PinRepositorySoftware now uses DeviceInfo when hashing PIN

Author: Wavesonics

app/src/main/kotlin/com/darkrockstudios/app/securecamera/AppModule.kt

@@ -47,7 +47,7 @@ val appModule = module {
 		val detector = get<SecurityLevelDetector>()
 		when (detector.detectSecurityLevel()) {
 			SecurityLevel.SOFTWARE ->
-				PinRepositorySoftware(get())
+				PinRepositorySoftware(get(), get())
 
 			SecurityLevel.TEE, SecurityLevel.STRONGBOX -> {
 				PinRepositoryHardware(get(), get())

app/src/main/kotlin/com/darkrockstudios/app/securecamera/security/pin/PinRepository.kt

@@ -12,8 +12,8 @@ interface PinRepository {
 		return verifyPin(pin, storedHashedPin)
 	}
 
-	fun hashPin(pin: String): HashedPin
-	fun verifyPin(inputPin: String, storedHash: HashedPin): Boolean
+	suspend fun hashPin(pin: String): HashedPin
+	suspend fun verifyPin(inputPin: String, storedHash: HashedPin): Boolean
 	suspend fun setPoisonPillPin(pin: String)
 	suspend fun getPlainPoisonPillPin(): String?
 	suspend fun getHashedPoisonPillPin(): HashedPin?
@@ -34,4 +34,9 @@ interface PinRepository {
 		val storedHashedPin = getHashedPoisonPillPin() ?: return false
 		return verifyPin(pin, storedHashedPin)
 	}
+
+	companion object {
+		const val ARGON_ITERATIONS = 5
+		const val ARGON_COST = 65536
+	}
 }

app/src/main/kotlin/com/darkrockstudios/app/securecamera/security/pin/PinRepositoryHardware.kt

@@ -2,6 +2,8 @@ package com.darkrockstudios.app.securecamera.security.pin
 
 import com.darkrockstudios.app.securecamera.preferences.*
 import com.darkrockstudios.app.securecamera.security.SchemeConfig
+import com.darkrockstudios.app.securecamera.security.pin.PinRepository.Companion.ARGON_COST
+import com.darkrockstudios.app.securecamera.security.pin.PinRepository.Companion.ARGON_ITERATIONS
 import com.darkrockstudios.app.securecamera.security.schemes.EncryptionScheme
 import com.lambdapioneer.argon2kt.Argon2Kt
 import com.lambdapioneer.argon2kt.Argon2KtResult
@@ -36,13 +38,13 @@ class PinRepositoryHardware(
 		return Json.decodeFromString(HashedPin.serializer(), hashedPinJson)
 	}
 
-	override fun hashPin(pin: String): HashedPin {
+	override suspend fun hashPin(pin: String): HashedPin {
 		val salt = CryptographyRandom.nextBytes(16)
 		val hashResult: Argon2KtResult = argon2Kt.hash(
 			mode = Argon2Mode.ARGON2_I,
 			password = pin.toByteArray(Charsets.UTF_8),
 			salt = salt,
-			tCostInIterations = ARGON_ITTERATIONS,
+			tCostInIterations = ARGON_ITERATIONS,
 			mCostInKibibyte = ARGON_COST,
 		)
 
@@ -52,7 +54,7 @@ class PinRepositoryHardware(
 		)
 	}
 
-	override fun verifyPin(
+	override suspend fun verifyPin(
 		inputPin: String,
 		storedHash: HashedPin
 	): Boolean {
@@ -107,7 +109,5 @@ class PinRepositoryHardware(
 
 	companion object {
 		const val PIN_KEY_ALIAS = "pin_key"
-		const val ARGON_ITTERATIONS = 5
-		const val ARGON_COST = 65536
 	}
 }

app/src/main/kotlin/com/darkrockstudios/app/securecamera/security/pin/PinRepositorySoftware.kt

