加密

本文档介绍了使用 Android 加密工具的正确方法,并提供了一些使用示例。如果您的应用需要更高的密钥安全性,请使用 Android Keystore 系统

仅使用 Android Keystore 系统指定提供程序

如果您使用的是 Android Keystore 系统,则必须指定一个提供程序。

但在其他情况下,Android 并不保证为指定算法提供特定的提供程序。如果指定提供程序时未使用 Android Keystore 系统,则可能会导致未来版本出现兼容性问题。

选择推荐的算法

如果您可以自由选择使用哪种算法(例如在不需要与第三方系统兼容时),我们建议您使用以下算法:

建议
Cipher 采用 CBC 或 GCM 模式且具有 256 位密钥的 AES(例如 AES/GCM/NoPadding
MessageDigest SHA-2 系列(例如,SHA-256
Mac SHA-2 系列 HMAC(例如,HMACSHA256
Signature 使用 ECDSA 的 SHA-2 系列(例如,SHA256withECDSA

执行常见的加密操作

以下各部分提供的代码段演示了如何在应用中完成常见的加密操作。

读取文件

Kotlin

    // Although you can define your own key generation parameter specification, it's
    // recommended that you use the value specified here.
    val keyGenParameterSpec = MasterKeys.AES256_GCM_SPEC
    val masterKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec)

    val fileToRead = "my_sensitive_data.txt"
    lateinit var byteStream: ByteArrayOutputStream
    val encryptedFile = EncryptedFile.Builder(
        File(directory, fileToRead),
        context,
        masterKeyAlias,
        EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
    ).build()

    val contents = encryptedFile.bufferedReader().useLines { lines ->
        lines.fold("") { working, line ->
            "$working\n$line"
        }
    }
    

Java

    // Although you can define your own key generation parameter specification, it's
    // recommended that you use the value specified here.
    KeyGenParameterSpec keyGenParameterSpec = MasterKeys.AES256_GCM_SPEC;
    String masterKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec);

    String fileToRead = "my_sensitive_data.txt";
    ByteArrayOutputStream byteStream;

    EncryptedFile encryptedFile = new EncryptedFile.Builder(
            File(directory, fileToRead),
            context,
            masterKeyAlias,
            EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
    ).build();

    StringBuffer stringBuffer = new StringBuffer();
    try (BufferedReader reader =
                 new BufferedReader(new FileReader(encryptedFile))) {

        String line = reader.readLine();
        while (line != null) {
            stringBuffer.append(line).append('\n');
            line = reader.readLine();
        }
    } catch (IOException e) {
        // Error occurred opening raw file for reading.
    } finally {
        String contents = stringBuffer.toString();
    }
    

写入文件

Kotlin

    // Although you can define your own key generation parameter specification, it's
    // recommended that you use the value specified here.
    val keyGenParameterSpec = MasterKeys.AES256_GCM_SPEC
    val masterKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec)

    // Creates a file with this name, or replaces an existing file
    // that has the same name. Note that the file name cannot contain
    // path separators.
    val fileToWrite = "my_sensitive_data.txt"
    val encryptedFile = EncryptedFile.Builder(
        File(directory, fileToWrite),
        context,
        masterKeyAlias,
        EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
    ).build()

    encryptedFile.bufferedWriter().use { writer ->
        writer.write("MY SUPER-SECRET INFORMATION")
    }
    

Java

    // Although you can define your own key generation parameter specification, it's
    // recommended that you use the value specified here.
    KeyGenParameterSpec keyGenParameterSpec = MasterKeys.AES256_GCM_SPEC;
    String masterKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec);

    // Creates a file with this name, or replaces an existing file
    // that has the same name. Note that the file name cannot contain
    // path separators.
    String fileToWrite = "my_sensitive_data.txt";
    try {
        EncryptedFile encryptedFile = new EncryptedFile.Builder(
                new File(directory, fileToWrite),
                context,
                masterKeyAlias,
                EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
        ).build();

        // Write to a file.
        BufferedWriter writer = new BufferedWriter(new FileWriter(encryptedFile));
        writer.write("MY SUPER-SECRET INFORMATION");
    } catch (GeneralSecurityException gse) {
        // Error occurred getting or creating keyset.
    } catch (IOException ex) {
        // Error occurred opening file for writing.
    }
    

