react-native-secreton 2.3.0 → 2.3.1

package/README.md

@@ -46,7 +46,7 @@ $ react-native link react-native-secreton
 
 ### Using Consul
 ```bash
-export ENV_SECRET_KEY=my-secret
+export ENV_SECRET_KEY=secret-key-32-bytes
 export FETCH_ENV=consul
 export CONSUL_ADDR=http://consul.mycompany.com:8500
 export CONSUL_PATH=mobile/myapp
@@ -57,7 +57,7 @@ rn-secreton-cli .env
 
 ### Using Vault
 ```bash
-export ENV_SECRET_KEY=my-secret
+export ENV_SECRET_KEY=secret-key-32-bytes
 export FETCH_ENV=vault
 export VAULT_ADDR=http://vault.mycompany.com:8200
 export VAULT_PATH=secret/data/mobile/myapp

package/android/build.gradle

@@ -18,9 +18,10 @@ buildscript {
 
 apply plugin: "com.android.library"
 apply plugin: "kotlin-android"
-
 apply plugin: "com.facebook.react"
 
+apply from: "secreton.gradle"
+
 def getExtOrIntegerDefault(name) {
   return rootProject.ext.has(name) ? rootProject.ext.get(name) : (project.properties["Secreton_" + name]).toInteger()
 }
@@ -33,6 +34,7 @@ android {
   defaultConfig {
     minSdkVersion getExtOrIntegerDefault("minSdkVersion")
     targetSdkVersion getExtOrIntegerDefault("targetSdkVersion")
+    buildConfigField "String", "ENV_SECRET_KEY", "\"${getSecretKeyFromEnv(project)}\""
   }
 
   buildFeatures {

package/android/secreton.gradle

@@ -38,18 +38,30 @@ ext.loadEnvFile = { File file ->
     return map
 }
 
+ext.getEnvFile = { appProject ->
+    def androidDir = appProject.rootProject.projectDir
+    def workspaceRoot = findWorkspaceRoot(androidDir)
+
+    def envFileName = appProject.findProperty("ENVFILE") ?: System.getenv("ENVFILE") ?: ".env"
+    def envFile = new File(workspaceRoot, envFileName)
+
+    return envFile
+}
+
+ext.getSecretKeyFromEnv = { appProject ->
+    def envFile = getEnvFile(appProject)
+    def envMap = loadEnvFile(envFile)
+    
+    return envMap["ENV_SECRET_KEY"] ?: ""
+}
+
 ext.ensureLocalEnv = { appProject ->
     if (appProject.ext.has("localEnv")) return
 
     appProject.ext.localEnv = [:]
     appProject.ext.env = [:]
-
-    def androidDir = appProject.rootProject.projectDir
-    def workspaceRoot = findWorkspaceRoot(androidDir)
-    def rootDir = workspaceRoot
-
-    def envFileName = appProject.findProperty("ENVFILE") ?: System.getenv("ENVFILE") ?: ".env"
-    def envFile = new File(rootDir, envFileName)
+    
+    def envFile = getEnvFile(appProject)
 
     if (envFile.exists()) {
         appProject.ext.localEnv.putAll(loadEnvFile(envFile))
@@ -85,15 +97,8 @@ ext.decryptValue = { String encrypted, String secretKey ->
 
 ext.loadAndDecryptEnv = { appProject ->
     ensureLocalEnv(appProject)
-
-    def androidDir = appProject.rootProject.projectDir
-    def rootDir = findWorkspaceRoot(androidDir)
-
-    def envFileName =
-        appProject.findProperty("ENVFILE")
-        ?: System.getenv("ENVFILE")
-        ?: ".env"
-    def envFile = new File(rootDir, envFileName)
+    
+    def envFile = getEnvFile(appProject)
     if (!envFile.exists()) return
 
     def secretKey = getSecretKey(appProject)
@@ -102,7 +107,7 @@ ext.loadAndDecryptEnv = { appProject ->
     def envMap = loadEnvFile(envFile)
     envMap.each { k, v ->
         def value = v
-        if (v instanceof String && v.startsWith("secreton:")) {
+        if (v instanceof String && v.startsWith("Secreton:")) {
             value = decryptValue(v.substring(9), secretKey)
         }
         if (value == null) {

package/android/src/main/java/com/secreton/SecretonModule.kt

@@ -2,8 +2,8 @@ package com.secreton
 
 import com.facebook.react.bridge.ReactApplicationContext
 import com.facebook.react.module.annotations.ReactModule
-
 import android.util.Base64
+import java.security.SecureRandom
 import javax.crypto.Cipher
 import javax.crypto.SecretKeyFactory
 import javax.crypto.spec.IvParameterSpec
@@ -11,46 +11,87 @@ import javax.crypto.spec.PBEKeySpec
 import javax.crypto.spec.SecretKeySpec
 
