From a7b8be18861bb891cadc0eb0acb083e799d6729f Mon Sep 17 00:00:00 2001
From: Julius Zint <julius.zint@awin-software.de>
Date: Sat, 20 Jun 2020 11:36:02 +0200
Subject: [PATCH] TouchID unlock Feature for MacPass.

To use it a user must first enter the correct password for the database.
If the unlock succeeds, the supplied password is encrypted with the public
part of a RSA keypair. On subsequent unlocks a TouchID button appears. If
clicked, MacPass queries the Keychain for the private key part and uses it to
decrypt the previously supplied password and tries to unlock the database
with it.
---
 MacPass/Base.lproj/PasswordInputView.xib |  85 +++++++-----
 MacPass/MPPasswordInputController.m      | 164 +++++++++++++++++++++++
 2 files changed, 218 insertions(+), 31 deletions(-)

diff --git a/MacPass/Base.lproj/PasswordInputView.xib b/MacPass/Base.lproj/PasswordInputView.xib
index 750809cd..ba6d5339 100644
--- a/MacPass/Base.lproj/PasswordInputView.xib
+++ b/MacPass/Base.lproj/PasswordInputView.xib
@@ -16,6 +16,7 @@
                 <outlet property="messageInfoTextField" destination="268" id="ahE-sq-QzR"/>
                 <outlet property="passwordTextField" destination="338" id="495"/>
                 <outlet property="togglePasswordButton" destination="408" id="493"/>
+                <outlet property="touchIdButton" destination="mQA-C0-JyU" id="fM3-PG-1OB"/>
                 <outlet property="unlockButton" destination="2" id="ZRr-Ui-ExP"/>
                 <outlet property="view" destination="1" id="143"/>
             </connections>
@@ -25,19 +26,6 @@
         <customView horizontalCompressionResistancePriority="751" translatesAutoresizingMaskIntoConstraints="NO" id="1">
             <rect key="frame" x="0.0" y="0.0" width="508" height="526"/>
             <subviews>
-                <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="2">
-                    <rect key="frame" x="310" y="168" width="83" height="32"/>
-                    <buttonCell key="cell" type="push" title="Unlock" bezelStyle="rounded" alignment="center" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="3">
-                        <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
-                        <font key="font" metaFont="system"/>
-                        <string key="keyEquivalent" base64-UTF8="YES">
-DQ
-</string>
-                    </buttonCell>
-                    <connections>
-                        <action selector="_submit:" target="-2" id="KZN-ap-nDc"/>
-                    </connections>
-                </button>
                 <textField verticalHuggingPriority="750" allowsCharacterPickerTouchBarItem="YES" translatesAutoresizingMaskIntoConstraints="NO" id="17">
                     <rect key="frame" x="108" y="226" width="45" height="16"/>
                     <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" title="Keyfile" id="18">
@@ -109,30 +97,67 @@ DQ
                         <font key="font" metaFont="system"/>
                     </buttonCell>
                 </button>
-                <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="2pb-ZG-spA">
-                    <rect key="frame" x="228" y="168" width="82" height="32"/>
-                    <buttonCell key="cell" type="push" title="Cancel" bezelStyle="rounded" alignment="center" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="erj-mR-UyO">
-                        <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
-                        <font key="font" metaFont="system"/>
-                        <string key="keyEquivalent" base64-UTF8="YES">
+                <stackView distribution="fill" orientation="horizontal" alignment="top" spacing="12" horizontalStackHuggingPriority="249.99998474121094" verticalStackHuggingPriority="249.99998474121094" detachesHiddenViews="YES" translatesAutoresizingMaskIntoConstraints="NO" id="tck-n8-s0U" userLabel="SubmitButtonContainer">
+                    <rect key="frame" x="140" y="175" width="247" height="21"/>
+                    <subviews>
+                        <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="2pb-ZG-spA">
+                            <rect key="frame" x="-6" y="-7" width="82" height="32"/>
+                            <buttonCell key="cell" type="push" title="Cancel" bezelStyle="rounded" alignment="center" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="erj-mR-UyO">
+                                <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
+                                <font key="font" metaFont="system"/>
+                                <string key="keyEquivalent" base64-UTF8="YES">
 Gw
 </string>
-                    </buttonCell>
-                    <connections>
-                        <action selector="_submit:" target="-2" id="aVF-1d-1Hq"/>
-                    </connections>
-                </button>
+                            </buttonCell>
+                            <connections>
+                                <action selector="_submit:" target="-2" id="aVF-1d-1Hq"/>
+                            </connections>
+                        </button>
+                        <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="mQA-C0-JyU">
+                            <rect key="frame" x="76" y="-7" width="94" height="32"/>
+                            <buttonCell key="cell" type="push" title="Touch ID" bezelStyle="rounded" alignment="center" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="W9h-1u-9kq">
+                                <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
+                                <font key="font" metaFont="system"/>
+                            </buttonCell>
+                            <connections>
+                                <action selector="unlockWithTouchID:" target="-2" id="1yL-6V-t8q"/>
+                            </connections>
+                        </button>
+                        <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="2">
