Add iOS encryption code

Author: rikardwissing

.gitignore

@@ -1,3 +1,9 @@
+# Build files
+/build
+/plugin/build
+
+yarn.lock
+
 # OSX
 #
 .DS_Store

.npmignore

@@ -4,6 +4,7 @@
 __mocks__
 __tests__
 
+/yarn.lock
 /babel.config.js
 /android/src/androidTest/
 /android/src/test/

README.md

@@ -1,6 +1,10 @@
 # ttmobile-notification-service
 
-Adds support for communication notifications
+This is a notification service that modifies incoming notifications.
+
+Currently it support communication notifications for ios. Adding company logo as avatar.
+
+It also supports e2e encryption for notifications-
 
 # Installation in managed Expo projects
 

android/TTFirebaseMessagingService.java

@@ -25,8 +25,6 @@
 public class TTFirebaseMessagingService extends ExpoFirebaseMessagingService {
 
     private static final String TAG = "TTFirebaseMessagingService";
-    private static final String KEY_ALIAS = "my_private_key_alias"; // Replace with your key alias
-    private static final String KEYSTORE_PROVIDER = "AndroidKeyStore";
 
     @Override
     public void onMessageReceived(RemoteMessage remoteMessage) {
@@ -38,9 +36,6 @@ public void onMessageReceived(RemoteMessage remoteMessage) {
             String decryptedDataString = originalData.get("encrypted_data");
 
             try {
-                // Decrypt the data
-                // String decryptedDataString = decryptData(encryptedData);
-
                 // Parse the decrypted JSON string into a Map
                 Map<String, String> decryptedData = parseJsonToMap(decryptedDataString);
 
@@ -80,46 +75,6 @@ public void onMessageReceived(RemoteMessage remoteMessage) {
             super.onMessageReceived(remoteMessage);
         }
     }
-    
-    // Method to decrypt the encrypted data string
-    private String decryptData(String encryptedData) throws Exception {
-        // Get the private key from the KeyStore
-        PrivateKey privateKey = getPrivateKeyFromKeyStore();
-
-        if (privateKey == null) {
-            throw new Exception("Private key not found in KeyStore");
-        }
-
-        // Decrypt the data
-        byte[] encryptedBytes = android.util.Base64.decode(encryptedData, android.util.Base64.DEFAULT);
-
-        Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
-        cipher.init(Cipher.DECRYPT_MODE, privateKey);
-
-        byte[] decryptedBytes = cipher.doFinal(encryptedBytes);
-
-        return new String(decryptedBytes, "UTF-8");
-    }
-
-    // Method to get the private key from the Android KeyStore
-    private PrivateKey getPrivateKeyFromKeyStore() throws Exception {
-        KeyStore keyStore = KeyStore.getInstance(KEYSTORE_PROVIDER);
-        keyStore.load(null);
-
-        Entry entry = keyStore.getEntry(KEY_ALIAS, null);
-
-        if (entry == null) {
-            Log.e(TAG, "No key found under alias: " + KEY_ALIAS);
-            return null;
-        }
-
-        if (!(entry instanceof PrivateKeyEntry)) {
-            Log.e(TAG, "Key under alias " + KEY_ALIAS + " is not a private key");
-            return null;
-        }
-
-        return ((PrivateKeyEntry) entry).getPrivateKey();
-    }
 
     // Method to parse the decrypted JSON string into a Map<String, String>
     private Map<String, String> parseJsonToMap(String jsonString) throws JSONException {

expo-module.config.json

@@ -0,0 +1,7 @@
+{
+  "name": "ttmobile-notification-service",
+  "platforms": ["ios"],
+  "ios": {
+    "modules": ["EncryptionModule"]
+  }
+}

