aiden
/
Aegis
mirror of https://github.com/beemdevelopment/Aegis
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add an option to set a separate password for backups and exports

Browse Source
pull/926/head
Alexander Bakker 3 years ago
parent d40ebf0f67
commit a492bcbde3
14 changed files with 243 additions and 33 deletions
Show Stats Download Patch File Download Diff File

17
app/src/main/java/com/beemdevelopment/aegis/AegisBackupAgent.java
Unescape Escape View File

@ -9,12 +9,16 @@ import android.os.ParcelFileDescriptor;
import android.util.Log;
import com.beemdevelopment.aegis.util.IOUtils;
import com.beemdevelopment.aegis.vault.VaultFile;
import com.beemdevelopment.aegis.vault.VaultRepository;
import com.beemdevelopment.aegis.vault.VaultRepositoryException;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
public class AegisBackupAgent extends BackupAgent {
private static final String TAG = AegisBackupAgent.class.getSimpleName();
@ -46,14 +50,17 @@ public class AegisBackupAgent extends BackupAgent {
}
// first copy the vault to the files/backup directory
createBackupDir();
File vaultBackupFile = getVaultBackupFile();
try {
VaultRepository.copyFileTo(this, vaultBackupFile);
} catch (IOException e) {
try (OutputStream outputStream = new FileOutputStream(vaultBackupFile)) {
createBackupDir();
VaultFile vaultFile = VaultRepository.readVaultFile(this);
byte[] bytes = vaultFile.exportable().toBytes();
outputStream.write(bytes);
} catch (VaultRepositoryException | IOException e) {
Log.e(TAG, String.format("onFullBackup() failed: %s", e));
deleteBackupDir();
throw e;
throw new IOException(e);
}
// then call the original implementation so that fullBackupContent specified in AndroidManifest is read

6
app/src/main/java/com/beemdevelopment/aegis/ui/dialogs/Dialogs.java
Unescape Escape View File

@ -114,7 +114,7 @@ public class Dialogs {
.create());
}
public static void showSetPasswordDialog(ComponentActivity activity, Dialogs.SlotListener listener) {
public static void showSetPasswordDialog(ComponentActivity activity, PasswordSlotListener listener) {
Zxcvbn zxcvbn = new Zxcvbn();
View view = activity.getLayoutInflater().inflate(R.layout.dialog_password, null);
EditText textPassword = view.findViewById(R.id.text_password);
@ -460,8 +460,8 @@ public class Dialogs {
void onTextInputResult(char[] text);
}
public interface SlotListener {
void onSlotResult(Slot slot, Cipher cipher);
public interface PasswordSlotListener {
void onSlotResult(PasswordSlot slot, Cipher cipher);
void onException(Exception e);
}

6
app/src/main/java/com/beemdevelopment/aegis/ui/fragments/preferences/ImportExportPreferencesFragment.java
Unescape Escape View File

@ -30,7 +30,7 @@ import com.beemdevelopment.aegis.vault.VaultBackupManager;
import com.beemdevelopment.aegis.vault.VaultFileCredentials;
import com.beemdevelopment.aegis.vault.VaultRepository;
import com.beemdevelopment.aegis.vault.VaultRepositoryException;
import com.beemdevelopment.aegis.vault.slots.Slot;
import com.beemdevelopment.aegis.vault.slots.PasswordSlot;
import com.beemdevelopment.aegis.vault.slots.SlotException;
import java.io.File;
@ -267,9 +267,9 @@ public class ImportExportPreferencesFragment extends PreferencesFragment {
if (_vaultManager.getVault().isEncryptionEnabled()) {
cb.exportVault(stream -> _vaultManager.getVault().export(stream));
} else {
Dialogs.showSetPasswordDialog(requireActivity(), new Dialogs.SlotListener() {
Dialogs.showSetPasswordDialog(requireActivity(), new Dialogs.PasswordSlotListener() {
@Override
public void onSlotResult(Slot slot, Cipher cipher) {
public void onSlotResult(PasswordSlot slot, Cipher cipher) {
VaultFileCredentials creds = new VaultFileCredentials();
try {

108
app/src/main/java/com/beemdevelopment/aegis/ui/fragments/preferences/SecurityPreferencesFragment.java
Unescape Escape View File

