Encrypt credentials in memory

app/assets/locales/android_translatable_strings.txt

@@ -196,11 +196,12 @@ post.generic.error=An error occurred while preparing the HTTP request
 post.dialog.title=Claiming...
 post.dialog.body=Claiming chosen data from server
 post.io.error=Error reading server response: ${0}
-post.unknown.response=Received unknown resonse code (${0}) from server
+post.unknown.response=Received unknown response code (${0}) from server
 post.client.error=Client-side error (code ${0}) received from network request.
 post.server.error=Server-side error (code ${0}) received from network request.
 post.gone.error=Case is not present on server.
 post.conflict.error=You have already claimed this case.
+post.cache.encryption.key.error=Encryption error while processing server response: ${0}
 
 version.id.long=CommCare Android, version "${0}"(${1}). App v${5}. CommCare Version ${2}. Build ${3}, built on: ${4}
 version.id.short=CCDroid:"${0}"(${1}). v${5} CC${2}b[${3}] on ${4}
@@ -263,6 +264,7 @@ app.handled.error.explanation=CommCare will now restart. You may need to correct
 app.key.request.message=Another android application has requested the ability to communicate securely with CommCare. This application will be able to pass information to CommCare and trigger actions (submission, login, etc). Do you want to grant access?
 app.key.request.grant=Grant Access
 app.key.request.deny=Deny Access
+app.key.request.encryption.key.error=Error during encryption Key generation
 
 key.manage.title=Logging in
 key.manage.start=Logging in
@@ -924,6 +926,7 @@ nfc.write.type.not.supported=The well-known type you tried to write is not suppo
 nfc.write.io.error=An IO error occurred while attempting to write the Ndef message to your NFC tag
 nfc.write.msg.malformed=The Ndef message that you attempted to write was malformed
 nfc.write.success=NFC write was successful!
+nfc.write.encryption.key.error=An error occurred while handling the encryption key
 nfc.missing.domain=A domain must be provided when specifying a custom type for your NFC action
 nfc.read.success=NFC read was successful!
 nfc.read.io.error=An IO error occurred while attempting to read the Ndef message
@@ -934,6 +937,7 @@ nfc.read.error.no.ndef=The message on this NFC tag is not of a format that Andro
 nfc.read.no.data=The provided NFC tag had no data on it to read
 nfc.read.error.unsupported=The message read from the NFC tag is of a type not supported by CommCare
 nfc.read.error.mismatch=The message read from the NFC tag does not match the type specified by this app's configuration
+nfc.read.msg.decryption.key.error=An error occurred while handling the encryption key
 
 reason.for.quarantine.title=Reason for Quarantine
 reason.for.quarantine.prefix=Quarantine Reason:

