3DES fails in Android hardware-backed keystore
I'm trying to get 3DES decryption with the key stored in secure hardware on Android (Trusted Execution Environment or StrongBox) working.
From what I've read, 3DES should be available with KeyMaster 4.0 [1, 2], but I get a NullPointerException: Attempt to get length of null array in the BC provider with the code below on cipher.init (see stacktrace at the end). I've tested on Samsung Tab Active 3, Note 10 and S22+, which all seem to support KeyMaster 4 or better (tested through public key attestation).
I've tried explicitly setting a provider, but haven't found any other that implements 3DES decryption. I'm guessing that the NPE from BC means that BC hasn't got access to the key data, which again means that it's not running in the TEE.
I've tried similar code with AES, and it works with the key in hardware-backed store without selecting a provider.
Does anyone have any tips for getting 3DES in KeyMaster working, or are the claims for 3DES support exaggerated?
Test code:
import android.security.keystore.KeyProperties;
import android.security.keystore.KeyProtection;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

// Load key store
KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
keyStore.load(null);
// Generate random 3DES key (generated in software by the default provider, then imported)
KeyGenerator keyGenerator = KeyGenerator.getInstance("DESede");
keyGenerator.init(168);
SecretKey randomDes = keyGenerator.generateKey();
// Store in keystore
keyStore.setEntry(
        "randomDes",
        new KeyStore.SecretKeyEntry(randomDes),
        new KeyProtection.Builder(KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .build());
// Read key back from keystore, key data is not in object as it is protected
SecretKey keyStore3Des = (SecretKey) keyStore.getKey("randomDes", null);
assert keyStore3Des.getEncoded() == null;
// Create cipher for decrypt; this is the call that throws the NPE shown below
Cipher cipher = Cipher.getInstance("DESede/CBC/NoPadding");
IvParameterSpec iv = new IvParameterSpec(new byte[8]);
cipher.init(Cipher.DECRYPT_MODE, keyStore3Des, iv);
Stacktrace:
java.lang.NullPointerException: Attempt to get length of null array
at com.android.org.bouncycastle.crypto.params.KeyParameter.<init>(KeyParameter.java:17)
at com.android.org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineInit(BaseBlockCipher.java:787)
at javax.crypto.Cipher.tryTransformWithProvider(Cipher.java:2980)
at javax.crypto.Cipher.tryCombinations(Cipher.java:2891)
at javax.crypto.Cipher$SpiAndProviderUpdater.updateAndGetSpiAndProvider(Cipher.java:2796)
at javax.crypto.Cipher.chooseProvider(Cipher.java:773)
at javax.crypto.Cipher.init(Cipher.java:1288)
at javax.crypto.Cipher.init(Cipher.java:1223)
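A diagnostic to pair with the question above (added example, not the poster's code): it generates the 3DES key inside AndroidKeyStore with KEY_ALGORITHM_3DES instead of importing a software-generated key, asks the keystore whether the key actually sits in secure hardware, and reports which JCA provider the cipher resolved to. It assumes an API 28+ device, an alias of your choosing, and only standard Android keystore APIs.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;

public final class KeystoreTripleDesCheck {

    // Generate the 3DES key inside AndroidKeyStore (API 28+), so the key material
    // never exists in app memory and no import step is involved.
    static SecretKey generateInKeystore(String alias) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_3DES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(alias,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setKeySize(168)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setRandomizedEncryptionRequired(false) // caller supplies the IV
                .build());
        return kg.generateKey();
    }

    // Ask the keystore where the key lives. false means the device's Keymaster
    // did not take the key and it is held by the software keystore instead.
    static boolean isInSecureHardware(SecretKey key) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
        KeyInfo info = (KeyInfo) f.getKeySpec(key, KeyInfo.class);
        return info.isInsideSecureHardware();
    }

    // Initialise the cipher with the keystore key and return the provider that
    // ended up handling it. A name starting with "AndroidKeyStore" means the
    // operation is dispatched to the keystore; "BC" means a software provider
    // was selected, which cannot work because getEncoded() is null for such keys.
    static String providerForDecrypt(SecretKey key) throws Exception {
        Cipher cipher = Cipher.getInstance("DESede/CBC/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(new byte[8]));
        return cipher.getProvider().getName();
    }

    static boolean keystoreHandlesCipher(SecretKey key) throws Exception {
        return providerForDecrypt(key).startsWith("AndroidKeyStore");
    }
}
```

Running isInSecureHardware and keystoreHandlesCipher on the same key separates the two possible failures: the key never reached the TEE, or the cipher resolution picked BC instead of the keystore provider.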