feat: improve error handling (#762)

* Added error code constants for both platforms.

* Enhanced exception to support error codes
- Added additional overloads to simplify usage.
- Removed need for reThrowOnError (and "Wrapped error: " prefix).

* Removed instances of overwriting the real error.

* Applied correct error codes.

* Added mapping of various BiometricPrompt error codes.

* Added some consistency with Android when an unknown error occurs.

* Removed E_SUPPORTED_BIOMETRY_ERROR error code.

* Renamed CryptoFailedException to KeychainException.

* Made default error code E_UNKNOWN_ERROR.

* Removed CRYPTO_FAILED error code.

* Removed INTERNAL_ERROR error code.

* Improved error code mapping.

* Removed need for E_KEYCHAIN_DUPLICATE_ITEM.

* Removed E_INTERACTIVE_MODE_UNAVAILABLE error.

* Removed KEYCHAIN_INTERACTION_NOT_ALLOWED to IOS_INTERACTION_NOT_ALLOWED.

* Split up some biometric error codes.

* Consolidated error info.

* Removed unnecessary cases.

* Fixed case where rejectWithError could be called with no error.

* Fixed use of wrong error.

* Simplified logic.

* Added support for mapping LocalAuthentication errors.

* Omit extra iOS cancel code until further investigation.

* Moved to generic canceled error code.

* Improved function name.

* Avoid defaulting to unknown errors.

* Correct error code and formatting.

* Fixed mapping of unhandled LA error codes.

* Consolidated E_AUTH_UNKNOWN_ERROR & E_AUTH_FAILED into E_AUTH_ERROR (renamed from E_BIOMETRIC_ERROR).

* Aligned TS enums.

* Default to E_INTERNAL_ERROR when custom errors are thrown.

* More improvements to error codes.

* Removed need for ANDROID_USER_NOT_AUTHENTICATED.

* Refactored & aligned error codes.

* Removed need for E_BIOMETRIC_INSUFFICIENT_SPACE and BIOMETRIC_UNABLE_TO_PROCESS.

* Improved error code names.

* Improved message.

* Fixed iOS build errors.

* Removed AUTH_PERMISSION_DENIED.

* Aligned format of error messages.

* Renamed enum to ERROR_CODE.

* Removed reformatting of unknown errors.

* Consolidated configuration errors.

* Renamed KEY_PERMANENTLY_INVALIDATED to AUTH_INVALIDATED.

* Minor refactor.

* Consolidated E_UNKNOWN_ERROR into E_INTERNAL_ERROR.

* Fixed logic when can't authenticate.

* Wrapped error messages.

* Added documentation alongside error codes.

* Fixed build error.

Author: lewie9021

android/src/main/java/com/oblador/keychain/KeychainModule.kt

@@ -22,7 +22,7 @@ import com.oblador.keychain.cipherStorage.CipherStorageKeystoreAesGcm
 import com.oblador.keychain.cipherStorage.CipherStorageKeystoreRsaEcb
 import com.oblador.keychain.resultHandler.ResultHandler
 import com.oblador.keychain.resultHandler.ResultHandlerProvider
-import com.oblador.keychain.exceptions.CryptoFailedException
+import com.oblador.keychain.exceptions.KeychainException
 import com.oblador.keychain.exceptions.EmptyParameterException
 import com.oblador.keychain.exceptions.KeyStoreAccessException
 import kotlinx.coroutines.CoroutineScope
@@ -92,13 +92,23 @@ class KeychainModule(reactContext: ReactApplicationContext) :
   /** Known error codes. */
   internal annotation class Errors {
     companion object {
-      const val E_EMPTY_PARAMETERS = "E_EMPTY_PARAMETERS"
-      const val E_CRYPTO_FAILED = "E_CRYPTO_FAILED"
-      const val E_KEYSTORE_ACCESS_ERROR = "E_KEYSTORE_ACCESS_ERROR"
-      const val E_SUPPORTED_BIOMETRY_ERROR = "E_SUPPORTED_BIOMETRY_ERROR"
-
-      /** Raised for unexpected errors. */
-      const val E_UNKNOWN_ERROR = "E_UNKNOWN_ERROR"
+      // Authentication errors
+      const val E_PASSCODE_NOT_SET = "E_PASSCODE_NOT_SET"
+      const val E_BIOMETRIC_NOT_ENROLLED = "E_BIOMETRIC_NOT_ENROLLED"
+      const val E_BIOMETRIC_TIMEOUT = "E_BIOMETRIC_TIMEOUT"
+      const val E_BIOMETRIC_LOCKOUT = "E_BIOMETRIC_LOCKOUT"
+      const val E_BIOMETRIC_LOCKOUT_PERMANENT = "E_BIOMETRIC_LOCKOUT_PERMANENT"
+      const val E_BIOMETRIC_TEMPORARILY_UNAVAILABLE = "E_BIOMETRIC_TEMPORARILY_UNAVAILABLE"
+      const val E_BIOMETRIC_UNAVAILABLE = "E_BIOMETRIC_UNAVAILABLE"
+      const val E_BIOMETRIC_VENDOR_ERROR = "E_BIOMETRIC_VENDOR_ERROR"
+      const val E_AUTH_INVALIDATED = "E_AUTH_INVALIDATED"
+      const val E_AUTH_CANCELED = "E_AUTH_CANCELED"
+      const val E_AUTH_ERROR = "E_AUTH_ERROR"
+
+      // Misc errors
+      const val E_INVALID_PARAMETERS = "E_INVALID_PARAMETERS"
+      const val E_STORAGE_ACCESS_ERROR = "E_STORAGE_ACCESS_ERROR"
+      const val E_INTERNAL_ERROR = "E_INTERNAL_ERROR"
     }
   }
 
