From eeeb28d76b1b8f9f335e63704fb8671479da8ac1 Mon Sep 17 00:00:00 2001 From: Dave Humphreys Date: Tue, 30 Oct 2018 20:33:45 +0000 Subject: [PATCH 1/4] Fix for PasswordHardCoded bug Added migration support from old to new PasswordHardCoded values and back again --- .../AccountStore/AndroidAccountStore.cs | 40 +++++++++++++++---- 1 file changed, 32 insertions(+), 8 deletions(-) diff --git a/source/Core/Xamarin.Auth.XamarinAndroid/AccountStore/AndroidAccountStore.cs b/source/Core/Xamarin.Auth.XamarinAndroid/AccountStore/AndroidAccountStore.cs index cdede1100..11f649d80 100644 --- a/source/Core/Xamarin.Auth.XamarinAndroid/AccountStore/AndroidAccountStore.cs +++ b/source/Core/Xamarin.Auth.XamarinAndroid/AccountStore/AndroidAccountStore.cs @@ -48,9 +48,10 @@ internal partial class AndroidAccountStore : AccountStore // NOTE security hole! Left for backwards compatibility // PR56 static readonly char[] PasswordHardCoded = "3295043EA18CA264B2C40E0B72051DEF2D07AD2B4593F43DDDE1515A7EC32617".ToCharArray(); + static readonly char[] PasswordHardCodedOriginal = "System.Char[]".ToCharArray(); public AndroidAccountStore(Context context) - : this(context, new string(PasswordHardCoded)) + : this(context, new string(PasswordHardCoded)) { return; } @@ -66,7 +67,8 @@ public AndroidAccountStore(Context context, string password) if (password == null) { throw new ArgumentNullException("password"); - } + } + Password = password.ToCharArray(); this.context = context; 
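Review bot: The new `PasswordHardCodedOriginal` constant has no comment explaining why its literal is `"System.Char[]"`, so the next maintainer may take it for a typo. The value looks like the result of calling `ToString()` on a `char[]` in an earlier release (inferred, not shown in this hunk). I would add `// Value older releases used as the keystore password by mistake; kept only so existing stores can be opened and migrated` above it. The parameterless constructor in the same hunk still passes `new string(PasswordHardCoded)` as the store password, so stores created through it stay protected only by a value published in source. The existing `NOTE security hole!` comment should say that this applies to both constants.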
@@ -104,7 +106,17 @@ public AndroidAccountStore(Context context, string password) // that was encoded with the old hard coded password, which was deprecated. // We'll try to open the keystore with the old password, and migrate the contents // to a new one that will be encoded with the new password. - MigrateKeyStore(context); + //MigrateKeyStore(context); + try + { + //try with the original password + MigrateKeyStore(context, PasswordHardCodedOriginal); + } + catch (Java.IO.IOException ex2) + { + //migrate using the default + MigrateKeyStore(context); + } } } } @@ -211,7 +223,19 @@ public bool FileExists(Context context, String filename) } #region Migration of key store with hard coded password + + //Keep for backward compatibility void MigrateKeyStore(Context context) + { + MigrateKeyStore(context, PasswordHardCoded); + } + + /// + /// Migrates the key store. + /// + /// Context. + /// Password. + void MigrateKeyStore(Context context, char[] oldpassword) { // Moves aside the old keystore, opens it with the old hard coded password // and copies all entries to the new keystore, secured with the app provided password @@ -225,13 +249,13 @@ void MigrateKeyStore(Context context) { using (var s = context.OpenFileInput(FileName)) { - ks.Load(s, PasswordHardCoded); + ks.Load(s, oldpassword); } } MoveKeyStoreFile(context, FileName, FileName + "Old"); LoadEmptyKeyStore(Password); - CopyKeyStoreContents(); + CopyKeyStoreContents(oldpassword); context.DeleteFile(FileName + "Old"); } 
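Review bot: The fallback in the new `catch (Java.IO.IOException ex2)` block assumes the first `MigrateKeyStore(context, PasswordHardCodedOriginal)` call failed at `ks.Load`, before anything was moved. Going by the later hunks, `MigrateKeyStore` moves the file to `FileName + "Old"` and then `CopyKeyStoreContents` opens and loads that copy again. An `IOException` raised at that stage would reach this handler after the original file is gone, and the second attempt would then fail on a missing file and leave the accounts in the `Old` copy. Probing which legacy password opens the store before migrating, as sketched below, avoids that; it also removes the unused `ex2` and the commented-out `//MigrateKeyStore(context);` line. The enclosing constructor starts outside the hunk.

```csharp
// … unchanged: comment explaining why the old keystore is migrated …
// Probe with Load only, so nothing is moved or deleted before we know
// which legacy password opens the existing store.
char[] legacyPassword = PasswordHardCoded;
try
{
    var probe = KeyStore.GetInstance(KeyStore.DefaultType);
    using (var s = context.OpenFileInput(FileName))
    {
        probe.Load(s, PasswordHardCodedOriginal);
    }
    legacyPassword = PasswordHardCodedOriginal;
}
catch (Java.IO.IOException)
{
    // Store was not written with the original value; keep the default.
}
MigrateKeyStore(context, legacyPassword);
```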
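Review bot: The new overload names its parameter `oldpassword`, while `CopyKeyStoreContents(char[] oldPassword)` in the same patch uses `oldPassword`; use the camelCase form in both. The doc comment above the overload shows no parameter names on this page (the XML tags may have been lost in rendering), so confirm it reads along the lines of `/// <param name="oldPassword">Password the existing keystore file was written with.</param>`. A null argument is passed straight to `ks.Load`, so a guard such as `if (oldpassword == null) throw new ArgumentNullException("oldpassword");` would match the check the constructor already does for `password`. The method body continues in the next hunk.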
@@ -254,14 +278,14 @@ protected void MoveKeyStoreFile(Context context, string source, string destinati context.DeleteFile(FileName); } - protected void CopyKeyStoreContents() + protected void CopyKeyStoreContents(char[] oldPassword) { var oldKeyStore = KeyStore.GetInstance(KeyStore.DefaultType); - var oldProtection = new KeyStore.PasswordProtection(PasswordHardCoded); + var oldProtection = new KeyStore.PasswordProtection(oldPassword); using (var s = context.OpenFileInput(FileName + "Old")) { - oldKeyStore.Load(s, PasswordHardCoded); + oldKeyStore.Load(s, oldPassword); // Copy all aliases to a new keystore, using a different password var aliases = oldKeyStore.Aliases(); while (aliases.HasMoreElements) From c29b483335110136f8f4458b813f8c0601fc413b Mon Sep 17 00:00:00 2001 From: Dave Humphreys Date: Tue, 30 Oct 2018 20:35:01 +0000 Subject: [PATCH 2/4] Update AndroidAccountStore.cs --- .../AccountStore/AndroidAccountStore.cs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/Core/Xamarin.Auth.XamarinAndroid/AccountStore/AndroidAccountStore.cs b/source/Core/Xamarin.Auth.XamarinAndroid/AccountStore/AndroidAccountStore.cs index 11f649d80..c75078d1e 100644 --- a/source/Core/Xamarin.Auth.XamarinAndroid/AccountStore/AndroidAccountStore.cs +++ b/source/Core/Xamarin.Auth.XamarinAndroid/AccountStore/AndroidAccountStore.cs @@ -51,7 +51,7 @@ internal partial class AndroidAccountStore : AccountStore static readonly char[] PasswordHardCodedOriginal = "System.Char[]".ToCharArray(); public AndroidAccountStore(Context context) - : this(context, new string(PasswordHardCoded)) + : this(context, new string(PasswordHardCoded)) { return; } @@ -67,7 +67,7 @@ public AndroidAccountStore(Context context, string password) if (password == null) { throw new ArgumentNullException("password"); - } + } Password = password.ToCharArray(); From f2c57ff7ddd92d95ef272814fdf9a32eb83ab4fb Mon Sep 17 00:00:00 2001 
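Review bot: `CopyKeyStoreContents` is `protected`, and this hunk replaces its parameterless signature outright, whereas `MigrateKeyStore` kept its old form as a forwarding overload "for backward compatibility". The two should be handled the same way. If another part of this partial class or a derived type calls `CopyKeyStoreContents()`, it will stop compiling, so I would keep `protected void CopyKeyStoreContents() { CopyKeyStoreContents(PasswordHardCoded); }` next to the new overload. The method body continues past the end of the hunk.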
From: Dave Humphreys Date: Tue, 30 Oct 2018 20:38:00 +0000 Subject: [PATCH 3/4] Removed unused exception --- .../AccountStore/AndroidAccountStore.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/Core/Xamarin.Auth.XamarinAndroid/AccountStore/AndroidAccountStore.cs b/source/Core/Xamarin.Auth.XamarinAndroid/AccountStore/AndroidAccountStore.cs index c75078d1e..23c0bfa17 100644 --- a/source/Core/Xamarin.Auth.XamarinAndroid/AccountStore/AndroidAccountStore.cs +++ b/source/Core/Xamarin.Auth.XamarinAndroid/AccountStore/AndroidAccountStore.cs @@ -112,7 +112,7 @@ public AndroidAccountStore(Context context, string password) //try with the original password MigrateKeyStore(context, PasswordHardCodedOriginal); } - catch (Java.IO.IOException ex2) + catch () { //migrate using the default MigrateKeyStore(context); From d0cdea1fb106e1ab55ac6cb97f62474742e82f51 Mon Sep 17 00:00:00 2001 From: Dave Humphreys Date: Wed, 31 Oct 2018 21:46:53 +0000 Subject: [PATCH 4/4] Update nuget versions --- nuget/Xamarin.Auth.Extensions.nuspec | 5 ++--- nuget/Xamarin.Auth.XamarinForms.nuspec | 5 ++--- nuget/Xamarin.Auth.nuspec | 5 ++--- 3 files changed, 6 insertions(+), 9 deletions(-) diff --git a/nuget/Xamarin.Auth.Extensions.nuspec b/nuget/Xamarin.Auth.Extensions.nuspec index a64f8e3c5..2135766c1 100644 --- a/nuget/Xamarin.Auth.Extensions.nuspec +++ b/nuget/Xamarin.Auth.Extensions.nuspec @@ -21,11 +21,10 @@ http://semver.org/ --> - 1.6.0.2 + 1.6.0.3 - - Xamarin.Android KeyStore not initialized fix - - cake script fixes for VS2015 and older projects + - Fix migrations from old PasswordHardCoded value to new https://github.com/xamarin/Xamarin.Auth/blob/master/License.md diff --git a/nuget/Xamarin.Auth.XamarinForms.nuspec b/nuget/Xamarin.Auth.XamarinForms.nuspec index 49e9f67ca..350d4a88c 100644 --- a/nuget/Xamarin.Auth.XamarinForms.nuspec +++ b/nuget/Xamarin.Auth.XamarinForms.nuspec 
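Review bot: `catch ()` is not valid C#, so this commit would not compile as shown; a catch clause either names a type or has no parentheses at all. To drop the unused `ex2` variable while still falling back only on the keystore load failure, the line should be `catch (Java.IO.IOException)`. A bare `catch` would also compile, but it would route every failure, including ones unrelated to the password, into the second migration attempt. The enclosing `try` starts outside the hunk.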
@@ -24,11 +24,10 @@ http://semver.org/ --> - 1.6.0.2 + 1.6.0.3 - - Xamarin.Android KeyStore not initialized fix - - cake script fixes for VS2015 and older projects + - Fix migrations from old PasswordHardCoded value to new https://github.com/xamarin/Xamarin.Auth/blob/master/License.md diff --git a/nuget/Xamarin.Auth.nuspec b/nuget/Xamarin.Auth.nuspec index a6710cf2b..cfa173aea 100644 --- a/nuget/Xamarin.Auth.nuspec +++ b/nuget/Xamarin.Auth.nuspec @@ -24,11 +24,10 @@ http://semver.org/ --> - 1.6.0.2 + 1.6.0.3 - - Xamarin.Android KeyStore not initialized fix - - cake script fixes for VS2015 and older projects + - Fix migrations from old PasswordHardCoded value to new https://github.com/xamarin/Xamarin.Auth/blob/master/License.md