 @ReactModule(name = SecretonModule.NAME)
-class SecretonModule(reactContext: ReactApplicationContext) :
-  NativeSecretonSpec(reactContext) {
+class SecretonModule(
+  reactContext: ReactApplicationContext
+) : NativeSecretonSpec(reactContext) {
 
   companion object {
     const val NAME = "Secreton"
+    private const val PREFIX = "$NAME:"
+    private const val ITERATIONS = 100_000
   }
 
-  override fun getName(): String {
-    return NAME
+  override fun getName() = NAME
+
+  override fun encrypt(value: String): String {
+    val encrypted = encryptOpenSSL(value, getSecretKey())
+    return PREFIX + encrypted
   }
 
-  override fun encrypt(value: String, key: String): String {
-    val salt = ByteArray(16)
-    val iv = ByteArray(16)
+  override fun decrypt(value: String): String {
+    if (!value.startsWith(PREFIX)) return value
+    return decryptOpenSSL(value.removePrefix(PREFIX), getSecretKey())
+  }
+
+  private fun getSecretKey(): String {
+    return BuildConfig.ENV_SECRET_KEY
+  }
+
+  private fun encryptOpenSSL(value: String, key: String): String {
+    val salt = ByteArray(8)
+    SecureRandom().nextBytes(salt)
 
     val factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
-    val spec = PBEKeySpec(key.toCharArray(), salt, 100000, 256)
-    val tmp = factory.generateSecret(spec)
-    val secretKey = SecretKeySpec(tmp.encoded, "AES")
+    val spec = PBEKeySpec(
+      key.toCharArray(),
+      salt,
+      ITERATIONS,
+      (32 + 16) * 8 // key + iv in bits
+    )
+
+    val keyIv = factory.generateSecret(spec).encoded
+    val aesKey = SecretKeySpec(keyIv.copyOfRange(0, 32), "AES")
+    val iv = IvParameterSpec(keyIv.copyOfRange(32, 48))
 
     val cipher = Cipher.getInstance("AES/CBC/PKCS7Padding")
-    cipher.init(Cipher.ENCRYPT_MODE, secretKey, IvParameterSpec(iv))
+    cipher.init(Cipher.ENCRYPT_MODE, aesKey, iv)
 
-    val encrypted = cipher.doFinal(value.toByteArray())
-    return Base64.encodeToString(encrypted, Base64.NO_WRAP)
+    val encrypted = cipher.doFinal(value.toByteArray(Charsets.UTF_8))
+
+    val output = ByteArray(16 + encrypted.size)
+    System.arraycopy("Salted__".toByteArray(), 0, output, 0, 8)
+    System.arraycopy(salt, 0, output, 8, 8)
+    System.arraycopy(encrypted, 0, output, 16, encrypted.size)
+
+    return Base64.encodeToString(output, Base64.NO_WRAP)
   }
 
-  override fun decrypt(encrypted: String, key: String): String {
-    val salt = ByteArray(16)
-    val iv = ByteArray(16)
+  private fun decryptOpenSSL(encrypted: String, key: String): String {
+    val decoded = Base64.decode(encrypted, Base64.NO_WRAP)
+
+    val magic = String(decoded.copyOfRange(0, 8))
+    if (magic != "Salted__") {
+      throw IllegalArgumentException("Invalid OpenSSL salt header")
+    }
+
+    val salt = decoded.copyOfRange(8, 16)
+    val cipherText = decoded.copyOfRange(16, decoded.size)
 
     val factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
-    val spec = PBEKeySpec(key.toCharArray(), salt, 100000, 256)
-    val tmp = factory.generateSecret(spec)
-    val secretKey = SecretKeySpec(tmp.encoded, "AES")
+    val spec = PBEKeySpec(
+      key.toCharArray(),
+      salt,
+      ITERATIONS,
+      (32 + 16) * 8
+    )
+
+    val keyIv = factory.generateSecret(spec).encoded
+    val aesKey = SecretKeySpec(keyIv.copyOfRange(0, 32), "AES")
+    val iv = IvParameterSpec(keyIv.copyOfRange(32, 48))
 
     val cipher = Cipher.getInstance("AES/CBC/PKCS7Padding")
-    cipher.init(Cipher.DECRYPT_MODE, secretKey, IvParameterSpec(iv))
+    cipher.init(Cipher.DECRYPT_MODE, aesKey, iv)
 
