重构 PasswordStorageManager

Author: lc6464

app/build.gradle.kts

@@ -1,17 +1,18 @@
+import org.jetbrains.kotlin.gradle.dsl.JvmTarget
+
 plugins {
     alias(libs.plugins.android.application)
     alias(libs.plugins.kotlin.android)
-    // alias(libs.plugins.kotlin.compose)
 }
 
 android {
     namespace = "cn.lc6464.fileencryptor"
-    compileSdk = 35
+    compileSdk = 36
 
     defaultConfig {
         applicationId = "cn.lc6464.fileencryptor"
         minSdk = 31
-        targetSdk = 35
+        targetSdk = 36
         versionCode = 2
         versionName = "2.0"
 
@@ -32,8 +33,10 @@ android {
         sourceCompatibility = JavaVersion.VERSION_11
         targetCompatibility = JavaVersion.VERSION_11
     }
-    kotlinOptions {
-        jvmTarget = "11"
+    kotlin {
+        compilerOptions {
+            jvmTarget = JvmTarget.JVM_11
+        }
     }
     buildFeatures {
         viewBinding = true
@@ -54,8 +57,6 @@ dependencies {
 
     implementation(libs.androidx.lifecycle.runtime.ktx)
 
-    implementation(libs.androidx.security.crypto)
-
     testImplementation(libs.junit)
     androidTestImplementation(libs.androidx.junit)
     androidTestImplementation(libs.androidx.espresso.core)

app/src/main/AndroidManifest.xml

@@ -1,11 +1,9 @@
 <?xml version="1.0" encoding="utf-8"?>
-<manifest xmlns:android="http://schemas.android.com/apk/res/android"
-    xmlns:tools="http://schemas.android.com/tools">
+<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 
     <application
         android:icon="@mipmap/ic_launcher"
         android:label="@string/app_name"
-        android:roundIcon="@mipmap/ic_launcher_round"
         android:supportsRtl="true"
         android:theme="@style/Theme.FileEncryptor">
         <activity

app/src/main/java/cn/lc6464/fileencryptor/PasswordStorageManager.kt

@@ -1,37 +1,127 @@
 package cn.lc6464.fileencryptor
 
 import android.content.Context
-import androidx.security.crypto.EncryptedSharedPreferences
-import androidx.security.crypto.MasterKey
+import android.security.keystore.KeyGenParameterSpec
+import android.security.keystore.KeyProperties
 import androidx.core.content.edit
+import java.nio.charset.StandardCharsets
+import java.security.KeyStore
+import javax.crypto.Cipher
+import javax.crypto.KeyGenerator
+import javax.crypto.SecretKey
+import javax.crypto.spec.GCMParameterSpec
 
+/**
+ * 这是一个辅助类，负责所有与 Android Keystore 交互的加密和解密操作。
+ * 它将密钥安全地存储在硬件支持的 Keystore 中。
+ */
+private class CryptoHelper {
+
+    private val keyStore = KeyStore.getInstance("AndroidKeyStore").apply {
+        load(null)
+    }
+
+    private fun getSecretKey(alias: String): SecretKey {
+        return (keyStore.getEntry(alias, null) as? KeyStore.SecretKeyEntry)?.secretKey
+            ?: generateSecretKey(alias)
+    }
+
+    private fun generateSecretKey(alias: String): SecretKey {
+        val keyGenerator = KeyGenerator.getInstance(
+            KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore"
+        )
+        val parameterSpec = KeyGenParameterSpec.Builder(
+            alias,
+            KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
+        )
+            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
+            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
+            .setKeySize(256)
+            .build()
+        keyGenerator.init(parameterSpec)
+        return keyGenerator.generateKey()
+    }
+
+    fun encrypt(data: String, keyAlias: String): Pair<ByteArray, ByteArray> {
+        val key = getSecretKey(keyAlias)
+        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
+        cipher.init(Cipher.ENCRYPT_MODE, key)
+        val encryptedData = cipher.doFinal(data.toByteArray(StandardCharsets.UTF_8))
+        return Pair(cipher.iv, encryptedData)
+    }
+
+    fun decrypt(iv: ByteArray, encryptedData: ByteArray, keyAlias: String): String {
+        val key = getSecretKey(keyAlias)
+        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
+        val spec = GCMParameterSpec(128, iv) // GCM 认证标签长度为 128 位
+        cipher.init(Cipher.DECRYPT_MODE, key, spec)
+        val decryptedData = cipher.doFinal(encryptedData)
+        return String(decryptedData, StandardCharsets.UTF_8)
+    }
+}
+
+
+/**
+ * 使用平台原生 API (AndroidKeyStore 和 SharedPreferences) 来安全地存储密码。
+ * 这取代了已弃用的 EncryptedSharedPreferences。
+ */
 class PasswordStorageManager(context: Context) {
 
