Fix package and path issue

Author: haldarmahesh

CHANGELOG.md

@@ -1,3 +1,5 @@
-## 0.0.1
+## 1.0.0
 
-* TODO: Describe initial release.
+* The first version of flutter_key_cyptography is a basic key store crypto plugin. 
+* This exposes 3 functions `getPublicKey`, `sign` & `verify`.
+* The key is RSA type, SHA256withRSA algorith and 2048 bit size only.

android/src/main/kotlin/com/plugin/flutter/cryptography/key_store/CallMethodTypeEnum.kt

@@ -0,0 +1,7 @@
+package com.plugin.flutter.cryptography.key_store
+
+enum class CallMethodTypeEnum {
+    getPublicKey,
+    encrypt,
+    verify
+}

android/src/main/kotlin/com/plugin/flutter/cryptography/key_store/CipherImplementation.kt

@@ -0,0 +1,117 @@
+
+package com.plugin.flutter.cryptography.key_store
+
+import android.content.Context
+import android.content.SharedPreferences
+import android.util.Base64
+import java.nio.charset.Charset
+import java.security.Key
+import java.security.SecureRandom
+import javax.crypto.Cipher
+import javax.crypto.spec.IvParameterSpec
+import javax.crypto.spec.SecretKeySpec
+class CipherImplementation {
+
+    private val keyStoreCipher: KeyStoreImplementation
+    private val rsaImplementation: RsaImplementation
+
+    companion object {
+        private val ivSize = 16
+        private val keySize = 16
+        private const val AES_KEY_ALGORITHM = "AES"
+        private val cipher: Cipher = Cipher.getInstance("AES/CBC/PKCS7Padding")
+        private val secureRandom = SecureRandom()
+        private var secretKey: Key ? = null
+        private var aesKey: String ? = null
+        private lateinit var rsaPublicKey: String
+        private lateinit var rsaPrivateKey: String
+        private var sharedPreferenceName: String = "cipherImplementationKeystore"
+        private var SP_PUBLIC_KEY_NAME = "PUBLIC_KEY"
+        private var SP_PRIVATE_KEY_NAME = "PRIVATE_KEY"
+        private var SP_AES_KEY_NAME = "AES_KEY"
+    }
+
+    constructor(context: Context) {
+        keyStoreCipher = KeyStoreImplementation(context)
+        rsaImplementation = RsaImplementation()
+        var sharedPreference: SharedPreferences = context.getSharedPreferences(sharedPreferenceName, Context.MODE_PRIVATE)
+        val editor: SharedPreferences.Editor = sharedPreference.edit()
+
+        /// aes key is generated and stored in shared preference, this key is used to encrypt and decrypt
+        aesKey = sharedPreference.getString(SP_AES_KEY_NAME, null)
+        val rsaPublicKeyEncrypted = sharedPreference.getString(SP_PUBLIC_KEY_NAME, null)
+        val rsaPrivateKeyEncrypted = sharedPreference.getString(SP_PRIVATE_KEY_NAME, null)
+        if (aesKey != null) {
+            var encrypted: ByteArray
+            try {
+                encrypted = Base64.decode(aesKey, Base64.DEFAULT)
+                secretKey = keyStoreCipher.unwrap(encrypted, AES_KEY_ALGORITHM)
+                rsaPublicKey = decryptWithKeyStore(rsaPublicKeyEncrypted)
+                rsaPrivateKey = decryptWithKeyStore(rsaPrivateKeyEncrypted)
+                // if there is any expection in getting the keystore the exception is caught and
+                // new key sets are created
+                return
+            } catch (exception: Exception) {
+                encrypted = ByteArray(0)
+            }
+        }
+
+        val key = ByteArray(keySize)
+        secretKey = SecretKeySpec(key, AES_KEY_ALGORITHM)
+        val encryptedKey = keyStoreCipher.wrap(secretKey!!)
+        val keyPair = rsaImplementation.getRsaKeyPair()
+        secureRandom.nextBytes(key)
+
+        aesKey = Base64.encodeToString(encryptedKey, Base64.DEFAULT)
+        // this public and private key is generated to sign the data
+        // these keys are encrypted using the keystore and stored in shared preference
+        rsaPublicKey = encodeToBase64(keyPair.public.encoded)
+        rsaPrivateKey = encodeToBase64(keyPair.private.encoded)
+
+        editor.putString(SP_PUBLIC_KEY_NAME, encryptWithKeystore(rsaPublicKey))
+        editor.putString(SP_PRIVATE_KEY_NAME, encryptWithKeystore(rsaPrivateKey))
+        editor.putString(SP_AES_KEY_NAME, aesKey)
+        editor.commit()
+    }
+
+    private fun encodeToBase64(byteArray: ByteArray): String {
+        return Base64.encodeToString(byteArray, Base64.DEFAULT)
+    }
+
+    fun getPublicKey(): String {
+        return rsaPublicKey
+    }
+
+    fun encrypt(plainInput: String): String {
+        return rsaImplementation.sign(plainInput, rsaPrivateKey)
+    }
+
+    fun verify(plainText: String, signature: String): Boolean {
+        return rsaImplementation.verify(rsaPublicKey, plainText, signature)
+    }
+
+    private fun encryptWithKeystore(plainInput: String): String {
+        val inputByteArray = plainInput.toByteArray()
+        val iv = ByteArray(ivSize)
+        secureRandom.nextBytes(iv)
+        val ivParameterSpec = IvParameterSpec(iv)
+        cipher.init(Cipher.ENCRYPT_MODE, secretKey, ivParameterSpec)
+        val payload = cipher.doFinal(inputByteArray)
+        val combined = ByteArray(iv.size + payload.size)
+        System.arraycopy(iv, 0, combined, 0, iv.size)
+        System.arraycopy(payload, 0, combined, iv.size, payload.size)
+        return encodeToBase64(combined)
+    }
+
+    private fun decryptWithKeyStore(input: String): String {
+        val iv = ByteArray(ivSize)
+        val inputByteArray = Base64.decode(input, 0)
+        System.arraycopy(inputByteArray, 0, iv, 0, iv.size)
+        val ivParameterSpec = IvParameterSpec(iv)
+        val payloadSize = inputByteArray.size - ivSize
+        val payload = ByteArray(payloadSize)
+        System.arraycopy(inputByteArray, iv.size, payload, 0, payloadSize)
+        cipher.init(Cipher.DECRYPT_MODE, secretKey, ivParameterSpec)
+        return String(cipher.doFinal(payload), Charset.forName("UTF-8"))
+    }
+}