-    val decoded = Base64.decode(encrypted, Base64.NO_WRAP)
-    return String(cipher.doFinal(decoded))
+    return String(cipher.doFinal(cipherText), Charsets.UTF_8)
   }
 }

package/dist/NodeSecreton.js

@@ -64,7 +64,7 @@ export async function generateEnv(options) {
     }
     const newLines = entries
         .filter(({ key }) => !existingKeys.has(key))
-        .map(({ key, value }) => `${key}=secreton:${encrypt(value, secretKey)}`);
+        .map(({ key, value }) => `${key}=Secreton:${encrypt(value, secretKey)}`);
     if (newLines.length === 0) {
         console.log('ℹ️ [Node] Secreton no new env keys to add');
         return;

package/ios/Secreton.mm

@@ -4,6 +4,8 @@
 
 @implementation Secreton
 
+static NSString * const kPrefix = @"Secreton:";
+
 + (NSString *)moduleName
 {
   return @"Secreton";
@@ -11,14 +13,30 @@
 
 #pragma mark - TurboModule methods
 
-- (NSString *)encrypt:(NSString *)value key:(NSString *)key
+- (NSString *)encrypt:(NSString *)value
 {
-    return [self aes:kCCEncrypt value:value key:key];
+  NSString *key = [[NSBundle mainBundle] objectForInfoDictionaryKey:@"ENV_SECRET_KEY"];
+  if (!key || key.length == 0) {
+    return nil;
+  }
+
+  NSString *encrypted = [self aes:kCCEncrypt value:value key:key];
+  return [kPrefix stringByAppendingString:encrypted];
 }
 
-- (NSString *)decrypt:(NSString *)value key:(NSString *)key
+- (NSString *)decrypt:(NSString *)value
 {
-    return [self aes:kCCDecrypt value:value key:key];
+  if (![value hasPrefix:kPrefix]) {
+    return value;
+  }
+  
+  NSString *key = [[NSBundle mainBundle] objectForInfoDictionaryKey:@"ENV_SECRET_KEY"];
+  if (!key || key.length == 0) {
+    return nil;
+  }
+
+  NSString *raw = [value substringFromIndex:kPrefix.length];
+  return [self aes:kCCDecrypt value:raw key:key];
 }
 
 #pragma mark - AES core
@@ -27,13 +45,19 @@
             value:(NSString *)value
               key:(NSString *)key
 {
-  NSData *data = [value dataUsingEncoding:NSUTF8StringEncoding];
+  NSData *data = nil;
+
+  if (operation == kCCEncrypt) {
+    data = [value dataUsingEncoding:NSUTF8StringEncoding];
+  } else {
+    data = [[NSData alloc] initWithBase64EncodedString:value options:0];
+    if (!data) return nil;
+  }
 
-  // FIX: key 32 byte (AES-256)
+  // Key 32 byte (AES-256)
   NSMutableData *keyData = [NSMutableData dataWithLength:kCCKeySizeAES256];
   NSData *rawKey = [key dataUsingEncoding:NSUTF8StringEncoding];
-  NSUInteger copyLen = MIN(rawKey.length, kCCKeySizeAES256);
-  memcpy(keyData.mutableBytes, rawKey.bytes, copyLen);
+  memcpy(keyData.mutableBytes, rawKey.bytes, MIN(rawKey.length, kCCKeySizeAES256));
 
   size_t outLength = 0;
   NSMutableData *outData = [NSMutableData dataWithLength:data.length + kCCBlockSizeAES128];
@@ -44,7 +68,7 @@
     kCCOptionPKCS7Padding,
     keyData.bytes,
     kCCKeySizeAES256,
-    NULL, // IV = zero (compat Swift)
+    NULL, // IV zero
     data.bytes,
     data.length,
     outData.mutableBytes,

package/lib/module/NodeSecreton.js

@@ -71,7 +71,7 @@ export async function generateEnv(options) {
   }) => !existingKeys.has(key)).map(({
     key,
     value
-  }) => `${key}=secreton:${encrypt(value, secretKey)}`);
+  }) => `${key}=Secreton:${encrypt(value, secretKey)}`);
   if (newLines.length === 0) {
     console.log('ℹ️ [Node] Secreton no new env keys to add');
     return;

package/lib/module/index.js

@@ -1,10 +1,10 @@
 "use strict";
 
 import Secreton from "./NativeSecreton.js";
-export function encrypt(value, key) {
-  return Secreton.encrypt(value, key);
+export function encrypt(value) {
+  return Secreton.encrypt(value);
 }
-export function decrypt(encrypted, key) {
-  return Secreton.decrypt(encrypted, key);
+export function decrypt(encrypted) {
+  return Secreton.decrypt(encrypted);
 }
 //# sourceMappingURL=index.js.map

