qq_25914767
qq_25914767
2016-11-08 10:00
采纳率: 50%
浏览 9.7k

android安全存储,使用AndroidKeyStore的问题

最近在研究android的keystore安全存储,网上就一篇关于这个的博客,但是有些地方没讲清楚,资料非常少。。。

我使用以下方式存储了私钥和证书:

mKeyStore = KeyStore.getInstance("AndroidKeyStore");//获取密钥库

KeyStore.PrivateKeyEntry expected = new KeyStore.PrivateKeyEntry(priKey, expectedChain);

mKeyStore.setEntry("mytestRSAkey", expected, new KeyStoreParameter.Builder(this.getBaseContext()).setEncryptionRequired(true).build());//加密存储

现在我要提取公钥和私钥:

actualEntry = mKeyStore.getEntry("mytestRSAkey",null);//获取密钥

KeyStore.PrivateKeyEntry actual = (KeyStore.PrivateKeyEntry) actualEntry;

pubKey=actual.getCertificate().getPublicKey();

priKey=actual.getPrivateKey();

可能是出于保护私钥的目的,priKey.getEncoded()是获取不到私钥的,只有一个密钥索引,导致我使用使用该私钥解密时出错

public static byte[] decrypt_RSA(byte[] encryptedData, PrivateKey privateKey)

{

try
{

Cipher cipher = Cipher.getInstance("RSA");

cipher.init(Cipher.DECRYPT_MODE, privateKey);

return cipher.doFinal(encryptedData);

} catch (Exception e)

{

return null;

}

}

现在我该怎么使用priKey来解密数据啊

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 邀请回答

6条回答 默认 最新

  • qq_25914767
    qq_25914767 2016-11-09 07:59
    已采纳

    问题解决,Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");就可以了

    点赞 评论
  • qq_25914767
    qq_25914767 2016-11-15 07:14

    以上是android5.0的使用方法,android6.0新增加对对称密钥的存储支持,并且可以指定应用在使用密钥时先输入锁屏密码或指纹认证,安全性得到提高。android源代码中developers/samples/android/security有DEMO可以看看

    点赞 评论
  • liurukun
    liurukun 2016-12-15 08:05

    同求,我测试了在6.0以上不行,请问楼主解决么了? 麻烦楼主告知一下

    点赞 评论
  • qq_25914767
    qq_25914767 2016-12-15 11:42
    /**
     * Creates a symmetric key in the Android Key Store which can only be used after the user has
     * authenticated with device credentials within the last X seconds.
     */
        //创建一个对称密钥并自动存储到androidkeystore,参数指明使用该密钥需要用户认证
    private void createKey() {
        // Generate a key to decrypt payment credentials, tokens, etc.
        // This will most likely be a registration step for the user when they are setting up your app.
        try {
            KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
            KeyGenerator keyGenerator = KeyGenerator.getInstance(
                    KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
    
            // Set the alias of the entry in Android KeyStore where the key will appear
            // and the constrains (purposes) in the constructor of the Builder
            keyGenerator.init(new KeyGenParameterSpec.Builder(KEY_NAME,
                    KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                    .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                    .setUserAuthenticationRequired(true)
                            // Require that the user has unlocked in the last 30 seconds
                    .setUserAuthenticationValidityDurationSeconds(AUTHENTICATION_DURATION_SECONDS)
                    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                    .build());
            keyGenerator.generateKey();
        } catch (NoSuchAlgorithmException | NoSuchProviderException
                | InvalidAlgorithmParameterException | KeyStoreException
                | CertificateException | IOException e) {
            throw new RuntimeException("Failed to create a symmetric key", e);
        }
    }
    

    //从androidkeystore取出对称密钥,并使用密钥加密,使用前会弹出密码框要求数据锁屏密码
    private boolean tryEncrypt() {
    try {
    KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
    keyStore.load(null);
    SecretKey secretKey = (SecretKey) keyStore.getKey(KEY_NAME, null);
    Cipher cipher = Cipher.getInstance(
    KeyProperties.KEY_ALGORITHM_AES + "/" + KeyProperties.BLOCK_MODE_CBC + "/"
    + KeyProperties.ENCRYPTION_PADDING_PKCS7);

            // Try encrypting something, it will only work if the user authenticated within
            // the last AUTHENTICATION_DURATION_SECONDS seconds.
            cipher.init(Cipher.ENCRYPT_MODE, secretKey);
            cipher.doFinal(SECRET_BYTE_ARRAY);
    
