KeyGenParameterSpec does not support this. The only reason a certificate is created when generating a key pair in Android Keystore is because the java.security.KeyStore abstraction requires a certificate for storing a key pair. If you want more control over the certificate, you should use some library (e.g., Bouncy Castle) to generate the certificate you want for the key pair in question. You can then replace the original certificate with the new one in the KeyStore.
Alex

On Thu, Sep 24, 2015, 09:44 Michael Adams <mjabanking...@gmail.com> wrote:
> I have a requirement to generate self-signed X.509 certificates with the
> 'Key Usage' (i.e. purpose) extension specified. I note that Android API 23
> (Marshmallow) provides a KeyGenParameterSpec.Builder where the key
> purpose is specified in the constructor (see below).
>
> KeyPairGenerator keyPairGenerator =
>     KeyPairGenerator.getInstance(
>         KeyProperties.KEY_ALGORITHM_RSA,
>         KEYSTORE_PROVIDER_ANDROID_KEYSTORE);
> keyPairGenerator.initialize(
>     new KeyGenParameterSpec.Builder(
>         alias,
>         KeyProperties.PURPOSE_SIGN)
>     .setCertificateSubject(new X500Principal("CN=Subject"))
>     .setDigests(KeyProperties.DIGEST_SHA256)
>     .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
>     .setCertificateNotBefore(start.getTime())
>     .setCertificateNotAfter(end.getTime())
>     .setKeyValidityStart(start.getTime())
>     .setKeyValidityEnd(end.getTime())
>     .setKeySize(2048)
>     .setCertificateSerialNumber(BigInteger.valueOf(1337))
>     .build());
> keyPairGenerator.generateKeyPair();
>
> However, the certificate produced does not appear to include the Key Usage
> extension. Please see the screen shot below.
>
> <https://lh3.googleusercontent.com/-jPO9kxxwDqQ/VfmAk_PXoSI/AAAAAAAAAAg/-hhKx0MlP40/s1600/not%2Bincluded.PNG>
>
> As a comparison, the following screen shot shows a certificate generated
> on a Windows PC, which includes the key usage extension.
>
> <https://lh3.googleusercontent.com/-NfMZiEwdUO8/VfmA82aq3SI/AAAAAAAAAAo/hvkOQFuml94/s1600/included.PNG>
>
> Please could someone advise whether I am using the KeyGenParameterSpec.Builder
> incorrectly, or whether it does not support including the key usage extension in
> the generated certificate? If it isn't supported, is there another way of
> inserting the key usage extension into the certificate?
>
> Regards, Michael
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to android-security-discuss+unsubscr...@googlegroups.com.
> To post to this group, send email to android-security-discuss@googlegroups.com.
> Visit this group at http://groups.google.com/group/android-security-discuss.
> For more options, visit https://groups.google.com/d/optout.
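The approach Alex describes, as an added example that is not code from this thread or from the Android project: it assumes a key pair already generated in AndroidKeyStore with the parameters Michael posted (alias, PURPOSE_SIGN, SHA-256, RSA PKCS#1, subject "CN=Subject", serial 1337) and Bouncy Castle's bcpkix library on the classpath; the class name and method name are my own.

```java
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class KeyUsageCertReplacer {
    // Swaps the placeholder self-signed certificate that AndroidKeyStore created for 'alias'
    // for one carrying a critical Key Usage extension. Assumes the key pair was generated
    // with KeyProperties.PURPOSE_SIGN as in the thread; the private key never leaves the keystore.
    public static X509Certificate replaceWithKeyUsageCert(String alias, Date notBefore, Date notAfter)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) ks.getEntry(alias, null);

        X500Name subject = new X500Name("CN=Subject");           // self-signed: issuer == subject
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                subject, BigInteger.valueOf(1337), notBefore, notAfter, subject,
                entry.getCertificate().getPublicKey());          // reuse the keystore's public key
        // Key Usage limited to what the key is authorized for (PURPOSE_SIGN => digitalSignature).
        builder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature));

        // Signing goes through the JCA; the provider is chosen from the AndroidKeyStore key handle.
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(entry.getPrivateKey());
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(builder.build(signer).getEncoded()));

        // Same alias and same AndroidKeyStore private key: only the certificate chain is replaced.
        ks.setKeyEntry(alias, entry.getPrivateKey(), null, new Certificate[] { cert });

        // Check: the stored certificate now has digitalSignature (bit 0) set in Key Usage.
        X509Certificate stored = (X509Certificate) ks.getCertificate(alias);
        boolean[] usage = stored.getKeyUsage();
        if (usage == null || !usage[0]) {
            throw new IllegalStateException("Key Usage extension missing after replacement");
        }
        return stored;
    }
}
```

Keep the Key Usage bits consistent with the purposes the key was created with, since a certificate claiming more than the keystore will authorize is misleading to relying parties.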