KeyProperties.PURPOSE_SIGN|KeyProperties.PURPOSE_VERIFY) .setCertificateSubject(new X500Principal("CN=Inspeckage, OU=ACPM, O=ACPM, C=BR")) .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512) .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1) .setCertificateNotBefore(start.getTime())
alias, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY) .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512) .build());
/**
 * Generates a new key pair in the Android Keystore under {@link #keyAlias} via the
 * {@code KeyPairGenerator} API, using the {@link #keyAlgorithm} this instance was configured
 * with. The keystore creates both the private key and a self-signed certificate under that alias.
 *
 * <p>The key is restricted to {@code PURPOSE_SIGN} with SHA-256 digests. RSA keys additionally
 * get {@code KEY_SIZE_RSA} bits and PKCS#1 v1.5 signature padding; EC keys get
 * {@code KEY_SIZE_EC} bits. Any other algorithm name is passed through with no explicit key size,
 * leaving the provider's default.
 *
 * @throws GeneralSecurityException if no generator exists for {@code keyAlgorithm} under
 *         {@code keystoreName}, or the provider rejects the spec
 */
private void generateAuthenticationKey() throws GeneralSecurityException {
    KeyPairGenerator generator = KeyPairGenerator.getInstance(keyAlgorithm, keystoreName);

    KeyGenParameterSpec.Builder spec =
            new KeyGenParameterSpec.Builder(keyAlias, KeyProperties.PURPOSE_SIGN)
                    .setCertificateSubject(new X500Principal("CN=unused"))
                    .setDigests(KeyProperties.DIGEST_SHA256);

    switch (keyAlgorithm) {
        case KeyProperties.KEY_ALGORITHM_RSA:
            spec.setKeySize(KEY_SIZE_RSA)
                .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1);
            break;
        case KeyProperties.KEY_ALGORITHM_EC:
            spec.setKeySize(KEY_SIZE_EC);
            break;
        default:
            // Neither RSA nor EC: no size is set, the provider decides.
            break;
    }

    generator.initialize(spec.build());
    generator.generateKeyPair();
}
KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY) .setAlgorithmParameterSpec(new ECGenParameterSpec(EC_CURVE)) .setDigests(KEY_DIGEST) .setAttestationChallenge(challenge) .setKeyValidityStart(startTime);
KEYSTORE_WIGLE_CREDS_KEY_V1, KeyProperties.PURPOSE_DECRYPT | KeyProperties.PURPOSE_ENCRYPT) .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP) .build();
KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY) .setAlgorithmParameterSpec(new ECGenParameterSpec(AttestationProtocol.EC_CURVE)) .setDigests(AttestationProtocol.KEY_DIGEST) .setAttestationChallenge("sample".getBytes()); AttestationProtocol.generateKeyPair(KEY_ALGORITHM_EC, builder.build());
.setDigests(KeyProperties.DIGEST_SHA256) .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1) .setCertificateSerialNumber(BigInteger.valueOf(1337))
/**
 * Creates a 2048-bit RSA signing key under {@code KEY_NAME} in the Android Keystore (API 23+).
 *
 * <p>The key is limited to {@code PURPOSE_SIGN} with SHA-256 and PKCS#1 v1.5 signature padding.
 * {@code setUserAuthenticationRequired(true)} ties use of the private key to a prior user
 * authentication (the original author's intent: a fingerprint touch). That is what allows a
 * verifier to read a valid signature as "an authorized user was present". No validity window is
 * configured here, so none of the relaxation that
 * {@code setUserAuthenticationValidityDurationSeconds} would give applies.
 *
 * @throws RuntimeException if the keystore provider is unavailable or rejects the key spec
 */
@TargetApi(M)
public void createKeyPair() {
    final KeyPairGenerator generator;
    try {
        generator = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
    } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
        throw new RuntimeException("Failed to get an instance of KeyPairGenerator", e);
    }

    KeyGenParameterSpec.Builder spec = new KeyGenParameterSpec.Builder(KEY_NAME, PURPOSE_SIGN)
            .setKeySize(2048)
            .setDigests(DIGEST_SHA256)
            .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
            // Every private-key operation must be preceded by user authentication.
            .setUserAuthenticationRequired(true);

    try {
        generator.initialize(spec.build());
        generator.generateKeyPair();
    } catch (InvalidAlgorithmParameterException e) {
        throw new RuntimeException("failed to generate key pair", e);
    }
}
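/**
 * Generates a key pair in the Android Keystore from parameters supplied as extras on
 * {@code intent}. Nothing is written to {@code out}; failures surface as exceptions.
 *
 * <p>Extras read: {@code alias} (String, required), {@code algorithm} (String, required;
 * "RSA" and "EC" get an algorithm spec, anything else is handed to the provider as-is),
 * {@code purposes} (int, default 0), {@code digests} (String[], optional), {@code size}
 * (int, RSA modulus bits, default 2048; the public exponent is always 65537), {@code curve}
 * (String, required for EC), {@code validity} (int; when > 0 the key requires user
 * authentication valid for that many seconds).
 *
 * <p>NOTE(review): all of these values come from an Intent. If the component that receives
 * it is exported, any app on the device can create keys in this app's keystore namespace with
 * arbitrary aliases, purposes and auth settings — confirm the component is not exported, or
 * restrict who may send the Intent.
 *
 * @param out destination for results; unused by this implementation
 * @throws java.security.InvalidAlgorithmParameterException if a required extra is missing or
 *         the provider rejects the spec
 * @throws GeneralSecurityException if no generator exists for {@code algorithm} under
 *         {@code PROVIDER}
 */
@Override
public void writeResult(PrintWriter out) throws GeneralSecurityException {
    String alias = intent.getStringExtra("alias");
    String algorithm = intent.getStringExtra("algorithm");
    int purposes = intent.getIntExtra("purposes", 0);
    String[] digests = intent.getStringArrayExtra("digests");
    int size = intent.getIntExtra("size", 2048);
    String curve = intent.getStringExtra("curve");
    int userValidity = intent.getIntExtra("validity", 0);

    // Reject missing inputs with a checked, descriptive exception rather than letting the
    // builder or a String.equals() call fail with a NullPointerException.
    if (alias == null || alias.isEmpty()) {
        throw new java.security.InvalidAlgorithmParameterException("missing \"alias\" extra");
    }
    if (algorithm == null) {
        throw new java.security.InvalidAlgorithmParameterException("missing \"algorithm\" extra");
    }

    KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(alias, purposes);
    if (digests != null) {
        builder.setDigests(digests);
    }
    if (KeyProperties.KEY_ALGORITHM_RSA.equals(algorithm)) {
        // only the exponent 65537 is supported for now
        builder.setAlgorithmParameterSpec(
                new RSAKeyGenParameterSpec(size, RSAKeyGenParameterSpec.F4));
        builder.setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1);
    } else if (KeyProperties.KEY_ALGORITHM_EC.equals(algorithm)) {
        if (curve == null) {
            throw new java.security.InvalidAlgorithmParameterException(
                    "missing \"curve\" extra for EC key");
        }
        builder.setAlgorithmParameterSpec(new ECGenParameterSpec(curve));
    }
    if (userValidity > 0) {
        builder.setUserAuthenticationRequired(true);
        builder.setUserAuthenticationValidityDurationSeconds(userValidity);
    }

    KeyPairGenerator generator = KeyPairGenerator.getInstance(algorithm, PROVIDER);
    generator.initialize(builder.build());
    generator.generateKeyPair();
} });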
/**
 * Wraps {@code encKey} with a freshly generated RSA-2048 keystore key named "quickPass" and
 * stores the ciphertext in {@link #biometricKeyEncrypted}. Runs only on API 28+; on older
 * devices it does nothing.
 *
 * <p>The private half is created with {@code setUserAuthenticationRequired(true)}, so the
 * later unwrap (outside this block) has to go through user/biometric authentication. The
 * public half is used right here, with no authentication, to produce the wrapped value.
 *
 * <p>NOTE(review), behavior deliberately left unchanged: the key and the Cipher use PKCS#1 v1.5
 * encryption padding ("RSA/ECB/PKCS1PADDING"), the padding exposed to Bleichenbacher-style
 * padding-oracle attacks; OAEP is preferable but the decrypt side must change in step.
 * {@code BLOCK_MODE_CBC} has no meaning for an RSA key. Any failure is only logged, which leaves
 * {@code biometricKeyEncrypted} unset with no signal to the caller.
 *
 * @param encKey key material to wrap under the new keystore key
 */
private void encryptIdentityKeyBiometric(byte[] encKey) {
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.P) {
        return;
    }
    try {
        KeyPairGenerator generator =
                KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");

        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(
                "quickPass",
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setAlgorithmParameterSpec(new RSAKeyGenParameterSpec(2048, F4))
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
                .setDigests(KeyProperties.DIGEST_SHA256,
                        KeyProperties.DIGEST_SHA384,
                        KeyProperties.DIGEST_SHA512)
                .setUserAuthenticationRequired(true)
                .build();
        generator.initialize(spec);
        KeyPair pair = generator.generateKeyPair();

        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1PADDING"); //or try with "RSA"
        rsa.init(Cipher.ENCRYPT_MODE, pair.getPublic());
        this.biometricKeyEncrypted = rsa.doFinal(encKey);
    } catch (Exception e) {
        Log.e(TAG, e.getMessage(), e);
    }
}
/**
 * Creates an RSA key pair under {@code keystoreAlias} in the Android Keystore for
 * encrypt/decrypt with OAEP padding, allowing SHA-256 or SHA-512 as the OAEP digest (API 23+).
 *
 * <p>No key size is set, so the provider's default applies. NOTE(review): the Cipher
 * transformation used later must name one of the digests allowed here; Android's choice of
 * MGF1 digest for OAEP is a known interoperability pitfall — confirm against the decrypt side.
 *
 * @param keystoreAlias            alias to generate the key under
 * @param isAuthenticationRequired whether private-key use must be preceded by user
 *                                 authentication
 * @return {@code true} on success; {@code false} if the provider, algorithm or spec is
 *         rejected (the stack trace is printed, nothing is thrown)
 */
@TargetApi(Build.VERSION_CODES.M)
private boolean generateKey(String keystoreAlias, boolean isAuthenticationRequired) {
    try {
        KeyPairGenerator generator = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(keystoreAlias,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP)
                .setUserAuthenticationRequired(isAuthenticationRequired)
                .build();
        generator.initialize(spec);
        generator.generateKeyPair();
        return true;
    } catch (NoSuchAlgorithmException
            | NoSuchProviderException
            | InvalidAlgorithmParameterException exc) {
        exc.printStackTrace();
        return false;
    }
}
/**
 * Generates a NIST P-256 (secp256r1) EC key pair under {@code keyName} in the Android Keystore,
 * restricted to {@code PURPOSE_SIGN} with SHA-256/384/512 digests (API 28+ per the annotation).
 *
 * <p>The private key requires user authentication for each use; no validity window is set.
 * Verification only needs the public key and carries no such restriction.
 *
 * @param keyName                          keystore alias for the new pair
 * @param invalidatedByBiometricEnrollment passed straight to
 *                                         {@code setInvalidatedByBiometricEnrollment};
 *                                         {@code true} is the safer setting for keys that gate
 *                                         sign-in
 * @return the generated pair
 * @throws Exception if the provider is unavailable or rejects the spec
 */
@TargetApi(Build.VERSION_CODES.P)
private KeyPair generateKeyPair(String keyName, boolean invalidatedByBiometricEnrollment)
        throws Exception {
    KeyPairGenerator generator =
            KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
    KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(keyName, KeyProperties.PURPOSE_SIGN)
            .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
            .setDigests(KeyProperties.DIGEST_SHA256,
                    KeyProperties.DIGEST_SHA384,
                    KeyProperties.DIGEST_SHA512)
            // Every use of the private key must be authorized by the user.
            .setUserAuthenticationRequired(true)
            .setInvalidatedByBiometricEnrollment(invalidatedByBiometricEnrollment)
            .build();
    generator.initialize(spec);
    return generator.generateKeyPair();
}
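/**
 * Creates an RSA key pair under {@code alias} in the Android Keystore for encrypt/decrypt use
 * with PKCS#1 v1.5 encryption padding (API 23+).
 *
 * <p>Key size is 2048 bits. NOTE(review): this method previously generated 1024-bit keys.
 * RSA-1024 is below the 112-bit security level that current guidance requires and must not be
 * used for new keys. Raising the size only affects keys generated from now on — an existing
 * key under the same alias is untouched — and ciphertext produced with the new key is simply
 * longer (256 bytes instead of 128).
 *
 * <p>NOTE(review): PKCS#1 v1.5 encryption padding (the padding exposed to Bleichenbacher-style
 * padding oracles) is kept only because the decrypt side, outside this block, must match it;
 * OAEP is the padding to migrate to. {@code BLOCK_MODE_CBC} has no effect on an RSA key.
 *
 * @param alias       keystore alias to create the key under
 * @param requireAuth whether each private-key use must be preceded by user authentication.
 *                    No validity window is configured here; an earlier comment claimed a
 *                    five-minute window, which the code never set — add
 *                    {@code setUserAuthenticationValidityDurationSeconds(...)} if that is wanted.
 * @throws RuntimeException wrapping a provider, algorithm or parameter failure
 */
@TargetApi(Build.VERSION_CODES.M)
static void createKeysM(String alias, boolean requireAuth) {
    // 1024-bit RSA is no longer acceptable; 2048 is the current floor.
    final int rsaKeySizeBits = 2048;
    try {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_RSA,
                SecurityConstants.KEYSTORE_PROVIDER_ANDROID_KEYSTORE);
        keyPairGenerator.initialize(new KeyGenParameterSpec.Builder(alias,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setAlgorithmParameterSpec(new RSAKeyGenParameterSpec(rsaKeySizeBits, F4))
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
                .setDigests(KeyProperties.DIGEST_SHA256,
                        KeyProperties.DIGEST_SHA384,
                        KeyProperties.DIGEST_SHA512)
                .setUserAuthenticationRequired(requireAuth)
                .build());
        keyPairGenerator.generateKeyPair();
    } catch (NoSuchProviderException
            | NoSuchAlgorithmException
            | InvalidAlgorithmParameterException e) {
        throw new RuntimeException(e);
    }
}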
/**
 * Generates a NIST P-256 (secp256r1) EC key pair under {@code keyName} in the Android Keystore.
 * The key may only sign ({@code PURPOSE_SIGN}) and only with SHA-256, SHA-384 or SHA-512.
 *
 * <p>Each use of the private key requires user authentication; no validity window is
 * configured. The public key, used for verification, is not restricted.
 * {@code setInvalidatedByBiometricEnrollment} needs API 24+ — this method carries no
 * {@code @TargetApi}, so the caller is responsible for the version gate.
 *
 * @param keyName                          keystore alias for the new pair
 * @param invalidatedByBiometricEnrollment forwarded to
 *                                         {@code setInvalidatedByBiometricEnrollment}
 * @return the generated pair
 * @throws Exception if the provider is unavailable or rejects the spec
 */
private KeyPair generateKeyPair(String keyName, boolean invalidatedByBiometricEnrollment)
        throws Exception {
    KeyGenParameterSpec.Builder builder =
            new KeyGenParameterSpec.Builder(keyName, KeyProperties.PURPOSE_SIGN);
    builder.setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"));
    builder.setDigests(KeyProperties.DIGEST_SHA256,
            KeyProperties.DIGEST_SHA384,
            KeyProperties.DIGEST_SHA512);
    // The user must authorize every private-key operation.
    builder.setUserAuthenticationRequired(true);
    builder.setInvalidatedByBiometricEnrollment(invalidatedByBiometricEnrollment);

    KeyPairGenerator generator =
            KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
    generator.initialize(builder.build());
    return generator.generateKeyPair();
}
/**
 * Creates an asymmetric EC P-256 (secp256r1) signing key pair in the Android Keystore under
 * {@code KEY_NAME}. The private key can only be used after user authentication (the original
 * author's note: fingerprint authentication); use of the public key is unrestricted.
 *
 * @throws RuntimeException if the keystore rejects the key spec
 */
public void createKeyPair() {
    KeyGenParameterSpec.Builder spec =
            new KeyGenParameterSpec.Builder(KEY_NAME, KeyProperties.PURPOSE_SIGN)
                    .setDigests(KeyProperties.DIGEST_SHA256)
                    .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                    // Authentication is demanded on every use; no validity window is set.
                    .setUserAuthenticationRequired(true);
    try {
        mKeyPairGenerator.initialize(spec.build());
        mKeyPairGenerator.generateKeyPair();
    } catch (InvalidAlgorithmParameterException e) {
        throw new RuntimeException(e);
    }
}