bitwarden-android/src/Android/Services/KeyStoreBackedStorageService.cs

259 lines
8.1 KiB
C#
Raw Normal View History

2017-05-27 08:05:12 +03:00
using System.IO;
using Java.Security;
using Javax.Crypto;
using Android.OS;
using Bit.App.Abstractions;
using System;
using Android.Security;
using Javax.Security.Auth.X500;
using Java.Math;
using Android.Security.Keystore;
using Android.App;
using Plugin.Settings.Abstractions;
2017-05-27 18:45:03 +03:00
using Java.Util;
using Android.Content;
2017-05-27 08:05:12 +03:00
namespace Bit.Android.Services
{
public class KeyStoreBackedStorageService : ISecureStorageService
{
private const string AndroidKeyStore = "AndroidKeyStore";
private const string KeyAlias = "bitwardenKey";
private const string SettingsFormat = "ksSecured:{0}";
2017-05-27 18:46:42 +03:00
private const string AesKey = "ksSecured:aesKeyForService";
2017-05-27 08:05:12 +03:00
2017-06-06 05:25:59 +03:00
private readonly string _rsaMode;
private readonly bool _oldAndroid;
2017-05-27 08:05:12 +03:00
private readonly ISettings _settings;
private readonly KeyStore _keyStore;
private readonly ISecureStorageService _oldKeyStorageService;
2017-05-27 08:05:12 +03:00
public KeyStoreBackedStorageService(ISettings settings)
{
2017-06-06 05:25:59 +03:00
_oldAndroid = Build.VERSION.SdkInt < BuildVersionCodes.M;
2017-06-07 05:50:20 +03:00
_rsaMode = _oldAndroid ? "RSA/ECB/PKCS1Padding" : "RSA/ECB/OAEPPadding";
2017-06-06 05:25:59 +03:00
2017-05-27 19:23:35 +03:00
_oldKeyStorageService = new KeyStoreStorageService(new char[] { });
2017-05-27 08:05:12 +03:00
_settings = settings;
_keyStore = KeyStore.GetInstance(AndroidKeyStore);
_keyStore.Load(null);
GenerateRsaKey();
2017-05-27 08:05:12 +03:00
GenerateAesKey();
}
public bool Contains(string key)
{
2017-05-27 19:23:35 +03:00
return _settings.Contains(string.Format(SettingsFormat, key)) || _oldKeyStorageService.Contains(key);
2017-05-27 08:05:12 +03:00
}
public void Delete(string key)
{
2017-05-27 18:42:22 +03:00
CleanupOldKeyStore(key);
2017-05-27 08:05:12 +03:00
_settings.Remove(string.Format(SettingsFormat, key));
}
public byte[] Retrieve(string key)
{
2017-05-27 19:23:35 +03:00
var formattedKey = string.Format(SettingsFormat, key);
if(!_settings.Contains(formattedKey))
2017-05-27 08:05:12 +03:00
{
2017-05-27 18:42:22 +03:00
return TryGetAndMigrateFromOldKeyStore(key);
2017-05-27 08:05:12 +03:00
}
var cs = _settings.GetValueOrDefault<string>(formattedKey);
if(string.IsNullOrWhiteSpace(cs))
{
return null;
}
var aesKey = GetAesKey();
if(aesKey == null)
{
return null;
}
try
{
return App.Utilities.Crypto.AesCbcDecrypt(new App.Models.CipherString(cs), aesKey);
}
catch(Exception e)
{
Console.WriteLine("Failed to decrypt from secure storage.");
_settings.Remove(formattedKey);
//throw;
SendEmail(e.Message + "\n\n" + e.StackTrace);
return null;
}
2017-05-27 08:05:12 +03:00
}
public void Store(string key, byte[] dataBytes)
{
2017-05-27 19:23:35 +03:00
var formattedKey = string.Format(SettingsFormat, key);
2017-05-27 18:42:22 +03:00
CleanupOldKeyStore(key);
2017-05-27 08:05:12 +03:00
if(dataBytes == null)
{
2017-05-27 19:23:35 +03:00
_settings.Remove(formattedKey);
2017-05-27 08:05:12 +03:00
return;
}
var aesKey = GetAesKey();
if(aesKey == null)
{
return;
}
2017-05-27 08:05:12 +03:00
try
{
var cipherString = App.Utilities.Crypto.AesCbcEncrypt(dataBytes, aesKey);
_settings.AddOrUpdateValue(formattedKey, cipherString.EncryptedString);
}
catch(Exception e)
{
Console.WriteLine("Failed to encrypt to secure storage.");
SendEmail(e.Message + "\n\n" + e.StackTrace);
//throw;
}
2017-05-27 08:05:12 +03:00
}
private void GenerateRsaKey()
2017-05-27 08:05:12 +03:00
{
if(_keyStore.ContainsAlias(KeyAlias))
{
return;
}
2017-06-06 05:25:59 +03:00
var gen = KeyPairGenerator.GetInstance(KeyProperties.KeyAlgorithmRsa, AndroidKeyStore);
var start = Calendar.Instance;
