Android KeyStore implementation for <4.3
I am planning to use KeyStore
in my android application to encrypt the AES key with KeyPair
which is stored internally KeyStore
. Android Documentation for KeyStore:
https://developer.android.com/training/articles/keystore.html
After searching on the internet, I found an example AOSP that I edited:
/* * Copyright (C) 2013 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ import android.annotation.TargetApi; import android.content.Context; import android.os.Build; import android.security.KeyPairGeneratorSpec; import java.io.IOException; import java.math.BigInteger; import java.security.GeneralSecurityException; import java.security.KeyPair; import java.security.KeyPairGenerator; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.UnrecoverableEntryException; import java.util.Calendar; import java.util.GregorianCalendar; import javax.crypto.Cipher; import javax.crypto.SecretKey; import javax.security.auth.x500.X500Principal; /** * Wraps {@link SecretKey} instances using a public/private key pair stored in * the platform {@link KeyStore}. This allows us to protect symmetric keys with * hardware-backed crypto, if provided by the device. * <p> * See <a href="http://en.wikipedia.org/wiki/Key_Wrap">key wrapping</a> for more * details. * <p> * Not inherently thread safe. * * Some explanations: * http://nelenkov.blogspot.nl/2013/08/credential-storage-enhancements-android-43.html */ public class SecretKeyWrapper { private final Cipher mCipher; private final KeyPair mPair; /** * Create a wrapper using the public/private key pair with the given alias. * If no pair with that alias exists, it will be generated. */ public SecretKeyWrapper(Context context, String alias) throws GeneralSecurityException, IOException { mCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding"); final KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore"); keyStore.load(null); if (!keyStore.containsAlias(alias)) { generateKeyPair(context, alias); } // Even if we just generated the key, always read it back to ensure we // can read it successfully. final KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) keyStore.getEntry( alias, null); mPair = new KeyPair(entry.getCertificate().getPublicKey(), entry.getPrivateKey()); } @TargetApi(Build.VERSION_CODES.JELLY_BEAN_MR2) private static void generateKeyPair(Context context, String alias) throws GeneralSecurityException { final Calendar start = new GregorianCalendar(); final Calendar end = new GregorianCalendar(); end.add(Calendar.YEAR, 100); final KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(context) .setAlias(alias) .setSubject(new X500Principal("CN=" + alias)) .setSerialNumber(BigInteger.ONE) .setStartDate(start.getTime()) .setEndDate(end.getTime()) .build(); final KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore"); gen.initialize(spec); gen.generateKeyPair(); } /** * Wrap a {@link SecretKey} using the public key assigned to this wrapper. * Use {@link #unwrap(byte[])} to later recover the original * {@link SecretKey}. * * @return a wrapped version of the given {@link SecretKey} that can be * safely stored on untrusted storage. */ public byte[] wrap(SecretKey key) throws GeneralSecurityException { mCipher.init(Cipher.WRAP_MODE, mPair.getPublic()); return mCipher.wrap(key); } /** * Unwrap a {@link SecretKey} using the private key assigned to this * wrapper. * * @param blob a wrapped {@link SecretKey} as previously returned by * {@link #wrap(SecretKey)}. */ public SecretKey unwrap(byte[] blob) throws GeneralSecurityException { mCipher.init(Cipher.UNWRAP_MODE, mPair.getPrivate()); return (SecretKey) mCipher.unwrap(blob, "AES", Cipher.SECRET_KEY); } }
This implementation of kan wrap
and unwrap
a SecretKey
, which in my case is an AES key.
However, this KeyStore is only supported from 4.3 and up. See the jelly bean annotation.
To get to my question, what are the possibilities for a similar implementation below 4.3?
Thanks in advance,
Keystore has been available since version 1.6, but there is no official API in previous versions. You can still use it through the private API, but you may run into various problems.
An example can be found on the same blog you linked to:
http://nelenkov.blogspot.com/2012/05/storing-application-secrets-in-androids.html
The implementation can be somewhat tricky because the key store must be unlocked independently of the device being locked. It might be better to consider password based encryption for earlier versions, there is a blog post about this.
source share
The creation and storage of symmetric keys in the Android KeyStore is supported from Android 6.0 (API Level 23) onwards.
Asymmetric key creation and storage in the Android KeyStore is supported from Android 4.3 (API level 18) onwards.
See this doc for more information: http://developer.android.com/training/articles/keystore.html
source share