Encrypt credentials in memory

.gitignore

@@ -34,4 +34,5 @@ app/libs/javarosa-libraries.jar
 build/
 **/*~
 app/google-services.json
-app/fabric.properties
+app/fabric.properties
+app/src/META-INF/

app/build.gradle

@@ -136,42 +136,50 @@ dependencies {
 }
 
 ext {
- // Obtained from ~/.gradle/gradle.properties on build server (mobile agent), or your local
  // Obtained from ~/.gradle/gradle.properties on build server (mobile agent), or your local
  // ~/.gradle/gradle.properties file, or loads default empty strings if neither is present
- MAPBOX_SDK_API_KEY = project.properties['MAPBOX_SDK_API_KEY'] ?: ""
- ANALYTICS_TRACKING_ID_DEV = project.properties['ANALYTICS_TRACKING_ID_DEV'] ?: ""
- ANALYTICS_TRACKING_ID_LIVE = project.properties['ANALYTICS_TRACKING_ID_LIVE'] ?: ""
- GOOGLE_PLAY_MAPS_API_KEY = project.properties['GOOGLE_PLAY_MAPS_API_KEY'] ?: ""
- RELEASE_STORE_FILE = project.properties['RELEASE_STORE_FILE'] ?: "."
- RELEASE_STORE_PASSWORD = project.properties['RELEASE_STORE_PASSWORD'] ?: ""
- RELEASE_KEY_ALIAS = project.properties['RELEASE_KEY_ALIAS'] ?: ""
- RELEASE_KEY_PASSWORD = project.properties['RELEASE_KEY_PASSWORD'] ?: ""
+ MAPBOX_SDK_API_KEY = project.properties['MAPBOX_SDK_API_KEY'] ?: ''
+ ANALYTICS_TRACKING_ID_DEV = project.properties['ANALYTICS_TRACKING_ID_DEV'] ?: ''
+ ANALYTICS_TRACKING_ID_LIVE = project.properties['ANALYTICS_TRACKING_ID_LIVE'] ?: ''
+ GOOGLE_PLAY_MAPS_API_KEY = project.properties['GOOGLE_PLAY_MAPS_API_KEY'] ?: ''
+ RELEASE_STORE_FILE = project.properties['RELEASE_STORE_FILE'] ?: '.'
+ RELEASE_STORE_PASSWORD = project.properties['RELEASE_STORE_PASSWORD'] ?: ''
+ RELEASE_KEY_ALIAS = project.properties['RELEASE_KEY_ALIAS'] ?: ''
+ RELEASE_KEY_PASSWORD = project.properties['RELEASE_KEY_PASSWORD'] ?: ''
  TRUSTED_SOURCE_PUBLIC_KEY = project.properties['TRUSTED_SOURCE_PUBLIC_KEY'] ?:
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHiuy2ULV4pobkuQN2TEjmR1tn" +
  "HJ+F335hm/lVdaFQzvBmeq64MUMbumheVLDJaSUiAVzqSHDKJWH01ZQRowqBYjwo" +
  "ycVSQSeO2glc6XZZ+CJudAPXe8iFWLQp3kBBnBmVcBXCOQFO7aLgQMv4nqKZsLW0" +
  "HaAJkjpnc165Os+aYwIDAQAB"
- GOOGLE_SERVICES_API_KEY = project.properties['GOOGLE_SERVICES_API_KEY'] ?: ""
- QA_BETA_APP_ID = ""
- STANDALONE_APP_ID = ""
- LTS_APP_ID = ""
- COMMCARE_APP_ID = ""
- HQ_API_USERNAME = project.properties['HQ_API_USERNAME'] ?: ""
- HQ_API_PASSWORD = project.properties['HQ_API_PASSWORD'] ?: ""
- TEST_BUILD_TYPE = project.properties['TEST_BUILD_TYPE'] ?: "debug"
- FIREBASE_DATABASE_URL = project.properties['FIREBASE_DATABASE_URL'] ?: ""
+ GOOGLE_SERVICES_API_KEY = project.properties['GOOGLE_SERVICES_API_KEY'] ?: ''
+ QA_BETA_APP_ID = ''
+ STANDALONE_APP_ID = ''
+ LTS_APP_ID = ''
+ COMMCARE_APP_ID = ''
+ HQ_API_USERNAME = project.properties['HQ_API_USERNAME'] ?: ''
+ HQ_API_PASSWORD = project.properties['HQ_API_PASSWORD'] ?: ''
+ TEST_BUILD_TYPE = project.properties['TEST_BUILD_TYPE'] ?: 'debug'
+ FIREBASE_DATABASE_URL = project.properties['FIREBASE_DATABASE_URL'] ?: ''
+
+ // properties related to Service providers part of the Java SPI pattern
+ SERVICE_PROVIDERS_REL_DIR = 'META-INF/services'
+ /**
+ * Service provider implementations and respective service interfaces should be added to this
+ * map. The task registerServiceProviders is responsible for iterating over it and create the
+ * configuration files under META-INF/services
+ */
+ SERVICE_PROVIDERS = ['org.commcare.util.IEncryptionKeyProvider' : 'org.commcare.utils.EncryptionKeyProvider']
 }
 