android/src/main/kotlin/com/plugin/flutter/cryptography/key_store/CipherPlugin.kt

@@ -0,0 +1,56 @@
+package com.plugin.flutter.cryptography.key_store
+
+import android.util.Log
+import androidx.annotation.NonNull
+import io.flutter.embedding.engine.plugins.FlutterPlugin
+import io.flutter.plugin.common.MethodCall
+import io.flutter.plugin.common.MethodChannel
+import io.flutter.plugin.common.MethodChannel.MethodCallHandler
+import io.flutter.plugin.common.MethodChannel.Result
+import io.flutter.plugin.common.PluginRegistry.Registrar
+
+/** CipherPlugin */
+public class CipherPlugin : FlutterPlugin, MethodCallHandler {
+
+  override fun onAttachedToEngine(@NonNull flutterPluginBinding: FlutterPlugin.FlutterPluginBinding) {
+    val channel = MethodChannel(flutterPluginBinding.getFlutterEngine().getDartExecutor(), "cipher")
+    channel.setMethodCallHandler(CipherPlugin())
+  }
+
+  // This static function is optional and equivalent to onAttachedToEngine. It supports the old
+  // pre-Flutter-1.12 Android projects. You are encouraged to continue supporting
+  // plugin registration via this function while apps migrate to use the new Android APIs
+  // post-flutter-1.12 via https://flutter.dev/go/android-project-migration.
+  //
+  // It is encouraged to share logic between onAttachedToEngine and registerWith to keep
+  // them functionally equivalent. Only one of onAttachedToEngine or registerWith will be called
+  // depending on the user's project. onAttachedToEngine or registerWith must both be defined
+  // in the same class.
+  companion object {
+    private lateinit var cipherImpl: CipherImplementation
+    @JvmStatic
+    fun registerWith(registrar: Registrar) {
+      val channel = MethodChannel(registrar.messenger(), "cipher")
+          cipherImpl = CipherImplementation(registrar.context())
+      channel.setMethodCallHandler(CipherPlugin())
+    }
+  }
+
+  override fun onMethodCall(@NonNull call: MethodCall, @NonNull result: Result) {
+    when(call.method) {
+      CallMethodTypeEnum.getPublicKey.name -> result.success(cipherImpl.getPublicKey())
+      CallMethodTypeEnum.encrypt.name -> result.success(cipherImpl.encrypt(call.arguments as String))
+      CallMethodTypeEnum.verify.name -> result.success(verify(call.arguments))
+      else -> result.notImplemented()
+    }
+  }
+
+  private fun verify(arguments: Any): Boolean {
+      val arguments: Map<String, String> = arguments as Map<String, String>
+      val plainText = arguments[VerifyArgumentsMapKeysEnum.plainText.name] as String
+      val signature = arguments[VerifyArgumentsMapKeysEnum.signature.name] as String
+      return cipherImpl.verify(plainText, signature)
+    }
+  override fun onDetachedFromEngine(@NonNull binding: FlutterPlugin.FlutterPluginBinding) {
+  }
+}

android/src/main/kotlin/com/plugin/flutter/cryptography/key_store/ExceptionMessage.kt