加密消息

Kotlin

    val plaintext: ByteArray = ...
    val keygen = KeyGenerator.getInstance("AES")
    keygen.init(256)
    val key: SecretKey = keygen.generateKey()
    val cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING")
    cipher.init(Cipher.ENCRYPT_MODE, key)
    val ciphertext: ByteArray = cipher.doFinal(plaintext)
    val iv: ByteArray = cipher.iv
    

Java

    byte[] plaintext = ...;
    KeyGenerator keygen = KeyGenerator.getInstance("AES");
    keygen.init(256);
    SecretKey key = keygen.generateKey();
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
    cipher.init(Cipher.ENCRYPT_MODE, key);
    byte[] ciphertext = cipher.doFinal(plaintext);
    byte[] iv = cipher.getIV();
    

生成消息摘要

Kotlin

    val message: ByteArray = ...
    val md = MessageDigest.getInstance("SHA-256")
    val digest: ByteArray = md.digest(message)
    

Java

    byte[] message = ...;
    MessageDigest md = MessageDigest.getInstance("SHA-256");
    byte[] digest = md.digest(message);
    

生成数字签名

您需要拥有一个包含签名密钥的 PrivateKey 对象;签名密钥可以在运行时生成、从与您的应用捆绑在一起的文件中读取,或者根据您的需要从其他一些来源获取。

Kotlin

    val message: ByteArray = ...
    val key: PrivateKey = ...
    val s = Signature.getInstance("SHA256withECDSA")
            .apply {
                initSign(key)
                update(message)
            }
    val signature: ByteArray = s.sign()
    

Java

    byte[] message = ...;
    PrivateKey key = ...;
    Signature s = Signature.getInstance("SHA256withECDSA");
    s.initSign(key);
    s.update(message);
    byte[] signature = s.sign();
    

验证数字签名

您需要拥有一个包含签名者公钥的 PublicKey 对象;该公钥可以从与您的应用捆绑在一起的文件中读取、从证书中提取,或者根据您的需要从其他一些来源获取。

Kotlin

    val message: ByteArray = ...
    val signature: ByteArray = ...
    val key: PublicKey = ...
    val s = Signature.getInstance("SHA256withECDSA")
            .apply {
                initVerify(key)
                update(message)
            }
    val valid: Boolean = s.verify(signature)
    

Java

    byte[] message = ...;
    byte[] signature = ...;
    PublicKey key = ...;
    Signature s = Signature.getInstance("SHA256withECDSA");
    s.initVerify(key);
    s.update(message);
    boolean valid = s.verify(signature);
    

实现方面的复杂问题

Android 加密实现的一些细节看似不寻常,但因兼容性方面的考虑而存在。本部分探讨了您最有可能遇到的一些细节。

OAEP MGF1 消息摘要

RSA OAEP 加密算法由两个不同的消息摘要进行参数化,它们分别为:“主”摘要和 MGF1 摘要。Cipher.getInstance("RSA/ECB/OAEPwithSHA-256andMGF1Padding") 等包含摘要名称的加密算法标识符可指定主摘要,并使 MGF1 摘要处于未指定状态。在 Android Keystore 中,SHA-1 用于 MGF1 摘要;而在其他 Android 加密提供程序中,这两个摘要相同。

为了更好地控制您的应用使用的摘要,您应该请求带有 OAEPPadding 的加密算法(像 Cipher.getInstance("RSA/ECB/OAEPPadding") 一样),并向 init() 提供 OAEPParameterSpec 以明确选择这两个摘要。

Kotlin

    val key: Key = ...
    val cipher = Cipher.getInstance("RSA/ECB/OAEPPadding")
            .apply {
                // To use SHA-256 the main digest and SHA-1 as the MGF1 digest
                init(Cipher.ENCRYPT_MODE, key, OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT))
                // To use SHA-256 for both digests
                init(Cipher.ENCRYPT_MODE, key, OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT))
            }
    

Java

    Key key = ...;
    Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPPadding");
    // To use SHA-256 the main digest and SHA-1 as the MGF1 digest
    cipher.init(Cipher.ENCRYPT_MODE, key, new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT));
    // To use SHA-256 for both digests
    cipher.init(Cipher.ENCRYPT_MODE, key, new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT));
    

