我惊讶地发现 Jatpack Security只提供对File和SharedPreferences加密的支持。但是我需要能够加密和解密Strings 因为我想使用AccountManagerand 来存储刷新和访问令牌,并且按照官方文档中的建议,这种数据应该加密发送到AccountManager:
在线搜索有很多关于如何String在 Android 上加密 s 的教程,但其中大多数似乎已经很老了,我害怕选择错误的教程可能会导致 Play Store Console 上出现这种警告:
那么,String2021 年在 Android 应用程序中加密 s 的正确且安全的方法是什么?Jetpack Security 仍然可以在某种程度上使用(也许是生成密钥?)以及为什么它不支持开箱即用的字符串加密,而只支持Files 和SharedPreferences?
在深入了解 and 的实现之后EncryptedSharedPreferences,EncryptedFile我设法创建了一个CryptoHelper类,它使用与 Jetpack Security 的 2 个类相同的方法,提供了一种加密、解密、签名和验证ByteArrays 的方法:
import android.content.Context
import androidx.security.crypto.MasterKeys
import com.google.crypto.tink.Aead
import com.google.crypto.tink.DeterministicAead
import com.google.crypto.tink.KeyTemplate
import com.google.crypto.tink.KeyTemplates
import com.google.crypto.tink.PublicKeySign
import com.google.crypto.tink.PublicKeyVerify
import com.google.crypto.tink.aead.AeadConfig
import com.google.crypto.tink.daead.DeterministicAeadConfig
import com.google.crypto.tink.integration.android.AndroidKeysetManager
import com.google.crypto.tink.signature.SignatureConfig
import java.io.IOException
import java.security.GeneralSecurityException
/**
* Class used to encrypt, decrypt, sign ad verify data.
*
* <pre>
* // Encrypt
* val cypherText = cryptoHelper.encrypt(text.toByteArray())
* // Decrypt
* val plainText = cryptoHelper.decrypt(cypherText)
* // Sign
* val signature = cryptoHelper.sign(text.toByteArray())
* // Verify
* val verified = cryptoHelper.verify(signature, text.toByteArray())
* </pre>
*/
@Suppress("unused")
class CryptoHelper(
private val aead: Aead,
private val deterministicAead: DeterministicAead,
private val signer: PublicKeySign,
private val verifier: PublicKeyVerify,
) {
/**
* Builder class to configure CryptoHelper
*/
class Builder(
// Required parameters
private val context: Context,
) {
// Optional parameters
private var masterKeyAlias: String = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC)
private var keysetPrefName = KEYSET_PREF_NAME
private var keysetAlias = KEYSET_ALIAS
private var aeadKeyTemplate: KeyTemplate
private var deterministicAeadKeyTemplate: KeyTemplate
private var signKeyTemplate: KeyTemplate
init {
AeadConfig.register()
DeterministicAeadConfig.register()
SignatureConfig.register()
aeadKeyTemplate = KeyTemplates.get("AES256_GCM")
deterministicAeadKeyTemplate = KeyTemplates.get("AES256_SIV")
signKeyTemplate = KeyTemplates.get("ECDSA_P256")
}
/**
* @param masterKey The SharedPreferences file to store the keyset.
* @return This Builder
*/
fun setMasterKey(masterKey: String): Builder {
this.masterKeyAlias = masterKey
return this
}
/**
* @param keysetPrefName The SharedPreferences file to store the keyset.
* @return This Builder
*/
fun setKeysetPrefName(keysetPrefName: String): Builder {
this.keysetPrefName = keysetPrefName
return this
}
/**
* @param keysetAlias The alias in the SharedPreferences file to store the keyset.
* @return This Builder
*/
fun setKeysetAlias(keysetAlias: String): Builder {
this.keysetAlias = keysetAlias
return this
}
/**
* @param keyTemplate If the keyset for Aead encryption is not found or valid, generates a new one using keyTemplate.
* @return This Builder
*/
fun setAeadKeyTemplate(keyTemplate: KeyTemplate): Builder {
this.aeadKeyTemplate = keyTemplate
return this
}
/**
* @param keyTemplate If the keyset for deterministic Aead encryption is not found or valid, generates a new one using keyTemplate.
* @return This Builder
*/
fun setDeterministicAeadKeyTemplate(keyTemplate: KeyTemplate): Builder {
this.deterministicAeadKeyTemplate = keyTemplate
return this
}
/**
* @param keyTemplate If the keyset for signing/verifying is not found or valid, generates a new one using keyTemplate.
* @return This Builder
*/
fun setSignKeyTemplate(keyTemplate: KeyTemplate): Builder {
this.signKeyTemplate = keyTemplate
return this
}
/**
* @return An CryptoHelper with the specified parameters.
*/
@Throws(GeneralSecurityException::class, IOException::class)
fun build(): CryptoHelper {
val aeadKeysetHandle = AndroidKeysetManager.Builder()
.withKeyTemplate(aeadKeyTemplate)
.withSharedPref(context, keysetAlias + "_aead__", keysetPrefName)
.withMasterKeyUri(KEYSTORE_PATH_URI + masterKeyAlias)
.build().keysetHandle
val deterministicAeadKeysetHandle = AndroidKeysetManager.Builder()
.withKeyTemplate(deterministicAeadKeyTemplate)
.withSharedPref(context, keysetAlias + "_daead__", keysetPrefName)
.withMasterKeyUri(KEYSTORE_PATH_URI + masterKeyAlias)
.build().keysetHandle
val signKeysetHandle = AndroidKeysetManager.Builder()
.withKeyTemplate(signKeyTemplate)
.withSharedPref(context, keysetAlias + "_sign__", keysetPrefName)
.withMasterKeyUri(KEYSTORE_PATH_URI + masterKeyAlias)
.build().keysetHandle
val aead = aeadKeysetHandle.getPrimitive(Aead::class.java)
val deterministicAead = deterministicAeadKeysetHandle.getPrimitive(DeterministicAead::class.java)
val signer = signKeysetHandle.getPrimitive(PublicKeySign::class.java)
val verifier = signKeysetHandle.publicKeysetHandle.getPrimitive(PublicKeyVerify::class.java)
return CryptoHelper(aead, deterministicAead, signer, verifier)
}
}
fun encrypt(plainText: ByteArray, associatedData: ByteArray = ByteArray(0)): ByteArray =
aead.encrypt(plainText, associatedData)
fun decrypt(ciphertext: ByteArray, associatedData: ByteArray = ByteArray(0)): ByteArray =
aead.decrypt(ciphertext, associatedData)
fun encryptDeterministically(plainText: ByteArray, associatedData: ByteArray = ByteArray(0)): ByteArray =
deterministicAead.encryptDeterministically(plainText, associatedData)
fun decryptDeterministically(ciphertext: ByteArray, associatedData: ByteArray = ByteArray(0)): ByteArray =
deterministicAead.decryptDeterministically(ciphertext, associatedData)
fun sign(data: ByteArray): ByteArray =
signer.sign(data)
fun verify(signature: ByteArray, data: ByteArray): Boolean =
try {
verifier.verify(signature, data)
true
} catch (e: GeneralSecurityException) {
false
}
companion object {
private const val KEYSTORE_PATH_URI = "android-keystore://"
private const val KEYSET_PREF_NAME = "__crypto_helper_pref__"
private const val KEYSET_ALIAS = "__crypto_helper_keyset"
}
}
不要忘记添加com.google.crypto.tink:tink-android为实现依赖项,因为 Jetpack Security 不会将其公开为 api。