Merge pull request #6 from snabble/keystore_migration

Keystore to RSA migration

Author: ajungg

core/build.gradle

@@ -60,6 +60,7 @@ dependencies {
     implementation 'org.iban4j:iban4j:3.2.1'
     implementation 'com.caverock:androidsvg-aar:1.4'
     implementation 'com.google.android.gms:play-services-wallet:18.1.3'
+    implementation 'androidx.biometric:biometric:1.2.0-alpha03'
 
     api "com.squareup.okhttp3:okhttp:${project.okhttpVersion}"
     implementation "com.squareup.okhttp3:logging-interceptor:${project.okhttpVersion}"

core/src/main/java/io/snabble/sdk/payment/PaymentCredentials.java

@@ -22,10 +22,10 @@
 import javax.crypto.spec.OAEPParameterSpec;
 import javax.crypto.spec.PSource;
 
-import io.snabble.sdk.Events;
 import io.snabble.sdk.PaymentMethod;
 import io.snabble.sdk.R;
 import io.snabble.sdk.Snabble;
+import io.snabble.sdk.utils.Dispatch;
 import io.snabble.sdk.utils.GsonHolder;
 import io.snabble.sdk.utils.Logger;
 import io.snabble.sdk.utils.Utils;
@@ -130,9 +130,11 @@ private static class TegutEmployeeCard {
     }
 
     private String obfuscatedId;
+    // comes from previously saved data on deserialization - was used in encrypt() from old code
     private boolean isKeyStoreEncrypted;
-    private boolean canBypassKeyStore;
-    private String encryptedData;
+    @Deprecated
+    private String encryptedData; // old key-store based encrypted data
+    private String rsaEncryptedData; // rsa encrypted data
     private String signature;
     private long validTo;
     private Type type;
@@ -172,8 +174,7 @@ public static PaymentCredentials fromSEPA(String name, String iban) {
         String json = GsonHolder.get().toJson(data, SepaData.class);
 
         X509Certificate certificate = certificates.get(0);
-        pc.encryptedData = pc.rsaEncrypt(certificate, json.getBytes());
-        pc.encrypt();
+        pc.rsaEncryptedData = pc.rsaEncrypt(certificate, json.getBytes());
         pc.signature = pc.sha256Signature(certificate);
         pc.brand = Brand.UNKNOWN;
         pc.appId = Snabble.getInstance().getConfig().appId;
@@ -232,15 +233,14 @@ public static PaymentCredentials fromCreditCardData(String name,
         String json = GsonHolder.get().toJson(creditCardData, CreditCardData.class);
 
         X509Certificate certificate = certificates.get(0);
-        pc.encryptedData = pc.rsaEncrypt(certificate, json.getBytes());
-        pc.encrypt();
+        pc.rsaEncryptedData = pc.rsaEncrypt(certificate, json.getBytes());
         pc.signature = pc.sha256Signature(certificate);
         pc.brand = brand;
         pc.appId = Snabble.getInstance().getConfig().appId;
         pc.projectId = projectId;
         pc.validTo = parseValidTo("MM/yyyy", expirationMonth, expirationYear);
 
-        if (pc.encryptedData == null) {
+        if (pc.rsaEncryptedData == null) {
             return null;
         }
 
@@ -290,8 +290,7 @@ public static PaymentCredentials fromPaydirekt(PaydirektAuthorizationData author
         String json = GsonHolder.get().toJson(paydirektData, PaydirektData.class);
 
         X509Certificate certificate = certificates.get(0);
-        pc.encryptedData = pc.rsaEncrypt(certificate, json.getBytes());
-        pc.encrypt();
+        pc.rsaEncryptedData = pc.rsaEncrypt(certificate, json.getBytes());
         pc.signature = pc.sha256Signature(certificate);
         pc.appId = Snabble.getInstance().getConfig().appId;
 
@@ -301,7 +300,7 @@ public static PaymentCredentials fromPaydirekt(PaydirektAuthorizationData author
         pc.additionalData.put("deviceFingerprint", authorizationData.fingerprint);
         pc.additionalData.put("deviceIPAddress", authorizationData.ipAddress);
 
