react-native-keystore-crypto-joe 0.1.0

package/README.md

@@ -0,0 +1,71 @@
+# react-native-keystore-crypto (starter)
+
+> RSA-OAEP-SHA256 decrypt using **Android Keystore** / **iOS Keychain** with optional **biometric prompt**.  
+> Use this to provision a small secret (e.g., TOTP seed) sent by a server encrypted with the app's public key.
+
+## Install (from Git)
+
+```bash
+yarn add git+https://github.com/yourname/react-native-keystore-crypto.git
+# or
+npm i git+https://github.com/yourname/react-native-keystore-crypto.git
+```
+
+For local dev, you can `yarn add ../react-native-keystore-crypto`.
+
+### iOS
+```bash
+cd ios && pod install
+```
+
+## API
+
+```ts
+import KeystoreCrypto from 'react-native-keystore-crypto';
+
+await KeystoreCrypto.generateKeyPair(alias: string): Promise<void>;
+await KeystoreCrypto.getPublicKeyPem(alias: string): Promise<string>; // PEM SubjectPublicKeyInfo
+await KeystoreCrypto.decryptRsaOaep(alias: string, ciphertextB64: string, requireBiometric?: boolean): Promise<string>; // plaintext base64
+```
+
+## Typical Flow
+
+1. `generateKeyPair(alias)` once per device/user.  
+2. `getPublicKeyPem(alias)` → send to server.  
+3. Server encrypts secret using **RSA-OAEP-SHA256** with the given public key → returns `ciphertext_b64`.  
+4. App calls `decryptRsaOaep(alias, ciphertext_b64, true)` → gets `secret_b64` → store with `react-native-keychain` (bind to biometrics).
+
+## Usage Example
+
+```ts
+import KeystoreCrypto from 'react-native-keystore-crypto';
+import * as Keychain from 'react-native-keychain';
+import { Buffer } from 'buffer';
+
+const KEY_ALIAS = 'otp_keypair_user123_deviceABC';
+
+export async function provisionAndStoreSecret(ciphertextB64FromServer: string) {
+  try { await KeystoreCrypto.generateKeyPair(KEY_ALIAS); } catch {}
+
+  const secretB64 = await KeystoreCrypto.decryptRsaOaep(KEY_ALIAS, ciphertextB64FromServer, true);
+  const secretUtf8 = Buffer.from(secretB64, 'base64').toString('utf8');
+
+  await Keychain.setGenericPassword('k', secretB64, {
+    service: 'otp_secret',
+    accessible: Keychain.ACCESSIBLE.WHEN_UNLOCKED,
+    accessControl: Keychain.ACCESS_CONTROL.BIOMETRY_CURRENT_SET,
+  });
+
+  return { secretUtf8, secretB64 };
+}
+```
+
+## Notes
+
+- Android uses `RSA/ECB/OAEPWithSHA-256AndMGF1Padding` (OAEP SHA-256).  
+- iOS uses `SecKeyCreateDecryptedData(..., .rsaEncryptionOAEPSHA256, ...)`.  
+- RSA plaintext size is limited (≈190 bytes for 2048-bit + OAEP SHA-256). Use envelope encryption for larger payloads.  
+- iOS RSA decryption happens in **Keychain** (not Secure Enclave). To use Enclave, use EC keys (signing) rather than RSA decrypt.
+
+## License
+MIT

package/android/build.gradle

@@ -0,0 +1,36 @@
+buildscript {
+    repositories {
+        google()
+        mavenCentral()
+    }
+    dependencies {
+        classpath("com.android.tools.build:gradle:8.1.0")
+    }
+}
+
+apply plugin: 'com.android.library'
+
+android {
+    compileSdkVersion 34
+    defaultConfig {
+        minSdkVersion 23
+        targetSdkVersion 34
+        consumerProguardFiles 'consumer-rules.pro'
+    }
+    sourceSets {
+        main {
+            java.srcDirs = ['src/main/java']
+            manifest.srcFile 'src/main/AndroidManifest.xml'
+        }
+    }
+    namespace "com.keystorecrypto"
+}
+
+repositories {
+    google()
+    mavenCentral()
+}
+
+dependencies {
+    implementation 'androidx.biometric:biometric:1.2.0-alpha05'
+}

