Never recreating the key pair used to encrypt symmetric encryption keys

wmathurin · wmathurin · commit aebd091102fd · 2026-01-12T17:49:31.000-08:00
Instead using a new key pair (with OAEP cipher mode) when needed
That will allow MSDK and MCSDK to live side by side
diff --git a/libs/SalesforceSDK/src/com/salesforce/androidsdk/security/SalesforceKeyGenerator.java b/libs/SalesforceSDK/src/com/salesforce/androidsdk/security/SalesforceKeyGenerator.java
@@ -59,7 +59,8 @@ public class SalesforceKeyGenerator {
     private static final String SHARED_PREF_FILE = "identifier.xml";
     private static final String ENCRYPTED_ID_SHARED_PREF_KEY = "encrypted_%s";
     private static final String ID_PREFIX = "id_";
-    private static final String KEYSTORE_ALIAS = "com.salesforce.androidsdk.security.KEYPAIR";
+    protected static final String LEGACY_KEYPAIR_ALIAS = "com.salesforce.androidsdk.security.KEYPAIR";
+    protected static final String MSDK_KEYPAIR_ALIAS = "com.salesforce.androidsdk.security.MSDK_KEYPAIR";
     private static final String SHA256 = "SHA-256";
     private static final String AES = "AES";
 
@@ -160,10 +161,17 @@ private synchronized static String generateUniqueIdIfNoneStored(String name, int
         // Checks if we have a unique identifier stored.
         final String encryptedUniqueId = readFromSharedPrefs(ID_PREFIX + name);
         if (encryptedUniqueId != null) {
-            final PrivateKey privateKey = KeyStoreWrapper.getInstance().getRSAPrivateKey(KEYSTORE_ALIAS);
-            uniqueId =  Encryptor.decryptWithRSA(privateKey, encryptedUniqueId, Encryptor.CipherMode.RSA_OAEP_SHA256);
+            final PrivateKey msdkPrivateKey = KeyStoreWrapper.getInstance().getRSAPrivateKey(MSDK_KEYPAIR_ALIAS);
+            uniqueId =  Encryptor.decryptWithRSA(msdkPrivateKey, encryptedUniqueId, Encryptor.CipherMode.RSA_OAEP_SHA256);
+            // Decryption failed - must have been encrypted with legacy key (LEGACY_KEYPAIR_ALIAS)
             if (uniqueId == null) {
-                uniqueId = Encryptor.decryptWithRSA(privateKey, encryptedUniqueId, Encryptor.CipherMode.RSA_PKCS1);
+                final PrivateKey privateKey = KeyStoreWrapper.getInstance().getRSAPrivateKey(LEGACY_KEYPAIR_ALIAS);
+                uniqueId = Encryptor.decryptWithRSA(privateKey, encryptedUniqueId, Encryptor.CipherMode.RSA_OAEP_SHA256);
+                // Decryption failed - must have been encrypted with legacy key with old cipher mode
+                if (uniqueId == null) {
+                    uniqueId = Encryptor.decryptWithRSA(privateKey, encryptedUniqueId, Encryptor.CipherMode.RSA_PKCS1);
+                }
+                // We need to store it with thew new key (MSDK_KEYPAIR_ALIAS)
                 storeUniqueId = true;
             }
         }
@@ -174,15 +182,9 @@ private synchronized static String generateUniqueIdIfNoneStored(String name, int
             storeUniqueId = true;
         }
 
-        // Encrypt and store unique id if it was just created, or if it had to be decrypted with old cipher mode
+        // Encrypt and store unique id if it was just created, or if it had to be decrypted with old key
         if (storeUniqueId) {
-            // Check if existing key supports OAEP padding, recreate if not
-            if (!KeyStoreWrapper.getInstance().keySupportsOAEPPadding(KEYSTORE_ALIAS)) {
-                SalesforceSDKLogger.i(TAG, "Key doesn't support OAEP padding, recreating key pair with OAEP support");
-                KeyStoreWrapper.getInstance().deleteKey(KEYSTORE_ALIAS);
-            }
-            
-            final PublicKey publicKey = KeyStoreWrapper.getInstance().getRSAPublicKey(KEYSTORE_ALIAS);
+            final PublicKey publicKey = KeyStoreWrapper.getInstance().getRSAPublicKey(MSDK_KEYPAIR_ALIAS);
             final String encryptedKey = Encryptor.encryptWithRSA(publicKey, uniqueId, Encryptor.CipherMode.RSA_OAEP_SHA256);
             storeInSharedPrefs(ID_PREFIX + name, encryptedKey);
         }
@@ -208,12 +210,12 @@ private static String createUniqueId(int length) {
         return uniqueId;
     }
 
-    private static String readFromSharedPrefs(String key) {
+    protected static String readFromSharedPrefs(String key) {
         final SharedPreferences prefs = SalesforceSDKManager.getInstance().getAppContext().getSharedPreferences(SHARED_PREF_FILE, 0);
         return prefs.getString(getSharedPrefKey(key), null);
     }
 
