1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
|
/*
* Copyright (C) 2013 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.example.android.basicandroidkeystore;
import android.content.Context;
import android.os.Bundle;
import android.security.KeyPairGeneratorSpec;
import android.support.v4.app.Fragment;
import android.util.Base64;
import android.view.MenuItem;
import com.example.android.common.logger.Log;
import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.UnrecoverableEntryException;
import java.security.cert.CertificateException;
import java.util.Calendar;
import java.util.GregorianCalendar;
import javax.security.auth.x500.X500Principal;
public class BasicAndroidKeyStoreFragment extends Fragment {
public static final String TAG = "BasicAndroidKeyStoreFragment";
// BEGIN_INCLUDE(values)
public static final String SAMPLE_ALIAS = "myKey";
// Some sample data to sign, and later verify using the generated signature.
public static final String SAMPLE_INPUT="Hello, Android!";
// Just a handy place to store the signature in between signing and verifying.
public String mSignatureStr = null;
// You can store multiple key pairs in the Key Store. The string used to refer to the Key you
// want to store, or later pull, is referred to as an "alias" in this case, because calling it
// a key, when you use it to retrieve a key, would just be irritating.
private String mAlias = null;
// END_INCLUDE(values)
@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setHasOptionsMenu(true);
setAlias(SAMPLE_ALIAS);
}
@Override
public void onActivityCreated(Bundle savedInstanceState) {
super.onActivityCreated(savedInstanceState);
}
@Override
public boolean onOptionsItemSelected(MenuItem item) {
switch (item.getItemId()) {
case R.id.btn_create_keys:
try {
createKeys(getActivity());
Log.d(TAG, "Keys created");
return true;
} catch (NoSuchAlgorithmException e) {
Log.w(TAG, "RSA not supported", e);
} catch (InvalidAlgorithmParameterException e) {
Log.w(TAG, "No such provider: AndroidKeyStore");
} catch (NoSuchProviderException e) {
Log.w(TAG, "Invalid Algorithm Parameter Exception", e);
}
return true;
case R.id.btn_sign_data:
try {
mSignatureStr = signData(SAMPLE_INPUT);
} catch (KeyStoreException e) {
Log.w(TAG, "KeyStore not Initialized", e);
} catch (UnrecoverableEntryException e) {
Log.w(TAG, "KeyPair not recovered", e);
} catch (NoSuchAlgorithmException e) {
Log.w(TAG, "RSA not supported", e);
} catch (InvalidKeyException e) {
Log.w(TAG, "Invalid Key", e);
} catch (SignatureException e) {
Log.w(TAG, "Invalid Signature", e);
} catch (IOException e) {
Log.w(TAG, "IO Exception", e);
} catch (CertificateException e) {
Log.w(TAG, "Error occurred while loading certificates", e);
}
Log.d(TAG, "Signature: " + mSignatureStr);
return true;
case R.id.btn_verify_data:
boolean verified = false;
try {
if (mSignatureStr != null) {
verified = verifyData(SAMPLE_INPUT, mSignatureStr);
}
} catch (KeyStoreException e) {
Log.w(TAG, "KeyStore not Initialized", e);
} catch (CertificateException e) {
Log.w(TAG, "Error occurred while loading certificates", e);
} catch (NoSuchAlgorithmException e) {
Log.w(TAG, "RSA not supported", e);
} catch (IOException e) {
Log.w(TAG, "IO Exception", e);
} catch (UnrecoverableEntryException e) {
Log.w(TAG, "KeyPair not recovered", e);
} catch (InvalidKeyException e) {
Log.w(TAG, "Invalid Key", e);
} catch (SignatureException e) {
Log.w(TAG, "Invalid Signature", e);
}
if (verified) {
Log.d(TAG, "Data Signature Verified");
} else {
Log.d(TAG, "Data not verified.");
}
return true;
}
return false;
}
/**
* Creates a public and private key and stores it using the Android Key Store, so that only
* this application will be able to access the keys.
*/
public void createKeys(Context context) throws NoSuchProviderException,
NoSuchAlgorithmException, InvalidAlgorithmParameterException {
// BEGIN_INCLUDE(create_valid_dates)
// Create a start and end time, for the validity range of the key pair that's about to be
// generated.
Calendar start = new GregorianCalendar();
Calendar end = new GregorianCalendar();
end.add(Calendar.YEAR, 1);
//END_INCLUDE(create_valid_dates)
// BEGIN_INCLUDE(create_spec)
// The KeyPairGeneratorSpec object is how parameters for your key pair are passed
// to the KeyPairGenerator. For a fun home game, count how many classes in this sample
// start with the phrase "KeyPair".
KeyPairGeneratorSpec spec =
new KeyPairGeneratorSpec.Builder(context)
// You'll use the alias later to retrieve the key. It's a key for the key!
.setAlias(mAlias)
// The subject used for the self-signed certificate of the generated pair
.setSubject(new X500Principal("CN=" + mAlias))
// The serial number used for the self-signed certificate of the
// generated pair.
.setSerialNumber(BigInteger.valueOf(1337))
// Date range of validity for the generated pair.
