private void createKeyForTimeout() throws Exception { KeyStore.Entry entry=ks.getEntry(KEY_NAME, null); if (entry==null) { KeyGenParameterSpec spec= new KeyGenParameterSpec.Builder(KEY_NAME, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_CBC) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7) .setUserAuthenticationRequired(true) .setUserAuthenticationValidityDurationSeconds(TIMEOUT_SECONDS) .build(); KeyGenerator keygen= KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE); keygen.init(spec); keygen.generateKey(); } }
private void isInsideSecureHardware() { try { createKeyForTimeout(); } catch (Exception e) { Toast.makeText(this, "Could not create the key", Toast.LENGTH_LONG).show(); Log.e(getClass().getSimpleName(), "Exception creating key", e); return; } try { SecretKey key=(SecretKey)ks.getKey(KEY_NAME, null); KeyInfo info= (KeyInfo)SecretKeyFactory.getInstance(key.getAlgorithm(), KEYSTORE) .getKeySpec(key, KeyInfo.class); if (info.isInsideSecureHardware()) { Toast.makeText(this, "Key is inside secure hardware", Toast.LENGTH_LONG).show(); } else { Toast.makeText(this, "Key is only secured by software", Toast.LENGTH_LONG).show(); } } catch (Exception e) { Toast.makeText(this, "Well, *that* didn't work...", Toast.LENGTH_LONG).show(); Log.e(getClass().getSimpleName(), "Exception getting key info", e); } } }
KeyGenParameterSpec spec= new KeyGenParameterSpec.Builder( alias, KeyProperties.PURPOSE_SIGN|KeyProperties.PURPOSE_VERIFY) .setCertificateSubject(new X500Principal("CN=Inspeckage, OU=ACPM, O=ACPM, C=BR")) .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512) .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1) .setCertificateNotBefore(start.getTime()) .setCertificateNotAfter(end.getTime()) .setKeyValidityStart(start.getTime()) .setKeyValidityEnd(end.getTime()) .setKeySize(2048) .setCertificateSerialNumber(BigInteger.valueOf(1)) .build();
private static AlgorithmParameterSpec generateParameterSpec(String alias) { return new KeyGenParameterSpec.Builder( alias, KeyProperties.PURPOSE_DECRYPT | KeyProperties.PURPOSE_ENCRYPT) .setBlockModes(ENCRYPTION_BLOCK_MODE) .setEncryptionPaddings(ENCRYPTION_PADDING) .setRandomizedEncryptionRequired(true) .setKeySize(ENCRYPTION_KEY_SIZE) .build(); }
/** * Generate NIST P-256 EC Key pair for signing and verification * @param keyName * @param invalidatedByBiometricEnrollment * @return * @throws Exception */ private KeyPair generateKeyPair(String keyName, boolean invalidatedByBiometricEnrollment) throws Exception { KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore"); KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(keyName, KeyProperties.PURPOSE_SIGN) .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1")) .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA384, KeyProperties.DIGEST_SHA512) // Require the user to authenticate with a biometric to authorize every use of the key .setUserAuthenticationRequired(true) .setInvalidatedByBiometricEnrollment(invalidatedByBiometricEnrollment); keyPairGenerator.initialize(builder.build()); return keyPairGenerator.generateKeyPair(); }
@Override public void generateKey(CryptoUtils.ICryptoFactory cryptoFactory, String alias, Context context) throws Exception { Calendar writeExpiry = Calendar.getInstance(); writeExpiry.add(Calendar.YEAR, ENCRYPT_KEY_LIFETIME_IN_YEARS); CryptoUtils.IKeyGenerator keyGenerator = cryptoFactory.getKeyGenerator(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEY_STORE); keyGenerator.init(new KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_DECRYPT | KeyProperties.PURPOSE_ENCRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_CBC) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7) .setKeySize(AES_KEY_SIZE) .setKeyValidityForOriginationEnd(writeExpiry.getTime()) .build()); keyGenerator.generateKey(); }