app/build.gradle

@@ -136,31 +136,30 @@ dependencies {
 }
 
 ext {
-    // Obtained from ~/.gradle/gradle.properties on build server (mobile agent), or your local
     // Obtained from ~/.gradle/gradle.properties on build server (mobile agent), or your local
     // ~/.gradle/gradle.properties file, or loads default empty strings if neither is present
-    MAPBOX_SDK_API_KEY = project.properties['MAPBOX_SDK_API_KEY'] ?: ""
-    ANALYTICS_TRACKING_ID_DEV = project.properties['ANALYTICS_TRACKING_ID_DEV'] ?: ""
-    ANALYTICS_TRACKING_ID_LIVE = project.properties['ANALYTICS_TRACKING_ID_LIVE'] ?: ""
-    GOOGLE_PLAY_MAPS_API_KEY = project.properties['GOOGLE_PLAY_MAPS_API_KEY'] ?: ""
-    RELEASE_STORE_FILE = project.properties['RELEASE_STORE_FILE'] ?: "."
-    RELEASE_STORE_PASSWORD = project.properties['RELEASE_STORE_PASSWORD'] ?: ""
-    RELEASE_KEY_ALIAS = project.properties['RELEASE_KEY_ALIAS'] ?: ""
-    RELEASE_KEY_PASSWORD = project.properties['RELEASE_KEY_PASSWORD'] ?: ""
+    MAPBOX_SDK_API_KEY = project.properties['MAPBOX_SDK_API_KEY'] ?: ''
+    ANALYTICS_TRACKING_ID_DEV = project.properties['ANALYTICS_TRACKING_ID_DEV'] ?: ''
+    ANALYTICS_TRACKING_ID_LIVE = project.properties['ANALYTICS_TRACKING_ID_LIVE'] ?: ''
+    GOOGLE_PLAY_MAPS_API_KEY = project.properties['GOOGLE_PLAY_MAPS_API_KEY'] ?: ''
+    RELEASE_STORE_FILE = project.properties['RELEASE_STORE_FILE'] ?: '.'
+    RELEASE_STORE_PASSWORD = project.properties['RELEASE_STORE_PASSWORD'] ?: ''
+    RELEASE_KEY_ALIAS = project.properties['RELEASE_KEY_ALIAS'] ?: ''
+    RELEASE_KEY_PASSWORD = project.properties['RELEASE_KEY_PASSWORD'] ?: ''
     TRUSTED_SOURCE_PUBLIC_KEY = project.properties['TRUSTED_SOURCE_PUBLIC_KEY'] ?:
             "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHiuy2ULV4pobkuQN2TEjmR1tn" +
                     "HJ+F335hm/lVdaFQzvBmeq64MUMbumheVLDJaSUiAVzqSHDKJWH01ZQRowqBYjwo" +
                     "ycVSQSeO2glc6XZZ+CJudAPXe8iFWLQp3kBBnBmVcBXCOQFO7aLgQMv4nqKZsLW0" +
                     "HaAJkjpnc165Os+aYwIDAQAB"
-    GOOGLE_SERVICES_API_KEY = project.properties['GOOGLE_SERVICES_API_KEY'] ?: ""
-    QA_BETA_APP_ID = ""
-    STANDALONE_APP_ID = ""
-    LTS_APP_ID = ""
-    COMMCARE_APP_ID = ""
-    HQ_API_USERNAME = project.properties['HQ_API_USERNAME'] ?: ""
-    HQ_API_PASSWORD = project.properties['HQ_API_PASSWORD'] ?: ""
-    TEST_BUILD_TYPE = project.properties['TEST_BUILD_TYPE'] ?: "debug"
-    FIREBASE_DATABASE_URL = project.properties['FIREBASE_DATABASE_URL'] ?: ""
+    GOOGLE_SERVICES_API_KEY = project.properties['GOOGLE_SERVICES_API_KEY'] ?: ''
+    QA_BETA_APP_ID = ''
+    STANDALONE_APP_ID = ''
+    LTS_APP_ID = ''
+    COMMCARE_APP_ID = ''
+    HQ_API_USERNAME = project.properties['HQ_API_USERNAME'] ?: ''
+    HQ_API_PASSWORD = project.properties['HQ_API_PASSWORD'] ?: ''
+    TEST_BUILD_TYPE = project.properties['TEST_BUILD_TYPE'] ?: 'debug'
+    FIREBASE_DATABASE_URL = project.properties['FIREBASE_DATABASE_URL'] ?: ''
 }
 
 afterEvaluate {

app/src/META-INF/services/org.commcare.util.IKeyStoreEncryptionKeyProvider

@@ -0,0 +1 @@
+org.commcare.utils.KeyStoreEncryptionKeyProvider

app/src/org/commcare/CommCareApplication.java

@@ -140,6 +140,8 @@
 import okhttp3.MultipartBody;
 import okhttp3.RequestBody;
 
+import static org.commcare.util.EncryptionKeyHelper.CC_IN_MEMORY_ENCRYPTION_KEY_ALIAS;
+
 public class CommCareApplication extends MultiDexApplication {
 
     private static final String TAG = CommCareApplication.class.getSimpleName();

app/src/org/commcare/activities/InstallFromListActivity.java

@@ -32,6 +32,7 @@
 import org.commcare.preferences.GlobalPrivilegesManager;
 import org.commcare.tasks.ModernHttpTask;
 import org.commcare.tasks.templates.CommCareTaskConnector;
+import org.commcare.util.EncryptionKeyHelper;
 import org.commcare.util.LogTypes;
 import org.commcare.utils.ConnectivityStatus;
 import org.commcare.views.UserfacingErrorHandling;
@@ -355,6 +356,13 @@ public void handleIOException(IOException exception) {
         repeatRequestOrShowResults(true, false);
     }
 
