I need to encrypt the some file which are created by the android native service written in C++. I have to use Keystore but I dont know how to use. is there any libraries or document?
Asked
Active
Viewed 2,860 times
5
-
Android Keystore does not expose the key material of private or secret keys, by design (see https://developer.android.com/training/articles/keystore.html) – Jon Goodwin Feb 09 '17 at 07:43
-
@JonGoodwin but it seems that you could still call `getPrivateKey()` on an entry to get the key, what am I missing ? – Scis Apr 30 '19 at 19:04
1 Answers
6
I know the thread is old but maybe it will help someone in the future. The hints below refer to Android Keystore v3 and v4 (Oreo and Pie respectively).
Basically the HAL keystore (as described here) is wrapped in the keystore service. The service API mimics the interface described in IKeymasterDevice.hal. Instead of blob you can use a string alias for the key (e.g. "mySecretKey"). The service stores the keyblobs (raw key material + key parameters) to the file system. Default location is /data/misc/keystore/user_0/<uid>_<key_alias>.
Keystore service is also the layer which checks whether requesting process is allowed to use the key (based on process uid).
The communication with keystore service is done via binder interface (IPC). You may want to read more about it here.
AOSP contains reference client implementation here.
Example usage can be found in the stock CLI here
The AOSP comes with SW based keystore implementation which can be found here. By default the keyblob on AOSP builds are not encrypted.
Note that the stock keystore_cli_v2 does NOT provide support for key import. If you plan to encrypt the data offline (e.g. pycrypto) you must extend it. If you plan to do so remember that the keystore_client_impl.cpp is linked to libkeystore_binder.so and not the keystore_cli_v2.
For the asymmetric key ciphers you may export the public key component using the API.
Michal Oleszczuk
- 61
- 1
- 4