Merge pull request #234 from corona-warn-app/dev

0.8.5

Corona-Warn-App/build.gradle

@@ -33,14 +33,14 @@ android {
         applicationId 'de.rki.coronawarnapp'
         minSdkVersion 23
         targetSdkVersion 29
-        versionCode 11
-        versionName "0.8.4"
+        versionCode 12
+        versionName "0.8.5"
         testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
 
         buildConfigField "String", "DOWNLOAD_CDN_URL", "\"$DOWNLOAD_CDN_URL\""
         buildConfigField "String", "SUBMISSION_CDN_URL", "\"$SUBMISSION_CDN_URL\""
         buildConfigField "String", "VERIFICATION_CDN_URL", "\"$VERIFICATION_CDN_URL\""
-        buildConfigField "String", "TRUSTED_CERTS_EXPORT_KEYSTORE_PW", "\"$TRUSTED_CERTS_EXPORT_KEYSTORE_PW\""
+        buildConfigField "String", "EXPORT_SIGNATURE_ID", "\"de.rki.coronawarnapp-dev\""
 
         //override URLs with local variables
         Properties properties = new Properties()
@@ -63,9 +63,6 @@ android {
             if (VERIFICATION_CDN_URL)
                 buildConfigField "String", "VERIFICATION_CDN_URL", "\"$VERIFICATION_CDN_URL\""
 
-            def TRUSTED_CERTS_EXPORT_KEYSTORE_PW = properties.getProperty('TRUSTED_CERTS_EXPORT_KEYSTORE_PW')
-            if (TRUSTED_CERTS_EXPORT_KEYSTORE_PW)
-                buildConfigField "String", "TRUSTED_CERTS_EXPORT_KEYSTORE_PW", "\"$TRUSTED_CERTS_EXPORT_KEYSTORE_PW\""
         }
     }
 
@@ -74,38 +71,14 @@ android {
             minifyEnabled true
             shrinkResources true
             proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
-
-            println "SECRET INPUT"
-            Properties properties = new Properties()
-            def secretFile = project.rootProject.file('secrets.properties')
-            if (secretFile.exists())
-                properties.load(secretFile.newDataInputStream())
-
-            def TRUSTED_CERTS_EXPORT_KEYSTORE_PW = properties.getProperty('TRUSTED_CERTS_EXPORT_KEYSTORE_PW')
-            if (TRUSTED_CERTS_EXPORT_KEYSTORE_PW) {
-                println "TRUSTED_CERTS_EXPORT_KEYSTORE_PW:$TRUSTED_CERTS_EXPORT_KEYSTORE_PW"
-                buildConfigField "String", "TRUSTED_CERTS_EXPORT_KEYSTORE_PW", "\"$TRUSTED_CERTS_EXPORT_KEYSTORE_PW\""
-            }
-            println "SECRET END"
+            buildConfigField "String", "EXPORT_SIGNATURE_ID", "\"de.rki.coronawarnapp\""
         }
         releaseForTest {
             applicationIdSuffix '.dev'
             minifyEnabled true
             shrinkResources true
             proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
-
-            println "SECRET INPUT"
-            Properties properties = new Properties()
-            def secretFile = project.rootProject.file('secrets.properties')
-            if (secretFile.exists())
-                properties.load(secretFile.newDataInputStream())
-
-            def TRUSTED_CERTS_EXPORT_KEYSTORE_PW = properties.getProperty('TRUSTED_CERTS_EXPORT_KEYSTORE_PW')
-            if (TRUSTED_CERTS_EXPORT_KEYSTORE_PW) {
-                println "TRUSTED_CERTS_EXPORT_KEYSTORE_PW:$TRUSTED_CERTS_EXPORT_KEYSTORE_PW"
-                buildConfigField "String", "TRUSTED_CERTS_EXPORT_KEYSTORE_PW", "\"$TRUSTED_CERTS_EXPORT_KEYSTORE_PW\""
-            }
-            println "SECRET END"
+            buildConfigField "String", "EXPORT_SIGNATURE_ID", "\"de.rki.coronawarnapp-dev\""
         }
     }
 