+    @Override
+    public void handleEncryptionKeyException(EncryptionKeyHelper.EncryptionKeyException exception) {
+        Logger.log(LogTypes.TYPE_ERROR_ENCRYPTION_KEY,
+                "An ENcryptionKeyException was encountered when pocessing available apps request: " + exception.getMessage());
+        repeatRequestOrShowResults(true, false);
+    }
+
     private void handleRequestError(int responseCode, boolean couldBeUserError) {
         Logger.log(LogTypes.TYPE_ERROR_SERVER_COMMS,
                 "Request to " + urlCurrentlyRequestingFrom + " in get available apps request " +

app/src/org/commcare/activities/KeyAccessRequestActivity.java

@@ -4,12 +4,16 @@
 import android.os.Bundle;
 import android.widget.Button;
 import android.widget.TextView;
+import android.widget.Toast;
 
 import org.commcare.CommCareApplication;
 import org.commcare.android.database.global.models.AndroidSharedKeyRecord;
 import org.commcare.dalvik.R;
+import org.commcare.util.EncryptionKeyHelper;
 import org.commcare.views.ManagedUi;
 import org.commcare.views.UiElement;
+import org.javarosa.core.services.Logger;
+import org.javarosa.core.services.locale.Localization;
 
 import androidx.appcompat.app.AppCompatActivity;
 
@@ -34,7 +38,14 @@ protected void onCreate(Bundle savedInstanceState) {
 
         grantButton.setOnClickListener(v -> {
             Intent response = new Intent(getIntent());
-            AndroidSharedKeyRecord record = AndroidSharedKeyRecord.generateNewSharingKey();
+            AndroidSharedKeyRecord record = null;
+            try {
+                record = AndroidSharedKeyRecord.generateNewSharingKey();
+            } catch (EncryptionKeyHelper.EncryptionKeyException e) {
+                Toast.makeText(this, Localization.get("app.key.request.encryption.key.error"), Toast.LENGTH_LONG).show();
+                Logger.exception("Exception while generating encryption key ", e);
+                return;
+            }
             CommCareApplication.instance().getGlobalStorage(AndroidSharedKeyRecord.class).write(record);
             record.writeResponseToIntent(response);
             setResult(AppCompatActivity.RESULT_OK, response);

app/src/org/commcare/activities/PostRequestActivity.java

@@ -19,6 +19,7 @@
 import org.commcare.tasks.DataPullTask;
 import org.commcare.tasks.ModernHttpTask;
 import org.commcare.tasks.templates.CommCareTaskConnector;
+import org.commcare.util.EncryptionKeyHelper;
 import org.commcare.views.ManagedUi;
 import org.commcare.views.UiElement;
 import org.commcare.views.dialogs.CustomProgressDialog;
@@ -214,6 +215,11 @@ public void handleIOException(IOException exception) {
         }
     }
 
+    @Override
+    public void handleEncryptionKeyException(EncryptionKeyHelper.EncryptionKeyException exception) {
+        enterErrorState(Localization.get("post.cache.encryption.key.error", exception.getMessage()));
+    }
+
     @Override
     public void onBackPressed() {
         if (inErrorState) {

app/src/org/commcare/activities/QueryRequestActivity.java

@@ -23,6 +23,7 @@
 import org.commcare.session.RemoteQuerySessionManager;
 import org.commcare.tasks.ModernHttpTask;
 import org.commcare.tasks.templates.CommCareTaskConnector;
+import org.commcare.util.EncryptionKeyHelper;
 import org.commcare.utils.SessionRegistrationHelper;
 import org.commcare.utils.SessionUnavailableException;
 import org.commcare.views.UserfacingErrorHandling;
@@ -196,6 +197,11 @@ public void handleIOException(IOException exception) {
         }
     }
 
+    @Override
+    public void handleEncryptionKeyException(EncryptionKeyHelper.EncryptionKeyException exception) {
+        enterErrorState(Localization.get("post.cache.encryption.key.error", exception.getMessage()));
+    }
+
     @Override
     public CustomProgressDialog generateProgressDialog(int taskId) {
         String title, message;

app/src/org/commcare/android/database/global/models/AndroidSharedKeyRecord.java

@@ -9,14 +9,12 @@
 import org.commcare.models.framework.Persisting;
 import org.commcare.modern.database.Table;
 import org.commcare.modern.models.MetaField;
+import org.commcare.util.EncryptionKeyHelper;
 import org.javarosa.core.services.Logger;
 import org.javarosa.core.util.PropertyUtils;
 
 import java.security.GeneralSecurityException;
 import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
 
 /**
  * This is a record of a key that CommCare ODK has shared with another app
@@ -51,19 +49,12 @@ public AndroidSharedKeyRecord(String keyId, byte[] privateKey, byte[] publicKey)
         this.publicKey = publicKey;
     }
 