已弃用的功能

下面几部分介绍了您不应再在应用中使用的已弃用功能。

Bouncy Castle 算法

许多算法的 Bouncy Castle 实现都已弃用。这只会影响您明确请求了 Bouncy Castle 提供程序的情况,如以下示例所示:

Kotlin

    Cipher.getInstance("AES/CBC/PKCS7PADDING", "BC")
    // OR
    Cipher.getInstance("AES/CBC/PKCS7PADDING", Security.getProvider("BC"))
    

Java

    Cipher.getInstance("AES/CBC/PKCS7PADDING", "BC");
    // OR
    Cipher.getInstance("AES/CBC/PKCS7PADDING", Security.getProvider("BC"));
    

如上所述,我们不建议请求特定的提供程序,因此,如果您遵循该准则,则此弃用应该不会对您产生影响。

无需使用 IV 的基于密码的加密算法

需要初始化矢量 (IV) 的基于密码的加密 (PBE) 算法可以通过密钥(经过适当的构造)获得,或者通过明确传递的 IV 获得。目前,在传递不包含 IV 且未明确 IV 的 PBE 密钥时,Android 上的 PBE 加密算法会假定 IV 为零。

使用 PBE 加密算法时,请务必传递明确的 IV,如以下代码段所示:

Kotlin

    val key: SecretKey = ...
    val cipher = Cipher.getInstance("PBEWITHSHA256AND256BITAES-CBC-BC")
    val iv = ByteArray(16)
    SecureRandom().nextBytes(iv)
    cipher.init(Cipher.ENCRYPT_MODE, key, IvParameterSpec(iv))
    

Java

    SecretKey key = ...;
    Cipher cipher = Cipher.getInstance("PBEWITHSHA256AND256BITAES-CBC-BC");
    byte[] iv = new byte[16];
    new SecureRandom().nextBytes(iv);
    cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
    

Crypto 提供程序

自 Android 9(API 级别 28)起,Crypto Java 加密架构 (JCA) 提供程序已被移除。如果您的应用请求 Crypto 提供程序实例(例如通过调用以下方法来请求),则会出现 NoSuchProviderException

Kotlin

    SecureRandom.getInstance("SHA1PRNG", "Crypto")
    

Java

    SecureRandom.getInstance("SHA1PRNG", "Crypto");
    

支持的算法

下面列出了 Android 的各个 API 级别都支持的 JCA 算法标识符。

AlgorithmParameterGenerator

算法 支持的 API 级别
AES 1-8
DES 1-8
DESede 1-8
DH 1+
DSA 1+

AlgorithmParameters

算法 支持的 API 级别
AES 1+
BLOWFISH 10+
ChaCha20 28+
DES 1+
DESede 1+
DH 1+
DSA 1+
EC 26+
GCM 22+
IES 1-8
OAEP 1+
PBEwithHmacSHA1AndAES_128 26+
PBEwithHmacSHA1AndAES_256 26+
PBEwithHmacSHA224AndAES_128 26+
PBEwithHmacSHA224AndAES_256 26+
PBEwithHmacSHA256AndAES_128 26+
PBEwithHmacSHA256AndAES_256 26+
PBEwithHmacSHA384AndAES_128 26+
PBEwithHmacSHA384AndAES_256 26+
PBEwithHmacSHA512AndAES_128 26+
PBEwithHmacSHA512AndAES_256 26+
PKCS12PBE 1+
PSS 1-8、24+

