uport-project / uport-android-sdk Goto Github PK

@mirceanis commented on Fri Aug 03 2018

pre-derive encryption keys and JWT signing key and store them under simple encryption.

Description TBD, reason in epic description (#112)

this issue should move to an SDK repo when work starts

The class KPAccountCreator should be renamed to something more intuitive and comments to be added for a better understanding of what the class is doing

Acceptance criteria:

• KPAccountCreator to be renamed to KeyPairAccountCreator
• kdoc comment describing high level functionality of class
• kdoc comment describing AccountCreator interface
• Existing tests must pass (after rename)
• breaking change from rename marked in changelog

No new tests needed but they won't be rejected if any are added :)

_{This is mirroring #161718980 in pivotal}

The SDK should support more than the Uport.defaultAccount

There should exist a method of listing all the accounts, for ex:
fun Uport.allAccounts(): List<Account>

Distinction has to be made between root addresses and addresses derived from the same seed.
It's probably necessary to store the derivation path(s) as fields of Account objects.

• disable single account limitation
• add isDefault field to Account class
• isolate account storage behind an interface with upsert(acc), get(handle), delete(handle)
• save new accounts in account storage
• load accounts from acc storage
• expose allAccounts()

the SDK exposes a deleteAccount function but it is not implemented.

... and remove support for proxy accounts (or make them non-default)

• remove unnu
• remove sensui/nisaba references
• create branch/tag to have an anchor to the current status

Some big improvements have been made to the kotlin language, some of which are of great importance to this SDK.

Most notably:

• coroutines are a stable API now
• introduction of unsigned types (simplifies a lot of code for signer/hashing/encryption/encoding)
• inline classes (can be more expressive and safer to work with primitive types or aliases)

All changes are documented here:
https://kotlinlang.org/docs/reference/whatsnew13.html

ethr-did jwts use ES256K-R algorithm, with a signature that can be used to recover the signing public key.

JWTTools.create() should allow configuration of this.

Async is handled differently in different modules. Some use callbacks, some coroutines, some both.
Since coroutines are here to stay, all async functionality should be ported to that pattern so the code becomes much more readable.

The only reason for choosing moshi was that kethereum is using it and it made sense to go the same path and not bloat the sdk with another json lib.
Kethereum is on a path to replace moshi with kotlinx serialization (komputing/KEthereum#31) so it will become necessary to do so here as well.

The uport-android-signer has moved to the SDK repo, but documentation for it has not.
There should be at a readme/wiki for the signer with at least the information contained in the original repository.

This would simplify development a lot by avoiding a release step in the signer when needed.
This also has the advantage of reducing the code footprint since some stuff can be shifted to more appropriate modules and deduplicated.

Developers that just want to use the signer and nothing else from the SDK would be able to import only the signer.
The current signer can either be deprecated or made to point to the corresponding module in this SDK.

Create the equivalent of this function from javascript:

createDisclosureRequest https://github.com/uport-project/uport-js/blob/bc928d707650e144b53d6b98f7514260a7c93553/src/Credentials.js#L138
Message Spec https://delta.uport.me/messages/sharereq

The sdk is using jitpack for distribution but the bundling code is not really aligned to that.

• mismatches in groupID
• demo app should also demo loading
• version used in build.gradle files needs to be kept in sync with git tags

Hello, I'm trying to create a basic mobile app that allows me to do authentication with uPort mobile app. I used demoapp in this repository (fixed some problems it as) and finally managed to make it work.

Now my problem is related to what to do after receiving the token. I was looking at https://developer.uport.me/flows/selectivedisclosure and it was not very clear to me. My current problem is related to https://github.com/uport-project/uport-android-sdk/blob/develop/demoapp/src/main/java/me/uport/sdk/demoapp/request_flows/uPortLoginActivity.kt#L39. Do I need a simples web-app running to catch that callback? If so, how do I send back to my app?

Also, I would like to start helping at least with documentation. How can I do so?
Thank you so much in advance.

