Encrypt credentials in memory

src/main/java/org/commcare/core/encryption/CryptUtil.java

@@ -1,5 +1,6 @@
 package org.commcare.core.encryption;
 
+import org.commcare.util.EncryptionKeyHelper;
 import org.javarosa.core.io.StreamsUtil;
 
 import java.io.ByteArrayInputStream;
@@ -8,6 +9,8 @@
 import java.nio.charset.StandardCharsets;
 import java.security.InvalidKeyException;
 import java.security.KeyFactory;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
@@ -138,16 +141,23 @@ public static SecretKey generateSymmetricKey(byte[] prngSeed) {
         return null;
     }
 
-    public static SecretKey generateSemiRandomKey() {
+    // Generate random Secret key with a default key lenght of 256 bits
+    public static SecretKey generateRandomSecretKey()
+            throws EncryptionKeyHelper.EncryptionKeyException {
+        final int AES_DEFAULT_KEY_LENGTH = 256;
+        return generateRandomSecretKey(AES_DEFAULT_KEY_LENGTH);
+    }
+
+    public static SecretKey generateRandomSecretKey(int keylength)
+            throws EncryptionKeyHelper.EncryptionKeyException {
         KeyGenerator generator;
         try {
             generator = KeyGenerator.getInstance("AES");
-            generator.init(256, new SecureRandom());
+            generator.init(keylength, new SecureRandom());
             return generator.generateKey();
         } catch (NoSuchAlgorithmException e) {
-            e.printStackTrace();
+            throw new EncryptionKeyHelper.EncryptionKeyException("Error encountered while generating random Key Pair", e);
         }
-        return null;
     }
 
     public static Cipher getPrivateKeyCipher(byte[] privateKey)
@@ -176,4 +186,17 @@ private static Cipher getAesKeyCipher(byte[] aesKey, int mode)
         decrypter.init(mode, spec);
         return decrypter;
     }
+
+    // For RSA
+    public static KeyPair generateRandomKeyPair(int keyLength)
+            throws EncryptionKeyHelper.EncryptionKeyException {
+        KeyPairGenerator generator;
+        try {
+             generator = KeyPairGenerator.getInstance("RSA");
+            generator.initialize(keyLength, new SecureRandom());
+            return generator.genKeyPair();
+        } catch (NoSuchAlgorithmException e) {
+            throw new EncryptionKeyHelper.EncryptionKeyException("Error encountered while generating random Key Pair", e);
+        }
+    }
 }

src/main/java/org/commcare/core/interfaces/HttpResponseProcessor.java

@@ -1,5 +1,7 @@
 package org.commcare.core.interfaces;
 
+import org.commcare.util.EncryptionKeyHelper;
+
 import java.io.IOException;
 import java.io.InputStream;
 
@@ -36,4 +38,9 @@ public interface HttpResponseProcessor {
      * A issue occurred while processing the http request or response
      */
     void handleIOException(IOException exception);
+
+    /**
+     * Encryption key error occurred while processing the http response
+     */
+    void handleEncryptionKeyException(EncryptionKeyHelper.EncryptionKeyException mException);
 }

src/main/java/org/commcare/core/interfaces/ResponseStreamAccessor.java

@@ -1,8 +1,10 @@
 package org.commcare.core.interfaces;
 
+import org.commcare.util.EncryptionKeyHelper;
+
 import java.io.IOException;
 import java.io.InputStream;
 
 public interface ResponseStreamAccessor {
-    InputStream getResponseStream() throws IOException;
+    InputStream getResponseStream() throws IOException, EncryptionKeyHelper.EncryptionKeyException;
 }

src/main/java/org/commcare/core/network/ModernHttpRequester.java

@@ -6,6 +6,7 @@
 import org.commcare.core.interfaces.ResponseStreamAccessor;
 import org.commcare.core.network.bitcache.BitCache;
 import org.commcare.core.network.bitcache.BitCacheFactory;
+import org.commcare.util.EncryptionKeyHelper;
 import org.commcare.util.NetworkStatus;
 import org.javarosa.core.io.StreamsUtil;
 
@@ -152,6 +153,9 @@ public static void processResponse(HttpResponseProcessor responseProcessor,
                 } catch (IOException e) {
                     responseProcessor.handleIOException(e);
                     return;
+                } catch (EncryptionKeyHelper.EncryptionKeyException e) {
+                    responseProcessor.handleEncryptionKeyException(e);
+                    return;
                 }
                 responseProcessor.processSuccess(responseCode, responseStream);
             } finally {
@@ -172,7 +176,8 @@ public static void processResponse(HttpResponseProcessor responseProcessor,
      * @throws IOException if an io error happens while reading or writing to cache
      */
 