-    public static AndroidSharedKeyRecord generateNewSharingKey() {
-        try {
-            KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
-            generator.initialize(512, new SecureRandom());
-            KeyPair pair = generator.genKeyPair();
-            byte[] encodedPrivate = pair.getPrivate().getEncoded();
-            String privateEncoding = pair.getPrivate().getFormat();
-            byte[] encodedPublic = pair.getPublic().getEncoded();
-            String publicencoding = pair.getPublic().getFormat();
-            return new AndroidSharedKeyRecord(PropertyUtils.genUUID(), pair.getPrivate().getEncoded(), pair.getPublic().getEncoded());
-        } catch (NoSuchAlgorithmException nsae) {
-            return null;
-        }
+    public static AndroidSharedKeyRecord generateNewSharingKey()
+            throws EncryptionKeyHelper.EncryptionKeyException {
+        KeyPair pair = CryptUtil.generateRandomKeyPair(512);
+        byte[] encodedPrivate = pair.getPrivate().getEncoded();
+        byte[] encodedPublic = pair.getPublic().getEncoded();
+        return new AndroidSharedKeyRecord(PropertyUtils.genUUID(), encodedPrivate, encodedPublic);
     }
 
     private String getKeyId() {

app/src/org/commcare/android/nfc/NfcManager.java

@@ -1,14 +1,13 @@
 package org.commcare.android.nfc;
 
-import android.annotation.TargetApi;
 import android.app.PendingIntent;
 import android.content.Context;
 import android.content.IntentFilter;
 import android.nfc.NfcAdapter;
-import android.os.Build;
 
 import org.apache.commons.lang3.StringUtils;
-import org.commcare.util.EncryptionUtils;
+import org.commcare.util.EncryptionHelper;
+import org.commcare.util.EncryptionKeyHelper;
 
 import javax.annotation.Nullable;
 
@@ -55,12 +54,13 @@ public void disableForegroundDispatch(AppCompatActivity activity) {
         }
     }
 
-    public String decryptValue(String message) throws EncryptionUtils.EncryptionException {
+    public String decryptValue(String message)
+            throws EncryptionHelper.EncryptionException, EncryptionKeyHelper.EncryptionKeyException {
         String payloadTag = getPayloadTag();
         if (message.startsWith(payloadTag)) {
             message = message.replace(payloadTag, "");
             if (!StringUtils.isEmpty(encryptionKey)) {
-                message = EncryptionUtils.decrypt(message, encryptionKey);
+                    message = EncryptionHelper.decryptWithEncodedKey(message, encryptionKey);
             }
         } else if (!allowUntaggedRead && !isEmptyPayloadTag(payloadTag)) {
             throw new InvalidPayloadTagException();
@@ -91,13 +91,14 @@ private boolean isEmptyPayloadTag(String payloadTag) {
         return payloadTag.contentEquals(getEmptyPayloadTag());
     }
 
-    public String tagAndEncryptPayload(String message) throws EncryptionUtils.EncryptionException {
+    public String tagAndEncryptPayload(String message)
+            throws EncryptionHelper.EncryptionException, EncryptionKeyHelper.EncryptionKeyException {
         if (StringUtils.isEmpty(message)) {
             return message;
         }
         String payload = message;
         if (!StringUtils.isEmpty(encryptionKey)) {
-            payload = EncryptionUtils.encrypt(payload, encryptionKey);
+            payload = EncryptionHelper.encryptWithEncodedKey(payload, encryptionKey);
         }
         if (payload.contains(PAYLOAD_DELIMITER)) {
             throw new InvalidPayloadException();

app/src/org/commcare/android/nfc/NfcReadActivity.java

@@ -1,18 +1,17 @@
 package org.commcare.android.nfc;
 
-import android.annotation.TargetApi;
 import android.content.Intent;
 import android.nfc.FormatException;
 import android.nfc.NdefMessage;
 import android.nfc.NdefRecord;
 import android.nfc.Tag;
 import android.nfc.tech.Ndef;
-import android.os.Build;
 import android.os.Bundle;
 import android.util.Pair;
 
 import org.commcare.android.javarosa.IntentCallout;
-import org.commcare.util.EncryptionUtils;
+import org.commcare.util.EncryptionHelper;
+import org.commcare.util.EncryptionKeyHelper;
 
 import java.io.IOException;
 
