Android Keystore decrypting encrypted data gives incorrect result

Question

I'm trying to encrypt a arbitrary String using a KeyPair generated by an instance of java.security.KeyPairGenerator. Unfortunately after encrypting and decrypting the String with the generated KeyPair the result is incorrect.

here is how I go about doing this:

val ks: KeyStore = KeyStore.getInstance("AndroidKeyStore").apply {
    load(null)
}

fun encryptUsingKey(publicKey: PublicKey, bytes: ByteArray): ByteArray {
    val inCipher = Cipher.getInstance("RSA/NONE/NoPadding")
    inCipher.init(Cipher.ENCRYPT_MODE, publicKey)
    return inCipher.doFinal(bytes)
}

fun decryptUsingKey(privateKey: PrivateKey, bytes: ByteArray): ByteArray {
    val inCipher = Cipher.getInstance("RSA/NONE/NoPadding")
    inCipher.init(Cipher.DECRYPT_MODE, privateKey)
    return inCipher.doFinal(bytes)
}

fun getKey(): KeyStore.Entry {
    val containsAlias = ks.containsAlias(alias)
    if (!containsAlias) {
        val kpg: KeyPairGenerator = KeyPairGenerator.getInstance(
            KeyProperties.KEY_ALGORITHM_RSA,
            "AndroidKeyStore"
        )
        val parameterSpec: KeyGenParameterSpec =
            KeyGenParameterSpec.Builder(
                alias,
                KeyProperties.PURPOSE_DECRYPT or KeyProperties.PURPOSE_ENCRYPT
            )
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512)
                .setRandomizedEncryptionRequired(false)
                .build()

        kpg.initialize(parameterSpec)

        val kp = kpg.generateKeyPair()
    }
    return ks.getEntry(alias, null)
}

My encryption/decryption test looks like this:

fun testEncryptionDecryption() {
    val entry = getKey()

    if (entry is KeyStore.PrivateKeyEntry) {
        val privateKey = entry.privateKey
        val certificate = entry.certificate
        val publicKey = certificate.publicKey

        val testKey = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"

        val encrypted = service.encryptUsingKey(publicKey, Base64.decodeFromString(testKey))
        val decrypted = service.decryptUsingKey(privateKey, encrypted)

        assertEquals(testKey, Base64.encodeToString(decrypted))

    }
}

Unfortunately the result looks like this:

org.junit.ComparisonFailure: expected:<[0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF]> but was:<[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANNdt-Oeu_PQAQgxBdNdt-Oeu_PQAQgxBdNdt-Oeu_PQAQgxBdNdt-Oeu_PQAQgxBQ]>

Can someone enlighten me to what's going on here? Where do all these A's come from? Am I using the keys incorrectly?

Answer 1

As suspected it was incorrect configuration. The following works:

val inCipher = Cipher.getInstance("RSA/ECB/OAEPPadding")

val kpg: KeyPairGenerator = KeyPairGenerator.getInstance(
            KeyProperties.KEY_ALGORITHM_RSA,
            "AndroidKeyStore"
        )
        val parameterSpec: KeyGenParameterSpec =
            KeyGenParameterSpec.Builder(
                alias,
                KeyProperties.PURPOSE_DECRYPT or KeyProperties.PURPOSE_ENCRYPT
            )
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP)
                .setBlockModes(KeyProperties.BLOCK_MODE_ECB)
                .setDigests(KeyProperties.DIGEST_SHA1)
                .build()

        kpg.initialize(parameterSpec)