-    // 使用 MasterKey.Builder 替换已弃用的 MasterKeys.getOrCreate
-    // 这是 Android Security 库推荐的现代方法。
-    private val masterKey = MasterKey.Builder(context)
-        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
-        .build()
-
-    // 使用接受 MasterKey 对象的 create 方法重载
-    // 注意参数顺序也发生了变化 (context 现在是第一个参数)。
-    private val sharedPreferences = EncryptedSharedPreferences.create(
-        context, // 第一个参数是 Context
-        "secret_shared_prefs", // 第二个参数是文件名
-        masterKey, // 第三个参数是 MasterKey 对象
-        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
-        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
-    )
+    private val cryptoHelper = CryptoHelper()
+    private val sharedPreferences =
+        context.getSharedPreferences("secure_prefs", Context.MODE_PRIVATE)
 
     companion object {
-        private const val KEY_PASSWORD = "password"
+        private const val KEY_ALIAS_PASSWORD = "password_key_alias"
+        private const val PREF_KEY_ENCRYPTED_PASSWORD = "encrypted_password"
+        private const val PREF_KEY_PASSWORD_IV = "password_iv"
     }
 
     fun savePassword(password: String) {
-        sharedPreferences.edit { putString(KEY_PASSWORD, password) }
+        try {
+            val (iv, encryptedPassword) = cryptoHelper.encrypt(password, KEY_ALIAS_PASSWORD)
+            sharedPreferences.edit {
+                putString(
+                    PREF_KEY_PASSWORD_IV,
+                    android.util.Base64.encodeToString(iv, android.util.Base64.NO_WRAP)
+                )
+                putString(
+                    PREF_KEY_ENCRYPTED_PASSWORD,
+                    android.util.Base64.encodeToString(
+                        encryptedPassword,
+                        android.util.Base64.NO_WRAP
+                    )
+                )
+            }
+        } catch (e: Exception) {
+            // 在这里处理加密失败的异常，例如记录日志
+            e.printStackTrace()
+        }
     }
 
     fun getPassword(): String? {
-        return sharedPreferences.getString(KEY_PASSWORD, null)
+        return try {
+            val ivString = sharedPreferences.getString(PREF_KEY_PASSWORD_IV, null)
+            val encryptedPasswordString =
+                sharedPreferences.getString(PREF_KEY_ENCRYPTED_PASSWORD, null)
+
+            if (ivString != null && encryptedPasswordString != null) {
+                val iv = android.util.Base64.decode(ivString, android.util.Base64.NO_WRAP)
+                val encryptedPassword =
+                    android.util.Base64.decode(encryptedPasswordString, android.util.Base64.NO_WRAP)
+                cryptoHelper.decrypt(iv, encryptedPassword, KEY_ALIAS_PASSWORD)
+            } else {
+                null
+            }
+        } catch (e: Exception) {
+            // 在这里处理解密失败的异常
+            e.printStackTrace()
+            // 如果解密失败（例如密钥已更改或数据损坏），最好清除旧数据
+            sharedPreferences.edit {
+                remove(PREF_KEY_PASSWORD_IV)
+                remove(PREF_KEY_ENCRYPTED_PASSWORD)
+            }
+            null
+        }
     }
 }

gradle/libs.versions.toml

@@ -12,7 +12,6 @@ constraintlayout = "2.2.1"
 material = "1.12.0"
 kotlinxCorutinesCore = "1.10.2"
 kotlinxCorutinesAndroid = "1.10.2"
-securityCrypto = "1.1.0"
 
 [libraries]
 androidx-core-ktx = { group = "androidx.core", name = "core-ktx", version.ref = "coreKtx" }
@@ -26,7 +25,6 @@ androidx-constraintlayout = { group = "androidx.constraintlayout", name = "const
 androidx-material = { group = "com.google.android.material", name = "material", version.ref = "material" }
 kotlinx-coroutines-core = { group = "org.jetbrains.kotlinx", name = "kotlinx-coroutines-core", version.ref = "kotlinxCorutinesCore" }
 kotlinx-coroutines-android = { group = "org.jetbrains.kotlinx", name = "kotlinx-coroutines-android", version.ref = "kotlinxCorutinesAndroid" }
-androidx-security-crypto = { group = "androidx.security", name = "security-crypto", version.ref = "securityCrypto" }
 
 [plugins]
 android-application = { id = "com.android.application", version.ref = "agp" }