fix: xsalsa20 decryptsimmetric (#15000)

cosmos · Feb 13, 2023 · cee91a5 · cee91a5
1 parent a90569c
commit cee91a5
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 5 deletions.
diff --git a/crypto/armor.go b/crypto/armor.go
@@ -200,7 +200,7 @@ func decryptPrivKey(saltBytes []byte, encBytes []byte, passphrase string) (privK
 	key = crypto.Sha256(key) // Get 32 bytes
 
 	privKeyBytes, err := xsalsa20symmetric.DecryptSymmetric(encBytes, key)
-	if err != nil && err.Error() == "Ciphertext decryption failed" {
+	if err != nil && err == xsalsa20symmetric.ErrCiphertextDecrypt {
 		return privKey, sdkerrors.ErrWrongPassword
 	} else if err != nil {
 		return privKey, err

diff --git a/crypto/keyring/keyring_test.go b/crypto/keyring/keyring_test.go
@@ -23,6 +23,7 @@ import (
 	"github.com/cosmos/cosmos-sdk/crypto/keys/secp256k1"
 	"github.com/cosmos/cosmos-sdk/crypto/types"
 	sdk "github.com/cosmos/cosmos-sdk/types"
+	sdkerrors "github.com/cosmos/cosmos-sdk/types/errors"
 	"github.com/cosmos/cosmos-sdk/types/tx/signing"
 )
 
@@ -436,7 +437,7 @@ func TestKeyringKeybaseExportImportPrivKey(t *testing.T) {
 
 	// try import the key - wrong password
 	err = kb.ImportPrivKey("john2", keystr, "bad pass")
-	require.Equal(t, "failed to decrypt private key: ciphertext decryption failed", err.Error())
+	require.True(t, errors.Is(err, sdkerrors.ErrWrongPassword))
 
 	// try import the key with the correct password
 	require.NoError(t, kb.ImportPrivKey("john2", keystr, "somepassword"))
@@ -1248,7 +1249,7 @@ func TestAltKeyring_ImportExportPrivKey(t *testing.T) {
 	newUID := otherID
 	// Should fail importing with wrong password
 	err = kr.ImportPrivKey(newUID, armor, "wrongPass")
-	require.EqualError(t, err, "failed to decrypt private key: ciphertext decryption failed")
+	require.True(t, errors.Is(err, sdkerrors.ErrWrongPassword))
 
 	err = kr.ImportPrivKey(newUID, armor, passphrase)
 	require.NoError(t, err)
@@ -1278,7 +1279,7 @@ func TestAltKeyring_ImportExportPrivKey_ByAddress(t *testing.T) {
 	newUID := otherID
 	// Should fail importing with wrong password
 	err = kr.ImportPrivKey(newUID, armor, "wrongPass")
-	require.EqualError(t, err, "failed to decrypt private key: ciphertext decryption failed")
+	require.True(t, errors.Is(err, sdkerrors.ErrWrongPassword))
 
 	err = kr.ImportPrivKey(newUID, armor, passphrase)
 	require.NoError(t, err)

diff --git a/crypto/xsalsa20symmetric/symmetric.go b/crypto/xsalsa20symmetric/symmetric.go
@@ -15,6 +15,8 @@ const (
 	secretLen = 32
 )
 
+var ErrCiphertextDecrypt = errors.New("ciphertext decryption failed")
+
 // secret must be 32 bytes long. Use something like Sha256(Bcrypt(passphrase))
 // The ciphertext is (secretbox.Overhead + 24) bytes longer than the plaintext.
 func EncryptSymmetric(plaintext []byte, secret []byte) (ciphertext []byte) {
@@ -49,7 +51,7 @@ func DecryptSymmetric(ciphertext []byte, secret []byte) (plaintext []byte, err e
 	plaintext = make([]byte, len(ciphertext)-nonceLen-secretbox.Overhead)
 	_, ok := secretbox.Open(plaintext[:0], ciphertext[nonceLen:], &nonceArr, &secretArr)
 	if !ok {
-		return nil, errors.New("ciphertext decryption failed")
+		return nil, ErrCiphertextDecrypt
 	}
 	return plaintext, nil
 }