try fail android biometric prompt

a-sit-plus · Jan 14, 2025 · d26933f · d26933f
1 parent cf94f41
commit d26933f
Show file tree

Hide file tree

Showing 6 changed files with 63 additions and 16 deletions.
diff --git a/demoapp/composeApp/src/commonMain/kotlin/at/asitplus/cryptotest/App.kt b/demoapp/composeApp/src/commonMain/kotlin/at/asitplus/cryptotest/App.kt
@@ -65,6 +65,7 @@ import at.asitplus.signum.supreme.os.SigningProvider
 import at.asitplus.signum.supreme.sign.Verifier
 import io.github.aakira.napier.DebugAntilog
 import io.github.aakira.napier.Napier
+import io.ktor.util.encodeBase64
 import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.ExperimentalCoroutinesApi
 import kotlinx.coroutines.launch
@@ -471,9 +472,9 @@ internal fun App() {
                             val pub = eph.publicKey as CryptoPublicKey.EC
                             Napier.i { "Got Pubkey: $pub" }
                             val agreed= pub.keyAgreement( currentSigner!!.getOrThrow() as Signer.ECDSA).getOrThrow()
-                            Napier.i { "AGREED1: ${Base64.encodeToByteArray(agreed)}" }
+                            Napier.i { "AGREED1: ${agreed.encodeBase64()}" }
                             val agreed2 = ( currentSigner!!.getOrThrow() as Signer.ECDSA).keyAgreement(pub).getOrThrow()
-                            Napier.i { "AGREED2: ${Base64.encodeToByteArray(agreed2)}" }
+                            Napier.i { "AGREED2: ${agreed2.encodeBase64()}" }
                         }
 
                     },

diff --git a/supreme/src/androidMain/kotlin/at/asitplus/signum/supreme/agreement/KeyAgreement.android.kt b/supreme/src/androidMain/kotlin/at/asitplus/signum/supreme/agreement/KeyAgreement.android.kt
@@ -1,19 +1,65 @@
 package at.asitplus.signum.supreme.agreement
 
+import android.security.keystore.UserNotAuthenticatedException
+import androidx.biometric.BiometricPrompt.CryptoObject
 import at.asitplus.signum.indispensable.CryptoPublicKey
 import at.asitplus.signum.indispensable.toJcaPublicKey
 import at.asitplus.signum.supreme.HazardousMaterials
+import at.asitplus.signum.supreme.dsl.DSL
 import at.asitplus.signum.supreme.dsl.DSLConfigureFn
 import at.asitplus.signum.supreme.hazmat.jcaPrivateKey
 import at.asitplus.signum.supreme.os.AndroidKeyStoreProvider
+import at.asitplus.signum.supreme.os.AndroidKeystoreSigner
+import at.asitplus.signum.supreme.os.AndroidSignerSigningConfiguration
 import at.asitplus.signum.supreme.os.PlatformSigningProvider
 import at.asitplus.signum.supreme.os.PlatformSigningProviderSignerSigningConfigurationBase
+import at.asitplus.signum.supreme.os.needsAuthenticationForEveryUse
 import at.asitplus.signum.supreme.sign.Signer
 
