Hi, this is partly a sanity check and partly a cry for help! I have been playing with crypto stuff for a couple of days and my head feels like spaghetti - so apologies in advance.
I'm trying to take advantage of the new hardware-backed (on some devices) keystore which has been publicly available since 4.3. My goal is to create a public / private key pair (RSA) so I can encrypt (using the public key) a local AES key and decrypt this AES key in hardware at the points I need to use it for other decryption tasks to be performed upon incoming data. I can't find much info on the new implementations - there is the info in the release notes http://developer.android.com/about/versions/android-4.3.html#Security which states *"To manage your app's private credentials in the Android Key Store, generate a new key with KeyPairGenerator <http://developer.android.com/reference/java/security/KeyPairGenerator.html> with KeyPairGeneratorSpec <http://developer.android.com/reference/android/security/KeyPairGeneratorSpec.html>. First get an instance of KeyPairGenerator <http://developer.android.com/reference/java/security/KeyPairGenerator.html> by calling getInstance() <http://developer.android.com/reference/java/security/KeyPairGenerator.html#getInstance(java.lang.String)>. Then call initialize() <http://developer.android.com/reference/java/security/KeyPairGenerator.html#initialize(int)>, passing it an instance of KeyPairGeneratorSpec <http://developer.android.com/reference/android/security/KeyPairGeneratorSpec.html>, which you can get using KeyPairGeneratorSpec.Builder <http://developer.android.com/reference/android/security/KeyPairGeneratorSpec.Builder.html>.
Finally, get your KeyPair <http://developer.android.com/reference/java/security/KeyPair.html> by calling generateKeyPair() <http://developer.android.com/reference/java/security/KeyPairGenerator.html#generateKeyPair()>."* I am doing this using examples from Nikolay Elenkov's <http://www.blogger.com/profile/11035625669830795409> great blog post http://nelenkov.blogspot.co.uk/2013/08/credential-storage-enhancements-android-43.html with code like:

    import java.math.BigInteger;
    import java.security.KeyPair;
    import java.security.KeyPairGenerator;
    import java.util.Calendar;
    import javax.security.auth.x500.X500Principal;
    import android.content.Context;
    import android.security.KeyPairGeneratorSpec;

    // generate a key pair
    Context ctx = getContext();
    String alias = "key1";
    // self-signed certificate validity: from now until one year from now
    Calendar notBefore = Calendar.getInstance();
    Calendar notAfter = Calendar.getInstance();
    notAfter.add(Calendar.YEAR, 1);
    KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(ctx)
            .setAlias(alias)
            .setSubject(new X500Principal(String.format("CN=%s, OU=%s", alias, ctx.getPackageName())))
            .setSerialNumber(BigInteger.ONE)
            .setStartDate(notBefore.getTime())
            .setEndDate(notAfter.getTime())
            .build();
    // "AndroidKeyStore" is the provider that keeps the private key inside the keystore
    KeyPairGenerator kpGenerator = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
    kpGenerator.initialize(spec);
    KeyPair kp = kpGenerator.generateKeyPair();

The problem is generateKeyPair() <http://developer.android.com/reference/java/security/KeyPairGenerator.html#generateKeyPair()> throws java.lang.IllegalStateException: Can't generate certificate *Caused by:* java.lang.UnsupportedOperationException: private exponent cannot be extracted. I get this is the main strength of hardware-backed creds. Does anyone know what the approach should be post 4.3? The method is not deprecated and this is not mentioned at all in the docs - which worries me a little - this does seem to be a theme of crypto libs I have found from my brief foray. Any pointers on what the new approach for key pair generation is and then how I may go about using the private key's alias for *DE*cryption would be amazing, even if it's to call me stupid for missing some fundamental javadoc or android dev training article or something.
Many thanks, Dori
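The second half of the question, using the alias for decryption without ever exporting the private key, looks like the following. This is an added example, not code from Dori's post or from Nikolay Elenkov's blog; it assumes the RSA pair already exists in the AndroidKeyStore under alias "key1" and that the default Cipher provider accepts keystore-backed key handles (as the AndroidOpenSSL provider does on 4.3).

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import android.security.KeyChain;

public final class WrappedAesKey {
    private static final String ALIAS = "key1";          // assumed alias from the post
    private static final String RSA = "RSA/ECB/PKCS1Padding";

    // Look the pair up by alias. The PrivateKey returned is only a handle into the
    // keystore, so nothing here ever asks for the private exponent.
    private static KeyStore.PrivateKeyEntry loadEntry() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        KeyStore.Entry entry = ks.getEntry(ALIAS, null);
        if (!(entry instanceof KeyStore.PrivateKeyEntry))
            throw new IllegalStateException("no RSA key pair under alias " + ALIAS);
        return (KeyStore.PrivateKeyEntry) entry;
    }

    // API 18+: true only if this device's keymaster keeps RSA keys in hardware;
    // otherwise the pair is software-backed and worth flagging in a risk review.
    public static boolean isHardwareBacked() {
        return KeyChain.isBoundKeyAlgorithm("RSA");
    }

    // Create a fresh AES-256 key and return it wrapped under the RSA public key.
    public static byte[] generateAndWrapAesKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, new SecureRandom());
        PublicKey pub = loadEntry().getCertificate().getPublicKey();
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.ENCRYPT_MODE, pub);
        return rsa.doFinal(kg.generateKey().getEncoded());
    }

    // Unwrap at the point of use; the RSA decryption runs inside the keystore.
    public static SecretKey unwrapAesKey(byte[] wrapped) throws Exception {
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.DECRYPT_MODE, loadEntry().getPrivateKey());
        byte[] raw = rsa.doFinal(wrapped);
        if (raw.length != 32) throw new IllegalStateException("unexpected AES key length");
        SecretKey aes = new SecretKeySpec(raw, "AES");  // SecretKeySpec copies the bytes
        Arrays.fill(raw, (byte) 0);                      // don't leave the plaintext key on the heap
        return aes;
    }
}
```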