package/android/src/main/AndroidManifest.xml

@@ -0,0 +1,4 @@
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="com.keystorecrypto">
+    <application/>
+</manifest>

package/android/src/main/java/com/keystorecrypto/KeystoreCryptoModule.kt

@@ -0,0 +1,138 @@
+package com.keystorecrypto
+
+import android.app.Activity
+import android.os.Build
+import android.security.keystore.KeyGenParameterSpec
+import android.security.keystore.KeyProperties
+import android.util.Base64
+import androidx.biometric.BiometricPrompt
+import androidx.core.content.ContextCompat
+import com.facebook.react.bridge.*
+import java.security.KeyPairGenerator
+import java.security.KeyStore
+import javax.crypto.Cipher
+import javax.crypto.spec.OAEPParameterSpec
+import javax.crypto.spec.PSource
+
+class KeystoreCryptoModule(private val reactContext: ReactApplicationContext) :
+  ReactContextBaseJavaModule(reactContext) {
+
+  override fun getName() = "KeystoreCrypto"
+
+  @ReactMethod
+  fun generateKeyPair(alias: String, promise: Promise) {
+    try {
+      if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
+        promise.reject("UNSUPPORTED", "Android < 6.0 không hỗ trợ AndroidKeyStore")
+        return
+      }
+      val kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore")
+      val builder = KeyGenParameterSpec.Builder(
+        alias,
+        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
+      )
+        .setKeySize(2048)
+        .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512)
+        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP)
+        .setUserAuthenticationRequired(true)
+
+      if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
+        builder.setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
+      }
+
+      kpg.initialize(builder.build())
+      kpg.generateKeyPair()
+      promise.resolve(null)
+    } catch (e: Exception) {
+      promise.reject("GEN_KEY_ERR", e)
+    }
+  }
+
+  private fun getPrivateKey(alias: String): java.security.PrivateKey {
+    val ks = KeyStore.getInstance("AndroidKeyStore")
+    ks.load(null)
+    val entry = ks.getEntry(alias, null) as? KeyStore.PrivateKeyEntry
+      ?: throw IllegalStateException("No private key for alias=$alias")
+    return entry.privateKey
+  }
+
+  @ReactMethod
+  fun getPublicKeyPem(alias: String, promise: Promise) {
+    try {
+      val ks = KeyStore.getInstance("AndroidKeyStore")
+      ks.load(null)
+      val cert = ks.getCertificate(alias) ?: throw IllegalStateException("No cert for alias=$alias")
+      val spki = cert.publicKey.encoded
+      val b64 = Base64.encodeToString(spki, Base64.NO_WRAP)
+      val pem = "-----BEGIN PUBLIC KEY-----\n$b64\n-----END PUBLIC KEY-----"
+      promise.resolve(pem)
+    } catch (e: Exception) {
+      promise.reject("PUBKEY_ERR", e)
+    }
+  }
+
+  private fun newOaepCipherForDecrypt(privateKey: java.security.PrivateKey): Cipher {
+    val cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding")
+    val oaep = OAEPParameterSpec(
+      "SHA-256",
+      "MGF1",
+      java.security.spec.MGF1ParameterSpec.SHA1, // Android OAEP default MGF1 SHA-1
+      PSource.PSpecified.DEFAULT
+    )
+    cipher.init(Cipher.DECRYPT_MODE, privateKey, oaep)
+    return cipher
+  }
+
+  @ReactMethod
+  fun decryptRsaOaep(alias: String, ciphertextB64: String, requireBiometric: Boolean, promise: Promise) {
+    try {
+      val privateKey = getPrivateKey(alias)
+      val ct = Base64.decode(ciphertextB64, Base64.DEFAULT)
+
+      val activity: Activity? = currentActivity
+      if (requireBiometric) {
+        if (activity == null) {
+          promise.reject("NO_ACTIVITY", "No current activity for biometric prompt")
+          return
+        }
+        activity.runOnUiThread {
+          try {
+            val cipher = newOaepCipherForDecrypt(privateKey)
+            val executor = ContextCompat.getMainExecutor(activity)
+            val callback = object : BiometricPrompt.AuthenticationCallback() {
+              override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
+                try {
+                  val c = result.cryptoObject?.cipher ?: cipher
+                  val pt = c.doFinal(ct)
+                  val outB64 = Base64.encodeToString(pt, Base64.NO_WRAP)
+                  promise.resolve(outB64)
+                } catch (e: Exception) {
+                  promise.reject("DECRYPT_ERR", e)
+                }
+              }
+              override fun onAuthenticationError(code: Int, errString: CharSequence) {
+                promise.reject("AUTH_ERR", Exception("$code: $errString"))
+              }
+            }
+            val prompt = BiometricPrompt(activity, executor, callback)
+            val info = BiometricPrompt.PromptInfo.Builder()
+              .setTitle("Xác thực để giải mã")
+              .setSubtitle("Dùng vân tay/face để giải mã secret")
+              .setNegativeButtonText("Huỷ")
+              .build()
+            prompt.authenticate(BiometricPrompt.CryptoObject(cipher))
+          } catch (e: Exception) {
+            promise.reject("PROMPT_ERR", e)
+          }
+        }
+      } else {
+        val cipher = newOaepCipherForDecrypt(privateKey)
+        val pt = cipher.doFinal(ct)
+        val outB64 = Base64.encodeToString(pt, Base64.NO_WRAP)
+        promise.resolve(outB64)
+      }
+    } catch (e: Exception) {
+      promise.reject("DECRYPT_ERR", e)
+    }
+  }
+}

