Add Android encryption code

Author: rikardwissing

android/TTFirebaseMessagingService.java

@@ -0,0 +1,61 @@
+package com.teamtailor.app
+
+import com.google.firebase.messaging.RemoteMessage
+import expo.modules.notifications.service.ExpoFirebaseMessagingService
+import android.util.Log
+import org.json.JSONObject
+import com.teamtailor.modules.encryption.CryptoUtils
+
+class TTFirebaseMessagingService : ExpoFirebaseMessagingService() {
+    companion object {
+        private const val TAG = "TTFirebaseMessagingService"
+    }
+
+    override fun onMessageReceived(remoteMessage: RemoteMessage) {
+        val originalData = remoteMessage.getData()
+        Log.d(TAG, "Received message with data: ${originalData}")
+
+        if (originalData["encrypted_data"]?.let { encryptedDataString ->
+            try {
+                val encryptedData = parseJsonToMap(encryptedDataString)
+                val decryptedDataString = CryptoUtils.hybridDecrypt(
+                    encryptedData["encrypted_key"]!!,
+                    encryptedData["cipher_text"]!!,
+                    encryptedData["nonce"]!!,
+                    encryptedData["tag"]!!
+                )
+                
+                val decryptedData = parseJsonToMap(decryptedDataString)
+                val modifiedData = originalData.toMutableMap().apply {
+                    remove("encrypted_data")
+                    putAll(decryptedData)
+                }
+
+                val newMessage = RemoteMessage.Builder("/topics/default").apply {
+                    remoteMessage.getMessageId()?.let { setMessageId(it) }
+                    setData(modifiedData)
+                    setTtl(remoteMessage.getTtl())
+                    setCollapseKey(remoteMessage.getCollapseKey())
+                }.build()
+
+                super.onMessageReceived(newMessage)
+                true
+            } catch (e: Exception) {
+                Log.e(TAG, "Failed to decrypt or parse encrypted data", e)
+                false
+            }
+        } == true) {
+            Log.d(TAG, "Successfully handled encrypted data")
+        } else {
+            Log.d(TAG, "No encrypted data found or decryption failed, passing original message")
+            super.onMessageReceived(remoteMessage)
+        }
+    }
+
+    private fun parseJsonToMap(jsonString: String): Map<String, String> =
+        JSONObject(jsonString).let { json ->
+            json.keys().asSequence().associateWith { key ->
+                json.getString(key)
+            }
+        }
+}

android/TTFirebaseMessagingService.kt

@@ -0,0 +1,92 @@
+apply plugin: 'com.android.library'
+apply plugin: 'kotlin-android'
+apply plugin: 'maven-publish'
+
+group = 'com.teamtailor.modules.encryption'
+version = '0.5.0'
+
+buildscript {
+  def expoModulesCorePlugin = new File(project(":expo-modules-core").projectDir.absolutePath, "ExpoModulesCorePlugin.gradle")
+  if (expoModulesCorePlugin.exists()) {
+    apply from: expoModulesCorePlugin
+    applyKotlinExpoModulesCorePlugin()
+  }
+
+  // Simple helper that allows the root project to override versions declared by this library.
+  ext.safeExtGet = { prop, fallback ->
+    rootProject.ext.has(prop) ? rootProject.ext.get(prop) : fallback
+  }
+
+  // Ensures backward compatibility
+  ext.getKotlinVersion = {
+    if (ext.has("kotlinVersion")) {
+      ext.kotlinVersion()
+    } else {
+      ext.safeExtGet("kotlinVersion", "1.8.10")
+    }
+  }
+
+  repositories {
+    mavenCentral()
+  }
+
+  dependencies {
+    classpath("org.jetbrains.kotlin:kotlin-gradle-plugin:${getKotlinVersion()}")
+  }
+}
+
+afterEvaluate {
+  publishing {
+    publications {
+      release(MavenPublication) {
+        from components.release
+      }
+    }
+    repositories {
+      maven {
+        url = mavenLocal().url
+      }
+    }
+  }
+}
+
+android {
+  compileSdkVersion safeExtGet("compileSdkVersion", 33)
+
+  def agpVersion = com.android.Version.ANDROID_GRADLE_PLUGIN_VERSION
+  if (agpVersion.tokenize('.')[0].toInteger() < 8) {
+    compileOptions {
+      sourceCompatibility JavaVersion.VERSION_11
+      targetCompatibility JavaVersion.VERSION_11
+    }
+
+    kotlinOptions {
+      jvmTarget = JavaVersion.VERSION_11.majorVersion
+    }
+  }
+
+  namespace "com.teamtailor.modules.encryption"
+  defaultConfig {
+    minSdkVersion safeExtGet("minSdkVersion", 21)
+    targetSdkVersion safeExtGet("targetSdkVersion", 34)
+    versionCode 1
+    versionName "0.5.0"
+  }
+  lintOptions {
+    abortOnError false
+  }
+  publishing {
+    singleVariant("release") {
+      withSourcesJar()
+    }
+  }
+}
+
+repositories {
+  mavenCentral()
+}
+
+dependencies {
+  implementation project(':expo-modules-core')
+  implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk7:${getKotlinVersion()}"
+}

