Fix/hardware crypto context logic (#425)

* fix: hardware crypto context logic

* fix: hardware crypto context logic

* fix: remove useless log

* fix: hardware key problem

* feat: final safety checks for hardware keys

---------

Co-authored-by: Merul Dhiman <[email protected]>

Author: sosweetham

infrastructure/eid-wallet/src-tauri/gen/android/.idea/deviceManager.xml

@@ -15,17 +15,17 @@ export class KeyManagerFactory {
      * Get a key manager instance based on the configuration
      */
     static async getKeyManager(config: KeyManagerConfig): Promise<KeyManager> {
-        // If explicitly requesting hardware and not in pre-verification mode
-        if (config.useHardware && !config.preVerificationMode) {
-            return KeyManagerFactory.getHardwareKeyManager();
-        }
-
-        // If in pre-verification mode, always use software keys
+        // If in pre-verification mode, ALWAYS use software keys (never hardware)
         if (config.preVerificationMode) {
             console.log("Using software key manager for pre-verification mode");
             return KeyManagerFactory.getSoftwareKeyManager();
         }
 
+        // If explicitly requesting hardware and not in pre-verification mode
+        if (config.useHardware) {
+            return KeyManagerFactory.getHardwareKeyManager();
+        }
+
         // Default behavior: try hardware first, fallback to software
         try {
             const hardwareManager = KeyManagerFactory.getHardwareKeyManager();
@@ -82,11 +82,18 @@ export class KeyManagerFactory {
     static async getKeyManagerForContext(
         keyId: string,
         context: "onboarding" | "signing" | "verification" | "pre-verification",
+        isFake: boolean,
     ): Promise<KeyManager> {
+        // Pre-verification users (isFake=true) or pre-verification context should NEVER use hardware
+        const shouldUseHardware =
+            !isFake &&
+            context !== "pre-verification" &&
+            (await KeyManagerFactory.isHardwareAvailable());
+
         const config: KeyManagerConfig = {
             keyId,
-            useHardware: context !== "pre-verification",
-            preVerificationMode: context === "pre-verification",
+            useHardware: shouldUseHardware,
+            preVerificationMode: context === "pre-verification" || isFake,
         };
 
         return KeyManagerFactory.getKeyManager(config);

infrastructure/eid-wallet/src/lib/crypto/KeyManagerFactory.ts

@@ -1,6 +1,7 @@
 import { KeyManagerFactory } from "$lib/crypto";
 import type { KeyManager } from "$lib/crypto";
 import type { Store } from "@tauri-apps/plugin-store";
+import type { UserController } from "./user";
 
 export type KeyServiceContext =
     | "onboarding"
@@ -67,20 +68,50 @@ export class KeyService {
             const cachedManager = this.#managerCache.get(cacheKey);
             if (cachedManager) {
                 await this.#touchContext(cacheKey, cachedManager);
-                return cachedManager;
+                // If user is pre-verification, ensure we're using software keys
+                const isFake = await this.#isPreVerificationUser();
+                if (isFake && cachedManager.getType() === "hardware") {
+                    // Force software keys for pre-verification users
+                    this.#managerCache.delete(cacheKey);
+                } else {
+                    return cachedManager;
+                }
             }
             this.#managerCache.delete(cacheKey);
         }
 
+        const isFake = await this.#isPreVerificationUser();
+        // Force pre-verification mode if user is fake/pre-verification
+        const effectiveContext = isFake ? "pre-verification" : context;
         const manager = await KeyManagerFactory.getKeyManagerForContext(
             keyId,
-            context,
+            effectiveContext,
+            isFake ?? false,
         );
         this.#managerCache.set(cacheKey, manager);
         await this.#persistContext(cacheKey, manager, keyId, context);
         return manager;
     }
 
