diff --git a/README.md b/README.md
index c3be50b7..3d0747e7 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@
[](https://travis-ci.org/oblador/react-native-keychain) [](https://npmjs.com/package/react-native-keychain) [](https://npmjs.com/package/react-native-keychain)
-Keychain/Keystore Access for React Native.
+Keychain/Keystore Access for React Native.
## Installation
@@ -91,9 +91,9 @@ Inquire if the type of local authentication policy is supported on this device w
Get what type of hardware biometry support the device has. Resolves to a `Keychain.BIOMETRY_TYPE` value when supported, otherwise `null`.
> This method returns `null`, if the device haven't enrolled into fingerprint/FaceId. Even though it has hardware for it.
-### `getSecurityLevel()` (Android only)
+### `getSecurityLevel({ accessControl })` (Android only)
-Get security level that is supported on the current device with the current OS.
+Get security level that is supported on the current device with the current OS for the `accessControl` option.
### Security Levels (Android only)
@@ -107,11 +107,11 @@ If set, `securityLevel` parameter specifies minimum security level that the encr
| Key | Platform | Description | Default |
|---|---|---|---|
-|**`accessControl`**|iOS only|This dictates how a keychain item may be used, see possible values in `Keychain.ACCESS_CONTROL`. |*None*|
+|**`accessControl`**|All|This dictates how a keychain item may be used, see possible values in `Keychain.ACCESS_CONTROL`. |*None*|
|**`accessible`**|iOS only|This dictates when a keychain item is accessible, see possible values in `Keychain.ACCESSIBLE`. |*`Keychain.ACCESSIBLE.WHEN_UNLOCKED`*|
|**`accessGroup`**|iOS only|In which App Group to share the keychain. Requires additional setup with entitlements. |*None*|
|**`authenticationPrompt`**|iOS only|What to prompt the user when unlocking the keychain with biometry or device password. |`Authenticate to retrieve secret`|
-|**`authenticationType`**|iOS only|Policies specifying which forms of authentication are acceptable. |`Keychain.AUTHENTICATION_TYPE.DEVICE_PASSCODE_OR_BIOMETRICS`|
+|**`authenticationType`**|All|Policies specifying which forms of authentication are acceptable. |`Keychain.AUTHENTICATION_TYPE.DEVICE_PASSCODE_OR_BIOMETRICS`|
|**`service`**|All|Reverse domain name qualifier for the service associated with password. |*App bundle ID*|
#### `Keychain.ACCESS_CONTROL` enum
@@ -200,7 +200,7 @@ include ':app'
+ project(':react-native-keychain').projectDir = new File(rootProject.projectDir, '../node_modules/react-native-keychain/android')
```
-* Edit `android/app/build.gradle` (note: **app** folder) to look like this:
+* Edit `android/app/build.gradle` (note: **app** folder) to look like this:
```diff
apply plugin: 'com.android.application'
@@ -238,7 +238,7 @@ public class MainActivity extends extends ReactActivity {
...
}
```
-
+
#### Proguard Rules
On Android builds that use proguard (like release), you may see the following error:
@@ -298,7 +298,7 @@ Now your tests should run successfully, though note that writing and reading to
## Notes
-### Android
+### Android
The module will automatically use the appropriate CipherStorage implementation based on API level:
diff --git a/RNKeychainManager/RNKeychainManager.m b/RNKeychainManager/RNKeychainManager.m
index c4ad7e59..da6d8b04 100644
--- a/RNKeychainManager/RNKeychainManager.m
+++ b/RNKeychainManager/RNKeychainManager.m
@@ -285,7 +285,7 @@ - (OSStatus)deleteCredentialsForServer:(NSString *)server
}
#endif
-RCT_EXPORT_METHOD(setGenericPasswordForOptions:(NSDictionary *)options withUsername:(NSString *)username withPassword:(NSString *)password withSecurityLevel:(__unused NSString *)level resolver:(RCTPromiseResolveBlock)resolve rejecter:(RCTPromiseRejectBlock)reject)
+RCT_EXPORT_METHOD(setGenericPasswordForOptions:(NSDictionary *)options withUsername:(NSString *)username withPassword:(NSString *)password withSecurityLevel:(__unused NSString *)level withAccessControl:(__unused NSString *)accessControl resolver:(RCTPromiseResolveBlock)resolve rejecter:(RCTPromiseRejectBlock)reject)
{
NSString *service = serviceValue(options);
NSDictionary *attributes = attributes = @{
@@ -359,7 +359,7 @@ - (OSStatus)deleteCredentialsForServer:(NSString *)server
return resolve(@(YES));
}
-RCT_EXPORT_METHOD(setInternetCredentialsForServer:(NSString *)server withUsername:(NSString*)username withPassword:(NSString*)password withSecurityLevel:(__unused NSString *)level withOptions:(NSDictionary *)options resolver:(RCTPromiseResolveBlock)resolve rejecter:(RCTPromiseRejectBlock)reject)
+RCT_EXPORT_METHOD(setInternetCredentialsForServer:(NSString *)server withUsername:(NSString*)username withPassword:(NSString*)password withSecurityLevel:(__unused NSString *)level withAccessControl:(__unused NSString *)accessControl withOptions:(NSDictionary *)options resolver:(RCTPromiseResolveBlock)resolve rejecter:(RCTPromiseRejectBlock)reject)
{
[self deleteCredentialsForServer:server];
diff --git a/android/build.gradle b/android/build.gradle
index bd2fe043..2cb95242 100755
--- a/android/build.gradle
+++ b/android/build.gradle
@@ -52,4 +52,5 @@ dependencies {
implementation 'com.facebook.react:react-native:+' // From node_modules
implementation 'androidx.annotation:annotation:1.1.0'
implementation 'com.facebook.conceal:conceal:1.1.3@aar'
+ implementation "androidx.biometric:biometric:1.0.0-rc01"
}
diff --git a/android/gradle/wrapper/gradle-wrapper.jar b/android/gradle/wrapper/gradle-wrapper.jar
new file mode 100644
index 00000000..f6b961fd
Binary files /dev/null and b/android/gradle/wrapper/gradle-wrapper.jar differ
diff --git a/android/gradle/wrapper/gradle-wrapper.properties b/android/gradle/wrapper/gradle-wrapper.properties
new file mode 100644
index 00000000..2d5100df
--- /dev/null
+++ b/android/gradle/wrapper/gradle-wrapper.properties
@@ -0,0 +1,6 @@
+#Sat Oct 19 13:24:56 BST 2019
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-5.4.1-all.zip
diff --git a/android/gradlew b/android/gradlew
new file mode 100644
index 00000000..cccdd3d5
--- /dev/null
+++ b/android/gradlew
@@ -0,0 +1,172 @@
+#!/usr/bin/env sh
+
+##############################################################################
+##
+## Gradle start up script for UN*X
+##
+##############################################################################
+
+# Attempt to set APP_HOME
+# Resolve links: $0 may be a link
+PRG="$0"
+# Need this for relative symlinks.
+while [ -h "$PRG" ] ; do
+ ls=`ls -ld "$PRG"`
+ link=`expr "$ls" : '.*-> \(.*\)$'`
+ if expr "$link" : '/.*' > /dev/null; then
+ PRG="$link"
+ else
+ PRG=`dirname "$PRG"`"/$link"
+ fi
+done
+SAVED="`pwd`"
+cd "`dirname \"$PRG\"`/" >/dev/null
+APP_HOME="`pwd -P`"
+cd "$SAVED" >/dev/null
+
+APP_NAME="Gradle"
+APP_BASE_NAME=`basename "$0"`
+
+# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+DEFAULT_JVM_OPTS=""
+
+# Use the maximum available, or set MAX_FD != -1 to use that value.