/** * Generate a new key pair entry in the Android Keystore by using the KeyPairGenerator API. * This creates both a KeyPair and a self-signed certificate, both with the same alias, * using the {@link #keyAlgorithm} provided. */ private void generateAuthenticationKey() throws GeneralSecurityException { KeyPairGenerator kpg = KeyPairGenerator.getInstance(keyAlgorithm, keystoreName); KeyGenParameterSpec.Builder specBuilder = new KeyGenParameterSpec.Builder(keyAlias, KeyProperties.PURPOSE_SIGN) .setCertificateSubject(new X500Principal("CN=unused")) .setDigests(KeyProperties.DIGEST_SHA256); if (keyAlgorithm.equals(KeyProperties.KEY_ALGORITHM_RSA)) { specBuilder.setKeySize(KEY_SIZE_RSA) .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1); } else if (keyAlgorithm.equals(KeyProperties.KEY_ALGORITHM_EC)) { specBuilder.setKeySize(KEY_SIZE_EC); } kpg.initialize(specBuilder.build()); kpg.generateKeyPair(); }
public boolean isKeyProtectedEnforcedBySecureHardware() { try { //这里随便生成一个key,检查是不是受保护即可 generateKey("temp"); final SecretKey key = (SecretKey) mStore.getKey("temp", null); if (key == null) { return false; } SecretKeyFactory factory = SecretKeyFactory.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore"); KeyInfo keyInfo; keyInfo = (KeyInfo) factory.getKeySpec(key, KeyInfo.class); return keyInfo.isInsideSecureHardware() && keyInfo.isUserAuthenticationRequirementEnforcedBySecureHardware(); } catch (Exception e) { // Not an Android KeyStore key. return false; } } }
private void createKey(KeyStore ks, String keyName, int timeout) throws Exception { KeyStore.Entry entry=ks.getEntry(keyName, null); if (entry==null) { KeyGenParameterSpec spec= new KeyGenParameterSpec.Builder(keyName, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_CBC) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7) .setUserAuthenticationRequired(true) .setUserAuthenticationValidityDurationSeconds(timeout) .setRandomizedEncryptionRequired(false) .build(); KeyGenerator keygen= KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE); keygen.init(spec); keygen.generateKey(); } }
private SecretKey generateKey(String keyAlias) throws NoSuchProviderException, NoSuchAlgorithmException, InvalidAlgorithmParameterException { KeyGenerator keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE_PROVIDER); keyGenerator.init(new KeyGenParameterSpec.Builder(keyAlias, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_CBC) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7) .setRandomizedEncryptionRequired(false) // we need that to make our custom IV work .build()); return keyGenerator.generateKey(); } }
/** * Android Keystoreに非対称鍵のペアを生成します。 * 秘密鍵は指紋認証に必ず利用されます。公開鍵の利用に制限はありません。 */ public void createKeyPair() { try { mKeyPairGenerator.initialize( new KeyGenParameterSpec.Builder(KEY_NAME, KeyProperties.PURPOSE_SIGN) .setDigests(KeyProperties.DIGEST_SHA256) .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1")) // 利用時に毎回認証を要求します。 .setUserAuthenticationRequired(true) .build()); mKeyPairGenerator.generateKeyPair(); } catch (InvalidAlgorithmParameterException e) { throw new RuntimeException(e); } }
private boolean isInSecureHardware() { try { KeyFactory factory = KeyFactory.getInstance(privateKey.getAlgorithm(), keystoreName); KeyInfo keyInfo = factory.getKeySpec(privateKey, KeyInfo.class); return keyInfo.isInsideSecureHardware(); } catch (GeneralSecurityException e) { Log.w(TAG, "Could not determine if private key is in secure hardware or not"); } return false; }
private void createKey(String keyName, int timeout) throws Exception { KeyStore.Entry entry=ks.getEntry(keyName, null); if (entry==null) { KeyGenParameterSpec spec= new KeyGenParameterSpec.Builder(keyName, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_CBC) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7) .setUserAuthenticationRequired(true) .setUserAuthenticationValidityDurationSeconds(timeout) .setRandomizedEncryptionRequired(false) .build(); KeyGenerator keygen= KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE); keygen.init(spec); keygen.generateKey(); } } }