+                            <rect key="frame" x="170" y="-7" width="83" height="32"/>
+                            <buttonCell key="cell" type="push" title="Unlock" bezelStyle="rounded" alignment="center" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="3">
+                                <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
+                                <font key="font" metaFont="system"/>
+                                <string key="keyEquivalent" base64-UTF8="YES">
+DQ
+</string>
+                            </buttonCell>
+                            <connections>
+                                <action selector="_submit:" target="-2" id="KZN-ap-nDc"/>
+                            </connections>
+                        </button>
+                    </subviews>
+                    <visibilityPriorities>
+                        <integer value="1000"/>
+                        <integer value="1000"/>
+                        <integer value="1000"/>
+                    </visibilityPriorities>
+                    <customSpacing>
+                        <real value="3.4028234663852886e+38"/>
+                        <real value="3.4028234663852886e+38"/>
+                        <real value="3.4028234663852886e+38"/>
+                    </customSpacing>
+                </stackView>
                 <textField hidden="YES" verticalHuggingPriority="750" horizontalCompressionResistancePriority="250" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="txI-yI-5nE">
                     <rect key="frame" x="157" y="204" width="195" height="14"/>
                     <textFieldCell key="cell" selectable="YES" title="key_file_warnig" id="f6J-5f-ZvP">
-                        <font key="font" metaFont="smallSystem"/>
+                        <font key="font" metaFont="menu" size="11"/>
                         <color key="textColor" name="secondaryLabelColor" catalog="System" colorSpace="catalog"/>
                         <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
                     </textFieldCell>
                 </textField>
             </subviews>
             <constraints>
-                <constraint firstAttribute="bottom" relation="greaterThanOrEqual" secondItem="2" secondAttribute="bottom" constant="20" symbolic="YES" id="122"/>
                 <constraint firstItem="262" firstAttribute="top" relation="greaterThanOrEqual" secondItem="1" secondAttribute="top" constant="20" symbolic="YES" id="276"/>
                 <constraint firstAttribute="centerX" secondItem="262" secondAttribute="centerX" id="286"/>
                 <constraint firstAttribute="centerY" secondItem="338" secondAttribute="centerY" id="386"/>
@@ -150,19 +175,17 @@ Gw
                 <constraint firstItem="486" firstAttribute="leading" secondItem="241" secondAttribute="trailing" constant="8" symbolic="YES" id="489"/>
                 <constraint firstItem="486" firstAttribute="leading" secondItem="408" secondAttribute="leading" id="490"/>
                 <constraint firstItem="408" firstAttribute="trailing" secondItem="486" secondAttribute="trailing" id="492"/>
-                <constraint firstItem="2" firstAttribute="trailing" secondItem="486" secondAttribute="trailing" id="496"/>
+                <constraint firstItem="tck-n8-s0U" firstAttribute="top" secondItem="txI-yI-5nE" secondAttribute="bottom" constant="8" id="6tz-an-3SW"/>
                 <constraint firstItem="408" firstAttribute="leading" secondItem="338" secondAttribute="trailing" constant="8" symbolic="YES" id="7qE-8F-QgB"/>
-                <constraint firstItem="2pb-ZG-spA" firstAttribute="baseline" secondItem="2" secondAttribute="baseline" id="9nK-MH-Ozs"/>
                 <constraint firstItem="txI-yI-5nE" firstAttribute="trailing" secondItem="241" secondAttribute="trailing" id="AVL-HO-SMq"/>
                 <constraint firstItem="17" firstAttribute="leading" relation="greaterThanOrEqual" secondItem="1" secondAttribute="leading" constant="20" symbolic="YES" id="EOa-K4-v7J"/>
                 <constraint firstItem="338" firstAttribute="leading" secondItem="d8O-Ha-rrS" secondAttribute="trailing" constant="8" symbolic="YES" id="KYs-Ia-SVl"/>
-                <constraint firstItem="2pb-ZG-spA" firstAttribute="leading" relation="greaterThanOrEqual" secondItem="1" secondAttribute="leading" constant="20" symbolic="YES" id="SUS-76-os4"/>
-                <constraint firstItem="2" firstAttribute="top" secondItem="txI-yI-5nE" secondAttribute="bottom" constant="8" symbolic="YES" id="jJs-hc-O2O"/>
+                <constraint firstAttribute="bottom" relation="greaterThanOrEqual" secondItem="tck-n8-s0U" secondAttribute="bottom" constant="20" symbolic="YES" id="Sny-FR-cY1"/>
+                <constraint firstItem="tck-n8-s0U" firstAttribute="trailing" secondItem="486" secondAttribute="trailing" id="UtJ-18-p5u"/>
                 <constraint firstItem="d8O-Ha-rrS" firstAttribute="centerY" secondItem="338" secondAttribute="centerY" id="kgB-jV-OGy"/>
                 <constraint firstItem="txI-yI-5nE" firstAttribute="top" secondItem="241" secondAttribute="bottom" constant="8" symbolic="YES" id="lfg-eB-T2O"/>
                 <constraint firstItem="txI-yI-5nE" firstAttribute="leading" secondItem="241" secondAttribute="leading" id="nGY-6Q-Vwy"/>
                 <constraint firstItem="d8O-Ha-rrS" firstAttribute="leading" relation="greaterThanOrEqual" secondItem="1" secondAttribute="leading" constant="20" symbolic="YES" id="vxq-YP-UhR"/>
-                <constraint firstItem="2" firstAttribute="leading" secondItem="2pb-ZG-spA" secondAttribute="trailing" constant="12" id="ytJ-5Z-5rT"/>
             </constraints>
             <point key="canvasLocation" x="-127" y="-46"/>
         </customView>
diff --git a/MacPass/MPPasswordInputController.m b/MacPass/MPPasswordInputController.m
index 96001ca3..b432f875 100644
--- a/MacPass/MPPasswordInputController.m
+++ b/MacPass/MPPasswordInputController.m
@@ -32,6 +32,8 @@
 
