// Attestation sample key: EC on the protocol's curve, restricted to sign/verify with the
// protocol's digest.
// NOTE(review): the attestation challenge is the fixed literal "sample". An attestation
// certificate built from a constant challenge proves nothing about freshness and can be
// replayed; a production flow should embed a nonce chosen by the relying party/verifier.
// "sample".getBytes() uses the platform default charset; the literal is pure ASCII, so the
// resulting bytes are the same on every platform.
final KeyGenParameterSpec.Builder builder =
        new KeyGenParameterSpec.Builder(
                KEYSTORE_ALIAS_SAMPLE,
                KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY);
builder.setAlgorithmParameterSpec(new ECGenParameterSpec(AttestationProtocol.EC_CURVE));
builder.setDigests(AttestationProtocol.KEY_DIGEST);
builder.setAttestationChallenge("sample".getBytes());
/**
 * Wraps {@code encKey} with a freshly generated RSA-2048 key pair stored in AndroidKeyStore under
 * the alias "quickPass", and keeps the ciphertext in {@code biometricKeyEncrypted}.
 *
 * <p>Runs only on API 28 (P) and newer; on older releases the method does nothing. Every failure
 * is logged and swallowed, so on error {@code biometricKeyEncrypted} is left unchanged — callers
 * cannot distinguish success from failure through the return value.
 *
 * <p>The key pair is created with {@code setUserAuthenticationRequired(true)} and no validity
 * window, so later use of the private key (unwrapping) is gated on user authentication. Wrapping
 * here uses only the public key and therefore needs no authentication.
 *
 * <p>NOTE(review): the alias is regenerated on every call. Generating under an existing alias
 * replaces the previous key, which orphans any ciphertext produced by an earlier call — confirm
 * this is the intended lifecycle.
 * <p>NOTE(review): the wrap uses RSA PKCS#1 v1.5 encryption padding. OAEP is the recommended
 * padding for new code; changing it requires the matching change on the unwrap side, and
 * {@code BLOCK_MODE_CBC} / the digest list only matter for that (non-PKCS1) configuration.
 *
 * @param encKey secret bytes to wrap; must fit in a single RSA-2048 PKCS#1 v1.5 block
 */
private void encryptIdentityKeyBiometric(byte[] encKey) {
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.P) {
        return;
    }
    try {
        KeyPairGenerator generator = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(
                "quickPass", KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setAlgorithmParameterSpec(new RSAKeyGenParameterSpec(2048, F4))
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
                .setDigests(KeyProperties.DIGEST_SHA256,
                        KeyProperties.DIGEST_SHA384,
                        KeyProperties.DIGEST_SHA512)
                .setUserAuthenticationRequired(true)
                .build();
        generator.initialize(spec);
        KeyPair wrappingPair = generator.generateKeyPair();

        // Public-key operation: no user authentication is needed for this step.
        Cipher wrapCipher = Cipher.getInstance("RSA/ECB/PKCS1PADDING"); //or try with "RSA"
        wrapCipher.init(Cipher.ENCRYPT_MODE, wrappingPair.getPublic());
        this.biometricKeyEncrypted = wrapCipher.doFinal(encKey);
    } catch (Exception e) {
        Log.e(TAG, e.getMessage(), e);
    }
}
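/**
 * Generates a key pair in the {@code PROVIDER} keystore from parameters carried as Intent extras.
 *
 * <p>Extras read: "alias" (required), "algorithm" (required; RSA or EC), "purposes" (int mask,
 * default 0), "digests" (string array, optional), "size" (RSA modulus bits, default 2048),
 * "curve" (required for EC), "validity" (seconds; &gt; 0 enables user authentication with that
 * validity window).
 *
 * <p>Every extra is caller-controlled and may be absent. Previously a missing "algorithm" or
 * "curve" surfaced as a {@link NullPointerException} from {@code algorithm.equals(...)} or from
 * {@code ECGenParameterSpec}; those are now reported as {@link IllegalArgumentException} with the
 * name of the missing extra.
 *
 * <p>NOTE(review): no minimum is enforced on "size" or on "purposes" here; this relies on the
 * keystore provider to reject weak or nonsensical parameters.
 *
 * @param out result writer (not written to by this command)
 * @throws GeneralSecurityException if the provider rejects the algorithm or parameters
 * @throws IllegalArgumentException if a required extra is missing
 */
@Override
public void writeResult(PrintWriter out) throws GeneralSecurityException {
    String alias = intent.getStringExtra("alias");
    String algorithm = intent.getStringExtra("algorithm");
    int purposes = intent.getIntExtra("purposes", 0);
    String[] digests = intent.getStringArrayExtra("digests");
    int size = intent.getIntExtra("size", 2048);
    String curve = intent.getStringExtra("curve");
    int userValidity = intent.getIntExtra("validity", 0);

    if (alias == null) {
        throw new IllegalArgumentException("missing \"alias\" extra");
    }
    if (algorithm == null) {
        throw new IllegalArgumentException("missing \"algorithm\" extra");
    }

    KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(alias, purposes);
    if (digests != null) {
        builder.setDigests(digests);
    }
    // Constant-first equals: safe even though algorithm is checked above, and mirrors the
    // builder's own null-hostile style.
    if (KeyProperties.KEY_ALGORITHM_RSA.equals(algorithm)) {
        // only the exponent 65537 is supported for now
        builder.setAlgorithmParameterSpec(
                new RSAKeyGenParameterSpec(size, RSAKeyGenParameterSpec.F4));
        builder.setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1);
    } else if (KeyProperties.KEY_ALGORITHM_EC.equals(algorithm)) {
        if (curve == null) {
            throw new IllegalArgumentException("missing \"curve\" extra for EC key");
        }
        builder.setAlgorithmParameterSpec(new ECGenParameterSpec(curve));
    }
    // Any other algorithm string reaches KeyPairGenerator.getInstance below, which is expected to
    // reject it with NoSuchAlgorithmException (a GeneralSecurityException).
    if (userValidity > 0) {
        builder.setUserAuthenticationRequired(true);
        builder.setUserAuthenticationValidityDurationSeconds(userValidity);
    }

    KeyPairGenerator generator = KeyPairGenerator.getInstance(algorithm, PROVIDER);
    generator.initialize(builder.build());
    generator.generateKeyPair();
}
});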
final KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(attestationKeystoreAlias, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY) .setAlgorithmParameterSpec(new ECGenParameterSpec(EC_CURVE)) .setDigests(KEY_DIGEST) .setAttestationChallenge(challenge)
/**
 * Creates a NIST P-256 (secp256r1) EC key pair in AndroidKeyStore under {@code keyName}.
 *
 * <p>The keystore restricts the private key to {@code PURPOSE_SIGN} with SHA-256/384/512
 * digests. {@code setUserAuthenticationRequired(true)} is set without a validity window, so each
 * use of the private key must be authorized by the user (biometric, per the original intent of
 * this method). Verification uses the public key and is not gated by the keystore.
 *
 * @param keyName keystore alias for the new key pair
 * @param invalidatedByBiometricEnrollment when true the key is permanently invalidated as soon as
 *     a new biometric is enrolled. NOTE(review): passing false keeps the key usable after the
 *     enrolled biometrics change, which weakens the binding between this key and the current
 *     user; callers should have a specific reason to pass false.
 * @return the generated key pair (private key handle lives in the keystore)
 * @throws Exception any provider, algorithm or parameter failure, propagated unchanged
 */
@TargetApi(Build.VERSION_CODES.P)
private KeyPair generateKeyPair(String keyName, boolean invalidatedByBiometricEnrollment) throws Exception {
    KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(keyName, KeyProperties.PURPOSE_SIGN)
            .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
            .setDigests(KeyProperties.DIGEST_SHA256,
                    KeyProperties.DIGEST_SHA384,
                    KeyProperties.DIGEST_SHA512)
            // No validity duration: authentication is required for every private-key use.
            .setUserAuthenticationRequired(true)
            .setInvalidatedByBiometricEnrollment(invalidatedByBiometricEnrollment)
            .build();
    KeyPairGenerator generator = KeyPairGenerator.getInstance(
            KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
    generator.initialize(spec);
    return generator.generateKeyPair();
}
/**
 * Creates a NIST P-256 (secp256r1) EC key pair in AndroidKeyStore under {@code keyName}.
 *
 * <p>The keystore restricts the private key to {@code PURPOSE_SIGN} with SHA-256/384/512
 * digests. {@code setUserAuthenticationRequired(true)} is set without a validity window, so each
 * use of the private key must be authorized by the user (biometric, per the original intent of
 * this method). Verification uses the public key and is not gated by the keystore.
 *
 * <p>NOTE(review): {@code setInvalidatedByBiometricEnrollment} requires API 24+; unlike its
 * sibling, this overload carries no {@code @TargetApi} annotation, so confirm the minSdk.
 *
 * @param keyName keystore alias for the new key pair
 * @param invalidatedByBiometricEnrollment when true the key is permanently invalidated as soon as
 *     a new biometric is enrolled. NOTE(review): passing false keeps the key usable after the
 *     enrolled biometrics change, which weakens the binding between this key and the current
 *     user; callers should have a specific reason to pass false.
 * @return the generated key pair (private key handle lives in the keystore)
 * @throws Exception any provider, algorithm or parameter failure, propagated unchanged
 */
private KeyPair generateKeyPair(String keyName, boolean invalidatedByBiometricEnrollment) throws Exception {
    KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(keyName, KeyProperties.PURPOSE_SIGN)
            .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
            .setDigests(KeyProperties.DIGEST_SHA256,
                    KeyProperties.DIGEST_SHA384,
                    KeyProperties.DIGEST_SHA512)
            // No validity duration: authentication is required for every private-key use.
            .setUserAuthenticationRequired(true)
            .setInvalidatedByBiometricEnrollment(invalidatedByBiometricEnrollment)
            .build();
    KeyPairGenerator generator = KeyPairGenerator.getInstance(
            KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
    generator.initialize(spec);
    return generator.generateKeyPair();
}
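/**
 * Generates an RSA encrypt/decrypt key pair in AndroidKeyStore under {@code alias} (API 23+).
 *
 * <p>Fix: the modulus is now 2048 bits. The previous 1024-bit size is below the accepted minimum
 * for RSA and should not be used for new keys. NOTE(review): keys already stored under this alias
 * are not touched until {@code createKeysM} is called again for that alias, at which point the
 * old key is replaced and data encrypted to it can no longer be decrypted — check call sites
 * that may invoke this for an existing alias.
 *
 * <p>The old comment promised a five-minute authentication window, but no
 * {@code setUserAuthenticationValidityDurationSeconds} call exists; with {@code requireAuth}
 * true the private key requires user authentication per use.
 *
 * <p>NOTE(review): PKCS#1 v1.5 encryption padding is configured; OAEP is preferred for new
 * code, but the decrypt side must change in step, so it is left as is here.
 *
 * @param alias keystore alias for the new key pair
 * @param requireAuth whether private-key use must be authorized by user authentication
 * @throws RuntimeException wrapping NoSuchProviderException, NoSuchAlgorithmException or
 *     InvalidAlgorithmParameterException from the keystore
 */
@TargetApi(Build.VERSION_CODES.M)
static void createKeysM(String alias, boolean requireAuth) {
    // 2048-bit minimum: 1024-bit RSA is considered broken-strength for new keys.
    final int rsaModulusBits = 2048;
    try {
        KeyPairGenerator generator = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_RSA,
                SecurityConstants.KEYSTORE_PROVIDER_ANDROID_KEYSTORE);
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(
                alias, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setAlgorithmParameterSpec(new RSAKeyGenParameterSpec(rsaModulusBits, F4))
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
                .setDigests(KeyProperties.DIGEST_SHA256,
                        KeyProperties.DIGEST_SHA384,
                        KeyProperties.DIGEST_SHA512)
                // No validity window is configured: when requireAuth is true, every private-key
                // use needs a fresh user authentication.
                .setUserAuthenticationRequired(requireAuth)
                .build();
        generator.initialize(spec);
        // The key material stays in the keystore; the returned KeyPair is not needed here.
        generator.generateKeyPair();
    } catch (NoSuchProviderException | NoSuchAlgorithmException
            | InvalidAlgorithmParameterException e) {
        throw new RuntimeException(e);
    }
}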
/**
 * Generates an asymmetric (P-256 EC) key pair in AndroidKeyStore under {@code KEY_NAME}.
 *
 * <p>The private key is limited to signing with SHA-256 and, because
 * {@code setUserAuthenticationRequired(true)} is set without a validity window, every use must
 * be authorized by the user (the original comment describes this as fingerprint authentication).
 * The public key carries no keystore restriction.
 *
 * <p>Uses the {@code mKeyPairGenerator} field, which must already be obtained for the EC
 * algorithm from the AndroidKeyStore provider.
 *
 * @throws RuntimeException wrapping InvalidAlgorithmParameterException if the keystore rejects
 *     the parameters
 */
public void createKeyPair() {
    KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(KEY_NAME, KeyProperties.PURPOSE_SIGN)
            .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
            .setDigests(KeyProperties.DIGEST_SHA256)
            // No validity duration: authentication is required for every use of the private key.
            .setUserAuthenticationRequired(true)
            .build();
    try {
        mKeyPairGenerator.initialize(spec);
    } catch (InvalidAlgorithmParameterException e) {
        throw new RuntimeException(e);
    }
    mKeyPairGenerator.generateKeyPair();
}