@@ -200,13 +210,13 @@ class KeychainModule(reactContext: ReactApplicationContext) :
           promise.resolve(results)
         } catch (e: EmptyParameterException) {
           Log.e(KEYCHAIN_MODULE, e.message, e)
-          promise.reject(Errors.E_EMPTY_PARAMETERS, e)
-        } catch (e: CryptoFailedException) {
+          promise.reject(Errors.E_INVALID_PARAMETERS, e)
+        } catch (e: KeychainException) {
           Log.e(KEYCHAIN_MODULE, e.message, e)
-          promise.reject(Errors.E_CRYPTO_FAILED, e)
+          promise.reject(e.errorCode, e)
         } catch (fail: Throwable) {
           Log.e(KEYCHAIN_MODULE, fail.message, fail)
-          promise.reject(Errors.E_UNKNOWN_ERROR, fail)
+          promise.reject(Errors.E_INTERNAL_ERROR, fail)
         }
       }
     }
@@ -224,7 +234,7 @@ class KeychainModule(reactContext: ReactApplicationContext) :
   }
 
   /** Get Cipher storage instance based on user provided options. */
-  @Throws(CryptoFailedException::class)
+  @Throws(KeychainException::class)
   private fun getSelectedStorage(options: ReadableMap?): CipherStorage {
     val accessControl = getAccessControlOrDefault(options)
     val useBiometry = getUseBiometry(accessControl)
@@ -269,13 +279,13 @@ class KeychainModule(reactContext: ReactApplicationContext) :
           promise.resolve(credentials)
         } catch (e: KeyStoreAccessException) {
           Log.e(KEYCHAIN_MODULE, e.message!!)
-          promise.reject(Errors.E_KEYSTORE_ACCESS_ERROR, e)
-        } catch (e: CryptoFailedException) {
+          promise.reject(Errors.E_STORAGE_ACCESS_ERROR, e)
+        } catch (e: KeychainException) {
           Log.e(KEYCHAIN_MODULE, e.message!!)
-          promise.reject(Errors.E_CRYPTO_FAILED, e)
+          promise.reject(e.errorCode, e)
         } catch (fail: Throwable) {
           Log.e(KEYCHAIN_MODULE, fail.message, fail)
-          promise.reject(Errors.E_UNKNOWN_ERROR, fail)
+          promise.reject(Errors.E_INTERNAL_ERROR, fail)
         }
       }
     }
@@ -287,7 +297,7 @@ class KeychainModule(reactContext: ReactApplicationContext) :
       val services = doGetAllGenericPasswordServices()
       promise.resolve(Arguments.makeNativeArray<Any>(services.toTypedArray()))
     } catch (e: KeyStoreAccessException) {
-      promise.reject(Errors.E_KEYSTORE_ACCESS_ERROR, e)
+      promise.reject(Errors.E_STORAGE_ACCESS_ERROR, e)
     }
   }
 