@@ -215,10 +188,10 @@ dependencies {
 
     // Play Services
     implementation 'com.google.android.play:core:1.7.3'
-    implementation 'com.google.android.gms:play-services-base:17.2.1'
-    implementation 'com.google.android.gms:play-services-basement:17.2.1'
+    implementation 'com.google.android.gms:play-services-base:17.3.0'
+    implementation 'com.google.android.gms:play-services-basement:17.3.0'
     implementation 'com.google.android.gms:play-services-safetynet:17.0.0'
-    implementation 'com.google.android.gms:play-services-tasks:17.0.2'
+    implementation 'com.google.android.gms:play-services-tasks:17.1.0'
     api fileTree(dir: 'libs', include: ['play-services-nearby-18.0.2-eap.aar'])
 
     // HTTP

Corona-Warn-App/config/detekt.yml

@@ -66,7 +66,7 @@ complexity:
     active: true
     threshold: 15
     ignoreSingleWhenExpression: false
-    ignoreSimpleWhenEntries: false
+    ignoreSimpleWhenEntries: true
     ignoreNestingFunctions: false
     nestingFunctions: [run, let, apply, with, also, use, forEach, isNotNull, ifNull]
   LabeledExpression:
@@ -514,7 +514,15 @@ style:
     maxJumpCount: 1
   MagicNumber:
     active: true
-    excludes: ['**/test/**', '**/androidTest/**', '**/*.Test.kt', '**/*.Spec.kt', '**/*.Spek.kt']
+    excludes: [
+      '**/test/**',
+      '**/androidTest/**',
+      '**/*.Test.kt',
+      '**/*.Spec.kt',
+      '**/*.Spek.kt',
+      '**/CwaWebException.kt',
+      '**/HttpErrorParser.kt'
+    ]
     ignoreNumbers: ['-1', '0', '1', '2']
     ignoreHashCodeFunction: true
     ignorePropertyDeclaration: false
@@ -523,7 +531,7 @@ style:
     ignoreCompanionObjectPropertyDeclaration: true
     ignoreAnnotation: false
     ignoreNamedArgument: true
-    ignoreEnums: false
+    ignoreEnums: true
     ignoreRanges: false
   MandatoryBracesIfStatements:
     active: false

Corona-Warn-App/src/androidTest/java/de/rki/coronawarnapp/util/security/DBPasswordTest.kt