            // If the user has recently authenticated, you will reach here.
            showAlreadyAuthenticated();
            return true;
        } catch (UserNotAuthenticatedException e) {
            // User is not authenticated, let's authenticate with device credentials.
            showAuthenticationScreen();
            return false;
        } catch (KeyPermanentlyInvalidatedException e) {
            // This happens if the lock screen has been disabled or reset after the key was
            // generated after the key was generated.
            Toast.makeText(this, "Keys are invalidated after created. Retry the purchase\n"
                            + e.getMessage(),
                    Toast.LENGTH_LONG).show();
            return false;
        } catch (BadPaddingException | IllegalBlockSizeException | KeyStoreException |
                CertificateException | UnrecoverableKeyException | IOException
                | NoSuchPaddingException | NoSuchAlgorithmException | InvalidKeyException e) {
            throw new RuntimeException(e);
        }
    }
    
    点赞 评论
  • qq_25914767
    qq_25914767 2016-12-15 11:48
    private void showAuthenticationScreen() {
        // Create the Confirm Credentials screen. You can customize the title and description. Or
        // we will provide a generic one for you if you leave it null
        Intent intent = mKeyguardManager.createConfirmDeviceCredentialIntent(null, null);
        if (intent != null) {
            startActivityForResult(intent, REQUEST_CODE_CONFIRM_DEVICE_CREDENTIALS);
        }
    }
    
    点赞 评论
  • qq_25914767
    qq_25914767 2016-12-15 12:05
     /*
     * Copyright (C) 2015 The Android Open Source Project
     *
     * Licensed under the Apache License, Version 2.0 (the "License");
     * you may not use this file except in compliance with the License.
     * You may obtain a copy of the License at
     *
     *      http://www.apache.org/licenses/LICENSE-2.0
     *
     * Unless required by applicable law or agreed to in writing, software
     * distributed under the License is distributed on an "AS IS" BASIS,
     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     * See the License for the specific language governing permissions and
     * limitations under the License
     */
    
    package com.example.android.confirmcredential;
    
    import android.app.Activity;
    import android.app.KeyguardManager;
    import android.content.Context;
    import android.content.Intent;
    import android.os.Bundle;
    import android.security.keystore.KeyGenParameterSpec;
    import android.security.keystore.KeyPermanentlyInvalidatedException;
    import android.security.keystore.KeyProperties;
    import android.security.keystore.UserNotAuthenticatedException;
    import android.view.View;
    import android.widget.Button;
    import android.widget.TextView;
    import android.widget.Toast;
    
    import java.io.IOException;
    import java.security.InvalidAlgorithmParameterException;
    import java.security.InvalidKeyException;
    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import java.security.NoSuchProviderException;
    import java.security.UnrecoverableKeyException;
    import java.security.cert.CertificateException;
    
    import javax.crypto.BadPaddingException;
    import javax.crypto.Cipher;
    import javax.crypto.IllegalBlockSizeException;
    import javax.crypto.KeyGenerator;
    import javax.crypto.NoSuchPaddingException;
    import javax.crypto.SecretKey;
    
    /**
     * Main entry point for the sample, showing a backpack and "Purchase" button.
     */
    public class MainActivity extends Activity {
    
        /** Alias for our key in the Android Key Store. */
        private static final String KEY_NAME = "my_key";
        private static final byte[] SECRET_BYTE_ARRAY = new byte[] {1, 2, 3, 4, 5, 6};
    
        private static final int REQUEST_CODE_CONFIRM_DEVICE_CREDENTIALS = 1;
    
        /**
         * If the user has unlocked the device Within the last this number of seconds,
         * it can be considered as an authenticator.
         */
        private static final int AUTHENTICATION_DURATION_SECONDS = 30;
    
        private KeyguardManager mKeyguardManager;
    
        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            setContentView(R.layout.activity_main);
            mKeyguardManager = (KeyguardManager) getSystemService(Context.KEYGUARD_SERVICE);
            Button purchaseButton = (Button) findViewById(R.id.purchase_button);
            if (!mKeyguardManager.isKeyguardSecure()) {
                // Show a message that the user hasn't set up a lock screen.
                Toast.makeText(this,
                        "Secure lock screen hasn't set up.\n"
                                + "Go to 'Settings -> Security -> Screenlock' to set up a lock screen",
                        Toast.LENGTH_LONG).show();
                purchaseButton.setEnabled(false);
                return;
            }
            createKey();
            findViewById(R.id.purchase_button).setOnClickListener(new View.OnClickListener() {
                @Override
                public void onClick(View v) {
                    // Test to encrypt something. It might fail if the timeout expired (30s).
                    tryEncrypt();
                }
            });
        }
    