CertPathBuilder

算法 支持的 API 级别
PKIX 1+

CertPathValidator

算法 支持的 API 级别
PKIX 1+

CertStore

算法 支持的 API 级别
Collection 1+

CertificateFactory

算法 支持的 API 级别
X.509 1+

Cipher

算法 模式 填充 支持的 API 级别 备注
AES CBC
CFB
CTR
CTS
ECB
OFB
ISO10126Padding
NoPadding
PKCS5Padding
1+
GCM NoPadding 10+
AES_128 CBC
ECB
NoPadding
PKCS5Padding
26+
GCM NoPadding 26+
AES_256 CBC
ECB
NoPadding
PKCS5Padding
26+
GCM NoPadding 26+
ARC4 ECB NoPadding 10+
NONE NoPadding 28+
BLOWFISH CBC
CFB
CTR
CTS
ECB
OFB
ISO10126Padding
NoPadding
PKCS5Padding
10+
ChaCha20 NONE
Poly1305
NoPadding 28+ 具有 20 轮、96 位随机数以及 32 位计数器的 ChaCha(如 RFC 7539 中所述)。
DES CBC
CFB
CTR
CTS
ECB
OFB
ISO10126Padding
NoPadding
PKCS5Padding
1+
DESede CBC
CFB
CTR
CTS
ECB
OFB
ISO10126Padding
NoPadding
PKCS5Padding
1+
RSA ECB
NONE
NoPadding
OAEPPadding
PKCS1Padding
1+
OAEPwithSHA-1andMGF1Padding
OAEPwithSHA-256andMGF1Padding
10+
OAEPwithSHA-224andMGF1Padding
OAEPwithSHA-384andMGF1Padding
OAEPwithSHA-512andMGF1Padding
23+

KeyAgreement

算法 支持的 API 级别
DH 1+
ECDH 11+

KeyFactory

算法 支持的 API 级别
DH 1+
DSA 1+
EC 11+
RSA 1+
X.509 1-8

KeyGenerator

算法 支持的 API 级别
AES 1+
AESWRAP 1-8
ARC4 14+
BLOWFISH 10+
ChaCha20 28+
DES 1+
DESede 1+
DESedeWRAP 1-8
HmacMD5 1+
HmacSHA1 11+
HmacSHA224 1-8、22+
HmacSHA256 1+
HmacSHA384 1+
HmacSHA512 1+
RC4 10-13

KeyManagerFactory

算法 支持的 API 级别
PKIX 1+

KeyPairGenerator

算法 支持的 API 级别
DH 1+
DSA 1+
EC 11+
RSA 1+

KeyStore

算法 支持的 API 级别
AndroidCAStore 14+
AndroidKeyStore 18+
BCPKCS12 1-8
BKS 1+
BouncyCastle 1+
PKCS12 1+
PKCS12-DEF 1-8

Mac

算法 支持的 API 级别
DESMAC 1-8
DESMAC/CFB8 1-8
DESedeMAC 1-8
DESedeMAC/CFB8 1-8
DESedeMAC64 1-8
DESwithISO9797 1-8
HmacMD5 1+
HmacSHA1 1+
HmacSHA224 1-8、22+
HmacSHA256 1+
HmacSHA384 1+
HmacSHA512 1+
ISO9797ALG3MAC 1-8
PBEwithHmacSHA 1+
PBEwithHmacSHA1 1+
PBEwithHmacSHA224 26+
PBEwithHmacSHA256 26+
PBEwithHmacSHA384 26+
PBEwithHmacSHA512 26+

MessageDigest

算法 支持的 API 级别
MD5 1+
SHA-1 1+
SHA-224 1-8、22+
SHA-256 1+
SHA-384 1+
SHA-512 1+

SSLContext

算法 支持的 API 级别
Default 10+
SSL 10+
SSLv3 10-25
TLS 1+
TLSv1 10+
TLSv1.1 16+
TLSv1.2 16+

