Change how we save the encyption key (#1290)

SabrinaTardio · web-flow · commit 3dce946921e1 · 2023-06-26T08:17:10.000+01:00
Task/Issue URL: https://app.asana.com/0/1177771139624306/1204466438263867/f Description: During migration to a new mac users lose their history because the encryption key (used to encrypt and decrypt history and autofill data) is not migrated into the new mac. This PR changes the way the encryption key is saved. It used to be saved in binary as an iCloud item with this change will be saved in bae64 and as a login item. The change to login item should allow the key to be migrated to the new mac. Saving the key in base 64 so that is visible from keychain could be potentially use to fix problems after migration afterwards. If the key is not been saved in the new way yet it will read the original one and save it in the new way
diff --git a/DuckDuckGo/Common/FileSystem/EncryptionKeys/EncryptionKeyStore.swift b/DuckDuckGo/Common/FileSystem/EncryptionKeys/EncryptionKeyStore.swift
@@ -23,6 +23,8 @@ enum EncryptionKeyStoreError: Error, ErrorWithParameters {
     case storageFailed(OSStatus)
     case readFailed(OSStatus)
     case deletionFailed(OSStatus)
+    case cannotTransformDataToString(OSStatus)
+    case cannotTransfrotmStringToBase64Data(OSStatus)
 
     var errorParameters: [String: String] {
         switch self {
@@ -32,6 +34,10 @@ enum EncryptionKeyStoreError: Error, ErrorWithParameters {
             return [Pixel.Parameters.keychainErrorCode: "\(status)"]
         case .deletionFailed(let status):
             return [Pixel.Parameters.keychainErrorCode: "\(status)"]
+        case .cannotTransformDataToString(let status):
+            return [Pixel.Parameters.keychainErrorCode: "\(status)"]
+        case .cannotTransfrotmStringToBase64Data(let status):
+            return [Pixel.Parameters.keychainErrorCode: "\(status)"]
         }
     }
 }
@@ -45,6 +51,8 @@ final class EncryptionKeyStore: EncryptionKeyStoring {
         static let encryptionKeyAccount = "com.duckduckgo.macos.browser"
 #endif
         static let encryptionKeyService = "DuckDuckGo Privacy Browser Data Encryption Key"
+
+        static let encryptionKeyServiceBase64 = "DuckDuckGo Privacy Browser Encryption Key v2"
     }
 
     private let generator: EncryptionKeyGenerating
@@ -53,8 +61,7 @@ final class EncryptionKeyStore: EncryptionKeyStoring {
     private var defaultKeychainQueryAttributes: [String: Any] {
         return [
             kSecClass: kSecClassGenericPassword,
-            kSecAttrAccount: account,
-            kSecUseDataProtectionKeychain: true
+            kSecAttrAccount: account
         ] as [String: Any]
     }
 
@@ -70,25 +77,43 @@ final class EncryptionKeyStore: EncryptionKeyStoring {
     // MARK: - Keychain
 
     func store(key: SymmetricKey) throws {
-        var query = defaultKeychainQueryAttributes
-        query[kSecAttrService as String] = Constants.encryptionKeyService
-        query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlocked
-        query[kSecValueData as String] = key.dataRepresentation
+         let attributes: [String: Any] = [
+             kSecClass as String: kSecClassGenericPassword,
+             kSecAttrAccount as String: account,
+             kSecValueData as String: key.dataRepresentation.base64EncodedString(),
+             kSecAttrService as String: Constants.encryptionKeyServiceBase64,
+             kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlocked
+         ]
+
+         // Add the login item to the keychain
+         let status = SecItemAdd(attributes as CFDictionary, nil)
+
+         guard status == errSecSuccess else {
+             throw EncryptionKeyStoreError.storageFailed(status)
+         }
+     }
 
-        let status = SecItemAdd(query as CFDictionary, nil)
-
-        guard status == errSecSuccess else {
-            throw EncryptionKeyStoreError.storageFailed(status)
+    func readKey() throws -> SymmetricKey {
+        /// Needed to change how we save the key
+        /// Checks if the base64 non iCloud key already exist
+        /// if so we return
+        if let key = try? readKeyFromKeychain(account: account, format: .base64) {
+            return key
+        }
+        /// If the base64 key does not exist we check if we have the legacy key
+        /// if so we store it as base64 local item key
+        if let key = try readKeyFromKeychain(account: account, format: .raw) {
+            try store(key: key)
         }
-    }
 
