Home | History | Annotate | Download | only in com.example.android.basicandroidkeystore
      1 /*
      2 * Copyright (C) 2013 The Android Open Source Project
      3 *
      4 * Licensed under the Apache License, Version 2.0 (the "License");
      5 * you may not use this file except in compliance with the License.
      6 * You may obtain a copy of the License at
      7 *
      8 *      http://www.apache.org/licenses/LICENSE-2.0
      9 *
     10 * Unless required by applicable law or agreed to in writing, software
     11 * distributed under the License is distributed on an "AS IS" BASIS,
     12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13 * See the License for the specific language governing permissions and
     14 * limitations under the License.
     15 */
     16 
     17 package com.example.android.basicandroidkeystore;
     18 
     19 import android.content.Context;
     20 import android.os.Bundle;
     21 import android.security.KeyPairGeneratorSpec;
     22 import android.support.v4.app.Fragment;
     23 import android.util.Base64;
     24 import android.view.MenuItem;
     25 
     26 import com.example.android.common.logger.Log;
     27 
     28 import java.io.IOException;
     29 import java.math.BigInteger;
     30 import java.security.InvalidAlgorithmParameterException;
     31 import java.security.InvalidKeyException;
     32 import java.security.KeyPair;
     33 import java.security.KeyPairGenerator;
     34 import java.security.KeyStore;
     35 import java.security.KeyStoreException;
     36 import java.security.NoSuchAlgorithmException;
     37 import java.security.NoSuchProviderException;
     38 import java.security.Signature;
     39 import java.security.SignatureException;
     40 import java.security.UnrecoverableEntryException;
     41 import java.security.cert.CertificateException;
     42 import java.util.Calendar;
     43 import java.util.GregorianCalendar;
     44 
     45 import javax.security.auth.x500.X500Principal;
     46 
     47 public class BasicAndroidKeyStoreFragment extends Fragment {
     48 
     49     public static final String TAG = "BasicAndroidKeyStoreFragment";
     50 
     51     // BEGIN_INCLUDE(values)
     52 
     53     public static final String SAMPLE_ALIAS = "myKey";
     54 
     55     // Some sample data to sign, and later verify using the generated signature.
     56     public static final String SAMPLE_INPUT="Hello, Android!";
     57 
     58     // Just a handy place to store the signature in between signing and verifying.
     59     public String mSignatureStr = null;
     60 
     61     // You can store multiple key pairs in the Key Store.  The string used to refer to the Key you
     62     // want to store, or later pull, is referred to as an "alias" in this case, because calling it
     63     // a key, when you use it to retrieve a key, would just be irritating.
     64     private String mAlias = null;
     65 
     66     // END_INCLUDE(values)
     67 
     68     @Override
     69     public void onCreate(Bundle savedInstanceState) {
     70         super.onCreate(savedInstanceState);
     71         setHasOptionsMenu(true);
     72         setAlias(SAMPLE_ALIAS);
     73     }
     74 
     75     @Override
     76     public void onActivityCreated(Bundle savedInstanceState) {
     77         super.onActivityCreated(savedInstanceState);
     78     }
     79 
     80     @Override
     81     public boolean onOptionsItemSelected(MenuItem item) {
     82         switch (item.getItemId()) {
     83             case R.id.btn_create_keys:
     84                 try {
     85                     createKeys(getActivity());
     86                     Log.d(TAG, "Keys created");
     87                     return true;
     88                 } catch (NoSuchAlgorithmException e) {
     89                     Log.w(TAG, "RSA not supported", e);
     90                 } catch (InvalidAlgorithmParameterException e) {
     91                     Log.w(TAG, "No such provider: AndroidKeyStore");
     92                 } catch (NoSuchProviderException e) {
     93                     Log.w(TAG, "Invalid Algorithm Parameter Exception", e);
     94                 }
     95                 return true;
     96             case R.id.btn_sign_data:
     97                 try {
     98                     mSignatureStr = signData(SAMPLE_INPUT);
     99                 } catch (KeyStoreException e) {
    100                     Log.w(TAG, "KeyStore not Initialized", e);
    101                 } catch (UnrecoverableEntryException e) {
    102                     Log.w(TAG, "KeyPair not recovered", e);
    103                 } catch (NoSuchAlgorithmException e) {
    104                     Log.w(TAG, "RSA not supported", e);
    105                 } catch (InvalidKeyException e) {
    106                     Log.w(TAG, "Invalid Key", e);
    107                 } catch (SignatureException e) {
    108                     Log.w(TAG, "Invalid Signature", e);
    109                 } catch (IOException e) {
    110                     Log.w(TAG, "IO Exception", e);
    111                 } catch (CertificateException e) {
    112                     Log.w(TAG, "Error occurred while loading certificates", e);
    113                 }
