include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
The key can be used without any user authentication:
[source,kotlin]
----
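// AES key generated inside the Android keystore so the raw key material stays in the keystore.
val keyGenerator: KeyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
// The spec never calls setUserAuthenticationRequired(true): once the device is running,
// the key can be used for encryption and decryption without the user authenticating.
// `val` rather than `var` — the built spec is never reassigned.
val builder: KeyGenParameterSpec = KeyGenParameterSpec.Builder("test_secret_key", KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT) // Noncompliant
    .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
    .build()
keyGenerator.init(builder)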
----
== Compliant Solution
The use of the key is limited to authenticated users, for a validity window of 60 seconds after each authentication:
[source,kotlin]
----
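// AES key generated inside the Android keystore so the raw key material stays in the keystore.
val keyGenerator: KeyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
// `val` rather than `var` — the built spec is never reassigned.
val builder: KeyGenParameterSpec = KeyGenParameterSpec.Builder("test_secret_key", KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
    .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
    // The keystore refuses any operation with this key unless the user has authenticated.
    .setUserAuthenticationRequired(true) // Compliant
    // Accept the device credential (PIN/pattern/password) and keep the key usable for
    // 60 seconds after each authentication. A shorter window, or AUTH_BIOMETRIC_STRONG
    // instead of the device credential, narrows what can be done with the key between
    // authentications. NOTE(review): setUserAuthenticationParameters is an API 30+ call —
    // confirm it matches the project's minSdk.
    .setUserAuthenticationParameters(60, KeyProperties.AUTH_DEVICE_CREDENTIAL)
    .build()
keyGenerator.init(builder)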
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
endif::env-github,rspecator-view[]