Links
Android Sites
Language
Results
Loading...
1
/*
2
* Copyright (C) 2013 The Android Open Source Project
3
*
4
* Licensed under the Apache License, Version 2.0 (the "License");
5
* you may not use this file except in compliance with the License.
6
* You may obtain a copy of the License at
7
*
8
* http://www.apache.org/licenses/LICENSE-2.0
9
*
10
* Unless required by applicable law or agreed to in writing, software
11
* distributed under the License is distributed on an "AS IS" BASIS,
12
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13
* See the License for the specific language governing permissions and
14
* limitations under the License.
15
*/
16
17
package com.example.android.basicandroidkeystore;
18
19
import android.content.Context;
20
import android.os.Bundle;
21
import android.security.KeyPairGeneratorSpec;
22
import android.support.v4.app.Fragment;
23
import android.util.Base64;
24
import android.view.MenuItem;
25
26
import com.example.android.common.logger.Log;
27
28
import java.io.IOException;
29
import java.math.BigInteger;
30
import java.security.InvalidAlgorithmParameterException;
31
import java.security.InvalidKeyException;
32
import java.security.KeyPair;
33
import java.security.KeyPairGenerator;
34
import java.security.KeyStore;
35
import java.security.KeyStoreException;
36
import java.security.NoSuchAlgorithmException;
37
import java.security.NoSuchProviderException;
38
import java.security.Signature;
39
import java.security.SignatureException;
40
import java.security.UnrecoverableEntryException;
41
import java.security.cert.CertificateException;
42
import java.util.Calendar;
43
import java.util.GregorianCalendar;
44
45
import javax.security.auth.x500.X500Principal;
46
47
public class BasicAndroidKeyStoreFragment extends Fragment {
48
49
public static final String TAG = "BasicAndroidKeyStoreFragment";
50
52
53
public static final String SAMPLE_ALIAS = "myKey";
54
55
// Some sample data to sign, and later verify using the generated signature.
56
public static final String SAMPLE_INPUT="Hello, Android!";
57
58
// Just a handy place to store the signature in between signing and verifying.
59
public String mSignatureStr = null;
60
61
// You can store multiple key pairs in the Key Store. The string used to refer to the Key you
62
// want to store, or later pull, is referred to as an "alias" in this case, because calling it
63
// a key, when you use it to retrieve a key, would just be irritating.
64
private String mAlias = null;
65
67
68
@Override
69
public void onCreate(Bundle savedInstanceState) {
70
super.onCreate(savedInstanceState);
71
setHasOptionsMenu(true);
72
setAlias(SAMPLE_ALIAS);
73
}
74
75
@Override
76
public void onActivityCreated(Bundle savedInstanceState) {
77
super.onActivityCreated(savedInstanceState);
78
}
79
80
@Override
81
public boolean onOptionsItemSelected(MenuItem item) {
82
switch (item.getItemId()) {
83
case R.id.btn_create_keys:
84
try {
85
createKeys(getActivity());
86
Log.d(TAG, "Keys created");
87
return true;
88
} catch (NoSuchAlgorithmException e) {
89
Log.w(TAG, "RSA not supported", e);
90
} catch (InvalidAlgorithmParameterException e) {
91
Log.w(TAG, "No such provider: AndroidKeyStore");
92
} catch (NoSuchProviderException e) {
93
Log.w(TAG, "Invalid Algorithm Parameter Exception", e);
94
}
95
return true;
96
case R.id.btn_sign_data:
97
try {
98
mSignatureStr = signData(SAMPLE_INPUT);
99
} catch (KeyStoreException e) {
100
Log.w(TAG, "KeyStore not Initialized", e);
101
} catch (UnrecoverableEntryException e) {
102
Log.w(TAG, "KeyPair not recovered", e);
103
} catch (NoSuchAlgorithmException e) {
104
Log.w(TAG, "RSA not supported", e);
105
} catch (InvalidKeyException e) {
106
Log.w(TAG, "Invalid Key", e);
107
} catch (SignatureException e) {