    114                 Log.d(TAG, "Signature: " + mSignatureStr);
    115                 return true;
    116 
    117             case R.id.btn_verify_data:
    118                 boolean verified = false;
    119                 try {
    120                     if (mSignatureStr != null) {
    121                         verified = verifyData(SAMPLE_INPUT, mSignatureStr);
    122                     }
    123                 } catch (KeyStoreException e) {
    124                     Log.w(TAG, "KeyStore not Initialized", e);
    125                 } catch (CertificateException e) {
    126                     Log.w(TAG, "Error occurred while loading certificates", e);
    127                 } catch (NoSuchAlgorithmException e) {
    128                     Log.w(TAG, "RSA not supported", e);
    129                 } catch (IOException e) {
    130                     Log.w(TAG, "IO Exception", e);
    131                 } catch (UnrecoverableEntryException e) {
    132                     Log.w(TAG, "KeyPair not recovered", e);
    133                 } catch (InvalidKeyException e) {
    134                     Log.w(TAG, "Invalid Key", e);
    135                 } catch (SignatureException e) {
    136                     Log.w(TAG, "Invalid Signature", e);
    137                 }
    138                 if (verified) {
    139                     Log.d(TAG, "Data Signature Verified");
    140                 } else {
    141                     Log.d(TAG, "Data not verified.");
    142                 }
    143                 return true;
    144         }
    145         return false;
    146     }
    147 
    148     /**
    149      * Creates a public and private key and stores it using the Android Key Store, so that only
    150      * this application will be able to access the keys.
    151      */
    152     public void createKeys(Context context) throws NoSuchProviderException,
    153             NoSuchAlgorithmException, InvalidAlgorithmParameterException {
    154         // BEGIN_INCLUDE(create_valid_dates)
    155         // Create a start and end time, for the validity range of the key pair that's about to be
    156         // generated.
    157         Calendar start = new GregorianCalendar();
    158         Calendar end = new GregorianCalendar();
    159         end.add(1, Calendar.YEAR);
    160         //END_INCLUDE(create_valid_dates)
    161 
    162 
    163         // BEGIN_INCLUDE(create_spec)
    164         // The KeyPairGeneratorSpec object is how parameters for your key pair are passed
    165         // to the KeyPairGenerator.  For a fun home game, count how many classes in this sample
    166         // start with the phrase "KeyPair".
    167         KeyPairGeneratorSpec spec =
    168                 new KeyPairGeneratorSpec.Builder(context)
    169                         // You'll use the alias later to retrieve the key.  It's a key for the key!
    170                         .setAlias(mAlias)
    171                                 // The subject used for the self-signed certificate of the generated pair
    172                         .setSubject(new X500Principal("CN=" + mAlias))
    173                                 // The serial number used for the self-signed certificate of the
    174                                 // generated pair.
    175                         .setSerialNumber(BigInteger.valueOf(1337))
    176                                 // Date range of validity for the generated pair.
    177                         .setStartDate(start.getTime())
    178                         .setEndDate(end.getTime())
    179                         .build();
    180         // END_INCLUDE(create_spec)
    181 
    182         // BEGIN_INCLUDE(create_keypair)
    183         // Initialize a KeyPair generator using the the intended algorithm (in this example, RSA
    184         // and the KeyStore.  This example uses the AndroidKeyStore.
    185         KeyPairGenerator kpGenerator = KeyPairGenerator
    186                 .getInstance(SecurityConstants.TYPE_RSA,
    187                         SecurityConstants.KEYSTORE_PROVIDER_ANDROID_KEYSTORE);
    188         kpGenerator.initialize(spec);
    189         KeyPair kp = kpGenerator.generateKeyPair();
    190         Log.d(TAG, "Public Key is: " + kp.getPublic().toString());
    191         // END_INCLUDE(create_keypair)
    192     }
    193 
    194     /**
    195      * Signs the data using the key pair stored in the Android Key Store.  This signature can be
    196      * used with the data later to verify it was signed by this application.
    197      * @return A string encoding of the data signature generated
    198      */
    199     public String signData(String inputStr) throws KeyStoreException,
    200             UnrecoverableEntryException, NoSuchAlgorithmException, InvalidKeyException,
    201             SignatureException, IOException, CertificateException {
    202         byte[] data = inputStr.getBytes();
    203 
    204         // BEGIN_INCLUDE(sign_load_keystore)
    205         KeyStore ks = KeyStore.getInstance(SecurityConstants.KEYSTORE_PROVIDER_ANDROID_KEYSTORE);
    206 
    207         // Weird artifact of Java API.  If you don't have an InputStream to load, you still need
    208         // to call "load", or it'll crash.