-actual fun Signer.ECDSA.performAgreement(publicKey: CryptoPublicKey.EC, config: DSLConfigureFn<PlatformSigningProviderSignerSigningConfigurationBase>): ByteArray =
+actual suspend fun Signer.ECDSA.performAgreement(
+    publicKey: CryptoPublicKey.EC,
+    config: DSLConfigureFn<PlatformSigningProviderSignerSigningConfigurationBase>
+): ByteArray {
     /*TODO: check auth similar to https://github.com/a-sit-plus/kmp-crypto/blob/02ee22227dcef3ee03e65a19f0aa578168f7b518/supreme/src/androidMain/kotlin/at/asitplus/signum/supreme/os/AndroidKeyStoreProvider.kt#L360*/
-    javax.crypto.KeyAgreement.getInstance("ECDH","AndroidKeyStore").also {
-        @OptIn(HazardousMaterials::class)
-        it.init(jcaPrivateKey)
-        it.doPhase(publicKey.toJcaPublicKey().getOrThrow(), true)
-    }.generateSecret()
+
+    return if (this is AndroidKeystoreSigner) {
+        val resolvedConfig = DSL.resolve(::AndroidSignerSigningConfiguration, config)
+        javax.crypto.KeyAgreement.getInstance("ECDH", "AndroidKeyStore").also {
+
+            if (needsAuthenticationForEveryUse) {
+                it.init(jcaPrivateKey)
+                attemptBiometry(
+                    DSL.ConfigStack(resolvedConfig.unlockPrompt.v, resolvedConfig.unlockPrompt.v),
+                    null //TODO ????
+                )
+            } else {
+                try {
+                    it.init(jcaPrivateKey)
+                } catch (_: UserNotAuthenticatedException) {
+                    attemptBiometry(
+                        DSL.ConfigStack(
+                            resolvedConfig.unlockPrompt.v,
+                            resolvedConfig.unlockPrompt.v
+                        ),
+                        null
+                    )
+                    it.init(jcaPrivateKey)
+                }
+            }
+
+
+            attemptBiometry(
+                DSL.ConfigStack(resolvedConfig.unlockPrompt.v, resolvedConfig.unlockPrompt.v),
+                null
+            )
+            it.doPhase(publicKey.toJcaPublicKey().getOrThrow(), true)
+        }.generateSecret()
+
+    } else {
+        javax.crypto.KeyAgreement.getInstance("ECDH", "AndroidKeyStore").also {
+            @OptIn(HazardousMaterials::class)
+            it.init(jcaPrivateKey)
+            it.doPhase(publicKey.toJcaPublicKey().getOrThrow(), true)
+        }.generateSecret()
+    }
+}
diff --git a/supreme/src/androidMain/kotlin/at/asitplus/signum/supreme/os/AndroidKeyStoreProvider.kt b/supreme/src/androidMain/kotlin/at/asitplus/signum/supreme/os/AndroidKeyStoreProvider.kt
@@ -306,7 +306,7 @@ sealed class AndroidKeystoreSigner private constructor(
         data class Error(val code: Int, val message: String): AuthResult
     }
 
-    private suspend fun attemptBiometry(config: DSL.ConfigStack<AndroidUnlockPromptConfiguration>, forSpecificKey: CryptoObject?) {
+    internal suspend fun attemptBiometry(config: DSL.ConfigStack<AndroidUnlockPromptConfiguration>, forSpecificKey: CryptoObject?) {
         val channel = Channel<AuthResult>(capacity = Channel.RENDEZVOUS)
         val effectiveContext = config.getProperty(AndroidUnlockPromptConfiguration::explicitContext,
             checker = AndroidUnlockPromptConfiguration::hasExplicitContext, default = {

diff --git a/supreme/src/commonMain/kotlin/at/asitplus/signum/supreme/agreement/KeyAgreement.kt b/supreme/src/commonMain/kotlin/at/asitplus/signum/supreme/agreement/KeyAgreement.kt
@@ -18,7 +18,7 @@ import at.asitplus.signum.supreme.sign.signerFor
  *
  * [config] can be used to display a custom authentication prompt
  */
-fun Signer.ECDSA.keyAgreement(
+suspend fun Signer.ECDSA.keyAgreement(
     publicKey: CryptoPublicKey.EC,
     config: DSLConfigureFn<PlatformSigningProviderSignerSigningConfigurationBase> = null
 ): KmmResult<ByteArray> = catching {
@@ -30,7 +30,7 @@ fun Signer.ECDSA.keyAgreement(
  * Elliptic-curve Diffie-Hellman key agreement.
  * Curves of public key and signer need to match!
  */
-fun CryptoPrivateKey.WithPublicKey<CryptoPublicKey.EC>.keyAgreement(publicKey: CryptoPublicKey.EC) = catching {
+suspend fun CryptoPrivateKey.WithPublicKey<CryptoPublicKey.EC>.keyAgreement(publicKey: CryptoPublicKey.EC) = catching {
     (SignatureAlgorithm.ECDSA(this.publicKey.curve.nativeDigest, this.publicKey.curve).signerFor(this)
         .getOrThrow() as Signer.ECDSA).keyAgreement(
         publicKey
@@ -41,7 +41,7 @@ fun CryptoPrivateKey.WithPublicKey<CryptoPublicKey.EC>.keyAgreement(publicKey: C
  * Elliptic-curve Diffie-Hellman key agreement.
  * Curves of public key and signer need to match!
  */
-fun CryptoPublicKey.EC.keyAgreement(privateKey: CryptoPrivateKey.WithPublicKey<CryptoPublicKey.EC>) =
+suspend fun CryptoPublicKey.EC.keyAgreement(privateKey: CryptoPrivateKey.WithPublicKey<CryptoPublicKey.EC>) =
     privateKey.keyAgreement(this)
 