-    public InputStream getResponseStream(Response<ResponseBody> response) throws IOException {
+    public InputStream getResponseStream(Response<ResponseBody> response)
+            throws IOException, EncryptionKeyHelper.EncryptionKeyException {
         InputStream inputStream = response.body().byteStream();
         BitCache cache = BitCacheFactory.getCache(cacheDirSetup, getContentLength(response));
         cache.initializeCache();
@@ -187,7 +192,8 @@ public InputStream getResponseStream(Response<ResponseBody> response) throws IOE
      * @throws IOException if an io error happens while reading or writing to cache
      */
     @Override
-    public InputStream getResponseStream() throws IOException {
+    public InputStream getResponseStream()
+            throws IOException, EncryptionKeyHelper.EncryptionKeyException {
         return getResponseStream(response);
     }
 

src/main/java/org/commcare/core/network/bitcache/BitCache.java

@@ -1,5 +1,7 @@
 package org.commcare.core.network.bitcache;
 
+import org.commcare.util.EncryptionKeyHelper;
+
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -8,7 +10,7 @@
  * @author ctsims
  */
 public interface BitCache {
-    void initializeCache() throws IOException;
+    void initializeCache() throws IOException, EncryptionKeyHelper.EncryptionKeyException;
 
     OutputStream getCacheStream() throws IOException;
 

src/main/java/org/commcare/core/network/bitcache/FileBitCache.java

@@ -1,6 +1,7 @@
 package org.commcare.core.network.bitcache;
 
 import org.commcare.core.encryption.CryptUtil;
+import org.commcare.util.EncryptionKeyHelper;
 
 import java.io.BufferedInputStream;
 import java.io.BufferedOutputStream;
@@ -33,12 +34,12 @@ protected FileBitCache(BitCacheFactory.CacheDirSetup cacheDirSetup) {
     }
 
     @Override
-    public void initializeCache() throws IOException {
+    public void initializeCache() throws IOException, EncryptionKeyHelper.EncryptionKeyException {
         File cacheLocation = cacheDirSetup.getCacheDir();
 
         //generate temp file
         temp = File.createTempFile("commcare_pull_" + new Date().getTime(), "xml", cacheLocation);
-        key = CryptUtil.generateSemiRandomKey();
+        key = CryptUtil.generateRandomSecretKey();
     }
 
     @Override

src/main/java/org/commcare/util/CommCarePlatform.java

@@ -39,6 +39,7 @@
 public class CommCarePlatform {
     // TODO: We should make this unique using the parser to invalidate this ID or something
     public static final String APP_PROFILE_RESOURCE_ID = "commcare-application-profile";
+
     private int profile;
     private Profile cachedProfile;
 