@ -24,6 +24,7 @@ import com.beemdevelopment.aegis.ui.dialogs.Dialogs;
import com.beemdevelopment.aegis.ui.preferences.SwitchPreference;
import com.beemdevelopment.aegis.ui.tasks.PasswordSlotDecryptTask;
import com.beemdevelopment.aegis.vault.VaultFileCredentials;
import com.beemdevelopment.aegis.vault.VaultRepository;
import com.beemdevelopment.aegis.vault.VaultRepositoryException;
import com.beemdevelopment.aegis.vault.slots.BiometricSlot;
import com.beemdevelopment.aegis.vault.slots.PasswordSlot;
@ -33,6 +34,7 @@ import com.beemdevelopment.aegis.vault.slots.SlotList;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.crypto.Cipher;
@ -43,6 +45,8 @@ public class SecurityPreferencesFragment extends PreferencesFragment {
private Preference _setPasswordPreference;
private Preference _passwordReminderPreference;
private SwitchPreferenceCompat _pinKeyboardPreference;
private SwitchPreference _backupPasswordPreference;
private Preference _backupPasswordChangePreference;
@Override
public void onResume() {
@ -161,7 +165,7 @@ public class SecurityPreferencesFragment extends PreferencesFragment {
Dialogs.showPasswordInputDialog(requireContext(), R.string.set_password_confirm, R.string.pin_keyboard_description, password -> {
if (isDigitsOnly(new String(password))) {
List<PasswordSlot> slots = _vaultManager.getVault().getCredentials().getSlots().findAll(PasswordSlot.class);
List<PasswordSlot> slots = getRegularPasswordSlots(_vaultManager.getVault().getCredentials().getSlots());
PasswordSlotDecryptTask.Params params = new PasswordSlotDecryptTask.Params(slots, password);
PasswordSlotDecryptTask task = new PasswordSlotDecryptTask(requireContext(), new PasswordConfirmationListener());
task.execute(getLifecycle(), params);
@ -232,31 +236,86 @@ public class SecurityPreferencesFragment extends PreferencesFragment {
Dialogs.showSecureDialog(builder.create());
return false;
});
_backupPasswordPreference = requirePreference("pref_backup_password");
_backupPasswordPreference.setOnPreferenceChangeListener((preference, newValue) -> {
if (!isBackupPasswordSet()) {
Dialogs.showSetPasswordDialog(requireActivity(), new SetBackupPasswordListener());
} else {
SlotList slots = _vaultManager.getVault().getCredentials().getSlots();
for (Slot slot : getBackupPasswordSlots(slots)) {
slots.remove(slot);
}
saveAndBackupVault();
updateEncryptionPreferences();
}
return false;
});
_backupPasswordChangePreference = requirePreference("pref_backup_password_change");
_backupPasswordChangePreference.setOnPreferenceClickListener(preference -> {
Dialogs.showSetPasswordDialog(requireActivity(), new SetBackupPasswordListener());
return false;
});
}
private void updateEncryptionPreferences() {
boolean encrypted = _vaultManager.getVault().isEncryptionEnabled();
boolean backupPasswordSet = isBackupPasswordSet();
_encryptionPreference.setChecked(encrypted, true);
_setPasswordPreference.setVisible(encrypted);
_biometricsPreference.setVisible(encrypted);
_autoLockPreference.setVisible(encrypted);
_pinKeyboardPreference.setVisible(encrypted);
_backupPasswordPreference.getParent().setVisible(encrypted);
_backupPasswordPreference.setChecked(backupPasswordSet, true);
_backupPasswordChangePreference.setVisible(backupPasswordSet);
if (encrypted) {
SlotList slots = _vaultManager.getVault().getCredentials().getSlots();
boolean multiPassword = slots.findAll(PasswordSlot.class).size() > 1;
boolean multiBackupPassword = getBackupPasswordSlots(slots).size() > 1;
boolean multiPassword = getRegularPasswordSlots(slots).size() > 1;