package/android/src/main/java/com/keystorecrypto/KeystoreCryptoPackage.kt

@@ -0,0 +1,15 @@
+package com.keystorecrypto
+
+import com.facebook.react.ReactPackage
+import com.facebook.react.bridge.NativeModule
+import com.facebook.react.bridge.ReactApplicationContext
+import com.facebook.react.uimanager.ViewManager
+
+class KeystoreCryptoPackage : ReactPackage {
+  override fun createNativeModules(reactContext: ReactApplicationContext): List<NativeModule> {
+    return listOf(KeystoreCryptoModule(reactContext))
+  }
+  override fun createViewManagers(reactContext: ReactApplicationContext): List<ViewManager<*, *>> {
+    return emptyList()
+  }
+}

package/ios/KeystoreCrypto.m

@@ -0,0 +1,15 @@
+#import <React/RCTBridgeModule.h>
+
+@interface RCT_EXTERN_MODULE(KeystoreCrypto, NSObject)
+RCT_EXTERN_METHOD(generateKeyPair:(NSString *)alias
+                  resolver:(RCTPromiseResolveBlock)resolve
+                  rejecter:(RCTPromiseRejectBlock)reject)
+RCT_EXTERN_METHOD(getPublicKeyPem:(NSString *)alias
+                  resolver:(RCTPromiseResolveBlock)resolve
+                  rejecter:(RCTPromiseRejectBlock)reject)
+RCT_EXTERN_METHOD(decryptRsaOaep:(NSString *)alias
+                  ciphertextB64:(NSString *)ciphertextB64
+                  requireBiometric:(BOOL)requireBiometric
+                  resolver:(RCTPromiseResolveBlock)resolve
+                  rejecter:(RCTPromiseRejectBlock)reject)
+@end