@@ -1,17 +1,22 @@
 package com.darkrockstudios.app.securecamera.security.pin
 
 import com.darkrockstudios.app.securecamera.preferences.*
+import com.darkrockstudios.app.securecamera.security.DeviceInfo
 import com.darkrockstudios.app.securecamera.security.SchemeConfig
+import com.darkrockstudios.app.securecamera.security.pin.PinRepository.Companion.ARGON_COST
+import com.darkrockstudios.app.securecamera.security.pin.PinRepository.Companion.ARGON_ITERATIONS
 import com.lambdapioneer.argon2kt.Argon2Kt
 import com.lambdapioneer.argon2kt.Argon2KtResult
 import com.lambdapioneer.argon2kt.Argon2Mode
 import dev.whyoleg.cryptography.random.CryptographyRandom
+import kotlinx.coroutines.runBlocking
 import kotlinx.serialization.encodeToString
 import kotlinx.serialization.json.Json
 import kotlin.io.encoding.ExperimentalEncodingApi
 
 class PinRepositorySoftware(
 	private val dataSource: AppPreferencesDataSource,
+	private val deviceInfo: DeviceInfo,
 ) : PinRepository {
 	private val argon2Kt = Argon2Kt()
 
@@ -31,13 +36,14 @@ class PinRepositorySoftware(
 	}
 
 	@OptIn(ExperimentalStdlibApi::class)
-	override fun hashPin(pin: String): HashedPin {
+	override suspend fun hashPin(pin: String): HashedPin {
 		val salt = CryptographyRandom.nextBytes(16)
+		val password = pin.toByteArray(Charsets.UTF_8) + runBlocking { deviceInfo.getDeviceIdentifier() }
 		val hashResult: Argon2KtResult = argon2Kt.hash(
 			mode = Argon2Mode.ARGON2_I,
-			password = pin.toByteArray(Charsets.UTF_8),
+			password = password,
 			salt = salt,
-			tCostInIterations = ARGON_ITTERATIONS,
+			tCostInIterations = ARGON_ITERATIONS,
 			mCostInKibibyte = ARGON_COST,
 		)
 
@@ -48,11 +54,12 @@ class PinRepositorySoftware(
 	}
 
 	@OptIn(ExperimentalStdlibApi::class)
-	override fun verifyPin(inputPin: String, storedHash: HashedPin): Boolean {
+	override suspend fun verifyPin(inputPin: String, storedHash: HashedPin): Boolean {
+		val password = inputPin.toByteArray() + deviceInfo.getDeviceIdentifier()
 		return argon2Kt.verify(
 			mode = Argon2Mode.ARGON2_I,
 			encoded = String(storedHash.hash.base64DecodeUrlSafe()),
-			password = inputPin.toByteArray(),
+			password = password,
 		)
 	}
 
@@ -104,9 +111,4 @@ class PinRepositorySoftware(
 	override suspend fun removePoisonPillPin() {
 		dataSource.removePoisonPillPin()
 	}
-
-	companion object {
-		private const val ARGON_ITTERATIONS = 5
-		private const val ARGON_COST = 65536
-	}
 }

app/src/main/kotlin/com/darkrockstudios/app/securecamera/usecases/MigratePinHash.kt