ios/CryptoUtils.swift

@@ -0,0 +1,196 @@
+import Foundation
+import Security
+import CryptoKit
+
+public final class CryptoUtils {
+    private static let keyTag = "com.teamtailor.app.cryptoutils"
+    private static let keychainGroup = "group.com.teamtailor.keys"
+    
+    public enum CryptoError: Error {
+        case keyGenerationFailed(String)
+        case keychainAccessFailed(String)
+        case publicKeyExtractionFailed
+        case privateKeyNotFound
+        case invalidBase64Input
+        case rsaDecryptionFailed
+        case invalidAESKey
+        case aesDecryptionFailed
+        case rsaEncryptionFailed
+    }
+    
+    private static func generateKeyPair(tag: Data) throws -> SecKey {
+        guard let access = SecAccessControlCreateWithFlags(
+            kCFAllocatorDefault,
+            kSecAttrAccessibleAfterFirstUnlock, // This means that the key is only accessible after the device has been unlocked once. So if we get notifications before that, then we will show fallback gdpr compliant message. Any other option are more restrictive. 
+            [],
+            nil
+        ) else {
+            throw CryptoError.keyGenerationFailed("Failed to create access control")
+        }
+
+        let attributes: [String: Any] = [
+            kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
+            kSecAttrKeySizeInBits as String: 2048,
+            kSecPrivateKeyAttrs as String: [
+                kSecAttrIsPermanent as String: true,
+                kSecAttrApplicationTag as String: tag,
+                kSecAttrAccessGroup as String: keychainGroup,
+                kSecAttrAccessControl as String: access
+            ]
+        ]
+        
+        guard let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, nil) else {
+            throw CryptoError.keyGenerationFailed("Failed to generate key pair")
+        }
+        
+        return privateKey
+    }
+
+    private static func getPrivateKey() throws -> SecKey {
+        let tag = keyTag.data(using: .utf8)!
+        let query: [String: Any] = [
+            kSecClass as String: kSecClassKey,
+            kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
+            kSecAttrApplicationTag as String: tag,
+            kSecReturnRef as String: true,
+            kSecAttrAccessGroup as String: keychainGroup
+        ]
+
+        var item: CFTypeRef?
+        let status = SecItemCopyMatching(query as CFDictionary, &item)
+
+        if status == errSecSuccess {
+            return item as! SecKey
+        }
+
+        if status == errSecItemNotFound {
+            return try generateKeyPair(tag: tag)
+        }
+
+        let error = SecCopyErrorMessageString(status, nil) as String? ?? "Unknown error"
+        NSLog("CryptoUtils: Keychain access failed with error: \(error)")
+        throw CryptoError.keychainAccessFailed(error)
+    }
+
+    public static func getPublicKey() throws -> String {
+        let privateKey = try getPrivateKey()
+        
+        guard let publicKey = SecKeyCopyPublicKey(privateKey) else {
+            throw CryptoError.publicKeyExtractionFailed
+        }
+        
+        guard let publicKeyData = SecKeyCopyExternalRepresentation(publicKey, nil) as Data? else {
+            throw CryptoError.publicKeyExtractionFailed
+        }
+        
+        return publicKeyData.base64EncodedString()
+    }
+    
+    public static func rsaDecrypt(encryptedBase64: String) throws -> Data {
+        guard let cipherData = Data(base64Encoded: encryptedBase64) else {
+            throw CryptoError.invalidBase64Input
+        }
+        
+        let privateKey = try getPrivateKey()
+        
+        var error: Unmanaged<CFError>?
+        guard let decryptedData = SecKeyCreateDecryptedData(privateKey,
+                                                          .rsaEncryptionOAEPSHA1,
+                                                          cipherData as CFData,
+                                                          &error) as Data? else {
+            if let error = error?.takeRetainedValue() {
+                NSLog("RSA Decrypt: Failed with error: \(error)")
+            }
+            throw CryptoError.rsaDecryptionFailed
+        }
+        
+        return decryptedData
+    }
+    
+    public static func rsaEncrypt(data: Data) throws -> String {
+        let privateKey = try getPrivateKey()
+        guard let publicKey = SecKeyCopyPublicKey(privateKey) else {
+            throw CryptoError.privateKeyNotFound
+        }
+        
+        var error: Unmanaged<CFError>?
+        guard let encryptedData = SecKeyCreateEncryptedData(
+            publicKey,
+            .rsaEncryptionOAEPSHA1,
+            data as CFData,
+            &error
+        ) as Data? else {
+            if let error = error?.takeRetainedValue() {
+                NSLog("RSA Encrypt: Failed with error: \(error)")
+            }
+            throw CryptoError.rsaEncryptionFailed
+        }
+        
+        return encryptedData.base64EncodedString()
+    }
+    
+    public static func hybridDecrypt(
+        encryptedKey: String,
+        cipherText: String,
+        nonce: String,
+        tag: String
+    ) throws -> String {
+        let aesKeyData = try rsaDecrypt(encryptedBase64: encryptedKey)
+
+        guard let cipherData = Data(base64Encoded: cipherText),
+              let nonceData = Data(base64Encoded: nonce),
+              let tagData = Data(base64Encoded: tag) else {
+            throw CryptoError.invalidBase64Input
+        }
+        
+        guard let aeadNonce = try? AES.GCM.Nonce(data: nonceData) else {
+            throw CryptoError.invalidBase64Input
+        }
+        
+        let symmetricKey = SymmetricKey(data: aesKeyData)
+        do {
+            let sealedBox = try AES.GCM.SealedBox(
+                nonce: aeadNonce,
+                ciphertext: cipherData,
+                tag: tagData
+            )
+            
+            let decryptedData = try AES.GCM.open(sealedBox, using: symmetricKey)
+            
+            guard let decryptedString = String(data: decryptedData, encoding: .utf8) else {
+                throw CryptoError.aesDecryptionFailed
+            }
+            
+            return decryptedString
+            
+        } catch {
+            NSLog("AES Decryption failed: \(error)")
+            throw CryptoError.aesDecryptionFailed
+        }
+    }
+    
+    public static func deleteKeyPair() {
+        let tag = keyTag.data(using: .utf8)!
+        let query: [String: Any] = [
+            kSecClass as String: kSecClassKey,
+            kSecAttrApplicationTag as String: tag,
+            kSecAttrAccessGroup as String: keychainGroup
+        ]
+        SecItemDelete(query as CFDictionary)
+    }
+
+    public static func testEncryption(message: String) throws -> Bool {
+        guard let messageData = message.data(using: .utf8) else {
+            throw CryptoError.invalidBase64Input
+        }
+        
+        let encrypted = try rsaEncrypt(data: messageData)
+        let decryptedData = try rsaDecrypt(encryptedBase64: encrypted)
+        
+        guard let decryptedMessage = String(data: decryptedData, encoding: .utf8) else {
+            throw CryptoError.rsaDecryptionFailed
+        }
+        
+        return message == decryptedMessage
+    }
+}