@@ -95,11 +94,13 @@ private void readFromNfcTag(Tag tag) {
             finishWithErrorToast("nfc.read.io.error", e);
         } catch (FormatException e) {
             finishWithErrorToast("nfc.read.msg.malformed", e);
-        } catch (EncryptionUtils.EncryptionException e) {
+        } catch (EncryptionHelper.EncryptionException e) {
             finishWithErrorToast("nfc.read.msg.decryption.error", e);
         } catch (NfcManager.InvalidPayloadTagException e) {
             // payload doesn't have our tag attached, so we should not let the app read this message
             finishWithErrorToast("nfc.read.msg.payload.tag.error");
+        } catch (EncryptionKeyHelper.EncryptionKeyException e) {
+            finishWithErrorToast("nfc.read.msg.decryption.key.error", e);
         } finally {
             try {
                 ndefObject.close();

app/src/org/commcare/android/nfc/NfcWriteActivity.java

@@ -1,17 +1,16 @@
 package org.commcare.android.nfc;
 
-import android.annotation.TargetApi;
 import android.content.Intent;
 import android.nfc.FormatException;
 import android.nfc.NdefMessage;
 import android.nfc.NdefRecord;
 import android.nfc.Tag;
 import android.nfc.tech.Ndef;
-import android.os.Build;
 import android.os.Bundle;
 
 import org.commcare.android.javarosa.IntentCallout;
-import org.commcare.util.EncryptionUtils;
+import org.commcare.util.EncryptionHelper;
+import org.commcare.util.EncryptionKeyHelper;
 
 import java.io.IOException;
 
@@ -42,10 +41,12 @@ protected void initFields() {
         typeForPayload = getIntent().getStringExtra(NFC_PAYLOAD_SINGLE_TYPE_ARG);
         try {
             payloadToWrite = nfcManager.tagAndEncryptPayload(getIntent().getStringExtra(NFC_PAYLOAD_TO_WRITE));
-        } catch (EncryptionUtils.EncryptionException e) {
+        } catch (EncryptionHelper.EncryptionException e) {
             finishWithErrorToast("nfc.write.encryption.error", e);
         } catch (NfcManager.InvalidPayloadException e) {
             finishWithErrorToast("nfc.write.payload.error", e);
+        } catch (EncryptionKeyHelper.EncryptionKeyException e) {
+            finishWithErrorToast("nfc.write.encryption.error", e);
         }
     }
 

app/src/org/commcare/models/database/user/DemoUserBuilder.java

@@ -11,6 +11,7 @@
 import org.commcare.android.database.app.models.UserKeyRecord;
 import org.commcare.core.encryption.CryptUtil;
 import org.commcare.models.encryption.ByteEncrypter;
+import org.commcare.util.EncryptionKeyHelper;
 import org.javarosa.core.model.User;
 import org.javarosa.core.util.PropertyUtils;
 
@@ -65,8 +66,11 @@ private void createAndWriteKeyRecordAndUser() {
         int userCount = keyRecordDB.getIDsForValue(UserKeyRecord.META_USERNAME, username).size();
 
         if (userCount == 0) {
-            SecretKey secretKey = CryptUtil.generateSemiRandomKey();
-            if (secretKey == null) {
+
+            SecretKey secretKey;
+            try {
+                secretKey = CryptUtil.generateRandomSecretKey();
+            } catch (EncryptionKeyHelper.EncryptionKeyException e) {
                 throw new RuntimeException("Error setting up user's encrypted storage");
             }
             randomKey = secretKey.getEncoded();

app/src/org/commcare/network/GetAndParseActor.java

@@ -12,6 +12,7 @@
 import org.commcare.core.network.AuthInfo;
 import org.commcare.core.network.AuthenticationInterceptor;
 import org.commcare.core.network.ModernHttpRequester;
+import org.commcare.util.EncryptionKeyHelper;
 import org.commcare.util.LogTypes;
 import org.javarosa.core.io.StreamsUtil;
 import org.javarosa.core.services.Logger;
@@ -108,6 +109,13 @@ public void handleIOException(IOException exception) {
             }
         }
 
+        @Override
+        public void handleEncryptionKeyException(EncryptionKeyHelper.EncryptionKeyException exception) {
+            Logger.log(LogTypes.TYPE_ERROR_ENCRYPTION_KEY,
+                    String.format("Encountered EncryptionKeyException while getting response stream for %s response: %s",
+                            requestName, exception.getMessage()));
+        }
+
         private void processErrorResponse(int responseCode) {
             Logger.log(LogTypes.TYPE_ERROR_SERVER_COMMS,
                     String.format("Received error response from %s request: %s", requestName, responseCode));