SSLEngine

算法 支持的 API 级别 默认处于启用状态
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA 9-22 9-19
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA 9-22 9-19
SSL_DHE_DSS_WITH_DES_CBC_SHA 9-22 9-19
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 9-22 9-19
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA 9-22 9-19
SSL_DHE_RSA_WITH_DES_CBC_SHA 9-22 9-19
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA 9-22
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 9-22
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA 9-22
SSL_DH_anon_WITH_DES_CBC_SHA 9-22
SSL_DH_anon_WITH_RC4_128_MD5 9-22
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA 9-22 9-19
SSL_RSA_EXPORT_WITH_RC4_40_MD5 9-22 9-19
SSL_RSA_WITH_3DES_EDE_CBC_SHA 9+ 9-19
SSL_RSA_WITH_DES_CBC_SHA 9-22 9-19
SSL_RSA_WITH_NULL_MD5 9-22
SSL_RSA_WITH_NULL_SHA 9-22
SSL_RSA_WITH_RC4_128_MD5 9-25 9-19
SSL_RSA_WITH_RC4_128_SHA 9-25 9-23
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA 1-8 1-8
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 1-8 1-8
TLS_DHE_DSS_WITH_AES_128_CBC_SHA 9-22 9-22
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 20-22
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 20-22
TLS_DHE_DSS_WITH_AES_256_CBC_SHA 9-22 20-22
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 20-22
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 20-22
TLS_DHE_DSS_WITH_DES_CBC_SHA 1-8 1-8
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 1-8 1-8
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 1-8 1-8
TLS_DHE_RSA_WITH_AES_128_CBC_SHA 9-25 9-25
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 20-25
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 20-25 20-25
TLS_DHE_RSA_WITH_AES_256_CBC_SHA 9-25 20-25
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 20-25
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 20-25 20-25
TLS_DHE_RSA_WITH_DES_CBC_SHA 1-8 1-8
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA 1-8
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA 1-8
TLS_DH_DSS_WITH_DES_CBC_SHA 1-8
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA 1-8
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA 1-8
TLS_DH_RSA_WITH_DES_CBC_SHA 1-8
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA 1-8
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA 1-8
TLS_DH_anon_WITH_AES_128_CBC_SHA 9-22
TLS_DH_anon_WITH_AES_128_CBC_SHA256 20-22
TLS_DH_anon_WITH_AES_128_GCM_SHA256 20-22
TLS_DH_anon_WITH_AES_256_CBC_SHA 9-22
TLS_DH_anon_WITH_AES_256_CBC_SHA256 20-22
TLS_DH_anon_WITH_AES_256_GCM_SHA384 20-22
TLS_DH_anon_WITH_DES_CBC_SHA 1-8
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 20-22
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 20+ 20+
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 20+
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 20+ 20+
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 20+ 20+
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 20+
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 20+ 20+
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 24+ 24+
TLS_ECDHE_ECDSA_WITH_NULL_SHA 20-22
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 20-25 20-23
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 21+ 21+
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 21+ 21+
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 24+ 24+
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 20-22
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 20+ 20+
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 20+
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 20+ 20+
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 20+ 20+
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 20+
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 20+ 20+
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 24+ 24+
TLS_ECDHE_RSA_WITH_NULL_SHA 20-22
TLS_ECDHE_RSA_WITH_RC4_128_SHA 20-25 20-23
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 20-22
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 20-22
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 20-22
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 20-22
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 20-22
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 20-22
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 20-22
TLS_ECDH_ECDSA_WITH_NULL_SHA 20-22
TLS_ECDH_ECDSA_WITH_RC4_128_SHA 20-22
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 20-22
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 20-22
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 20-22
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 20-22
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 20-22
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 20-22
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 20-22
TLS_ECDH_RSA_WITH_NULL_SHA 20-22
TLS_ECDH_RSA_WITH_RC4_128_SHA 20-22
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA 20-22
TLS_ECDH_anon_WITH_AES_128_CBC_SHA 20-22
TLS_ECDH_anon_WITH_AES_256_CBC_SHA 20-22
TLS_ECDH_anon_WITH_NULL_SHA 20-22
TLS_ECDH_anon_WITH_RC4_128_SHA 20-22
TLS_EMPTY_RENEGOTIATION_INFO_SCSV 20+ 20+
TLS_FALLBACK_SCSV 21+
TLS_NULL_WITH_NULL_NULL 1-8
TLS_PSK_WITH_3DES_EDE_CBC_SHA 21-22
TLS_PSK_WITH_AES_128_CBC_SHA 21+ 21+
TLS_PSK_WITH_AES_256_CBC_SHA 21+ 21+
TLS_PSK_WITH_RC4_128_SHA 21-25
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 1-8 1-8
TLS_RSA_WITH_3DES_EDE_CBC_SHA 1-8 1-8
TLS_RSA_WITH_AES_128_CBC_SHA 9+ 9+
TLS_RSA_WITH_AES_128_CBC_SHA256 20+
TLS_RSA_WITH_AES_128_GCM_SHA256 20+ 20+
TLS_RSA_WITH_AES_256_CBC_SHA 9+ 20+
TLS_RSA_WITH_AES_256_CBC_SHA256 20+
TLS_RSA_WITH_AES_256_GCM_SHA384 20+ 20+
TLS_RSA_WITH_DES_CBC_SHA 1-8 1-8
TLS_RSA_WITH_NULL_MD5 1-8
TLS_RSA_WITH_NULL_SHA 1-8
TLS_RSA_WITH_NULL_SHA256 20-22