108
Log.w(TAG, "Invalid Signature", e);
109
} catch (IOException e) {
110
Log.w(TAG, "IO Exception", e);
111
} catch (CertificateException e) {
112
Log.w(TAG, "Error occurred while loading certificates", e);
113
}
114
Log.d(TAG, "Signature: " + mSignatureStr);
115
return true;
116
117
case R.id.btn_verify_data:
118
boolean verified = false;
119
try {
120
if (mSignatureStr != null) {
121
verified = verifyData(SAMPLE_INPUT, mSignatureStr);
122
}
123
} catch (KeyStoreException e) {
124
Log.w(TAG, "KeyStore not Initialized", e);
125
} catch (CertificateException e) {
126
Log.w(TAG, "Error occurred while loading certificates", e);
127
} catch (NoSuchAlgorithmException e) {
128
Log.w(TAG, "RSA not supported", e);
129
} catch (IOException e) {
130
Log.w(TAG, "IO Exception", e);
131
} catch (UnrecoverableEntryException e) {
132
Log.w(TAG, "KeyPair not recovered", e);
133
} catch (InvalidKeyException e) {
134
Log.w(TAG, "Invalid Key", e);
135
} catch (SignatureException e) {
136
Log.w(TAG, "Invalid Signature", e);
137
}
138
if (verified) {
139
Log.d(TAG, "Data Signature Verified");
140
} else {
141
Log.d(TAG, "Data not verified.");
142
}
143
return true;
144
}
145
return false;
146
}
147
148
/**
149
* Creates a public and private key and stores it using the Android Key Store, so that only
150
* this application will be able to access the keys.
151
*/
152
public void createKeys(Context context) throws NoSuchProviderException,
153
NoSuchAlgorithmException, InvalidAlgorithmParameterException {
155
// Create a start and end time, for the validity range of the key pair that's about to be
156
// generated.
157
Calendar start = new GregorianCalendar();
158
Calendar end = new GregorianCalendar();
159
end.add(1, Calendar.YEAR);
161
162
164
// The KeyPairGeneratorSpec object is how parameters for your key pair are passed
165
// to the KeyPairGenerator. For a fun home game, count how many classes in this sample
166
// start with the phrase "KeyPair".
167
KeyPairGeneratorSpec spec =
168
new KeyPairGeneratorSpec.Builder(context)
169
// You'll use the alias later to retrieve the key. It's a key for the key!
170
.setAlias(mAlias)
171
// The subject used for the self-signed certificate of the generated pair
172
.setSubject(new X500Principal("CN=" + mAlias))
173
// The serial number used for the self-signed certificate of the
174
// generated pair.
175
.setSerialNumber(BigInteger.valueOf(1337))
176
// Date range of validity for the generated pair.
177
.setStartDate(start.getTime())
178
.setEndDate(end.getTime())
179
.build();
181
183
// Initialize a KeyPair generator using the the intended algorithm (in this example, RSA
184
// and the KeyStore. This example uses the AndroidKeyStore.
185
KeyPairGenerator kpGenerator = KeyPairGenerator
186
.getInstance(SecurityConstants.TYPE_RSA,
187
SecurityConstants.KEYSTORE_PROVIDER_ANDROID_KEYSTORE);
188
kpGenerator.initialize(spec);
189
KeyPair kp = kpGenerator.generateKeyPair();
190
Log.d(TAG, "Public Key is: " + kp.getPublic().toString());
192
}
193
194
/**
195
* Signs the data using the key pair stored in the Android Key Store. This signature can be
196
* used with the data later to verify it was signed by this application.
197
* @return A string encoding of the data signature generated
198
*/
199
public String signData(String inputStr) throws KeyStoreException,
200
UnrecoverableEntryException, NoSuchAlgorithmException, InvalidKeyException,
201
SignatureException, IOException, CertificateException {
202
byte[] data = inputStr.getBytes();
203
205
KeyStore ks = KeyStore.getInstance(SecurityConstants.KEYSTORE_PROVIDER_ANDROID_KEYSTORE);
206
207
// Weird artifact of Java API. If you don't have an InputStream to load, you still need
208
// to call "load", or it'll crash.