-        if (pc.encryptedData == null) {
+        if (pc.rsaEncryptedData == null) {
             return null;
         }
 
@@ -342,15 +341,14 @@ public static PaymentCredentials fromDatatrans(String token, Brand brand, String
         String json = GsonHolder.get().toJson(datatransData, DatatransData.class);
 
         X509Certificate certificate = certificates.get(0);
-        pc.encryptedData = pc.rsaEncrypt(certificate, json.getBytes());
-        pc.encrypt();
+        pc.rsaEncryptedData = pc.rsaEncrypt(certificate, json.getBytes());
         pc.signature = pc.sha256Signature(certificate);
         pc.appId = Snabble.getInstance().getConfig().appId;
         pc.brand = brand;
         pc.obfuscatedId = obfuscatedId;
         pc.validTo = parseValidTo("MM/yy", expirationMonth, expirationYear);
 
-        if (pc.encryptedData == null) {
+        if (pc.rsaEncryptedData == null) {
             return null;
         }
 
@@ -387,9 +385,8 @@ public static PaymentCredentials fromTegutEmployeeCard(String obfuscatedId, Stri
         pc.brand = Brand.UNKNOWN;
         pc.appId = Snabble.getInstance().getConfig().appId;
         pc.projectId = projectId;
-        pc.canBypassKeyStore = true;
 
-        if (pc.encryptedData == null) {
+        if (pc.rsaEncryptedData == null) {
             return null;
         }
 
@@ -458,26 +455,8 @@ private String rsaEncrypt(X509Certificate certificate, byte[] data) {
         }
     }
 
-    /** Synchronous encryption using the user credentials **/
-    private void encrypt() {
-        PaymentCredentialsStore store = Snabble.getInstance().getPaymentCredentialsStore();
-
-        if (store.keyStoreCipher == null) {
-            return;
-        }
-
-        byte[] keyStoreEncrypted = store.keyStoreCipher.encrypt(encryptedData.getBytes());
-
-        if (keyStoreEncrypted != null) {
-            encryptedData = Base64.encodeToString(keyStoreEncrypted, Base64.NO_WRAP);
-            isKeyStoreEncrypted = true;
-        } else {
-            Logger.e("Could not encrypt payment credentials: KeyStore unavailable");
-        }
-    }
-
     /** Synchronous decryption using the user credentials **/
-    private String decrypt() {
+    private String decryptUsingKeyStore() {
         PaymentCredentialsStore store = Snabble.getInstance().getPaymentCredentialsStore();
 
         if (store.keyStoreCipher == null) {
@@ -510,7 +489,7 @@ public boolean isAvailableInCurrentApp() {
     }
 
     public boolean canBypassKeyStore() {
-        return canBypassKeyStore;
+        return rsaEncryptedData != null;
     }
 
     private boolean validateCertificate(X509Certificate certificate) {
@@ -615,7 +594,35 @@ public String getObfuscatedId() {
     }
 
     public String getEncryptedData() {
-        return decrypt();
+        if (rsaEncryptedData != null) {
+            return rsaEncryptedData;
+        }
+
+        Logger.logEvent("Accessing not migrated keystore credentials");
+        return decryptUsingKeyStore();
+    }
+
+    public boolean migrateFromKeyStore() {
+        // if data is available and we have not migrated before, start migration
+        if (rsaEncryptedData == null && encryptedData != null) {
+            rsaEncryptedData = decryptUsingKeyStore();
+
+            if (rsaEncryptedData != null) {
+                Logger.logEvent("Successfully migrated payment credentials");
+                return true;
+            } else {
+                Logger.logEvent("Payment credential migration was unsuccessful");
+                return false;
+            }
+        }
+
+        if (rsaEncryptedData == null) {
+            Logger.errorEvent("Payment credentials are contain no data - removing");
+            return false;
+        }
+
+        // if already migrated do nothing
+        return true;
     }
 
     public Map<String, String> getAdditionalData() {

core/src/main/java/io/snabble/sdk/payment/PaymentCredentialsStore.java

@@ -30,6 +30,7 @@ private class Data {
         private List<PaymentCredentials> credentialsList;
         private String id;
         private boolean removedOldCreditCards;
+        private boolean isMigratedFromKeyStore;
         private boolean isKeyguarded;
     }
 