+MAX_FD="maximum"
+
+warn () {
+ echo "$*"
+}
+
+die () {
+ echo
+ echo "$*"
+ echo
+ exit 1
+}
+
+# OS specific support (must be 'true' or 'false').
+cygwin=false
+msys=false
+darwin=false
+nonstop=false
+case "`uname`" in
+ CYGWIN* )
+ cygwin=true
+ ;;
+ Darwin* )
+ darwin=true
+ ;;
+ MINGW* )
+ msys=true
+ ;;
+ NONSTOP* )
+ nonstop=true
+ ;;
+esac
+
+CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
+
+# Determine the Java command to use to start the JVM.
+if [ -n "$JAVA_HOME" ] ; then
+ if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
+ # IBM's JDK on AIX uses strange locations for the executables
+ JAVACMD="$JAVA_HOME/jre/sh/java"
+ else
+ JAVACMD="$JAVA_HOME/bin/java"
+ fi
+ if [ ! -x "$JAVACMD" ] ; then
+ die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+ fi
+else
+ JAVACMD="java"
+ which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+fi
+
+# Increase the maximum file descriptors if we can.
+if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then
+ MAX_FD_LIMIT=`ulimit -H -n`
+ if [ $? -eq 0 ] ; then
+ if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
+ MAX_FD="$MAX_FD_LIMIT"
+ fi
+ ulimit -n $MAX_FD
+ if [ $? -ne 0 ] ; then
+ warn "Could not set maximum file descriptor limit: $MAX_FD"
+ fi
+ else
+ warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
+ fi
+fi
+
+# For Darwin, add options to specify how the application appears in the dock
+if $darwin; then
+ GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
+fi
+
+# For Cygwin, switch paths to Windows format before running java
+if $cygwin ; then
+ APP_HOME=`cygpath --path --mixed "$APP_HOME"`
+ CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
+ JAVACMD=`cygpath --unix "$JAVACMD"`
+
+ # We build the pattern for arguments to be converted via cygpath
+ ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
+ SEP=""
+ for dir in $ROOTDIRSRAW ; do
+ ROOTDIRS="$ROOTDIRS$SEP$dir"
+ SEP="|"
+ done
+ OURCYGPATTERN="(^($ROOTDIRS))"
+ # Add a user-defined pattern to the cygpath arguments
+ if [ "$GRADLE_CYGPATTERN" != "" ] ; then
+ OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
+ fi
+ # Now convert the arguments - kludge to limit ourselves to /bin/sh
+ i=0
+ for arg in "$@" ; do
+ CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
+ CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option
+
+ if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition
+ eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
+ else
+ eval `echo args$i`="\"$arg\""
+ fi
+ i=$((i+1))
+ done
+ case $i in
+ (0) set -- ;;
+ (1) set -- "$args0" ;;
+ (2) set -- "$args0" "$args1" ;;
+ (3) set -- "$args0" "$args1" "$args2" ;;
+ (4) set -- "$args0" "$args1" "$args2" "$args3" ;;
+ (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
+ (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
+ (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
+ (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
+ (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
+ esac
+fi
+
+# Escape application args
+save () {
+ for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
+ echo " "
+}
+APP_ARGS=$(save "$@")
+
+# Collect all arguments for the java command, following the shell quoting and substitution rules
+eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
+
+# by default we should be in the correct project dir, but when run from Finder on Mac, the cwd is wrong
+if [ "$(uname)" = "Darwin" ] && [ "$HOME" = "$PWD" ]; then
+ cd "$(dirname "$0")"
+fi
+
+exec "$JAVACMD" "$@"
diff --git a/android/gradlew.bat b/android/gradlew.bat
new file mode 100644
index 00000000..e95643d6
--- /dev/null
+++ b/android/gradlew.bat
@@ -0,0 +1,84 @@
+@if "%DEBUG%" == "" @echo off
+@rem ##########################################################################
+@rem
+@rem Gradle startup script for Windows
+@rem
+@rem ##########################################################################
+
+@rem Set local scope for the variables with windows NT shell
+if "%OS%"=="Windows_NT" setlocal
+
+set DIRNAME=%~dp0
+if "%DIRNAME%" == "" set DIRNAME=.
+set APP_BASE_NAME=%~n0
+set APP_HOME=%DIRNAME%
+
+@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+set DEFAULT_JVM_OPTS=
+
+@rem Find java.exe
+if defined JAVA_HOME goto findJavaFromJavaHome
+
+set JAVA_EXE=java.exe
+%JAVA_EXE% -version >NUL 2>&1
+if "%ERRORLEVEL%" == "0" goto init
+
+echo.
+echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+echo.
+echo Please set the JAVA_HOME variable in your environment to match the
+echo location of your Java installation.
+
+goto fail
+
+:findJavaFromJavaHome
+set JAVA_HOME=%JAVA_HOME:"=%
+set JAVA_EXE=%JAVA_HOME%/bin/java.exe
+
+if exist "%JAVA_EXE%" goto init
+
+echo.
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
+echo.
+echo Please set the JAVA_HOME variable in your environment to match the
+echo location of your Java installation.
+
+goto fail
+
+:init
+@rem Get command-line arguments, handling Windows variants
+
+if not "%OS%" == "Windows_NT" goto win9xME_args
+
+:win9xME_args
+@rem Slurp the command line arguments.
+set CMD_LINE_ARGS=
+set _SKIP=2
+
+:win9xME_args_slurp
+if "x%~1" == "x" goto execute
+
+set CMD_LINE_ARGS=%*
+
+:execute
+@rem Setup the command line
+
+set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
+
+@rem Execute Gradle
+"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS%
+
+:end
+@rem End local scope for the variables with windows NT shell
+if "%ERRORLEVEL%"=="0" goto mainEnd
+
+:fail
+rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
+rem the _cmd.exe /c_ return code!
