AndroidKeyStore getEntry is consistently failing after certain point


Problem description

I am using the AndroidKeyStore to generate an RSA key pair, which is used to encrypt/decrypt the internal data.

The code which does that is as follows. It tries to retrieve the existing RSA key pair (via an alias). If none exists then it tries to generate a new one. The code is:

private void initializePublicPrivateKeys(){
    try
    {
        KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
        keyStore.load(null);
        KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) keyStore.getEntry(APP_RSA_KEY_PAIR_SECRET_ALIAS, null);
        _app_privateRSAKey = entry.getPrivateKey();
        _app_publicRSAKey = entry.getCertificate().getPublicKey();
    }
    catch(Exception e){

    }
}

private void initializeRSAKeyPairs() {

    initializePublicPrivateKeys();
    boolean isKeyNotGenerated = _app_privateRSAKey == null || _app_publicRSAKey == null;

    if(isKeyNotGenerated)
    {
        //Check here, if we already stored some data with previous RSA key pair - if a entry is present in SharedPreference then that would mean we had previously generated a RSA key pair and the entry is in-turn encrypted by this key pair.

        generateAppRSAPublicPrivateKeys();
        initializePublicPrivateKeys();// initialize it again , since we have new keys generated.
    }
}

@TargetApi(18)
private void generateAppRSAPublicPrivateKeys(){
    Calendar cal = Calendar.getInstance();
    Date now = cal.getTime();
    // the certificate created would be valid for 25 years. This is just a random value.
    cal.add(Calendar.YEAR, 25);
    Date end = cal.getTime();

    try{
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
        Context appContext = getApplicationContext();


        KeyPairGeneratorSpec.Builder keyPairGeneratorBuilder =
                new KeyPairGeneratorSpec.Builder(appContext)
                        .setAlias("myrsaalias")
                        .setStartDate(now)
                        .setEndDate(end)
                        .setSerialNumber(BigInteger.valueOf(1))
                        .setSubject(new X500Principal(String.format("CN=%s, OU=%s", "myrsaalias",
                                appContext.getApplicationInfo().packageName)));

        if(Build.VERSION.SDK_INT >= 19){
            keyPairGeneratorBuilder.setKeySize(2048); 
        }

        generator.initialize(keyPairGeneratorBuilder.build());
        generator.generateKeyPair();
    }
    catch(Exception e){
        e.printStackTrace();
        throw new IllegalArgumentException("Failed to generate RSA Public Private Key pair");
    }
}

This code works fine. Once the key pair is generated, I use them to encrypt/decrypt data (store this data in shared preferences), BUT after a certain point in time (after some app relaunch) the initializePublicPrivateKeys function fails to retrieve the key pair (after this point it fails consistently), and so whatever data is stored in the shared preferences in encrypted form is lost, since I don't have the corresponding public key to decrypt it at all. (If I generate a new one then, I guess, it would be different and would return incorrect results when I decrypt the data.)

I was wondering in what cases this initializePublicPrivateKeys function can fail?

PS: For now, I can't capture the exception details because the problem is occurring on some customer device which I don't have access to, and I need to figure out the source of the problem myself. Also, the device password or PIN was not changed during this period (I confirmed this with my customer).

Thanks in advance.

Recommended answer

Is it possible the user changed their screen lock type to an insecure method such as None or Swipe, thus triggering all the keys in the AndroidKeyStore to be deleted? It is a known issue discussed in this blog article: https://doridori.github.io/android-security-the-forgetful-keystore/

It is also mentioned here: https://code.google.com/p/android/issues/detail?id=61989

If you do not have strict security requirements and want your app to work even if the user has no screen lock then perhaps just use a keypair stored in a keystore file in your data area and skip the AndroidKeyStore.
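
Added example, not part of the original question or answer: a loader that logs why the AndroidKeyStore lookup failed and distinguishes "key never generated" from "key was wiped while encrypted data still exists", instead of swallowing the exception as the question's code does. The class name, log tag and the `has_encrypted_data` preference marker are assumptions; only the `myrsaalias` alias comes from the page.

```java
import android.content.SharedPreferences;
import android.util.Log;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;

final class RsaKeyLoader {
    enum State { OK, NEVER_GENERATED, LOST }

    private static final String TAG = "RsaKeyLoader";                  // hypothetical log tag
    private static final String ALIAS = "myrsaalias";                  // alias used on the page
    private static final String PREF_HAS_DATA = "has_encrypted_data"; // hypothetical marker,
    // assumed to be written whenever ciphertext is stored under this key pair

    PrivateKey privateKey;
    PublicKey publicKey;

    State load(SharedPreferences prefs) {
        boolean dataExists = prefs.contains(PREF_HAS_DATA);
        try {
            KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
            ks.load(null);
            if (ks.containsAlias(ALIAS)) {
                KeyStore.Entry entry = ks.getEntry(ALIAS, null);
                if (entry instanceof KeyStore.PrivateKeyEntry) {
                    KeyStore.PrivateKeyEntry pke = (KeyStore.PrivateKeyEntry) entry;
                    privateKey = pke.getPrivateKey();
                    publicKey = pke.getCertificate().getPublicKey();
                    return State.OK;
                }
                // Alias is listed but the entry cannot be used as a key pair.
                Log.w(TAG, "Alias present but entry unusable: " + entry);
            } else {
                Log.w(TAG, "Alias missing; encrypted data present: " + dataExists);
            }
        } catch (GeneralSecurityException | IOException | RuntimeException e) {
            // Keep the cause so it can be reported from devices you cannot debug.
            Log.e(TAG, "AndroidKeyStore lookup failed", e);
        }
        // Missing key plus existing ciphertext means the old data is undecryptable.
        return dataExists ? State.LOST : State.NEVER_GENERATED;
    }
}
```

On `LOST`, the caller should discard the stale ciphertext and ask the user to re-enter the data before generating a new key pair, since a fresh pair cannot decrypt what the old one encrypted.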
