When to install keystore & when to install only certificate wrapped in keystore [duplicate]

I have a PKCS#12 file which I consider a keystore file, since it contains one key entry and one certificate entry.

In Android, I see people programmatically install keystore in the following way (The code is from Android developer blog):

byte[] keystore = . . (read from a PKCS#12 keystore)

Intent installIntent = KeyChain.createInstallIntent();
installIntent.putExtra(KeyChain.EXTRA_PKCS12, keystore);
startActivityForResult(installIntent, INSTALL_KEYSTORE_CODE);

I also see people programmatically install only the certificate wrapped inside keystore:

Intent intent = KeyChain.createInstallIntent();
intent.putExtra(KeyChain.EXTRA_CERTIFICATE, cert);
startActivity(intent);

Besides, I also see people install both the keystore & the certificate wrapped in keystore. For example, this article shows us how to first install keystore & then install the certificate wrapped in keystore programmatically.

I am really confused about when I should install only the keystore, when I should install only the certificate (wrapped inside the keystore), and when I should install both. Could someone make this clear to me, please?

For example, my PKCS#12 keystore file (mycert.p12) contains a key/certificate pair and is used to connect to a VPN server. When should my Android client install both the keystore and the certificate wrapped in the keystore? When should the client install only the certificate wrapped in the keystore? What are the differences? I am quite confused about this.

Leem.fin asked Nov 12 '13 13:11


1 Answer

I have a PKCS#12 file which I considered as a keystore file since it contains one key entry & one certificate entry.

Correct.

In Android, I see people programmatically install keystore in the following way ...

This is done when you have a keystore, i.e. a keypair and certificate.

I also see people programmatically install only the certificate wrapped inside keystore

This is done when you have someone else's certificate, typically a self-signed one, that isn't trusted by any of the default CAs (certificate authorities) that are already installed. You should never have to do this.

So note that you never do both with the same certificate, because the cases (the ownerships) are different. There can never be any doubt about which process is appropriate. If it's yours, import the keystore. If it's someone else's, import the certificate.

The ultimate normative reference for all this stuff is ITU Recommendation X.509.

Finally, some notes on the poor quality blog articles you have linked.

From Unifying key store access in ICS:

In the past, it was common practice for apps to maintain their own key store if they needed to authenticate a secure SSL web server, or authenticate the user to a server via a client certificate.

This is already incorrect.

  1. To authenticate a web server you shouldn't need anything, if it has a CA-signed certificate. If it has a self-signed certificate you will need to import it into your truststore.

  2. To authenticate yourself to a web server, you need a keystore containing your own private key and a certificate, preferably a CA-signed one. Otherwise the server has to import your self-signed certificate into its truststore, i.e. the converse of (1) above. Don't go down this path. Self-signed certificates are far more trouble than they are worth, which is nothing, as you can tell from the price you pay for them.

From Using ICS keychain API:

We first get the private key and certificate chain using the key alias and then create and verify a signature to check if the key is actually usable.

Complete nonsense. We already have the private key, the public key, and the certificate. They are already usable. Creating a signature and verifying it locally is just a complete waste of time.

Installing a CA certificate is not very different from installing a PKCS#12 file: you load the certificate in a byte array and pass it as an extra to the install intent.

The difference being that you use KeyChain.EXTRA_CERTIFICATE in the CA certificate case, and KeyChain.EXTRA_PKCS12 in the keystore case.

user207421 answered Sep 19 '22 17:09
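The decision rule in the answer (your own keypair plus certificate goes in with KeyChain.EXTRA_PKCS12; someone else's bare certificate goes in with KeyChain.EXTRA_CERTIFICATE) can be applied by inspecting the bytes rather than trusting a file extension. The following is an added illustration, not code from the question, the answer, or the linked blog posts. The class name CredentialInstaller, the request codes, and the assumption that the caller knows the PKCS#12 password are all hypothetical; the KeyChain extras and the java.security APIs are real.

```java
import android.content.Intent;
import android.security.KeyChain;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Enumeration;

// Hypothetical helper class (added example); not part of the Android SDK.
public final class CredentialInstaller {

    // Hypothetical request codes for startActivityForResult().
    public static final int INSTALL_KEYSTORE_CODE = 1;
    public static final int INSTALL_CA_CERT_CODE = 2;

    /** What a blob of credential bytes is, in the answer's terms. */
    public enum Kind { OWN_KEYPAIR, SOMEONE_ELSES_CERT, UNKNOWN }

    /**
     * Classify by content: a PKCS#12 holding at least one private-key entry is
     * "yours" (keypair + certificate), a bare X.509 certificate (DER or PEM) is
     * "someone else's" (a CA or a self-signed server certificate).
     */
    public static Kind classify(byte[] blob, char[] pkcs12Password) {
        try {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(new ByteArrayInputStream(blob), pkcs12Password);
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
                if (ks.isKeyEntry(e.nextElement())) {
                    return Kind.OWN_KEYPAIR;
                }
            }
            // A PKCS#12 with only certificate entries carries no key, so it is
            // not a keystore in the answer's sense; it is reported as UNKNOWN
            // here so the caller does not push raw PKCS#12 bytes into
            // EXTRA_CERTIFICATE by mistake.
            return Kind.UNKNOWN;
        } catch (GeneralSecurityException | IOException notPkcs12) {
            // Not a loadable PKCS#12 (or wrong password): try a bare X.509 cert.
        }
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            Certificate c = cf.generateCertificate(new ByteArrayInputStream(blob));
            if (c != null) {
                return Kind.SOMEONE_ELSES_CERT;
            }
        } catch (GeneralSecurityException notX509) {
            // Neither format parsed.
        }
        return Kind.UNKNOWN;
    }

    /**
     * Build the KeyChain install intent that matches the classification.
     * Exactly one of the two extras is ever set for a given blob.
     */
    public static Intent buildInstallIntent(byte[] blob, char[] pkcs12Password, String alias) {
        Intent intent = KeyChain.createInstallIntent();
        switch (classify(blob, pkcs12Password)) {
            case OWN_KEYPAIR:
                // Your keypair + certificate: the system prompts for the PKCS#12
                // password and stores the key under the chosen alias.
                intent.putExtra(KeyChain.EXTRA_PKCS12, blob);
                intent.putExtra(KeyChain.EXTRA_NAME, alias);
                return intent;
            case SOMEONE_ELSES_CERT:
                // A CA / self-signed certificate you need to trust: no key involved.
                intent.putExtra(KeyChain.EXTRA_CERTIFICATE, blob);
                intent.putExtra(KeyChain.EXTRA_NAME, alias);
                return intent;
            default:
                throw new IllegalArgumentException(
                        "blob is neither a PKCS#12 with a private key nor an X.509 certificate");
        }
    }

    // Usage from an Activity (assumed caller code):
    //   byte[] p12 = ...; // read mycert.p12 from wherever the app keeps it
    //   Intent i = CredentialInstaller.buildInstallIntent(p12, password, "vpn-client");
    //   startActivityForResult(i, CredentialInstaller.INSTALL_KEYSTORE_CODE);
}
```

For the VPN case in the question, mycert.p12 contains a private key, so classify() returns OWN_KEYPAIR and the intent carries EXTRA_PKCS12 only; the certificate inside it is installed as part of that one step and is never installed a second time with EXTRA_CERTIFICATE. The EXTRA_CERTIFICATE path is reserved for a certificate you do not hold the key for, such as the VPN server's CA certificate when it is not already in the device trust store.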