/*
* Copyright (C) 2016 Square, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.squareup.whorlwind;
import android.content.Context;
import android.hardware.fingerprint.FingerprintManager;
import android.os.Build;
import android.security.keystore.KeyProperties;
import androidx.annotation.CheckResult;
import androidx.annotation.RequiresApi;
import android.util.Log;
import com.squareup.whorlwind.ReadResult.ReadState;
import io.reactivex.Completable;
import io.reactivex.Observable;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import okio.ByteString;
public abstract class Whorlwind {
static final String TAG = "Whorlwind";
public static Whorlwind create(Context context, Storage storage, String keyAlias) {
if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
return new NullWhorlwind();
}
return createRealWhorlwind(context, storage, keyAlias);
}
@RequiresApi(Build.VERSION_CODES.M)
private static Whorlwind createRealWhorlwind(Context context, Storage storage, String keyAlias) {
try {
FingerprintManager fingerprintManager = context.getSystemService(FingerprintManager.class);
if (fingerprintManager == null) {
Log.w(TAG, "No fingerprint manager.");
return new NullWhorlwind();
}
if (!isHardwareDetected(fingerprintManager)) return new NullWhorlwind();
KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
keyStore.load(null); // Ensure the key store can be loaded before continuing.
KeyPairGenerator keyGenerator =
KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
RealWhorlwind.createCipher(); // If this doesn't throw, the cipher we need is available.
return new RealWhorlwind(context, fingerprintManager, storage, keyAlias, keyStore,
keyGenerator, keyFactory);
} catch (Exception e) {
Log.w(TAG, "Cannot store securely.", e);
return new NullWhorlwind();
}
}
@RequiresApi(Build.VERSION_CODES.M)
static boolean isHardwareDetected(FingerprintManager fingerprintManager) {
try {
return fingerprintManager.isHardwareDetected();
} catch (SecurityException e) {
Log.w(TAG, "Failed detecting hardware", e);
return false;
}
}
@RequiresApi(api = Build.VERSION_CODES.M)
static boolean hasEnrolledFingerprints(FingerprintManager fingerprintManager) {
try {
return fingerprintManager.hasEnrolledFingerprints();
} catch (IllegalStateException e) {
// see https://github.com/square/whorlwind/issues/36
Log.w(TAG, "Cannot know if device has enrolled fingerprints", e);
return false;
}
}
Whorlwind() {
// Prevent 3rd-party implementations.
}
/**
* Returns true if the device is currently capable of reading/writing from/to secure storage.
*
* <p>
* <b>Note:</b> This method must be checked before subscribing to
* {@link #write(String, ByteString)} or {@link #read(String)}.
*/
@CheckResult
public abstract boolean canStoreSecurely();
/**
* Writes a value to secure storage. Must check {@link #canStoreSecurely()} before subscribing.
*/
@CheckResult
public abstract Completable write(String name, ByteString value);
/**
* Reads a value from secure storage. If no value is found, a result with a {@code state} of
* {@link ReadState#READY READY} and a null {@code value} will be emitted. Otherwise, a result
* with a {@code state} of {@link ReadState#NEEDS_AUTH NEEDS_AUTH} will be emitted and the
* fingerprint reader will be activated. Future events from the fingerprint reader will be
* emitted to the stream.
*
* Must check {@link #canStoreSecurely()} before subscribing.
*/
@CheckResult
public abstract Observable<ReadResult> read(String name);
}