Steps to reproduce:

• initialize Uport sdk
• call Uport.createAccount(network) { err, acc -> /* do something in account callback*/ }
• Uport.defaultAccount is still null after account callback has been called, even if the acc has been created successfully

The did module only covers the uport DID resolver.
There should be another module that can resolve ethr-did identities.

Find a way to count the method references in each lib module.
Keeping below the dex limit is tough but it has to start somewhere.
This number should be as low as possible so it should form a baseline to be checked against when making changes.

Steps to reproduce:

• on a device with a fingerprint sensor
• run the uport-android-signer demoapp
• tap use fingerprint, then tap create a seed then sign a random string
• approve the signature using your fingerprint
• The demoapp crashes with the following stacktrace:

    Process: me.uport.signer.demo, PID: 12608
    java.lang.RuntimeException: java.lang.reflect.InvocationTargetException
        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:448)
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:807)
     Caused by: java.lang.reflect.InvocationTargetException
        at java.lang.reflect.Method.invoke(Native Method)
        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:438)
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:807) 
     Caused by: javax.crypto.BadPaddingException
        at android.security.keystore.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:515)
        at javax.crypto.Cipher.doFinal(Cipher.java:1741)
        at com.uport.sdk.signer.encryption.FingerprintAsymmetricProtection$decrypt$1.invoke(FingerprintAsymmetricProtection.kt:55)
        at com.uport.sdk.signer.encryption.FingerprintAsymmetricProtection$decrypt$1.invoke(FingerprintAsymmetricProtection.kt:20)
        at com.uport.sdk.signer.encryption.FingerprintAsymmetricProtection$showFingerprintDialog$1.onFingerprintSuccess(FingerprintAsymmetricProtection.kt:82)
        at com.uport.sdk.signer.encryption.FingerprintDialog$showSuccessText$1.onAnimationEnd(FingerprintDialog.kt:154)
        at android.view.ViewPropertyAnimator$AnimatorEventListener.onAnimationEnd(ViewPropertyAnimator.java:1122)
        at android.animation.Animator$AnimatorListener.onAnimationEnd(Animator.java:552)
        at android.animation.ValueAnimator.endAnimation(ValueAnimator.java:1209)
        at android.animation.ValueAnimator.doAnimationFrame(ValueAnimator.java:1449)
        at android.animation.AnimationHandler.doAnimationFrame(AnimationHandler.java:146)
        at android.animation.AnimationHandler.-wrap2(Unknown Source:0)
        at android.animation.AnimationHandler$1.doFrame(AnimationHandler.java:54)
        at android.view.Choreographer$CallbackRecord.run(Choreographer.java:976)
        at android.view.Choreographer.doCallbacks(Choreographer.java:790)
        at android.view.Choreographer.doFrame(Choreographer.java:722)
        at android.view.Choreographer$FrameDisplayEventReceiver.run(Choreographer.java:964)
        at android.os.Handler.handleCallback(Handler.java:790)
        at android.os.Handler.dispatchMessage(Handler.java:99)
        at android.os.Looper.loop(Looper.java:164)
        at android.app.ActivityThread.main(ActivityThread.java:6501)
        at java.lang.reflect.Method.invoke(Native Method) 
        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:438) 
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:807) 
     Caused by: android.security.KeyStoreException: Invalid argument
        at android.security.KeyStore.getKeyStoreException(KeyStore.java:697)
        at android.security.keystore.KeyStoreCryptoOperationChunkedStreamer.doFinal(KeyStoreCryptoOperationChunkedStreamer.java:224)
        at android.security.keystore.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:506)
        at javax.crypto.Cipher.doFinal(Cipher.java:1741) 
        at com.uport.sdk.signer.encryption.FingerprintAsymmetricProtection$decrypt$1.invoke(FingerprintAsymmetricProtection.kt:55) 
        at com.uport.sdk.signer.encryption.FingerprintAsymmetricProtection$decrypt$1.invoke(FingerprintAsymmetricProtection.kt:20) 
        at com.uport.sdk.signer.encryption.FingerprintAsymmetricProtection$showFingerprintDialog$1.onFingerprintSuccess(FingerprintAsymmetricProtection.kt:82) 
        at com.uport.sdk.signer.encryption.FingerprintDialog$showSuccessText$1.onAnimationEnd(FingerprintDialog.kt:154) 
        at android.view.ViewPropertyAnimator$AnimatorEventListener.onAnimationEnd(ViewPropertyAnimator.java:1122) 
        at android.animation.Animator$AnimatorListener.onAnimationEnd(Animator.java:552) 
        at android.animation.ValueAnimator.endAnimation(ValueAnimator.java:1209) 
        at android.animation.ValueAnimator.doAnimationFrame(ValueAnimator.java:1449) 
        at android.animation.AnimationHandler.doAnimationFrame(AnimationHandler.java:146) 
        at android.animation.AnimationHandler.-wrap2(Unknown Source:0) 
        at android.animation.AnimationHandler$1.doFrame(AnimationHandler.java:54) 
        at android.view.Choreographer$CallbackRecord.run(Choreographer.java:976) 
        at android.view.Choreographer.doCallbacks(Choreographer.java:790) 
        at android.view.Choreographer.doFrame(Choreographer.java:722) 
        at android.view.Choreographer$FrameDisplayEventReceiver.run(Choreographer.java:964) 
        at android.os.Handler.handleCallback(Handler.java:790) 
        at android.os.Handler.dispatchMessage(Handler.java:99) 
        at android.os.Looper.loop(Looper.java:164) 
        at android.app.ActivityThread.main(ActivityThread.java:6501) 
        at java.lang.reflect.Method.invoke(Native Method) 
        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:438) 
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:807) 