 /**
@@ -50,12 +50,12 @@ fun CryptoPublicKey.EC.keyAgreement(privateKey: CryptoPrivateKey.WithPublicKey<C
  *
  * [config] can be used to display a custom authentication prompt
  */
-fun CryptoPublicKey.EC.keyAgreement(
+suspend fun CryptoPublicKey.EC.keyAgreement(
     signer: Signer.ECDSA,
     config: DSLConfigureFn<PlatformSigningProviderSignerSigningConfigurationBase> = null
 ) = signer.keyAgreement(this, config)
 
-internal expect fun Signer.ECDSA.performAgreement(
+internal expect suspend fun Signer.ECDSA.performAgreement(
     publicKey: CryptoPublicKey.EC,
     config: DSLConfigureFn<PlatformSigningProviderSignerSigningConfigurationBase>
 ): ByteArray
diff --git a/supreme/src/iosMain/kotlin/at/asitplus/signum/supreme/agreement/KeyAgreement.ios.kt b/supreme/src/iosMain/kotlin/at/asitplus/signum/supreme/agreement/KeyAgreement.ios.kt
@@ -20,7 +20,7 @@ import kotlinx.cinterop.memScoped
 import platform.Foundation.NSData
 
 @OptIn(ExperimentalForeignApi::class)
-internal actual fun Signer.ECDSA.performAgreement(publicKey: CryptoPublicKey.EC, config: DSLConfigureFn<PlatformSigningProviderSignerSigningConfigurationBase>): ByteArray {
+internal actual suspend fun Signer.ECDSA.performAgreement(publicKey: CryptoPublicKey.EC, config: DSLConfigureFn<PlatformSigningProviderSignerSigningConfigurationBase>): ByteArray {
 
     return catchingUnwrapped {
         val priv =  if( this is EphemeralSigner.EC)

diff --git a/supreme/src/jvmMain/kotlin/at/asitplus/signum/supreme/agreement/KeyAgreement.jvm.kt b/supreme/src/jvmMain/kotlin/at/asitplus/signum/supreme/agreement/KeyAgreement.jvm.kt
@@ -9,7 +9,7 @@ import at.asitplus.signum.supreme.os.PlatformSigningProviderSignerSigningConfigu
 import at.asitplus.signum.supreme.sign.Signer
 import javax.crypto.KeyAgreement
 
-internal actual fun Signer.ECDSA.performAgreement(publicKey: CryptoPublicKey.EC, config: DSLConfigureFn<PlatformSigningProviderSignerSigningConfigurationBase>): ByteArray =
+internal actual suspend fun Signer.ECDSA.performAgreement(publicKey: CryptoPublicKey.EC, config: DSLConfigureFn<PlatformSigningProviderSignerSigningConfigurationBase>): ByteArray =
     KeyAgreement.getInstance("ECDH").also {
         @OptIn(HazardousMaterials::class)
         it.init(jcaPrivateKey)