src/main/java/org/commcare/util/EncryptionHelper.java

@@ -0,0 +1,163 @@
+package org.commcare.util;
+
+import java.nio.ByteBuffer;
+import java.nio.charset.Charset;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.spec.GCMParameterSpec;
+
+public class EncryptionHelper {
+
+    public enum CryptographicOperation {Encryption, Decryption}
+
+    /**
+     * Encrypts a message using a key stored in the platform KeyStore. The key is retrieved using
+     * its alias which is established during key generation.
+     *
+     * @param message  a UTF-8 encoded message to be encrypted
+     * @param keyAlias alias of the Key stored in the KeyStore, depending on the algorithm,
+     *                 it can be a SecretKey (for AES) or PublicKey (for RSA) to be used to
+     *                 encrypt the message
+     * @return A base64 encoded payload containing the IV and AES or RSA encrypted ciphertext,
+     *         which can be decoded by this utility's decrypt method and the same key
+     */
+    public static String encryptWithKeyStore(String message, String keyAlias)
+            throws EncryptionException, EncryptionKeyHelper.EncryptionKeyException {
+        EncryptionKeyAndTransformation keyAndTransformation =
+                EncryptionKeyHelper.retrieveKeyFromKeyStore(keyAlias, CryptographicOperation.Encryption);
+
+        return encrypt(message, keyAndTransformation);
+    }
+
+    public static String encryptWithEncodedKey(String message, String key)
+            throws EncryptionException, EncryptionKeyHelper.EncryptionKeyException {
+        EncryptionKeyAndTransformation keyAndTransformation =
+                EncryptionKeyHelper.retrieveKeyFromEncodedKey(key);
+
+        return encrypt(message, keyAndTransformation);
+    }
+
+    /**
+     * Encrypts a message using the AES or RAS algorithms and produces a base64 encoded payload
+     * containing the ciphertext, and, when applicable, a random IV which was used to encrypt
+     * the input.
+     *
+     * @param message          a UTF-8 encoded message to be encrypted
+     * @param keyAndTransform  depending on the algorithm, a SecretKey or PublicKey, and
+     *                         cryptographic transformation to be used to encrypt the message
+     * @return  A base64 encoded payload containing the IV and AES or RSA encrypted ciphertext,
+     *          which can be decoded by this utility's decrypt method and the same key
+     */
+    private static String encrypt(String message, EncryptionKeyAndTransformation keyAndTransform)
+            throws EncryptionException {
+        final int MIN_IV_LENGTH_BYTE = 1;
+        final int MAX_IV_LENGTH_BYTE = 255;
+
+        try {
+            Cipher cipher = Cipher.getInstance(keyAndTransform.getTransformation());
+            cipher.init(Cipher.ENCRYPT_MODE, keyAndTransform.getKey());
+            byte[] encryptedMessage = cipher.doFinal(message.getBytes(Charset.forName("UTF-8")));
+            byte[] iv = cipher.getIV();
+            int ivSize = (iv == null ? 0 : iv.length);
+            if (ivSize == 0) {
+                iv = new byte[0];
+            } else if (ivSize < MIN_IV_LENGTH_BYTE || ivSize > MAX_IV_LENGTH_BYTE) {
+                throw new EncryptionException("Initialization vector should be between " +
+                        MIN_IV_LENGTH_BYTE + " and " + MAX_IV_LENGTH_BYTE +
+                        " bytes long, but it is " + ivSize + " bytes");
+            }
+            // The conversion of iv.length to byte takes the low 8 bits. To
+            // convert back, cast to int and mask with 0xFF.
+            byte[] ivPlusMessage = ByteBuffer.allocate(1 + ivSize + encryptedMessage.length)
+                    .put((byte)ivSize)
+                    .put(iv)
+                    .put(encryptedMessage)
+                    .array();
+            return Base64.encode(ivPlusMessage);
+        } catch (Exception ex) {
+            throw new EncryptionException("Unknown error during encryption", ex);
+        }
+    }
+
+    /**
+     * Decrypts a base64 payload containing an IV and AES or RSA encrypted ciphertext using a key
+     * stored in the platform KeyStore. The key is retrieved using its alias which is established
+     * during key generation.
+     *
+     * @param message  a UTF-8 encoded message to be decrypted
+     * @param keyAlias key alias of the Key stored in the KeyStore, depending on the algorithm,
+     *                 it can be a SecretKey (for AES) or PrivateKey (for RSA) to be used to
+     *                 decrypt the message
+     * @return Decrypted message of the provided ciphertext,
+     */
+    public static String decryptWithKeyStore(String message, String keyAlias)
+            throws EncryptionKeyHelper.EncryptionKeyException, EncryptionHelper.EncryptionException {
+        EncryptionKeyAndTransformation keyAndTransformation =
+                EncryptionKeyHelper.retrieveKeyFromKeyStore(keyAlias, CryptographicOperation.Decryption);
+
+        return decrypt(message, keyAndTransformation);
+    }
+
+    public static String decryptWithEncodedKey(String message, String key)
+            throws EncryptionException, EncryptionKeyHelper.EncryptionKeyException {
+        EncryptionKeyAndTransformation keyAndTransformation =
+                EncryptionKeyHelper.retrieveKeyFromEncodedKey(key);
+
+        return decrypt(message, keyAndTransformation);
+    }
+
+    /**
+     * Decrypts a base64 payload containing an IV and AES or RSA encrypted ciphertext using the
+     * provided key
+     *
+     * @param message         a message to be decrypted
+     * @param keyAndTransform depending on the algorithm, a Secret key or Private key and its
+     *                        respective cryptographic transformation to be used for decryption
+     * @return Decrypted message for the given encrypted message
+     */
+    private static String decrypt(String message, EncryptionKeyAndTransformation keyAndTransform)
+            throws EncryptionException {
+        final int TAG_LENGTH_BIT = 128;
+
+        try {
+            byte[] messageBytes = Base64.decode(message);
+            ByteBuffer bb = ByteBuffer.wrap(messageBytes);
+            int ivLengthByte = bb.get() & 0xFF;
+            byte[] iv = new byte[ivLengthByte];
+            bb.get(iv);
+
+            byte[] cipherText = new byte[bb.remaining()];
+            bb.get(cipherText);
+
+            Cipher cipher = Cipher.getInstance(keyAndTransform.getTransformation());
+            if (ivLengthByte > 0) {
+                cipher.init(Cipher.DECRYPT_MODE, keyAndTransform.getKey(), new GCMParameterSpec(TAG_LENGTH_BIT, iv));
+            } else {
+                cipher.init(Cipher.DECRYPT_MODE, keyAndTransform.getKey());
+            }
+            byte[] plainText = cipher.doFinal(cipherText);
+            return new String(plainText, Charset.forName("UTF-8"));
+        } catch (NoSuchAlgorithmException | BadPaddingException | NoSuchPaddingException |
+                 IllegalBlockSizeException | InvalidKeyException | Base64DecoderException |
+                 InvalidAlgorithmParameterException e) {
+            throw new EncryptionException("Error encountered while decrypting the message", e);
+        }
+    }
+
+    public static class EncryptionException extends Exception {
+
+        public EncryptionException(String message) {
+            super(message);
+        }
+
+        public EncryptionException(String message, Throwable cause) {
+            super(message, cause);
+        }
+    }
+}

src/main/java/org/commcare/util/EncryptionKeyAndTransformation.java

@@ -0,0 +1,26 @@
+package org.commcare.util;
+
+import java.security.Key;
+
+/**
+ * Utility class for holding an encryption key and transformation string pair
+ *
+ * @author dviggiano
+ */
+public class EncryptionKeyAndTransformation {
+    private Key key;
+    private String transformation;
+
+    public EncryptionKeyAndTransformation(Key key, String transformation) {
+        this.key = key;
+        this.transformation = transformation;
+    }
+
+    public Key getKey() {
+        return key;
+    }
+
+    public String getTransformation() {
+        return transformation;
+    }
+}