tests are missing from a lot of the modules

The test vector from DID-JWT does not pass

https://github.com/uport-project/did-jwt/blob/develop/src/__tests__/__snapshots__/SimpleSigner-test.js.snap

The problem is the recovery param.
JS expects it to be 0 or 1 but the Signer is writing a 27 or 28 in the Jose encoding when encoding for recoverable signature.
Therefore, when passing a JWT created by this SDK to did-jwt to validate it will crash with "The recovery param is more than two bits" error.

JWTTools contains code copied from kethereum and modified to allow signature recovery for jwt.
To keep things DRY, this code should remain part of kethereum and a PR made there to expose the necessary parts.

the SDK should provide an easy way of choosing a particular network

this is an issue because the tx can be relayed on a different network (if the nonces sync)

Goal

Coroutines don't fix every asynchrony problem that android may encounter but they do provide ways of working with the component lifecycle.

Our demo-app and sample code should display the proper way to build coroutine contexts that includes lifecycle-aware jobs and intentional exception handler.

References

• https://kotlinlang.org/docs/reference/coroutines/exception-handling.html#coroutineexceptionhandler
• https://github.com/Kotlin/kotlinx.coroutines/blob/master/ui/coroutines-guide-ui.md

Acceptance

• A coroutine exception handler is created in demoapp
• Exception handler is added to coroutine context
• Coroutine context is canceled on activity destroy - or, even better on ViewModel release
• All Suppress("LabeledExpression") annotations that reference activity instances are removed from demoapp

Testing

TBD

@mirceanis commented on Thu Jul 19 2018

When integrators use the signer library in an app that uses proguard, they should not have to struggle to find a working proguard configuration for the classes created here, nor one to patch the warnings.

This should be done by providing a consumerProguardFiles entry in signer/build.gradle

Apps may encounter warnings about:
javax.naming.** - because of some unused classes from spongycastle
java.lang.management.** - ??
org.slf4j.** - because of dependencies of kethereum
android.** - ??

definition of done

• signer demoapp has a release version with minification enabled
• signer demoapp does NOT need special proguard configuration to use the signer library. It should automatically propagate the proguard config

the signer module is using FingerprintManager which has been deprecated in the latest API level(28)

relates to [#161277119]