 afterEvaluate {
  // Hack to get assets to show up in robolectric tests; try to eventually remove this
- preCommcareDebugUnitTestBuild.dependsOn mergeCommcareDebugAssets
- processStandaloneDebugGoogleServices.dependsOn injectPropertiesIntoFirebaseConfigFile
- processStandaloneReleaseGoogleServices.dependsOn injectPropertiesIntoFirebaseConfigFile
- processLtsDebugGoogleServices.dependsOn injectPropertiesIntoFirebaseConfigFile
- processLtsReleaseGoogleServices.dependsOn injectPropertiesIntoFirebaseConfigFile
- processCommcareDebugGoogleServices.dependsOn injectPropertiesIntoFirebaseConfigFile
- processCommcareReleaseGoogleServices.dependsOn injectPropertiesIntoFirebaseConfigFile
+ preCommcareDebugUnitTestBuild.dependsOn mergeCommcareDebugAssets, registerServiceProviders
+ processStandaloneDebugGoogleServices.dependsOn injectPropertiesIntoFirebaseConfigFile, registerServiceProviders
+ processStandaloneReleaseGoogleServices.dependsOn injectPropertiesIntoFirebaseConfigFile, registerServiceProviders
+ processLtsDebugGoogleServices.dependsOn injectPropertiesIntoFirebaseConfigFile, registerServiceProviders
+ processLtsReleaseGoogleServices.dependsOn injectPropertiesIntoFirebaseConfigFile, registerServiceProviders
+ processCommcareDebugGoogleServices.dependsOn injectPropertiesIntoFirebaseConfigFile, registerServiceProviders
+ processCommcareReleaseGoogleServices.dependsOn injectPropertiesIntoFirebaseConfigFile, registerServiceProviders
 }
 
 /**
@@ -632,3 +640,17 @@ downloadLicenses {
  includeProjectDependencies = true
  dependencyConfiguration = 'compile'
 }
+
+task registerServiceProviders {
+ doLast {
+ def servProvAbsPath = android.sourceSets.main.java.srcDirs[0].path + File.separator + project.ext.SERVICE_PROVIDERS_REL_DIR
+ project.ext.SERVICE_PROVIDERS.each { servProv ->
+ println(servProvAbsPath + File.separator + "$servProv.key")
+ def file = new File(servProvAbsPath + File.separator + "$servProv.key")
+ if(!file.getParentFile().exists()) {
+ file.getParentFile().mkdirs()
+ }
+ file.write("$servProv.value")
+ }
+ }
+}

app/src/org/commcare/CommCareApplication.java

@@ -140,6 +140,9 @@
 import okhttp3.MultipartBody;
 import okhttp3.RequestBody;
 
+import static org.commcare.util.EncryptionUtils.USER_CREDENTIALS_KEY_ALIAS;
+import static org.commcare.util.EncryptionUtils.getEncryptionKeyProvider;
+
 public class CommCareApplication extends MultiDexApplication {
 
  private static final String TAG = CommCareApplication.class.getSimpleName();
@@ -228,6 +231,8 @@ public void onCreate() {
  setRoots();
  prepareTemporaryStorage();
 