boolean multiBio = slots.findAll(BiometricSlot.class).size() > 1;
boolean canUseBio = BiometricsHelper.isAvailable(requireContext());
_setPasswordPreference.setEnabled(!multiPassword);
_biometricsPreference.setEnabled(canUseBio && !multiBio);
_biometricsPreference.setChecked(slots.has(BiometricSlot.class), true);
_passwordReminderPreference.setVisible(slots.has(BiometricSlot.class));
_backupPasswordChangePreference.setEnabled(!multiBackupPassword);
} else {
_setPasswordPreference.setEnabled(false);
_biometricsPreference.setEnabled(false);
_biometricsPreference.setChecked(false, true);
_passwordReminderPreference.setVisible(false);
_backupPasswordChangePreference.setEnabled(false);
}
}
private boolean isBackupPasswordSet() {
VaultRepository vault = _vaultManager.getVault();
if (!vault.isEncryptionEnabled()) {
return false;
}
return getBackupPasswordSlots(vault.getCredentials().getSlots()).size() > 0;
}
private static List<PasswordSlot> getBackupPasswordSlots(SlotList slots) {
return getPasswordSlots(slots, true);
}
private static List<PasswordSlot> getRegularPasswordSlots(SlotList slots) {
return getPasswordSlots(slots, false);
}
private static List<PasswordSlot> getPasswordSlots(SlotList slots, boolean isBackup) {
return slots
.findAll(PasswordSlot.class)
.stream()
.filter(s -> s.isBackup() == isBackup)
.collect(Collectors.toList());
}
private String getPasswordReminderSummary() {
@ -291,9 +350,9 @@ public class SecurityPreferencesFragment extends PreferencesFragment {
return getString(R.string.pref_auto_lock_summary, builder.toString());
}
private class SetPasswordListener implements Dialogs.SlotListener {
private class SetPasswordListener implements Dialogs.PasswordSlotListener {
@Override
public void onSlotResult(Slot slot, Cipher cipher) {
public void onSlotResult(PasswordSlot slot, Cipher cipher) {
VaultFileCredentials creds = _vaultManager.getVault().getCredentials();
SlotList slots = creds.getSlots();
@ -331,6 +390,43 @@ public class SecurityPreferencesFragment extends PreferencesFragment {
}
}
private class SetBackupPasswordListener implements Dialogs.PasswordSlotListener {
@Override
public void onSlotResult(PasswordSlot slot, Cipher cipher) {
slot.setIsBackup(true);
VaultFileCredentials creds = _vaultManager.getVault().getCredentials();
SlotList slots = creds.getSlots();
try {
// encrypt the master key for this slot
slot.setKey(creds.getKey(), cipher);
// remove the old backup password slot
for (Slot oldSlot : getBackupPasswordSlots(slots)) {
slots.remove(oldSlot);
}
// add the new backup password slot
slots.add(slot);
} catch (SlotException e) {
onException(e);
return;
}
_vaultManager.getVault().setCredentials(creds);
saveAndBackupVault();
updateEncryptionPreferences();
}
@Override
public void onException(Exception e) {
e.printStackTrace();
updateEncryptionPreferences();
Dialogs.showErrorDialog(requireContext(), R.string.encryption_set_password_error, e);
}
}
private class RegisterBiometricsListener implements BiometricSlotInitializer.Listener {
@Override
public void onInitializeSlot(BiometricSlot slot, Cipher cipher) {
@ -357,9 +453,9 @@ public class SecurityPreferencesFragment extends PreferencesFragment {
}
}
private class EnableEncryptionListener implements Dialogs.SlotListener {
private class EnableEncryptionListener implements Dialogs.PasswordSlotListener {
@Override
public void onSlotResult(Slot slot, Cipher cipher) {
public void onSlotResult(PasswordSlot slot, Cipher cipher) {
VaultFileCredentials creds = new VaultFileCredentials();
try {

