android - Can an Android KeyChain be protected with an HSM?

Reposted. Author: 行者123. Updated: 2023-12-04 23:59:38

For security reasons, I want to store my private key in an HSM and then share the private key with another app through KeyChain. KeyStore mentions that it can be backed by an HSM, but I have not found any documentation stating that KeyChain can be.

Based on the KeyChain documentation, KeyChain is the correct way to share credentials between apps:

Use the KeyChain API when you want system-wide credentials. When an app requests the use of any credential through the KeyChain API, users get to choose, through a system-provided UI, which of the installed credentials an app can access. This allows several apps to use the same set of credentials with user consent.

So, can an Android KeyChain be protected with an HSM?

Best answer

After a lot of searching, it turns out the answer is yes, it is possible.

The Android 4.3 changelog seems to be the only place that documents it:

Android also now supports hardware-backed storage for your KeyChain credentials, providing more security by making the keys unavailable for extraction. That is, once keys are in a hardware-backed key store (Secure Element, TPM, or TrustZone), they can be used for cryptographic operations but the private key material cannot be exported. Even the OS kernel cannot access this key material.


I tested this with code, and it seems that once you import a KeyPair into the KeyChain, it is automatically placed in secure hardware. Here is the Kotlin code I ran for the test:

```kotlin
import android.security.KeyChain
import android.security.keystore.KeyInfo
import android.util.Log
import java.security.KeyFactory
import kotlinx.coroutines.GlobalScope
import kotlinx.coroutines.launch

// KeyChain.getPrivateKey() blocks, so it must run off the main thread
GlobalScope.launch {
    context?.let { it1 ->
        // "device_certificate" is the alias the key pair was imported under
        val privKey = KeyChain.getPrivateKey(it1, "device_certificate")
        Log.d("App", privKey.toString()) // Shows that this is an AndroidKeyStoreRSAPrivateKey
        // Ask the AndroidKeyStore provider for the key's metadata
        val keyFactory: KeyFactory = KeyFactory.getInstance(privKey?.algorithm, "AndroidKeyStore")
        val keyInfo: KeyInfo = keyFactory.getKeySpec(privKey, KeyInfo::class.java)
        if (keyInfo.isInsideSecureHardware) {
            Log.d("App", "The key is in secure hardware!")
        } else {
            Log.d("App", "The key is not in secure hardware!")
        }
    }
}
```

It printed "The key is in secure hardware!".
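As an added example (not part of the original answer or of Android's own code), the same check extended to newer Android versions, where `isInsideSecureHardware()` is deprecated in favour of `KeyInfo.getSecurityLevel()` (API 31+), which also distinguishes a TEE from a StrongBox key. It then signs a message through the keystore to show the key is usable without ever being exported. The helper name, the `KeyBacking` enum and the alias are assumptions; the key is assumed to be RSA, as in the answer.

```kotlin
import android.content.Context
import android.os.Build
import android.security.KeyChain
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import android.util.Log
import java.security.KeyFactory
import java.security.Signature
import kotlinx.coroutines.Dispatchers
import kotlinx.coroutines.withContext

// Hypothetical classification of where a KeyChain private key lives.
enum class KeyBacking { SOFTWARE, TEE, STRONGBOX, UNKNOWN_SECURE, UNKNOWN }

// Hypothetical helper: report the key's backing and prove it signs without export.
suspend fun inspectKeyChainKey(context: Context, alias: String): KeyBacking =
    withContext(Dispatchers.IO) { // KeyChain.getPrivateKey must not run on the main thread
        val privKey = KeyChain.getPrivateKey(context, alias)
            ?: return@withContext KeyBacking.UNKNOWN // alias missing or not granted to this app
        // Query the AndroidKeyStore provider, not the default provider, for KeyInfo
        val keyInfo = KeyFactory.getInstance(privKey.algorithm, "AndroidKeyStore")
            .getKeySpec(privKey, KeyInfo::class.java)
        val backing = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            when (keyInfo.securityLevel) {
                KeyProperties.SECURITY_LEVEL_STRONGBOX -> KeyBacking.STRONGBOX
                KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT -> KeyBacking.TEE
                KeyProperties.SECURITY_LEVEL_UNKNOWN_SECURE -> KeyBacking.UNKNOWN_SECURE
                KeyProperties.SECURITY_LEVEL_SOFTWARE -> KeyBacking.SOFTWARE
                else -> KeyBacking.UNKNOWN
            }
        } else {
            // Pre-API-31 devices only expose the boolean used in the answer above
            @Suppress("DEPRECATION")
            if (keyInfo.isInsideSecureHardware) KeyBacking.UNKNOWN_SECURE else KeyBacking.SOFTWARE
        }
        // Sign inside the keystore: the private key material never leaves the hardware
        val sig = Signature.getInstance("SHA256withRSA").apply { initSign(privKey) }
        sig.update("constructed test message".toByteArray()) // constructed sample input
        Log.d("App", "alias=$alias backing=$backing signatureBytes=${sig.sign().size}")
        backing
    }
```

A caller that requires hardware protection should treat anything other than `TEE` or `STRONGBOX` (or `UNKNOWN_SECURE` on older devices) as a reason not to use the key.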

Regarding "android - Can an Android KeyChain be protected with an HSM?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/63182799/
