fix: update alias handling in CipherStorage to include prefix based on cipher and auth requirements

[Bowlerr]

Merge in #746 first to fix tests

Fixes - #730
if I understood correctly, this issue is caused by bio and non bio auth alias being considered the same.
This prefix solves that issue.
@DorianMazur is also working on a solution but was wondering if this fix would work so I can patch it in asap.

Changes

• New prefixed format:
  • Authenticated: AES_GCM_<alias>
  • Standard: AES_GCM_NO_AUTH_<alias>
• Adds helper function getPrefixedAlias in CipherStorageKeystoreAesGcm.kt
• Call helper function when using alias
• Migration process:
  1. Attempts to use new prefixed alias
  2. Falls back to legacy format if needed
  3. Verifies new key functionality
  4. Safely removes old key

---

Updated to handle migration on Base Storage for each cipher having it's own prefix.

[DorianMazur]

Thanks @Bowlerr for the PR! Can we implement this prefix for all ciphers?
Also, we probably need to remove this code too, since it checks and deletes data if it’s saved with a different cipher.
https://github.com/oblador/react-native-keychain/blob/master/android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageBase.kt#L211

[DorianMazur]

I don't think it will solve #730
Were you able to reproduce this "wrapped error" locally?

[Bowlerr]

@DorianMazur Yes on my android simulator today but unsure what conditions triggered it...
I have a few reports from users with the same error. javax.crypto.AEADBadTagException so have been comparing them and seeing what the issue could be.

Could be the Alias, or after some research maybe the way we are using one cached instance?
I've got an another PR with a potential solution and I'll finish this up this week.

[Bowlerr]

Also passed Local test I wrote:

package com.oblador.keychain.cipherStorage

import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyInfo
import com.oblador.keychain.SecurityLevel
import com.oblador.keychain.resultHandler.ResultHandler
import org.junit.Before
import org.junit.Test
import org.junit.runner.RunWith
import org.mockito.Mock
import org.mockito.Mockito.*
import org.mockito.junit.MockitoJUnitRunner
import java.security.Key
import java.security.KeyStore
import java.security.cert.Certificate
import java.util.concurrent.atomic.AtomicInteger
import kotlin.test.assertEquals
import kotlin.test.assertFalse
import kotlin.test.assertTrue

@Suppress("UnnecessaryStubbings")
@RunWith(MockitoJUnitRunner::class)
class CipherStorageBaseTest {

  @Mock private lateinit var mockContext: Context
  @Mock private lateinit var mockKeyStore: KeyStore
  @Mock private lateinit var mockKey: Key
  @Mock private lateinit var mockResultHandler: ResultHandler
  
  @Mock private lateinit var mockCertificate: Certificate

  private lateinit var cipherStorage: TestCipherStorage

  @Before
  fun setup() {
    cipherStorage = TestCipherStorage(mockContext)
    cipherStorage.setKeyStore(mockKeyStore)
  }

  @Test
  fun testGetPrefixedAlias() {
    assertEquals(
      "AES_GCM_test", 
      CipherStorageBase.getPrefixedAlias("test", "AES_GCM")
    )
    assertEquals(
      "AES_GCM_test", 
      CipherStorageBase.getPrefixedAlias("AES_GCM_test", "AES_GCM")
    )
  }

  @Test
  fun testMigrateLegacyKey() {
    val legacyAlias = "old_key"
    val newAlias = "AES_GCM_old_key"

    println("DEBUG: Starting migration test. legacyAlias=$legacyAlias, newAlias=$newAlias")
    