+if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
+exit /b 1
+
+:mainEnd
+if "%OS%"=="Windows_NT" endlocal
+
+:omega
diff --git a/android/src/main/AndroidManifest.xml b/android/src/main/AndroidManifest.xml
index ddbe5066..dbefd667 100644
--- a/android/src/main/AndroidManifest.xml
+++ b/android/src/main/AndroidManifest.xml
@@ -1,4 +1,6 @@
-
+
+
+
diff --git a/android/src/main/java/com/oblador/keychain/DeviceAvailability.java b/android/src/main/java/com/oblador/keychain/DeviceAvailability.java
index 090d47bb..e42dc100 100644
--- a/android/src/main/java/com/oblador/keychain/DeviceAvailability.java
+++ b/android/src/main/java/com/oblador/keychain/DeviceAvailability.java
@@ -1,5 +1,7 @@
package com.oblador.keychain;
+import android.Manifest;
+import android.content.pm.PackageManager;
import android.os.Build;
import android.content.Context;
import android.app.KeyguardManager;
@@ -10,7 +12,9 @@ public static boolean isFingerprintAuthAvailable(Context context) {
if (android.os.Build.VERSION.SDK_INT >= 23) {
FingerprintManager fingerprintManager =
(FingerprintManager) context.getSystemService(Context.FINGERPRINT_SERVICE);
- return fingerprintManager != null && fingerprintManager.isHardwareDetected() &&
+ return fingerprintManager != null &&
+ context.checkSelfPermission(Manifest.permission.USE_FINGERPRINT) == PackageManager.PERMISSION_GRANTED &&
+ fingerprintManager.isHardwareDetected() &&
fingerprintManager.hasEnrolledFingerprints();
}
return false;
diff --git a/android/src/main/java/com/oblador/keychain/KeychainModule.java b/android/src/main/java/com/oblador/keychain/KeychainModule.java
index 61d061e8..39044022 100644
--- a/android/src/main/java/com/oblador/keychain/KeychainModule.java
+++ b/android/src/main/java/com/oblador/keychain/KeychainModule.java
@@ -11,23 +11,28 @@
import com.facebook.react.bridge.ReactMethod;
import com.facebook.react.bridge.ReadableMap;
import com.facebook.react.bridge.WritableMap;
+
import com.oblador.keychain.PrefsStorage.ResultSet;
import com.oblador.keychain.cipherStorage.CipherStorage;
import com.oblador.keychain.cipherStorage.CipherStorage.DecryptionResult;
import com.oblador.keychain.cipherStorage.CipherStorage.EncryptionResult;
+import com.oblador.keychain.cipherStorage.CipherStorage.DecryptionResultHandler;
import com.oblador.keychain.cipherStorage.CipherStorageFacebookConceal;
import com.oblador.keychain.cipherStorage.CipherStorageKeystoreAESCBC;
+import com.oblador.keychain.cipherStorage.CipherStorageKeystoreRSAECB;
import com.oblador.keychain.exceptions.CryptoFailedException;
import com.oblador.keychain.exceptions.EmptyParameterException;
import com.oblador.keychain.exceptions.KeyStoreAccessException;
+import java.security.InvalidKeyException;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Nullable;
-public class KeychainModule extends ReactContextBaseJavaModule {
+import androidx.fragment.app.FragmentActivity;
+public class KeychainModule extends ReactContextBaseJavaModule {
public static final String E_EMPTY_PARAMETERS = "E_EMPTY_PARAMETERS";
public static final String E_CRYPTO_FAILED = "E_CRYPTO_FAILED";
public static final String E_KEYSTORE_ACCESS_ERROR = "E_KEYSTORE_ACCESS_ERROR";
@@ -36,6 +41,14 @@ public class KeychainModule extends ReactContextBaseJavaModule {
public static final String FINGERPRINT_SUPPORTED_NAME = "Fingerprint";
public static final String EMPTY_STRING = "";
+
+ public static final String AUTHENTICATION_TYPE_KEY = "authenticationType";
+ public static final String AUTHENTICATION_TYPE_DEVICE_PASSCODE_OR_BIOMETRICS = "AuthenticationWithBiometricsDevicePasscode";
+ public static final String AUTHENTICATION_TYPE_BIOMETRICS = "AuthenticationWithBiometrics";
+
+ public static final String ACCESS_CONTROL_BIOMETRY_ANY = "BiometryAny";
+ public static final String ACCESS_CONTROL_BIOMETRY_CURRENT_SET = "BiometryCurrentSet";
+
private final Map cipherStorageMap = new HashMap<>();
private final PrefsStorage prefsStorage;
@@ -50,6 +63,9 @@ public KeychainModule(ReactApplicationContext reactContext) {
addCipherStorageToMap(new CipherStorageFacebookConceal(reactContext));
addCipherStorageToMap(new CipherStorageKeystoreAESCBC());
+ if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
+ addCipherStorageToMap(new CipherStorageKeystoreRSAECB());
+ }
}
private void addCipherStorageToMap(CipherStorage cipherStorage) {
@@ -67,20 +83,22 @@ public Map getConstants() {
}
@ReactMethod
- public void getSecurityLevel(Promise promise) {
- promise.resolve(getSecurityLevel().name());
- }
+ public void getSecurityLevel(String accessControl, Promise promise) {
+ boolean useBiometry = getUseBiometry(accessControl);
+ promise.resolve(getSecurityLevel(useBiometry).name());
+ }
@ReactMethod
- public void setGenericPasswordForOptions(String service, String username, String password, String minimumSecurityLevel, Promise promise) {
+ public void setGenericPasswordForOptions(String service, String username, String password, String minimumSecurityLevel, String accessControl, Promise promise) {
try {
SecurityLevel level = SecurityLevel.valueOf(minimumSecurityLevel);
if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
throw new EmptyParameterException("you passed empty or null username/password");
}
+
service = getDefaultServiceIfNull(service);
- CipherStorage currentCipherStorage = getCipherStorageForCurrentAPILevel();
+ CipherStorage currentCipherStorage = getCipherStorageForCurrentAPILevel(getUseBiometry(accessControl));
validateCipherStorageSecurityLevel(currentCipherStorage, level);
EncryptionResult result = currentCipherStorage.encrypt(service, username, password, level);
@@ -97,59 +115,96 @@ public void setGenericPasswordForOptions(String service, String username, String
}
@ReactMethod
- public void getGenericPasswordForOptions(String service, Promise promise) {
+ public void getGenericPasswordForOptions(String service, final Promise promise) {
+ final String serviceOrDefault = getDefaultServiceIfNull(service);
+ CipherStorage cipherStorage = null;
try {
- service = getDefaultServiceIfNull(service);
-
- CipherStorage currentCipherStorage = getCipherStorageForCurrentAPILevel();
-
- ResultSet resultSet = prefsStorage.getEncryptedEntry(service);
+ ResultSet resultSet = prefsStorage.getEncryptedEntry(serviceOrDefault);
if (resultSet == null) {
- Log.e(KEYCHAIN_MODULE, "No entry found for service: " + service);
+ Log.e(KEYCHAIN_MODULE, "No entry found for service: " + serviceOrDefault);
promise.resolve(false);
return;
}
- final DecryptionResult decryptionResult = decryptCredentials(service, currentCipherStorage, resultSet);
-
- WritableMap credentials = Arguments.createMap();
-
- credentials.putString("service", service);
- credentials.putString("username", decryptionResult.username);
- credentials.putString("password", decryptionResult.password);
+ // Android < M will throw an exception as biometry is not supported.