 #import "NSError+Messages.h"
 
+static NSMutableDictionary* touchIDSecuredPasswords;
+
 @interface MPPasswordInputController ()
 
 @property (strong) NSButton *showPasswordButton;
@@ -44,6 +46,7 @@
 @property (weak) IBOutlet NSButton *enablePasswordCheckBox;
 @property (weak) IBOutlet NSButton *unlockButton;
 @property (weak) IBOutlet NSButton *cancelButton;
+@property (weak) IBOutlet NSButton *touchIdButton;
 
 @property (copy) NSString *message;
 @property (copy) NSString *cancelLabel;
@@ -64,6 +67,9 @@
   self = [super initWithNibName:nibNameOrNil bundle:nibBundleOrNil];
   if(self) {
     _enablePassword = YES;
+    if(touchIDSecuredPasswords == NULL) {
+      touchIDSecuredPasswords = [[NSMutableDictionary alloc]init];
+    }
     [NSNotificationCenter.defaultCenter addObserver:self selector:@selector(_selectKeyURL) name:MPDidChangeStoredKeyFilesSettings object:nil];
   }
   return self;
@@ -129,6 +135,9 @@
   BOOL cancel = (sender == self.cancelButton);
   BOOL result = self.completionHandler(password, self.keyPathControl.URL, cancel, &error);
   if(cancel || result) {
+    if(result && self.keyPathControl.URL == nil) {
+      [self _storePasswordForTouchIDUnlock:password forDatabase:@"DatabaseID"];
+    }
     return;
   }
   [self _showError:error];
@@ -138,6 +147,150 @@
   }
 }
 
