.setKeyValidityStart(start.getTime()) .setKeyValidityEnd(end.getTime()) .setKeySize(2048) .setCertificateSerialNumber(BigInteger.valueOf(1)) .build();
/**
 * Creates a signing key pair in the Android Keystore under {@code keyAlias}.
 *
 * <p>The {@link KeyPairGenerator} is obtained for {@code keyAlgorithm} from the
 * {@code keystoreName} provider, which stores the pair together with a self-signed
 * certificate (subject {@code CN=unused}) under the same alias. RSA keys are given
 * {@code KEY_SIZE_RSA} bits and PKCS#1 signature padding; EC keys are given
 * {@code KEY_SIZE_EC} bits. Either way the key is restricted to SHA-256 digests.
 *
 * @throws GeneralSecurityException if the provider or algorithm is unavailable, or the
 *     provider rejects the generated {@link KeyGenParameterSpec}
 */
private void generateAuthenticationKey() throws GeneralSecurityException {
    KeyPairGenerator generator = KeyPairGenerator.getInstance(keyAlgorithm, keystoreName);

    KeyGenParameterSpec.Builder builder =
            new KeyGenParameterSpec.Builder(keyAlias, KeyProperties.PURPOSE_SIGN)
                    .setCertificateSubject(new X500Principal("CN=unused"))
                    .setDigests(KeyProperties.DIGEST_SHA256);

    // Key size and padding depend on the algorithm; other algorithms leave the builder as is.
    boolean isRsa = keyAlgorithm.equals(KeyProperties.KEY_ALGORITHM_RSA);
    if (isRsa) {
        builder.setKeySize(KEY_SIZE_RSA);
        builder.setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1);
    } else if (keyAlgorithm.equals(KeyProperties.KEY_ALGORITHM_EC)) {
        builder.setKeySize(KEY_SIZE_EC);
    }

    generator.initialize(builder.build());
    generator.generateKeyPair();
}
/**
 * Generates the RSA signing key pair named {@code KEY_NAME} in the Android Keystore.
 *
 * <p>The key is created with {@code setUserAuthenticationRequired(true)}: every use of
 * the private key must be preceded by a successful fingerprint authentication. That is the
 * property which lets a verified signature stand as evidence that an authorized user
 * touched the sensor.
 *
 * @throws RuntimeException if the keystore's {@link KeyPairGenerator} cannot be obtained,
 *     or if it rejects the key specification
 */
@TargetApi(M)
public void createKeyPair() {
    final KeyPairGenerator generator;
    try {
        generator = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
    } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
        throw new RuntimeException("Failed to get an instance of KeyPairGenerator", e);
    }

    // build() throws no checked exception, so the spec can be assembled outside the try.
    KeyGenParameterSpec spec =
            new KeyGenParameterSpec.Builder(KEY_NAME, PURPOSE_SIGN)
                    .setKeySize(2048)
                    .setDigests(DIGEST_SHA256)
                    .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
                    .setUserAuthenticationRequired(true)
                    .build();

    try {
        generator.initialize(spec);
        generator.generateKeyPair();
    } catch (InvalidAlgorithmParameterException e) {
        throw new RuntimeException("failed to generate key pair", e);
    }
}
// Mockito stubs for the AES KeyGenParameterSpec.Builder: each setter returns the same
// mock so the builder chain under test can be completed, and build() hands back a mock
// KeyGenParameterSpec instead of a real one.
when(mAesBuilder.setBlockModes(anyString())).thenReturn(mAesBuilder);
when(mAesBuilder.setEncryptionPaddings(anyString())).thenReturn(mAesBuilder);
when(mAesBuilder.setKeySize(anyInt())).thenReturn(mAesBuilder);
when(mAesBuilder.setKeyValidityForOriginationEnd(any(Date.class))).thenReturn(mAesBuilder);
when(mAesBuilder.build()).thenReturn(mock(KeyGenParameterSpec.class));
KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) .setBlockModes(BLOCK_MODE) .setKeySize(256) .setUserAuthenticationRequired(false) .setRandomizedEncryptionRequired(true)
KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_GCM) .setKeySize(AES_GCM_KEY_SIZE_IN_BITS) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE) .build());
/**
 * Generates an AES key under {@code alias} in the Android Keystore for encrypt/decrypt use.
 *
 * <p>The key uses CBC mode with PKCS#7 padding and {@code AES_KEY_SIZE} bits. Only the
 * origination (encryption) validity end is set, {@code ENCRYPT_KEY_LIFETIME_IN_YEARS} years
 * from now; no consumption end is configured. NOTE(review): CBC/PKCS#7 provides
 * confidentiality only — ciphertext integrity has to be ensured by the code that uses this
 * key; confirm that is the case.
 *
 * @param cryptoFactory factory used to obtain the {@link CryptoUtils.IKeyGenerator}
 * @param alias keystore alias the new key is stored under
 * @param context Android context; not used by this implementation
 * @throws Exception whatever the key generator propagates
 */
@Override
public void generateKey(CryptoUtils.ICryptoFactory cryptoFactory, String alias, Context context) throws Exception {
    Calendar originationEnd = Calendar.getInstance();
    originationEnd.add(Calendar.YEAR, ENCRYPT_KEY_LIFETIME_IN_YEARS);

    CryptoUtils.IKeyGenerator generator =
            cryptoFactory.getKeyGenerator(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEY_STORE);

    int purposes = KeyProperties.PURPOSE_DECRYPT | KeyProperties.PURPOSE_ENCRYPT;
    KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(alias, purposes);
    builder.setBlockModes(KeyProperties.BLOCK_MODE_CBC);
    builder.setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7);
    builder.setKeySize(AES_KEY_SIZE);
    builder.setKeyValidityForOriginationEnd(originationEnd.getTime());

    generator.init(builder.build());
    generator.generateKey();
}
/**
 * Builds the {@link KeyGenParameterSpec} for an AES encrypt/decrypt key stored under
 * {@code alias}.
 *
 * <p>Block mode, padding and key size come from the {@code ENCRYPTION_*} constants.
 * Randomized encryption is required, so the keystore generates the IV itself and rejects a
 * caller-supplied one.
 *
 * @param alias keystore alias for the key
 * @return the spec to pass to the key generator's {@code init}
 */
private static AlgorithmParameterSpec generateParameterSpec(String alias) {
    int purposes = KeyProperties.PURPOSE_DECRYPT | KeyProperties.PURPOSE_ENCRYPT;
    KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(alias, purposes);
    builder.setBlockModes(ENCRYPTION_BLOCK_MODE);
    builder.setEncryptionPaddings(ENCRYPTION_PADDING);
    builder.setRandomizedEncryptionRequired(true);
    builder.setKeySize(ENCRYPTION_KEY_SIZE);
    return builder.build();
}