Use Android keystore for encrypting DB key.

Only for new accounts on API 23+.
2026-02-12 18:59:06 +01:00 · 2020-01-09 14:06:42 +00:00
parent 8a6e886d09
commit 4d3c1b4fd2
12 changed files with 222 additions and 37 deletions
--- a/briar-android/src/main/java/org/briarproject/briar/android/AndroidDatabaseConfig.java
+++ b/briar-android/src/main/java/org/briarproject/briar/android/AndroidDatabaseConfig.java
@@ -1,18 +1,26 @@
 package org.briarproject.briar.android;

+import org.briarproject.bramble.api.crypto.KeyStoreConfig;
 import org.briarproject.bramble.api.db.DatabaseConfig;
 import org.briarproject.bramble.api.nullsafety.NotNullByDefault;

 import java.io.File;

+import javax.annotation.Nullable;
+
+import static android.os.Build.VERSION.SDK_INT;
+
@NotNullByDefault
 class AndroidDatabaseConfig implements DatabaseConfig {

 	private final File dbDir, keyDir;
+	@Nullable
+	private final KeyStoreConfig keyStoreConfig;

 	AndroidDatabaseConfig(File dbDir, File keyDir) {
 		this.dbDir = dbDir;
 		this.keyDir = keyDir;
+		keyStoreConfig = SDK_INT >= 23 ? new AndroidKeyStoreConfig() : null;
 	}

 	@Override
@@ -24,4 +32,10 @@ class AndroidDatabaseConfig implements DatabaseConfig {
 	public File getDatabaseKeyDirectory() {
 		return keyDir;
 	}
+
+	@Nullable
+	@Override
+	public KeyStoreConfig getKeyStoreConfig() {
+		return keyStoreConfig;
+	}
 }
--- a/briar-android/src/main/java/org/briarproject/briar/android/AndroidKeyStoreConfig.java
+++ b/briar-android/src/main/java/org/briarproject/briar/android/AndroidKeyStoreConfig.java
@@ -0,0 +1,52 @@
+package org.briarproject.briar.android;
+
+import android.security.keystore.KeyGenParameterSpec;
+
+import org.briarproject.bramble.api.crypto.KeyStoreConfig;
+import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
+
+import java.security.spec.AlgorithmParameterSpec;
+
+import androidx.annotation.RequiresApi;
+
+import static android.security.keystore.KeyProperties.PURPOSE_SIGN;
+import static android.security.keystore.KeyProperties.PURPOSE_VERIFY;
+
+@RequiresApi(23)
+@NotNullByDefault
+class AndroidKeyStoreConfig implements KeyStoreConfig {
+
+	private final KeyGenParameterSpec spec;
+
+	AndroidKeyStoreConfig() {
+		int purposes = PURPOSE_SIGN | PURPOSE_VERIFY;
+		spec = new KeyGenParameterSpec.Builder("db", purposes)
+				.setKeySize(256)
+				.build();
+	}
+
+	@Override
+	public String getKeyStoreType() {
+		return "AndroidKeyStore";
+	}
+
+	@Override
+	public String getAlias() {
+		return "db";
+	}
+
+	@Override
+	public String getProviderName() {
+		return "AndroidKeyStore";
+	}
+
+	@Override
+	public String getMacAlgorithmName() {
+		return "HmacSHA256";
+	}
+
+	@Override
+	public AlgorithmParameterSpec getParameterSpec() {
+		return spec;
+	}
+}