Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Android KeyStore - How to save an RSA PrivateKey

Tags:

security

keystore

android-4.3-jelly-bean

I receive from a web service(made by myself) an RSA PrivateKey PKCS#8 encoded in a base 64 String. My Android app must save this key somewhere into the phone securely.

From the 4.3 version of Android, it's possible saving keys using the new KeyStore API. I've found an article with code axample that shows how to generate a KeyPair with the Specification needed to store the keys. And after to recover the keys. 

// generate a key pair
Context ctx = getContext();
Calendar notBefore = Calendar.getInstance()
Calendar notAfter = Calendar.getInstance();
notAfter.add(1, Calendar.YEAR);
KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(ctx)
            .setAlias("key1")
            .setSubject(
                    new X500Principal(String.format("CN=%s, OU=%s", alais,
                            ctx.getPackageName())))
            .setSerialNumber(BigInteger.ONE).setStartDate(notBefore.getTime())
            .setEndDate(notAfter.getTime()).build();

KeyPairGenerator kpGenerator = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
kpGenerator.initialize(spec);
KeyPair kp = kpGenerator.generateKeyPair();

// in another part of the app, access the keys
KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
keyStore.load(null);
KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry)keyStore.getEntry("key1", null);
RSAPublicKey pubKey = (RSAPublicKey)keyEntry.getCertificate().getPublicKey();
RSAPrivateKey privKey = (RSAPrivateKey) keyEntry.getPrivateKey();

But i don't understand how can i save an existing key to it. Can anybody help me? Thanks in advance

like image 344
FUGAZI Avatar asked Nov 21 '13 18:11

FUGAZI

1 Answers

In KeyStore the private keys must be stored along with a certificate (even a fake self-signed certificate). To store your key in the AndroidKeyStore you should follow these steps:

  1. decode the Base64 PKCS#8 to get a PrivateKey instance
  2. either the web service sends a certificate (or certificate chain) along with the private key or the PKCS#8 blob also contain the public key.
  3. if required you need to generate a certificate for the private key. The BouncyCastle library can do this (a code sample can be found here).

Now you can add your key to the keystore.

PrivateKey myKey = getKey();
X509Certificate certificate = getCertificate();
KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
keyStore.load(null);
keystore.setKeyEntry("anAlias", myKey, null, new Certificate[] { certificate });
like image 181
Jcs Avatar answered Oct 01 '22 16:10

Jcs
Sign in to Comment

Related questions

JVM debug connector internals and security
Preventing java agents from attaching at runtime
What is the standard procedure used for login-systems in iOS-apps?
Security of scala runtime
Android word dictionary security issue
How to block libwww-perl access in .net?
The 'Access-Control-Allow-Origin' header has a value 'http://localhost:4200' that is not equal to the supplied origin
Anybody using Rhino Security?
How to make Google Tag Manager and Content-Security-Policy coexist?
UWP - Cross Device Data Encryption
What's the best tool for Javascript security auditing?
Why would using PrincipalSearcher be faster than FindByIdentity()?
Rolling out a web authentication system
JWT Security with IP Addresses
The HTTP request was forbidden with client authentication scheme 'Anonymous'
Rails plugin for API Key + Secret Key signing [closed]
How can I hide a password/username used in a bash script for accessing MySQL?
Changing bios code/flashing the bios
How to check the authenticity of a Chrome extension?
Can I put the npm node_modules directory outside of my 'webroot'

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!