@@ -38,8 +39,8 @@ private class Data {
     private List<Callback> callbacks = new CopyOnWriteArrayList<>();
     private List<OnPaymentCredentialsAddedListener> onPaymentCredentialsAddedListeners = new CopyOnWriteArrayList<>();
     private String credentialsKey;
-    private UserPreferences userPreferences;
 
+    // this still is needed for migration
     KeyStoreCipher keyStoreCipher;
 
     public PaymentCredentialsStore() {
@@ -49,7 +50,6 @@ public PaymentCredentialsStore() {
     public void init(Context context, Environment environment) {
         sharedPreferences = context.getSharedPreferences("snabble_payment", Context.MODE_PRIVATE);
         credentialsKey = "credentials_" + (environment != null ? environment.name() : "_UNKNOWN");
-        userPreferences = Snabble.getInstance().getUserPreferences();
 
         load();
         initializeKeyStore();
@@ -137,7 +137,7 @@ public boolean hasRemovedOldCreditCards() {
         return data.removedOldCreditCards;
     }
 
-    public void add(PaymentCredentials credentials) {
+    public synchronized void add(PaymentCredentials credentials) {
         if (credentials == null) {
             return;
         }
@@ -150,14 +150,19 @@ public void add(PaymentCredentials credentials) {
         notifyChanged();
     }
 
-    public void remove(PaymentCredentials credentials) {
+    public synchronized void remove(PaymentCredentials credentials) {
         if (data.credentialsList.remove(credentials)) {
             save();
             notifyChanged();
         }
     }
 
-    public void removeInvalidCredentials() {
+    public synchronized void removeInvalidCredentials() {
+        // we do not lose payment information if we are not using key store
+        if (data.isMigratedFromKeyStore) {
+            return;
+        }
+
         List<PaymentCredentials> removals = new ArrayList<>();
         for (PaymentCredentials credentials : data.credentialsList) {
             if (!credentials.canBypassKeyStore()) {
@@ -183,21 +188,40 @@ public void removeInvalidCredentials() {
         }
     }
 
-    public void clear() {
+    public synchronized void clear() {
         if (data.credentialsList.size() > 0) {
             data.credentialsList.clear();
             save();
             notifyChanged();
         }
     }
 
-    private void save() {
+    public synchronized void maybeMigrateKeyStoreCredentials() {
+        if (!data.isMigratedFromKeyStore) {
+            List<PaymentCredentials> removals = new ArrayList<>();
+
+            for (PaymentCredentials paymentCredentials : data.credentialsList) {
+                if (!paymentCredentials.migrateFromKeyStore()) {
+                    removals.add(paymentCredentials);
+                }
+            }
+
+            for (PaymentCredentials credentials : removals) {
+                data.credentialsList.remove(credentials);
+            }
+
+            data.isMigratedFromKeyStore = true;
+            save();
+        }
+    }
+
+    private synchronized void save() {
         Gson gson = new Gson();
         String json = gson.toJson(data);
         sharedPreferences.edit().putString(credentialsKey, json).apply();
     }
 
-    private void load() {
+    private synchronized void load() {
         Gson gson = new Gson();
         data = new Data();
         data.credentialsList = new ArrayList<>();
@@ -218,7 +242,7 @@ private void load() {
         }
     }
 
-    private void validate() {
+    private synchronized void validate() {
         boolean changed = false;
 
         List<PaymentCredentials> removals = new ArrayList<>();

ui/build.gradle

@@ -65,6 +65,7 @@ dependencies {
     implementation 'ch.datatrans:android-sdk:1.4.2'
     implementation 'com.google.android.gms:play-services-wallet:18.1.3'
     implementation 'eu.rekisoft.android.util:LazyWorker:2.0.1'
+    implementation 'androidx.biometric:biometric:1.2.0-alpha03'
 
     def camerax_version = "1.0.1"
     implementation "androidx.camera:camera-core:${camerax_version}"

ui/src/main/AndroidManifest.xml

@@ -2,8 +2,8 @@
 <manifest package="io.snabble.sdk.ui"
     xmlns:android="http://schemas.android.com/apk/res/android">
 