+ CipherStorage biometryCipherStorage = null;
+ try {
+ biometryCipherStorage = getCipherStorageForCurrentAPILevel(true);
+ } catch(Exception e) { }
+ final CipherStorage nonBiometryCipherStorage = getCipherStorageForCurrentAPILevel(false);
+ if (biometryCipherStorage != null && resultSet.cipherStorageName.equals(biometryCipherStorage.getCipherStorageName())) {
+ cipherStorage = biometryCipherStorage;
+ } else if (nonBiometryCipherStorage != null && resultSet.cipherStorageName.equals(nonBiometryCipherStorage.getCipherStorageName())) {
+ cipherStorage = nonBiometryCipherStorage;
+ }
- promise.resolve(credentials);
- } catch (KeyStoreAccessException e) {
- Log.e(KEYCHAIN_MODULE, e.getMessage());
- promise.reject(E_KEYSTORE_ACCESS_ERROR, e);
+ final CipherStorage currentCipherStorage = cipherStorage;
+ if (currentCipherStorage != null) {
+ DecryptionResultHandler decryptionHandler = new DecryptionResultHandler() {
+ @Override
+ public void onDecrypt(DecryptionResult decryptionResult, String error) {
+ if (decryptionResult != null) {
+ WritableMap credentials = Arguments.createMap();
+
+ credentials.putString("service", serviceOrDefault);
+ credentials.putString("username", decryptionResult.username);
+ credentials.putString("password", decryptionResult.password);
+
+ promise.resolve(credentials);
+ } else {
+ promise.reject(E_CRYPTO_FAILED, error);
+ }
+ }
+ };
+ // The encrypted data is encrypted using the current CipherStorage, so we just decrypt and return
+ currentCipherStorage.decrypt(decryptionHandler, serviceOrDefault, resultSet.usernameBytes, resultSet.passwordBytes, (FragmentActivity) this.getCurrentActivity());
+ }
+ else {
+ // The encrypted data is encrypted using an older CipherStorage, so we need to decrypt the data first, then encrypt it using the current CipherStorage, then store it again and return
+ final CipherStorage oldCipherStorage = getCipherStorageByName(resultSet.cipherStorageName);
+
+ DecryptionResultHandler decryptionHandler = new DecryptionResultHandler() {
+ @Override
+ public void onDecrypt(DecryptionResult decryptionResult, String error) {
+ if (decryptionResult != null) {
+ WritableMap credentials = Arguments.createMap();
+
+ credentials.putString("service", serviceOrDefault);
+ credentials.putString("username", decryptionResult.username);
+ credentials.putString("password", decryptionResult.password);
+
+ try {
+ migrateCipherStorage(serviceOrDefault, nonBiometryCipherStorage, oldCipherStorage, decryptionResult);
+ } catch (CryptoFailedException e) {
+ Log.e(KEYCHAIN_MODULE, "Migrating to a less safe storage is not allowed. Keeping the old one");
+ } catch (KeyStoreAccessException e) {
+ Log.e(KEYCHAIN_MODULE, e.getMessage());
+ promise.reject(E_KEYSTORE_ACCESS_ERROR, e);
+ }
+
+ promise.resolve(credentials);
+ } else {
+ promise.reject(E_CRYPTO_FAILED, error);
+ }
+ }
+ };
+ // decrypt using the older cipher storage
+ oldCipherStorage.decrypt(decryptionHandler, serviceOrDefault, resultSet.usernameBytes, resultSet.passwordBytes, (FragmentActivity) this.getCurrentActivity());
+ }
+ } catch (InvalidKeyException e) {
+ Log.e(KEYCHAIN_MODULE, String.format("Key for service %s permanently invalidated", serviceOrDefault));
+ try {
+ cipherStorage.removeKey(serviceOrDefault);
+ } catch (Exception error) {
+ Log.e(KEYCHAIN_MODULE, "Failed removing invalidated key: " + error.getMessage());
+ }
+ promise.resolve(false);
} catch (CryptoFailedException e) {
Log.e(KEYCHAIN_MODULE, e.getMessage());
promise.reject(E_CRYPTO_FAILED, e);
}
}
- private DecryptionResult decryptCredentials(String service, CipherStorage currentCipherStorage, ResultSet resultSet) throws CryptoFailedException, KeyStoreAccessException {
- if (resultSet.cipherStorageName.equals(currentCipherStorage.getCipherStorageName())) {
- // The encrypted data is encrypted using the current CipherStorage, so we just decrypt and return
- return currentCipherStorage.decrypt(service, resultSet.usernameBytes, resultSet.passwordBytes);
- }
-
- // The encrypted data is encrypted using an older CipherStorage, so we need to decrypt the data first, then encrypt it using the current CipherStorage, then store it again and return
- CipherStorage oldCipherStorage = getCipherStorageByName(resultSet.cipherStorageName);
- // decrypt using the older cipher storage
-
- DecryptionResult decryptionResult = oldCipherStorage.decrypt(service, resultSet.usernameBytes, resultSet.passwordBytes);
- // encrypt using the current cipher storage
-
- try {
- migrateCipherStorage(service, currentCipherStorage, oldCipherStorage, decryptionResult);
- } catch (CryptoFailedException e) {
- Log.e(KEYCHAIN_MODULE, "Migrating to a less safe storage is not allowed. Keeping the old one");
- }
-
- return decryptionResult;
- }
-
private void migrateCipherStorage(String service, CipherStorage newCipherStorage, CipherStorage oldCipherStorage, DecryptionResult decryptionResult) throws KeyStoreAccessException, CryptoFailedException {
// don't allow to degrade security level when transferring, the new storage should be as safe as the old one.
EncryptionResult encryptionResult = newCipherStorage.encrypt(service, decryptionResult.username, decryptionResult.password, decryptionResult.getSecurityLevel());
@@ -197,8 +252,8 @@ public void hasInternetCredentialsForServer(@NonNull String server, Promise prom
}
@ReactMethod
- public void setInternetCredentialsForServer(@NonNull String server, String username, String password, String minimumSecurityLevel, ReadableMap unusedOptions, Promise promise) {
- setGenericPasswordForOptions(server, username, password, minimumSecurityLevel, promise);
+ public void setInternetCredentialsForServer(@NonNull String server, String username, String password, String minimumSecurityLevel, String accessControl, ReadableMap unusedOptions, Promise promise) {
+ setGenericPasswordForOptions(server, username, password, minimumSecurityLevel, accessControl, promise);
}
@ReactMethod
@@ -211,6 +266,28 @@ public void resetInternetCredentialsForServer(@NonNull String server, ReadableMa
resetGenericPasswordForOptions(server, promise);
}
+ @ReactMethod
+ public void canCheckAuthentication(ReadableMap options, Promise promise) {
+ String authenticationType = null;
+ if (options != null && options.hasKey(AUTHENTICATION_TYPE_KEY)) {
+ authenticationType = options.getString(AUTHENTICATION_TYPE_KEY);
+ }
+
+ if (authenticationType == null
+ || (!authenticationType.equals(AUTHENTICATION_TYPE_DEVICE_PASSCODE_OR_BIOMETRICS)
+ && !authenticationType.equals(AUTHENTICATION_TYPE_BIOMETRICS))) {
+ promise.resolve(false);
+ return;
+ }
+
+ try {
+ boolean fingerprintAuthAvailable = isFingerprintAuthAvailable();
+ promise.resolve(fingerprintAuthAvailable);
+ } catch (Exception e) {
+ promise.resolve(false);
+ }
+ }
+
@ReactMethod
public void getSupportedBiometryType(Promise promise) {
try {
@@ -226,14 +303,22 @@ public void getSupportedBiometryType(Promise promise) {
}
}
+ private boolean getUseBiometry(String accessControl) {
+ return accessControl != null
+ && (accessControl.equals(ACCESS_CONTROL_BIOMETRY_ANY)
+ || accessControl.equals(ACCESS_CONTROL_BIOMETRY_CURRENT_SET));
+ }
+
// The "Current" CipherStorage is the cipherStorage with the highest API level that is lower than or equal to the current API level
- private CipherStorage getCipherStorageForCurrentAPILevel() throws CryptoFailedException {
+ private CipherStorage getCipherStorageForCurrentAPILevel(boolean useBiometry) throws CryptoFailedException {
int currentAPILevel = Build.VERSION.SDK_INT;
CipherStorage currentCipherStorage = null;
for (CipherStorage cipherStorage : cipherStorageMap.values()) {
int cipherStorageAPILevel = cipherStorage.getMinSupportedApiLevel();
+ boolean biometrySupported = cipherStorage.getCipherBiometrySupported();
// Is the cipherStorage supported on the current API level?
