refactor: Improve Cipher Management with Thread-Safe Caching (#738)

* refactor: Improve Cipher Management with Thread-Safe Caching

* fix: remove not needed code

* refactor: cleaned up CipherCache and added comments

- Added an optional "prefix" parameter to support multiple cache keys per transformation.

- Replaced manual cache initialization with getOrPut on a synchronized ThreadLocal map.

- Enhanced code readability with detailed KDoc comments.

---------

Co-authored-by: MazurDorian <[email protected]>

Author: Bowlerr

android/src/main/java/com/oblador/keychain/KeychainModule.kt

@@ -13,6 +13,7 @@ import com.facebook.react.bridge.ReactContextBaseJavaModule
 import com.facebook.react.bridge.ReactMethod
 import com.facebook.react.bridge.ReadableMap
 import com.facebook.react.module.annotations.ReactModule
+import com.oblador.keychain.cipherStorage.CipherCache
 import com.oblador.keychain.cipherStorage.CipherStorage
 import com.oblador.keychain.cipherStorage.CipherStorage.DecryptionResult
 import com.oblador.keychain.cipherStorage.CipherStorageBase
@@ -156,6 +157,8 @@ class KeychainModule(reactContext: ReactApplicationContext) :
     if (coroutineScope.isActive) {
       coroutineScope.cancel("$KEYCHAIN_MODULE has been destroyed.")
     }
+    // Clean up cipher cache
+    CipherCache.clearCache()
   }
 
   /** {@inheritDoc} */

android/src/main/java/com/oblador/keychain/cipherStorage/CipherCache.kt

@@ -0,0 +1,48 @@
+package com.oblador.keychain.cipherStorage
+
+import android.util.Log
+import java.security.NoSuchAlgorithmException
+import javax.crypto.Cipher
+import javax.crypto.NoSuchPaddingException
+
+/**
+ * Thread-safe cache for Cipher instances to improve performance by reusing existing instances.
+ * Uses ThreadLocal storage to maintain separate caches for different threads.
+ */
+object CipherCache {
+    private val LOG_TAG = CipherCache::class.java.simpleName
+    
+    private val cipherCache = ThreadLocal<MutableMap<String, Cipher>>()
+
+    /**
+     * Gets or creates a Cipher instance for the specified transformation.
+     * This method is thread-safe and caches Cipher instances per thread.
+     *
+     * @param transformation The name of the transformation, e.g., "AES/CBC/PKCS7Padding"
+     * @param prefix An optional identifier added to the cache key to distinguish between different uses of the same transformation.
+     *              The prefix only affects how the cipher is stored in the cache and does not modify the cipher's behavior.
+     * @return A Cipher instance for the requested transformation
+     * @throws NoSuchAlgorithmException if the transformation algorithm is not available
+     * @throws NoSuchPaddingException if the padding scheme is not available
+     */
+    @Throws(NoSuchAlgorithmException::class, NoSuchPaddingException::class)
+    fun getCipher(transformation: String, prefix: String? = null): Cipher {
+        return synchronized(this) {
+            val cacheKey = prefix?.let { "${it}_$transformation" } ?: transformation
+            (cipherCache.get() ?: mutableMapOf<String, Cipher>().also { cipherCache.set(it) })
+                .getOrPut(cacheKey) { Cipher.getInstance(transformation) }
+        }
+    }
+
+    /**
+     * Clears the cipher cache for the current thread.
+     * This should be called when the ciphers are no longer needed to free up resources.
+     */
+    fun clearCache() {
+        try {
+            cipherCache.remove()
+        } catch (e: Exception) {
+            Log.w(LOG_TAG, "Failed to clear cipher cache: ${e.message}")
+        }
+    }
+}

android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageBase.kt

@@ -79,10 +79,6 @@ abstract class CipherStorageBase(protected val applicationContext: Context) : Ci
 
   // region Members
 
-  /** Get cached instance of cipher. Get instance operation is slow. */
-  @Transient
-  protected var cachedCipher: Cipher? = null
-
   /** Cached instance of the Keystore. */
   @Transient
   protected var cachedKeyStore: KeyStore? = null
@@ -164,14 +160,7 @@ abstract class CipherStorageBase(protected val applicationContext: Context) : Ci
   /** Get cipher instance and cache it for any next call. */
   @Throws(NoSuchAlgorithmException::class, NoSuchPaddingException::class)
   fun getCachedInstance(): Cipher {
-    if (cachedCipher == null) {
-      synchronized(this) {
-        if (cachedCipher == null) {
-          cachedCipher = Cipher.getInstance(getEncryptionTransformation())
-        }
-      }
-    }
-    return cachedCipher!!
+    return CipherCache.getCipher(getEncryptionTransformation())
   }
 
   /** Check requirements to the security level. */
@@ -466,24 +455,6 @@ abstract class CipherStorageBase(protected val applicationContext: Context) : Ci
 
   // endregion
 
-  // region Testing
-
-  /** Override internal cipher instance cache. */
-  @VisibleForTesting
-  fun setCipher(cipher: Cipher): CipherStorageBase {
-    cachedCipher = cipher
-    return this
-  }
-
-  /** Override the keystore instance cache. */
-  @VisibleForTesting
-  fun setKeyStore(keystore: KeyStore): CipherStorageBase {
-    cachedKeyStore = keystore
-    return this
-  }
-
-  // endregion
-
   // region Nested declarations
 
   /** Generic cipher initialization. */

android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageKeystoreAesGcm.kt

@@ -66,7 +66,7 @@ class CipherStorageKeystoreAesGcm(
     /** AES. */
     override fun getEncryptionAlgorithm(): String = ALGORITHM_AES
 
-    /** AES/CBC/PKCS7Padding */
+    /** AES/GCM/NoPadding */
     override fun getEncryptionTransformation(): String = ENCRYPTION_TRANSFORMATION
 
     // endregion