        /**
         * Tries to encrypt some data with the generated key in {@link #createKey} which is
         * only works if the user has just authenticated via device credentials.
         */
        private boolean tryEncrypt() {
            try {
                KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
                keyStore.load(null);
                SecretKey secretKey = (SecretKey) keyStore.getKey(KEY_NAME, null);
                Cipher cipher = Cipher.getInstance(
                        KeyProperties.KEY_ALGORITHM_AES + "/" + KeyProperties.BLOCK_MODE_CBC + "/"
                                + KeyProperties.ENCRYPTION_PADDING_PKCS7);
    
                // Try encrypting something, it will only work if the user authenticated within
                // the last AUTHENTICATION_DURATION_SECONDS seconds.
                cipher.init(Cipher.ENCRYPT_MODE, secretKey);
                cipher.doFinal(SECRET_BYTE_ARRAY);
    
                // If the user has recently authenticated, you will reach here.
                showAlreadyAuthenticated();
                return true;
            } catch (UserNotAuthenticatedException e) {
                // User is not authenticated, let's authenticate with device credentials.
                showAuthenticationScreen();
                return false;
            } catch (KeyPermanentlyInvalidatedException e) {
                // This happens if the lock screen has been disabled or reset after the key was
                // generated after the key was generated.
                Toast.makeText(this, "Keys are invalidated after created. Retry the purchase\n"
                                + e.getMessage(),
                        Toast.LENGTH_LONG).show();
                return false;
            } catch (BadPaddingException | IllegalBlockSizeException | KeyStoreException |
                    CertificateException | UnrecoverableKeyException | IOException
                    | NoSuchPaddingException | NoSuchAlgorithmException | InvalidKeyException e) {
                throw new RuntimeException(e);
            }
        }
    
        /**
         * Creates a symmetric key in the Android Key Store which can only be used after the user has
         * authenticated with device credentials within the last X seconds.
         */
        private void createKey() {
            // Generate a key to decrypt payment credentials, tokens, etc.
            // This will most likely be a registration step for the user when they are setting up your app.
            try {
                KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
                keyStore.load(null);
                KeyGenerator keyGenerator = KeyGenerator.getInstance(
                        KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
    
                // Set the alias of the entry in Android KeyStore where the key will appear
                // and the constrains (purposes) in the constructor of the Builder
                keyGenerator.init(new KeyGenParameterSpec.Builder(KEY_NAME,
                        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                        .setUserAuthenticationRequired(true)
                                // Require that the user has unlocked in the last 30 seconds
                        .setUserAuthenticationValidityDurationSeconds(AUTHENTICATION_DURATION_SECONDS)
                        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                        .build());
                keyGenerator.generateKey();
            } catch (NoSuchAlgorithmException | NoSuchProviderException
                    | InvalidAlgorithmParameterException | KeyStoreException
                    | CertificateException | IOException e) {
                throw new RuntimeException("Failed to create a symmetric key", e);
            }
        }
    
        private void showAuthenticationScreen() {
            // Create the Confirm Credentials screen. You can customize the title and description. Or
            // we will provide a generic one for you if you leave it null
            Intent intent = mKeyguardManager.createConfirmDeviceCredentialIntent(null, null);
            if (intent != null) {
                startActivityForResult(intent, REQUEST_CODE_CONFIRM_DEVICE_CREDENTIALS);
            }
        }
    
        @Override
        protected void onActivityResult(int requestCode, int resultCode, Intent data) {
            if (requestCode == REQUEST_CODE_CONFIRM_DEVICE_CREDENTIALS) {
                // Challenge completed, proceed with using cipher
                if (resultCode == RESULT_OK) {
                    if (tryEncrypt()) {
                        showPurchaseConfirmation();
                    }
                } else {
                    // The user canceled or didn’t complete the lock screen
                    // operation. Go to error/cancellation flow.
                }
            }
        }
    
        private void showPurchaseConfirmation() {
            findViewById(R.id.confirmation_message).setVisibility(View.VISIBLE);
            findViewById(R.id.purchase_button).setEnabled(false);
        }
    
        private void showAlreadyAuthenticated() {
            TextView textView = (TextView) findViewById(
                    R.id.already_has_valid_device_credential_message);
            textView.setVisibility(View.VISIBLE);
            textView.setText(getString(
                    R.string.already_confirmed_device_credentials_within_last_x_seconds,
                    AUTHENTICATION_DURATION_SECONDS));
            findViewById(R.id.purchase_button).setEnabled(false);
        }
    
    }
    
    
    
    
    点赞 评论

相关推荐