Given that there are many known issues with Android Keystore and its tendency to lose data or just generally fail (see here, here, here, here, here and here), I would be interested to know whether any developer has used Android Keystore in a live application to generate keys and did not encounter a lot of crash reports due to Keystore being unable to create a key or to retrieve a key from the Keystore. How did you get around the known issues? I am particularly interested in a scenario in which the KeyPairGenerator class is used to create a private-public key pair that does not require user authentication (i.e. does not require a screen lock on the device).
Edit: I have included below the code that I use to create a private-public key pair via Android Keystore:
// Imports used by the snippet below.
import android.content.Context;
import android.os.Build;
import android.security.KeyPairGeneratorSpec;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.support.annotation.NonNull;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Calendar;
import java.util.Date;
import javax.security.auth.x500.X500Principal;

// Generates an RSA key pair inside the Android Keystore under keyAlias. The private
// key never leaves the Keystore; any failure is wrapped in the app's CryptoException.
KeyPair createPrivateKeyEntry(@NonNull Context context,
                              @NonNull String keyAlias) throws CryptoException {
    try {
        AlgorithmParameterSpec spec = getAlgorithmParameterSpec(context, keyAlias);
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(
                "RSA",
                "AndroidKeyStore"
        );
        keyPairGenerator.initialize(spec);
        return keyPairGenerator.generateKeyPair();
    } catch (Exception e) {
        String message = "Unexpected error when attempting to create a private key entry.";
        throw new CryptoException(message, e);
    }
}

// Builds the generator spec for the running API level: KeyGenParameterSpec on
// API 23+ (purposes and paddings are enforced by the Keystore), the older
// KeyPairGeneratorSpec below that. Neither variant requires user authentication.
private AlgorithmParameterSpec getAlgorithmParameterSpec(@NonNull Context context,
                                                         @NonNull String keyAlias) {
    int keySize = 2048;
    // Metadata for the self-signed certificate stored alongside the public key.
    X500Principal subject = new X500Principal("CN=" + keyAlias);
    BigInteger serialNumber = BigInteger.valueOf(1337);
    Calendar validityStartCalendar = Calendar.getInstance();
    Calendar validityEndCalendar = Calendar.getInstance();
    validityEndCalendar.add(Calendar.YEAR, 99);
    Date validityStartDate = validityStartCalendar.getTime();
    Date validityEndDate = validityEndCalendar.getTime();
    AlgorithmParameterSpec spec;
    if (Build.VERSION.SDK_INT >= 23) {
        spec = new KeyGenParameterSpec.Builder(keyAlias,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setKeySize(keySize)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
                .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
                .setCertificateSubject(subject)
                .setCertificateSerialNumber(serialNumber)
                .setKeyValidityStart(validityStartDate)
                .setKeyValidityEnd(validityEndDate)
                .setUserAuthenticationRequired(false) // explicit: no screen lock needed
                .build();
    } else {
        spec = new KeyPairGeneratorSpec.Builder(context)
                .setAlias(keyAlias)
                .setKeySize(keySize)
                .setSubject(subject)
                .setSerialNumber(serialNumber)
                .setStartDate(validityStartDate)
                .setEndDate(validityEndDate)
                .build();
    }
    return spec;
}
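One defensive wrapper for the failure mode the question describes, as an added example rather than the asker's code: it loads the existing entry, validates it, and on any Keystore error deletes the alias and regenerates instead of letting the exception surface as a crash. It assumes it lives in the same class as the `createPrivateKeyEntry` method and `CryptoException` type shown above, and that `android.support.annotation.NonNull` is available.

```java
import android.content.Context;
import android.support.annotation.NonNull;
import android.util.Log;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.cert.Certificate;

final class KeystoreKeyLoader { // hypothetical holder for the methods below
    private static final String TAG = "KeystoreKeyLoader";
    // Returns the key pair under keyAlias, creating it when absent. An alias that
    // Keystore lists but cannot hand back (the "lost key" symptom in the question)
    // is deleted and recreated instead of crashing; data under the old key is gone.
    KeyPair getOrCreateKeyPair(@NonNull Context context,
                               @NonNull String keyAlias) throws CryptoException {
        try {
            KeyStore keyStore = openKeyStore();
            if (keyStore.containsAlias(keyAlias)) {
                KeyStore.Entry entry = keyStore.getEntry(keyAlias, null);
                if (entry instanceof KeyStore.PrivateKeyEntry) {
                    KeyStore.PrivateKeyEntry pke = (KeyStore.PrivateKeyEntry) entry;
                    Certificate cert = pke.getCertificate();
                    if (pke.getPrivateKey() != null && cert != null) {
                        return new KeyPair(cert.getPublicKey(), pke.getPrivateKey());
                    }
                }
                Log.w(TAG, "Keystore entry exists but is unusable, regenerating");
                deleteQuietly(keyAlias);
            }
        } catch (Exception e) {
            // On affected devices the lookup itself throws (typically an
            // UnrecoverableKeyException); record it and fall through to regenerate.
            Log.w(TAG, "Keystore lookup failed, regenerating key pair", e);
            deleteQuietly(keyAlias);
        }
        // createPrivateKeyEntry is the asker's method shown above (assumed in scope).
        return createPrivateKeyEntry(context, keyAlias);
    }
    private KeyStore openKeyStore() throws Exception {
        KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
        keyStore.load(null); // AndroidKeyStore takes no stream or password
        return keyStore;
    }
    // Best-effort removal of a stale alias so key generation does not collide with it.
    private void deleteQuietly(String keyAlias) {
        try {
            openKeyStore().deleteEntry(keyAlias);
        } catch (Exception e) {
            Log.w(TAG, "Could not delete stale Keystore entry", e);
        }
    }
}
```

Regenerating only avoids the crash; whatever was encrypted under the previous key must be re-provisioned (for example by asking the user to sign in again), so report the regeneration to your analytics rather than hiding it.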