
KeyPairGeneratorSpec deprecated

KeyPairGeneratorSpec is deprecated since API 23. How do you handle this warning?

Example code:

KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
kpg.initialize(new KeyPairGeneratorSpec.Builder(context).build());
Alex asked Feb 08 '16 12:02

Alex


2 Answers

Per the documentation, you should use KeyGenParameterSpec instead. For example (for an RSA signing key):

KeyPairGenerator kpg = KeyPairGenerator.getInstance(
        KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
kpg.initialize(new KeyGenParameterSpec.Builder(
        "mykey", KeyProperties.PURPOSE_SIGN)
        .setDigests(KeyProperties.DIGEST_SHA256)
        .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PSS)
        .build());

The additional options to set digest and padding mode are required. This is because, following good crypto security practices, AndroidKeyStore now locks down the ways a key can be used (signing vs decryption, digest and padding modes, etc.) to a specified set. If you try to use a key in a way you didn't specify when you created it, it will fail. This failure is actually enforced by the secure hardware, if your device has it, so even if an attacker roots the device the key can still only be used in the defined ways.

KeyGenParameterSpec also supports creating ECDSA, AES and HMAC keys, and allows you to place other restrictions on how the keys can be used. For example, if you use the setUserAuthenticationRequired method, it will be impossible to use the key unless the user is around to authenticate themselves.

divegeek answered Oct 28 '22 02:10

divegeek
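
The usage lock-down described in the answer above, as an added example that is not part of the original answer: it creates a key authorized only for SHA-256 with PSS, then tries the authorized use, a different digest and a different padding, and checks whether the key sits in secure hardware. The class name, method names and the alias `demo_signing_key` are assumptions made for this example; it needs API 23+ and a device or emulator.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;

public final class KeyUseRestrictionDemo {
    private static final String ALIAS = "demo_signing_key"; // hypothetical alias
    /** Creates an RSA key authorized only for SHA-256 + PSS signing (API 23+). */
    static PrivateKey generate() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PSS)
                .build());
        return kpg.generateKeyPair().getPrivate();
    }

    /** True if the keystore lets this key sign under the given JCA algorithm name. */
    static boolean canSign(PrivateKey key, String algorithm, byte[] data) {
        try {
            Signature s = Signature.getInstance(algorithm);
            s.initSign(key); // the keystore checks digest and padding against the spec
            s.update(data);
            return s.sign().length > 0;
        } catch (GeneralSecurityException e) {
            return false; // e.g. InvalidKeyException for an unauthorized digest or padding
        }
    }

    /** True if the key is in secure hardware (deprecated in API 31 for getSecurityLevel()). */
    static boolean isHardwareBacked(PrivateKey key) throws GeneralSecurityException {
        KeyFactory kf = KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
        return kf.getKeySpec(key, KeyInfo.class).isInsideSecureHardware();
    }

    /** Returns {authorized use, other digest, other padding, hardware-backed}. */
    static boolean[] run() throws GeneralSecurityException {
        PrivateKey key = generate();
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        return new boolean[] { canSign(key, "SHA256withRSA/PSS", msg),
                canSign(key, "SHA512withRSA/PSS", msg), canSign(key, "SHA256withRSA", msg),
                isHardwareBacked(key) };
    }
}
```

Per the answer's description, only the first attempt matches what the key was created for; the last value depends on the device.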


From SDK 18 to 23 = KeyPairGeneratorSpec

SDK 23 and above = KeyGenParameterSpec

import android.content.Context
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.annotation.RequiresApi
import java.math.BigInteger
import java.security.spec.AlgorithmParameterSpec
import java.util.Calendar
import java.util.GregorianCalendar
import javax.security.auth.x500.X500Principal

// `alias` is assumed to be a String? property of the enclosing class.
@RequiresApi(Build.VERSION_CODES.JELLY_BEAN_MR2)
fun setAlgorithmParameterSpec(context: Context?) {
    val start = GregorianCalendar()
    val end = GregorianCalendar()
    end.add(Calendar.YEAR, 10)
    val spec: AlgorithmParameterSpec?
    if (Build.VERSION.SDK_INT < 23) {
        spec = context?.let {
            android.security.KeyPairGeneratorSpec.Builder(it)
                // Alias - is a key for your KeyPair, to obtain it from Keystore in future.
                .setAlias(alias ?: "")
                // The subject used for the self-signed certificate of the generated pair
                .setSubject(X500Principal("CN=$alias"))
                // The serial number used for the self-signed certificate of the generated pair.
                .setSerialNumber(BigInteger.valueOf(1337))
                // Date range of validity for the generated pair.
                .setStartDate(start.time).setEndDate(end.time)
                .build()
        }
    } else {
        spec = KeyGenParameterSpec.Builder(alias ?: "", KeyProperties.PURPOSE_DECRYPT)
            .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
            .build()
    }
    // spec is the value to pass to KeyPairGenerator.initialize().
}
Malith Kuruwita answered Oct 28 '22 03:10

Malith Kuruwita