-    private synchronized static void storeInSharedPrefs(String key, String value) {
+    protected synchronized static void storeInSharedPrefs(String key, String value) {
         final SharedPreferences prefs = SalesforceSDKManager.getInstance().getAppContext().getSharedPreferences(SHARED_PREF_FILE, 0);
         prefs.edit().putString(getSharedPrefKey(key), value).apply();
     }
diff --git a/libs/test/SalesforceSDKTest/src/com/salesforce/androidsdk/security/SalesforceKeyGeneratorTest.java b/libs/test/SalesforceSDKTest/src/com/salesforce/androidsdk/security/SalesforceKeyGeneratorTest.java
@@ -28,8 +28,11 @@
 
 import android.app.Application;
 import android.app.Instrumentation;
+import android.content.SharedPreferences;
 
 import com.salesforce.androidsdk.TestForceApp;
+import com.salesforce.androidsdk.analytics.security.Encryptor;
+import com.salesforce.androidsdk.app.SalesforceSDKManager;
 
 import org.junit.Assert;
 import org.junit.Before;
@@ -40,6 +43,9 @@
 import androidx.test.filters.SmallTest;
 import androidx.test.platform.app.InstrumentationRegistry;
 
+import java.security.PrivateKey;
+import java.security.PublicKey;
+
 /**
  * Tests for {@link SalesforceKeyGenerator}.
  *
@@ -87,4 +93,111 @@ public void testGetEncryptionKey() {
         Assert.assertEquals("Encryption keys with the same name should be the same", id1Again, id1);
         Assert.assertNotSame("Encryption keys with different names should be different", id2, id1);
     }
+
+    @Test
+    public void testGetUniqueIdStoredUsingLegacyKeyPairAndOldCipherMode() {
+        encryptAndStoreInPrefs("test_name", "test_value", SalesforceKeyGenerator.LEGACY_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_PKCS1);
+        Assert.assertEquals("test_value", decryptFromPrefs("test_name", SalesforceKeyGenerator.LEGACY_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_PKCS1));
+
+        // Now calling getUniqueId
+        Assert.assertEquals("test_value", SalesforceKeyGenerator.getUniqueId("test_name"));
+
+        // The value should have been re-encrypted
+        // - it should not be decryptable with the legacy key pair
+        // - it should be decryptable with the msdk key pair
+        Assert.assertNull(decryptFromPrefs("test_name", SalesforceKeyGenerator.LEGACY_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_PKCS1));
+        Assert.assertEquals("test_value", decryptFromPrefs("test_name", SalesforceKeyGenerator.MSDK_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_OAEP_SHA256));
+    }
+
+    @Test
+    public void testGetUniqueIdStoredUsingLegacyKeyPairAndNewCipherMode() {
+        encryptAndStoreInPrefs("test_name", "test_value", SalesforceKeyGenerator.LEGACY_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_OAEP_SHA256);
+        Assert.assertEquals("test_value", decryptFromPrefs("test_name", SalesforceKeyGenerator.LEGACY_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_OAEP_SHA256));
+
+        // Now calling getUniqueId
+        Assert.assertEquals("test_value", SalesforceKeyGenerator.getUniqueId("test_name"));
+
+        // The value should have been re-encrypted
+        // - it should not be decryptable with the legacy key pair
+        // - it should be decryptable with the msdk key pair
+        Assert.assertNull(decryptFromPrefs("test_name", SalesforceKeyGenerator.LEGACY_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_OAEP_SHA256));
+        Assert.assertEquals("test_value", decryptFromPrefs("test_name", SalesforceKeyGenerator.MSDK_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_OAEP_SHA256));
+    }
+
+    @Test
+    public void testMultipleGetUniqueIdStoredUsingLegacyKeyPair() {
+        encryptAndStoreInPrefs("test_name_1", "test_value_1", SalesforceKeyGenerator.LEGACY_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_PKCS1);
+        encryptAndStoreInPrefs("test_name_2", "test_value_2", SalesforceKeyGenerator.LEGACY_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_PKCS1);
+        encryptAndStoreInPrefs("test_name_3", "test_value_3", SalesforceKeyGenerator.LEGACY_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_PKCS1);
+        Assert.assertEquals("test_value_1", decryptFromPrefs("test_name_1", SalesforceKeyGenerator.LEGACY_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_PKCS1));
+        Assert.assertEquals("test_value_2", decryptFromPrefs("test_name_2", SalesforceKeyGenerator.LEGACY_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_PKCS1));
+        Assert.assertEquals("test_value_3", decryptFromPrefs("test_name_3", SalesforceKeyGenerator.LEGACY_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_PKCS1));
+
+        // Now calling getUniqueId for the first one
+        Assert.assertEquals("test_value_1", SalesforceKeyGenerator.getUniqueId("test_name_1"));
+
+        // The value should have been re-encrypted
+        // - it should not be decryptable with the legacy key pair
