I have an Android application that uses the Android secure keystore to encrypt/decrypt account information.
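The minimum SDK is set to 23, so there should always be a valid keystore available, but I have received some crash reports about keystore failures, one of them from an Essential PH1 phone running Android 10.
The reported error is as follows: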
Non-fatal Exception: java.security.InvalidKeyException
Keystore operation failed
android.security.KeyStore.getInvalidKeyException (KeyStore.java:1362)
android.security.KeyStore.getInvalidKeyException (KeyStore.java:1402)
android.security.keystore.KeyStoreCryptoOperationUtils.getInvalidKeyExceptionForInit (KeyStoreCryptoOperationUtils.java:54)
android.security.keystore.KeyStoreCryptoOperationUtils.getExceptionForCipherInit (KeyStoreCryptoOperationUtils.java:89)
android.security.keystore.AndroidKeyStoreCipherSpiBase.ensureKeystoreOperationInitialized (AndroidKeyStoreCipherSpiBase.java:265)
android.security.keystore.AndroidKeyStoreCipherSpiBase.engineInit (AndroidKeyStoreCipherSpiBase.java:148)
javax.crypto.Cipher.tryTransformWithProvider (Cipher.java:2980)
javax.crypto.Cipher.tryCombinations (Cipher.java:2891)
javax.crypto.Cipher$SpiAndProviderUpdater.updateAndGetSpiAndProvider (Cipher.java:2796)
javax.crypto.Cipher.chooseProvider (Cipher.java:773)
javax.crypto.Cipher.init (Cipher.java:1288)
javax.crypto.Cipher.init (Cipher.java:1223)
Caused by android.security.KeyStoreException
-62
android.security.KeyStore.getKeyStoreException (KeyStore.java:1292)
android.security.KeyStore.getInvalidKeyException (KeyStore.java:1402)
android.security.keystore.KeyStoreCryptoOperationUtils.getInvalidKeyExceptionForInit (KeyStoreCryptoOperationUtils.java:54)
android.security.keystore.KeyStoreCryptoOperationUtils.getExceptionForCipherInit (KeyStoreCryptoOperationUtils.java:89)
android.security.keystore.AndroidKeyStoreCipherSpiBase.ensureKeystoreOperationInitialized (AndroidKeyStoreCipherSpiBase.java:265)
android.security.keystore.AndroidKeyStoreCipherSpiBase.engineInit (AndroidKeyStoreCipherSpiBase.java:148)
javax.crypto.Cipher.tryTransformWithProvider (Cipher.java:2980)
javax.crypto.Cipher.tryCombinations (Cipher.java:2891)
javax.crypto.Cipher$SpiAndProviderUpdater.updateAndGetSpiAndProvider (Cipher.java:2796)
javax.crypto.Cipher.chooseProvider (Cipher.java:773)
javax.crypto.Cipher.init (Cipher.java:1288)
javax.crypto.Cipher.init (Cipher.java:1223)
It also seems to fail when fetching the key in a different situation.
Caused by android.security.KeyStoreException
-62
android.security.KeyStore.getKeyStoreException (KeyStore.java:839)
android.security.keystore.AndroidKeyStoreProvider.getKeyCharacteristics (AndroidKeyStoreProvider.java:236)
android.security.keystore.AndroidKeyStoreProvider.loadAndroidKeyStoreKeyFromKeystore (AndroidKeyStoreProvider.java:356)
android.security.keystore.AndroidKeyStoreSpi.engineGetKey (AndroidKeyStoreSpi.java:101)
java.security.KeyStore.getKey (KeyStore.java:1062)
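I have searched the internet and the Android source code for information about error -62, and apart from one report containing the same error, I have not found any solution. That report relates to Signal, but it seems it was never resolved.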
https://github.com/signalapp/Signal-Android/issues/8589
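I don't know what causes this problem, or why all other devices work fine. If anyone can solve this, it would be greatly appreciated.
In case it makes a difference, I am using AES 128 encryption with GCMParameterSpec and a fixed IV.
The key is created with the following parameters.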
setBlockModes(KeyProperties.BLOCK_MODE_GCM)
setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
setKeySize(128)
setRandomizedEncryptionRequired(false)
Edit
I finally found the definition and description of the error here
https://source.android.com/reference/hal/structkeymaster2__device
KM_ERROR_KEY_REQUIRES_UPGRADE = -62,
keymaster_error_t (* upgrade_key)(const struct keymaster2_device *dev, const keymaster_key_blob_t *key_to_upgrade, const keymaster_key_param_set_t *upgrade_params, keymaster_key_blob_t *upgraded_key)
Upgrades an old key. Keys can become "old" in two ways: Keymaster can be upgraded to a new version, or the system can be updated to invalidate the OS version and/or patch level. In either case, attempts to use an old key will result in keymaster returning KM_ERROR_KEY_REQUIRES_UPGRADE. This method should then be called to upgrade the key.
Parameters
[in] dev The keymaster device structure.
[in] key_to_upgrade The keymaster key to upgrade.
[in] upgrade_params Parameters needed to complete the upgrade. In particular, KM_TAG_APPLICATION_ID and KM_TAG_APPLICATION_DATA will be required if they were defined for the key.
[out] upgraded_key The upgraded key blob.
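This suggests that a security patch or an OS update requires the key to be upgraded. But the problem occurs every time the app is launched, and the OS is certainly not being updated that often, so this makes no sense.
The function "upgrade_key" appears to be part of the Android system and is not even accessible from the Java side. How do you handle this error?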
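
One defensive way an app can react when the stored key becomes unusable, as an added example that is not part of the original post and does not address the underlying keymaster cause: delete the key entry, generate a new one, and tell the caller that the old ciphertext can no longer be read. The class name, alias and `onKeyReset` callback are hypothetical; unlike the parameters in the post, this sketch leaves randomized encryption enabled so that Keystore generates the IV.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Added example: hypothetical helper, not code from the original post.
public final class AccountKeyRecovery {
    private static final String ALIAS = "account_key"; // hypothetical alias

    // Returns a cipher ready to encrypt; onKeyReset runs if the old key had to be discarded.
    public static Cipher encryptCipher(Runnable onKeyReset)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        try {
            SecretKey key = (SecretKey) ks.getKey(ALIAS, null);
            return init(key != null ? key : generate());
        } catch (UnrecoverableKeyException | InvalidKeyException e) {
            // First trace: Cipher.init() -> InvalidKeyException. Second: getKey(), assumed UnrecoverableKeyException.
            ks.deleteEntry(ALIAS);
            Cipher fresh = init(generate());
            onKeyReset.run(); // caller drops stored ciphertext and asks for the account data again
            return fresh;
        }
    }

    private static Cipher init(SecretKey key) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key); // Keystore chooses the IV; store c.getIV() with the ciphertext
        return c;
    }

    private static SecretKey generate() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(128)
                .build()); // randomized encryption left at its default (required)
        return kg.generateKey();
    }
}
```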