Merge pull request #118 from star-collector/keystore

Android <= 5 encryption support

Author: mCodex

android/src/main/java/br/com/classapp/RNSensitiveInfo/RNSensitiveInfoModule.java

@@ -7,7 +7,7 @@
 import android.os.CancellationSignal;
 import android.security.keystore.KeyGenParameterSpec;
 import android.security.keystore.KeyInfo;
-import java.security.InvalidKeyException;
+import android.security.KeyPairGeneratorSpec;
 import android.security.keystore.KeyProperties;
 import android.support.annotation.NonNull;
 import android.util.Base64;
@@ -22,8 +22,14 @@
 import com.facebook.react.bridge.WritableNativeMap;
 import com.facebook.react.modules.core.DeviceEventManagerModule;
 
+import java.math.BigInteger;
 import java.security.Key;
+import java.security.KeyPairGenerator;
 import java.security.KeyStore;
+import java.security.InvalidKeyException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.util.Calendar;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -34,6 +40,8 @@
 import javax.crypto.spec.GCMParameterSpec;
 import javax.crypto.spec.IvParameterSpec;
 
+import javax.security.auth.x500.X500Principal;
+
 import br.com.classapp.RNSensitiveInfo.utils.AppConstants;
 import br.com.classapp.RNSensitiveInfo.view.Fragments.FingerprintAuthenticationDialogFragment;
 import br.com.classapp.RNSensitiveInfo.view.Fragments.FingerprintUiHelper;
@@ -50,7 +58,7 @@ public class RNSensitiveInfoModule extends ReactContextBaseJavaModule {
                     KeyProperties.ENCRYPTION_PADDING_PKCS7;
 
     private static final String AES_GCM = "AES/GCM/NoPadding";
-    private static final String AES_ECB = "AES/ECB/PKCS7Padding";
+    private static final String RSA_ECB = "RSA/ECB/PKCS1Padding";
     private static final String DELIMITER = "]";
     private static final byte[] FIXED_IV = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1};
     private static final String KEY_ALIAS = "MySharedPreferenceKeyAlias";
@@ -62,13 +70,28 @@ public class RNSensitiveInfoModule extends ReactContextBaseJavaModule {
 
     public RNSensitiveInfoModule(ReactApplicationContext reactContext) {
         super(reactContext);
+        
+        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR2) {
+            Exception cause = new RuntimeException("Keystore is not supported!");
+            throw new RuntimeException("Android version is too low", cause);
+        }
+        
+        try {
+            mKeyStore = KeyStore.getInstance(ANDROID_KEYSTORE_PROVIDER);
+            mKeyStore.load(null);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+        
+        initKeyStore();
+        
         if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
             try {
                 mFingerprintManager = (FingerprintManager) reactContext.getSystemService(Context.FINGERPRINT_SERVICE);
+                initFingerprintKeyStore();
             } catch (Exception e) {
                 Log.d("RNSensitiveInfo", "Fingerprint not supported");
             }
-            initKeyStore();
         }
     }
 