android/build.gradle

@@ -0,0 +1,2 @@
+<manifest>
+</manifest>

android/src/main/AndroidManifest.xml

@@ -0,0 +1,95 @@
+package com.teamtailor.modules.encryption
+
+import android.security.keystore.KeyGenParameterSpec
+import android.security.keystore.KeyProperties
+import android.util.Base64
+import java.security.KeyPairGenerator
+import java.security.KeyStore
+import java.security.SecureRandom
+import javax.crypto.Cipher
+import javax.crypto.spec.GCMParameterSpec
+import javax.crypto.spec.SecretKeySpec
+
+object CryptoUtils {
+    private const val KEY_ALIAS = "com.teamtailor.modules.encryption.cryptoutils2"
+    private const val ANDROID_KEYSTORE = "AndroidKeyStore"
+    private const val GCM_TAG_LENGTH = 128
+
+    private fun getOrCreateKeyPair(): KeyStore.PrivateKeyEntry {
+        val keyStore = KeyStore.getInstance(ANDROID_KEYSTORE)
+        keyStore.load(null)
+
+        if (!keyStore.containsAlias(KEY_ALIAS)) {
+            val spec = KeyGenParameterSpec.Builder(
+                KEY_ALIAS,
+                KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
+            )
+                .setDigests(KeyProperties.DIGEST_SHA1)  // Changed to SHA1 to match Ruby/iOS
+                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP)
+                .setKeySize(2048)  // Explicitly set key size to match other implementations
+                .build()
+
+            val generator = KeyPairGenerator.getInstance(
+                KeyProperties.KEY_ALGORITHM_RSA,
+                ANDROID_KEYSTORE
+            )
+            generator.initialize(spec)
+            generator.generateKeyPair()
+        }
+
+        return keyStore.getEntry(KEY_ALIAS, null) as KeyStore.PrivateKeyEntry
+    }
+
+    fun getPublicKey(): String {
+        val entry = getOrCreateKeyPair()
+        return Base64.encodeToString(entry.certificate.publicKey.encoded, Base64.NO_WRAP)
+    }
+
+    fun hybridDecrypt(encryptedKey: String, cipherText: String, nonce: String, tag: String): String {
+        val aesKey = rsaDecrypt(encryptedKey)
+        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
+        
+        val nonceBytes = Base64.decode(nonce, Base64.NO_WRAP)
+        val cipherBytes = Base64.decode(cipherText, Base64.NO_WRAP)
+        val tagBytes = Base64.decode(tag, Base64.NO_WRAP)
+        
+        val spec = GCMParameterSpec(GCM_TAG_LENGTH, nonceBytes)
+        val secretKey = SecretKeySpec(aesKey, "AES")  // AES-256 key from RSA decryption
+        
+        cipher.init(Cipher.DECRYPT_MODE, secretKey, spec)
+        val decryptedBytes = cipher.doFinal(cipherBytes + tagBytes)
+        
+        return String(decryptedBytes, Charsets.UTF_8)
+    }
+
+    fun rsaDecrypt(encryptedBase64: String): ByteArray {
+        val entry = getOrCreateKeyPair()
+        // Use RSA/ECB/OAEPWithSHA-1AndMGF1Padding to match Ruby's OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
+        val cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding")
+        cipher.init(Cipher.DECRYPT_MODE, entry.privateKey)
+        
+        val encryptedBytes = Base64.decode(encryptedBase64, Base64.NO_WRAP)
+        return cipher.doFinal(encryptedBytes)
+    }
+
+    fun deleteKeyPair() {
+        val keyStore = KeyStore.getInstance(ANDROID_KEYSTORE)
+        keyStore.load(null)
+        keyStore.deleteEntry(KEY_ALIAS)
+    }
+
+    fun testEncryption(message: String): Boolean {
+        val entry = getOrCreateKeyPair()
+        val cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding")
+        
+        // Encrypt
+        cipher.init(Cipher.ENCRYPT_MODE, entry.certificate.publicKey)
+        val encrypted = cipher.doFinal(message.toByteArray())
+        
+        // Decrypt
+        cipher.init(Cipher.DECRYPT_MODE, entry.privateKey)
+        val decrypted = cipher.doFinal(encrypted)
+        
+        return message == String(decrypted)
+    }
+}

android/src/main/java/com/teamtailor/modules/encryption/CryptoUtils.kt

@@ -0,0 +1,30 @@
+package com.teamtailor.modules.encryption
+
+import expo.modules.kotlin.modules.Module
+import expo.modules.kotlin.modules.ModuleDefinition
+
+class EncryptionModule : Module() {
+    override fun definition() = ModuleDefinition {
+        Name("EncryptionModule")
+
+        Function("getPublicKey") {
+            CryptoUtils.getPublicKey()
+        }
+
+        Function("hybridDecrypt") { encryptedKey: String, cipherText: String, nonce: String, tag: String ->
+            CryptoUtils.hybridDecrypt(encryptedKey, cipherText, nonce, tag)
+        }
+
+        Function("deleteKeyPair") {
+            CryptoUtils.deleteKeyPair()
+        }
+
+        Function("testEncryption") { message: String ->
+            CryptoUtils.testEncryption(message)
+        }
+
+        Function("rsaDecrypt") { encryptedBase64: String ->
+            CryptoUtils.rsaDecrypt(encryptedBase64)
+        }
+    }
+}

android/src/main/java/com/teamtailor/modules/encryption/EncryptionModule.kt

@@ -1,7 +1,10 @@
 {
   "name": "ttmobile-notification-service",
-  "platforms": ["ios"],
+  "platforms": ["ios", "android"],
   "ios": {
     "modules": ["EncryptionModule"]
+  },
+  "android": {
+    "modules": ["com.teamtailor.modules.encryption.EncryptionModule"]
   }
 }