@@ -329,10 +339,10 @@ class KeychainModule(reactContext: ReactApplicationContext) :
       promise.resolve(true)
     } catch (e: KeyStoreAccessException) {
       Log.e(KEYCHAIN_MODULE, e.message!!)
-      promise.reject(Errors.E_KEYSTORE_ACCESS_ERROR, e)
+      promise.reject(Errors.E_STORAGE_ACCESS_ERROR, e)
     } catch (fail: Throwable) {
       Log.e(KEYCHAIN_MODULE, fail.message, fail)
-      promise.reject(Errors.E_UNKNOWN_ERROR, fail)
+      promise.reject(Errors.E_INTERNAL_ERROR, fail)
     }
   }
 
@@ -397,7 +407,7 @@ class KeychainModule(reactContext: ReactApplicationContext) :
       promise.resolve(reply)
     } catch (fail: Throwable) {
       Log.e(KEYCHAIN_MODULE, fail.message, fail)
-      promise.reject(Errors.E_UNKNOWN_ERROR, fail)
+      promise.reject(Errors.E_INTERNAL_ERROR, fail)
     }
   }
 
@@ -417,12 +427,9 @@ class KeychainModule(reactContext: ReactApplicationContext) :
         }
       }
       promise.resolve(reply)
-    } catch (e: Exception) {
-      Log.e(KEYCHAIN_MODULE, e.message, e)
-      promise.reject(Errors.E_SUPPORTED_BIOMETRY_ERROR, e)
     } catch (fail: Throwable) {
       Log.e(KEYCHAIN_MODULE, fail.message, fail)
-      promise.reject(Errors.E_UNKNOWN_ERROR, fail)
+      promise.reject(Errors.E_INTERNAL_ERROR, fail)
     }
   }
 
@@ -442,7 +449,7 @@ class KeychainModule(reactContext: ReactApplicationContext) :
    * Extract credentials from current storage. In case if current storage is not matching results
    * set then executed migration.
    */
-  @Throws(CryptoFailedException::class, KeyStoreAccessException::class)
+  @Throws(KeychainException::class, KeyStoreAccessException::class)
   private suspend fun decryptCredentials(
     alias: String,
     current: CipherStorage,
@@ -472,7 +479,7 @@ class KeychainModule(reactContext: ReactApplicationContext) :
   }
 
   /** Try to decrypt with provided storage. */
-  @Throws(CryptoFailedException::class)
+  @Throws(KeychainException::class)
   private suspend fun decryptToResult(
     alias: String,
     storage: CipherStorage,
@@ -487,15 +494,18 @@ class KeychainModule(reactContext: ReactApplicationContext) :
       resultSet.password!!,
       SecurityLevel.ANY
     )
-    CryptoFailedException.reThrowOnError(handler.error)
-    if (null == handler.decryptionResult) {
-      throw CryptoFailedException("No decryption results and no error. Something deeply wrong!")
+    val error = handler.error
+    if (error != null) {
+      throw KeychainException(error.message, error)
+    }
+    if (handler.decryptionResult == null) {
+      throw KeychainException("No decryption results and no error. Something deeply wrong!")
     }
     return handler.decryptionResult!!
   }
 
