KeyInfo的isInsideSecureHardware-method的返回值似乎取决于设备型号,操作系统版本以及其他一些随机因素.
例如,当使用索尼xperia z5 compact与旧的os版本时,isInsideSecureHardware()可能会返回true一段时间,然后突然开始为同一私钥返回false.
使用最新的操作系统版本(32.2.A.0.224),它似乎只返回false.
华为Nexus 6P始终如一.
有没有办法确保密钥存储在安全的硬件中?
这是我目前的代码:
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
keyPairGenerator.initialize(new KeyGenParameterSpec.Builder(KEY_NAME, KeyProperties.PURPOSE_DECRYPT | KeyProperties.PURPOSE_ENCRYPT)
.setUserAuthenticationRequired(true)
.setBlockModes(KeyProperties.BLOCK_MODE_ECB)
.setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
.build());
KeyPair keyPair = keyPairGenerator.generateKeyPair();
// Check that private key is inside secure hardware
KeyFactory factory = KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
KeyInfo keyInfo = factory.getKeySpec(key, KeyInfo.class);
boolean secure = keyInfo.isInsideSecureHardware(); // this usually returns false
谢谢!
有人提到以下警告打印到日志:
W keystore: Primary keymaster device failed to generate key, falling back to SW.