- boolean isSupported = (cipherStorageAPILevel <= currentAPILevel);
+ boolean isSupported = (cipherStorageAPILevel <= currentAPILevel)
+ && (biometrySupported == useBiometry);
if (!isSupported) {
continue;
}
@@ -245,6 +330,7 @@ private CipherStorage getCipherStorageForCurrentAPILevel() throws CryptoFailedEx
if (currentCipherStorage == null) {
throw new CryptoFailedException("Unsupported Android SDK " + Build.VERSION.SDK_INT);
}
+
return currentCipherStorage;
}
@@ -262,29 +348,31 @@ private void validateCipherStorageSecurityLevel(CipherStorage cipherStorage, Sec
private CipherStorage getCipherStorageByName(String cipherStorageName) {
- return cipherStorageMap.get(cipherStorageName);
+ CipherStorage storage = cipherStorageMap.get(cipherStorageName);
+
+ return storage;
}
private boolean isFingerprintAuthAvailable() {
return DeviceAvailability.isFingerprintAuthAvailable(getReactApplicationContext());
}
- private boolean isSecureHardwareAvailable() {
+ private boolean isSecureHardwareAvailable(boolean useBiometry) {
try {
- return getCipherStorageForCurrentAPILevel().supportsSecureHardware();
+ return getCipherStorageForCurrentAPILevel(useBiometry).supportsSecureHardware();
} catch (CryptoFailedException e) {
return false;
}
}
- private SecurityLevel getSecurityLevel() {
+ private SecurityLevel getSecurityLevel(boolean useBiometry) {
try {
- CipherStorage storage = getCipherStorageForCurrentAPILevel();
+ CipherStorage storage = getCipherStorageForCurrentAPILevel(useBiometry);
if (!storage.securityLevel().satisfiesSafetyThreshold(SecurityLevel.SECURE_SOFTWARE)) {
return SecurityLevel.ANY;
}
- if (isSecureHardwareAvailable()) {
+ if (isSecureHardwareAvailable(useBiometry)) {
return SecurityLevel.SECURE_HARDWARE;
} else {
return SecurityLevel.SECURE_SOFTWARE;
diff --git a/android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorage.java b/android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorage.java
index 7557ce16..2e26d5a8 100644
--- a/android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorage.java
+++ b/android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorage.java
@@ -1,11 +1,15 @@
package com.oblador.keychain.cipherStorage;
-import androidx.annotation.NonNull;
+import android.security.keystore.KeyPermanentlyInvalidatedException;
import com.oblador.keychain.SecurityLevel;
import com.oblador.keychain.exceptions.CryptoFailedException;
import com.oblador.keychain.exceptions.KeyStoreAccessException;
+import androidx.annotation.NonNull;
+import androidx.fragment.app.Fragment;
+import androidx.fragment.app.FragmentActivity;
+
public interface CipherStorage {
abstract class CipherResult {
public final T username;
@@ -39,14 +43,20 @@ public SecurityLevel getSecurityLevel() {
}
}
+ interface DecryptionResultHandler {
+ void onDecrypt(DecryptionResult decryptionResult, String error);
+ }
+
EncryptionResult encrypt(@NonNull String service, @NonNull String username, @NonNull String password, SecurityLevel level) throws CryptoFailedException;
- DecryptionResult decrypt(@NonNull String service, @NonNull byte[] username, @NonNull byte[] password) throws CryptoFailedException;
+ void decrypt(@NonNull DecryptionResultHandler decryptionResultHandler, @NonNull String service, @NonNull byte[] username, @NonNull byte[] password, FragmentActivity activity) throws CryptoFailedException, KeyPermanentlyInvalidatedException;
void removeKey(@NonNull String service) throws KeyStoreAccessException;
String getCipherStorageName();
+ boolean getCipherBiometrySupported();
+
int getMinSupportedApiLevel();
SecurityLevel securityLevel();
diff --git a/android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageFacebookConceal.java b/android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageFacebookConceal.java
index 3162f994..587ae325 100644
--- a/android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageFacebookConceal.java
+++ b/android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageFacebookConceal.java
@@ -1,7 +1,7 @@
package com.oblador.keychain.cipherStorage;
import android.os.Build;
-import androidx.annotation.NonNull;
+import android.security.keystore.KeyPermanentlyInvalidatedException;
import com.facebook.android.crypto.keychain.AndroidConceal;
import com.facebook.android.crypto.keychain.SharedPrefsBackedKeyChain;
@@ -15,6 +15,9 @@
import java.nio.charset.Charset;
+import androidx.annotation.NonNull;
+import androidx.fragment.app.FragmentActivity;
+
public class CipherStorageFacebookConceal implements CipherStorage {
public static final String CIPHER_STORAGE_NAME = "FacebookConceal";
public static final String KEYCHAIN_DATA = "RN_KEYCHAIN";
@@ -30,11 +33,17 @@ public String getCipherStorageName() {
return CIPHER_STORAGE_NAME;
}
+ @Override
+ public boolean getCipherBiometrySupported() {
+ return false;
+ }
+
@Override
public int getMinSupportedApiLevel() {
return Build.VERSION_CODES.JELLY_BEAN;
}
+
@Override
public SecurityLevel securityLevel() {
return SecurityLevel.ANY;
@@ -69,7 +78,7 @@ public EncryptionResult encrypt(@NonNull String service, @NonNull String usernam
}
@Override
- public DecryptionResult decrypt(@NonNull String service, @NonNull byte[] username, @NonNull byte[] password) throws CryptoFailedException {
+ public void decrypt(@NonNull DecryptionResultHandler decryptionResultHandler, @NonNull String service, @NonNull byte[] username, @NonNull byte[] password, FragmentActivity activity) throws CryptoFailedException, KeyPermanentlyInvalidatedException {
if (!crypto.isAvailable()) {
throw new CryptoFailedException("Crypto is missing");
}
@@ -80,10 +89,9 @@ public DecryptionResult decrypt(@NonNull String service, @NonNull byte[] usernam
byte[] decryptedUsername = crypto.decrypt(username, usernameEntity);
byte[] decryptedPassword = crypto.decrypt(password, passwordEntity);
- return new DecryptionResult(
+ decryptionResultHandler.onDecrypt(new DecryptionResult(
new String(decryptedUsername, Charset.forName("UTF-8")),
- new String(decryptedPassword, Charset.forName("UTF-8")),
- SecurityLevel.ANY);
+ new String(decryptedPassword, Charset.forName("UTF-8")), SecurityLevel.ANY), null);
} catch (Exception e) {
throw new CryptoFailedException("Decryption failed for service " + service, e);
}
diff --git a/android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageKeystoreAESCBC.java b/android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageKeystoreAESCBC.java
index d7c9ab5a..4ae160b6 100644
--- a/android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageKeystoreAESCBC.java
+++ b/android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageKeystoreAESCBC.java
@@ -4,8 +4,11 @@
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
+import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import androidx.annotation.NonNull;
+import androidx.fragment.app.FragmentActivity;
+
import android.util.Log;
import com.oblador.keychain.SecurityLevel;
@@ -55,6 +58,11 @@ public String getCipherStorageName() {
return CIPHER_STORAGE_NAME;
}
+ @Override
+ public boolean getCipherBiometrySupported() {
+ return false;
+ }
+
@Override
public int getMinSupportedApiLevel() {
return Build.VERSION_CODES.M;
@@ -165,7 +173,7 @@ private void generateKeyAndStoreUnderAlias(@NonNull String service, SecurityLeve
}
@Override
- public DecryptionResult decrypt(@NonNull String service, @NonNull byte[] username, @NonNull byte[] password) throws CryptoFailedException {
+ public void decrypt(@NonNull DecryptionResultHandler decryptionResultHandler, @NonNull String service, @NonNull byte[] username, @NonNull byte[] password, FragmentActivity activity) throws CryptoFailedException, KeyPermanentlyInvalidatedException {