@@ -0,0 +1,13 @@
+package com.plugin.flutter.cryptography.key_store
+
+class ExceptionMessage {
+    companion object {
+        const val NO_ALGORITHM = "Could not reconstruct the public key, the given algorithm could not be found."
+        const val INVALID_KEY= "Could not reconstruct the public key"
+        const val CANNOT_CREATE_KEY = "Cannot create the keys"
+        const val CANNOT_CREATE_KEY_WITH_STRONGBOX = "Cannot create keys for Android v 28 and higher, when strongbox is not available"
+        const val NOT_PRIVATE_KEY = "Not an instance of private key"
+        const val KEY_NOT_FOUND = "No key found with defined alias"
+        const val CERTIFICATE_NOT_FOUND = "No certificate found with defined key alias"
+    }
+}

android/src/main/kotlin/com/plugin/flutter/cryptography/key_store/KeyStoreImplementation.kt

@@ -0,0 +1,169 @@
+package com.plugin.flutter.cryptography.key_store
+
+import android.annotation.TargetApi
+import android.content.Context
+import android.os.Build
+import android.security.KeyPairGeneratorSpec
+import android.security.keystore.KeyGenParameterSpec
+import android.security.keystore.KeyProperties
+import android.security.keystore.StrongBoxUnavailableException
+import java.math.BigInteger
+import java.security.*
+import java.security.spec.AlgorithmParameterSpec
+import java.util.*
+import javax.crypto.Cipher
+import javax.security.auth.x500.X500Principal
+
+class KeyStoreImplementation(context: Context) {
+    private val KEY_ALIAS: String
+    private val KEYSTORE_PROVIDER_ANDROID = "AndroidKeyStore"
+    private val TYPE_RSA = "RSA"
+    private val start = Calendar.getInstance()
+    private val end = Calendar.getInstance()
+
+    init {
+        end.add(Calendar.MONTH, 3) // TODO decide on validity
+        KEY_ALIAS = "get_package" + "com.plugin.flutter.cryptography.key_store"
+        createKeysIfNotExists(context)
+    }
+
+    private fun createKeysIfNotExists(context: Context) {
+        val keyStore: KeyStore = KeyStore.getInstance(KEYSTORE_PROVIDER_ANDROID)
+        keyStore.load(null)
+        val privateKey = keyStore.getKey(KEY_ALIAS, null)
+        // if the keys are not present in keystore then create a new pair
+        if (privateKey == null)
+            createKeys(context)
+    }
+
+    private fun createKeys(context: Context) {
+        val keyPairGenerator = KeyPairGenerator.getInstance(TYPE_RSA, KEYSTORE_PROVIDER_ANDROID)
+        val algorithmParameterSpec: AlgorithmParameterSpec = getAlgorithmSpec(context)
+
+        try {
+            initializeKeyPair(keyPairGenerator, algorithmParameterSpec)
+        } catch (exception: Exception) {
+            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P && exception is StrongBoxUnavailableException)
+                generateKeysForAndroidPWithoutStrongBox(keyPairGenerator)
+             else
+                throw Exception(ExceptionMessage.CANNOT_CREATE_KEY)
+        }
+    }
+
+    @TargetApi(Build.VERSION_CODES.P)
+    private fun generateKeysForAndroidPWithoutStrongBox(keyPairGenerator: KeyPairGenerator) {
+        try {
+            val algorithmParameterSpecWithoutStrongBox = keyPairBuilder().build()
+            initializeKeyPair(keyPairGenerator, algorithmParameterSpecWithoutStrongBox)
+        } catch (exception: Exception) {
+            throw Exception(ExceptionMessage.CANNOT_CREATE_KEY_WITH_STRONGBOX)
+        }
+    }
+
+    private fun initializeKeyPair(keyPairGenerator: KeyPairGenerator, algorithmParameterSpec: AlgorithmParameterSpec) {
+        keyPairGenerator.initialize(algorithmParameterSpec)
+        keyPairGenerator.generateKeyPair()
+    }
+
+    @TargetApi(Build.VERSION_CODES.P)
+    private fun keyPairBuilder(): KeyGenParameterSpec.Builder {
+
+    return KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_DECRYPT or KeyProperties.PURPOSE_ENCRYPT)
+                    .setCertificateSubject(X500Principal("CN=$KEY_ALIAS"))
