Merge pull request #9 from tombailey/master

Use hybrid RSA and AES keys to resolve RSA 256bytes input limit

Author: pradeep1991singh

android/build.gradle

@@ -16,7 +16,7 @@ android {
     buildToolsVersion "23.0.1"
 
     defaultConfig {
-        minSdkVersion 16
+        minSdkVersion 18
         targetSdkVersion 22
         versionCode 1
         versionName "1.0"

android/src/main/java/com/reactlibrary/securekeystore/Constants.java

@@ -8,9 +8,15 @@ public class Constants {
     public static final String KEYSTORE_PROVIDER_1 = "AndroidKeyStore";
     public static final String KEYSTORE_PROVIDER_2 = "AndroidKeyStoreBCWorkaround";
     public static final String KEYSTORE_PROVIDER_3 = "AndroidOpenSSL";
+
     public static final String RSA_ALGORITHM = "RSA/ECB/PKCS1Padding";
+    public static final String AES_ALGORITHM = "AES/ECB/PKCS5Padding";
+
     public static final String TAG = "SecureKeyStore";
 
     // Internal storage file
-    public static final String SKS_FILENAME = "SKS_KEY_FILE";
+    public static final String SKS_KEY_FILENAME = "SKS_KEY_FILE";
+    public static final String SKS_DATA_FILENAME = "SKS_DATA_FILE";
+
+    public static final int MAX_CIPHERTEXT_CHUNK_LENGTH = 128;
 }

android/src/main/java/com/reactlibrary/securekeystore/KeyStorage.java

@@ -6,32 +6,34 @@
 
 package com.reactlibrary.securekeystore;
 
-import com.facebook.react.bridge.NativeModule;
+import android.content.Context;
+import android.os.Build;
+import android.security.KeyPairGeneratorSpec;
+import android.util.Log;
+
+import com.facebook.react.bridge.Promise;
 import com.facebook.react.bridge.ReactApplicationContext;
-import com.facebook.react.bridge.ReactContext;
 import com.facebook.react.bridge.ReactContextBaseJavaModule;
 import com.facebook.react.bridge.ReactMethod;
-import com.facebook.react.bridge.Promise;
 
-import android.content.Context;
-import android.util.Log;
-import android.util.Base64;
-import android.security.KeyPairGeneratorSpec;
-import android.os.Build;
-
-import java.security.*;
-import java.math.BigInteger;
-import java.util.ArrayList;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.lang.StringBuffer;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.GeneralSecurityException;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.PublicKey;
 import java.util.Calendar;
 
 import javax.crypto.Cipher;
 import javax.crypto.CipherInputStream;
 import javax.crypto.CipherOutputStream;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
 import javax.security.auth.x500.X500Principal;
 
 public class RNSecureKeyStoreModule extends ReactContextBaseJavaModule {
@@ -50,104 +52,163 @@ public String getName() {
 
   @ReactMethod
   public void set(String alias, String input, Promise promise) {
-
     try {
+      setCipherText(alias, input);
+      promise.resolve("stored ciphertext in app storage");
+    } catch (Exception e) {
+      e.printStackTrace();
+      Log.e(Constants.TAG, "Exception: " + e.getMessage());
+      promise.reject("{\"code\":9,\"api-level\":" + Build.VERSION.SDK_INT + ",\"message\":" + e.getMessage() + "}");
+    }
+  }
 
-      KeyStore keyStore = KeyStore.getInstance(getKeyStore());
-      keyStore.load(null);
-
-      if (!keyStore.containsAlias(alias)) {
-        Calendar start = Calendar.getInstance();
-        Calendar end = Calendar.getInstance();
-        end.add(Calendar.YEAR, 1);
-        KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(getContext())
-                                        .setAlias(alias)
-                                        .setSubject(new X500Principal("CN=" + alias))
-                                        .setSerialNumber(BigInteger.ONE)
-                                        .setStartDate(start.getTime())
-                                        .setEndDate(end.getTime()).build();
-
-        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", getKeyStore());
-        generator.initialize(spec);
+  private PublicKey getOrCreatePublicKey(String alias) throws GeneralSecurityException, IOException {
+    KeyStore keyStore = KeyStore.getInstance(getKeyStore());
+    keyStore.load(null);
 
-        KeyPair keyPair = generator.generateKeyPair();
+    if (!keyStore.containsAlias(alias)) {
+      Log.i(Constants.TAG, "no existing asymmetric keys for alias");
 
-        Log.i(Constants.TAG, "created new key pairs");
-      }
+      Calendar start = Calendar.getInstance();
+      Calendar end = Calendar.getInstance();
+      end.add(Calendar.YEAR, 50);
+      KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(getContext())
+              .setAlias(alias)
+              .setSubject(new X500Principal("CN=" + alias))
+              .setSerialNumber(BigInteger.ONE)
+              .setStartDate(start.getTime())
+              .setEndDate(end.getTime()).build();
 