service = getDefaultServiceIfEmpty(service);
try {
@@ -179,7 +187,9 @@ public DecryptionResult decrypt(@NonNull String service, @NonNull byte[] usernam
String decryptedUsername = decryptBytes(key, username);
String decryptedPassword = decryptBytes(key, password);
- return new DecryptionResult(decryptedUsername, decryptedPassword, getSecurityLevel((SecretKey) key));
+ decryptionResultHandler.onDecrypt(new DecryptionResult(
+ decryptedUsername,
+ decryptedPassword, SecurityLevel.ANY), null);
} catch (KeyStoreException | UnrecoverableKeyException | NoSuchAlgorithmException e) {
throw new CryptoFailedException("Could not get key from Keystore", e);
} catch (KeyStoreAccessException e) {
diff --git a/android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageKeystoreMarshmallowBase.java b/android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageKeystoreMarshmallowBase.java
new file mode 100644
index 00000000..52402124
--- /dev/null
+++ b/android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageKeystoreMarshmallowBase.java
@@ -0,0 +1,158 @@
+package com.oblador.keychain.cipherStorage;
+
+import android.annotation.TargetApi;
+import android.os.Build;
+import android.security.keystore.KeyGenParameterSpec;
+import android.security.keystore.KeyInfo;
+import android.security.keystore.StrongBoxUnavailableException;
+import androidx.annotation.NonNull;
+import android.util.Log;
+
+import com.oblador.keychain.SecurityLevel;
+import com.oblador.keychain.exceptions.CryptoFailedException;
+import com.oblador.keychain.exceptions.KeyStoreAccessException;
+
+import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.Key;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.cert.CertificateException;
+import java.security.spec.InvalidKeySpecException;
+
+import androidx.biometric.BiometricPrompt;
+
+@TargetApi(Build.VERSION_CODES.M)
+public abstract class CipherStorageKeystoreMarshmallowBase implements CipherStorage {
+ public static final String TAG = "Keystore";
+ public static final String DEFAULT_SERVICE = "RN_KEYCHAIN_DEFAULT_ALIAS";
+ public static final String KEYSTORE_TYPE = "AndroidKeyStore";
+
+ @Override
+ public int getMinSupportedApiLevel() {
+ return Build.VERSION_CODES.M;
+ }
+
+ @Override
+ public SecurityLevel securityLevel() {
+ // it can guarantee security levels up to SECURE_HARDWARE/SE/StrongBox
+ return SecurityLevel.SECURE_HARDWARE;
+ }
+
+ @Override
+ public boolean supportsSecureHardware() {
+ final String testKeyAlias = "AndroidKeyStore#supportsSecureHardware";
+
+ try {
+ Key key = tryGenerateRegularSecurityKey(testKeyAlias);
+ return validateKeySecurityLevel(SecurityLevel.SECURE_HARDWARE, key);
+ } catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException | NoSuchProviderException e) {
+ return false;
+ } finally {
+ try {
+ removeKey(testKeyAlias);
+ } catch (KeyStoreAccessException e) {
+ Log.e(TAG, "Unable to remove temp key from keychain", e);
+ }
+ }
+ }
+
+ @TargetApi(Build.VERSION_CODES.M)
+ protected boolean validateKeySecurityLevel(SecurityLevel level, Key generatedKey) {
+ return getSecurityLevel(generatedKey).satisfiesSafetyThreshold(level);
+ }
+
+ @TargetApi(Build.VERSION_CODES.M)
+ protected SecurityLevel getSecurityLevel(Key key) {
+ try {
+ KeyInfo keyInfo = getKeyInfo(key);
+ return keyInfo.isInsideSecureHardware() ? SecurityLevel.SECURE_HARDWARE : SecurityLevel.SECURE_SOFTWARE;
+ } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidKeySpecException e) {
+ return SecurityLevel.ANY;
+ }
+ }
+
+ protected abstract KeyInfo getKeyInfo(Key key) throws NoSuchProviderException, NoSuchAlgorithmException, InvalidKeySpecException;
+
+ @Override
+ public void removeKey(@NonNull String service) throws KeyStoreAccessException {
+ service = getDefaultServiceIfEmpty(service);
+
+ try {
+ KeyStore keyStore = getKeyStoreAndLoad();
+
+ if (keyStore.containsAlias(service)) {
+ keyStore.deleteEntry(service);
+ }
+ } catch (KeyStoreException e) {
+ throw new KeyStoreAccessException("Failed to access Keystore", e);
+ } catch (Exception e) {
+ throw new KeyStoreAccessException("Unknown error " + e.getMessage(), e);
+ }
+ }
+
+ protected KeyStore getKeyStoreAndLoad() throws KeyStoreException, KeyStoreAccessException {
+ try {
+ KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
+ keyStore.load(null);
+ return keyStore;
+ } catch (NoSuchAlgorithmException | CertificateException | IOException e) {
+ throw new KeyStoreAccessException("Could not access Keystore", e);
+ }
+ }
+
+ @NonNull
+ protected String getDefaultServiceIfEmpty(@NonNull String service) {
+ return service.isEmpty() ? DEFAULT_SERVICE : service;
+ }
+
+ protected void generateKeyAndStoreUnderAlias(@NonNull String service, SecurityLevel requiredLevel) throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException, CryptoFailedException {
+ // Firstly, try to generate the key as safe as possible (strongbox).
+ // see https://developer.android.com/training/articles/keystore#HardwareSecurityModule
+ Key key = tryGenerateStrongBoxSecurityKey(service);
+ if (key == null) {
+ // If that is not possible, we generate the key in a regular way
+ // (it still might be generated in hardware, but not in StrongBox)
+ key = tryGenerateRegularSecurityKey(service);
+ }
+
+ if(!validateKeySecurityLevel(requiredLevel, key)) {
+ throw new CryptoFailedException("Cannot generate keys with required security guarantees");
+ }
+ }
+
+ @TargetApi(Build.VERSION_CODES.P)
+ protected Key tryGenerateStrongBoxSecurityKey(String service) throws NoSuchAlgorithmException,
+ InvalidAlgorithmParameterException, NoSuchProviderException {
+ // StrongBox is only supported on Android P and higher
+ if (Build.VERSION.SDK_INT < Build.VERSION_CODES.P) {
+ return null;
+ }
+ try {
+ return generateKey(getKeyGenSpecBuilder(service).setIsStrongBoxBacked(true).build());
+ } catch (Exception e) {
+ if (e instanceof StrongBoxUnavailableException) {
+ Log.i(TAG, "StrongBox is unavailable on this device");
+ } else {
+ Log.e(TAG, "An error occurred when trying to generate a StrongBoxSecurityKey: " + e.getMessage());
+ }
+ return null;
+ }
+ }
+
+ @TargetApi(Build.VERSION_CODES.M)
+ protected Key tryGenerateRegularSecurityKey(String service) throws NoSuchAlgorithmException,
+ InvalidAlgorithmParameterException, NoSuchProviderException {
+ return generateKey(getKeyGenSpecBuilder(service).build());
+ }
+
+ // returns true if the key was generated successfully
+ @TargetApi(Build.VERSION_CODES.M)
+ protected abstract Key generateKey(KeyGenParameterSpec spec) throws NoSuchProviderException,
+ NoSuchAlgorithmException, InvalidAlgorithmParameterException;
+
+ @TargetApi(Build.VERSION_CODES.M)
+ protected abstract KeyGenParameterSpec.Builder getKeyGenSpecBuilder(String service);
+}
diff --git a/android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageKeystoreRSAECB.java b/android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageKeystoreRSAECB.java
new file mode 100644
index 00000000..a501adc4
--- /dev/null
+++ b/android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageKeystoreRSAECB.java
@@ -0,0 +1,270 @@
+package com.oblador.keychain.cipherStorage;
+
+import android.Manifest;
+import android.annotation.TargetApi;
+import android.app.KeyguardManager;
+import android.content.Context;
+import android.content.pm.PackageManager;
+import android.os.Build;
+import android.os.CancellationSignal;
+import android.security.keystore.KeyGenParameterSpec;
+import android.security.keystore.KeyInfo;
+import android.security.keystore.KeyPermanentlyInvalidatedException;