+                    .setDigests(KeyProperties.DIGEST_SHA256)
+                    .setBlockModes(KeyProperties.BLOCK_MODE_ECB)
+                    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
+                    .setCertificateSerialNumber(BigInteger.valueOf(1))
+                    .setCertificateNotBefore(start.time)
+                    .setCertificateNotAfter(end.time)
+    }
+
+    @TargetApi(Build.VERSION_CODES.M)
+    private fun keyPairBuilderDeprecated(context: Context): KeyPairGeneratorSpec.Builder {
+        return KeyPairGeneratorSpec.Builder(context)
+                .setAlias(KEY_ALIAS)
+                .setSubject(X500Principal("CN=$KEY_ALIAS"))
+                .setSerialNumber(BigInteger.valueOf(1))
+                .setStartDate(start.time)
+                .setEndDate(end.time)
+    }
+
+    private fun getAlgorithmSpec(context: Context): AlgorithmParameterSpec {
+        val algorithmParameterSpec: AlgorithmParameterSpec
+        if (isAndroidBelowM()) {
+            algorithmParameterSpec = keyPairBuilderDeprecated(context).build()
+        } else {
+            val keyPairSpecBuilder = keyPairBuilder()
+            setStrongBox(keyPairSpecBuilder)
+            algorithmParameterSpec = keyPairSpecBuilder.build()
+        }
+
+        return algorithmParameterSpec
+    }
+    private fun setStrongBox(keyPairSpecBuilder: KeyGenParameterSpec.Builder) {
+        if (isAndroidIsGreaterThanEqualP()) {
+            keyPairSpecBuilder.setIsStrongBoxBacked(true)
+        }
+    }
+
+    private fun isAndroidBelowM(): Boolean {
+        return Build.VERSION.SDK_INT < Build.VERSION_CODES.M
+    }
+
+    private fun isAndroidIsGreaterThanEqualP(): Boolean {
+        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.P
+    }
+
+    private fun getPrivateKey(): PrivateKey {
+        val keyStore = KeyStore.getInstance(KEYSTORE_PROVIDER_ANDROID)
+        keyStore.load(null)
+        val key: Key = keyStore.getKey(KEY_ALIAS, null) ?: throw Exception(ExceptionMessage.KEY_NOT_FOUND)
+        if (key !is PrivateKey) {
+            throw Exception(ExceptionMessage.NOT_PRIVATE_KEY)
+        }
+        return key
+    }
+
+    fun getPublicKey(): PublicKey {
+        val keyStore = KeyStore.getInstance(KEYSTORE_PROVIDER_ANDROID)
+        keyStore.load(null)
+
+        val certificate = keyStore.getCertificate(KEY_ALIAS) ?: throw Exception(ExceptionMessage.CERTIFICATE_NOT_FOUND)
+        val publicKey: PublicKey
+        publicKey = certificate.getPublicKey()
+        return publicKey
+    }
+
+   fun wrap(key: Key): ByteArray {
+        val publicKey: PublicKey = getPublicKey()
+        val cipher = getRSACipher()
+        cipher.init(Cipher.WRAP_MODE, publicKey)
+        return cipher.wrap(key)
+    }
+
+    fun unwrap(wrappedKey: ByteArray, algorithm: String): Key {
+        val privateKey = getPrivateKey()
+        val cipher = getRSACipher()
+        cipher.init(Cipher.UNWRAP_MODE, privateKey)
+        return cipher.unwrap(wrappedKey, algorithm, Cipher.SECRET_KEY)
+    }
+    // todo with app pin creation
+    fun encrypt(input: String): ByteArray {
+        val byteArrayInput = input.toByteArray()
+        val publicKey = getPublicKey()
+        val cipher = getRSACipher()
+        cipher.init(Cipher.ENCRYPT_MODE, publicKey)
+        return cipher.doFinal(byteArrayInput)
+    }
+
+    @Throws(Exception::class)
+    private fun getRSACipher(): Cipher {
+        return if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
+            // error in android 6: InvalidKeyException: Need RSA private or public key
+            Cipher.getInstance("RSA/ECB/PKCS1Padding", "AndroidOpenSSL")
+        } else {
+            // error in android 5: NoSuchProviderException: Provider not available: AndroidKeyStoreBCWorkaround
+            Cipher.getInstance("RSA/ECB/PKCS1Padding", "AndroidKeyStoreBCWorkaround")
+        }
+    }
+}