在线时间:8:00-16:00
迪恩网络APP
随时随地掌握行业动态
扫描二维码
关注迪恩网络微信公众号
开源软件名称:oblador/react-native-keychain开源软件地址:https://github.com/oblador/react-native-keychain开源编程语言:Java 70.0%开源软件介绍:react-native-keychainKeychain/Keystore Access for React Native
Installation
Usageimport * as Keychain from 'react-native-keychain';
async () => {
const username = 'zuck';
const password = 'poniesRgr8';
// Store the credentials
await Keychain.setGenericPassword(username, password);
try {
// Retrieve the credentials
const credentials = await Keychain.getGenericPassword();
if (credentials) {
console.log(
'Credentials successfully loaded for user ' + credentials.username
);
} else {
console.log('No credentials stored');
}
} catch (error) {
console.log("Keychain couldn't be accessed!", error);
}
await Keychain.resetGenericPassword();
}; See Both API
|
Key | Platform | Description | Default |
---|---|---|---|
accessControl |
All | This dictates how a keychain item may be used, see possible values in Keychain.ACCESS_CONTROL . |
None |
accessible |
iOS only | This dictates when a keychain item is accessible, see possible values in Keychain.ACCESSIBLE . |
Keychain.ACCESSIBLE.WHEN_UNLOCKED |
accessGroup |
iOS only | In which App Group to share the keychain. Requires additional setup with entitlements. | None |
authenticationPrompt |
All | What to prompt the user when unlocking the keychain with biometry or device password. | See authenticationPrompt Properties |
authenticationType |
iOS only | Policies specifying which forms of authentication are acceptable. | Keychain.AUTHENTICATION_TYPE.DEVICE_PASSCODE_OR_BIOMETRICS |
service |
All | Reverse domain name qualifier for the service associated with password. | App bundle ID |
storage |
Android only | Force specific cipher storage usage during saving the password | Select best available storage |
rules |
Android only | Force following to a specific security rules | Keychain.RULES.AUTOMATIC_UPGRADE |
authenticationPrompt
PropertiesKey | Platform | Description | Default |
---|---|---|---|
title |
All | Title of the authentication prompt when requesting a stored secret. | Authenticate to retrieve secret |
subtitle |
Android only | Subtitle of the Android authentication prompt when requesting a stored secret. | None. Optional |
description |
Android only | Description of the Android authentication prompt when requesting a stored secret. | None. Optional |
cancel |
Android only | Negative button text of the Android authentication prompt when requesting a stored secret. | Cancel |
Keychain.ACCESS_CONTROL
enumKey | Description |
---|---|
USER_PRESENCE |
Constraint to access an item with either Touch ID or passcode. |
BIOMETRY_ANY |
Constraint to access an item with Touch ID for any enrolled fingers. |
BIOMETRY_CURRENT_SET |
Constraint to access an item with Touch ID for currently enrolled fingers. |
DEVICE_PASSCODE |
Constraint to access an item with a passcode. |
APPLICATION_PASSWORD |
Constraint to use an application-provided password for data encryption key generation. |
BIOMETRY_ANY_OR_DEVICE_PASSCODE |
Constraint to access an item with Touch ID for any enrolled fingers or passcode. |
BIOMETRY_CURRENT_SET_OR_DEVICE_PASSCODE |
Constraint to access an item with Touch ID for currently enrolled fingers or passcode. |
Note #1:
BIOMETRY_ANY
,BIOMETRY_CURRENT_SET
,BIOMETRY_ANY_OR_DEVICE_PASSCODE
,BIOMETRY_CURRENT_SET_OR_DEVICE_PASSCODE
- recognized by Android as a requirement for Biometric enabled storage (Till we got a better implementation);Note #2: For Android we support only two states:
None
(default) andFingerprint
(use only biometric protected storage);Face
recognition fails with "User not authenticated" exception, see issue #318
Refs:
Keychain.ACCESSIBLE
enumKey | Description |
---|---|
WHEN_UNLOCKED |
The data in the keychain item can be accessed only while the device is unlocked by the user. |
AFTER_FIRST_UNLOCK |
The data in the keychain item cannot be accessed after a restart until the device has been unlocked once by the user. |
ALWAYS |
The data in the keychain item can always be accessed regardless of whether the device is locked. |
WHEN_PASSCODE_SET_THIS_DEVICE_ONLY |
The data in the keychain can only be accessed when the device is unlocked. Only available if a passcode is set on the device. Items with this attribute never migrate to a new device. |
WHEN_UNLOCKED_THIS_DEVICE_ONLY |
The data in the keychain item can be accessed only while the device is unlocked by the user. Items with this attribute do not migrate to a new device. |
AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY |
The data in the keychain item cannot be accessed after a restart until the device has been unlocked once by the user. Items with this attribute never migrate to a new device. |
ALWAYS_THIS_DEVICE_ONLY |
The data in the keychain item can always be accessed regardless of whether the device is locked. Items with this attribute never migrate to a new device. |
Refs:
Keychain.AUTHENTICATION_TYPE
enumKey | Description |
---|---|
DEVICE_PASSCODE_OR_BIOMETRICS |
Device owner is going to be authenticated by biometry or device passcode. |
BIOMETRICS |
Device owner is going to be authenticated using a biometric method (Touch ID or Face ID). |
Refs:
Keychain.BIOMETRY_TYPE
enumKey | Description |
---|---|
TOUCH_ID |
Device supports authentication with Touch ID. (iOS only) |
FACE_ID |
Device supports authentication with Face ID. (iOS only) |
FINGERPRINT |
Device supports authentication with Fingerprint. (Android only) |
FACE |
Device supports authentication with Face Recognition. (Android only) |
IRIS |
Device supports authentication with Iris Recognition. (Android only) |
Refs:
Keychain.SECURITY_LEVEL
enum (Android only)If set, securityLevel
parameter specifies minimum security level that the encryption key storage should guarantee for storing credentials to succeed.