+import android.security.keystore.KeyProperties;
+import android.security.keystore.UserNotAuthenticatedException;
+import androidx.annotation.NonNull;
+import androidx.annotation.Nullable;
+import androidx.annotation.RequiresApi;
+
+import com.facebook.react.bridge.ReactApplicationContext;
+
+import com.facebook.react.bridge.ReactContext;
+import com.oblador.keychain.SecurityLevel;
+import com.oblador.keychain.components.BiometricPromptHelper;
+import com.oblador.keychain.exceptions.CryptoFailedException;
+import com.oblador.keychain.exceptions.KeyStoreAccessException;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.nio.charset.Charset;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.Key;
+import java.security.KeyFactory;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PublicKey;
+import java.security.UnrecoverableKeyException;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.KeySpec;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.concurrent.Executors;
+
+import javax.crypto.Cipher;
+import javax.crypto.CipherInputStream;
+import javax.crypto.CipherOutputStream;
+
+import androidx.fragment.app.Fragment;
+import androidx.fragment.app.FragmentActivity;
+
+@RequiresApi(Build.VERSION_CODES.M)
+public class CipherStorageKeystoreRSAECB extends CipherStorageKeystoreMarshmallowBase implements BiometricPromptHelper.BiometricAuthenticationResult {
+ private static final String CIPHER_STORAGE_NAME = "KeystoreRSAECB";
+ private static final String KEYSTORE_TYPE = "AndroidKeyStore";
+ private static final String ENCRYPTION_ALGORITHM = KeyProperties.KEY_ALGORITHM_RSA;
+ private static final String ENCRYPTION_BLOCK_MODE = KeyProperties.BLOCK_MODE_ECB;
+ private static final String ENCRYPTION_PADDING = KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1;
+ private static final String ENCRYPTION_TRANSFORMATION =
+ ENCRYPTION_ALGORITHM + "/" +
+ ENCRYPTION_BLOCK_MODE + "/" +
+ ENCRYPTION_PADDING;
+ private static final int ENCRYPTION_KEY_SIZE = 3072;
+
+ private class CipherDecryptionParams {
+ private final DecryptionResultHandler resultHandler;
+ private final Key key;
+ private final byte[] username;
+ private final byte[] password;
+
+ private CipherDecryptionParams(DecryptionResultHandler handler, Key key, byte[] username, byte[] password) {
+ this.resultHandler = handler;
+ this.key = key;
+ this.username = username;
+ this.password = password;
+ }
+ }
+
+ private CipherDecryptionParams mDecryptParams;
+
+ @Override
+ public void onError(int errorCode, @Nullable CharSequence errString) {
+ if (mDecryptParams != null && mDecryptParams.resultHandler != null) {
+ mDecryptParams.resultHandler.onDecrypt(null, errString != null ? errString.toString() : "Impossible to authenticate");
+ mDecryptParams = null;
+ }
+ }
+
+ @Override
+ public void onSuccess() {
+ if (mDecryptParams != null && mDecryptParams.resultHandler != null) {
+ try {
+ String decryptedUsername = decryptBytes(mDecryptParams.key, mDecryptParams.username);
+ String decryptedPassword = decryptBytes(mDecryptParams.key, mDecryptParams.password);
+ mDecryptParams.resultHandler.onDecrypt(new DecryptionResult(decryptedUsername, decryptedPassword, SecurityLevel.ANY), null);
+ } catch (Exception e) {
+ mDecryptParams.resultHandler.onDecrypt(null, e.getMessage());
+ }
+ mDecryptParams = null;
+ }
+ }
+
+ // returns true if the key was generated successfully
+ @TargetApi(Build.VERSION_CODES.M)
+ protected Key generateKey(KeyGenParameterSpec spec) throws NoSuchProviderException,
+ NoSuchAlgorithmException, InvalidAlgorithmParameterException {
+ KeyPairGenerator generator = KeyPairGenerator.getInstance(ENCRYPTION_ALGORITHM, KEYSTORE_TYPE);
+ generator.initialize(spec);
+ return generator.generateKeyPair().getPrivate();
+ }
+
+ protected KeyInfo getKeyInfo(Key key) throws NoSuchProviderException, NoSuchAlgorithmException, InvalidKeySpecException {
+ KeyFactory factory = KeyFactory.getInstance(key.getAlgorithm(), KEYSTORE_TYPE);
+ KeyInfo keyInfo = factory.getKeySpec(key, KeyInfo.class);
+ return keyInfo;
+ }
+
+ @Override
+ public String getCipherStorageName() {
+ return CIPHER_STORAGE_NAME;
+ }
+
+ @Override
+ public boolean getCipherBiometrySupported() {
+ return true;
+ }
+
+ @Override
+ public int getMinSupportedApiLevel() {
+ return Build.VERSION_CODES.M;
+ }
+
+ @Override
+ public EncryptionResult encrypt(@NonNull String service, @NonNull String username, @NonNull String password, SecurityLevel level) throws CryptoFailedException {
+ service = getDefaultServiceIfEmpty(service);
+
+ try {
+ KeyStore keyStore = getKeyStoreAndLoad();
+
+ if (!keyStore.containsAlias(service)) {
+ generateKeyAndStoreUnderAlias(service, level);
+ }
+
+ KeyFactory keyFactory = KeyFactory.getInstance(ENCRYPTION_ALGORITHM);
+ PublicKey publicKey = keyStore.getCertificate(service).getPublicKey();
+ KeySpec spec = new X509EncodedKeySpec(publicKey.getEncoded());
+ Key key = keyFactory.generatePublic(spec);
+
+ byte[] encryptedUsername = encryptString(key, service, username);
+ byte[] encryptedPassword = encryptString(key, service, password);
+
+ return new EncryptionResult(encryptedUsername, encryptedPassword, this);
+ } catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException | NoSuchProviderException e) {
+ throw new CryptoFailedException("Could not encrypt data for service " + service, e);
+ } catch (KeyStoreException | KeyStoreAccessException e) {
+ throw new CryptoFailedException("Could not access Keystore for service " + service, e);
+ } catch (Exception e) {
+ throw new CryptoFailedException("Unknown error: " + e.getMessage(), e);
+ }
+ }
+
+ @TargetApi(Build.VERSION_CODES.M)
+ protected KeyGenParameterSpec.Builder getKeyGenSpecBuilder(String service) {
+ return new KeyGenParameterSpec.Builder(
+ service,
+ KeyProperties.PURPOSE_DECRYPT | KeyProperties.PURPOSE_ENCRYPT)
+ .setBlockModes(ENCRYPTION_BLOCK_MODE)
+ .setEncryptionPaddings(ENCRYPTION_PADDING)
+ .setRandomizedEncryptionRequired(true)
+ .setUserAuthenticationRequired(true)
+ .setUserAuthenticationValidityDurationSeconds(1)
+ .setKeySize(ENCRYPTION_KEY_SIZE);
+ }
+
+ @Override
+ public void decrypt(@NonNull DecryptionResultHandler decryptionResultHandler, @NonNull String service, @NonNull byte[] username, @NonNull byte[] password, FragmentActivity activity) throws CryptoFailedException, KeyPermanentlyInvalidatedException {
+ service = getDefaultServiceIfEmpty(service);
+
+ BiometricPromptHelper mBiometricHelper = new BiometricPromptHelper(activity);
+ KeyStore keyStore;
+ Key key;
+
+ try {
+ keyStore = getKeyStoreAndLoad();
+ key = keyStore.getKey(service, null);
+ } catch (KeyStoreException | UnrecoverableKeyException | NoSuchAlgorithmException e) {
+ throw new CryptoFailedException("Could not get key from Keystore", e);
+ } catch (KeyStoreAccessException e) {
+ throw new CryptoFailedException("Could not access Keystore", e);
+ } catch (Exception e) {
+ throw new CryptoFailedException("Unknown error: " + e.getMessage(), e);
+ }
+
+ String decryptedUsername;
+ String decryptedPassword;
+ try {
+ // try to get a Cipher, if exception is thrown, authentication is needed
+ decryptedUsername = decryptBytes(key, username);
+ decryptedPassword = decryptBytes(key, password);
+ } catch (UserNotAuthenticatedException e) {
+ mDecryptParams = new CipherDecryptionParams(decryptionResultHandler, key, username, password);
+ if (!mBiometricHelper.canStartFingerprintAuthentication()) {
+ throw new CryptoFailedException("Could not start fingerprint Authentication");
+ }
+ try {
+ // The Cipher is locked, we will decrypt once fingerprint is recognised.