   /** Try to encrypt with provided storage. */
-  @Throws(CryptoFailedException::class)
+  @Throws(KeychainException::class)
   private suspend fun encryptToResult(
     alias: String,
     storage: CipherStorage,
@@ -506,9 +516,12 @@ class KeychainModule(reactContext: ReactApplicationContext) :
   ): CipherStorage.EncryptionResult {
     val handler = getInteractiveHandler(storage, promptInfo)
     storage.encrypt(handler, alias, username, password, securityLevel)
-    CryptoFailedException.reThrowOnError(handler.error)
-    if (null == handler.encryptionResult) {
-      throw CryptoFailedException("No decryption results and no error. Something deeply wrong!")
+    val error = handler.error
+    if (error != null) {
+      throw KeychainException(error.message, error)
+    }
+    if (handler.encryptionResult == null) {
+      throw KeychainException("No encryption results and no error. Something deeply wrong!")
     }
     return handler.encryptionResult!!
   }
@@ -526,7 +539,7 @@ class KeychainModule(reactContext: ReactApplicationContext) :
   /* package */
   @Throws(
     KeyStoreAccessException::class,
-    CryptoFailedException::class,
+    KeychainException::class,
     IllegalArgumentException::class
   )
   private suspend fun migrateCipherStorage(
@@ -563,7 +576,7 @@ class KeychainModule(reactContext: ReactApplicationContext) :
    * The "Current" CipherStorage is the cipherStorage with the highest API level that is lower than
    * or equal to the current API level. Parameter allow to reduce level.
    */
-  @Throws(CryptoFailedException::class)
+  @Throws(KeychainException::class)
   fun getCipherStorageForCurrentAPILevel(
     useBiometry: Boolean,
     usePasscode: Boolean
@@ -594,7 +607,7 @@ class KeychainModule(reactContext: ReactApplicationContext) :
       foundCipher = variant
     }
     if (foundCipher == null) {
-      throw CryptoFailedException("Unsupported Android SDK " + Build.VERSION.SDK_INT)
+      throw KeychainException("Unsupported Android SDK " + Build.VERSION.SDK_INT, Errors.E_INVALID_PARAMETERS)
     }
     Log.d(KEYCHAIN_MODULE, "Selected storage: " + foundCipher.getCipherStorageName())
     return foundCipher
@@ -641,7 +654,7 @@ class KeychainModule(reactContext: ReactApplicationContext) :
       if (isSecureHardwareAvailable) {
         SecurityLevel.SECURE_HARDWARE
       } else SecurityLevel.SECURE_SOFTWARE
-    } catch (e: CryptoFailedException) {
+    } catch (e: KeychainException) {
       Log.w(KEYCHAIN_MODULE, "Security Level Exception: " + e.message, e)
       SecurityLevel.ANY
     }
@@ -799,17 +812,18 @@ class KeychainModule(reactContext: ReactApplicationContext) :
     /**
      * Throw exception if required security level does not match storage provided security level.
      */
-    @Throws(CryptoFailedException::class)
+    @Throws(KeychainException::class)
     fun throwIfInsufficientLevel(storage: CipherStorage, level: SecurityLevel) {
       if (storage.securityLevel().satisfiesSafetyThreshold(level)) {
         return
       }
-      throw CryptoFailedException(
+      throw KeychainException(
         String.format(
           "Cipher Storage is too weak. Required security level is: %s, but only %s is provided",
           level.name,
           storage.securityLevel().name
-        )
+        ),
+        Errors.E_INVALID_PARAMETERS
       )
     }
 

android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorage.kt

@@ -2,7 +2,7 @@ package com.oblador.keychain.cipherStorage
 
 import com.oblador.keychain.SecurityLevel
 import com.oblador.keychain.resultHandler.ResultHandler
-import com.oblador.keychain.exceptions.CryptoFailedException
+import com.oblador.keychain.exceptions.KeychainException
 import com.oblador.keychain.exceptions.KeyStoreAccessException
 
 @Suppress("unused", "MemberVisibilityCanBePrivate")
@@ -44,10 +44,10 @@ interface CipherStorage {
   /**
    * Encrypt credentials with provided key (by alias) and required security level.
    *
-   * @throws CryptoFailedException If encryption fails.
+   * @throws KeychainException If encryption fails.
    */
 
-  @Throws(CryptoFailedException::class)
+  @Throws(KeychainException::class)
   fun encrypt(
     handler: ResultHandler,
     alias: String,
@@ -60,9 +60,9 @@ interface CipherStorage {
   /**
    * Decrypt the credentials but redirect results of operation to handler.
    *
-   * @throws CryptoFailedException If decryption fails.
+   * @throws KeychainException If decryption fails.
    */
-  @Throws(CryptoFailedException::class)
+  @Throws(KeychainException::class)
   fun decrypt(
     handler: ResultHandler,
     alias: String,

android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageBase.kt

@@ -9,10 +9,11 @@ import android.security.keystore.UserNotAuthenticatedException
 import android.util.Log
 import androidx.annotation.VisibleForTesting
 import com.oblador.keychain.DeviceAvailability
+import com.oblador.keychain.KeychainModule.Errors
 import com.oblador.keychain.SecurityLevel
 import com.oblador.keychain.cipherStorage.CipherStorageBase.DecryptBytesHandler
 import com.oblador.keychain.cipherStorage.CipherStorageBase.EncryptStringHandler
-import com.oblador.keychain.exceptions.CryptoFailedException
+import com.oblador.keychain.exceptions.KeychainException
 import com.oblador.keychain.exceptions.KeyStoreAccessException
 import java.io.ByteArrayInputStream
 import java.io.ByteArrayOutputStream
@@ -164,11 +165,12 @@ abstract class CipherStorageBase(protected val applicationContext: Context) : Ci
   }
 
