hyperledger-archives / indy-sdk-react-native

React Native wrapper around Indy SDK Java and Objective-C wrappers.
Apache License 2.0

Wallet that is already opened can be opened with an incorrect key #33

Open MosCD3 opened 2 years ago

MosCD3 commented 2 years ago

I implemented Argon2 key derivation to derive the wallet key from the entered PIN. The flow is: when biometrics fail and you fall back to the PIN, you need an API to check whether the wallet key derived from the entered PIN is correct. Because I don't know of any API that could help with that, I try to initialize the wallet using the derived key, and the clue here is that if it fails, that might indicate the entered key is wrong (silly, but that's what I know so far). Having no API to check directly (as far as I know, hope I am wrong) is a problem; however, there is another big problem.

Take a look at that debug code. Does that make sense?

```
INFO INFO: Initializing wallet 'e9b25de8-de69-40f9-9a8c-0885a0c9dce1' { "id": "e9b25de8-de69-40f9-9a8c-0885a0c9dce1", "key": "65b5c80ba3966a0f29cd0ead918c15b08a38ce29b42feffcfeaf2cbe25bc5706" }
DEBUG DEBUG: Wallet 'e9b25de8-de69-40f9-9a8c-0885a0c9dce1' initialized with handle '4'

INFO INFO: Initializing wallet 'e9b25de8-de69-40f9-9a8c-0885a0c9dce1' { "id": "e9b25de8-de69-40f9-9a8c-0885a0c9dce1", "key": "575e13c8a09515f1f5bcf8183f1d1941823da8ccbe7b63a3eb29ffa31dbe188b" }
DEBUG DEBUG: Wallet 'e9b25de8-de69-40f9-9a8c-0885a0c9dce1' initialized with handle '4'
```

The wallet initializes even when I pass in different keys!!

TimoGlastra commented 2 years ago

This is because the wallet is actually kept in memory on the native side (Java/Swift). So when you open a wallet and then try to reopen it, it will look for the wallet with the same id. Technically the wallet is still opened. This is not an ideal solution, but without it, every time you reload during React Native development it would throw a wallet already initialized error, basically requiring a hard reload on every change.

Ideally we should also check for the wallet key, but it doesn't. See relevant code (for Android) here: https://github.com/AbsaOSS/rn-indy-sdk/blob/master/android/src/main/java/com/reactlibrary/IndySdkModule.java#L100-L120
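
The id-only handle cache described in the comment above, next to a variant that also checks the key before reusing a handle, as an added example that is not part of the original thread or the project's code. `nativeOpenWallet`, both cache factories and every id and key in it are hypothetical, constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Hypothetical stand-in for the native wallet store; constructed sample values.
const WALLET_ID = 'sample-wallet';
const CORRECT_KEY = 'a'.repeat(64);
let nextHandle = 1;
function nativeOpenWallet(config, credentials) {
  if (config.id !== WALLET_ID || credentials.key !== CORRECT_KEY) {
    throw new Error('wrong wallet key');
  }
  return nextHandle++;
}

// Behaviour described in the thread: open handles are cached by wallet id only.
function makeIdOnlyCache() {
  const handles = new Map();
  return function open(config, credentials) {
    // Cache hit: the supplied key is never looked at.
    if (handles.has(config.id)) return handles.get(config.id);
    const handle = nativeOpenWallet(config, credentials);
    handles.set(config.id, handle);
    return handle;
  };
}

// Variant that also checks the key: keep a salted digest of the key that
// opened the wallet and compare it in constant time before reusing the handle.
function makeKeyCheckedCache() {
  const salt = crypto.randomBytes(32); // per-process, never persisted
  const digest = (key) => crypto.createHmac('sha256', salt).update(key).digest();
  const entries = new Map();
  return function open(config, credentials) {
    const cached = entries.get(config.id);
    if (cached) {
      // Both digests are 32 bytes, so timingSafeEqual cannot throw on length.
      if (!crypto.timingSafeEqual(cached.keyDigest, digest(credentials.key))) {
        throw new Error('wrong wallet key');
      }
      return cached.handle;
    }
    const handle = nativeOpenWallet(config, credentials);
    entries.set(config.id, { handle, keyDigest: digest(credentials.key) });
    return handle;
  };
}
```

The second cache keeps the development-reload convenience (a repeat open with the right key returns the existing handle) while a repeat open with a different key fails the same way a first open would.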

MosCD3 commented 2 years ago

Okay, this is confusing. I think we have to add it to the documentation, at least for now. I tested and yes, if you close the app and re-open it the whole thing works as intended. But don't you think, @TimoGlastra, it would be nice to have a separate API to check if a wallet exists with a specific id & key? Is that doable in AFJ or is it on the Indy side?

MosCD3 commented 2 years ago

@TimoGlastra I am not sure whether to open a ticket for that or not, let me know. In case a user forgot his/her PIN and then opts to change the PIN, is there a way to tell Indy to change the key for a specific wallet?

TimoGlastra commented 2 years ago

Yes, it would be good to open a ticket for it in the https://github.com/hyperledger/indy-sdk-react-native repository. Pull requests are also welcome.

Edit: I transferred the issue.