+ getEncryptionKeyProvider().generateCryptographicKeyInKeyStore(USER_CREDENTIALS_KEY_ALIAS);
+
  if (LegacyInstallUtils.checkForLegacyInstall(this)) {
  dbState = STATE_LEGACY_DETECTED;
  } else {

app/src/org/commcare/android/database/global/models/AndroidSharedKeyRecord.java

@@ -14,9 +14,6 @@
 
 import java.security.GeneralSecurityException;
 import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
 
 /**
  * This is a record of a key that CommCare ODK has shared with another app
@@ -52,18 +49,10 @@ public AndroidSharedKeyRecord(String keyId, byte[] privateKey, byte[] publicKey)
  }
 
  public static AndroidSharedKeyRecord generateNewSharingKey() {
- try {
- KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
- generator.initialize(512, new SecureRandom());
- KeyPair pair = generator.genKeyPair();
- byte[] encodedPrivate = pair.getPrivate().getEncoded();
- String privateEncoding = pair.getPrivate().getFormat();
- byte[] encodedPublic = pair.getPublic().getEncoded();
- String publicencoding = pair.getPublic().getFormat();
- return new AndroidSharedKeyRecord(PropertyUtils.genUUID(), pair.getPrivate().getEncoded(), pair.getPublic().getEncoded());
- } catch (NoSuchAlgorithmException nsae) {
- return null;
- }
+ KeyPair pair = CryptUtil.generateRandomKeyPair(512);
+ byte[] encodedPrivate = pair.getPrivate().getEncoded();
+ byte[] encodedPublic = pair.getPublic().getEncoded();
+ return new AndroidSharedKeyRecord(PropertyUtils.genUUID(), encodedPrivate, encodedPublic);
  }
 
  private String getKeyId() {

app/src/org/commcare/android/nfc/NfcManager.java

@@ -1,11 +1,9 @@
 package org.commcare.android.nfc;
 
-import android.annotation.TargetApi;
 import android.app.PendingIntent;
 import android.content.Context;
 import android.content.IntentFilter;
 import android.nfc.NfcAdapter;
-import android.os.Build;
 
 import org.apache.commons.lang3.StringUtils;
 import org.commcare.util.EncryptionUtils;
@@ -60,7 +58,7 @@ public String decryptValue(String message) throws EncryptionUtils.EncryptionExce
  if (message.startsWith(payloadTag)) {
  message = message.replace(payloadTag, "");
  if (!StringUtils.isEmpty(encryptionKey)) {
- message = EncryptionUtils.decrypt(message, encryptionKey);
+ message = EncryptionUtils.decryptWithBase64EncodedKey("AES", message, encryptionKey);
  }
  } else if (!allowUntaggedRead && !isEmptyPayloadTag(payloadTag)) {
  throw new InvalidPayloadTagException();
@@ -97,7 +95,7 @@ public String tagAndEncryptPayload(String message) throws EncryptionUtils.Encryp
  }
  String payload = message;
  if (!StringUtils.isEmpty(encryptionKey)) {
- payload = EncryptionUtils.encrypt(payload, encryptionKey);
+ payload = EncryptionUtils.encryptWithBase64EncodedKey("AES", payload, encryptionKey);
  }
  if (payload.contains(PAYLOAD_DELIMITER)) {
  throw new InvalidPayloadException();

app/src/org/commcare/models/database/user/DemoUserBuilder.java

@@ -65,7 +65,7 @@ private void createAndWriteKeyRecordAndUser() {
  int userCount = keyRecordDB.getIDsForValue(UserKeyRecord.META_USERNAME, username).size();
 
  if (userCount == 0) {
- SecretKey secretKey = CryptUtil.generateSemiRandomKey();
+ SecretKey secretKey = CryptUtil.generateRandomSecretKey();
  if (secretKey == null) {
  throw new RuntimeException("Error setting up user's encrypted storage");
  }