package/ios/KeystoreCrypto.swift

@@ -0,0 +1,109 @@
+import Foundation
+import LocalAuthentication
+import Security
+
+@objc(KeystoreCrypto)
+class KeystoreCrypto: NSObject {
+
+  @objc
+  func generateKeyPair(_ alias: String,
+                       resolver resolve: RCTPromiseResolveBlock,
+                       rejecter reject: RCTPromiseRejectBlock) {
+    let tag = alias.data(using: .utf8)!
+
+    let access = SecAccessControlCreateWithFlags(
+      nil,
+      kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
+      .evaluatorAuthenticated, // requires auth (biometry/passcode)
+      nil
+    )!
+
+    let attributes: [String: Any] = [
+      kSecAttrKeyType as String:            kSecAttrKeyTypeRSA,
+      kSecAttrKeySizeInBits as String:      2048,
+      kSecAttrIsPermanent as String:        true,
+      kSecAttrApplicationTag as String:     tag,
+      kSecAttrAccessControl as String:      access
+    ]
+
+    var error: Unmanaged<CFError>?
+    if let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error) {
+      _ = SecKeyCopyPublicKey(privateKey)
+      resolve(nil)
+    } else {
+      reject("GEN_KEY_ERR", "Failed to create RSA key", error?.takeRetainedValue())
+    }
+  }
+
+  @objc
+  func getPublicKeyPem(_ alias: String,
+                       resolver resolve: RCTPromiseResolveBlock,
+                       rejecter reject: RCTPromiseRejectBlock) {
+    let tag = alias.data(using: .utf8)!
+    let q: [String: Any] = [
+      kSecClass as String: kSecClassKey,
+      kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
+      kSecAttrApplicationTag as String: tag,
+      kSecReturnRef as String: true
+    ]
+    var item: CFTypeRef?
+    let st = SecItemCopyMatching(q as CFDictionary, &item)
+    guard st == errSecSuccess, let priv = item as! SecKey? else {
+      reject("NO_KEY", "Key not found", nil); return
+    }
+    guard let pub = SecKeyCopyPublicKey(priv) else {
+      reject("NO_PUB", "No public key", nil); return
+    }
+    var err: Unmanaged<CFError>?
+    guard let spki = SecKeyCopyExternalRepresentation(pub, &err) as Data? else {
+      reject("EXPORT_ERR", "Export pub failed", err?.takeRetainedValue()); return
+    }
+    let b64 = spki.base64EncodedString(options: [.lineLength64Characters])
+    let pem = "-----BEGIN PUBLIC KEY-----\n\(b64)\n-----END PUBLIC KEY-----"
+    resolve(pem)
+  }
+
+  @objc
+  func decryptRsaOaep(_ alias: String,
+                      ciphertextB64: String,
+                      requireBiometric: Bool,
+                      resolver resolve: RCTPromiseResolveBlock,
+                      rejecter reject: RCTPromiseRejectBlock) {
+
+    let tag = alias.data(using: .utf8)!
+    let q: [String: Any] = [
+      kSecClass as String: kSecClassKey,
+      kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
+      kSecAttrApplicationTag as String: tag,
+      kSecReturnRef as String: true
+    ]
+    var item: CFTypeRef?
+    let st = SecItemCopyMatching(q as CFDictionary, &item)
+    guard st == errSecSuccess, let privateKey = item as! SecKey? else {
+      reject("NO_KEY", "Key not found", nil); return
+    }
+
+    guard let ct = Data(base64Encoded: ciphertextB64) else {
+      reject("BAD_INPUT", "ciphertextB64 invalid", nil); return
+    }
+
+    var context: LAContext? = nil
+    if requireBiometric {
+      let c = LAContext()
+      c.localizedReason = "Authenticate to decrypt secret"
+      context = c
+    }
+
+    let alg = SecKeyAlgorithm.rsaEncryptionOAEPSHA256
+    guard SecKeyIsAlgorithmSupported(privateKey, .decrypt, alg) else {
+      reject("ALG_UNSUPPORTED", "Algorithm not supported", nil); return
+    }
+
+    var err: Unmanaged<CFError>?
+    if let clear = SecKeyCreateDecryptedData(privateKey, alg, ct as CFData, &err) as Data? {
+      resolve(clear.base64EncodedString())
+    } else {
+      reject("DECRYPT_ERR", "Decrypt failed", err?.takeRetainedValue())
+    }
+  }
+}

