Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Automatically unlock keystore using fingerprint, if possible #14

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,11 @@ You will need to configure cargo with the correct locations for "ar" and "linker
[https://mozilla.github.io/firefox-browser-architecture/experiments/2017-09-21-rust-on-android.html](https://mozilla.github.io/firefox-browser-architecture/experiments/2017-09-21-rust-on-android.html)
Then this project can be compiled with the command `cargo build --target=aarch64-linux-android` (or any other Android target).

Alternatively, you can download a precompiled deb package from the releases page.
Alternatively, you can download a precompiled deb package from the releases page, or install it from the termux package repo:

```
pkg i tergent
```

Upgrading from 0.1
------------------
Expand Down Expand Up @@ -77,4 +81,4 @@ Auto-locking
tergent does not provide password protected sessions yet.
However, Android [provides a mechanism](https://developer.android.com/training/articles/keystore#UserAuthentication) to automatically lock the keys after a specified time has passed since the last device unlock. To take advantage of this feature, use the flag while generating the keys, e.g. `--ei validity 10` for a 10-second lock. In this case, the keys are usable only for 10 seconds after the phone is unlocked. To unlock the keys after this time has passed, simply re-lock and unlock your device again.

Alternatively, you can invoke a biometric prompt (fingerprint or face unlock) which might also reset this timer depending on your device. termux includes the `termux-fingerprint` command which can be used for this purpose.
Alternatively, you can invoke a biometric prompt (fingerprint or face unlock) which might also reset this timer depending on your device. Tergent will automatically try invoking the termux Fingerprint API to prompt biometric authentication.
51 changes: 44 additions & 7 deletions src/bridge/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -7,12 +7,15 @@ use std::error::Error;
use std::io::{Read, Write};
use std::process::{Command, Stdio};

use serde_json;
use serde_json::{Value};

use base64;

/// Send a request to `termux-api` to list all the keys.
/// Returns a string that contains a JSON object.
pub fn list_keys() -> Result<String, Box<dyn Error>> {
Ok(communicate(&["list", "--ez", "detailed", "true"], &[0; 0])?)
Ok(communicate(&"Keystore", &["-e", "command", "list", "--ez", "detailed", "true"], &[0; 0])?)
}

/// Send some data to `termux-api` to be signed.
Expand All @@ -23,16 +26,48 @@ pub fn list_keys() -> Result<String, Box<dyn Error>> {
///
/// [Signature algorithms]:
/// https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#Signature
fn sign_internal(alias: &str, algorithm: &str, data: &[u8]) -> Result<Vec<u8>, Box<dyn Error>> {
let args = [
"-e", "command", "sign",
"-e", "alias", alias,
"-e", "algorithm", algorithm
];
let output = communicate(&"Keystore", &args, data)?;
let res = base64::decode(output)?;
if res.len() == 0 {
return Err("Could not sign!".into())
}
Ok(res)
}

pub fn unlock() -> Result<(), Box<dyn Error>> {
let args = [
"--es", "title", "Tergent",
"--es", "description", "Use your fingerprint to unlock the keystore",
];
let json = communicate(&"Fingerprint", &args, &[0; 0])?;
let decoded: Value = serde_json::from_str::<serde_json::Value>(&json)?;
let res = decoded["auth_result"].as_str().ok_or("Invalid result")?;
if res == "AUTH_RESULT_FAILURE" {
return Err("Fingerprint authentication failed".into())
}
Ok(())
}

pub fn sign(alias: &str, algorithm: &str, data: &[u8]) -> Result<Vec<u8>, Box<dyn Error>> {
let args = ["sign", "-e", "alias", alias, "-e", "algorithm", algorithm];
let output = communicate(&args, data)?;
return Ok(base64::decode(output)?);
match sign_internal(&alias, &algorithm, &data) {
Ok(res) => Ok(res),
Err(_) => match unlock() {
Ok(_) => Ok(sign_internal(&alias, &algorithm, &data)?),
Err(e) => Err(e)
}
}
}

/// Performs a generic call to `termux-api`, providing `args` to its receiver.
/// Sets up proper sockets so that the `input` is provided to `termux-api` and
/// its output is returned from this function.
fn communicate(args: &[&str], input: &[u8]) -> Result<String, Box<dyn Error>> {
fn communicate(method: &str, args: &[&str], input: &[u8]) -> Result<String, Box<dyn Error>> {
let mut input_socket = socket::Socket::new()?;
let mut output_socket = socket::Socket::new()?;

Expand All @@ -43,7 +78,7 @@ fn communicate(args: &[&str], input: &[u8]) -> Result<String, Box<dyn Error>> {
.args(&["-n", "com.termux.api/.TermuxApiReceiver"])
.args(&["--es", "socket_input", &output_socket.address()])
.args(&["--es", "socket_output", &input_socket.address()])
.args(&["--es", "api_method", "Keystore", "-e", "command"])
.args(&["--es", "api_method", method])
.args(args)
.stdin(Stdio::null())
.stdout(Stdio::null())
Expand All @@ -65,6 +100,8 @@ fn communicate(args: &[&str], input: &[u8]) -> Result<String, Box<dyn Error>> {
input_socket.close()?;

// We need to reap our children otherwise they will stay as zombies.
command.wait()?;
// Ignore result, since this may error if the process has already closed
command.wait();

Ok(output)
}