app/src/org/commcare/tasks/DataPullTask.java

@@ -223,7 +223,7 @@ private byte[] getEncryptionKey() {
 
  private void initUKRForLogin() {
  if (blockRemoteKeyManagement || shouldGenerateFirstKey()) {
- SecretKey newKey = CryptUtil.generateSemiRandomKey();
+ SecretKey newKey = CryptUtil.generateRandomSecretKey();
  if (newKey == null) {
  return;
  }

app/src/org/commcare/utils/EncryptionKeyProvider.java

@@ -0,0 +1,163 @@
+package org.commcare.utils;
+
+import android.os.Build;
+import android.security.KeyPairGeneratorSpec;
+import android.security.keystore.KeyGenParameterSpec;
+import android.security.keystore.KeyProperties;
+
+import org.commcare.CommCareApplication;
+import org.commcare.util.EncryptionKeyAndTransformation;
+import org.commcare.util.EncryptionUtils;
+import org.commcare.util.IEncryptionKeyProvider;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.Key;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Security;
+import java.security.UnrecoverableEntryException;
+import java.security.cert.CertificateException;
+import java.util.GregorianCalendar;
+
+import javax.crypto.KeyGenerator;
+import javax.security.auth.x500.X500Principal;
+
+import androidx.annotation.RequiresApi;
+
+import static org.commcare.utils.GlobalConstants.KEYSTORE_NAME;
+
+/**
+ * Class for providing encryption keys backed by Android Keystore
+ *
+ * @author dviggiano
+ */
+public class EncryptionKeyProvider implements IEncryptionKeyProvider {
+
+ @RequiresApi(api = Build.VERSION_CODES.M)
+ private static final String ALGORITHM = KeyProperties.KEY_ALGORITHM_AES;
+ @RequiresApi(api = Build.VERSION_CODES.M)
+ private static final String BLOCK_MODE = KeyProperties.BLOCK_MODE_GCM;
+ @RequiresApi(api = Build.VERSION_CODES.M)
+ private static final String PADDING = KeyProperties.ENCRYPTION_PADDING_NONE;
+ private static KeyStore keystoreSingleton = null;
+
+ private static KeyStore getKeyStore() throws KeyStoreException, CertificateException,
+ IOException, NoSuchAlgorithmException {
+ if (keystoreSingleton == null) {
+ keystoreSingleton = KeyStore.getInstance(KEYSTORE_NAME);
+ keystoreSingleton.load(null);
+ }
+ return keystoreSingleton;
+ }
+
+ @Override
+ public EncryptionKeyAndTransformation retrieveKeyFromKeyStore(String keyAlias,
+ EncryptionUtils.CryptographicOperation operation)
+ throws KeyStoreException, UnrecoverableEntryException, NoSuchAlgorithmException,
+ CertificateException, IOException {
+ Key key;
+ if (getKeyStore().containsAlias(keyAlias)) {
+ KeyStore.Entry keyEntry = getKeyStore().getEntry(keyAlias, null);
+ if (keyEntry instanceof KeyStore.PrivateKeyEntry) {
+ if (operation == EncryptionUtils.CryptographicOperation.Encryption) {
+ key = ((KeyStore.PrivateKeyEntry)keyEntry).getCertificate().getPublicKey();
+ } else {
+ key = ((KeyStore.PrivateKeyEntry)keyEntry).getPrivateKey();
+ }
+ } else {
+ key = ((KeyStore.SecretKeyEntry)keyEntry).getSecretKey();
+ }
+ } else {
+ throw new KeyStoreException("Key not found in KeyStore");
+ }
+ if (key != null) {
+ return new EncryptionKeyAndTransformation(key, getTransformationString(key.getAlgorithm()));
+ } else {
+ return null;
+ }
+ }
+
+ // Generates a cryptrographic key and adds it to the Android KeyStore
+ public void generateCryptographicKeyInKeyStore(String keyAlias) {
+ if (isKeyStoreAvailable()) {
+ try {
+ if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
+ KeyGenerator keyGenerator = KeyGenerator