+ mBiometricHelper.startFingerprintAuthentication(this);
+ } catch (Exception e1) {
+ e1.printStackTrace();
+ throw new CryptoFailedException("Could not start fingerprint Authentication", e1);
+ }
+ return;
+ }
+
+ // The Cipher is unlocked, we can decrypt straight away.
+ decryptionResultHandler.onDecrypt(new DecryptionResult(decryptedUsername, decryptedPassword, SecurityLevel.ANY), null);
+ }
+
+ private byte[] encryptString(Key key, String service, String value) throws CryptoFailedException {
+ try {
+ Cipher cipher = Cipher.getInstance(ENCRYPTION_TRANSFORMATION);
+ cipher.init(Cipher.ENCRYPT_MODE, key);
+ ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+ // encrypt the value using a CipherOutputStream
+ CipherOutputStream cipherOutputStream = new CipherOutputStream(outputStream, cipher);
+ cipherOutputStream.write(value.getBytes("UTF-8"));
+ cipherOutputStream.close();
+ return outputStream.toByteArray();
+ } catch (Exception e) {
+ throw new CryptoFailedException("Could not encrypt value for service " + service, e);
+ }
+ }
+
+ private Cipher getDecryptionCipher(Key key) throws CryptoFailedException, UserNotAuthenticatedException, KeyPermanentlyInvalidatedException {
+ try {
+ Cipher cipher = Cipher.getInstance(ENCRYPTION_TRANSFORMATION);
+ // read the initialization vector from the beginning of the stream
+ cipher.init(Cipher.DECRYPT_MODE, key);
+
+ return cipher;
+ } catch (UserNotAuthenticatedException | KeyPermanentlyInvalidatedException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new CryptoFailedException("Could not generate cipher", e);
+ }
+ }
+
+ private String decryptBytes(Key key, byte[] bytes) throws CryptoFailedException, UserNotAuthenticatedException, KeyPermanentlyInvalidatedException {
+ try {
+ Cipher cipher = getDecryptionCipher(key);
+ ByteArrayInputStream inputStream = new ByteArrayInputStream(bytes);
+ // decrypt the bytes using a CipherInputStream
+ CipherInputStream cipherInputStream = new CipherInputStream(
+ inputStream, cipher);
+ ByteArrayOutputStream output = new ByteArrayOutputStream();
+ byte[] buffer = new byte[1024];
+ while (true) {
+ int n = cipherInputStream.read(buffer, 0, buffer.length);
+ if (n <= 0) {
+ break;
+ }
+ output.write(buffer, 0, n);
+ }
+ return new String(output.toByteArray(), Charset.forName("UTF-8"));
+ } catch (IOException e) {
+ throw new CryptoFailedException("Could not decrypt bytes", e);
+ }
+ }
+}
diff --git a/android/src/main/java/com/oblador/keychain/components/BiometricPromptHelper.java b/android/src/main/java/com/oblador/keychain/components/BiometricPromptHelper.java
new file mode 100644
index 00000000..f4c39285
--- /dev/null
+++ b/android/src/main/java/com/oblador/keychain/components/BiometricPromptHelper.java
@@ -0,0 +1,83 @@
+package com.oblador.keychain.components;
+
+import android.Manifest;
+import android.annotation.TargetApi;
+import android.app.KeyguardManager;
+import android.content.Context;
+import android.content.pm.PackageManager;
+import android.os.Build;
+import android.os.CancellationSignal;
+
+import com.facebook.react.bridge.ReactApplicationContext;
+import com.facebook.react.bridge.ReactContext;
+import com.oblador.keychain.SecurityLevel;
+
+import java.security.Key;
+import java.util.concurrent.Executors;
+
+import androidx.annotation.NonNull;
+import androidx.annotation.Nullable;
+import androidx.biometric.BiometricManager;
+import androidx.biometric.BiometricPrompt;
+import androidx.fragment.app.FragmentActivity;
+
+@TargetApi(Build.VERSION_CODES.M)
+public class BiometricPromptHelper extends BiometricPrompt.AuthenticationCallback {
+ private CancellationSignal mBiometricPromptCancellationSignal;
+ private BiometricPrompt mBiometricPrompt;
+ private FragmentActivity mActivity;
+ private BiometricAuthenticationResult mBiometricAuthenticationResult;
+
+ public interface BiometricAuthenticationResult {
+ void onError(int errorCode, @Nullable CharSequence errString);
+ void onSuccess ();
+ }
+
+ public BiometricPromptHelper(FragmentActivity activity) {
+ mActivity = activity;
+ }
+
+ // We don't really want to do anything here
+ // the error message is handled by the info view.
+ // And we don't want to throw an error, as the user can still retry.
+ @Override
+ public void onAuthenticationFailed() {}
+
+ @Override
+ public void onAuthenticationError(int errorCode, @Nullable CharSequence errString) {
+ mBiometricPromptCancellationSignal.cancel();
+ mBiometricAuthenticationResult.onError(errorCode, errString);
+ }
+
+ @Override
+ public void onAuthenticationSucceeded(@NonNull BiometricPrompt.AuthenticationResult result) {
+ mBiometricAuthenticationResult.onSuccess();
+ }
+
+ public boolean canStartFingerprintAuthentication() {
+ return BiometricManager.from(mActivity).canAuthenticate() == BiometricManager.BIOMETRIC_SUCCESS;
+ }
+
+ public void startFingerprintAuthentication(BiometricAuthenticationResult biometricAuthenticationResult) throws Exception {
+ mBiometricAuthenticationResult = biometricAuthenticationResult;
+ // If we have a previous cancellationSignal, cancel it.
+ if (mBiometricPromptCancellationSignal != null) {
+ mBiometricPromptCancellationSignal.cancel();
+ }
+
+ mBiometricPrompt = new BiometricPrompt(mActivity, Executors.newSingleThreadExecutor(), this);
+ mBiometricPromptCancellationSignal = new CancellationSignal();
+
+ final BiometricPrompt.PromptInfo promptInfo = new BiometricPrompt.PromptInfo.Builder()
+ .setTitle("Authentication required")
+ .setNegativeButtonText("Cancel")
+ .setSubtitle("Please use biometric authentication to unlock the app")
+ .build();
+
+ mActivity.runOnUiThread(new Runnable() {
+ public void run() {
+ mBiometricPrompt.authenticate(promptInfo);
+ }
+ });
+ }
+}
diff --git a/android/src/main/res/color-v26/biometric_error_color.xml b/android/src/main/res/color-v26/biometric_error_color.xml
new file mode 100644
index 00000000..443e7f5a
--- /dev/null
+++ b/android/src/main/res/color-v26/biometric_error_color.xml
@@ -0,0 +1,23 @@
+
+
+
+
+
+