Switch the DB Password to use the KeyStore MasterKey (#98)

Signed-off-by: d067928 <jakob.moeller@sap.com>

Switch the DB Password to use the KeyStore MasterKey (#98)
b29232b0 · Jakob Möller · GitHub · 2db640ba · b29232b0 · b29232b0
Unverified Commit b29232b0 authored 4 years ago by Jakob Möller Committed by GitHub 4 years ago
--- a/Corona-Warn-App/src/main/java/de/rki/coronawarnapp/storage/AppDatabase.kt
+++ b/Corona-Warn-App/src/main/java/de/rki/coronawarnapp/storage/AppDatabase.kt
@@ -10,9 +10,9 @@ import de.rki.coronawarnapp.storage.keycache.KeyCacheEntity
 import de.rki.coronawarnapp.storage.tracing.TracingIntervalDao
 import de.rki.coronawarnapp.storage.tracing.TracingIntervalEntity
 import de.rki.coronawarnapp.util.Converters
+import de.rki.coronawarnapp.util.security.SecurityHelper
 import net.sqlcipher.database.SQLiteDatabase
 import net.sqlcipher.database.SupportFactory
-import java.util.UUID
 @Database(
    entities = [ExposureSummaryEntity::class, KeyCacheEntity::class, TracingIntervalEntity::class],
@@ -39,11 +39,8 @@ abstract class AppDatabase : RoomDatabase() {
        fun resetInstance(context: Context) = { instance = null }.also { getInstance(context) }
        private fun buildDatabase(context: Context): AppDatabase {
-            if (LocalData.databasePassword() == null) {
-                LocalData.databasePassword(UUID.randomUUID().toString().toCharArray())
-            }
            return Room.databaseBuilder(context, AppDatabase::class.java, DATABASE_NAME)
-                .openHelperFactory(SupportFactory(SQLiteDatabase.getBytes(LocalData.databasePassword())))
+                .openHelperFactory(SupportFactory(SQLiteDatabase.getBytes(SecurityHelper.getDBPassword())))
                .build()
        }
    }

--- a/Corona-Warn-App/src/main/java/de/rki/coronawarnapp/storage/LocalData.kt
+++ b/Corona-Warn-App/src/main/java/de/rki/coronawarnapp/storage/LocalData.kt
@@ -469,27 +469,6 @@ object LocalData {
        CoronaWarnApplication.getAppContext().getString(R.string.preference_teletan), null
    )
-    /****************************************************
-     * DATABASE PASSWORD
-     ****************************************************/
-    fun databasePassword(): CharArray? = getSharedPreferenceInstance().getString(
-        CoronaWarnApplication.getAppContext()
-            .getString(R.string.preference_database_password),
-        null
-    )?.toCharArray()
-    fun databasePassword(password: CharArray) {
-        with(getSharedPreferenceInstance().edit()) {
-            putString(
-                CoronaWarnApplication.getAppContext()
-                    .getString(R.string.preference_database_password),
-                password.toString()
-            )
-            commit()
-        }
-    }
    /****************************************************
     * ENCRYPTED SHARED PREFERENCES HANDLING
     ****************************************************/

--- a/Corona-Warn-App/src/main/java/de/rki/coronawarnapp/util/DataRetentionHelper.kt
+++ b/Corona-Warn-App/src/main/java/de/rki/coronawarnapp/util/DataRetentionHelper.kt
@@ -24,7 +24,6 @@ import android.util.Log
 import de.rki.coronawarnapp.storage.AppDatabase
 import de.rki.coronawarnapp.storage.FileStorageHelper
 import de.rki.coronawarnapp.storage.LocalData
-import java.util.UUID
 /**
 * Helper for supplying functionality regarding Data Retention
@@ -44,7 +43,6 @@ object DataRetentionHelper {
        LocalData.getSharedPreferenceInstance().edit().clear().apply()
        // Delete Database Instance
        AppDatabase.resetInstance(context)
-        LocalData.databasePassword(UUID.randomUUID().toString().toCharArray())
        // Export File Reset
        FileStorageHelper.getAllFilesInKeyExportDirectory().forEach { it.delete() }
        Log.w(TAG, "CWA LOCAL DATA DELETION COMPLETED.")

--- a/Corona-Warn-App/src/main/java/de/rki/coronawarnapp/util/security/SecurityHelper.kt
+++ b/Corona-Warn-App/src/main/java/de/rki/coronawarnapp/util/security/SecurityHelper.kt
@@ -24,16 +24,30 @@ import android.content.SharedPreferences
 import androidx.security.crypto.EncryptedSharedPreferences
 import androidx.security.crypto.MasterKeys
 import de.rki.coronawarnapp.CoronaWarnApplication
+import java.security.KeyStore
+/**
+ * Key Store and Password Access
+ */
 object SecurityHelper {
    private const val SHARED_PREF_NAME = "shared_preferences_cwa"
    private val keyGenParameterSpec = MasterKeys.AES256_GCM_SPEC
    private val masterKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec)
+    private const val AndroidKeyStore = "AndroidKeyStore"
+    private val keyStore: KeyStore by lazy {
+        KeyStore.getInstance(AndroidKeyStore).also {
+            it.load(null)
+        }
+    }
    val globalEncryptedSharedPreferencesInstance: SharedPreferences by lazy {
        CoronaWarnApplication.getAppContext().getEncryptedSharedPrefs(SHARED_PREF_NAME)
    }
+    /**
+     * Initializes the private encrypted key store
+     */
    private fun Context.getEncryptedSharedPrefs(fileName: String) = EncryptedSharedPreferences
        .create(
            fileName,
@@ -42,4 +56,12 @@ object SecurityHelper {
            EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
            EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
        )
+    /**
+     * Retrieves the Master Key from the Android KeyStore to use in SQLCipher
+     */
+    fun getDBPassword() = keyStore
+        .getKey(masterKeyAlias, null)
+        .toString()
+        .toCharArray()
 }