feat: encrypt log files

Author: MrCyjaneK

.github/workflows/automated_integration_test.yml

@@ -32,7 +32,7 @@ jobs:
 
     steps:
       - name: Fix github actions messing up $HOME...
-        run: 'echo HOME=/root | sudo tee -a $GITHUB_ENV'
+        run: "echo HOME=/root | sudo tee -a $GITHUB_ENV"
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
@@ -134,6 +134,8 @@ jobs:
           echo "const polygonScanApiKey = '${{ secrets.POLYGON_SCAN_API_KEY }}';" >> cw_evm/lib/.secrets.g.dart
           echo "const ankrApiKey = '${{ secrets.ANKR_API_KEY }}';" >> cw_solana/lib/.secrets.g.dart
           echo "const chainStackApiKey = '${{ secrets.CHAIN_STACK_API_KEY }}';" >> cw_solana/lib/.secrets.g.dart
+          echo "const logPassword = '${{ secrets.LOG_PASSWORD }}';" >> cw_core/lib/.secrets.g.dart
+          echo "const logSalt = '${{ secrets.LOG_SALT }}';" >> cw_core/lib/.secrets.g.dart
           echo "const testCakePayApiKey = '${{ secrets.TEST_CAKE_PAY_API_KEY }}';" >> lib/.secrets.g.dart
           echo "const cakePayApiKey = '${{ secrets.CAKE_PAY_API_KEY }}';" >> lib/.secrets.g.dart
           echo "const authorization = '${{ secrets.CAKE_PAY_AUTHORIZATION }}';" >> lib/.secrets.g.dart
@@ -232,7 +234,7 @@ jobs:
             wget https://github.com/MrCyjaneK/monero_c/releases/download/v0.18.4.0-RC9/release-bundle.zip
             unzip release-bundle.zip
             rm release-bundle.zip
-            unxz -fv release/*/*.xz 
+            unxz -fv release/*/*.xz
           popd
 
       - name: Build Bitbox Flutter
@@ -324,10 +326,10 @@ jobs:
         with:
           path: ${{ github.workspace }}/build/app/outputs/flutter-apk
           name: "android apk"
-      
+
       - name: 16KB align
         run: |
           cd build/app/outputs/flutter-apk
           for i in arm64-v8a x86_64; do
             ../../../../scripts/android/check_16kb_align.sh app-$i-release.apk
-          done
+          done

.github/workflows/pr_test_build_android.yml

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Fix github actions messing up $HOME...
-        run: 'echo HOME=/root | sudo tee -a $GITHUB_ENV'
+        run: "echo HOME=/root | sudo tee -a $GITHUB_ENV"
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
@@ -127,6 +127,8 @@ jobs:
           echo "const polygonScanApiKey = '${{ secrets.POLYGON_SCAN_API_KEY }}';" >> cw_evm/lib/.secrets.g.dart
           echo "const ankrApiKey = '${{ secrets.ANKR_API_KEY }}';" >> cw_solana/lib/.secrets.g.dart
           echo "const chainStackApiKey = '${{ secrets.CHAIN_STACK_API_KEY }}';" >> cw_solana/lib/.secrets.g.dart
+          echo "const logPassword = '${{ secrets.LOG_PASSWORD }}';" >> cw_core/lib/.secrets.g.dart
+          echo "const logSalt = '${{ secrets.LOG_SALT }}';" >> cw_core/lib/.secrets.g.dart
           echo "const testCakePayApiKey = '${{ secrets.TEST_CAKE_PAY_API_KEY }}';" >> lib/.secrets.g.dart
           echo "const cakePayApiKey = '${{ secrets.CAKE_PAY_API_KEY }}';" >> lib/.secrets.g.dart
           echo "const authorization = '${{ secrets.CAKE_PAY_AUTHORIZATION }}';" >> lib/.secrets.g.dart
@@ -216,7 +218,7 @@ jobs:
             wget https://github.com/MrCyjaneK/monero_c/releases/download/v0.18.4.0-RC9/release-bundle.zip
             unzip release-bundle.zip
             rm release-bundle.zip
-            unxz -fv release/*/*.xz 
+            unxz -fv release/*/*.xz
           popd
 
       - name: Build Bitbox Flutter
@@ -266,11 +268,11 @@ jobs:
       - name: Prepare virtual desktop
         if: ${{ contains(env.message, 'run tests') }}
         run: |
-            nohup Xvfb :99 -screen 0 720x1280x16 &
-            echo DISPLAY=:99 | sudo tee -a $GITHUB_ENV
-            dbus-daemon --system --fork
-            nohup NetworkManager &
-            nohup ffmpeg -framerate 60 -video_size 720x1280 -f x11grab -i :99 -c:v libx264 -c:a aac /opt/screen_grab.mkv &
+          nohup Xvfb :99 -screen 0 720x1280x16 &
+          echo DISPLAY=:99 | sudo tee -a $GITHUB_ENV
+          dbus-daemon --system --fork
+          nohup NetworkManager &
+          nohup ffmpeg -framerate 60 -video_size 720x1280 -f x11grab -i :99 -c:v libx264 -c:a aac /opt/screen_grab.mkv &
 