15
app/src/main/java/com/beemdevelopment/aegis/vault/VaultFile.java
Unescape Escape View File

@ -117,6 +117,21 @@ public class VaultFile {
}
}
/**
* Returns a copy of this VaultFile that's suitable for exporting.
* In case there's a backup password slot, any regular password slots are stripped.
*/
public VaultFile exportable() {
if (!isEncrypted()) {
return this;
}
return new VaultFile(getContent(), new VaultFile.Header(
getHeader().getSlots().exportable(),
getHeader().getParams()
));
}
public static class Header {
private SlotList _slots;
private CryptParameters _params;

8
app/src/main/java/com/beemdevelopment/aegis/vault/VaultFileCredentials.java
Unescape Escape View File

@ -37,4 +37,12 @@ public class VaultFileCredentials implements Serializable {
public SlotList getSlots() {
return _slots;
}
/**
* Returns a copy of these VaultFileCredentials that is suitable for exporting.
* In case there's a backup password slot, any regular password slots are stripped.
*/
public VaultFileCredentials exportable() {
return new VaultFileCredentials(_key, _slots.exportable());
}
}

7
app/src/main/java/com/beemdevelopment/aegis/vault/VaultManager.java
Unescape Escape View File

@ -19,7 +19,9 @@ import com.beemdevelopment.aegis.ui.dialogs.Dialogs;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.util.ArrayList;
import java.util.List;
@ -198,7 +200,10 @@ public class VaultManager {
}
File tempFile = File.createTempFile(VaultBackupManager.FILENAME_PREFIX, ".json", dir);
VaultRepository.copyFileTo(_context, tempFile);
try (OutputStream outStream = new FileOutputStream(tempFile)) {
_repo.export(outStream);
}
_backups.scheduleBackup(tempFile, _prefs.getBackupsLocation(), _prefs.getBackupsVersionCount());
} catch (IOException e) {
throw new VaultRepositoryException(e);

13
app/src/main/java/com/beemdevelopment/aegis/vault/VaultRepository.java
Unescape Escape View File

@ -107,13 +107,6 @@ public class VaultRepository {
return new VaultRepository(context, vault, creds);
}
public static void copyFileTo(Context context, File destFile) throws IOException {
try (InputStream inStream = VaultRepository.getAtomicFile(context).openRead();
OutputStream outStream = new FileOutputStream(destFile)) {
IOUtils.copy(inStream, outStream);
}
}
void save() throws VaultRepositoryException {
try {
JSONObject obj = _vault.toJson();
@ -137,7 +130,7 @@ public class VaultRepository {
}
/**
* Exports the vault bt serializing it and writing it to the given OutputStream. If encryption
* Exports the vault by serializing it and writing it to the given OutputStream. If encryption
* is enabled, the vault will be encrypted automatically.
*/
public void export(OutputStream stream) throws VaultRepositoryException {
@ -149,6 +142,10 @@ public class VaultRepository {
* not null, it will be used to encrypt the vault first.
*/
public void export(OutputStream stream, VaultFileCredentials creds) throws VaultRepositoryException {
if (creds != null) {
creds = creds.exportable();
}
try {
VaultFile vaultFile = new VaultFile();
if (creds != null) {

17
app/src/main/java/com/beemdevelopment/aegis/vault/slots/PasswordSlot.java
Unescape Escape View File

@ -16,16 +16,19 @@ import javax.crypto.SecretKey;
public class PasswordSlot extends RawSlot {
private boolean _repaired;
private boolean _isBackup;
private SCryptParameters _params;
public PasswordSlot() {
super();
}
protected PasswordSlot(UUID uuid, byte[] key, CryptParameters keyParams, SCryptParameters scryptParams, boolean repaired) {
protected PasswordSlot(UUID uuid, byte[] key, CryptParameters keyParams, SCryptParameters scryptParams, boolean repaired, boolean isBackup) {
super(uuid, key, keyParams);
_params = scryptParams;
_repaired = repaired;
_isBackup = isBackup;
}
@Override
@ -37,6 +40,7 @@ public class PasswordSlot extends RawSlot {
obj.put("p", _params.getP());
obj.put("salt", Hex.encode(_params.getSalt()));
obj.put("repaired", _repaired);
obj.put("is_backup", _isBackup);
return obj;
} catch (JSONException e) {
throw new RuntimeException(e);
@ -70,8 +74,15 @@ public class PasswordSlot extends RawSlot {
return _repaired;
}
public SCryptParameters getSCryptParameters() {
return _params;
/**
* Reports whether this slot is a backup password slot.
*/
public boolean isBackup() {
return _isBackup;
}
public void setIsBackup(boolean isBackup) {
_isBackup = isBackup;
}
@Override

3
app/src/main/java/com/beemdevelopment/aegis/vault/slots/Slot.java
Unescape Escape View File

@ -140,7 +140,8 @@ public abstract class Slot extends UUIDMap.Value {
Hex.decode(obj.getString("salt"))
);
boolean repaired = obj.optBoolean("repaired", false);
slot = new PasswordSlot(uuid, key, keyParams, scryptParams, repaired);
boolean isBackup = obj.optBoolean("is_backup", false);
slot = new PasswordSlot(uuid, key, keyParams, scryptParams, repaired, isBackup);
break;
case Slot.TYPE_BIOMETRIC:
slot = new BiometricSlot(uuid, key, keyParams);

27
app/src/main/java/com/beemdevelopment/aegis/vault/slots/SlotList.java
Unescape Escape View File