-      PublicKey publicKey = keyStore.getCertificate(alias).getPublicKey();
+      KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", getKeyStore());
+      generator.initialize(spec);
+      generator.generateKeyPair();
 
-      if (input.isEmpty()) {
-        Log.d(Constants.TAG, "Exception: input text is empty");
-        return;
-      }
+      Log.i(Constants.TAG, "created new asymmetric keys for alias");
+    }
 
-      Cipher cipher = Cipher.getInstance(Constants.RSA_ALGORITHM);
-      cipher.init(Cipher.ENCRYPT_MODE, publicKey);
-      ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
-      CipherOutputStream cipherOutputStream = new CipherOutputStream(outputStream, cipher);
-      cipherOutputStream.write(input.getBytes("UTF-8"));
-      cipherOutputStream.close();
-      byte[] vals = outputStream.toByteArray();
+    return keyStore.getCertificate(alias).getPublicKey();
+  }
 
-      // writing key to storage
-      KeyStorage.writeValues(getContext(), alias, vals);
-      Log.i(Constants.TAG, "key created and stored successfully");
-      promise.resolve("key stored successfully");
+  private byte[] encryptRsaPlainText(PublicKey publicKey, byte[] plainTextBytes) throws GeneralSecurityException, IOException {
+    Cipher cipher = Cipher.getInstance(Constants.RSA_ALGORITHM);
+    cipher.init(Cipher.ENCRYPT_MODE, publicKey);
+    return encryptCipherText(cipher, plainTextBytes);
+  }
 
-    } catch (Exception e) {
-      Log.e(Constants.TAG, "Exception: " + e.getMessage());
-      promise.reject("{\"code\":9,\"api-level\":" + Build.VERSION.SDK_INT + ",\"message\":" + e.getMessage() + "}");
-    }
+  private byte[] encryptAesPlainText(SecretKey secretKey, String plainText) throws GeneralSecurityException, IOException {
+    Cipher cipher = Cipher.getInstance(Constants.AES_ALGORITHM);
+    cipher.init(Cipher.ENCRYPT_MODE, secretKey);
+    return encryptCipherText(cipher, plainText);
+  }
 
+  private byte[] encryptCipherText(Cipher cipher, String plainText) throws GeneralSecurityException, IOException {
+    return encryptCipherText(cipher, plainText.getBytes("UTF-8"));
   }
 
-  @ReactMethod
-  public void get(String alias, Promise promise) {
+  private byte[] encryptCipherText(Cipher cipher, byte[] plainTextBytes) throws GeneralSecurityException, IOException {
+    ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+    CipherOutputStream cipherOutputStream = new CipherOutputStream(outputStream, cipher);
+    cipherOutputStream.write(plainTextBytes);
+    cipherOutputStream.close();
+    return outputStream.toByteArray();
+  }
 
+  private SecretKey getOrCreateSecretKey(String alias) throws GeneralSecurityException, IOException {
     try {
+      return getSymmetricKey(alias);
+    } catch (FileNotFoundException fnfe) {
+      Log.i(Constants.TAG, "no existing symmetric key for alias");
 
-      KeyStore keyStore = KeyStore.getInstance(getKeyStore());
-      keyStore.load(null);
-      PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, null);
+      KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
+      //32bytes / 256bits AES key
+      keyGenerator.init(256);
+      SecretKey secretKey = keyGenerator.generateKey();
+      PublicKey publicKey = getOrCreatePublicKey(alias);
 
-      Cipher output = Cipher.getInstance(Constants.RSA_ALGORITHM);
-      output.init(Cipher.DECRYPT_MODE, privateKey);
-      CipherInputStream cipherInputStream = new CipherInputStream(
-              new ByteArrayInputStream(KeyStorage.readValues(getContext(), alias)), output);
 
-      ArrayList<Byte> values = new ArrayList<Byte>();
-      int nextByte;
-      while ((nextByte = cipherInputStream.read()) != -1) {
-        values.add((byte) nextByte);
-      }
-      byte[] bytes = new byte[values.size()];
-      for (int i = 0; i < bytes.length; i++) {
-        bytes[i] = values.get(i).byteValue();
-      }
+      //TODO: develop only
+      Log.d(Constants.TAG, "saving secret key: " + new String(secretKey.getEncoded(), "UTF-8"));
 
-      String finalText = new String(bytes, 0, bytes.length, "UTF-8");
-      promise.resolve(finalText);
 