/** * Creates a symmetric key in the Android Key Store which can only be used after the user has * authenticated with fingerprint. */ public void createKey() { // The enrolling flow for fingerprint. This is where you ask the user to set up fingerprint // for your flow. Use of keys is necessary if you need to know if the set of // enrolled fingerprints has changed. try { // Set the alias of the entry in Android KeyStore where the key will appear // and the constrains (purposes) in the constructor of the Builder mKeyGenerator = KeyGenerator.getInstance( KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore"); mKeyGenerator.init(new KeyGenParameterSpec.Builder(KEY_NAME, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_CBC) // Require the user to authenticate with a fingerprint to authorize every use // of the key .setUserAuthenticationRequired(true) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7) .build()); mKeyGenerator.generateKey(); } catch (NoSuchProviderException | NoSuchAlgorithmException | InvalidAlgorithmParameterException e) { throw new RuntimeException(e); } }
KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(keyName, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_CBC) .setUserAuthenticationRequired(true) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7); builder.setInvalidatedByBiometricEnrollment(invalidatedByBiometricEnrollment); mKeyGenerator.init(builder.build()); mKeyGenerator.generateKey(); } catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException
keyStore.load(null); keyGenerator.init(new KeyGenParameterSpec.Builder(KEY_NAME, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_CBC) .setUserAuthenticationRequired(true) .setEncryptionPaddings( KeyProperties.ENCRYPTION_PADDING_PKCS7) .build()); keyGenerator.generateKey(); } catch (NoSuchAlgorithmException |
void CreateKey() throws Exception { KeyGenerator keyGen = KeyGenerator.getInstance(KEY_ALGORITHM, KEYSTORE_NAME); KeyGenParameterSpec keyGenSpec = new KeyGenParameterSpec.Builder(KEY_NAME, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) .setBlockModes(BLOCK_MODE) .setEncryptionPaddings(ENCRYPTION_PADDING) .setUserAuthenticationRequired(true) .build(); keyGen.init(keyGenSpec); keyGen.generateKey(); } }
void CreateKey() throws Exception { KeyGenerator keyGen = KeyGenerator.getInstance(KEY_ALGORITHM, KEYSTORE_NAME); KeyGenParameterSpec keyGenSpec = new KeyGenParameterSpec.Builder(KEY_NAME, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) .setBlockModes(BLOCK_MODE) .setEncryptionPaddings(ENCRYPTION_PADDING) .setUserAuthenticationRequired(true) .build(); keyGen.init(keyGenSpec); keyGen.generateKey(); } }
public void generateNewKey(boolean auth, int authSecs) throws SystemException { KeyGenParameterSpec keySpec = new KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_GCM) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE) .setUserAuthenticationRequired(auth) .setUserAuthenticationValidityDurationSeconds(authSecs) .build(); KeyGenerator keyGenerator; try { keyGenerator = KeyGenerator.getInstance( KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore"); keyGenerator.init(keySpec); } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidAlgorithmParameterException e) { throw new SystemException(e); } keyGenerator.generateKey(); }
void generateKey(String keyAlias) { //这里使用AES + CBC + PADDING_PKCS7,并且需要用户验证方能取出 try { final KeyGenerator generator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore"); mStore.load(null); final int purpose = KeyProperties.PURPOSE_DECRYPT | KeyProperties.PURPOSE_ENCRYPT; final KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(keyAlias, purpose); builder.setUserAuthenticationRequired(true); builder.setBlockModes(KeyProperties.BLOCK_MODE_CBC); builder.setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7); generator.init(builder.build()); generator.generateKey(); } catch (Exception e) { e.printStackTrace(); } }