SSLSocket

算法 支持的 API 级别 默认处于启用状态
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA 9-22 9-19
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA 9-22 9-19
SSL_DHE_DSS_WITH_DES_CBC_SHA 9-22 9-19
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 9-22 9-19
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA 9-22 9-19
SSL_DHE_RSA_WITH_DES_CBC_SHA 9-22 9-19
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA 9-22
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 9-22
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA 9-22
SSL_DH_anon_WITH_DES_CBC_SHA 9-22
SSL_DH_anon_WITH_RC4_128_MD5 9-22
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA 9-22 9-19
SSL_RSA_EXPORT_WITH_RC4_40_MD5 9-22 9-19
SSL_RSA_WITH_3DES_EDE_CBC_SHA 9+ 9-19
SSL_RSA_WITH_DES_CBC_SHA 9-22 9-19
SSL_RSA_WITH_NULL_MD5 9-22
SSL_RSA_WITH_NULL_SHA 9-22
SSL_RSA_WITH_RC4_128_MD5 9-25 9-19
SSL_RSA_WITH_RC4_128_SHA 9-25 9-23
TLS_DHE_DSS_WITH_AES_128_CBC_SHA 9-22 9-22
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 20-22
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 20-22
TLS_DHE_DSS_WITH_AES_256_CBC_SHA 9-22 11-22
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 20-22
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 20-22
TLS_DHE_RSA_WITH_AES_128_CBC_SHA 9-25 9-25
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 20-25
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 20-25 20-25
TLS_DHE_RSA_WITH_AES_256_CBC_SHA 9-25 11-25
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 20-25
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 20-25 20-25
TLS_DH_anon_WITH_AES_128_CBC_SHA 9-22
TLS_DH_anon_WITH_AES_128_CBC_SHA256 20-22
TLS_DH_anon_WITH_AES_128_GCM_SHA256 20-22
TLS_DH_anon_WITH_AES_256_CBC_SHA 9-22
TLS_DH_anon_WITH_AES_256_CBC_SHA256 20-22
TLS_DH_anon_WITH_AES_256_GCM_SHA384 20-22
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 11-22 11-19
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 11+ 11+
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 20+
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 20+ 20+
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 11+ 11+
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 20+
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 20+ 20+
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 24+ 24+
TLS_ECDHE_ECDSA_WITH_NULL_SHA 11-22
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 11-25 11-23
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 21+ 21+
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 21+ 21+
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 24+ 24+
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 11-22 11-19
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 11+ 11+
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 20+
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 20+ 20+
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 11+ 11+
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 20+
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 20+ 20+
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 24+ 24+
TLS_ECDHE_RSA_WITH_NULL_SHA 11-22
TLS_ECDHE_RSA_WITH_RC4_128_SHA 11-25 11-23
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 11-22 11-19
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 11-22 11-19
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 20-22
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 20-22
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 11-22 11-19
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 20-22
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 20-22
TLS_ECDH_ECDSA_WITH_NULL_SHA 11-22
TLS_ECDH_ECDSA_WITH_RC4_128_SHA 11-22 11-19
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 11-22 11-19
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 11-22 11-19
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 20-22
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 20-22
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 11-22 11-19
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 20-22
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 20-22
TLS_ECDH_RSA_WITH_NULL_SHA 11-22
TLS_ECDH_RSA_WITH_RC4_128_SHA 11-22 11-19
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA 11-22
TLS_ECDH_anon_WITH_AES_128_CBC_SHA 11-22
TLS_ECDH_anon_WITH_AES_256_CBC_SHA 11-22
TLS_ECDH_anon_WITH_NULL_SHA 11-22
TLS_ECDH_anon_WITH_RC4_128_SHA 11-22
TLS_EMPTY_RENEGOTIATION_INFO_SCSV 11+ 11+
TLS_FALLBACK_SCSV 21+
TLS_PSK_WITH_3DES_EDE_CBC_SHA 21-22
TLS_PSK_WITH_AES_128_CBC_SHA 21+ 21+
TLS_PSK_WITH_AES_256_CBC_SHA 21+ 21+
TLS_PSK_WITH_RC4_128_SHA 21-25
TLS_RSA_WITH_AES_128_CBC_SHA 9+ 9+
TLS_RSA_WITH_AES_128_CBC_SHA256 20+
TLS_RSA_WITH_AES_128_GCM_SHA256 20+ 20+
TLS_RSA_WITH_AES_256_CBC_SHA 9+ 11+
TLS_RSA_WITH_AES_256_CBC_SHA256 20+
TLS_RSA_WITH_AES_256_GCM_SHA384 20+ 20+
TLS_RSA_WITH_NULL_SHA256 20-22

