I am trying to convert my private key string to a PrivateKey object in my Android application. I have read a lot of posts on StackOverflow about this topic, but I just can solve my issue.
I am using the following function to convert my key:
String privateKey = "MIGkAgEBBDCAHpFQ62QnGCEvYh/pE9QmR1C9aLcDItRbslbmhen/h1tt8AyMhskeenT+rAyyPhGgBwYFK4EEACKhZANiAAQLW5ZJePZzMIPAxMtZXkEWbDF0zo9f2n4+T1h/2sh/fviblc/VTyrv10GEtIi5qiOy85Pf1RRw8lE5IPUWpgu553SteKigiKLUPeNpbqmYZUkWGh3MLfVzLmx85ii2vMU=";
#Nullable
private static PrivateKey getKey(String key) {
try {
byte[] byteKey = Base64.decode(key.getBytes(), Base64.DEFAULT);
KeyFactory keyFactory = KeyFactory.getInstance("EC");
return keyFactory.generatePrivate(new PKCS8EncodedKeySpec(byteKey));
} catch (Exception e) {
e.printStackTrace();
}
return null;
}
According to ASN.1 JavaScript decoder, I do have a valid private key.
Nonetheless, getKey() always fails with the following exception:
java.security.spec.InvalidKeySpecException: java.lang.RuntimeException: error:0c0000be:ASN.1 encoding routines:OPENSSL_internal:WRONG_TAG
I cannot make sense of this error message. Even after a lot of googling. Does anybody know, what I am doing wrong? Am I using the wrong key spec (though many of the answers here suggest the use of PKCS8EncodedKeySpec().
The private key you see in the code above was generated by jwt.io using an ES384 algorithm.
Related
I have recently started to receive a Play Store warning like this: “Your app contains unsafe cryptographic encryption patterns” and in order try to get rid of it (and having no idea what does exactly means) I created a "complex" structure regarding encription in my app as follows:
1) This next method (located in a class different than Cryptography one just in case) stores cipher preferences in two places, the "real" values in SharedPreferences, and the "default" values in application class setter called AppSettings ("default" means the default value that is required in order to get a SharedPreference if it fails to find one).
public static void setCryptPreferences()
{
Context context = AppSettings.getContext();
AppSettings appSettings = AppSettings.getInstance();
String[] defCryptoValues = new String[]{ "AES", "AES/CBC/PKCS5Padding", "UTF-8"};
appSettings.setDefCryptValues(defCryptoValues);
AWUtils.setSharedPreference(context, "CRYPT_ALGORITHM", "AES");
AWUtils.setSharedPreference(context, "PADDING", "AES/CBC/PKCS5Padding");
AWUtils.setSharedPreference(context, "CHAR_ENCODING", "UTF-8");
}
And I set them with this function on app startup.
2) Then, whenever I need to encrypt, I use them with this next method:
public static String cipherText(String plainText)
{
AppSettings appSettings = AppSettings.getInstance();
Cryptography crypto = new Cryptography();
String[] defCryptoValues = appSettings.getDefCryptValues();
String[] cryptoParams = Cryptography.getCryptoParams(defCryptoValues);
return crypto.encrypt(plainText, cryptoParams);
}
And finally this is the real crypt method:
private String encrypt(String text, String[] cryptedParams)
{
checkKeys();
if (text == null) return null;
String retVal = null;
try {
final SecretKeySpec key = new SecretKeySpec(mCryptKey.getBytes(cryptedParams[2]), cryptedParams[0]);
final IvParameterSpec iv = new IvParameterSpec(mCryptIV.getBytes(cryptedParams[2]));
final Cipher cipher = Cipher.getInstance(cryptedParams[1]);
cipher.init(Cipher.ENCRYPT_MODE, key, iv);
final byte[] encrypted = cipher.doFinal(text.getBytes(cryptedParams[2]));
retVal = new String(encodeHex(encrypted));
} catch (Exception e) {
e.printStackTrace();
}
return retVal;
}
I don't understand very clearly the warning, and I thought I is related of having the encrypt params
"CRYPT_ALGORITHM", "AES"
"PADDING", "AES/CBC/PKCS5Padding"
"CHAR_ENCODING", "UTF-8"
as plain text in the Cryptography class and so I created all this thinking on "hiding" them and thinking it could help me to get rid of it, but it hasn't. I have recently uploaded a new version of my app and the warning still remains there and I don't know what to do.
Realm is using AES-256 for encryption and decryption. And, I am trying to use Android KeyStore to generate/store the keys, but as per this page - https://developer.android.com/training/articles/keystore.html#SecurityFeatures, Android supports this only on APIs 23 and above.
Can someone please point me to an example or any other related info on how I can use realm with encryption to support APIs 4.0 and above?
Thanks.
We recently ran into the same problem and decided to simply store the key in private Shared Preferences, because if the phone is not rooted, you will not be able to get it and if it is rooted, then there are some ways to get data even from secure keyStore.