-    <uses-permission android:name="android.permission.USE_BIOMETRIC" />
-    <uses-permission android:name="android.permission.USE_FINGERPRINT" />
+    <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
+    <uses-permission android:name="android.permission.USE_FINGERPRINT"/>
 
     <application>
         <provider

ui/src/main/java/io/snabble/sdk/ui/Keyguard.java

@@ -18,6 +18,7 @@
 
 import java.util.concurrent.Executors;
 
+import io.snabble.sdk.Snabble;
 import io.snabble.sdk.utils.Dispatch;
 
 public class Keyguard {
@@ -111,6 +112,9 @@ private static void success(Callback callback) {
                 return;
             }
 
+            // migrate key store stored values to rsa stored values
+            Snabble.getInstance().getPaymentCredentialsStore().maybeMigrateKeyStoreCredentials();
+
             if (currentCallback != null) {
                 currentCallback.success();
                 currentCallback = null;

utils/src/main/java/io/snabble/sdk/utils/security/KeyStoreCipher.java

@@ -7,13 +7,15 @@
 
 import io.snabble.sdk.utils.Logger;
 
+@Deprecated
 public abstract class KeyStoreCipher {
     public abstract String id();
     public abstract void validate();
     public abstract void purge();
     public abstract byte[] encrypt(byte[] data);
     public abstract byte[] decrypt(byte[] encrypted);
 
+    @Deprecated
     @RequiresApi(api = Build.VERSION_CODES.JELLY_BEAN_MR2)
     public static KeyStoreCipher create(Context context, String tag, boolean requireUserAuthentication) {
         try {

utils/src/main/java/io/snabble/sdk/utils/security/KeyStoreCipherJellyBeanMR2.java

@@ -31,6 +31,7 @@
 import io.snabble.sdk.utils.Logger;
 import io.snabble.sdk.utils.Utils;
 
+@Deprecated
 @RequiresApi(api = Build.VERSION_CODES.JELLY_BEAN_MR2)
 public class KeyStoreCipherJellyBeanMR2 extends KeyStoreCipher {
     private static final String ANDROID_KEY_STORE = "AndroidKeyStore";
@@ -47,6 +48,7 @@ public class KeyStoreCipherJellyBeanMR2 extends KeyStoreCipher {
     private boolean requireUserAuthentication;
     private Context context;
 
+    @Deprecated
     KeyStoreCipherJellyBeanMR2(Context context, String alias, boolean requireUserAuthentication) {
         this.alias = alias + "_JB_MR2";
         this.context = context;

utils/src/main/java/io/snabble/sdk/utils/security/KeyStoreCipherMarshmallow.java

@@ -21,6 +21,7 @@
 import io.snabble.sdk.utils.Logger;
 import io.snabble.sdk.utils.Utils;
 
+@Deprecated
 @RequiresApi(api = Build.VERSION_CODES.M)
 public class KeyStoreCipherMarshmallow extends KeyStoreCipher {
     private static final String ANDROID_KEY_STORE = "AndroidKeyStore";
@@ -32,7 +33,8 @@ public class KeyStoreCipherMarshmallow extends KeyStoreCipher {
     private boolean requireUserAuthentication;
     private boolean wasNotAccessible = false;
     private boolean wasPermanentlyInvalidated = false;
-    
+
+    @Deprecated
     KeyStoreCipherMarshmallow(String alias, boolean requireUserAuthentication) {
         this.alias = alias + "_M";
         this.requireUserAuthentication = requireUserAuthentication;
@@ -103,7 +105,7 @@ private boolean isKeyAccessible() {
         }  catch (Exception e) {
             wasNotAccessible = true;
             Logger.logEvent("KeyStore inaccessible: " + e.getClass().getName() + ": " + e.getMessage());
-            return true;
+            return false;
         }
     }