+    /**
+     * Check if the current user is a pre-verification (demo) user
+     */
+    async #isPreVerificationUser(): Promise<boolean> {
+        const isFake = await this.#store
+            .get<boolean>("fake")
+            .then((f) => {
+                if (!f) {
+                    return false;
+                }
+                return f;
+            })
+            .catch((error) => {
+                console.error("Failed to get fake:", error);
+                return false;
+            });
+        return isFake;
+    }
+
     async ensureKey(
         keyId: string,
         context: KeyServiceContext,

infrastructure/eid-wallet/src/lib/global/controllers/key.ts

@@ -23,12 +23,59 @@ let verificationId = $state("");
 let demoName = $state("");
 let verificationSuccess = $state(false);
 let keyManager: KeyManager | null = $state(null);
+let showHardwareError = $state(false);
+let checkingHardware = $state(false);
 const KEY_ID = "default";
 
 const handleGetStarted = async () => {
-    //get started functionality
     isPaneOpen = true;
     preVerified = false;
+    checkingHardware = true;
+    showHardwareError = false;
+    error = null;
+
+    try {
+        if (!globalState) {
+            globalState = getContext<() => GlobalState>("globalState")();
+        }
+
+        // Actually try to generate a test hardware key
+        const testKeyId = `hardware-test-${Date.now()}`;
+        console.log(
+            "Testing hardware key generation with test key:",
+            testKeyId,
+        );
+
+        try {
+            const { manager, created } = await globalState.keyService.ensureKey(
+                testKeyId,
+                "onboarding",
+            );
+            console.log(
+                "Test key result - Manager type:",
+                manager.getType(),
+                "Created:",
+                created,
+            );
+
+            // Check if we got hardware manager and it actually created a key
+            if (manager.getType() !== "hardware") {
+                throw new Error("Got software fallback instead of hardware");
+            }
+
+            // Hardware works! Clean up test key and proceed
+            console.log("Hardware keys are working");
+            checkingHardware = false;
+        } catch (keyError) {
+            console.error("Hardware key test failed:", keyError);
+            showHardwareError = true;
+            checkingHardware = false;
+        }
+    } catch (err) {
+        console.error("Error checking hardware:", err);
+        showHardwareError = true;
+        checkingHardware = false;
+    }
 };
 
 const handlePreVerified = () => {
@@ -104,8 +151,24 @@ async function getApplicationPublicKey() {
 }
 
 const handleNext = async () => {
-    //handle next functionlity
-    goto("/verify");
+    // Initialize keys for onboarding context before going to verify
+    try {
+        loading = true;
+        if (!globalState) {
+            globalState = getContext<() => GlobalState>("globalState")();
+        }
+        await initializeKeyManager();
+        await ensureKeyForContext();
+        loading = false;
+        goto("/verify");
+    } catch (err) {
+        console.error("Failed to initialize keys for onboarding:", err);
+        error = "Failed to initialize security keys. Please try again.";
+        loading = false;
+        setTimeout(() => {
+            error = null;
+        }, 5000);
+    }
 };
 
 let globalState: GlobalState;
@@ -239,9 +302,13 @@ onMount(async () => {
             >
         </p>
         <div class="flex justify-center whitespace-nowrap mt-1">
-            <ButtonAction class="w-full" callback={handleGetStarted}
-                >Get Started</ButtonAction
+            <ButtonAction 
+                class="w-full" 
+                callback={handleGetStarted}
+                disabled={checkingHardware}
             >
+                {checkingHardware ? "Checking device..." : "Get Started"}
+            </ButtonAction>
         </div>
 
