From 076b99676d96f50876ecd077ed0fe6fb31bea6df Mon Sep 17 00:00:00 2001
From: antelle <dmitryvit@gmail.com>
Date: Fri, 2 Apr 2021 18:47:04 +0200
Subject: [PATCH] fix #1775: special error message for cases when Touch ID is
 changed after setup also added Touch ID key deletion when it's disabled

---
 app/scripts/comp/launcher/native-modules.js       |  4 ++++
 app/scripts/locales/base.json                     |  1 +
 app/scripts/views/open-view.js                    |  9 ++++++++-
 .../views/settings/settings-general-view.js       |  4 ++++
 desktop/scripts/ipc-handlers/hardware-crypto.js   | 15 ++++++++++++---
 desktop/scripts/ipc.js                            |  7 ++++++-
 release-notes.md                                  |  1 +
 7 files changed, 36 insertions(+), 5 deletions(-)

diff --git a/app/scripts/comp/launcher/native-modules.js b/app/scripts/comp/launcher/native-modules.js
index 881f56ec..9bee3360 100644
--- a/app/scripts/comp/launcher/native-modules.js
+++ b/app/scripts/comp/launcher/native-modules.js
@@ -176,6 +176,10 @@ if (Launcher) {
             return this.call('argon2', password, salt, options);
         },
 
+        hardwareCryptoDeleteKey: async () => {
+            await ipcRenderer.invoke('hardwareCryptoDeleteKey');
+        },
+
         hardwareEncrypt: async (value) => {
             const { data, salt } = await ipcRenderer.invoke('hardwareEncrypt', value.dataAndSalt());
             return new kdbxweb.ProtectedValue(data, salt);
diff --git a/app/scripts/locales/base.json b/app/scripts/locales/base.json
index d7d8399f..72a875fc 100644
--- a/app/scripts/locales/base.json
+++ b/app/scripts/locales/base.json
@@ -224,6 +224,7 @@
     "openConfigErrorNotFound": "File not found",
     "openError": "Error",
     "openErrorDescription": "There was an error opening file",
+    "openErrorDescriptionMaybeTouchIdChanged": "The error looks similar to what usually happens when Touch ID setup is changed, for example, you added or removed an additional finger. If it's the case, go to Settings, disable Touch ID, and re-enable it again.",
     "openErrorFileNotFound": "File not found",
     "openListErrorBody": "There was an error loading file list",
     "openShowAllFiles": "Show all files",
diff --git a/app/scripts/views/open-view.js b/app/scripts/views/open-view.js
index de6fad7b..31eaaaf0 100644
--- a/app/scripts/views/open-view.js
+++ b/app/scripts/views/open-view.js
@@ -689,7 +689,10 @@ class OpenView extends View {
                 .catch((err) => {
                     if (err.message.includes('User refused')) {
                         err.userCanceled = true;
+                    } else if (err.message.includes('SecKeyCreateDecryptedData')) {
+                        err.maybeTouchIdChanged = true;
                     }
+                    logger.error('Error in hardware decryption', err);
                     this.openDbComplete(err);
                 });
         } else {
@@ -718,9 +721,13 @@ class OpenView extends View {
                 if (err.notFound) {
                     err = Locale.openErrorFileNotFound;
                 }
+                let alertBody = Locale.openErrorDescription;
+                if (err.maybeTouchIdChanged) {
+                    alertBody += '\n' + Locale.openErrorDescriptionMaybeTouchIdChanged;
+                }
                 Alerts.error({
                     header: Locale.openError,
-                    body: Locale.openErrorDescription,
+                    body: alertBody,
                     pre: this.errorToString(err)
                 });
             }
diff --git a/app/scripts/views/settings/settings-general-view.js b/app/scripts/views/settings/settings-general-view.js
index f287ccda..55d74c2e 100644
--- a/app/scripts/views/settings/settings-general-view.js
+++ b/app/scripts/views/settings/settings-general-view.js
@@ -18,6 +18,7 @@ import { SettingsLogsView } from 'views/settings/settings-logs-view';
 import { SettingsPrvView } from 'views/settings/settings-prv-view';
 import { mapObject, minmax } from 'util/fn';
 import { ThemeWatcher } from 'comp/browser/theme-watcher';
+import { NativeModules } from 'comp/launcher/native-modules';
 import template from 'templates/settings/settings-general.hbs';
 