+        // - it should be decryptable with the msdk key pair
+        Assert.assertNull(decryptFromPrefs("test_name_1", SalesforceKeyGenerator.LEGACY_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_PKCS1));
+        Assert.assertEquals("test_value_1", decryptFromPrefs("test_name_1", SalesforceKeyGenerator.MSDK_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_OAEP_SHA256));
+
+        // Other values should not have been re-encrypted
+        Assert.assertEquals("test_value_2", decryptFromPrefs("test_name_2", SalesforceKeyGenerator.LEGACY_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_PKCS1));
+        Assert.assertEquals("test_value_3", decryptFromPrefs("test_name_3", SalesforceKeyGenerator.LEGACY_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_PKCS1));
+
+        // Now calling getUniqueId for the second one
+        Assert.assertEquals("test_value_2", SalesforceKeyGenerator.getUniqueId("test_name_2"));
+
+        // The value should have been re-encrypted
+        // - it should not be decryptable with the legacy key pair
+        // - it should be decryptable with the msdk key pair
+        Assert.assertNull(decryptFromPrefs("test_name_2", SalesforceKeyGenerator.LEGACY_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_PKCS1));
+        Assert.assertEquals("test_value_2", decryptFromPrefs("test_name_2", SalesforceKeyGenerator.MSDK_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_OAEP_SHA256));
+
+        // The already re-encrypted value should have been left alone
+        Assert.assertNull(decryptFromPrefs("test_name_1", SalesforceKeyGenerator.LEGACY_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_PKCS1));
+        Assert.assertEquals("test_value_1", decryptFromPrefs("test_name_1", SalesforceKeyGenerator.MSDK_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_OAEP_SHA256));
+
+        // The third one should not have been re-encrypted
+        Assert.assertEquals("test_value_3", decryptFromPrefs("test_name_3", SalesforceKeyGenerator.LEGACY_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_PKCS1));
+
+        // Now calling getUniqueId for the third one
+        Assert.assertEquals("test_value_3", SalesforceKeyGenerator.getUniqueId("test_name_3"));
+
+        // The value should have been re-encrypted
+        // - it should not be decryptable with the legacy key pair
+        // - it should be decryptable with the msdk key pair
+        Assert.assertNull(decryptFromPrefs("test_name_3", SalesforceKeyGenerator.LEGACY_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_PKCS1));
+        Assert.assertEquals("test_value_3", decryptFromPrefs("test_name_3", SalesforceKeyGenerator.MSDK_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_OAEP_SHA256));
+
+        // The already re-encrypted values should have been left alone
+        Assert.assertNull(decryptFromPrefs("test_name_1", SalesforceKeyGenerator.LEGACY_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_PKCS1));
+        Assert.assertEquals("test_value_1", decryptFromPrefs("test_name_1", SalesforceKeyGenerator.MSDK_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_OAEP_SHA256));
+        Assert.assertNull(decryptFromPrefs("test_name_2", SalesforceKeyGenerator.LEGACY_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_PKCS1));
+        Assert.assertEquals("test_value_2", decryptFromPrefs("test_name_2", SalesforceKeyGenerator.MSDK_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_OAEP_SHA256));
+    }
+
+
+    @Test
+    public void testMakeSureLegacyKeyPairNotRecreated() {
+        encryptAndStoreInPrefs("test_name", "test_value", SalesforceKeyGenerator.LEGACY_KEYPAIR_ALIAS, Encryptor.CipherMode.RSA_PKCS1);
+        PublicKey legacyPublicKey = KeyStoreWrapper.getInstance().getRSAPublicKey(SalesforceKeyGenerator.LEGACY_KEYPAIR_ALIAS);
+        // Now calling getUniqueId
+        Assert.assertEquals("test_value", SalesforceKeyGenerator.getUniqueId("test_name"));
+        // The legacy key pair should NOT have been deleted or recreated
+        Assert.assertEquals(legacyPublicKey.toString(), KeyStoreWrapper.getInstance().getRSAPublicKey(SalesforceKeyGenerator.LEGACY_KEYPAIR_ALIAS).toString());
+    }
+
+    private void encryptAndStoreInPrefs(String name, String value, String keyPairAlias, Encryptor.CipherMode cipherMode) {
+        PublicKey publicKey = KeyStoreWrapper.getInstance().getRSAPublicKey(keyPairAlias);
+        String encryptedKey = Encryptor.encryptWithRSA(publicKey, value, cipherMode);
+        SalesforceKeyGenerator.storeInSharedPrefs("id_" + name, encryptedKey);
+    }
+
+    private String decryptFromPrefs(String name, String keyPairAlias, Encryptor.CipherMode cipherMode) {
+        PrivateKey privateKey = KeyStoreWrapper.getInstance().getRSAPrivateKey(keyPairAlias);
+        String encryptedValue = SalesforceKeyGenerator.readFromSharedPrefs("id_" + name);
+        return Encryptor.decryptWithRSA(privateKey, encryptedValue, cipherMode);
+    }
 }
