Implemented creating and saving random salt

This commit is contained in:
dankito 2020-10-14 02:29:58 +02:00
parent b1c027b608
commit 50ae70a92c
1 changed files with 72 additions and 15 deletions


@ -12,6 +12,8 @@ class AuthenticationService {
static private let UserLoginPasswordKeychainAccountName = "UserLoginPassword" static private let UserLoginPasswordKeychainAccountName = "UserLoginPassword"
static private let UserLoginPasswordSaltKeychainAccountName = "UserLoginPasswordSalt"
private let biometricAuthenticationService = BiometricAuthenticationService() private let biometricAuthenticationService = BiometricAuthenticationService()
private let persistence: IBankingPersistence private let persistence: IBankingPersistence
@ -97,7 +99,8 @@ class AuthenticationService {
func authenticateUserWithPassword(_ enteredPassword: String, _ authenticationResult: @escaping (Bool, String?) -> Void) { func authenticateUserWithPassword(_ enteredPassword: String, _ authenticationResult: @escaping (Bool, String?) -> Void) {
if let storedHash = readLoginPasswordHash() { if let storedHash = readLoginPasswordHash() {
if let hashOfEnteredPassword = hashLoginPassword(enteredPassword) { if let salt = readLoginPasswordSalt() {
if let hashOfEnteredPassword = hashLoginPassword(enteredPassword, salt) {
if storedHash == hashOfEnteredPassword { if storedHash == hashOfEnteredPassword {
let decryptDatabaseResult = openDatabase(false, enteredPassword) let decryptDatabaseResult = openDatabase(false, enteredPassword)
authenticationResult(decryptDatabaseResult, nil) authenticationResult(decryptDatabaseResult, nil)
@ -106,6 +109,7 @@ class AuthenticationService {
} }
} }
} }
}
authenticationResult(false, "Incorrect password entered".localize()) authenticationResult(false, "Incorrect password entered".localize())
} }
@ -297,13 +301,17 @@ class AuthenticationService {
@discardableResult @discardableResult
private func setLoginPassword(_ newPassword: String) -> Bool { private func setLoginPassword(_ newPassword: String) -> Bool {
do { do {
if let passwordHash = hashLoginPassword(newPassword) { let salt = Array(generateRandomPassword(8).utf8)
if let passwordHash = hashLoginPassword(newPassword, salt) {
if saveLoginPasswordSalt(salt) {
let passwordItem = createUserLoginPasswordKeychainItem() let passwordItem = createUserLoginPasswordKeychainItem()
try passwordItem.savePassword(passwordHash) try passwordItem.savePassword(passwordHash)
return true return true
} }
}
} catch { } catch {
NSLog("Could not save login password: \(error)") NSLog("Could not save login password: \(error)")
} }
@ -343,6 +351,57 @@ class AuthenticationService {
} }
@discardableResult
private func saveLoginPasswordSalt(_ salt: Array<UInt8>) -> Bool {
do {
let saltItem = createUserLoginPasswordSaltKeychainItem()
if let saltBase64Encoded = salt.toBase64() {
try saltItem.savePassword(saltBase64Encoded)
return true
}
} catch {
NSLog("Could not save login password salt: \(error)")
}
return false
}
private func readLoginPasswordSalt() -> Array<UInt8>? {
do {
let saltItem = createUserLoginPasswordSaltKeychainItem()
let saltBase64Encoded = try saltItem.readPassword()
return Array<UInt8>(base64: saltBase64Encoded)
} catch {
NSLog("Could not read login password salt: \(error)")
}
return nil
}
@discardableResult
private func deleteLoginPasswordSalt() -> Bool {
do {
let saltItem = createUserLoginPasswordSaltKeychainItem()
try saltItem.deleteItem()
return true
} catch {
NSLog("Could not delete login password salt: \(error)")
}
return false
}
private func createUserLoginPasswordSaltKeychainItem() -> KeychainPasswordItem {
return KeychainPasswordItem(Self.UserLoginPasswordSaltKeychainAccountName)
}
private func deleteAllKeyChainItems() { private func deleteAllKeyChainItems() {
deleteAuthenticationTypeKeychainItem() deleteAuthenticationTypeKeychainItem()
@ -360,11 +419,9 @@ class AuthenticationService {
} }
private func hashLoginPassword(_ loginPassword: String) -> String? { private func hashLoginPassword(_ loginPassword: String, _ salt: Array<UInt8>) -> String? {
do { do {
let password = Array(loginPassword.utf8) let password = Array(loginPassword.utf8)
//let salt = Array(generateRandomPassword(8).utf8)
let salt = Array("aaaaaaaa".utf8)
let bytes = try Scrypt(password: password, salt: salt, dkLen: 64, N: 256, r: 8, p: 1).calculate() let bytes = try Scrypt(password: password, salt: salt, dkLen: 64, N: 256, r: 8, p: 1).calculate()