@ -57,4 +57,31 @@ public class SlotList extends UUIDMap<Slot> {
public <T extends Slot> boolean has(Class<T> type) {
return find(type) != null;
}
/**
* Returns a copy of this SlotList that is suitable for exporting.
* In case there's a backup password slot, any regular password slots are stripped.
*/
public SlotList exportable() {
boolean hasBackupSlots = false;
for (Slot slot : this) {
if (slot instanceof PasswordSlot && ((PasswordSlot) slot).isBackup()) {
hasBackupSlots = true;
break;
}
}
if (!hasBackupSlots) {
return this;
}
SlotList slots = new SlotList();
for (Slot slot : this) {
if (!(slot instanceof PasswordSlot) || ((PasswordSlot) slot).isBackup()) {
slots.add(slot);
}
}
return slots;
}
}

5
app/src/main/res/values/strings.xml
Unescape Escape View File

@ -76,6 +76,11 @@
<string name="pref_auto_lock_type_back_button">The back button is pressed</string>
<string name="pref_auto_lock_type_minimize">The app is minimized</string>
<string name="pref_auto_lock_type_device_lock">The device is locked</string>
<string name="pref_backup_password_category">Backup &amp; Export</string>
<string name="pref_backup_password_title">Separate password for backup &amp; export</string>
<string name="pref_backup_password_summary">If enabled, the password that is used to unlock the app can\'t be used to decrypt backups and exports anymore.</string>
<string name="pref_backup_password_change_title">Change password for backup &amp; export</string>
<string name="pref_backup_password_change_summary">Set a new password that\'ll be used to encrypt the vault during backup and export.</string>
<string name="pref_encryption_title">Encryption</string>
<string name="pref_encryption_summary">Encrypt the vault and unlock it with a password or biometrics</string>
<string name="pref_biometrics_title">Biometric unlock</string>

17
app/src/main/res/xml/preferences_security.xml
Unescape Escape View File

@ -33,6 +33,23 @@
android:dependency="pref_biometrics"
app:iconSpaceReserved="false"/>
</PreferenceCategory>
<PreferenceCategory
android:title="@string/pref_backup_password_category"
app:iconSpaceReserved="false">
<com.beemdevelopment.aegis.ui.preferences.SwitchPreference
android:key="pref_backup_password"
android:title="@string/pref_backup_password_title"
android:summary="@string/pref_backup_password_summary"
android:persistent="false"
app:iconSpaceReserved="false"/>
<Preference
android:key="pref_backup_password_change"
android:title="@string/pref_backup_password_change_title"
android:summary="@string/pref_backup_password_change_summary"
android:dependency="pref_encryption"
app:iconSpaceReserved="false"/>
</PreferenceCategory>
<PreferenceCategory
android:title="@string/pref_section_behavior_title"
app:iconSpaceReserved="false">

27
app/src/test/java/com/beemdevelopment/aegis/vault/slots/SlotTest.java
Unescape Escape View File

@ -1,5 +1,9 @@
package com.beemdevelopment.aegis.vault.slots;
import static org.junit.Assert.assertArrayEquals;
import static org.junit.Assert.assertNotEquals;
import static org.junit.Assert.assertThrows;
import com.beemdevelopment.aegis.crypto.CryptoUtils;
import com.beemdevelopment.aegis.crypto.MasterKey;
import com.beemdevelopment.aegis.crypto.SCryptParameters;
@ -16,9 +20,6 @@ import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import static org.junit.Assert.assertArrayEquals;
import static org.junit.Assert.assertThrows;
public class SlotTest {
private MasterKey _masterKey;
@ -93,4 +94,24 @@ public class SlotTest {
garbledCiphertext[0] = (byte) ~garbledCiphertext[0];
assertThrows(SlotIntegrityException.class, () -> slot.getKey(decryptCipher));
}
@Test
public void testPasswordSlotExclusion() {
SlotList slots = new SlotList();
PasswordSlot passSlot = new PasswordSlot();
PasswordSlot passSlot2 = new PasswordSlot();
slots.add(passSlot);
slots.add(passSlot2);
assertArrayEquals(slots.getValues().toArray(), slots.exportable().getValues().toArray());
SlotList backupSlots = new SlotList();
PasswordSlot backupSlot = new PasswordSlot();
backupSlot.setIsBackup(true);
slots.add(backupSlot);
backupSlots.add(backupSlot);
assertArrayEquals(backupSlots.getValues().toArray(), slots.exportable().getValues().toArray());
assertNotEquals(slots.getValues().toArray(), slots.exportable().getValues().toArray());
}
}

Write Preview
Loading…
Cancel
Save