Naive handling AES->RSA upgrade path

Since AES and RSA share the same key space the upgrade path
fails cause the RSA class gets a false positive for containsAlias call.

Currently I just remove the AES key before encrypting with rsa key, however
this could potentially result in a situation where the aes key gets removed
but RSA key generation/encryption fails. This would cause data loss.

I though about an alternative prefix solution for the server but maybe theres even
 a better way to do it.

Also:

- Handle case where key has been permanently invalidated

Author: Jyrno42

android/src/main/java/com/oblador/keychain/KeychainModule.java

@@ -3,6 +3,7 @@
 import android.annotation.TargetApi;
 import android.app.Activity;
 import android.os.Build;
+import android.security.keystore.KeyPermanentlyInvalidatedException;
 import android.support.annotation.NonNull;
 import android.util.Log;
 
@@ -110,9 +111,10 @@ public void setGenericPasswordForOptions(String service, String username, String
 
     @ReactMethod
     public void getGenericPasswordForOptions(String service, ReadableMap options, final Promise promise) {
+        final String defaultService = getDefaultServiceIfNull(service);
+        String accessControl = null;
+
         try {
-            final String defaultService = getDefaultServiceIfNull(service);
-            String accessControl = null;
             if (options != null && options.hasKey(ACCESS_CONTROL_KEY)) {
                 accessControl = options.getString(ACCESS_CONTROL_KEY);
             }
@@ -163,12 +165,12 @@ public void onDecrypt(DecryptionResult decryptionResult, String info, String err
                             credentials.putString("password", decryptionResult.password);
 
                             try {
+                                // clean up the old cipher storage
+                                oldCipherStorage.removeKey(defaultService);
                                 // encrypt using the current cipher storage
                                 EncryptionResult encryptionResult = currentCipherStorage.encrypt(defaultService, decryptionResult.username, decryptionResult.password);
                                 // store the encryption result
                                 prefsStorage.storeEncryptedEntry(defaultService, encryptionResult);
-                                // clean up the old cipher storage
-                                oldCipherStorage.removeKey(defaultService);
                             } catch (CryptoFailedException e) {
                                 Log.e(KEYCHAIN_MODULE, e.getMessage());
                                 promise.reject(E_CRYPTO_FAILED, e);
@@ -188,6 +190,20 @@ public void onDecrypt(DecryptionResult decryptionResult, String info, String err
                 // decrypt using the older cipher storage
                 oldCipherStorage.decrypt(decryptionHandler, defaultService, resultSet.usernameBytes, resultSet.passwordBytes);
             }
+        } catch (KeyPermanentlyInvalidatedException e) {
+            Log.e(KEYCHAIN_MODULE, String.format("Key for service %s permanently invalidated", defaultService));
+
+            try {
+                CipherStorage cipherStorage = getCipherStorageForCurrentAPILevel(getUseBiometry(accessControl));
+                if (cipherStorage != null) {
+                        cipherStorage.removeKey(defaultService);
+                }
+            } catch (Exception error) {
+                error.printStackTrace();
+                Log.e(KEYCHAIN_MODULE, "Failed removing invalidated key: " + error.getMessage());
+            }
+
+            promise.resolve(false);
         } catch (CryptoFailedException e) {
             Log.e(KEYCHAIN_MODULE, e.getMessage());
             promise.reject(E_CRYPTO_FAILED, e);

android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorage.java

@@ -1,6 +1,7 @@
 package com.oblador.keychain.cipherStorage;
 
 import android.app.Activity;
+import android.security.keystore.KeyPermanentlyInvalidatedException;
 import android.support.annotation.NonNull;
 
 import com.oblador.keychain.exceptions.CryptoFailedException;
@@ -38,7 +39,7 @@ interface DecryptionResultHandler {
 
     EncryptionResult encrypt(@NonNull String service, @NonNull String username, @NonNull String password) throws CryptoFailedException;
 
