EncryptedSharedPreferences isUserAuthenticationRequired 无法正常工作
EncryptedSharedPreferences isUserAuthenticationRequired not working properly
我正在使用 EncryptedSharedPreferences 来存储加密数据。
val biometricManager = BiometricManager.from(this)
val hasFingerprint = biometricManager.canAuthenticate() == BiometricManager.BIOMETRIC_SUCCESS
val advanceSpec = KeyGenParameterSpec.Builder(
"master_key",
KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
).apply {
setBlockModes(KeyProperties.BLOCK_MODE_GCM)
setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
setKeySize(256)
if(hasFingerprint){
setUserAuthenticationRequired(true)
setUserAuthenticationValidityDurationSeconds(1)
if(Build.VERSION.SDK_INT >= Build.VERSION_CODES.N){
setInvalidatedByBiometricEnrollment(false)
}
if(Build.VERSION.SDK_INT >= Build.VERSION_CODES.P){
setIsStrongBoxBacked(true)
setUserConfirmationRequired(true)
}
}
}.build()
val masterKey = MasterKeys.getOrCreate(advanceSpec)
val preferences = EncryptedSharedPreferences.create(
"TestPreferences",
masterKey,
applicationContext,
EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
)
实际上,我遗漏了 BiometricPrompt 部分。我认为调用 setUserAuthenticationRequired(true) 会自动处理用户身份验证。但我们必须自己显示 BiometricPrompt。 isUserAuthenticationRequired 仅确保只有在用户被授权时才会激活密钥。
val biometricPrompt = BiometricPrompt(
activity,
ContextCompat.getMainExecutor(activity),
object: BiometricPrompt.AuthenticationCallback() {
override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
super.onAuthenticationSucceeded(result)
createSharedPreferences()
}
}
)
biometricPrompt.authenticate(promptInfo)
但是,有一个问题。它只在创建 EncryptedSharedPreferences 时抛出 UserNotAuthenticatedException。之后,我们可以根据需要执行读写操作。它没有考虑 setUserAuthenticationValidityDurationSeconds(1).
我找到了不需要身份验证的原因post 1 秒。这是因为,一旦启动了加密的共享首选项,它就会加载用于在内存中加密和解密数据的密钥,然后使用这些密钥从文件中访问数据。你可以阅读EncryptedSharedPreferenceclass里面的代码。这很明显。
KeysetHandle daeadKeysetHandle = new AndroidKeysetManager.Builder()
.withKeyTemplate(prefKeyEncryptionScheme.getKeyTemplate())
.withSharedPref(context, KEY_KEYSET_ALIAS, fileName)
.withMasterKeyUri(KEYSTORE_PATH_URI + masterKeyAlias)
.build().getKeysetHandle();
KeysetHandle aeadKeysetHandle = new AndroidKeysetManager.Builder()
.withKeyTemplate(prefValueEncryptionScheme.getKeyTemplate())
.withSharedPref(context, VALUE_KEYSET_ALIAS, fileName)
.withMasterKeyUri(KEYSTORE_PATH_URI + masterKeyAlias)
.build().getKeysetHandle();
DeterministicAead daead = daeadKeysetHandle.getPrimitive(DeterministicAead.class);
Aead aead = aeadKeysetHandle.getPrimitive(Aead.class);
return new EncryptedSharedPreferences(fileName, masterKeyAlias,
context.getSharedPreferences(fileName, Context.MODE_PRIVATE), aead, daead);
我正在使用 EncryptedSharedPreferences 来存储加密数据。
val biometricManager = BiometricManager.from(this)
val hasFingerprint = biometricManager.canAuthenticate() == BiometricManager.BIOMETRIC_SUCCESS
val advanceSpec = KeyGenParameterSpec.Builder(
"master_key",
KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
).apply {
setBlockModes(KeyProperties.BLOCK_MODE_GCM)
setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
setKeySize(256)
if(hasFingerprint){
setUserAuthenticationRequired(true)
setUserAuthenticationValidityDurationSeconds(1)
if(Build.VERSION.SDK_INT >= Build.VERSION_CODES.N){
setInvalidatedByBiometricEnrollment(false)
}
if(Build.VERSION.SDK_INT >= Build.VERSION_CODES.P){
setIsStrongBoxBacked(true)
setUserConfirmationRequired(true)
}
}
}.build()
val masterKey = MasterKeys.getOrCreate(advanceSpec)
val preferences = EncryptedSharedPreferences.create(
"TestPreferences",
masterKey,
applicationContext,
EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
)
实际上,我遗漏了 BiometricPrompt 部分。我认为调用 setUserAuthenticationRequired(true) 会自动处理用户身份验证。但我们必须自己显示 BiometricPrompt。 isUserAuthenticationRequired 仅确保只有在用户被授权时才会激活密钥。
val biometricPrompt = BiometricPrompt(
activity,
ContextCompat.getMainExecutor(activity),
object: BiometricPrompt.AuthenticationCallback() {
override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
super.onAuthenticationSucceeded(result)
createSharedPreferences()
}
}
)
biometricPrompt.authenticate(promptInfo)
但是,有一个问题。它只在创建 EncryptedSharedPreferences 时抛出 UserNotAuthenticatedException。之后,我们可以根据需要执行读写操作。它没有考虑 setUserAuthenticationValidityDurationSeconds(1).
我找到了不需要身份验证的原因post 1 秒。这是因为,一旦启动了加密的共享首选项,它就会加载用于在内存中加密和解密数据的密钥,然后使用这些密钥从文件中访问数据。你可以阅读EncryptedSharedPreferenceclass里面的代码。这很明显。
KeysetHandle daeadKeysetHandle = new AndroidKeysetManager.Builder()
.withKeyTemplate(prefKeyEncryptionScheme.getKeyTemplate())
.withSharedPref(context, KEY_KEYSET_ALIAS, fileName)
.withMasterKeyUri(KEYSTORE_PATH_URI + masterKeyAlias)
.build().getKeysetHandle();
KeysetHandle aeadKeysetHandle = new AndroidKeysetManager.Builder()
.withKeyTemplate(prefValueEncryptionScheme.getKeyTemplate())
.withSharedPref(context, VALUE_KEYSET_ALIAS, fileName)
.withMasterKeyUri(KEYSTORE_PATH_URI + masterKeyAlias)
.build().getKeysetHandle();
DeterministicAead daead = daeadKeysetHandle.getPrimitive(DeterministicAead.class);
Aead aead = aeadKeysetHandle.getPrimitive(Aead.class);
return new EncryptedSharedPreferences(fileName, masterKeyAlias,
context.getSharedPreferences(fileName, Context.MODE_PRIVATE), aead, daead);