Menu
I would like to import into AndroidKeyStore a key. So, I can generate it by openssl in following way
openssl rsa -text -in privateKey2048.pem
openssl pkcs8 -topk8 -inform PEM -in ./privateKey2048.pem -outform DER -out private2048.der -nocrypt
then I can convert it from private2048.der into hex format, which can be converted in byteArray in android app. But it's not clear for me, How to import this byteArray into AndroidKeyStore?
So in general, my question is how import into KeyStore key which exist as a String or byteArray?
ps: I know that it is possible to generate a keyPair by keyPairGenerator.generateKeyPair(), but I would like to import my key, for example generated by openssl and then hard-coded in application.
662
The rsa command processes RSA keys. They can be converted between various forms and their components printed out. Note this command uses the traditional SSLeay compatible format for private key encryption: newer applications should use the more secure PKCS#8 format using the pkcs8 utility.
A public/private key RSA pair is generated, which is stored in the Android device's keystore and protected usually by the device PIN. An AES-based symmetric key is also generated, which is used to encrypt and decrypt the secrets.
In the menu bar, click Build > Generate Signed Bundle/APK. In the Generate Signed Bundle or APK dialog, select Android App Bundle or APK and click Next. Below the field for Key store path, click Create new. On the New Key Store window, provide the following information for your keystore and key, as shown in figure 2.
It's not a good idea to hard-code a private key into your application. This key is compromised because the contents of your APK are not secret and thus the key can be extracted from the APK. If you're still believe you need to do this despite this warning, read on.
To import the private key into the Android Keystore, you need to represent it as a PrivateKey instance and then you also need an X.509 certificate (for the public key corresponding to the private key) represented as an X509Certificate instance. This is because JCA KeyStore abstraction does not support storing private keys without a certificate.
To convert the PKCS#8 DER encoded private key into a PrivateKey:
PrivateKey privateKey =
KeyFactory.getInstance("RSA").generatePrivate(
new PKCS8EncodedKeySpec(privateKeyPkcs8));
To convert the PEM or DER encoded certificate into a Certificate:
Certificate cert =
CertificateFactory.getInstance("X.509").generateCertificate(
new ByteArrayInputStream(pemOrDerEncodedCert));
Finally, to import the private key and the cert into Android Keystore's "myKeyAlias" entry:
KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
ks.load(null);
ks.setKeyEntry("myKeyAlias", privateKey, null, new Certificate[] {cert});
See more advanced examples at https://developer.android.com/reference/android/security/keystore/KeyProtection.html.
174
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
