Use Argon2 for encrypted vaults

background/package.json

@@ -49,7 +49,9 @@
     "@walletconnect/utils": "^2.1.4",
     "ajv": "^8.6.2",
     "ajv-formats": "^2.1.0",
+    "argon2-browser": "^1.18.0",
     "assert": "^2.0.0",
+    "base64-loader": "^1.0.0",
     "bnc-sdk": "^3.4.1",
     "dayjs": "^1.10.7",
     "dexie": "^3.0.3",
@@ -64,6 +66,7 @@
   },
   "devDependencies": {
     "@reduxjs/toolkit": "^1.6.1",
+    "@types/argon2-browser": "^1.18.1",
     "@types/sinon": "^10.0.12",
     "@types/uuid": "^8.3.4",
     "@types/webextension-polyfill": "^0.8.0",

background/services/internal-signer/encryption.ts

@@ -1,3 +1,4 @@
+import argon2 from "argon2-browser"
 /**
  * An encrypted vault which can be safely serialized and stored.
  */
@@ -64,7 +65,7 @@ function requireCryptoGlobal(message?: string) {
  *          material using AES GCM mode, as well as the salt required to derive
  *          the key again later.
  */
-export async function deriveSymmetricKeyFromPassword(
+export async function depricatedDeriveSymmetricKeyFromPassword(
   password: string,
   existingSalt?: string
 ): Promise<SaltedKey> {
@@ -101,6 +102,34 @@ export async function deriveSymmetricKeyFromPassword(
   }
 }
 
+export async function deriveSymmetricKeyFromPassword(
+  password: string,
+  existingSalt?: string
+): Promise<SaltedKey> {
+  const { crypto } = global
+
+  const salt = existingSalt || (await generateSalt())
+
+  // Argon2 returns hash which is 24 bytes long, we need 16 bytes for AES-GCM
+  const { hash } = await argon2.hash({
+    pass: password,
+    salt,
+  })
+
+  const key = await crypto.subtle.importKey(
+    "raw",
+    hash.slice(0, 16),
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt", "decrypt"]
+  )
+
+  return {
+    key,
+    salt,
+  }
+}
+
 /**
  * Encrypt a JSON-serializable object with a supplied password using AES GCM
  * mode.

manifest/manifest.development.json

@@ -1,5 +1,5 @@
 {
-  "content_security_policy": "object-src 'self'; script-src 'self' http://localhost:*;",
+  "content_security_policy": "object-src 'self'; script-src 'self' 'wasm-eval' http://localhost:*;",
   "background": {
     "scripts": ["dev-utils/extension-reload.js"]
   }

manifest/manifest.json

@@ -5,7 +5,7 @@
   "homepage_url": "https://taho.xyz",
   "author": "https://taho.xyz",
   "manifest_version": 2,
-  "content_security_policy": "object-src 'self'; script-src 'self';",
+  "content_security_policy": "object-src 'self'; script-src 'self' 'wasm-eval';",
   "web_accessible_resources": ["*.js", "*.json"],
   "content_scripts": [
     {

webpack.config.ts

@@ -31,7 +31,13 @@ const baseConfig: Configuration = {
     "provider-bridge": "./src/provider-bridge.ts",
   },
   module: {
+    noParse: /\.wasm$/,
     rules: [
+      {
+        test: /\.wasm$/,
+        loader: "base64-loader",
+        type: "javascript/auto",
+      },
       {
         test: /\.(tsx|ts|jsx)?$/,
         exclude: /node_modules(?!\/@tallyho)|webpack/,
@@ -53,6 +59,8 @@ const baseConfig: Configuration = {
   resolve: {
     extensions: [".tsx", ".ts", ".js", ".jsx"],
     fallback: {
+      fs: false,
+      path: false,
       stream: require.resolve("stream-browserify"),
       process: require.resolve("process/browser"),
       // these are required for @tallyho/keyring-controller

yarn.lock

@@ -3396,6 +3396,11 @@
   dependencies:
     "@types/glob" "*"
 
+"@types/argon2-browser@^1.18.1":
+  version "1.18.1"
+  resolved "https://registry.yarnpkg.com/@types/argon2-browser/-/argon2-browser-1.18.1.tgz#39bc2bf2fbe86d4854005730ace3b8015758adfb"
+  integrity sha512-PZffP/CqH9m2kovDSRQMfMMxUC3V98I7i7/caa0RB0/nvsXzYbL9bKyqZpNMFmLFGZslROlG1R60ONt7abrwlA==
+
 "@types/aria-query@^4.2.0":
   version "4.2.2"
   resolved "https://registry.yarnpkg.com/@types/aria-query/-/aria-query-4.2.2.tgz#ed4e0ad92306a704f9fb132a0cfcf77486dbe2bc"
@@ -4908,6 +4913,11 @@ arg@^4.1.0:
   resolved "https://registry.yarnpkg.com/arg/-/arg-4.1.3.tgz#269fc7ad5b8e42cb63c896d5666017261c144089"
   integrity sha512-58S9QDqG0Xx27YwPSt9fJxivjYl432YCwfDMfZ+71RAqUrZef7LrKQZ3LHLOwCS4FLNBplP533Zx895SeOCHvA==
 
+argon2-browser@^1.18.0:
+  version "1.18.0"
+  resolved "https://registry.yarnpkg.com/argon2-browser/-/argon2-browser-1.18.0.tgz#f35820211e0a431aed7f82b9348477234be69bec"
+  integrity sha512-ImVAGIItnFnvET1exhsQB7apRztcoC5TnlSqernMJDUjbc/DLq3UEYeXFrLPrlaIl8cVfwnXb6wX2KpFf2zxHw==
+
 argparse@^1.0.7:
   version "1.0.10"
   resolved "https://registry.yarnpkg.com/argparse/-/argparse-1.0.10.tgz#bcd6791ea5ae09725e17e5ad988134cd40b3d911"
@@ -5286,6 +5296,11 @@ base64-js@^1.3.1:
   resolved "https://registry.yarnpkg.com/base64-js/-/base64-js-1.5.1.tgz#1b1b440160a5bf7ad40b650f095963481903930a"
   integrity sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==
 
+base64-loader@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/base64-loader/-/base64-loader-1.0.0.tgz#e530bad88e906dd2a1fad0af2d9e683fa8bd92a8"
+  integrity sha512-p32+F8dg+ANGx7s8QsZS74ZPHfIycmC2yZcoerzFgbersIYWitPbbF39G6SBx3gyvzyLH5nt1ooocxr0IHuWKA==
+
 base64id@1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/base64id/-/base64id-1.0.0.tgz#47688cb99bb6804f0e06d3e763b1c32e57d8e6b6"