@@ -162,7 +185,7 @@ public void setItem(String key, String value, ReadableMap options, Promise pm) {
                 putExtra(key, encrypt(value), prefs(name));
                 pm.resolve(value);
             } catch (Exception e) {
-                Log.d("RNSensitiveInfo", e.getCause().getMessage());
+                e.printStackTrace();
                 pm.reject(e);
             }
         }
@@ -227,40 +250,61 @@ private void putExtra(String key, String value, SharedPreferences mSharedPrefere
         SharedPreferences.Editor editor = mSharedPreferences.edit();
         editor.putString(key, value).apply();
     }
-
+    
     /**
-     * Generates a new AES key and stores it under the { @code KEY_ALIAS_AES } in the
+     * Generates a new AES key and stores it under the { @code KEY_ALIAS } in the
      * Android Keystore.
      */
     private void initKeyStore() {
         try {
-            mKeyStore = KeyStore.getInstance(ANDROID_KEYSTORE_PROVIDER);
-            mKeyStore.load(null);
-
-            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M && !mKeyStore.containsAlias(KEY_ALIAS)) {
-                KeyGenerator keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE_PROVIDER);
-                keyGenerator.init(
-                        new KeyGenParameterSpec.Builder(KEY_ALIAS,
-                                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
-                                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
-                                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
-                                .setRandomizedEncryptionRequired(false)
-                                .build());
-                keyGenerator.generateKey();
+            if (!mKeyStore.containsAlias(KEY_ALIAS)) {
+                if(Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
+                    KeyGenerator keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, ANDROID_KEYSTORE_PROVIDER);
+                    keyGenerator.init(
+                            new KeyGenParameterSpec.Builder(KEY_ALIAS,
+                                    KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
+                                    .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
+                                    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
+                                    .setRandomizedEncryptionRequired(false)
+                                    .build());
+                    keyGenerator.generateKey();
+                } else {
+                    Calendar notBefore = Calendar.getInstance();
+                    Calendar notAfter = Calendar.getInstance();
+                    notAfter.add(Calendar.YEAR, 10);
+                    KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(getReactApplicationContext())
+                    .setAlias(KEY_ALIAS)
+                    .setSubject(new X500Principal("CN=" + KEY_ALIAS))
+                    .setSerialNumber(BigInteger.valueOf(1337))
+                    .setStartDate(notBefore.getTime())
+                    .setEndDate(notAfter.getTime())
+                    .build();
+                    KeyPairGenerator kpGenerator = KeyPairGenerator.getInstance("RSA", ANDROID_KEYSTORE_PROVIDER);   
+                    kpGenerator.initialize(spec);
+                    kpGenerator.generateKeyPair();
+                }
             }
-            
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+
+    /**
+     * Generates a new AES key and stores it under the { @code KEY_ALIAS_AES } in the
+     * Android Keystore.
+     */
+    private void initFingerprintKeyStore() {
+        try {
             // Check if a generated key exists under the KEY_ALIAS_AES .
             if (!mKeyStore.containsAlias(KEY_ALIAS_AES)) {
                 prepareKey();
             }
         } catch (Exception e) {
+            e.printStackTrace();
         }
     }
 
     private void prepareKey() throws Exception {
-        if (android.os.Build.VERSION.SDK_INT < android.os.Build.VERSION_CODES.M) {
-            return;
-        }
 
         KeyGenerator keyGenerator = KeyGenerator.getInstance(
                 KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE_PROVIDER);
@@ -497,17 +541,17 @@ public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult re
     }
 
     public String encrypt(String input) throws Exception {
-        
-        Key secretKey = ((KeyStore.SecretKeyEntry) mKeyStore.getEntry(KEY_ALIAS, null)).getSecretKey();
         byte[] bytes = input.getBytes();
 
         Cipher c;
         if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
+            Key secretKey = ((KeyStore.SecretKeyEntry) mKeyStore.getEntry(KEY_ALIAS, null)).getSecretKey();
             c = Cipher.getInstance(AES_GCM);
             c.init(Cipher.ENCRYPT_MODE, secretKey, new GCMParameterSpec(128, FIXED_IV));
         } else {
-            c = Cipher.getInstance(AES_ECB, "BC");
-            c.init(Cipher.ENCRYPT_MODE, secretKey);
+            PublicKey publicKey = ((KeyStore.PrivateKeyEntry)mKeyStore.getEntry(KEY_ALIAS, null)).getCertificate().getPublicKey();
+            c = Cipher.getInstance(RSA_ECB);
+            c.init(Cipher.ENCRYPT_MODE, publicKey);
         }
         byte[] encodedBytes = c.doFinal(bytes);
         String encryptedBase64Encoded = Base64.encodeToString(encodedBytes, Base64.DEFAULT);
@@ -522,14 +566,15 @@ public String decrypt(String encrypted) throws Exception {
         }
 
         Cipher c;
-        Key secretKey = ((KeyStore.SecretKeyEntry) mKeyStore.getEntry(KEY_ALIAS, null)).getSecretKey();
 
         if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
+            Key secretKey = ((KeyStore.SecretKeyEntry) mKeyStore.getEntry(KEY_ALIAS, null)).getSecretKey();
             c = Cipher.getInstance(AES_GCM);
             c.init(Cipher.DECRYPT_MODE, secretKey, new GCMParameterSpec(128, FIXED_IV));
         } else {
-            c = Cipher.getInstance(AES_ECB, "BC");
-            c.init(Cipher.DECRYPT_MODE, secretKey);
+            PrivateKey privateKey = ((KeyStore.PrivateKeyEntry)mKeyStore.getEntry(KEY_ALIAS, null)).getPrivateKey();
+            c = Cipher.getInstance(RSA_ECB);
+            c.init(Cipher.DECRYPT_MODE, privateKey);
         }
         byte[] decodedBytes = c.doFinal(Base64.decode(encrypted, Base64.DEFAULT));
         return new String(decodedBytes);