SecretKeyFactory

算法 支持的 API 级别
AES 23+
DES 1+
DESede 1+
HmacSHA1 23+
HmacSHA224 23+
HmacSHA256 23+
HmacSHA384 23+
HmacSHA512 23+
PBEwithHmacSHA1 1+
PBEwithHmacSHA1AndAES_128 26+
PBEwithHmacSHA1AndAES_256 26+
PBEwithHmacSHA224AndAES_128 26+
PBEwithHmacSHA224AndAES_256 26+
PBEwithHmacSHA256AndAES_128 26+
PBEwithHmacSHA256AndAES_256 26+
PBEwithHmacSHA384AndAES_128 26+
PBEwithHmacSHA384AndAES_256 26+
PBEwithHmacSHA512AndAES_128 26+
PBEwithHmacSHA512AndAES_256 26+
PBEwithMD5AND128BITAES-CBC-OPENSSL 1+
PBEwithMD5AND192BITAES-CBC-OPENSSL 1+
PBEwithMD5AND256BITAES-CBC-OPENSSL 1+
PBEwithMD5ANDDES 1+
PBEwithMD5ANDRC2 1+
PBEwithSHA1ANDDES 1+
PBEwithSHA1ANDRC2 1+
PBEwithSHA256AND128BITAES-CBC-BC 1+
PBEwithSHA256AND192BITAES-CBC-BC 1+
PBEwithSHA256AND256BITAES-CBC-BC 1+
PBEwithSHAAND128BITAES-CBC-BC 1+
PBEwithSHAAND128BITRC2-CBC 10+
PBEwithSHAAND128BITRC4 10+
PBEwithSHAAND192BITAES-CBC-BC 1+
PBEwithSHAAND2-KEYTRIPLEDES-CBC 1+
PBEwithSHAAND256BITAES-CBC-BC 1+
PBEwithSHAAND3-KEYTRIPLEDES-CBC 1+
PBEwithSHAAND40BITRC2-CBC 1+
PBEwithSHAAND40BITRC4 10+
PBEwithSHAANDTWOFISH-CBC 10+
PBKDF2withHmacSHA1 10+
PBKDF2withHmacSHA1And8BIT 19+
PBKDF2withHmacSHA224 26+
PBKDF2withHmacSHA256 26+
PBKDF2withHmacSHA384 26+
PBKDF2withHmacSHA512 26+

SecureRandom

算法 支持的 API 级别
SHA1PRNG 1+

Signature

算法 支持的 API 级别
DSA 1+
DSAwithSHA1 1+
DSS 1-19
ECDSA 11+
ECDSAwithSHA1 11+
MD2withRSA 1-3
MD4withRSA 1-8
MD5withRSA 1+
MD5withRSA/ISO9796-2 1-8
NONEwithDSA 1+
NONEwithECDSA 11+
NONEwithRSA 17+
RSASSA-PSS 1-8
SHA1withDSA 1+
SHA1withECDSA 11+
SHA1withRSA 1+
SHA1withRSA/ISO9796-2 1-8
SHA1withRSA/PSS 23+
SHA224withDSA 20+
SHA224withECDSA 20+
SHA224withRSA 20+
SHA224withRSA/PSS 23+
SHA256withDSA 1+
SHA256withECDSA 11+
SHA256withRSA 1+
SHA256withRSA/PSS 23+
SHA384withECDSA 11+
SHA384withRSA 1+
SHA384withRSA/PSS 23+
SHA512withECDSA 11+
SHA512withRSA 1+
SHA512withRSA/PSS 23+

TrustManagerFactory

算法 支持的 API 级别
PKIX 1+