ios/EncryptionModule.entitlements

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>keychain-access-groups</key>
+    <array>
+        <string>$(AppIdentifierPrefix)group.com.teamtailor.keys</string>
+    </array>
+</dict>
+</plist>

ios/EncryptionModule.podspec

@@ -0,0 +1,25 @@
+require 'json'
+
+package = JSON.parse(File.read(File.join(__dir__, '..', 'package.json')))
+
+Pod::Spec.new do |s|
+  s.name           = 'EncryptionModule'
+  s.version        = package['version']
+  s.summary        = package['description']
+  s.license        = package['license']
+  s.author         = package['author']
+  s.homepage       = package['homepage']
+  s.platform       = :ios, '13.4'
+  s.source         = { git: package['repository'], tag: "v#{s.version}" }
+  s.source_files   = 'EncryptionModule.swift', 'CryptoUtils.swift'
+  s.dependency 'ExpoModulesCore'
+  
+  # Ensure we can use keychain
+  s.frameworks     = 'Security'
+  
+  # Add keychain sharing entitlements
+  s.pod_target_xcconfig = {
+    'CODE_SIGN_ENTITLEMENTS' => 'EncryptionModule.entitlements',
+    'OTHER_CODE_SIGN_FLAGS' => '--entitlements $(PODS_TARGET_SRCROOT)/EncryptionModule.entitlements'
+  }
+end