I didn't realise there was a security Google group so have x-posted there. Please reply to that one if poss :) https://groups.google.com/forum/#!topic/android-security-discuss/dPaJAB48TPg
On Friday, 14 March 2014 18:40:24 UTC, Dori wrote:
>
> Hi, this is partly a sanity check and partly a cry for help!
>
> I have been playing with crypto stuff for a couple of days and my head
> feels like spaghetti - so apologies in advance.
>
> I'm trying to take advantage of the new hardware-backed (on some devices)
> keystore which has been publicly available since 4.3. My goal is to
> create a public / private key pair (RSA) so I can encrypt (using the public
> key) a local AES key and decrypt this AES key in hardware at the points I need
> to use it for other decryption tasks to be performed upon incoming data.
>
> I can't find much info on the new implementations - there is the info in
> the release notes
> http://developer.android.com/about/versions/android-4.3.html#Security which
> states
>
> *"To manage your app's private credentials in the Android Key Store,
> generate a new key with KeyPairGenerator
> <http://developer.android.com/reference/java/security/KeyPairGenerator.html>
> with KeyPairGeneratorSpec
> <http://developer.android.com/reference/android/security/KeyPairGeneratorSpec.html>.
> First get an instance of KeyPairGenerator
> <http://developer.android.com/reference/java/security/KeyPairGenerator.html>
> by calling getInstance()
> <http://developer.android.com/reference/java/security/KeyPairGenerator.html#getInstance(java.lang.String)>.
> Then call initialize()
> <http://developer.android.com/reference/java/security/KeyPairGenerator.html#initialize(int)>,
> passing it an instance of KeyPairGeneratorSpec
> <http://developer.android.com/reference/android/security/KeyPairGeneratorSpec.html>,
> which you can get using KeyPairGeneratorSpec.Builder
> <http://developer.android.com/reference/android/security/KeyPairGeneratorSpec.Builder.html>.
> Finally, get your KeyPair
> <http://developer.android.com/reference/java/security/KeyPair.html> by
> calling generateKeyPair()
> <http://developer.android.com/reference/java/security/KeyPairGenerator.html#generateKeyPair()>."*
>
> I am doing this using examples from Nikolay Elenkov's
> <http://www.blogger.com/profile/11035625669830795409> great blog post
> http://nelenkov.blogspot.co.uk/2013/08/credential-storage-enhancements-android-43.html
> with code like
>
>     import android.content.Context;
>     import android.security.KeyPairGeneratorSpec;
>     import java.math.BigInteger;
>     import java.security.KeyPair;
>     import java.security.KeyPairGenerator;
>     import java.util.Calendar;
>     import javax.security.auth.x500.X500Principal;
>
>     // generate a key pair
>     Context ctx = getContext();
>     String alias = "key1";                     // keystore alias for the new pair
>     Calendar notBefore = Calendar.getInstance();
>     Calendar notAfter = Calendar.getInstance();
>     notAfter.add(Calendar.YEAR, 1);            // certificate valid for one year from now
>     KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(ctx)
>             .setAlias(alias)
>             .setSubject(new X500Principal(
>                     String.format("CN=%s, OU=%s", alias, ctx.getPackageName())))
>             .setSerialNumber(BigInteger.ONE)
>             .setStartDate(notBefore.getTime())
>             .setEndDate(notAfter.getTime())
>             .build();
>
>     KeyPairGenerator kpGenerator = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
>     kpGenerator.initialize(spec);
>     KeyPair kp = kpGenerator.generateKeyPair();  // this call throws, see below
>
> The problem is that .generateKeyPair()
> <http://developer.android.com/reference/java/security/KeyPairGenerator.html#generateKeyPair()>
> throws
>
>     java.lang.IllegalStateException: Can't generate certificate
>     Caused by: java.lang.UnsupportedOperationException: private exponent cannot be extracted
>
> I get this is the main strength of hardware-backed creds. Does
> anyone know what the approach should be post 4.3? The method is not
> deprecated and this is not mentioned at all in the docs - which worries me
> a little - this does seem to be a theme of crypto libs I have found from my
> brief foray.
>
> Any pointers on what the new approach for key pair generation is and then
> how I may go about using the private key's alias for *DE*cryption
> would be amazing, even if it's to call me stupid for missing some
> fundamental javadoc or android dev training article or something.
>
> Many thanks
>
> Dori
>
>

-- You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
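The flow Dori describes (RSA pair in AndroidKeyStore, AES key encrypted under the public key, decrypted only by the keystore-held private key) is shown below as an added example; it is not code from the thread or from Nikolay Elenkov's post. It keeps the KeyPairGeneratorSpec builder from the message above and adds the two halves the message asks about: protecting the AES key with the exportable public key, and handing the ciphertext to a Cipher initialised with the keystore's PrivateKey, so the app never needs the private exponent at all. The stack trace in the message points at the self-signed certificate step inside generateKeyPair() as the failing call, which this code cannot avoid; what it does show is that everything after a successful generation works without extracting key material. The class name KeyStoreAesWrapper, the alias string, the choice of "RSA/ECB/PKCS1Padding" and the 256-bit AES size are this example's assumptions.

```java
import android.content.Context;
import android.security.KeyPairGeneratorSpec;

import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Calendar;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.x500.X500Principal;

// Added example (not from the thread): wrap a local AES key under an AndroidKeyStore RSA pair.
public final class KeyStoreAesWrapper {
    private static final String KEYSTORE = "AndroidKeyStore";
    // Assumption: PKCS#1 v1.5 padding is the transformation used here; a 32-byte AES key fits easily.
    private static final String RSA_TRANSFORM = "RSA/ECB/PKCS1Padding";

    private KeyStoreAesWrapper() {}

    // Generate the RSA pair once. Later runs find the alias and skip generation.
    public static void ensureRsaPair(Context ctx, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);                              // AndroidKeyStore takes no stream
        if (ks.containsAlias(alias)) {
            return;
        }
        Calendar notBefore = Calendar.getInstance();
        Calendar notAfter = Calendar.getInstance();
        notAfter.add(Calendar.YEAR, 1);             // self-signed cert valid for one year
        KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(ctx)
                .setAlias(alias)
                .setSubject(new X500Principal(
                        String.format("CN=%s, OU=%s", alias, ctx.getPackageName())))
                .setSerialNumber(BigInteger.ONE)
                .setStartDate(notBefore.getTime())
                .setEndDate(notAfter.getTime())
                .build();
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA", KEYSTORE);
        gen.initialize(spec);
        gen.generateKeyPair();                      // the step that fails in the message above
    }

    // A fresh random AES key; this is the secret the RSA pair protects.
    public static SecretKey newAesKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    // Encrypt the raw AES key bytes with the public key. The certificate (and so the
    // public key) is exportable, so this needs nothing from the hardware.
    public static byte[] wrapAesKey(String alias, SecretKey aesKey) throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        PublicKey pub = ks.getCertificate(alias).getPublicKey();
        Cipher rsa = Cipher.getInstance(RSA_TRANSFORM);
        rsa.init(Cipher.ENCRYPT_MODE, pub);
        return rsa.doFinal(aesKey.getEncoded());   // store these bytes alongside your data
    }

    // Decrypt with the keystore's PrivateKey object. Its getEncoded() returns null and the
    // exponent is never read; the Cipher delegates the RSA operation to the keystore.
    public static SecretKey unwrapAesKey(String alias, byte[] wrapped) throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) ks.getEntry(alias, null);
        PrivateKey priv = entry.getPrivateKey();
        Cipher rsa = Cipher.getInstance(RSA_TRANSFORM);
        rsa.init(Cipher.DECRYPT_MODE, priv);
        byte[] raw = rsa.doFinal(wrapped);
        return new SecretKeySpec(raw, "AES");       // use for the app's own AES decryption
    }
}
```

Typical use is ensureRsaPair(ctx, "key1") once, then wrapAesKey() at provisioning time and unwrapAesKey() whenever incoming data has to be decrypted. The AES key still exists in app memory after unwrapping; the keystore only guarantees that the RSA private key does not, so the raw key bytes should be dropped as soon as the AES work is done.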

