Merge pull request #395 from bsv-blockchain/feature/decrypt-validation

ty-everett · web-flow · commit ad7e5e3ef739 · 2025-12-01T13:39:50.000-08:00
Feature/decrypt validation
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@ All notable changes to this project will be documented in this file. The format
 ## Table of Contents
 
 - [Unreleased](#unreleased)
+- [1.9.12 - 2025-12-01](#1912---2025-12-01)
 - [1.9.11 - 2025-11-24](#1911---2025-11-24)
 - [1.9.10 - 2025-11-17](#1910---2025-11-17)
 - [1.9.9 - 2025-11-15](#199---2025-11-15)
@@ -182,6 +183,13 @@ All notable changes to this project will be documented in this file. The format
 
 ### Security
 
+---
+### [1.9.12] - 2025-12-01
+
+### Added
+
+- Added decryption validation to SymmetricKey.
+
 ---
 ### [1.9.11] - 2025-11-24
 
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@bsv/sdk",
-  "version": "1.9.11",
+  "version": "1.9.12",
   "type": "module",
   "description": "BSV Blockchain Software Development Kit",
   "main": "dist/cjs/mod.js",
diff --git a/src/primitives/SymmetricKey.ts b/src/primitives/SymmetricKey.ts
@@ -44,12 +44,7 @@ export default class SymmetricKey extends BigNumber {
     const iv = Random(32)
     msg = toArray(msg, enc)
     const keyBytes = this.toArray('be', 32)
-    const { result, authenticationTag } = AESGCM(
-      msg,
-      [],
-      iv,
-      keyBytes
-    )
+    const { result, authenticationTag } = AESGCM(msg, [], iv, keyBytes)
     const totalLength = iv.length + result.length + authenticationTag.length
     const combined = new Array(totalLength)
     let offset = 0
@@ -79,10 +74,23 @@ export default class SymmetricKey extends BigNumber {
    */
   decrypt (msg: number[] | string, enc?: 'hex' | 'utf8'): string | number[] {
     msg = toArray(msg, enc)
-    const iv = msg.slice(0, 32)
-    const tagStart = msg.length - 16
-    const ciphertext = msg.slice(32, tagStart)
+
+    const ivLength = 32
+    const tagLength = 16
+
+    if (msg.length < ivLength + tagLength) {
+      throw new Error('Ciphertext too short')
+    }
+
+    const iv = msg.slice(0, ivLength)
+    const tagStart = msg.length - tagLength
+    const ciphertext = msg.slice(ivLength, tagStart)
     const messageTag = msg.slice(tagStart)
+
+    if (tagStart < ivLength) {
+      throw new Error('Malformed ciphertext')
+    }
+
     const result = AESGCMDecrypt(
       ciphertext,
       [],
diff --git a/src/primitives/__tests/SymmetricKey.test.ts b/src/primitives/__tests/SymmetricKey.test.ts
@@ -102,5 +102,27 @@ describe('SymmetricKey', () => {
 
       expect(decrypted).toBe(plaintext)
     })
+    
+    it('throws "Ciphertext too short" for inputs shorter than IV + tag', () => {
+      const shortCipherArray = new Array(47).fill(0)
+      expect(() => {
+        KEYS[0].decrypt(shortCipherArray)
+      }).toThrow(new Error('Ciphertext too short'))
+    })
+
+    it('throws "Ciphertext too short" for hex-encoded inputs shorter than IV + tag', () => {
+      const shortBuffer = Buffer.alloc(47, 0)
+      const shortHex = shortBuffer.toString('hex')
+
+      expect(() => {
+        KEYS[0].decrypt(shortHex, 'hex')
+      }).toThrow(new Error('Ciphertext too short'))
+    })
+
+    it('still throws "Decryption failed!" for structurally valid but wrong ciphertext', () => {
+      expect(() => {
+        KEYS[2].decrypt(CIPHERTEXT_1, 'hex')
+      }).toThrow(new Error('Decryption failed!'))
+    })
   })
 })

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@bsv/sdk",`
`3`		`- "version": "1.9.11",`
	`3`	`+ "version": "1.9.12",`
`4`	`4`	`"type": "module",`
`5`	`5`	`"description": "BSV Blockchain Software Development Kit",`
`6`	`6`	`"main": "dist/cjs/mod.js",`