@@ -0,0 +1,132 @@
+/******************************************************************************
+ * Corona-Warn-App                                                            *
+ *                                                                            *
+ * SAP SE and all other contributors /                                        *
+ * copyright owners license this file to you under the Apache                 *
+ * License, Version 2.0 (the "License"); you may not use this                 *
+ * file except in compliance with the License.                                *
+ * You may obtain a copy of the License at                                    *
+ *                                                                            *
+ * http://www.apache.org/licenses/LICENSE-2.0                                 *
+ *                                                                            *
+ * Unless required by applicable law or agreed to in writing,                 *
+ * software distributed under the License is distributed on an                *
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY                     *
+ * KIND, either express or implied.  See the License for the                  *
+ * specific language governing permissions and limitations                    *
+ * under the License.                                                         *
+ ******************************************************************************/
+
+package de.rki.coronawarnapp.util.security
+
+import android.content.Context
+import android.database.sqlite.SQLiteDatabase
+import androidx.test.core.app.ApplicationProvider
+import de.rki.coronawarnapp.storage.AppDatabase
+import de.rki.coronawarnapp.storage.DATABASE_NAME
+import de.rki.coronawarnapp.storage.keycache.KeyCacheEntity
+import kotlinx.coroutines.runBlocking
+import net.sqlcipher.database.SQLiteException
+import org.hamcrest.Matchers.equalTo
+import org.hamcrest.Matchers.not
+import org.junit.Assert.assertThat
+import org.junit.Assert.assertTrue
+import org.junit.Before
+import org.junit.Test
+import org.junit.runner.RunWith
+import org.junit.runners.JUnit4
+import java.io.File
+import java.util.UUID
+import kotlin.random.Random
+
+@RunWith(JUnit4::class)
+class DBPasswordTest {
+
+    private val appContext: Context
+        get() = ApplicationProvider.getApplicationContext()
+
+    private val db: AppDatabase
+        get() = AppDatabase.getInstance(appContext)
+
+    @Before
+    fun setUp() {
+        clearSharedPreferences()
+        AppDatabase.reset(appContext)
+    }
+
+    @Test
+    fun generatesPassphraseInCorrectLength() {
+        val passphrase = SecurityHelper.getDBPassword()
+        assertTrue(passphrase.size in 32..48)
+    }
+
+    @Test
+    fun secondPassphraseShouldBeDifferFromFirst() {
+        val passphrase1 = SecurityHelper.getDBPassword()
+
+        clearSharedPreferences()
+        val passphrase2 = SecurityHelper.getDBPassword()
+
+        assertThat(passphrase1, not(equalTo(passphrase2)))
+    }
+
+    @Test
+    fun canLoadDataFromEncryptedDatabase() {
+        runBlocking {
+            val id = UUID.randomUUID().toString()
+            val path = UUID.randomUUID().toString()
+            val type = Random.nextInt(1000)
+
+            insertFakeEntity(id, path, type)
+            val keyCacheEntity = loadFakeEntity()
+
+            assertThat(keyCacheEntity.id, equalTo(id))
+            assertThat(keyCacheEntity.path, equalTo(path))
+            assertThat(keyCacheEntity.type, equalTo(type))
+        }
+    }
+
+    @Test
+    fun testDbInstanceIsActuallyResetWhenCalled() {
+        val before = this.db
+        AppDatabase.reset(appContext)
+        val after = this.db
+
+        assertTrue(before != after)
+    }
+
+    @Test(expected = SQLiteException::class)
+    fun loadingDataFromDatabaseWillFailWhenPassphraseIsIncorrect() {
+        runBlocking {
+            val id = UUID.randomUUID().toString()
+            val path = UUID.randomUUID().toString()
+            val type = Random.nextInt(1000)
+            insertFakeEntity(id, path, type)
+
+            clearSharedPreferences()
+            AppDatabase.resetInstance()
+
+            val keyCacheEntity = loadFakeEntity()
+            assertThat(keyCacheEntity.id, equalTo(id))
+            assertThat(keyCacheEntity.path, equalTo(path))
+            assertThat(keyCacheEntity.type, equalTo(type))
+        }
+    }
+
+    private suspend fun insertFakeEntity(
+        id: String,
+        path: String,
+        type: Int
+    ) {
+        db.dateDao().insertEntry(KeyCacheEntity().apply {
+            this.id = id
+            this.path = path
+            this.type = type
+        })
+    }
+
+    private suspend fun loadFakeEntity(): KeyCacheEntity = db.dateDao().getAllEntries().first()
+
+    private fun clearSharedPreferences() =
+        SecurityHelper.globalEncryptedSharedPreferencesInstance.edit().clear().commit()
+}

Corona-Warn-App/src/main/assets/export-server-public-keys-for-verification.properties

@@ -0,0 +1,2 @@
+de.rki.coronawarnapp-dev=MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3BYTxr2HuJYQG+d7Ezu6KS8GEbFkiEvyJFg0j+C839gTjT6j7Ho0EXXZ/a07ZfvKcC2cmc1SunsrqU9Jov1J5Q==
+de.rki.coronawarnapp=MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEc7DEstcUIRcyk35OYDJ95/hTg3UVhsaDXKT0zK7NhHPXoyzipEnOp3GyNXDVpaPi3cAfQmxeuFMZAIX2+6A5Xg==

Corona-Warn-App/src/main/java/de/rki/coronawarnapp/TestRiskLevelCalculation.kt

@@ -36,6 +36,7 @@ import de.rki.coronawarnapp.ui.viewmodel.SettingsViewModel
 import de.rki.coronawarnapp.ui.viewmodel.SubmissionViewModel
 import de.rki.coronawarnapp.ui.viewmodel.TracingViewModel
 import de.rki.coronawarnapp.util.KeyFileHelper
+import de.rki.coronawarnapp.util.security.SecurityHelper
 import kotlinx.android.synthetic.main.fragment_test_risk_level_calculation.transmission_number
 import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.launch
@@ -107,7 +108,7 @@ class TestRiskLevelCalculation : Fragment() {
                         // Database Reset
                         AppDatabase.getInstance(requireContext()).clearAllTables()
                         // Delete Database Instance
-                        AppDatabase.resetInstance(requireContext())
+                        SecurityHelper.resetSharedPrefs()
                         // Export File Reset
                         FileStorageHelper.getAllFilesInKeyExportDirectory().forEach { it.delete() }