I'm trying to store a keypair into Android's keystore. So far, i have this test code :
KeyPairGenerator keygen = KeyPairGenerator.getInstance("RSA");
KeyPair keypair = keygen.generateKeyPair();
PrivateKey priv = keypair.getPrivate();
PublicKey pub = keypair.getPublic();
String passwd = "Insert some strong password here.";
Certificate certChain = new Certificate;
certChain = generateCertificate(keypair);
ks.setKeyEntry("test", priv, passwd.toCharArray(), certChain);
generateCertificate method is using Bouncy Castle library.
When i run this code, i get a
java.security.KeyStoreException: entries cannot be protected with passwords
Which is stange, since
setKeyEntry do have a password argument. How can i get rid of this ? And is using a strong-string password stored in app's source code safe ?
Best How To :
Apparently despite the fact that the method takes a password parameter, the
AndroidKeystore implementation does not support this, take a look at line 200 in the source.
In any case, a password, whether strong or weak that is stored anywhere on the device is unsafe. This is especially true of source code (including source code in general, non-android contexts). If I get my hands on your app's APK, I can use one of several excellent APK analysis tools to access the class's constant pool, which will contain the password in plain text. No amount of obfuscation could prevent this, or even make it more difficult. This is perhaps the reason that the
AndroidKeystore implementation doesn't allow this.
The whole point of the key store service on android device (it's actually implemented as a separate process you can talk to via a unix socket) is to protect access to sensitive material by requiring a users passcode to unlock it, so there's no point in putting a password on your key pairs or other secrets.. In more recent phones, this is all implmented in hardware, which provides very strong security.