使用KeyGenParameterSpec.Builder等效替换KeyPairGeneratorSpec - 密钥库操作失败

时间:2016-04-22 20:10:17

标签: java android encryption rsa key-generator

不推荐使用以下方法

KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");

KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(this)
                            .setAlias(alias)
                            .setSubject(new X500Principal("CN=Sample Name, O=Android Authority"))
                            .setSerialNumber(BigInteger.ONE)
                            .setStartDate(start.getTime())
                            .setEndDate(end.getTime())
                            .build();

generator.initialize(spec);

我遇到的替代品看起来像这样

KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");

generator.initialize(new KeyGenParameterSpec.Builder
                            (alias, KeyProperties.PURPOSE_SIGN)
                            .setDigests(KeyProperties.DIGEST_SHA256)
                            .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
                            .build());

虽然我可以使用它来生成密钥对条目并加密该值,但我无法解密它

 public void encryptString(String alias) {
        try {
            KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry)keyStore.getEntry(alias, null);
            RSAPublicKey publicKey = (RSAPublicKey) privateKeyEntry.getCertificate().getPublicKey();

            String initialText = startText.getText().toString();
            if(initialText.isEmpty()) {
                Toast.makeText(this, "Enter text in the 'Initial Text' widget", Toast.LENGTH_LONG).show();
                return;
            }

            //Security.getProviders();

            Cipher inCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding", "AndroidKeyStoreBCWorkaround");
            inCipher.init(Cipher.ENCRYPT_MODE, publicKey);

            ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
            CipherOutputStream cipherOutputStream = new CipherOutputStream(
                    outputStream, inCipher);
            cipherOutputStream.write(initialText.getBytes("UTF-8"));
            cipherOutputStream.close();

            byte [] vals = outputStream.toByteArray();
            encryptedText.setText(Base64.encodeToString(vals, Base64.DEFAULT));
        } catch (Exception e) {
            Toast.makeText(this, "Exception " + e.getMessage() + " occured", Toast.LENGTH_LONG).show();
            Log.e(TAG, Log.getStackTraceString(e));
        }
    }

public void decryptString(String alias) {
        try {
            KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry)keyStore.getEntry(alias, null);

            Cipher output = Cipher.getInstance("RSA/ECB/PKCS1Padding", "AndroidKeyStoreBCWorkaround");
            output.init(Cipher.DECRYPT_MODE, privateKeyEntry.getPrivateKey());

            String cipherText = encryptedText.getText().toString();
            CipherInputStream cipherInputStream = new CipherInputStream(
                    new ByteArrayInputStream(Base64.decode(cipherText, Base64.DEFAULT)), output);
            ArrayList<Byte> values = new ArrayList<>();
            int nextByte;
            while ((nextByte = cipherInputStream.read()) != -1) {
                values.add((byte)nextByte);
            }

            byte[] bytes = new byte[values.size()];
            for(int i = 0; i < bytes.length; i++) {
                bytes[i] = values.get(i).byteValue();
            }

            String finalText = new String(bytes, 0, bytes.length, "UTF-8");
            decryptedText.setText(finalText);

        } catch (Exception e) {
            Toast.makeText(this, "Exception " + e.getMessage() + " occured", Toast.LENGTH_LONG).show();
            Log.e(TAG, Log.getStackTraceString(e));
        }

decrypt方法中,以下命令失败:

 Cipher output = Cipher.getInstance("RSA/ECB/PKCS1Padding", "AndroidKeyStoreBCWorkaround");
                output.init(Cipher.DECRYPT_MODE, privateKeyEntry.getPrivateKey());


java.security.InvalidKeyException: Keystore operation failed

我认为它与KeyGenParamaterSpec.Builder有不正确的条件,类似于加密密码类型是不正确的字符串,在解密函数中也是一样。

但这可以追溯到使用新的KeygenParameterSpec.Builder,因为使用较旧的弃用方法允许我加密和解密。

如何解决?

2 个答案:

答案 0 :(得分:3)

正如Alex提到的一个缺失部分是KeyProperties.PURPOSE_DECRYPT,其他部分是setSignaturePaddings,而您必须使用setEncryptionPaddings方法。以下是示例代码段。

    new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
            // other options
           .build()

有关详细信息,请参阅documentation

答案 1 :(得分:1)

鉴于您没有提供异常的完整堆栈跟踪,很难100%确定。

您的代码会生成私钥,使其仅被授权用于签名,而不是解密。加密工作正常,因为它不使用私钥 - 它使用公钥,Android Keystore公钥可以不受任何限制地使用。解密失败,因为它需要使用私钥,但您的代码未授权使用私钥进行解密。

看起来立即修复是授权私钥用于解密。通过在调用KeyGenParameterSpec.Builder构造函数时列出KeyProperties.PURPOSE_DECRYPT来实现Thia。如果密钥不应用于签名,请从那里删除KeyProperties.PURPOSE_SIGN以及删除setSignaturePaddings。

您还需要使用PKCS1Padding授权私钥使用:调用setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)

相关问题
最新问题