   /** Check requirements to the security level. */
-  @Throws(CryptoFailedException::class)
+  @Throws(KeychainException::class)
   protected fun throwIfInsufficientLevel(level: SecurityLevel) {
     if (!securityLevel().satisfiesSafetyThreshold(level)) {
-      throw CryptoFailedException(
-        "Insufficient security level (wants $level; got ${securityLevel()})"
+      throw KeychainException(
+        "Insufficient security level (wants $level; got ${securityLevel()})",
+        Errors.E_INVALID_PARAMETERS
       )
     }
   }
@@ -328,7 +330,7 @@ abstract class CipherStorageBase(protected val applicationContext: Context) : Ci
 
   /** Decrypt provided bytes to a string. */
   @SuppressLint("NewApi")
-  @Throws(GeneralSecurityException::class, IOException::class, CryptoFailedException::class)
+  @Throws(GeneralSecurityException::class, IOException::class, KeychainException::class)
   protected open fun decryptBytes(
     key: Key,
     bytes: ByteArray,
@@ -351,7 +353,7 @@ abstract class CipherStorageBase(protected val applicationContext: Context) : Ci
                 throw UserNotAuthenticatedException()
               }
               e is javax.crypto.AEADBadTagException -> {
-                throw CryptoFailedException(
+                throw KeychainException(
                   "Decryption failed: Authentication tag verification failed. " +
                   "This usually indicates that the encrypted data was modified, corrupted, " +
                   "or is being decrypted with the wrong key.",
@@ -402,7 +404,7 @@ abstract class CipherStorageBase(protected val applicationContext: Context) : Ci
     }
 
     if (!validateKeySecurityLevel(requiredLevel, secretKey!!)) {
-      throw CryptoFailedException("Cannot generate keys with required security guarantees")
+      throw KeychainException("Cannot generate keys with required security guarantees", Errors.E_INVALID_PARAMETERS)
     }
   }
 

android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageKeystoreAesCbc.kt

@@ -10,7 +10,7 @@ import com.oblador.keychain.KeychainModule.KnownCiphers
 import com.oblador.keychain.SecurityLevel
 import com.oblador.keychain.cipherStorage.CipherStorageKeystoreAesCbc.IV.IV_LENGTH
 import com.oblador.keychain.resultHandler.ResultHandler
-import com.oblador.keychain.exceptions.CryptoFailedException
+import com.oblador.keychain.exceptions.KeychainException
 import java.io.IOException
 import java.security.GeneralSecurityException
 import java.security.Key
@@ -74,7 +74,7 @@ class CipherStorageKeystoreAesCbc(reactContext: ReactApplicationContext) :
 
     // region Overrides
 
-    @Throws(CryptoFailedException::class)
+    @Throws(KeychainException::class)
     override fun encrypt(
         handler: ResultHandler,
         alias: String,
@@ -95,19 +95,14 @@ class CipherStorageKeystoreAesCbc(reactContext: ReactApplicationContext) :
                 encryptString(key, username), encryptString(key, password), this
             )
             handler.onEncrypt(result, null)
-        } catch (e: GeneralSecurityException) {
-            throw CryptoFailedException("Could not encrypt data with alias: $alias", e)
         } catch (fail: Throwable) {
-            throw CryptoFailedException(
-                "Unknown error with alias: $alias, error: ${fail.message}",
-                fail
-            )
+            throw KeychainException("Could not encrypt data with alias: $alias, error: ${fail.message}", fail)
         }
     }
 
 
     /** Redirect call to [decrypt] method. */
-    @Throws(CryptoFailedException::class)
+    @Throws(KeychainException::class)
     override fun decrypt(
         handler: ResultHandler,
         alias: String,
@@ -129,7 +124,7 @@ class CipherStorageKeystoreAesCbc(reactContext: ReactApplicationContext) :
             )
             handler.onDecrypt(results, null)
         } catch (e: GeneralSecurityException) {
-            throw CryptoFailedException("Could not decrypt data with alias: $alias", e)
+            throw KeychainException("Could not decrypt data with alias: $alias, error: ${e.message}", e)
         } catch (fail: Throwable) {
             handler.onDecrypt(null, fail)
         }