package/lib/typescript/src/index.d.ts

@@ -0,0 +1,11 @@
+declare module 'react-native-keystore-crypto' {
+  export function generateKeyPair(alias: string): Promise<void>;
+  export function getPublicKeyPem(alias: string): Promise<string>;
+  export function decryptRsaOaep(alias: string, ciphertextB64: string, requireBiometric?: boolean): Promise<string>;
+  const _default: {
+    generateKeyPair: typeof generateKeyPair;
+    getPublicKeyPem: typeof getPublicKeyPem;
+    decryptRsaOaep: typeof decryptRsaOaep;
+  };
+  export default _default;
+}

package/package.json

@@ -0,0 +1,38 @@
+{
+  "name": "react-native-keystore-crypto-joe",
+  "version": "0.1.0",
+  "description": "RSA OAEP decrypt via Android Keystore / iOS Keychain + biometric gating for React Native",
+  "main": "src/index.ts",
+  "module": "src/index.ts",
+  "types": "lib/typescript/src/index.d.ts",
+  "react-native": "src/index",
+  "keywords": [
+    "react-native",
+    "keystore",
+    "keychain",
+    "rsa",
+    "oaep",
+    "biometric",
+    "secure",
+    "crypto"
+  ],
+  "author": "Your Name",
+  "license": "MIT",
+  "homepage": "https://github.com/yourname/react-native-keystore-crypto",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/yourname/react-native-keystore-crypto.git"
+  },
+  "bugs": {
+    "url": "https://github.com/yourname/react-native-keystore-crypto/issues"
+  },
+  "scripts": {
+    "build": "echo No build step required for Git install",
+    "prepare": "echo Skipping prepare on Git install"
+  },
+  "peerDependencies": {
+    "react": "*",
+    "react-native": "*"
+  },
+  "devDependencies": {}
+}

package/react-native-keystore-crypto.podspec

@@ -0,0 +1,13 @@
+Pod::Spec.new do |s|
+  s.name         = "react-native-keystore-crypto"
+  s.version      = "0.1.0"
+  s.summary      = "RSA OAEP decrypt via Keychain/Keystore for React Native"
+  s.license      = { :type => "MIT" }
+  s.author       = { "Your Name" => "you@example.com" }
+  s.homepage     = "https://github.com/yourname/react-native-keystore-crypto"
+  s.source       = { :git => "https://github.com/yourname/react-native-keystore-crypto.git", :tag => "#{s.version}" }
+  s.platforms    = { :ios => "12.0" }
+  s.source_files = "ios/*.{h,m,mm,swift}"
+  s.requires_arc = true
+  s.dependency 'React-Core'
+end

package/react-native.config.js

@@ -0,0 +1,8 @@
+module.exports = {
+  dependency: {
+    platforms: {
+      android: {},
+      ios: {},
+    },
+  },
+};

package/src/index.ts

@@ -0,0 +1,14 @@
+import { NativeModules } from 'react-native';
+
+type Native = {
+  generateKeyPair(alias: string): Promise<void>;
+  getPublicKeyPem(alias: string): Promise<string>;
+  decryptRsaOaep(alias: string, ciphertextB64: string, requireBiometric?: boolean): Promise<string>;
+};
+
+const { KeystoreCrypto } = NativeModules;
+if (!KeystoreCrypto) {
+  throw new Error('KeystoreCrypto native module not linked');
+}
+
+export default KeystoreCrypto as Native;