Login/Register
PKCS#12 Keystore creation on Android device
Asked Answered
androidbouncycastlekeystorepfxandroid-keystore
M

0

6

I'm currently developing an Android app that generates an RSA key pair, builds and sends an PKCS#10 certification request to one CA, waits for the CA's response (which contains the certificate-chain including the issued for the end-entity), and then builds the PKCS#12 KeyStore to be installed within the Android KeyStore.

I just show you below some piece of code:

// It removes Android-BC
Security.removeProvider("BC");
// I've tried with SpongyCastle but it also fails.
// I've previously imported BC jars.
Security.addProvider(new BouncyCastleProvider()); 
KeyStore ks = KeyStore.getInstance("PKCS12","BC");
ks.load(null);

// KeyPair generated by RSA with BC, and certificates obtained from CA.
PrivateKey prvK;
Certificate eeCert, caCert;

PKCS12BagAttributeCarrier caCertBagAttr = 
   (PKCS12BagAttributeCarrier) caCert;
caCertBagAttr.setBagAttribute(
   PKCSObjectIdentifiers.pkcs_9_at_friendlyName,
   new DERBMPString("CA"));

PKCS12BagAttributeCarrier certBagAttr =
   (PKCS12BagAttributeCarrier) eeCert;
certBagAttr.setBagAttribute(
   PKCSObjectIdentifiers.pkcs_9_at_friendlyName,
   new DERBMPString("EE Certificate"));
certBagAttr.setBagAttribute(
   PKCSObjectIdentifiers.pkcs_9_at_localKeyId,
   new SubjectKeyIdentifierStructure(eeCert.getPublicKey()));

Certificate[] chain = new Certificate[2];
chain[1] = caCert;
chain[0] = eeCert;

PKCS12BagAttributeCarrier privBagAttr = 
   (PKCS12BagAttributeCarrier) prvK;
privBagAttr.setBagAttribute(
   PKCSObjectIdentifiers.pkcs_9_at_friendlyName,
   new DERBMPString("EE Certificate Key"));
privBagAttr.setBagAttribute(
   PKCSObjectIdentifiers.pkcs_9_at_localKeyId,
   new SubjectKeyIdentifierStructure(eeCert.getPublicKey()));

// Finally, keystore is saved to file.
ks.setKeyEntry("P12", prvK, null, chain);
saveP12File(ks);

The thing is that everything is working OK when I run it on my Windows PC (BouncyCastle 1.49), but that PKCS#12 file created when I run it on Android cannot be used on SSL handshake or signing because Logcat says that it doesn't have any associated PrivateKey.

If I print the full content of the KeyStore on Java after loading the file, it seems that everything is right, but when I use on Android Browser or when I take it and install on Windows, its private key can't be used.

Same code on Android and PC, same version of BC, PKCS#12 doesn't seem to be malformed.

Can anybody help me? Thanks in advance.

EDIT

I have built a servlet that generates an RSA Key Pair and sends back to my app in PEM format. All seems work OK:

  • I can generate a valid (encrypting with public and decrypting test works good) RSA keypair either on Android device or through the external servlet.
  • I receive both CA and EE certificates from the CA.
  • I'm able to build a "valid" PKCS12 (I called it valid because it can be read by Android, Windows)

But:

  • I'm not able to open an SSL channel using the EE certificate as client-certificate for handshake. Either on Windows or Android.

I have uploaded to my Dropbox:

  1. CA certificate
  2. EE certificate issued by the CA
  3. Private Key for the EE certificate
  4. Public Key for the EE certificate
  5. PKCS12 created on Android
  6. Java Android Code

Tested against Tomcat with empty trustStore (doesnt' matter which CA issued client-certificate) unsuccessfully.

Does anybody see something that could explain it?

Minium answered 12/2, 2014 at 20:12 Comment(6)
What if you produce two key stores one on PC and another on a handset and then try binary diff on the resulting files?Psychosomatics
Doing what you're saying I've discovered that the problem was not PKCS#12 creation. It was RSA key pair generation. I don't know why, but when I generate an RSA KeyPair on Android, save to PEM file, and then load on Java PC app, crtCoefficients are different. Does anybody know why?Minium
Could you show the code demonstrating the problem?Psychosomatics
I've added some new details to my question...Minium
Problem solved. I was creating PKCS#12 keystore with wrong PrivateKey. Neither BC nor Android shows failure message. Thank you divanov for your help.Minium
Not at all. This is type of problem I wouldn't be able to solve.Psychosomatics

© 2022 - 2024 — McMap. All rights reserved.