Store session data in a secure way (#98)

* Replace SessionData DataStore with an encrypted SQLite DB.

---------

Co-authored-by: Benoit Marty <benoit@matrix.org>

libraries/encrypted-db/build.gradle.kts

@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2023 New Vector Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+plugins {
+    id("io.element.android-library")
+}
+
+android {
+    namespace = "io.element.android.libraries.encrypteddb"
+}
+
+dependencies {
+    implementation(libs.sqldelight.driver.android)
+    implementation(libs.sqlcipher)
+    implementation(libs.sqlite)
+    implementation(libs.androidx.security.crypto)
+}

libraries/encrypted-db/src/main/kotlin/io/element/encrypteddb/SqlCipherDriverFactory.kt

@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2023 New Vector Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.element.encrypteddb
+
+import android.content.Context
+import com.squareup.sqldelight.android.AndroidSqliteDriver
+import com.squareup.sqldelight.db.SqlDriver
+import io.element.encrypteddb.passphrase.PassphraseProvider
+import net.sqlcipher.database.SupportFactory
+
+/**
+ * Creates an encrypted version of the [SqlDriver] using SQLCipher's [SupportFactory].
+ * @param passphraseProvider Provides the passphrase needed to use the SQLite database with SQLCipher.
+ */
+class SqlCipherDriverFactory(
+    private val passphraseProvider: PassphraseProvider,
+) {
+    /**
+     * Returns a valid [SqlDriver] with SQLCipher support.
+     * @param schema The SQLite DB schema.
+     * @param name The name of the database to create.
+     * @param context Android [Context], used to instantiate the driver.
+     */
+    fun create(schema: SqlDriver.Schema, name: String, context: Context): SqlDriver {
+        val passphrase = passphraseProvider.getPassphrase()
+        val factory = SupportFactory(passphrase)
+        return AndroidSqliteDriver(schema = schema, context = context, name = name, factory = factory)
+    }
+}

libraries/encrypted-db/src/main/kotlin/io/element/encrypteddb/passphrase/PassphraseProvider.kt

@@ -0,0 +1,27 @@
+/*
+ * Copyright (c) 2023 New Vector Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.element.encrypteddb.passphrase
+
+/**
+ * An abstraction to implement secure providers for SQLCipher passphrases.
+ */
+interface PassphraseProvider {
+    /**
+     * Returns a passphrase for SQLCipher in [ByteArray] format.
+     */
+    fun getPassphrase(): ByteArray
+}

libraries/encrypted-db/src/main/kotlin/io/element/encrypteddb/passphrase/RandomSecretPassphraseProvider.kt

@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2023 New Vector Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.element.encrypteddb.passphrase
+
+import android.content.Context
+import androidx.security.crypto.EncryptedFile
+import java.io.File
+import java.security.SecureRandom
+
+/**
+ * Provides a secure passphrase for SQLCipher by generating a random secret and storing it into an [EncryptedFile].
+ * @param context Android [Context], used by [EncryptedFile] for cryptographic operations.
+ * @param file Destination file where the key will be stored.
+ * @param alias Alias of the key used to encrypt & decrypt the [EncryptedFile]'s contents.
+ * @param secretSize Length of the generated secret.
+ */
+class RandomSecretPassphraseProvider(
+    private val context: Context,
+    private val file: File,
+    private val alias: String,
+    private val secretSize: Int = 256,
+) : PassphraseProvider {
+
+    override fun getPassphrase(): ByteArray {
+        val encryptedFile = EncryptedFile.Builder(
+            file,
+            context,
+            alias,
+            EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
+        ).build()
+        return if (!file.exists()) {
+            val secret = generateSecret()
+            encryptedFile.openFileOutput().use { it.write(secret) }
+            secret
+        } else {
+            encryptedFile.openFileInput().use { it.readBytes() }
+        }
+    }
+
+    private fun generateSecret(): ByteArray {
+        val buffer = ByteArray(size = secretSize)
+        SecureRandom().nextBytes(buffer)
+        return buffer
+    }
+}