auth/com.midnight.kuira.core.auth/BiometricGate

BiometricGate

class BiometricGate(keyManager: WalletKeyManager)

Wraps BiometricPrompt + BiometricPrompt.CryptoObject as a suspend function.

Provides per-use authentication gating for cryptographic operations. Each call shows the system biometric prompt (fingerprint, face, or PIN fallback) and returns an AuthenticatedCipher that can perform exactly one crypto operation.

Security model (verified against AOSP):

  • CryptoObject binds authentication to a specific beginOperation() in KeyMint

  • The HardwareAuthToken's challenge field matches the operation handle

  • This provides TEE-level per-operation enforcement — not just time-based

  • Works with AUTH_BIOMETRIC_STRONG | AUTH_DEVICE_CREDENTIAL on API 30+ (AndroidX biometric 1.1.0 stable)

Constructors

Link copied to clipboard
constructor(keyManager: WalletKeyManager)

Functions

Link copied to clipboard
suspend fun authenticateForDecrypt(activity: FragmentActivity, iv: ByteArray, title: String = "Authenticate", subtitle: String? = null): AuthenticatedCipher

Authenticates the user and returns a cipher ready for decryption.

Link copied to clipboard
suspend fun authenticateForEncrypt(activity: FragmentActivity, title: String = "Authenticate", subtitle: String? = null): AuthenticatedCipher

Authenticates the user and returns a cipher ready for encryption.

Link copied to clipboard
fun tryDecryptWithinAuthWindow(iv: ByteArray, ciphertext: ByteArray): ByteArray?

Attempts to decrypt ciphertext with the master key WITHOUT showing a BiometricPrompt. Succeeds silently when the Keystore auth-validity window (set via AuthPolicy.VALIDITY_DURATION_SECONDS) is currently open for the key. The caller MUST wipe the returned bytes once it's done with the plaintext.

Link copied to clipboard
fun tryEncryptWithinAuthWindow(): Cipher?

Attempts to obtain a Cipher initialized for encryption with the master key WITHOUT showing a BiometricPrompt. Returns a fresh, unused Cipher when the auth-validity window is open; null when expired or anything else goes wrong, in which case the caller should fall back to authenticateForEncrypt.