+- (void) _createAndAddRSAKeyPair {
+  CFErrorRef error = NULL;
+  NSString* publicKeyLabel =  @"MacPass TouchID Feature Public Key";
+  NSString* privateKeyLabel = @"MacPass TouchID Feature Private Key";
+  NSData* publicKeyTag =  [@"com.hicknhacksoftware.macpass.publickey"  dataUsingEncoding:NSUTF8StringEncoding];
+  NSData* privateKeyTag = [@"com.hicknhacksoftware.macpass.privatekey" dataUsingEncoding:NSUTF8StringEncoding];
+  SecAccessControlRef access = NULL;
+  if (@available(macOS 10.13.4, *)) {
+    access = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
+                                             kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
+                                             kSecAccessControlBiometryCurrentSet,
+                                             &error);
+    if(access == NULL) {
+      NSError *err = CFBridgingRelease(error);
+      NSLog(@"Error while trying to create AccessControl for TouchID unlock feature: %@", [err description]);
+      return;
+    }
+    NSDictionary* attributes = @{
+      (id)kSecAttrKeyType:        (id)kSecAttrKeyTypeRSA,
+      (id)kSecAttrKeySizeInBits:  @2048,
+      (id)kSecAttrSynchronizable: @NO,
+      (id)kSecPrivateKeyAttrs:
+           @{ (id)kSecAttrIsPermanent:    @YES,
+              (id)kSecAttrApplicationTag: privateKeyTag,
+              (id)kSecAttrLabel: privateKeyLabel,
+              (id)kSecAttrAccessControl:  (__bridge id)access
+            },
+      (id)kSecPublicKeyAttrs:
+           @{ (id)kSecAttrIsPermanent:    @YES,
+              (id)kSecAttrApplicationTag: publicKeyTag,
+              (id)kSecAttrLabel: publicKeyLabel,
+            },
+    };
+    SecKeyRef privateKey = NULL;
+    SecKeyRef publicKey = NULL;
+    OSStatus result = SecKeyGeneratePair((__bridge CFDictionaryRef)attributes, &privateKey, &publicKey);
+    if(result == errSecSuccess) {
+      CFRelease(publicKey);
+      CFRelease(privateKey);
+    }
+    else {
+      NSString* description = (__bridge NSString*)SecCopyErrorMessageString(result, NULL);
+      NSLog(@"Error while trying to create a RSA keypair for TouchID unlock feature: %@", description);
+    }
+  }
+  else {
+    return;
+  }
+}
+
+- (void) _storePasswordForTouchIDUnlock: (NSString*) password forDatabase: (NSString*) databaseId {
+  NSData* passwordData = [password dataUsingEncoding:NSUTF8StringEncoding];
+  NSData* tag = [@"com.hicknhacksoftware.macpass.publickey" dataUsingEncoding:NSUTF8StringEncoding];
+  NSDictionary *getquery = @{
+    (id)kSecClass: (id)kSecClassKey,
+    (id)kSecAttrApplicationTag: tag,
+    (id)kSecReturnRef: @YES,
+  };
+  SecKeyRef publicKey = NULL;
+  OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)getquery, (CFTypeRef *)&publicKey);
+  if (status != errSecSuccess) {
+    [self _createAndAddRSAKeyPair];
+    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)getquery, (CFTypeRef *)&publicKey);
+    if (status != errSecSuccess) {
+      NSString* description = (__bridge NSString*)SecCopyErrorMessageString(status, NULL);
+      NSLog(@"Error while trying to query public key from Keychain: %@", description);
+      return;
+    }
+  }
+  SecKeyAlgorithm algorithm = kSecKeyAlgorithmRSAEncryptionOAEPSHA512;
+  BOOL canEncrypt = SecKeyIsAlgorithmSupported(publicKey, kSecKeyOperationTypeEncrypt, algorithm);
+  if(canEncrypt) {
+    int k = (int)SecKeyGetBlockSize(publicKey);
+    int hlen = 512 / 8;
+    int maxMessageLengthInByte = k - 2 * hlen - 2;
+    if([passwordData length] <= maxMessageLengthInByte) {