 class SettingsGeneralView extends View {
@@ -449,6 +450,9 @@ class SettingsGeneralView extends View {
         this.render();
 
         this.appModel.checkEncryptedPasswordsStorage();
+        if (!deviceOwnerAuth) {
+            NativeModules.hardwareCryptoDeleteKey().catch(() => {});
+        }
     }
 
     changeDeviceOwnerAuthTimeout(e) {
diff --git a/desktop/scripts/ipc-handlers/hardware-crypto.js b/desktop/scripts/ipc-handlers/hardware-crypto.js
index 5518a06b..bc5a2b59 100644
--- a/desktop/scripts/ipc-handlers/hardware-crypto.js
+++ b/desktop/scripts/ipc-handlers/hardware-crypto.js
@@ -1,13 +1,23 @@
 const { readXoredValue, makeXoredValue } = require('../util/byte-utils');
 const { reqNative } = require('../util/req-native');
 
+const keyTag = 'net.antelle.keeweb.encryption-key';
+
 let testCipherParams;
+let keyChecked = false;
 
 module.exports = {
+    hardwareCryptoDeleteKey,
     hardwareEncrypt,
     hardwareDecrypt
 };
 
+async function hardwareCryptoDeleteKey() {
+    const secureEnclave = reqNative('secure-enclave');
+    await secureEnclave.deleteKeyPair({ keyTag });
+    keyChecked = false;
+}
+
 async function hardwareEncrypt(e, value) {
     return await hardwareCrypto(value, true);
 }
@@ -27,7 +37,6 @@ async function hardwareCrypto(value, encrypt, touchIdPrompt) {
     //  so any attempt to use Secure Enclave API fails with an error.
 
     const secureEnclave = reqNative('secure-enclave');
-    const keyTag = 'net.antelle.keeweb.encryption-key';
 
     const data = readXoredValue(value);
 
@@ -69,12 +78,12 @@ async function hardwareCrypto(value, encrypt, touchIdPrompt) {
     return makeXoredValue(res);
 
     async function checkKey() {
-        if (checkKey.done) {
+        if (keyChecked) {
             return;
         }
         try {
             await secureEnclave.createKeyPair({ keyTag });
-            checkKey.done = true;
+            keyChecked = true;
         } catch (e) {
             if (!e.keyExists) {
                 throw e;
diff --git a/desktop/scripts/ipc.js b/desktop/scripts/ipc.js
index 7c8ab496..d0aaad59 100644
--- a/desktop/scripts/ipc.js
+++ b/desktop/scripts/ipc.js
@@ -1,9 +1,14 @@
 const { ipcMain } = require('electron');
-const { hardwareEncrypt, hardwareDecrypt } = require('./ipc-handlers/hardware-crypto');
+const {
+    hardwareCryptoDeleteKey,
+    hardwareEncrypt,
+    hardwareDecrypt
+} = require('./ipc-handlers/hardware-crypto');
 const { spawnProcess } = require('./ipc-handlers/spawn-process');
 const { nativeModuleCall } = require('./ipc-handlers/native-module-host-proxy');
 
 module.exports.setupIpcHandlers = () => {
+    ipcMain.handle('hardwareCryptoDeleteKey', hardwareCryptoDeleteKey);
     ipcMain.handle('hardwareEncrypt', hardwareEncrypt);
     ipcMain.handle('hardwareDecrypt', hardwareDecrypt);
     ipcMain.handle('spawnProcess', spawnProcess);
diff --git a/release-notes.md b/release-notes.md
index eed50019..50373bd0 100644
--- a/release-notes.md
+++ b/release-notes.md
@@ -5,6 +5,7 @@ Release notes
 `+` option to use short-lived tokens in cloud storages  
 `+` opening XML and CSV files using the Open button  
 `*` password generator now includes all selected character ranges  
+`+` better Touch ID error messages  
 `-` legacy auto-type removed  
 
 ##### v1.17.5 (2021-03-27)