.setStartDate(start.getTime())
.setEndDate(end.getTime())
.build();
// END_INCLUDE(create_spec)
// BEGIN_INCLUDE(create_keypair)
// Initialize a KeyPair generator using the the intended algorithm (in this example, RSA
// and the KeyStore. This example uses the AndroidKeyStore.
KeyPairGenerator kpGenerator = KeyPairGenerator
.getInstance(SecurityConstants.TYPE_RSA,
SecurityConstants.KEYSTORE_PROVIDER_ANDROID_KEYSTORE);
kpGenerator.initialize(spec);
KeyPair kp = kpGenerator.generateKeyPair();
Log.d(TAG, "Public Key is: " + kp.getPublic().toString());
// END_INCLUDE(create_keypair)
}
/**
* Signs the data using the key pair stored in the Android Key Store. This signature can be
* used with the data later to verify it was signed by this application.
* @return A string encoding of the data signature generated
*/
public String signData(String inputStr) throws KeyStoreException,
UnrecoverableEntryException, NoSuchAlgorithmException, InvalidKeyException,
SignatureException, IOException, CertificateException {
byte[] data = inputStr.getBytes();
// BEGIN_INCLUDE(sign_load_keystore)
KeyStore ks = KeyStore.getInstance(SecurityConstants.KEYSTORE_PROVIDER_ANDROID_KEYSTORE);
// Weird artifact of Java API. If you don't have an InputStream to load, you still need
// to call "load", or it'll crash.
ks.load(null);
// Load the key pair from the Android Key Store
KeyStore.Entry entry = ks.getEntry(mAlias, null);
/* If the entry is null, keys were never stored under this alias.
* Debug steps in this situation would be:
* -Check the list of aliases by iterating over Keystore.aliases(), be sure the alias
* exists.
* -If that's empty, verify they were both stored and pulled from the same keystore
* "AndroidKeyStore"
*/
if (entry == null) {
Log.w(TAG, "No key found under alias: " + mAlias);
Log.w(TAG, "Exiting signData()...");
return null;
}
/* If entry is not a KeyStore.PrivateKeyEntry, it might have gotten stored in a previous
* iteration of your application that was using some other mechanism, or been overwritten
* by something else using the same keystore with the same alias.
* You can determine the type using entry.getClass() and debug from there.
*/
if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
Log.w(TAG, "Not an instance of a PrivateKeyEntry");
Log.w(TAG, "Exiting signData()...");
return null;
}
// END_INCLUDE(sign_data)
// BEGIN_INCLUDE(sign_create_signature)
// This class doesn't actually represent the signature,
// just the engine for creating/verifying signatures, using
// the specified algorithm.
Signature s = Signature.getInstance(SecurityConstants.SIGNATURE_SHA256withRSA);
// Initialize Signature using specified private key
s.initSign(((KeyStore.PrivateKeyEntry) entry).getPrivateKey());
// Sign the data, store the result as a Base64 encoded String.
s.update(data);
byte[] signature = s.sign();
String result = Base64.encodeToString(signature, Base64.DEFAULT);
// END_INCLUDE(sign_data)
return result;
}
/**
* Given some data and a signature, uses the key pair stored in the Android Key Store to verify
* that the data was signed by this application, using that key pair.
* @param input The data to be verified.
* @param signatureStr The signature provided for the data.
* @return A boolean value telling you whether the signature is valid or not.
*/
public boolean verifyData(String input, String signatureStr) throws KeyStoreException,
CertificateException, NoSuchAlgorithmException, IOException,
UnrecoverableEntryException, InvalidKeyException, SignatureException {
byte[] data = input.getBytes();
byte[] signature;
// BEGIN_INCLUDE(decode_signature)
// Make sure the signature string exists. If not, bail out, nothing to do.
if (signatureStr == null) {
Log.w(TAG, "Invalid signature.");
Log.w(TAG, "Exiting verifyData()...");
return false;
}
try {
// The signature is going to be examined as a byte array,
// not as a base64 encoded string.
signature = Base64.decode(signatureStr, Base64.DEFAULT);
} catch (IllegalArgumentException e) {
// signatureStr wasn't null, but might not have been encoded properly.
// It's not a valid Base64 string.
return false;
}
// END_INCLUDE(decode_signature)
KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
// Weird artifact of Java API. If you don't have an InputStream to load, you still need
// to call "load", or it'll crash.
ks.load(null);
// Load the key pair from the Android Key Store
KeyStore.Entry entry = ks.getEntry(mAlias, null);
if (entry == null) {
Log.w(TAG, "No key found under alias: " + mAlias);
Log.w(TAG, "Exiting verifyData()...");
return false;
}
if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
Log.w(TAG, "Not an instance of a PrivateKeyEntry");
return false;
}
// This class doesn't actually represent the signature,
// just the engine for creating/verifying signatures, using
// the specified algorithm.
Signature s = Signature.getInstance(SecurityConstants.SIGNATURE_SHA256withRSA);
// BEGIN_INCLUDE(verify_data)
// Verify the data.
s.initVerify(((KeyStore.PrivateKeyEntry) entry).getCertificate());
s.update(data);
return s.verify(signature);
// END_INCLUDE(verify_data)
}
public void setAlias(String alias) {
mAlias = alias;
}
}
|