+      CFErrorRef error = NULL;
+      NSData* cipherText = (NSData*)CFBridgingRelease(SecKeyCreateEncryptedData(publicKey, algorithm, (__bridge CFDataRef)passwordData, &error));
+      if (cipherText) {
+        [touchIDSecuredPasswords setObject:cipherText forKey:databaseId];
+      }
+      else {
+        NSError *err = CFBridgingRelease(error);
+        NSLog(@"Error while trying decrypt password for TouchID unlock: %@", [err description]);
+      }
+    }
+    else {
+      NSLog(@"The password is to large to be encrypted");
+      return;
+    }
+  }
+  else {
+      NSLog(@"The key retreived from the Keychain is unable to encrypt data");
+  }
+  if (publicKey)  { CFRelease(publicKey);  }
+}
+
+- (NSString*) _loadPasswordForTochIDUnlock: (NSString*) databaseId {
+  NSString* result = nil;
+  NSData* cipherText = [touchIDSecuredPasswords valueForKey:databaseId];
+  if(cipherText != nil) {
+    NSData* tag = [@"com.hicknhacksoftware.macpass.privatekey" dataUsingEncoding:NSUTF8StringEncoding];
+    NSDictionary *queryPrivateKey = @{
+      (id)kSecClass: (id)kSecClassKey,
+      (id)kSecAttrApplicationTag: tag,
+      (id)kSecAttrKeyType: (id)kSecAttrKeyTypeRSA,
+      (id)kSecReturnRef: @YES,
+    };
+    SecKeyRef privateKey = NULL;
+    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)queryPrivateKey, (CFTypeRef *)&privateKey);
+    if (status == errSecSuccess) {
+      SecKeyAlgorithm algorithm = kSecKeyAlgorithmRSAEncryptionOAEPSHA512;
+      BOOL canDecrypt = SecKeyIsAlgorithmSupported(privateKey, kSecKeyOperationTypeDecrypt, algorithm);
+      if(canDecrypt) {
+        if([cipherText length] == SecKeyGetBlockSize(privateKey)) {
+          CFErrorRef error = NULL;
+          NSData* clearText = (NSData*)CFBridgingRelease(SecKeyCreateDecryptedData(privateKey, algorithm, (__bridge CFDataRef)cipherText, &error));
+          if (clearText) {
+            result = [[NSString alloc]initWithData:clearText encoding:NSUTF8StringEncoding];
+          }
+          else {
+            NSError *err = CFBridgingRelease(error);
+            NSLog(@"Error while trying decrypt password for TouchID unlock: %@", [err description]);
+          }
+        }
+        else {
+          NSLog(@"Block size of the cipher text has a unexpected value: %lu", (unsigned long)[cipherText length]);
+        }
+      }
+      else {
+        NSLog(@"Key does not support decryption");
+      }
+    }
+    else {
+      NSString* description = (__bridge NSString*)SecCopyErrorMessageString(status, NULL);
+      NSLog(@"Error while trying to retrive private key for decryption: %@", description);
+    }
+    if (privateKey) {
+      CFRelease(privateKey);
+    }
+  }
+  return result;
+}
+
 - (IBAction)resetKeyFile:(id)sender {
   /* If the reset was triggered by ourselves we want to preselect the keyfile */
   if(sender == self) {
@@ -153,6 +306,8 @@
   self.enablePassword = YES;
   self.passwordTextField.stringValue = @"";
   self.messageInfoTextField.hidden = (nil == self.message);
+  self.touchIdButton.hidden = [touchIDSecuredPasswords valueForKey:@"DatabaseID"] == nil;
+    
   if(self.message) {
     self.messageInfoTextField.stringValue = self.message;
     self.messageImageView.image = [NSImage imageNamed:NSImageNameInfo];
@@ -236,5 +391,14 @@
   }
 }
 
+- (IBAction)unlockWithTouchID:(id)sender {
+  NSString* password = [self _loadPasswordForTochIDUnlock:@"DatabaseID"];
+  if(password != nil) {
+    NSError* error;
+    self.completionHandler(password, nil, false, &error);
+    [self _showError:error];
+  }
+}
+
 
 @end