Merge pull request #14 from OutSystems/fix/RMET-1182/cipher-database-errors

RMET-1182 ::: Fix - Ciphered Database Errors

Author: CarlsCorrea

CHANGELOG

@@ -1,6 +1,12 @@
 Changelog
 =========
 
+2.6.8-OS11 - 2022-04-12
+------------------
+
+- Fix: Fix for the error messages: Keystore operation failed, User not authenticated, Key not yet valid. (RMET-1182)
+
+
 2.6.8-OS9 - 2022-01-28
 ------------------
 

src/android/RSA.java

@@ -5,8 +5,10 @@
 import android.security.KeyPairGeneratorSpec;
 import android.security.keystore.KeyGenParameterSpec;
 import android.security.keystore.KeyInfo;
+import android.security.keystore.KeyNotYetValidException;
 import android.security.keystore.KeyPermanentlyInvalidatedException;
 import android.security.keystore.KeyProperties;
+import android.security.keystore.UserNotAuthenticatedException;
 import android.util.Log;
 
 import java.math.BigInteger;
@@ -44,17 +46,12 @@ public static byte[] decrypt(byte[] encrypted, String alias) throws Exception {
 
 	public static void createKeyPair(Context ctx, String alias) throws Exception {
 		synchronized (LOCK) {
-			Calendar notBefore = Calendar.getInstance();
 
-			//this back dates the date of the key in order to avoid some timezone issues found during use with some devices
-			notBefore.add(Calendar.HOUR_OF_DAY, -26);
-			Calendar notAfter = Calendar.getInstance();
-			notAfter.add(Calendar.YEAR, 100);
 			String principalString = String.format("CN=%s, OU=%s", alias, ctx.getPackageName());
 
-			if(Build.VERSION.SDK_INT > Build.VERSION_CODES.M){
+			if(Build.VERSION.SDK_INT > Build.VERSION_CODES.M) {
 				KeyPairGenerator generator = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, KEYSTORE_PROVIDER);
-				KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_DECRYPT)
+				KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_DECRYPT | KeyProperties.PURPOSE_ENCRYPT)
 						.setUserAuthenticationRequired(true)
 						//the value used for the validity is 31 days a big number to ensure the keys are always usable after a authentication done by the user
 						.setUserAuthenticationValidityDurationSeconds(60*60*24*31)
@@ -64,11 +61,7 @@ public static void createKeyPair(Context ctx, String alias) throws Exception {
 						.setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512)
 						.setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
 						.setRandomizedEncryptionRequired(true)
-						.setKeyValidityStart(notBefore.getTime())
-						.setKeyValidityEnd(notAfter.getTime());
-				if(Build.VERSION.SDK_INT >= Build.VERSION_CODES.N){
-					builder.setInvalidatedByBiometricEnrollment(false);
-				}
+					    .setInvalidatedByBiometricEnrollment(false);
 				KeyGenParameterSpec spec = builder.build();
 				generator.initialize(spec);
 				generator.generateKeyPair();
@@ -80,8 +73,6 @@ public static void createKeyPair(Context ctx, String alias) throws Exception {
 						.setAlias(alias)
 						.setSubject(new X500Principal(principalString))
 						.setSerialNumber(BigInteger.ONE)
-						.setStartDate(notBefore.getTime())
-						.setEndDate(notAfter.getTime())
 						.setEncryptionRequired()
 						.setKeySize(2048)
 						.setKeyType("RSA")
@@ -90,8 +81,6 @@ public static void createKeyPair(Context ctx, String alias) throws Exception {
 				kpGenerator.initialize(spec);
 				kpGenerator.generateKeyPair();
 			}
-
-
 		}
 	}
 
@@ -121,7 +110,7 @@ private static void initCipher(Cipher cipher, int cipherMode, String alias) thro
 		}
 	}
 
-	public static boolean isEntryAvailable(String alias) {
+	public static boolean isEntryAvailable(String alias) throws UserNotAuthenticatedException {
 		KeyStore.PrivateKeyEntry entry;
 
 		synchronized (LOCK) {
@@ -141,6 +130,10 @@ public static boolean isEntryAvailable(String alias) {
 			initCipher(tempCipher, Cipher.ENCRYPT_MODE, alias);
 			initCipher(tempCipher, Cipher.DECRYPT_MODE, alias);
 			return true; // Key is usable
+		} catch (UserNotAuthenticatedException e) {
+			throw e;
+		} catch (KeyNotYetValidException e) {
+			return false;
 		} catch (KeyPermanentlyInvalidatedException e) {
 			// Key is never usable again, so might as well consider it's not available
 			// This will let a new one be used in its place

src/android/SecureStorage.java

@@ -217,20 +217,27 @@ private boolean init(CordovaArgs args, CallbackContext callbackContext) throws J
             }
         }
 
+        try {
 
-        if (!isDeviceSecure()) {
-            // Lock screen that requires authentication is not defined
-            Log.e(TAG, MSG_DEVICE_NOT_SECURE);
-            callbackContext.error(MSG_DEVICE_NOT_SECURE);
+            if (!isDeviceSecure()) {
+                // Lock screen that requires authentication is not defined
+                Log.e(TAG, MSG_DEVICE_NOT_SECURE);
+                callbackContext.error(MSG_DEVICE_NOT_SECURE);
 
-        } else if (!RSA.isEntryAvailable(alias)) {
-            // Key for alias does not exist
-            handleLockScreen(IntentRequestType.INIT, service, callbackContext);
+            } else if (!RSA.isEntryAvailable(alias)) {
+                // Key for alias does not exist
+                handleLockScreen(IntentRequestType.INIT, service, callbackContext);
 
-        } else {
-            // No actions are required to init correctly
-            initSuccess(callbackContext);
+            } else {
+                // No actions are required to init correctly
+                initSuccess(callbackContext);
+            }
+
+        } catch (UserNotAuthenticatedException e) {
+            //
+            handleLockScreen(IntentRequestType.INIT, service, callbackContext);
         }
+
         return true;
     }
 
@@ -597,11 +604,17 @@ public void run() {
                         Log.v(TAG, "Completed request is of init action");
 
                         String alias = service2alias(service);
-                        if (!RSA.isEntryAvailable(alias)) {
-                            //Solves Issue #96. The RSA key may have been deleted by changing the lock type.
-                            getStorage(service).clear();
-                            RSA.createKeyPair(getContext(), alias);
+
+                        try {
+                            if (!RSA.isEntryAvailable(alias)) {
+                                //Solves Issue #96. The RSA key may have been deleted by changing the lock type.
+                                getStorage(service).clear();
+                                RSA.createKeyPair(getContext(), alias);
+                            }
+                        } catch (UserNotAuthenticatedException e) {
+                            Log.v(TAG, "Authentication validity expired, request a new login.");
                         }
+
                     }
 
                     Log.v(TAG, "init returned success");