fix #1775: special error message for cases when Touch ID is changed after setup

also added Touch ID key deletion when it's disabled
2 years ago · 076b99676d
parent b3dfa05a4a
commit 076b99676d
7 changed files with 36 additions and 5 deletions
--- a/app/scripts/comp/launcher/native-modules.js
+++ b/app/scripts/comp/launcher/native-modules.js
@ -176,6 +176,10 @@ if (Launcher) {
            return this.call('argon2', password, salt, options);
        },

+        hardwareCryptoDeleteKey: async () => {
+            await ipcRenderer.invoke('hardwareCryptoDeleteKey');
+        },
+
        hardwareEncrypt: async (value) => {
            const { data, salt } = await ipcRenderer.invoke('hardwareEncrypt', value.dataAndSalt());
            return new kdbxweb.ProtectedValue(data, salt);
--- a/app/scripts/locales/base.json
+++ b/app/scripts/locales/base.json
@ -224,6 +224,7 @@
    "openConfigErrorNotFound": "File not found",
    "openError": "Error",
    "openErrorDescription": "There was an error opening file",
+    "openErrorDescriptionMaybeTouchIdChanged": "The error looks similar to what usually happens when Touch ID setup is changed, for example, you added or removed an additional finger. If it's the case, go to Settings, disable Touch ID, and re-enable it again.",
    "openErrorFileNotFound": "File not found",
    "openListErrorBody": "There was an error loading file list",
    "openShowAllFiles": "Show all files",
--- a/app/scripts/views/open-view.js
+++ b/app/scripts/views/open-view.js
@ -689,7 +689,10 @@ class OpenView extends View {
                .catch((err) => {
                    if (err.message.includes('User refused')) {
                        err.userCanceled = true;
+                    } else if (err.message.includes('SecKeyCreateDecryptedData')) {
+                        err.maybeTouchIdChanged = true;
                    }
+                    logger.error('Error in hardware decryption', err);
                    this.openDbComplete(err);
                });
        } else {
@ -718,9 +721,13 @@ class OpenView extends View {
                if (err.notFound) {
                    err = Locale.openErrorFileNotFound;
                }
+                let alertBody = Locale.openErrorDescription;
+                if (err.maybeTouchIdChanged) {
+                    alertBody += '\n' + Locale.openErrorDescriptionMaybeTouchIdChanged;
+                }
                Alerts.error({
                    header: Locale.openError,
-                    body: Locale.openErrorDescription,
+                    body: alertBody,
                    pre: this.errorToString(err)
                });
            }
--- a/app/scripts/views/settings/settings-general-view.js
+++ b/app/scripts/views/settings/settings-general-view.js
@ -18,6 +18,7 @@ import { SettingsLogsView } from 'views/settings/settings-logs-view';
 import { SettingsPrvView } from 'views/settings/settings-prv-view';
 import { mapObject, minmax } from 'util/fn';
 import { ThemeWatcher } from 'comp/browser/theme-watcher';
+import { NativeModules } from 'comp/launcher/native-modules';
 import template from 'templates/settings/settings-general.hbs';

 class SettingsGeneralView extends View {
@ -449,6 +450,9 @@ class SettingsGeneralView extends View {
        this.render();

        this.appModel.checkEncryptedPasswordsStorage();
+        if (!deviceOwnerAuth) {
+            NativeModules.hardwareCryptoDeleteKey().catch(() => {});
+        }
    }

    changeDeviceOwnerAuthTimeout(e) {
--- a/desktop/scripts/ipc-handlers/hardware-crypto.js
+++ b/desktop/scripts/ipc-handlers/hardware-crypto.js
@ -1,13 +1,23 @@
 const { readXoredValue, makeXoredValue } = require('../util/byte-utils');
 const { reqNative } = require('../util/req-native');

+const keyTag = 'net.antelle.keeweb.encryption-key';
+
 let testCipherParams;
+let keyChecked = false;

 module.exports = {
+    hardwareCryptoDeleteKey,
    hardwareEncrypt,
    hardwareDecrypt
 };

+async function hardwareCryptoDeleteKey() {
+    const secureEnclave = reqNative('secure-enclave');
+    await secureEnclave.deleteKeyPair({ keyTag });
+    keyChecked = false;
+}
+
 async function hardwareEncrypt(e, value) {
    return await hardwareCrypto(value, true);
 }
@ -27,7 +37,6 @@ async function hardwareCrypto(value, encrypt, touchIdPrompt) {
    //  so any attempt to use Secure Enclave API fails with an error.

    const secureEnclave = reqNative('secure-enclave');
-    const keyTag = 'net.antelle.keeweb.encryption-key';

    const data = readXoredValue(value);

@ -69,12 +78,12 @@ async function hardwareCrypto(value, encrypt, touchIdPrompt) {
    return makeXoredValue(res);

    async function checkKey() {
-        if (checkKey.done) {
+        if (keyChecked) {
            return;
        }
        try {
            await secureEnclave.createKeyPair({ keyTag });
-            checkKey.done = true;
+            keyChecked = true;
        } catch (e) {
            if (!e.keyExists) {
                throw e;
--- a/desktop/scripts/ipc.js
+++ b/desktop/scripts/ipc.js
@ -1,9 +1,14 @@
 const { ipcMain } = require('electron');
-const { hardwareEncrypt, hardwareDecrypt } = require('./ipc-handlers/hardware-crypto');
+const {
+    hardwareCryptoDeleteKey,
+    hardwareEncrypt,
+    hardwareDecrypt
+} = require('./ipc-handlers/hardware-crypto');
 const { spawnProcess } = require('./ipc-handlers/spawn-process');
 const { nativeModuleCall } = require('./ipc-handlers/native-module-host-proxy');

 module.exports.setupIpcHandlers = () => {
+    ipcMain.handle('hardwareCryptoDeleteKey', hardwareCryptoDeleteKey);
    ipcMain.handle('hardwareEncrypt', hardwareEncrypt);
    ipcMain.handle('hardwareDecrypt', hardwareDecrypt);
    ipcMain.handle('spawnProcess', spawnProcess);
--- a/release-notes.md
+++ b/release-notes.md
@ -5,6 +5,7 @@ Release notes
 `+` option to use short-lived tokens in cloud storages  
 `+` opening XML and CSV files using the Open button  
 `*` password generator now includes all selected character ranges  
+`+` better Touch ID error messages  
 `-` legacy auto-type removed  

 ##### v1.17.5 (2021-03-27)