@@ -2,10 +2,11 @@ package com.darkrockstudios.app.securecamera.usecases
 
 import at.favre.lib.crypto.bcrypt.BCrypt
 import com.darkrockstudios.app.securecamera.preferences.*
+import com.darkrockstudios.app.securecamera.security.DeviceInfo
 import com.darkrockstudios.app.securecamera.security.SecurityLevel
 import com.darkrockstudios.app.securecamera.security.SecurityLevelDetector
-import com.darkrockstudios.app.securecamera.security.pin.PinRepositoryHardware.Companion.ARGON_COST
-import com.darkrockstudios.app.securecamera.security.pin.PinRepositoryHardware.Companion.ARGON_ITTERATIONS
+import com.darkrockstudios.app.securecamera.security.pin.PinRepository.Companion.ARGON_COST
+import com.darkrockstudios.app.securecamera.security.pin.PinRepository.Companion.ARGON_ITERATIONS
 import com.darkrockstudios.app.securecamera.security.pin.PinRepositoryHardware.Companion.PIN_KEY_ALIAS
 import com.darkrockstudios.app.securecamera.security.schemes.EncryptionScheme
 import com.darkrockstudios.app.securecamera.security.schemes.HardwareBackedEncryptionScheme
@@ -21,6 +22,7 @@ class MigratePinHash(
 	private val dataSource: AppPreferencesDataSource,
 	private val encryptionScheme: EncryptionScheme,
 	private val removePoisonPillIUseCase: RemovePoisonPillIUseCase,
+	private val deviceInfo: DeviceInfo,
 ) {
 	private val argon2Kt = Argon2Kt()
 
@@ -50,7 +52,7 @@ class MigratePinHash(
 
 	private suspend fun migrateToHardware(pin: String) {
 		val legacyPin = getLegacyHashedPin()
-		val newPin = argonHashPin(pin, legacyPin!!.salt)
+		val newPin = argonHashPinHardware(pin, legacyPin!!.salt)
 
 		val hashedPinJson = Json.Default.encodeToString(newPin)
 
@@ -64,23 +66,21 @@ class MigratePinHash(
 		// Migrate the encryption key, just need to rename it
 		encryptionScheme as HardwareBackedEncryptionScheme
 		// There should only be 1 key because we removed the Poison Pill
-		val oldKeyFile =
-			encryptionScheme.keyDir().listFiles()?.first() ?: error("No key file found! Migration will fail")
-		val newKeyFile = encryptionScheme.dekFile(newPin)
-		oldKeyFile.renameTo(newKeyFile)
+		encryptionScheme.keyDir().listFiles()?.first()?.let { oldKeyFile ->
+			val newKeyFile = encryptionScheme.dekFile(newPin)
+			oldKeyFile.renameTo(newKeyFile)
+		}
 	}
 
-	private suspend fun argonHashPin(pin: String, salt: String): HashedPin {
+	private suspend fun argonHashPinHardware(pin: String, salt: String): HashedPin {
 		val hashResult: Argon2KtResult = argon2Kt.hash(
 			mode = Argon2Mode.ARGON2_I,
 			password = pin.toByteArray(Charsets.UTF_8),
 			salt = salt.toByteArray(),
-			tCostInIterations = ARGON_ITTERATIONS,
+			tCostInIterations = ARGON_ITERATIONS,
 			mCostInKibibyte = ARGON_COST,
 		)
 
-		Timber.i("argonHashPin done")
-
 		return HashedPin(
 			hashResult.encodedOutputAsString().toByteArray().base64EncodeUrlSafe(),
 			salt
@@ -93,11 +93,27 @@ class MigratePinHash(
 		val schemeConfig = dataSource.getSchemeConfig()
 		val key = dataSource.getCipherKey()
 
-		val hashedPin = argonHashPin(pin, legacyPin!!.salt)
+		val hashedPin = argonHashPinSoftware(pin, legacyPin!!.salt)
 
 		val cipheredHash = XorCipher.encrypt(Json.Default.encodeToString(hashedPin), key)
 		val configJson = Json.encodeToString(schemeConfig)
 
 		dataSource.setAppPin(cipheredHash, configJson)
 	}
+
+	private suspend fun argonHashPinSoftware(pin: String, salt: String): HashedPin {
+		val hashResult: Argon2KtResult = argon2Kt.hash(
+			mode = Argon2Mode.ARGON2_I,
+			password = pin.toByteArray(Charsets.UTF_8) + deviceInfo.getDeviceIdentifier(),
+			salt = salt.toByteArray(),
+			tCostInIterations = ARGON_ITERATIONS,
+			mCostInKibibyte = ARGON_COST,
+		)
+
+		return HashedPin(
+			hashResult.encodedOutputAsString().toByteArray().base64EncodeUrlSafe(),
+			salt
+		)
+	}
+
 }