-    void decrypt(@NonNull DecryptionResultHandler decryptionResultHandler, @NonNull String service, @NonNull byte[] username, @NonNull byte[] password) throws CryptoFailedException;
+    void decrypt(@NonNull DecryptionResultHandler decryptionResultHandler, @NonNull String service, @NonNull byte[] username, @NonNull byte[] password) throws CryptoFailedException, KeyPermanentlyInvalidatedException;
 
     void removeKey(@NonNull String service) throws KeyStoreAccessException;
 

android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageFacebookConceal.java

@@ -2,6 +2,7 @@
 
 import android.app.Activity;
 import android.os.Build;
+import android.security.keystore.KeyPermanentlyInvalidatedException;
 import android.support.annotation.NonNull;
 
 import com.facebook.android.crypto.keychain.AndroidConceal;
@@ -62,7 +63,7 @@ public EncryptionResult encrypt(@NonNull String service, @NonNull String usernam
     }
 
     @Override
-    public void decrypt(@NonNull DecryptionResultHandler decryptionResultHandler, @NonNull String service, @NonNull byte[] username, @NonNull byte[] password) throws CryptoFailedException {
+    public void decrypt(@NonNull DecryptionResultHandler decryptionResultHandler, @NonNull String service, @NonNull byte[] username, @NonNull byte[] password) throws CryptoFailedException, KeyPermanentlyInvalidatedException {
         if (!crypto.isAvailable()) {
             throw new CryptoFailedException("Crypto is missing");
         }

android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageKeystoreAESCBC.java

@@ -4,6 +4,7 @@
 import android.app.Activity;
 import android.os.Build;
 import android.security.keystore.KeyGenParameterSpec;
+import android.security.keystore.KeyPermanentlyInvalidatedException;
 import android.security.keystore.KeyProperties;
 import android.support.annotation.NonNull;
 
@@ -103,7 +104,7 @@ private void generateKeyAndStoreUnderAlias(@NonNull String service) throws NoSuc
     }
 
     @Override
-    public void decrypt(@NonNull DecryptionResultHandler decryptionResultHandler, @NonNull String service, @NonNull byte[] username, @NonNull byte[] password) throws CryptoFailedException {
+    public void decrypt(@NonNull DecryptionResultHandler decryptionResultHandler, @NonNull String service, @NonNull byte[] username, @NonNull byte[] password) throws CryptoFailedException, KeyPermanentlyInvalidatedException {
         service = getDefaultServiceIfEmpty(service);
 
         try {

android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageKeystoreRSAECB.java

@@ -10,6 +10,7 @@
 import android.os.Build;
 import android.os.CancellationSignal;
 import android.security.keystore.KeyGenParameterSpec;
+import android.security.keystore.KeyPermanentlyInvalidatedException;
 import android.security.keystore.KeyProperties;
 import android.security.keystore.UserNotAuthenticatedException;
 import android.support.annotation.NonNull;
@@ -227,7 +228,7 @@ private void generateKeyAndStoreUnderAlias(@NonNull String service) throws NoSuc
     }
 
     @Override
-    public void decrypt(@NonNull DecryptionResultHandler decryptionResultHandler, @NonNull String service, @NonNull byte[] username, @NonNull byte[] password) throws CryptoFailedException {
+    public void decrypt(@NonNull DecryptionResultHandler decryptionResultHandler, @NonNull String service, @NonNull byte[] username, @NonNull byte[] password) throws CryptoFailedException, KeyPermanentlyInvalidatedException {
         service = getDefaultServiceIfEmpty(service);
 
         KeyStore keyStore;
@@ -255,6 +256,8 @@ public void decrypt(@NonNull DecryptionResultHandler decryptionResultHandler, @N
             throw new CryptoFailedException("Could not get key from Keystore", e);
         } catch (KeyStoreAccessException e) {
             throw new CryptoFailedException("Could not access Keystore", e);
+        } catch (KeyPermanentlyInvalidatedException e) {
+            throw e;
         } catch (Exception e) {
             e.printStackTrace();
             throw new CryptoFailedException("Unknown error: " + e.getMessage(), e);