Storing a hmac key in Android keystore


Problem description

I am using the below code to create a hmac key and returning it as a string.

    KeyGenerator keyGen = null;
    try {
        keyGen = KeyGenerator.getInstance("HmacSHA256");
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    }
    SecretKey key = keyGen.generateKey();
    byte[] encoded = key.getEncoded();
    String s=Base64.encodeToString(encoded, Base64.DEFAULT);
    Log.i("Hmac key before encrypt",s);

    try {
        KeyStore keystore = KeyStore.getInstance("AndroidKeyStore");
        keystore.load(null, null);
        KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry) keystore.getEntry("temp", null);
        RSAPublicKey publicKey = (RSAPublicKey) privateKeyEntry.getCertificate().getPublicKey();

        Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        cipher.init(Cipher.ENCRYPT_MODE, publicKey);
        byte[] cipherBytes = cipher.doFinal(encoded);

        return Base64.encodeToString(cipherBytes,Base64.DEFAULT);


    } catch (UnrecoverableEntryException e) {
        e.printStackTrace();
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    } catch (KeyStoreException e) {
        e.printStackTrace();
    } catch (IllegalBlockSizeException e) {
        e.printStackTrace();
    } catch (InvalidKeyException e) {
        e.printStackTrace();
    } catch (BadPaddingException e) {
        e.printStackTrace();
    } catch (NoSuchPaddingException e) {
        e.printStackTrace();
    } catch (CertificateException e) {
        e.printStackTrace();
    } catch (IOException e) {
        e.printStackTrace();
    }

How can I store this in the android keystore? I have tried using the below code:

KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
keyStore.load(null);

KeyStore.ProtectionParameter param = new KeyStore.PasswordProtection("test".toCharArray());
keyStore.setEntry("key1",hmacKey,param);

I get errors no matter what format hmacKey is in: String/Bytes or javax.crypto.SecretKey. Below are the errors. In case of passing Key hmacKey:

Wrong 2nd argument type. Found: 'java.security.Key', required: 'java.security.KeyStore.Entry'

Same in cases where I pass a string or byte array.

If I typecast the parameter to java.security.KeyStore.Entry, it still doesn't work.

Is this the correct way of doing so? Can anyone give pointers as to how the HMAC key can be stored in the keystore using an alias? How can I convert the hmac key to java.security.KeyStore.Entry format?

Recommended answer

The Android key store was created to allow you to use asymmetric keys and symmetric keys outside your application code. As specified in the training material:


Key material never enters the application process. When an application performs cryptographic operations using an Android Keystore key, behind the scenes plaintext, ciphertext, and messages to be signed or verified are fed to a system process which carries out the cryptographic operations. If the app's process is compromised, the attacker may be able to use the app's keys but will not be able to extract their key material (for example, to be used outside of the Android device).

So the idea of generating the key inside the application code - and thus outside the key store - is not a good idea. How to generate a secret key inside the key store is defined for HMAC keys in the API for the KeyGenParameterSpec class:

// Generate the HMAC key inside the Android Keystore under the alias "key2"
KeyGenerator keyGenerator = KeyGenerator.getInstance(
         KeyProperties.KEY_ALGORITHM_HMAC_SHA256, "AndroidKeyStore");
// Configure the generator with the alias and the allowed purpose
keyGenerator.init(
         new KeyGenParameterSpec.Builder("key2", KeyProperties.PURPOSE_SIGN).build());
SecretKey key = keyGenerator.generateKey();
// Use the returned key handle to compute MACs
Mac mac = Mac.getInstance("HmacSHA256");
mac.init(key);
...

// The key can also be obtained from the Android Keystore any time as follows:
KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
keyStore.load(null);
key = (SecretKey) keyStore.getKey("key2", null);

Other key types can be found in the KeyProperties class
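
The following is an added example, not code from the question or the answer: a helper that keeps an HMAC-SHA256 key in the Android Keystore under an alias and also shows how an already existing raw key is wrapped in a KeyStore.SecretKeyEntry, which is the Entry type that setEntry() expects. The class name HmacKeystore and its method names are hypothetical, and API level 23 or later is assumed.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.security.keystore.KeyProtection;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/** Added example (hypothetical helper class); assumes API level 23+. */
public final class HmacKeystore {
    private static final String PROVIDER = "AndroidKeyStore";
    private static KeyStore open() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null); // the Android Keystore takes no stream or password
        return ks;
    }

    /** Preferred path: the key is created inside the keystore, never in app memory. */
    public static SecretKey getOrCreate(String alias) throws GeneralSecurityException, IOException {
        KeyStore ks = open();
        if (ks.containsAlias(alias)) return (SecretKey) ks.getKey(alias, null);
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_HMAC_SHA256, PROVIDER);
        kg.init(new KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_SIGN).build());
        return kg.generateKey();
    }

    /** Import path for a key that already exists as bytes: wrap it in a SecretKeyEntry. */
    public static void importRaw(String alias, byte[] raw) throws GeneralSecurityException, IOException {
        SecretKey key = new SecretKeySpec(raw, KeyProperties.KEY_ALGORITHM_HMAC_SHA256);
        open().setEntry(alias, new KeyStore.SecretKeyEntry(key),
                new KeyProtection.Builder(KeyProperties.PURPOSE_SIGN).build());
        Arrays.fill(raw, (byte) 0); // best-effort wipe; the bytes were already in app memory
    }

    public static byte[] mac(String alias, byte[] msg) throws GeneralSecurityException, IOException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(getOrCreate(alias)); // a handle only; getEncoded() on it returns null
        return mac.doFinal(msg);
    }

    public static boolean verify(String alias, byte[] msg, byte[] tag) throws GeneralSecurityException, IOException {
        return MessageDigest.isEqual(mac(alias, msg), tag); // recompute, then compare
    }
}
```

A key brought in through importRaw() has existed outside the keystore, so it does not get the non-extractability guarantee quoted above for the time before the import; getOrCreate() avoids that exposure.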