         <p class="mt-2 text-center">
@@ -304,20 +371,63 @@ onMount(async () => {
             </div>
         {/if}
     {:else}
-        <h4 class="mt-[2.3svh] mb-[0.5svh]">
-            Your Digital Self begins with the Real You
-        </h4>
-        <p class="text-black-700">
-            In the Web 3.0 Data Space, identity is linked to reality. We begin
-            by verifying your real-world passport, which serves as the
-            foundation for issuing your secure ePassport. At the same time, we
-            generate your eName – a unique digital identifier – and create your
-            eVault to store and protect your personal data.
-        </p>
-        <div class="flex justify-center whitespace-nowrap my-[2.3svh]">
-            <ButtonAction class="w-full" callback={handleNext}
-                >Next</ButtonAction
-            >
-        </div>
+        {#if checkingHardware}
+            <div class="my-20">
+                <div
+                    class="align-center flex w-full flex-col items-center justify-center gap-6"
+                >
+                    <Shadow size={40} color="rgb(142, 82, 255);" />
+                    <h4>Checking device capabilities...</h4>
+                </div>
+            </div>
+        {:else if showHardwareError}
+            <h4 class="mt-[2.3svh] mb-[0.5svh] text-red-600">
+                Hardware Security Not Available
+            </h4>
+            <p class="text-black-700 mb-4">
+                Your phone doesn't support hardware crypto keys, which is a requirement for verified IDs.
+            </p>
+            <p class="text-black-700 mb-4">
+                Please use the pre-verification code option to create a demo account instead.
+            </p>
+            <div class="flex justify-center whitespace-nowrap my-[2.3svh]">
+                <ButtonAction 
+                    class="w-full" 
+                    callback={() => {
+                        isPaneOpen = false;
+                        handlePreVerified();
+                    }}
+                >
+                    Use Pre-Verification Code
+                </ButtonAction>
+            </div>
+        {:else}
+            {#if loading}
+                <div class="my-20">
+                    <div
+                        class="align-center flex w-full flex-col items-center justify-center gap-6"
+                    >
+                        <Shadow size={40} color="rgb(142, 82, 255);" />
+                        <h4>Initializing security keys...</h4>
+                    </div>
+                </div>
+            {:else}
+                <h4 class="mt-[2.3svh] mb-[0.5svh]">
+                    Your Digital Self begins with the Real You
+                </h4>
+                <p class="text-black-700">
+                    In the Web 3.0 Data Space, identity is linked to reality. We begin
+                    by verifying your real-world passport, which serves as the
+                    foundation for issuing your secure ePassport. At the same time, we
+                    generate your eName – a unique digital identifier – and create your
+                    eVault to store and protect your personal data.
+                </p>
+                <div class="flex justify-center whitespace-nowrap my-[2.3svh]">
+                    <ButtonAction class="w-full" callback={handleNext}
+                        >Next</ButtonAction
+                    >
+                </div>
+            {/if}
+        {/if}
     {/if}
 </Drawer>

infrastructure/eid-wallet/src/routes/(auth)/onboarding/+page.svelte

@@ -109,12 +109,41 @@ let hardwareKeyCheckComplete = $state(false);
 const KEY_ID = "default";
 
 async function handleVerification() {
-    const { data } = await axios.post(
-        new URL("/verification", PUBLIC_PROVISIONER_URL).toString(),
-    );
-    verificaitonId.set(data.id);
-    showVeriffModal = true;
-    watchEventStream(data.id);
+    try {
+        // Ensure keys are initialized before starting verification
+        if (!keyManager) {
+            try {
+                await initializeKeyManager();
+                await ensureKeyForVerification();
+            } catch (keyError) {
+                console.error("Failed to initialize keys:", keyError);
+                // If key initialization fails, go back to onboarding
+                await goto("/onboarding");
+                return;
+            }
+        }
+
+        const { data } = await axios.post(
+            new URL("/verification", PUBLIC_PROVISIONER_URL).toString(),
+        );
+        verificaitonId.set(data.id);
+        showVeriffModal = true;
+        watchEventStream(data.id);
+    } catch (error) {
+        console.error("Failed to start verification:", error);
+        // If verification fails due to key issues or any initialization error, go back to onboarding
+        const errorMessage =
+            error instanceof Error
+                ? error.message.toLowerCase()
+                : String(error).toLowerCase();
+        if (
+            errorMessage.includes("key") ||
+            errorMessage.includes("initialize") ||
+            errorMessage.includes("manager")
+        ) {
+            await goto("/onboarding");
+        }
+    }
 }
 
 function watchEventStream(id: string) {
@@ -227,9 +256,23 @@ onMount(async () => {
     // Check hardware key support first
     await checkHardwareKeySupport();
 
+    // If hardware is not available, redirect back to onboarding
+    if (!hardwareKeySupported) {
+        console.log("Hardware not available, redirecting to onboarding");
+        await goto("/onboarding");
+        return;
+    }
+
     // Initialize key manager and check if default key pair exists
-    await initializeKeyManager();
-    await ensureKeyForVerification();
+    try {
+        await initializeKeyManager();
+        await ensureKeyForVerification();
+    } catch (error) {
+        console.error("Failed to initialize keys for verification:", error);
+        // If key initialization fails, redirect back to onboarding
+        await goto("/onboarding");
+        return;
+    }
 
     handleContinue = async () => {
         if ($status !== "approved" && $status !== "duplicate")