Key | Description |
---|---|
ANY |
no security guarantees needed (default value); Credentials can be stored in FB Secure Storage; |
SECURE_SOFTWARE |
requires for the key to be stored in the Android Keystore, separate from the encrypted data; |
SECURE_HARDWARE |
requires for the key to be stored on a secure hardware (Trusted Execution Environment or Secure Environment). Read this article for more information. |
Keychain.STORAGE_TYPE
enum (Android only)Key | Description |
---|---|
FB |
Facebook compatibility cipher |
AES |
Encryptions without human interaction. |
RSA |
Encryption with biometrics. |
Keychain.SECURITY_RULES
enum (Android only)Key | Description |
---|---|
NONE |
No rules. Be dummy, developer control everything |
AUTOMATIC_UPGRADE |
Upgrade secret to the best available storage as soon as it is available and user request secret extraction. Upgrade not applied till we request the secret. This rule only applies to secrets stored with FacebookConseal. |
As a rule the library will try to apply the best possible encryption for storing secrets. Once the secret is stored however its does not try to upgrade it unless FacebookConseal was used and the option 'SECURITY_RULES' is set to 'AUTOMATIC_UPGRADE'
Q: What will happen if user disables/drops biometric usage?
A: User will lose ability to extract secret from storage. On re-enable biometric access to the secret will be possible again.
Q: Is it possible to implement automatic downgrading?
A: From security perspective any Automatic downgrading is treated as "a loss of the trust" point. Developer should implement own logic to allow downgrade and deal with "security loss". (My recommendation - never do that!)
Q: How to enable automatic upgrade for FacebookConseal?
A: Do call getGenericPassword({ ...otherProps, rules: "AUTOMATIC_UPGRADE" })
with extra property rules
set to AUTOMATIC_UPGRADE
string value.
Q: How to force a specific level of encryption during saving the secret?
A: Do call setGenericPassword({ ...otherProps, storage: "AES" })
with forced storage.
Note: attempt to force storage
RSA
when biometrics is not available will force code to reject call with errors specific to device biometric configuration state.
node_modules/react-native-keychain/RNKeychain.xcodeproj
libRNKeychain.a
.pod 'RNKeychain'
is not in your Podfile
Add the following to your Podfile
and run pod update
:
pod 'RNKeychain', :path => '../node_modules/react-native-keychain'
Keychain Sharing
entitlement for iOS 10+For iOS 10 you'll need to enable the Keychain Sharing
entitlement in the Capabilities
section of your build target. (See screenshot). Otherwise you'll experience the error shown below.
Error: {
code = "-34018";
domain = NSOSStatusErrorDomain;
message = "The operation couldn\U2019t be completed. (OSStatus error -34018.)";
}
android/settings.gradle
to look like this (without the +):rootProject.name = 'MyApp'
include ':app'
+ include ':react-native-keychain'
+ project(':react-native-keychain').projectDir = new File(rootProject.projectDir, '../node_modules/react-native-keychain/android')
android/app/build.gradle
(note: app folder) to look like this:apply plugin: 'com.android.application'
android {
...
}
dependencies {
implementation fileTree(dir: 'libs', include: ['*.jar'])
implementation 'com.android.support:appcompat-v7:23.0.1'
implementation 'com.facebook.react:react-native:0.19.+'
+ implementation project(':react-native-keychain')
}
MainApplication.java
(deep in android/app/src/main/java/...
) to look like this (note two places to edit):package com.myapp;
+ import com.oblador.keychain.KeychainPackage;
....
public class MainActivity extends extends ReactActivity {
@Override
protected List<ReactPackage> getPackages() {
return Arrays.<ReactPackage>asList(
new MainReactPackage(),
+ new KeychainPackage()
);
}
...
}
On Android builds that use proguard (like release), you may see the following error:
RNKeychainManager: no keychain entry found for service:
JNI DETECTED ERROR IN APPLICATION: JNI FindClass called with pending exception java.lang.NoSuchFieldError: no "J" field "mCtxPtr" in class "Lcom/facebook/crypto/cipher/NativeGCMCipher;" or its superclasses
If so, add a proguard rule in proguard-rules.pro
:
-keep class com.facebook.crypto.** {
*;
}
The keychain manager relies on interfacing with the native application itself. As such, it does not successfully compile and run in the context of a Jest test, where there is no underlying app to communicate with. To be able to call the JS functions exposed by this module in a unit test, you should mock them in one of the following two ways:
First, let's create a mock object for the module:
const keychainMock = {
SECURITY_LEVEL_ANY: "MOCK_SECURITY_LEVEL_ANY",
SECURITY_LEVEL_SECURE_SOFTWARE: "MOCK_SECURITY_LEVEL_SECURE_SOFTWARE",
SECURITY_LEVEL_SECURE_HARDWARE: "MOCK_SECURITY_LEVEL_SECURE_HARDWARE",
setGenericPassword: jest.fn().mockResolvedValue(),
getGenericPassword: jest.fn().mockResolvedValue(),
resetGenericPassword: jest.fn().mockResolvedValue(),
...
}
__mocks__
DirectoryRead the jest docs for initial setup
Create a react-native-keychain
folder in the __mocks__
directory and add index.js
file in it. It should contain the following code:
export default keychainMock;