var end = Calendar.Instance;
end.Add(CalendarField.Year, 30);
var subject = new X500Principal($"CN={KeyAlias}");
2017-05-27 08:05:12 +03:00
if(_oldAndroid)
{
var spec = new KeyPairGeneratorSpec.Builder(Application.Context)
.SetAlias(KeyAlias)
.SetSubject(subject)
.SetSerialNumber(BigInteger.Ten)
.SetStartDate(start.Time)
.SetEndDate(end.Time)
2017-05-27 08:05:12 +03:00
.Build();
gen.Initialize(spec);
}
else
{
var spec = new KeyGenParameterSpec.Builder(KeyAlias, KeyStorePurpose.Decrypt | KeyStorePurpose.Encrypt)
.SetCertificateSubject(subject)
.SetCertificateSerialNumber(BigInteger.Ten)
.SetKeyValidityStart(start.Time)
.SetKeyValidityEnd(end.Time)
2017-06-06 05:25:59 +03:00
.SetDigests(KeyProperties.DigestSha256)
.SetEncryptionPaddings(KeyProperties.EncryptionPaddingRsaOaep)
2017-05-27 08:05:12 +03:00
.Build();
2017-06-06 05:25:59 +03:00
gen.Initialize(spec);
2017-05-27 08:05:12 +03:00
}
2017-06-06 05:25:59 +03:00
gen.GenerateKeyPair();
2017-05-27 08:05:12 +03:00
}
private KeyStore.PrivateKeyEntry GetRsaKeyEntry()
2017-05-27 08:05:12 +03:00
{
return _keyStore.GetEntry(KeyAlias, null) as KeyStore.PrivateKeyEntry;
}
2017-05-27 08:05:12 +03:00
private void GenerateAesKey()
{
2017-05-27 18:46:42 +03:00
if(_settings.Contains(AesKey))
2017-05-27 08:05:12 +03:00
{
return;
}
var key = App.Utilities.Crypto.RandomBytes(512 / 8);
2017-05-27 08:05:12 +03:00
var encKey = RsaEncrypt(key);
2017-05-27 18:46:42 +03:00
_settings.AddOrUpdateValue(AesKey, Convert.ToBase64String(encKey));
2017-05-27 08:05:12 +03:00
}
private App.Models.SymmetricCryptoKey GetAesKey()
2017-05-27 08:05:12 +03:00
{
try
2017-05-27 08:05:12 +03:00
{
2017-05-27 18:46:42 +03:00
var encKey = _settings.GetValueOrDefault<string>(AesKey);
if(encKey == null)
{
return null;
}
2017-05-27 08:05:12 +03:00
var encKeyBytes = Convert.FromBase64String(encKey);
var key = RsaDecrypt(encKeyBytes);
return new App.Models.SymmetricCryptoKey(key);
2017-05-27 08:05:12 +03:00
}
catch(Exception e)
2017-05-27 08:05:12 +03:00
{
Console.WriteLine("Cannot get AesKey.");
_keyStore.DeleteEntry(KeyAlias);
_settings.Remove(AesKey);
//throw;
SendEmail(e.Message + "\n\n" + e.StackTrace);
return null;
2017-05-27 08:05:12 +03:00
}
}
2017-06-06 05:25:59 +03:00
private byte[] RsaEncrypt(byte[] data)
2017-05-27 08:05:12 +03:00
{
2017-06-06 05:25:59 +03:00
using(var entry = GetRsaKeyEntry())
using(var cipher = Cipher.GetInstance(_rsaMode))
2017-05-27 08:05:12 +03:00
{
2017-06-06 05:25:59 +03:00
cipher.Init(CipherMode.EncryptMode, entry.Certificate.PublicKey);
var cipherText = cipher.DoFinal(data);
return cipherText;
2017-05-27 08:05:12 +03:00
}
2017-06-06 05:25:59 +03:00
}
2017-05-27 08:05:12 +03:00
2017-06-06 05:25:59 +03:00
private byte[] RsaDecrypt(byte[] encData)
{
using(var entry = GetRsaKeyEntry())
using(var cipher = Cipher.GetInstance(_rsaMode))
2017-05-27 08:05:12 +03:00
{
2017-06-06 05:25:59 +03:00
cipher.Init(CipherMode.DecryptMode, entry.PrivateKey);
var plainText = cipher.DoFinal(encData);
return plainText;
2017-05-27 08:05:12 +03:00
}
}
2017-05-27 18:42:22 +03:00
private byte[] TryGetAndMigrateFromOldKeyStore(string key)
{
if(_oldKeyStorageService.Contains(key))
{
var value = _oldKeyStorageService.Retrieve(key);
Store(key, value);
_oldKeyStorageService.Delete(key);
return value;
}
return null;
}
private void CleanupOldKeyStore(string key)
{
if(_oldKeyStorageService.Contains(key))
{
_oldKeyStorageService.Delete(key);
}
}
private void SendEmail(string text)
{
var emailIntent = new Intent(Intent.ActionSend);
emailIntent.SetType("plain/text");
emailIntent.PutExtra(Intent.ExtraEmail, new String[] { "hello@bitwarden.com" });
emailIntent.PutExtra(Intent.ExtraSubject, "Crash Report");
emailIntent.PutExtra(Intent.ExtraText, text);
Application.Context.StartActivity(Intent.CreateChooser(emailIntent, "Send mail..."));
}
2017-05-27 08:05:12 +03:00
}
}