-    } catch (Exception e) {
-      Log.e(Constants.TAG, "Exception: " + e.getMessage());
-      promise.reject("{\"code\":1,\"api-level\":" + Build.VERSION.SDK_INT + ",\"message\":" + e.getMessage() + "}");
+      Storage.writeValues(getContext(), Constants.SKS_KEY_FILENAME + alias,
+        encryptRsaPlainText(publicKey, secretKey.getEncoded()));
+
+      Log.i(Constants.TAG, "created new symmetric keys for alias");
+      return secretKey;
     }
   }
 
+  private void setCipherText(String alias, String input) throws GeneralSecurityException, IOException {
+    Storage.writeValues(getContext(), Constants.SKS_DATA_FILENAME + alias,
+      encryptAesPlainText(getOrCreateSecretKey(alias), input));
+  }
+
   @ReactMethod
-  public void remove(String alias, Promise promise) {
+  public void get(String alias, Promise promise) {
     try {
-      KeyStorage.resetValues(getContext(), alias);
-      Log.i(Constants.TAG, "key removed successfully");
-      promise.resolve("key removed successfully");
-
+      promise.resolve(getPlainText(alias));
     } catch (Exception e) {
+      e.printStackTrace();
       Log.e(Constants.TAG, "Exception: " + e.getMessage());
-      promise.reject("{\"code\":6,\"api-level\":" + Build.VERSION.SDK_INT + ",\"message\":" + e.getMessage() + "}");
+      promise.reject("{\"code\":1,\"api-level\":" + Build.VERSION.SDK_INT + ",\"message\":" + e.getMessage() + "}");
     }
   }
 
+  private PrivateKey getPrivateKey(String alias) throws GeneralSecurityException, IOException {
+    KeyStore keyStore = KeyStore.getInstance(getKeyStore());
+    keyStore.load(null);
+    return (PrivateKey) keyStore.getKey(alias, null);
+  }
+
+  private byte[] decryptRsaCipherText(PrivateKey privateKey, byte[] cipherTextBytes) throws GeneralSecurityException, IOException {
+    Cipher cipher = Cipher.getInstance(Constants.RSA_ALGORITHM);
+    cipher.init(Cipher.DECRYPT_MODE, privateKey);
+    return decryptCipherText(cipher, cipherTextBytes);
+  }
+
+  private byte[] decryptAesCipherText(SecretKey secretKey, byte[] cipherTextBytes) throws GeneralSecurityException, IOException {
+    Cipher cipher = Cipher.getInstance(Constants.AES_ALGORITHM);
+    cipher.init(Cipher.DECRYPT_MODE, secretKey);
+    return decryptCipherText(cipher, cipherTextBytes);
+  }
+
+  private byte[] decryptCipherText(Cipher cipher, byte[] cipherTextBytes) throws IOException {
+    ByteArrayInputStream bais = new ByteArrayInputStream(cipherTextBytes);
+    CipherInputStream cipherInputStream = new CipherInputStream(bais, cipher);
+    ByteArrayOutputStream baos = new ByteArrayOutputStream();
+    byte[] buffer = new byte[256];
+    int bytesRead = cipherInputStream.read(buffer);
+    while (bytesRead != -1) {
+      baos.write(buffer, 0, bytesRead);
+      bytesRead = cipherInputStream.read(buffer);
+    }
+    return baos.toByteArray();
+  }
+
+  private SecretKey getSymmetricKey(String alias) throws GeneralSecurityException, IOException {
+    byte[] cipherTextBytes = Storage.readValues(getContext(), Constants.SKS_KEY_FILENAME + alias);
+
+    //TODO: develop only
+    Log.d(Constants.TAG, "reading secret key: " + new String(decryptRsaCipherText(getPrivateKey(alias), cipherTextBytes), "UTF-8"));
+
+    return new SecretKeySpec(decryptRsaCipherText(getPrivateKey(alias), cipherTextBytes), Constants.AES_ALGORITHM);
+  }
+
+  private String getPlainText(String alias) throws GeneralSecurityException, IOException {
+    SecretKey secretKey = getSymmetricKey(alias);
+    byte[] cipherTextBytes = Storage.readValues(getContext(), Constants.SKS_DATA_FILENAME + alias);
+    return new String(decryptAesCipherText(secretKey, cipherTextBytes), "UTF-8");
+  }
+
+  @ReactMethod
+  public void remove(String alias, Promise promise) {
+    Storage.resetValues(getContext(), new String[]{
+      Constants.SKS_DATA_FILENAME + alias,
+      Constants.SKS_KEY_FILENAME + alias,
+    });
+    promise.resolve("cleared alias");
+  }
+
   private Context getContext() {
     return getReactApplicationContext();
   }