    209         ks.load(null);
    210 
    211         // Load the key pair from the Android Key Store
    212         KeyStore.Entry entry = ks.getEntry(mAlias, null);
    213 
    214         /* If the entry is null, keys were never stored under this alias.
    215          * Debug steps in this situation would be:
    216          * -Check the list of aliases by iterating over Keystore.aliases(), be sure the alias
    217          *   exists.
    218          * -If that's empty, verify they were both stored and pulled from the same keystore
    219          *   "AndroidKeyStore"
    220          */
    221         if (entry == null) {
    222             Log.w(TAG, "No key found under alias: " + mAlias);
    223             Log.w(TAG, "Exiting signData()...");
    224             return null;
    225         }
    226 
    227         /* If entry is not a KeyStore.PrivateKeyEntry, it might have gotten stored in a previous
    228          * iteration of your application that was using some other mechanism, or been overwritten
    229          * by something else using the same keystore with the same alias.
    230          * You can determine the type using entry.getClass() and debug from there.
    231          */
    232         if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
    233             Log.w(TAG, "Not an instance of a PrivateKeyEntry");
    234             Log.w(TAG, "Exiting signData()...");
    235             return null;
    236         }
    237         // END_INCLUDE(sign_data)
    238 
    239         // BEGIN_INCLUDE(sign_create_signature)
    240         // This class doesn't actually represent the signature,
    241         // just the engine for creating/verifying signatures, using
    242         // the specified algorithm.
    243         Signature s = Signature.getInstance(SecurityConstants.SIGNATURE_SHA256withRSA);
    244 
    245         // Initialize Signature using specified private key
    246         s.initSign(((KeyStore.PrivateKeyEntry) entry).getPrivateKey());
    247 
    248         // Sign the data, store the result as a Base64 encoded String.
    249         s.update(data);
    250         byte[] signature = s.sign();
    251         String result = Base64.encodeToString(signature, Base64.DEFAULT);
    252         // END_INCLUDE(sign_data)
    253 
    254         return result;
    255     }
    256 
    257     /**
    258      * Given some data and a signature, uses the key pair stored in the Android Key Store to verify
    259      * that the data was signed by this application, using that key pair.
    260      * @param input The data to be verified.
    261      * @param signatureStr The signature provided for the data.
    262      * @return A boolean value telling you whether the signature is valid or not.
    263      */
    264     public boolean verifyData(String input, String signatureStr) throws KeyStoreException,
    265             CertificateException, NoSuchAlgorithmException, IOException,
    266             UnrecoverableEntryException, InvalidKeyException, SignatureException {
    267         byte[] data = input.getBytes();
    268         byte[] signature;
    269         // BEGIN_INCLUDE(decode_signature)
    270 
    271         // Make sure the signature string exists.  If not, bail out, nothing to do.
    272 
    273         if (signatureStr == null) {
    274             Log.w(TAG, "Invalid signature.");
    275             Log.w(TAG, "Exiting verifyData()...");
    276             return false;
    277         }
    278 
    279         try {
    280             // The signature is going to be examined as a byte array,
    281             // not as a base64 encoded string.
    282             signature = Base64.decode(signatureStr, Base64.DEFAULT);
    283         } catch (IllegalArgumentException e) {
    284             // signatureStr wasn't null, but might not have been encoded properly.
    285             // It's not a valid Base64 string.
    286             return false;
    287         }
    288         // END_INCLUDE(decode_signature)
    289 
    290         KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
    291 
    292         // Weird artifact of Java API.  If you don't have an InputStream to load, you still need
    293         // to call "load", or it'll crash.
    294         ks.load(null);
    295 
    296         // Load the key pair from the Android Key Store
    297         KeyStore.Entry entry = ks.getEntry(mAlias, null);
    298 
    299         if (entry == null) {
    300             Log.w(TAG, "No key found under alias: " + mAlias);
    301             Log.w(TAG, "Exiting verifyData()...");
    302             return false;
    303         }
    304 
    305         if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
    306             Log.w(TAG, "Not an instance of a PrivateKeyEntry");
    307             return false;
    308         }
    309 
    310         // This class doesn't actually represent the signature,
    311         // just the engine for creating/verifying signatures, using
    312         // the specified algorithm.
    313         Signature s = Signature.getInstance(SecurityConstants.SIGNATURE_SHA256withRSA);
    314 
    315         // BEGIN_INCLUDE(verify_data)
    316         // Verify the data.
    317         s.initVerify(((KeyStore.PrivateKeyEntry) entry).getCertificate());
    318         s.update(data);
    319         boolean valid = s.verify(signature);
    320         return valid;
    321         // END_INCLUDE(verify_data)
    322     }
    323 
    324     public void setAlias(String alias) {
    325         mAlias = alias;
    326     }
    327 }
    328