209
ks.load(null);
210
211
// Load the key pair from the Android Key Store
212
KeyStore.Entry entry = ks.getEntry(mAlias, null);
213
214
/* If the entry is null, keys were never stored under this alias.
215
* Debug steps in this situation would be:
216
* -Check the list of aliases by iterating over Keystore.aliases(), be sure the alias
217
* exists.
218
* -If that's empty, verify they were both stored and pulled from the same keystore
219
* "AndroidKeyStore"
220
*/
221
if (entry == null) {
222
Log.w(TAG, "No key found under alias: " + mAlias);
223
Log.w(TAG, "Exiting signData()...");
224
return null;
225
}
226
227
/* If entry is not a KeyStore.PrivateKeyEntry, it might have gotten stored in a previous
228
* iteration of your application that was using some other mechanism, or been overwritten
229
* by something else using the same keystore with the same alias.
230
* You can determine the type using entry.getClass() and debug from there.
231
*/
232
if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
233
Log.w(TAG, "Not an instance of a PrivateKeyEntry");
234
Log.w(TAG, "Exiting signData()...");
235
return null;
236
}
238
240
// This class doesn't actually represent the signature,
241
// just the engine for creating/verifying signatures, using
242
// the specified algorithm.
243
Signature s = Signature.getInstance(SecurityConstants.SIGNATURE_SHA256withRSA);
244
245
// Initialize Signature using specified private key
246
s.initSign(((KeyStore.PrivateKeyEntry) entry).getPrivateKey());
247
248
// Sign the data, store the result as a Base64 encoded String.
249
s.update(data);
250
byte[] signature = s.sign();
251
String result = Base64.encodeToString(signature, Base64.DEFAULT);
253
254
return result;
255
}
256
257
/**
258
* Given some data and a signature, uses the key pair stored in the Android Key Store to verify
259
* that the data was signed by this application, using that key pair.
260
* @param input The data to be verified.
261
* @param signatureStr The signature provided for the data.
262
* @return A boolean value telling you whether the signature is valid or not.
263
*/
264
public boolean verifyData(String input, String signatureStr) throws KeyStoreException,
265
CertificateException, NoSuchAlgorithmException, IOException,
266
UnrecoverableEntryException, InvalidKeyException, SignatureException {
267
byte[] data = input.getBytes();
268
byte[] signature;
270
271
// Make sure the signature string exists. If not, bail out, nothing to do.
272
273
if (signatureStr == null) {
274
Log.w(TAG, "Invalid signature.");
275
Log.w(TAG, "Exiting verifyData()...");
276
return false;
277
}
278
279
try {
280
// The signature is going to be examined as a byte array,
281
// not as a base64 encoded string.
282
signature = Base64.decode(signatureStr, Base64.DEFAULT);
283
} catch (IllegalArgumentException e) {
284
// signatureStr wasn't null, but might not have been encoded properly.
285
// It's not a valid Base64 string.
286
return false;
287
}
289
290
KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
291
292
// Weird artifact of Java API. If you don't have an InputStream to load, you still need
293
// to call "load", or it'll crash.
294
ks.load(null);
295
296
// Load the key pair from the Android Key Store
297
KeyStore.Entry entry = ks.getEntry(mAlias, null);
298
299
if (entry == null) {
300
Log.w(TAG, "No key found under alias: " + mAlias);
301
Log.w(TAG, "Exiting verifyData()...");
302
return false;
303
}
304
305
if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
306
Log.w(TAG, "Not an instance of a PrivateKeyEntry");
307
return false;
308
}
309
310
// This class doesn't actually represent the signature,
311
// just the engine for creating/verifying signatures, using
312
// the specified algorithm.
313
Signature s = Signature.getInstance(SecurityConstants.SIGNATURE_SHA256withRSA);
314
316
// Verify the data.
317
s.initVerify(((KeyStore.PrivateKeyEntry) entry).getCertificate());
318
s.update(data);
319
boolean valid = s.verify(signature);
320
return valid;
322
}
323
324
public void setAlias(String alias) {
325
mAlias = alias;
326
}
327
}