-    func readKey() throws -> SymmetricKey {
-        if let key = try readKeyFromKeychain(account: account) {
+        /// We try again to retrieve the base64 non iCloud key
+        /// if so we return the key
+        /// otherwise we generate a new one and store it
+        if let key = try readKeyFromKeychain(account: account, format: .base64) {
             return key
         } else {
             let generatedKey = generator.randomKey()
             try store(key: generatedKey)
-
             return generatedKey
         }
     }
@@ -105,11 +130,22 @@ final class EncryptionKeyStore: EncryptionKeyStoring {
 
     // MARK: - Private
 
-    private func readKeyFromKeychain(account: String) throws -> SymmetricKey? {
+    private enum KeyFormat {
+        case raw
+        case base64
+    }
+
+    private func readKeyFromKeychain(account: String, format: KeyFormat) throws -> SymmetricKey? {
         var query = defaultKeychainQueryAttributes
         query[kSecReturnData as String] = true
 
         var item: CFTypeRef?
+        switch format {
+        case .raw:
+            query[kSecAttrService as String] = Constants.encryptionKeyService
+        case .base64:
+            query[kSecAttrService as String] = Constants.encryptionKeyServiceBase64
+        }
         let status = SecItemCopyMatching(query as CFDictionary, &item)
 
         switch status {
@@ -118,12 +154,25 @@ final class EncryptionKeyStore: EncryptionKeyStoring {
                 throw EncryptionKeyStoreError.readFailed(status)
             }
 
-            return SymmetricKey(data: data)
+            let finalData: Data
+            switch format {
+            case .raw:
+                finalData = data
+            case .base64:
+                guard let base64String = String(data: data, encoding: .utf8) else {
+                    throw EncryptionKeyStoreError.cannotTransformDataToString(status)
+                }
+                guard let keyData = Data(base64Encoded: base64String) else {
+                    throw EncryptionKeyStoreError.cannotTransfrotmStringToBase64Data(status)
+                }
+                finalData = keyData
+            }
+            print(finalData.base64EncodedString())
+            return SymmetricKey(data: finalData)
         case errSecItemNotFound:
             return nil
         default:
             throw EncryptionKeyStoreError.readFailed(status)
         }
     }
-
 }
diff --git a/IntegrationTests/EncryptionKeyStoreTests.swift b/IntegrationTests/EncryptionKeyStoreTests.swift
@@ -27,11 +27,13 @@ final class EncryptionKeyStoreTests: XCTestCase {
     override func setUp() {
         super.setUp()
         removeTestKeys()
+        UserDefaultsWrapper<Any>.clearAll()
     }
 
     override func tearDown() {
         super.tearDown()
         removeTestKeys()
+        UserDefaultsWrapper<Any>.clearAll()
     }
 
     func testStoringKeys() {
@@ -68,9 +70,40 @@ final class EncryptionKeyStoreTests: XCTestCase {
         XCTAssertEqual(firstReadKey, secondReadKey)
     }
 
+    func testThatIfWhenThereIsAKeySavedInRowFormatTheSameKeyIsReadInBase64() {
+        let originalKey = generator.randomKey()
+        let store = EncryptionKeyStore(generator: generator, account: account)
+
+        try? storeWithOldMechanism(key: originalKey)
+        let readKey = try? store.readKey()
+
+        XCTAssertEqual(originalKey, readKey)
+    }
+
     private func removeTestKeys() {
         let store = EncryptionKeyStore(generator: generator, account: account)
         try? store.deleteKey()
     }
 
+    private func storeWithOldMechanism(key: SymmetricKey) throws {
+        var query = oldDefaultKeychainQueryAttributes
+        query[kSecAttrService as String] = EncryptionKeyStore.Constants.encryptionKeyService
+         query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlocked
+         query[kSecValueData as String] = key.dataRepresentation
+
+         let status = SecItemAdd(query as CFDictionary, nil)
+
+         guard status == errSecSuccess else {
+             throw EncryptionKeyStoreError.storageFailed(status)
+         }
+     }
+
+    private var oldDefaultKeychainQueryAttributes: [String: Any] {
+        return [
+            kSecClass: kSecClassGenericPassword,
+            kSecAttrAccount: account,
+            kSecUseDataProtectionKeychain: true
+        ] as [String: Any]
+    }
+
 }