    `when`(mockKeyStore.getKey(legacyAlias, null)).thenReturn(mockKey)
    `when`(mockKeyStore.getCertificateChain(legacyAlias)).thenReturn(arrayOf(mockCertificate))
    `when`(mockKeyStore.getKey(newAlias, null)).thenReturn(mockKey)
  
    try {
      println("DEBUG: Calling migrateLegacyKey()")
      CipherStorageBase.migrateLegacyKey(
        legacyAlias,
        newAlias, 
        mockKeyStore,
        mockResultHandler,
        SecurityLevel.SECURE_SOFTWARE
      )
      println("DEBUG: migrateLegacyKey() completed successfully")
    } catch(e: Exception) {
      println("DEBUG: migrateLegacyKey() threw exception: ${e.message}")
      throw e
    }

    val inOrder = inOrder(mockKeyStore)
    inOrder.verify(mockKeyStore).getKey(legacyAlias, null)
    inOrder.verify(mockKeyStore).setKeyEntry(eq(newAlias), eq(mockKey), isNull(), any())
    inOrder.verify(mockKeyStore).getKey(newAlias, null)
    inOrder.verify(mockKeyStore).deleteEntry(legacyAlias)
    println("DEBUG: Migration test verified in order")
  }

  @Test
  fun testExtractKeyWithMigration() {
    val retries = AtomicInteger(1)
    val alias = "test_key"
    val prefixedAlias = "AES_GCM_test_key"

    `when`(mockKeyStore.containsAlias(prefixedAlias)).thenReturn(false)
    `when`(mockKeyStore.containsAlias(alias)).thenReturn(true)
    `when`(mockKeyStore.getKey(alias, null)).thenReturn(mockKey)

    val result = cipherStorage.testExtractKeyWithMigration(
      alias,
      "AES_GCM",
      mockResultHandler,
      SecurityLevel.SECURE_SOFTWARE,
      retries
    )

    assertEquals(mockKey, result)
    verify(mockKeyStore).setKeyEntry(
      eq(prefixedAlias),
      eq(mockKey),
      isNull(),
      any()
    )
  }

  @Test
  fun testValidateKeySecurityLevel() {
    val keyInfo = mock(KeyInfo::class.java)
    lenient().`when`(keyInfo.isInsideSecureHardware).thenReturn(true)
    
    lenient().`when`(mockKey.algorithm).thenReturn("AES")
    assertTrue(
      cipherStorage.testValidateKeySecurityLevel(
        SecurityLevel.SECURE_SOFTWARE,
        mockKey
      )
    )
  }

  private class TestCipherStorage(context: Context) : CipherStorageBase(context) {
    override fun getCipherStorageName() = "TEST"
    override fun getMinSupportedApiLevel() = 23
    override fun isAuthSupported() = false
    override fun getEncryptionAlgorithm() = "AES"
    override fun getEncryptionTransformation() = "AES/GCM/NoPadding"
    override fun getKeyGenSpecBuilder(alias: String) =
      mock(KeyGenParameterSpec.Builder::class.java)
    
    @Suppress("DEPRECATION")
    override fun getKeyInfo(key: Key): KeyInfo {
      val mockKeyInfo = mock(KeyInfo::class.java)
      `when`(mockKeyInfo.isInsideSecureHardware).thenReturn(true)
      return mockKeyInfo
    }
    
    override fun generateKey(spec: KeyGenParameterSpec): Key = mock(Key::class.java)
    
    override fun encrypt(
      handler: ResultHandler,
      alias: String,
      username: String,
      password: String,
      level: SecurityLevel
    ) {
      // No-op implementation for testing
    }
    
    override fun decrypt(
      handler: ResultHandler,
      alias: String,
      username: ByteArray,
      password: ByteArray,
      level: SecurityLevel
    ) {
      // No-op implementation for testing.
      val result = CipherStorage.DecryptionResult("", "", SecurityLevel.SECURE_SOFTWARE)
      handler.onDecrypt(result, null)
    }
    fun testExtractKeyWithMigration(
      alias: String,
      prefix: String, 
      handler: ResultHandler,
      level: SecurityLevel,
      retries: AtomicInteger
    ): Key = extractKeyWithMigration(alias, prefix, handler, level, retries)
    
    fun testValidateKeySecurityLevel(level: SecurityLevel, key: Key): Boolean =
      validateKeySecurityLevel(level, key)
  }
}

[Bowlerr]

@DorianMazur Do I need to do anything for iOS?