+ .getInstance(getAESKeyAlgorithmRepresentation(), KEYSTORE_NAME);
+ KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(keyAlias,
+ KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
+ .setBlockModes(BLOCK_MODE)
+ .setEncryptionPaddings(PADDING)
+ .build();
+ keyGenerator.init(keyGenParameterSpec);
+ keyGenerator.generateKey();
+ } else {
+ // Because KeyGenParameterSpec was introduced in Android SDK 23, prior versions
+ // need to resource to KeyPairGenerator which only generates asymmetric keys,
+ // hence the need to switch to a correspondent algorithm as well, RSA
+ // TODO: Add link to StackOverflow page
+ KeyPairGenerator keyGenerator = KeyPairGenerator
+ .getInstance(getRSAKeyAlgorithmRepresentation(), KEYSTORE_NAME);
+ GregorianCalendar start = new GregorianCalendar();
+ GregorianCalendar end = new GregorianCalendar();
+ end.add(GregorianCalendar.YEAR, 100);
+
+ KeyPairGeneratorSpec keySpec = new KeyPairGeneratorSpec.Builder(CommCareApplication.instance())
+ // Key alias to be used to retrieve it from the KeyStore
+ .setAlias(keyAlias)
+ // The subject used for the self-signed certificate of the generated pair
+ .setSubject(new X500Principal(String.format("CN=%s", keyAlias)))
+ // The serial number used for the self-signed certificate of the
+ // generated pair
+ .setSerialNumber(BigInteger.valueOf(1337))
+ // Date range of validity for the generated pair
+ .setStartDate(start.getTime())
+ .setEndDate(end.getTime())
+ .build();
+
+ keyGenerator.initialize(keySpec);
+ keyGenerator.generateKeyPair();
+ }
+
+ } catch (NoSuchAlgorithmException | NoSuchProviderException |
+ InvalidAlgorithmParameterException e) {
+ throw new RuntimeException(e);
+ }
+ } else {
+ throw new RuntimeException("KeyStore not available");
+ }
+ }
+
+ @Override
+ public boolean isKeyStoreAvailable() {
+ return Security.getProvider(KEYSTORE_NAME) != null;
+ }
+
+ @Override
+ public String getAESKeyAlgorithmRepresentation() {
+ return ALGORITHM;
+ }
+
+ @Override
+ public String getRSAKeyAlgorithmRepresentation() {
+ return "RSA";
+ }
+
+ @Override
+ public String getTransformationString(String algorithm) {
+ String transformation = null;
+ if (algorithm.equals(getRSAKeyAlgorithmRepresentation())) {
+ transformation = "RSA/ECB/PKCS1Padding";
+ } else if (algorithm.equals(getAESKeyAlgorithmRepresentation())) {
+ transformation = String.format("%s/%s/%s", algorithm, BLOCK_MODE, PADDING);
+ }
+ // This will cause an error if null
+ return transformation;
+ }
+
+}

app/src/org/commcare/utils/EncryptionUtils.java

@@ -1,7 +1,6 @@
 package org.commcare.utils;
 
 import org.commcare.util.Base64;
-
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 

app/src/org/commcare/utils/GlobalConstants.java

@@ -56,4 +56,6 @@ public class GlobalConstants {
  public static final String TRUSTED_SOURCE_PUBLIC_KEY = BuildConfig.TRUSTED_SOURCE_PUBLIC_KEY;
 
  public static final String SMS_INSTALL_KEY_STRING = "[commcare app - do not delete]";
+
+ public static final String KEYSTORE_NAME = "AndroidKeyStore";
 }

app/src/org/commcare/utils/TemplatePrinterUtils.java

@@ -38,7 +38,7 @@
 public abstract class TemplatePrinterUtils {
 
  private static final String FORMAT_REGEX_WITH_DELIMITER = "((?<=%2$s)|(?=%1$s))";
- private static final SecretKey KEY = CryptUtil.generateSemiRandomKey();
+ private static final SecretKey KEY = CryptUtil.generateRandomSecretKey();
 
  /**
  * Concatenate all Strings in a String array to one String.