       # Note for people adding tests:
       # - Tests are ran on Linux, with some things being mocked out.

.github/workflows/pr_test_build_linux.yml

@@ -706,6 +706,14 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "5.4.5"
+  mutex:
+    dependency: transitive
+    description:
+      name: mutex
+      sha256: "8827da25de792088eb33e572115a5eb0d61d61a3c01acbc8bcbe76ed78f1a1f2"
+      url: "https://pub.dev"
+    source: hosted
+    version: "3.1.0"
   nested:
     dependency: transitive
     description:

cw_bitcoin/pubspec.lock

@@ -0,0 +1,86 @@
+import 'dart:convert';
+import 'dart:io';
+import 'package:cryptography/cryptography.dart';
+import 'package:mutex/mutex.dart';
+import 'package:cw_core/.secrets.g.dart' as secrets;
+
+final logMutex = Mutex();
+final password = secrets.logPassword.isEmpty ? ':)' : secrets.logPassword;
+final salt = secrets.logSalt.isEmpty ? '(:' : secrets.logSalt;
+
+class EncryptionLogUtil {
+  static final _algorithm = AesGcm.with256bits();
+  static SecretKey? cachedKey = null;
+  static Future<SecretKey> _deriveKey() async {
+    if (cachedKey != null) {
+      return cachedKey!;
+    }
+    final pbkdf2 = Pbkdf2(
+      macAlgorithm: Hmac.sha256(),
+      iterations: 120000, // OWASP recommendation: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
+      bits: 256,
+    );
+    final key = await pbkdf2.deriveKey(
+      secretKey: SecretKey(utf8.encode(password)),
+      nonce: utf8.encode(salt),
+    );
+    cachedKey = key;
+    return key;
+  }
+
+  static Future<void> write({required String path, required String data}) async {
+    await logMutex.acquire();
+    try {
+      final key = await _deriveKey();
+      final secretKey = await _algorithm.newSecretKey();
+      final iv = await secretKey.extractBytes();
+      
+      final nonce = iv.sublist(0, 12);
+
+      final secretBox = await _algorithm.encrypt(
+        utf8.encode(data),
+        secretKey: key,
+        nonce: nonce,
+      );
+
+      final line = base64.encode([...nonce, ...secretBox.cipherText, ...secretBox.mac.bytes]);
+      File(path).writeAsStringSync("$line\n", mode: FileMode.append);
+    } finally {
+      logMutex.release();
+    }
+  }
+
+  static Future<String> read({required String path}) async {
+    await logMutex.acquire();
+    try {
+      final key = await _deriveKey();
+      final file = File(path);
+      final lines = file.readAsLinesSync();
+      final sb = StringBuffer();
+
+      for (final line in lines) {
+        try {
+          final bytes = base64.decode(line);
+          final nonce = bytes.sublist(0, 12);
+          final cipherText = bytes.sublist(12, bytes.length - 16);
+          final macBytes = bytes.sublist(bytes.length - 16);
+
+          final secretBox = SecretBox(
+            cipherText,
+            nonce: nonce,
+            mac: Mac(macBytes),
+          );
+
+          final decrypted = await _algorithm.decrypt(secretBox, secretKey: key);
+          sb.write(utf8.decode(decrypted));
+        } catch (_) {
+          sb.writeln(line);
+        }
+      }
+
+      return sb.toString();
+    } finally {
+      logMutex.release();
+    }
+  }
+}

cw_core/lib/encryption_log_utils.dart

@@ -1,5 +1,7 @@
+import 'dart:async';
 import 'dart:io';
 import 'dart:math';
+import 'package:cw_core/encryption_log_utils.dart';
 import 'package:flutter/foundation.dart';
 
 enum LogLevel { info, debug, warn, error }
@@ -21,7 +23,10 @@ void printV(
     if (!logFile.existsSync()) {
       logFile.createSync(recursive: true);
     }
-    logFile.writeAsStringSync("$logLine\n", mode: FileMode.append, flush: true);
+    unawaited(EncryptionLogUtil.write(
+      path: logFile.path,
+      data: "$logLine\n",
+    ));
   }
 }
 

cw_core/lib/utils/print_verbose.dart

@@ -466,6 +466,14 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "2.7.1"
+  mutex:
+    dependency: "direct main"
+    description:
+      name: mutex
+      sha256: "8827da25de792088eb33e572115a5eb0d61d61a3c01acbc8bcbe76ed78f1a1f2"
+      url: "https://pub.dev"
+    source: hosted
+    version: "3.1.0"
   nested:
     dependency: transitive
     description:

cw_core/pubspec.lock

@@ -44,6 +44,7 @@ dependencies:
     git:
       url: https://github.com/cake-tech/blockchain_utils
       ref: cake-update-v2
+  mutex: ^3.1.0
 
 dev_dependencies:
   flutter_test:

cw_core/pubspec.yaml

@@ -489,6 +489,14 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "2.7.0"
+  mutex:
+    dependency: transitive
+    description:
+      name: mutex
+      sha256: "8827da25de792088eb33e572115a5eb0d61d61a3c01acbc8bcbe76ed78f1a1f2"
+      url: "https://pub.dev"
+    source: hosted
+    version: "3.1.0"
   nested:
     dependency: transitive
     description:

cw_decred/pubspec.lock

@@ -534,6 +534,14 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "2.7.1"
+  mutex:
+    dependency: transitive
+    description:
+      name: mutex
+      sha256: "8827da25de792088eb33e572115a5eb0d61d61a3c01acbc8bcbe76ed78f1a1f2"
+      url: "https://pub.dev"
+    source: hosted
+    version: "3.1.0"
   nanodart:
     dependency: transitive
     description: