react-native-security-suite 0.9.21 → 1.0.0-rc.1

package/android/src/main/java/com/securitysuite/security/EmulatorDetector.java

@@ -0,0 +1,145 @@
+package com.securitysuite.security;
+
+import android.content.Context;
+import android.hardware.Sensor;
+import android.hardware.SensorManager;
+import android.os.Build;
+
+import com.facebook.react.bridge.Arguments;
+import com.facebook.react.bridge.WritableArray;
+import com.facebook.react.bridge.WritableMap;
+import com.scottyab.rootbeer.RootBeer;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Locale;
+
+/**
+ * Emulator and device environment detection (Android).
+ */
+public final class EmulatorDetector {
+  private EmulatorDetector() {}
+
+  public static WritableMap detect(Context context) {
+    WritableMap result = Arguments.createMap();
+    List<String> indicators = new ArrayList<>();
+
+    collectBuildIndicators(indicators);
+    collectQemuIndicators(indicators);
+    collectSensorIndicators(context, indicators);
+
+    RootBeer rootBeer = new RootBeer(context);
+    if (rootBeer.isEmulator()) {
+      indicators.add("RootBeer.isEmulator");
+    }
+
+    result.putBoolean("isEmulator", !indicators.isEmpty());
+    result.putBoolean("isSimulator", false);
+    result.putArray("indicators", toStringArray(indicators));
+    return result;
+  }
+
+  private static void collectBuildIndicators(List<String> indicators) {
+    String fingerprint = safeLower(Build.FINGERPRINT);
+    String model = safeLower(Build.MODEL);
+    String manufacturer = safeLower(Build.MANUFACTURER);
+    String hardware = safeLower(Build.HARDWARE);
+    String product = safeLower(Build.PRODUCT);
+    String brand = safeLower(Build.BRAND);
+    String device = safeLower(Build.DEVICE);
+
+    if (containsAny(fingerprint, "generic", "unknown", "test-keys", "emulator")) {
+      indicators.add("Build.FINGERPRINT");
+    }
+    if (containsAny(model, "google_sdk", "emulator", "android sdk built for x86", "sdk_gphone")) {
+      indicators.add("Build.MODEL");
+    }
+    if (containsAny(manufacturer, "genymotion", "unknown")) {
+      indicators.add("Build.MANUFACTURER");
+    }
+    if (containsAny(hardware, "goldfish", "ranchu", "qemu")) {
+      indicators.add("Build.HARDWARE");
+    }
+    if (containsAny(product, "sdk", "google_sdk", "sdk_gphone", "vbox")) {
+      indicators.add("Build.PRODUCT");
+    }
+    if (containsAny(brand, "generic")) {
+      indicators.add("Build.BRAND");
+    }
+    if (containsAny(device, "generic", "emu64a", "goldfish")) {
+      indicators.add("Build.DEVICE");
+    }
+  }
+
+  private static void collectQemuIndicators(List<String> indicators) {
+    String qemu = getSystemProperty("ro.kernel.qemu");
+    if ("1".equals(qemu)) {
+      indicators.add("ro.kernel.qemu");
+    }
+
+    String[] props = {
+        "ro.hardware",
+        "ro.product.device",
+        "ro.product.model",
+        "ro.product.name"
+    };
+    for (String prop : props) {
+      String value = safeLower(getSystemProperty(prop));
+      if (containsAny(value, "goldfish", "ranchu", "qemu", "sdk_gphone", "emulator")) {
+        indicators.add(prop);
+      }
+    }
+  }
+
+  private static void collectSensorIndicators(Context context, List<String> indicators) {
+    SensorManager sensorManager = (SensorManager) context.getSystemService(Context.SENSOR_SERVICE);
+    if (sensorManager == null) {
+      indicators.add("SensorManager unavailable");
+      return;
+    }
+
+    Sensor accelerometer = sensorManager.getDefaultSensor(Sensor.TYPE_ACCELEROMETER);
+    Sensor gyroscope = sensorManager.getDefaultSensor(Sensor.TYPE_GYROSCOPE);
+    if (accelerometer == null) {
+      indicators.add("Missing accelerometer");
+    }
+    if (gyroscope == null) {
+      indicators.add("Missing gyroscope");
+    }
+  }
+
+  private static String getSystemProperty(String key) {
+    try {
+      Class<?> systemProperties = Class.forName("android.os.SystemProperties");
+      return (String) systemProperties
+          .getMethod("get", String.class)
+          .invoke(null, key);
+    } catch (Exception ignored) {
+      return null;
+    }
+  }
+
+  private static boolean containsAny(String value, String... needles) {
+    if (value == null || value.isEmpty()) {
+      return false;
+    }
+    for (String needle : needles) {
+      if (value.contains(needle)) {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  private static String safeLower(String value) {
+    return value == null ? "" : value.toLowerCase(Locale.US);
+  }
+
+  private static WritableArray toStringArray(List<String> values) {
+    WritableArray array = Arguments.createArray();
+    for (String value : values) {
+      array.pushString(value);
+    }
+    return array;
+  }
+}

package/android/src/main/java/com/securitysuite/security/RuntimeDetector.java

@@ -0,0 +1,234 @@
+package com.securitysuite.security;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileReader;
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.net.Socket;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Locale;
+import java.util.Set;
+
+import android.os.Debug;
+
+import com.facebook.react.bridge.Arguments;
+import com.facebook.react.bridge.WritableArray;
+import com.facebook.react.bridge.WritableMap;
+
+/**
+ * Native runtime instrumentation and debugger detection (Android).
+ */
+public final class RuntimeDetector {
+  private static final int[] FRIDA_PORTS = {27042, 27043};
+  private static final Set<String> SUSPICIOUS_MAP_KEYWORDS = new HashSet<>(Arrays.asList(
+      "frida", "frida-agent", "frida-gadget", "linjector", "xposed", "lsposed",
+      "substrate", "magisk", "zygisk", "libhooker"
+  ));
+  private static final Set<String> SUSPICIOUS_THREAD_NAMES = new HashSet<>(Arrays.asList(
+      "gmain", "gdbus", "pool-frida", "frida-agent", "frida-server"
+  ));
+
+  private RuntimeDetector() {}
+
+  public static WritableMap detect() {
+    WritableMap result = Arguments.createMap();
+    List<String> suspiciousLibraries = scanProcMaps();
+    List<Integer> suspiciousPorts = scanFridaPorts();
+    boolean fridaDetected = !suspiciousLibraries.isEmpty()
+        || !suspiciousPorts.isEmpty()
+        || hasSuspiciousThreads();
+    boolean debuggerAttached = Debug.isDebuggerConnected() || Debug.waitingForDebugger() || hasTracerPid();
+    boolean xposedDetected = detectXposed();
+    boolean magiskDetected = detectMagisk();
+
+    result.putBoolean("debuggerAttached", debuggerAttached);
+    result.putBoolean("fridaDetected", fridaDetected);
+    result.putBoolean("xposedDetected", xposedDetected);
+    result.putBoolean("magiskDetected", magiskDetected);
+    result.putArray("suspiciousLibraries", toStringArray(suspiciousLibraries));
+    result.putArray("suspiciousPorts", toIntArray(suspiciousPorts));
+    return result;
+  }
+
+  private static List<String> scanProcMaps() {
+    List<String> matches = new ArrayList<>();
+    File maps = new File("/proc/self/maps");
+    if (!maps.canRead()) {
+      return matches;
+    }
+
+    try (BufferedReader reader = new BufferedReader(new FileReader(maps))) {
+      String line;
+      while ((line = reader.readLine()) != null) {
+        String lower = line.toLowerCase(Locale.US);
+        for (String keyword : SUSPICIOUS_MAP_KEYWORDS) {
+          if (lower.contains(keyword)) {
+            matches.add(keyword);
+            break;
+          }
+        }
+      }
+    } catch (IOException ignored) {
+      // Best-effort detection.
+    }
+    return matches;
+  }
+
+  private static List<Integer> scanFridaPorts() {
+    List<Integer> openPorts = new ArrayList<>();
+    for (int port : FRIDA_PORTS) {
+      if (isLocalPortOpen(port)) {
+        openPorts.add(port);
+      }
+    }
+    return openPorts;
+  }
+
+  private static boolean isLocalPortOpen(int port) {
+    Socket socket = new Socket();
+    try {
+      socket.connect(new InetSocketAddress("127.0.0.1", port), 300);
+      return true;
+    } catch (IOException ignored) {
+      return false;
+    } finally {
+      try {
+        socket.close();
+      } catch (IOException ignored) {
+        // Ignore close failures.
+      }
+    }
+  }
+
+  private static boolean hasSuspiciousThreads() {
+    File taskDir = new File("/proc/self/task");
+    File[] tasks = taskDir.listFiles();
+    if (tasks == null) {
+      return false;
+    }
+
+    for (File task : tasks) {
+      File comm = new File(task, "comm");
+      if (!comm.canRead()) {
+        continue;
+      }
+      try (BufferedReader reader = new BufferedReader(new FileReader(comm))) {
+        String name = reader.readLine();
+        if (name == null) {
+          continue;
+        }
+        String normalized = name.trim().toLowerCase(Locale.US);
+        if (SUSPICIOUS_THREAD_NAMES.contains(normalized)) {
+          return true;
+        }
+      } catch (IOException ignored) {
+        // Continue scanning other tasks.
+      }
+    }
+    return false;
+  }
+
+  private static boolean hasTracerPid() {
+    File status = new File("/proc/self/status");
+    if (!status.canRead()) {
+      return false;
+    }
+
+    try (BufferedReader reader = new BufferedReader(new FileReader(status))) {
+      String line;
+      while ((line = reader.readLine()) != null) {
+        if (line.startsWith("TracerPid:")) {
+          String pid = line.substring("TracerPid:".length()).trim();
+          return !"0".equals(pid);
+        }
+      }
+    } catch (IOException ignored) {
+      // Best-effort detection.
+    }
+    return false;
+  }
+
+  private static boolean detectXposed() {
+    String[] paths = {
+        "/system/framework/XposedBridge.jar",
+        "/system/lib/libxposed_art.so",
+        "/system/lib64/libxposed_art.so",
+        "/data/adb/lspd",
+        "/data/adb/modules/zygisk_lsposed"
+    };
+    for (String path : paths) {
+      if (new File(path).exists()) {
+        return true;
+      }
+    }
+
+    try {
+      throw new Exception("xposed_probe");
+    } catch (Exception exception) {
+      for (StackTraceElement element : exception.getStackTrace()) {
+        String className = element.getClassName().toLowerCase(Locale.US);
+        if (className.contains("de.robv.android.xposed")
+            || className.contains("org.lsposed")
+            || className.contains("io.github.lsposed")) {
+          return true;
+        }
+      }
+    }
+    return false;
+  }
+
+  private static boolean detectMagisk() {
+    String[] paths = {
+        "/sbin/.magisk",
+        "/sbin/.core",
+        "/data/adb/magisk",
+        "/data/adb/modules",
+        "/cache/.disable_magisk"
+    };
+    for (String path : paths) {
+      if (new File(path).exists()) {
+        return true;
+      }
+    }
+
+    String[] props = {"ro.boot.vbmeta.device_state", "ro.boot.verifiedbootstate"};
+    for (String prop : props) {
+      String value = getSystemProperty(prop);
+      if (value != null && value.toLowerCase(Locale.US).contains("orange")) {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  private static String getSystemProperty(String key) {
+    try {
+      Class<?> systemProperties = Class.forName("android.os.SystemProperties");
+      return (String) systemProperties
+          .getMethod("get", String.class)
+          .invoke(null, key);
+    } catch (Exception ignored) {
+      return null;
+    }
+  }
+
+  private static WritableArray toStringArray(List<String> values) {
+    WritableArray array = Arguments.createArray();
+    for (String value : values) {
+      array.pushString(value);
+    }
+    return array;
+  }
+
+  private static WritableArray toIntArray(List<Integer> values) {
+    WritableArray array = Arguments.createArray();
+    for (Integer value : values) {
+      array.pushInt(value);
+    }
+    return array;
+  }
+}

package/android/src/test/java/com/securitysuite/JWSGeneratorTest.java

@@ -0,0 +1,153 @@
+package com.securitysuite;
+
+import com.facebook.react.bridge.Arguments;
+import com.facebook.react.bridge.ReadableMap;
+import com.facebook.react.bridge.WritableMap;
+
+import org.junit.Test;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+public class JWSGeneratorTest {
+  private static final String SECRET = "secret";
+
+  @Test
+  public void omittedPayloadProducesThreeSegmentsWithEmptyMiddle() throws Exception {
+    assertEmptyPayloadCase(null);
+  }
+
+  @Test
+  public void nullPayloadProducesThreeSegmentsWithEmptyMiddle() throws Exception {
+    assertEmptyPayloadCase("");
+  }
+
+  @Test
+  public void emptyStringPayloadProducesThreeSegmentsWithEmptyMiddle() throws Exception {
+    assertEmptyPayloadCase("");
+  }
+
+  @Test
+  public void stringNullPayloadIsNotEmpty() throws Exception {
+    JWSGenerator generator = new JWSGenerator();
+    String jws = generator.generate("null", SECRET, "HS256", headersWithKid(), false);
+    String[] segments = jws.split("\\.", -1);
+
+    assertEquals(3, segments.length);
+    assertEquals(base64Url("null"), segments[1]);
+    assertFalse(segments[1].isEmpty());
+  }
+
+  @Test
+  public void stringUndefinedPayloadIsNotEmpty() throws Exception {
+    JWSGenerator generator = new JWSGenerator();
+    String jws = generator.generate("undefined", SECRET, "HS256", headersWithKid(), false);
+    String[] segments = jws.split("\\.", -1);
+
+    assertEquals(3, segments.length);
+    assertEquals(base64Url("undefined"), segments[1]);
+  }
+
+  @Test
+  public void objectPayloadIsBase64UrlEncodedJson() throws Exception {
+    JWSGenerator generator = new JWSGenerator();
+    String payload = "{\"amount\":1000}";
+    String jws = generator.generate(payload, SECRET, "HS256", headersWithKid(), false);
+    String[] segments = jws.split("\\.", -1);
+
+    assertEquals(3, segments.length);
+    assertEquals(base64Url(payload), segments[1]);
+  }
+
+  @Test(expected = IllegalArgumentException.class)
+  public void algorithmMismatchThrows() throws Exception {
+    WritableMap headers = Arguments.createMap();
+    headers.putString("alg", "HS256");
+    headers.putString("kid", "test-key");
+
+    JWSGenerator generator = new JWSGenerator();
+    generator.generate("", SECRET, "HS512", headers, false);
+  }
+
+  @Test
+  public void algorithmFromHeaderIsUsed() throws Exception {
+    WritableMap headers = Arguments.createMap();
+    headers.putString("alg", "HS384");
+    headers.putString("kid", "test-key");
+
+    JWSGenerator generator = new JWSGenerator();
+    String jws = generator.generate("", SECRET, null, headers, false);
+    String protectedHeaderJson = new String(
+        Base64.getUrlDecoder().decode(jws.split("\\.", -1)[0]),
+        StandardCharsets.UTF_8
+    );
+
+    assertTrue(protectedHeaderJson.contains("\"alg\":\"HS384\""));
+  }
+
+  @Test
+  public void defaultAlgorithmIsHs256() throws Exception {
+    JWSGenerator generator = new JWSGenerator();
+    String jws = generator.generate("", SECRET, null, headersWithKid(), false);
+    String protectedHeaderJson = new String(
+        Base64.getUrlDecoder().decode(jws.split("\\.", -1)[0]),
+        StandardCharsets.UTF_8
+    );
+
+    assertTrue(protectedHeaderJson.contains("\"alg\":\"HS256\""));
+  }
+
+  @Test
+  public void detachedOutputUsesDoubleDot() throws Exception {
+    JWSGenerator generator = new JWSGenerator();
+    String jws = generator.generate("payload", SECRET, "HS256", headersWithKid(), true);
+
+    assertTrue(jws.contains(".."));
+    assertEquals(2, jws.split("\\.\\.", -1).length);
+    assertTrue(generator.verify(jws, "payload", SECRET, "HS256", true));
+  }
+
+  private void assertEmptyPayloadCase(String payload) throws Exception {
+    JWSGenerator generator = new JWSGenerator();
+    String jws = generator.generate(payload, SECRET, "HS256", headersWithKid(), false);
+    String[] segments = jws.split("\\.", -1);
+
+    assertEquals(3, segments.length);
+    assertEquals("", segments[1]);
+    assertTrue(jws.contains(".."));
+    assertTrue(generator.verify(jws, payload == null ? "" : payload, SECRET, "HS256", false));
+  }
+
+  private ReadableMap headersWithKid() {
+    WritableMap headers = Arguments.createMap();
+    headers.putString("kid", "test-key");
+    return headers;
+  }
+
+  private String base64Url(String value) {
+    return Base64.getUrlEncoder().withoutPadding()
+        .encodeToString(value.getBytes(StandardCharsets.UTF_8));
+  }
+
+  private String signReference(String protectedHeader, String payloadString, String algorithm)
+      throws Exception {
+    String encodedPayload = payloadString == null || payloadString.isEmpty()
+        ? ""
+        : base64Url(payloadString);
+    String signingInput = protectedHeader + "." + encodedPayload;
+    String macAlgorithm = CryptoUtils.hmacAlgorithmForJws(algorithm);
+    Mac mac = Mac.getInstance(macAlgorithm);
+    mac.init(new SecretKeySpec(SECRET.getBytes(StandardCharsets.UTF_8), macAlgorithm));
+    String signature = Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal(
+        signingInput.getBytes(StandardCharsets.UTF_8)
+    ));
+    return protectedHeader + "." + encodedPayload + "." + signature;
+  }
+}

package/android/src/test/java/com/securitysuite/SecureStorageNativeTest.java

@@ -0,0 +1,37 @@
+package com.securitysuite;
+
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+public class SecureStorageNativeTest {
+  @Test
+  public void secureStorageException_includesOperationAndFailureMessage() {
+    Exception wrapped =
+        invokeSecureStorageException(
+            "setItem", new IllegalArgumentException("Storage key is required"));
+
+    assertTrue(wrapped.getMessage().startsWith("Secure storage operation failed"));
+    assertTrue(wrapped.getMessage().contains("(setItem)"));
+    assertTrue(wrapped.getMessage().contains("Storage key is required"));
+  }
+
+  @Test
+  public void secureStorageException_usesExceptionTypeWhenMessageMissing() {
+    Exception wrapped = invokeSecureStorageException("getItem", new RuntimeException());
+
+    assertEquals(
+        "Secure storage operation failed (getItem): RuntimeException",
+        wrapped.getMessage());
+  }
+
+  private static Exception invokeSecureStorageException(String operation, Exception cause)
+      throws Exception {
+    var method =
+        SecureStorageNative.class.getDeclaredMethod(
+            "secureStorageException", String.class, Exception.class);
+    method.setAccessible(true);
+    return (Exception) method.invoke(null, operation, cause);
+  }
+}

package/ios/CryptoConfig.swift

@@ -0,0 +1,124 @@
+import Foundation
+
+@available(iOS 13.0, *)
+struct CryptoConfig {
+    static let defaultKeyAgreement = "ECDH"
+    static let defaultKeyFactory = "EC"
+    static let defaultEncryptionKeyAlgorithm = "AES"
+    static let defaultHmacKeyAlgorithm = "HmacSHA256"
+    static let defaultCipherTransformation = "AES/GCM/NoPadding"
+    static let defaultGcmTagLength = 128
+    static let defaultGcmIvLength = 12
+
+    let keyAgreementAlgorithm: String
+    let keyFactoryAlgorithm: String
+    let encryptionKeyAlgorithm: String
+    let hmacKeyAlgorithm: String
+    let cipherTransformation: String
+    let gcmTagLength: Int
+    let gcmIvLength: Int
+
+    static func defaults() -> CryptoConfig {
+        CryptoConfig(
+            keyAgreementAlgorithm: defaultKeyAgreement,
+            keyFactoryAlgorithm: defaultKeyFactory,
+            encryptionKeyAlgorithm: defaultEncryptionKeyAlgorithm,
+            hmacKeyAlgorithm: defaultHmacKeyAlgorithm,
+            cipherTransformation: defaultCipherTransformation,
+            gcmTagLength: defaultGcmTagLength,
+            gcmIvLength: defaultGcmIvLength
+        )
+    }
+
+    static func from(dictionary: NSDictionary?) throws -> CryptoConfig {
+        guard let dictionary = dictionary else {
+            return defaults()
+        }
+
+        return CryptoConfig(
+            keyAgreementAlgorithm: try validateKeyAgreement(
+                dictionary["keyAgreementAlgorithm"] as? String ?? defaultKeyAgreement
+            ),
+            keyFactoryAlgorithm: try validateKeyFactory(
+                dictionary["keyFactoryAlgorithm"] as? String ?? defaultKeyFactory
+            ),
+            encryptionKeyAlgorithm: try validateEncryptionKeyAlgorithm(
+                dictionary["encryptionKeyAlgorithm"] as? String ?? defaultEncryptionKeyAlgorithm
+            ),
+            hmacKeyAlgorithm: try validateHmacKeyAlgorithm(
+                dictionary["hmacKeyAlgorithm"] as? String ?? defaultHmacKeyAlgorithm
+            ),
+            cipherTransformation: try validateCipherTransformation(
+                dictionary["cipherTransformation"] as? String ?? defaultCipherTransformation
+            ),
+            gcmTagLength: dictionary["gcmTagLength"] as? Int ?? defaultGcmTagLength,
+            gcmIvLength: dictionary["gcmIvLength"] as? Int ?? defaultGcmIvLength
+        )
+    }
+
+    func merged(with dictionary: NSDictionary?) throws -> CryptoConfig {
+        guard let dictionary = dictionary else { return self }
+        var merged: [String: Any] = [
+            "keyAgreementAlgorithm": keyAgreementAlgorithm,
+            "keyFactoryAlgorithm": keyFactoryAlgorithm,
+            "encryptionKeyAlgorithm": encryptionKeyAlgorithm,
+            "hmacKeyAlgorithm": hmacKeyAlgorithm,
+            "cipherTransformation": cipherTransformation,
+            "gcmTagLength": gcmTagLength,
+            "gcmIvLength": gcmIvLength,
+        ]
+        for (key, value) in dictionary {
+            if let stringKey = key as? String {
+                merged[stringKey] = value
+            }
+        }
+        return try CryptoConfig.from(dictionary: merged as NSDictionary)
+    }
+
+    private static func validateKeyAgreement(_ algorithm: String) throws -> String {
+        guard algorithm == "ECDH" else {
+            throw NSError(domain: "CryptoConfig", code: 1, userInfo: [
+                NSLocalizedDescriptionKey: "Unsupported keyAgreementAlgorithm: \(algorithm)",
+            ])
+        }
+        return algorithm
+    }
+
+    private static func validateKeyFactory(_ algorithm: String) throws -> String {
+        guard algorithm == "EC" else {
+            throw NSError(domain: "CryptoConfig", code: 2, userInfo: [
+                NSLocalizedDescriptionKey: "Unsupported keyFactoryAlgorithm: \(algorithm)",
+            ])
+        }
+        return algorithm
+    }
+
+    private static func validateEncryptionKeyAlgorithm(_ algorithm: String) throws -> String {
+        guard algorithm == "AES" else {
+            throw NSError(domain: "CryptoConfig", code: 3, userInfo: [
+                NSLocalizedDescriptionKey: "Unsupported encryptionKeyAlgorithm: \(algorithm)",
+            ])
+        }
+        return algorithm
+    }
+
+    private static func validateHmacKeyAlgorithm(_ algorithm: String) throws -> String {
+        switch algorithm {
+        case "HmacSHA256", "HmacSHA384", "HmacSHA512":
+            return algorithm
+        default:
+            throw NSError(domain: "CryptoConfig", code: 4, userInfo: [
+                NSLocalizedDescriptionKey: "Unsupported hmacKeyAlgorithm: \(algorithm)",
+            ])
+        }
+    }
+
+    private static func validateCipherTransformation(_ transformation: String) throws -> String {
+        guard transformation == "AES/GCM/NoPadding" else {
+            throw NSError(domain: "CryptoConfig", code: 5, userInfo: [
+                NSLocalizedDescriptionKey: "Unsupported cipherTransformation: \(transformation)",
+            ])
+        }
+        return transformation
+    }
+}