package/lib/module/index.js.map

@@ -1 +1 @@
-{"version":3,"names":["Secreton","encrypt","value","key","decrypt","encrypted"],"sourceRoot":"../../src","sources":["index.tsx"],"mappings":";;AAAA,OAAOA,QAAQ,MAAM,qBAAkB;AAEvC,OAAO,SAASC,OAAOA,CAACC,KAAa,EAAEC,GAAW,EAAU;EAC1D,OAAOH,QAAQ,CAACC,OAAO,CAACC,KAAK,EAAEC,GAAG,CAAC;AACrC;AAEA,OAAO,SAASC,OAAOA,CAACC,SAAiB,EAAEF,GAAW,EAAU;EAC9D,OAAOH,QAAQ,CAACI,OAAO,CAACC,SAAS,EAAEF,GAAG,CAAC;AACzC","ignoreList":[]}
+{"version":3,"names":["Secreton","encrypt","value","decrypt","encrypted"],"sourceRoot":"../../src","sources":["index.tsx"],"mappings":";;AAAA,OAAOA,QAAQ,MAAM,qBAAkB;AAEvC,OAAO,SAASC,OAAOA,CAACC,KAAa,EAAU;EAC7C,OAAOF,QAAQ,CAACC,OAAO,CAACC,KAAK,CAAC;AAChC;AAEA,OAAO,SAASC,OAAOA,CAACC,SAAiB,EAAU;EACjD,OAAOJ,QAAQ,CAACG,OAAO,CAACC,SAAS,CAAC;AACpC","ignoreList":[]}

package/lib/typescript/src/NativeSecreton.d.ts

@@ -1,7 +1,7 @@
 import { type TurboModule } from 'react-native';
 export interface Spec extends TurboModule {
-    encrypt(value: string, key: string): string;
-    decrypt(encrypted: string, key: string): string;
+    encrypt(value: string): string;
+    decrypt(encrypted: string): string;
 }
 declare const _default: Spec;
 export default _default;

package/lib/typescript/src/NativeSecreton.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"NativeSecreton.d.ts","sourceRoot":"","sources":["../../../src/NativeSecreton.ts"],"names":[],"mappings":"AAAA,OAAO,EAAuB,KAAK,WAAW,EAAE,MAAM,cAAc,CAAC;AAErE,MAAM,WAAW,IAAK,SAAQ,WAAW;IACvC,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC;IAC5C,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC;CACjD;;AAED,wBAAkE"}
+{"version":3,"file":"NativeSecreton.d.ts","sourceRoot":"","sources":["../../../src/NativeSecreton.ts"],"names":[],"mappings":"AAAA,OAAO,EAAuB,KAAK,WAAW,EAAE,MAAM,cAAc,CAAC;AAErE,MAAM,WAAW,IAAK,SAAQ,WAAW;IACvC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;IAC/B,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAAC;CACpC;;AAED,wBAAkE"}

package/lib/typescript/src/index.d.ts

@@ -1,3 +1,3 @@
-export declare function encrypt(value: string, key: string): string;
-export declare function decrypt(encrypted: string, key: string): string;
+export declare function encrypt(value: string): string;
+export declare function decrypt(encrypted: string): string;
 //# sourceMappingURL=index.d.ts.map

package/lib/typescript/src/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/index.tsx"],"names":[],"mappings":"AAEA,wBAAgB,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAE1D;AAED,wBAAgB,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAE9D"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/index.tsx"],"names":[],"mappings":"AAEA,wBAAgB,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE7C;AAED,wBAAgB,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAEjD"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "react-native-secreton",
-  "version": "2.3.0",
+  "version": "2.3.1",
   "description": "Config secret variables for React Native apps",
   "keywords": [
     "react-native",

package/src/NativeSecreton.ts

@@ -1,8 +1,8 @@
 import { TurboModuleRegistry, type TurboModule } from 'react-native';
 
 export interface Spec extends TurboModule {
-  encrypt(value: string, key: string): string;
-  decrypt(encrypted: string, key: string): string;
+  encrypt(value: string): string;
+  decrypt(encrypted: string): string;
 }
 
 export default TurboModuleRegistry.getEnforcing<Spec>('Secreton');

package/src/NodeSecreton.ts

@@ -118,7 +118,7 @@ export async function generateEnv(options: GenerateEnvOptions) {
 
   const newLines = entries
     .filter(({ key }) => !existingKeys.has(key))
-    .map(({ key, value }) => `${key}=secreton:${encrypt(value, secretKey)}`);
+    .map(({ key, value }) => `${key}=Secreton:${encrypt(value, secretKey)}`);
 
   if (newLines.length === 0) {
     console.log('ℹ️ [Node] Secreton no new env keys to add');

package/src/index.tsx

@@ -1,9 +1,9 @@
 import Secreton from './NativeSecreton';
 
-export function encrypt(value: string, key: string): string {
-  return Secreton.encrypt(value, key);
+export function encrypt(value: string): string {
+  return Secreton.encrypt(value);
 }
 
-export function decrypt(encrypted: string, key: string): string {
-  return Secreton.decrypt(encrypted, key);
+export function decrypt(encrypted: string): string {
+  return Secreton.decrypt(encrypted);
 }