, seed.len());
+            // Check that the seed is not all zeros
+            assert_ne!(0, seed.iter().map(|b| *b as usize).sum::<usize>());
+        }
+    }
 }
diff --git a/clearing-house-app/logging-service/src/main.rs b/clearing-house-app/logging-service/src/main.rs
@@ -6,7 +6,6 @@ extern crate tracing;
 use std::path::Path;
 use core_lib::util::{add_service_config};
 use rocket::fairing::AdHoc;
-use tracing::subscriber;
 use core_lib::constants::ENV_LOGGING_SERVICE_ID;
 use db::config::doc_store::DatastoreConfigurator;
 use db::config::keyring_store::KeyringDbConfigurator;