Generated Android key pair has no provable certificate chain

Time: 2019-04-09 18:58:33

Tags: java android security encryption public-key-encryption

I am generating a key pair on an Android device (8.1 / API level 27) with the following code:

import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import javax.security.auth.x500.X500Principal;

// Key is generated inside the Android Keystore under KEY_ALIAS.
KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(
        KEY_ALIAS,
        KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY
    )
    .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512)
    .setCertificateSubject(new X500Principal("CN=X, O=X"))
    .setCertificateSerialNumber(BigInteger.ONE)
    .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
    .build();

KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
generator.initialize(spec);

generator.generateKeyPair();

I then want to prove that the generated certificate was signed by the Google root certificate, to prove that the certificate is stored in the TEE (see Verifying hardware-backed key pairs with Key Attestation):

import android.security.keystore.KeyInfo;
import android.util.Log;
import java.security.KeyFactory;
import java.security.KeyStore;

// Load the Android Keystore (a null LoadStoreParameter is required for this provider).
KeyStore keystore = KeyStore.getInstance("AndroidKeyStore");
keystore.load(null);

KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry) keystore
    .getEntry(KEY_ALIAS, null);

// KeyInfo exposes keystore metadata such as whether the key lives in secure hardware.
KeyFactory keyFactory = KeyFactory.getInstance(
    privateKeyEntry.getPrivateKey().getAlgorithm(),
    "AndroidKeyStore"
);
KeyInfo keyInfo = keyFactory.getKeySpec(privateKeyEntry.getPrivateKey(), KeyInfo.class);

Log.i(TAG, "Is key in secure hardware: " + keyInfo.isInsideSecureHardware());
Log.i(TAG, "Number of certificates in the chain: " + privateKeyEntry.getCertificateChain().length);

Which returns:

Is key in secure hardware: true
Number of certificates in the chain: 1

The only certificate in the chain is the one containing the generated public key, and it carries no attestation certificate extension data.

How do I generate the key pair so that I get a certificate chain containing the attestation extension data?

1 answer:

Answer 0 (score: 0)

You need to explicitly request hardware attestation by calling setAttestationChallenge on the KeyGenParameterSpec.Builder instance and passing it a server-side generated nonce.

This causes the Android Keystore to sign the public key certificate with an OEM-provided, hardware-protected key (which is itself signed by Google's intermediate CA key, which in turn is signed by Google's root CA key).

You then obtain the full chain by calling getCertificateChain on the KeyStore instance.
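An added example, not the asker's or the answerer's code, that puts the answer together: the same builder with setAttestationChallenge, the chain fetched via getCertificateChain, and a local sanity check that the chain is longer than one certificate, carries the attestation extension and is internally consistent before it is sent to the server. The class name, alias and the source of the challenge bytes are assumptions; the OID value is the Android key attestation extension OID.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;

public final class AttestedKeyExample {
    static final String KEY_ALIAS = "attested-signing-key";          // assumed alias
    // OID of the Android key attestation extension (KeyDescription) in the leaf cert.
    static final String ATTESTATION_OID = "1.3.6.1.4.1.11129.2.1.17";

    // Generate the key with a server-supplied challenge and return the full chain.
    // 'serverChallenge' is assumed to be a fresh nonce received from the verifying server.
    static Certificate[] generateAttestedKey(byte[] serverChallenge) throws Exception {
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(
                KEY_ALIAS, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
            .setDigests(KeyProperties.DIGEST_SHA256)
            .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
            .setCertificateSubject(new X500Principal("CN=X, O=X"))
            .setCertificateSerialNumber(BigInteger.ONE)
            .setAttestationChallenge(serverChallenge)   // this call is what requests attestation
            .build();
        KeyPairGenerator gen =
            KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
        gen.initialize(spec);
        gen.generateKeyPair();

        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        return ks.getCertificateChain(KEY_ALIAS);       // leaf first, OEM/Google certs after it
    }

    // Client-side sanity check only. The server must still pin the last certificate to
    // Google's published attestation root and compare the challenge inside the extension
    // with the nonce it issued; neither check can be trusted if done on the device.
    static boolean looksAttested(Certificate[] chain) throws Exception {
        if (chain == null || chain.length < 2) return false;   // lone self-signed cert: no attestation
        X509Certificate leaf = (X509Certificate) chain[0];
        if (leaf.getExtensionValue(ATTESTATION_OID) == null) return false;
        // Each certificate must verify under the public key of the next one up the chain.
        for (int i = 0; i + 1 < chain.length; i++) {
            chain[i].verify(chain[i + 1].getPublicKey());   // throws if the signature is bad
        }
        return true;
    }
}
```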