We use next Realm configuration inside Application subclass:
RealmConfiguration config = new RealmConfiguration.Builder()
.deleteRealmIfMigrationNeeded()
.name(DB_NAME)
.encryptionKey(mKeyProvider.getRealmKey())
.build();
And mKeyProvider is our helper class that is used to get the key:
public class SharedPrefsKeyProvider implements KeyProvider {
private static final String REALM_KEY = "chats.realm_key";
SharedPreferences mAppSharedPrefs;
public SharedPrefsKeyProvider(SharedPreferences aAppSharedPrefs) {
mAppSharedPrefs = aAppSharedPrefs;
}
#Override
public byte[] getRealmKey() {
byte[] key;
String savedKey = getStringFromPrefs(REALM_KEY);
if (savedKey.isEmpty()) {
key = generateKey();
String keyString = encodeToString(key);
saveStringToPrefs(keyString);
} else {
key = decodeFromString(savedKey);
}
return key;
}
#Override
public void removeRealmKey() {
mAppSharedPrefs.edit().remove(REALM_KEY).apply();
}
#NonNull
private String getStringFromPrefs(String aKey) {
return mAppSharedPrefs.getString(aKey, "");
}
private void saveStringToPrefs(String aKeyString) {
mAppSharedPrefs.edit().putString(REALM_KEY, aKeyString).apply();
}
private String encodeToString(byte[] aKey) {
Timber.d("Encoding Key: %s", Arrays.toString(aKey));
return Base64.encodeToString(aKey, Base64.DEFAULT);
}
private byte[] decodeFromString(String aSavedKey) {
byte[] decoded = Base64.decode(aSavedKey, Base64.DEFAULT);
Timber.d("Decoded Key: %s", Arrays.toString(decoded));
return decoded;
}
private byte[] generateKey() {
byte[] key = new byte[64];
new SecureRandom().nextBytes(key);
return key;
}
}
A KeyProvider is just a custom interface. An example of KeyProvider can be:
package xxx.com;
interface KeyProvider {
byte[] getRealmKey();
void removeRealmKey();
}
AES 256 encryption is symmetric Encryption, try RSA encryption which is asymmetric. And if you are trying to encrypt sensitive user data to store in preferences or sqlite, i would suggest you try Android keystore system.
The Android Keystore system lets you store cryptographic keys in a container to make it more difficult to extract from the device. Once keys are in the keystore, they can be used for cryptographic operations with the key material remaining non-exportable.
check my sample gist to achieve this encryption and decryption here.
And better part is it works on android 18 and above.
i have a problem with RSA encryption and decryption. I'm developing in android and would like to outsource the RSA encryption and decryption. My source code worked well before i tried to outsource it.
I created a private key and public key and saved it as private.key and public.key. The error is a ClassNotFoundException caused by this method:
public Key getPrivateKey(){
try {
InputStream fis = activity.getResources().openRawResource(R.raw.private);
ObjectInputStream ois = new ObjectInputStream(fis);
Key RSAprivateKey = (Key)ois.readObject();
return RSAprivateKey;
}
catch (FileNotFoundException e) {
Log.e("FileNotFound","FileNotFound");
e.printStackTrace();
} catch (IOException e) {
Log.e("IOEXception","IOEXception");
e.printStackTrace();
} catch (ClassNotFoundException e) {
Log.e("ClassNotFound","ClassNotFound");
Log.e("Errro", "Error: "+ e.getMessage());
Log.e("error", e.toString());
e.printStackTrace();
}
return null;
}
I looked at the logcat and got this error message:
E/ClassNotFound(1205): ClassNotFound
03-19 13:54:52.176: E/Errro(1205): Error:
com.android.org.bouncycastle.jce.provider.JCERSAPrivateCrtKey
03-19 13:54:52.176: E/error(1205): java.lang.ClassNotFoundException:
com.android.org.bouncycastle.jce.provider.JCERSAPrivateCrtKey
I hope you understand my problem, because English is not my native language.
Edit: I found out that the problem is not caused by outsourcing the code. So i guess the topic can be marked as solved.
RSAPublicKey and RSAPrivateKey are interfaces. When you get a Key you actually receive an implementation by the cryptographic provider of this interface. These providers differ for different Java platforms (although, at least officially, Android/Dalvik isn't even a Java platform). So you should never expect serialization to work unless you are working on the same platform.
There are however ways to serialize public and private keys in Java; the Key interface contains the getEncoded() method which returns the most common binary encoding of the key. In the case of RSAPublicKey this is the PKCS#1 encoding within X5.09 SubjectKeyIdentifier. In the case of RSAPrivateKey this is the inner PKCS#8 encoding wrapped around the PKCS#1 defined structure. These can be represented using X509EncodedKeySpec and PKCS8EncodedKeySpec and converted back into keys using an RSA KeyFactory.
Note that the private key will not be encrypted if you call getEncoded. Normally you don't want to transport private keys at all, and if you do you should really encrypt them. You can do this using the Cipher.wrap and Cipher.unwrap methods.
I want to know:
Can we use Context.MODE_PRIVATE in SQLite while Database creating to protect from unwanted Database access.
I am not getting any example on google.
How to use this Context.MODE_PRIVATE in Database.
Please assist me. Provide any link or sample.
IN THIS LINK they are talking about file. so Database is also file.
How can i implement this?
As commonsware mentioned, SQLite databases on internal storage are private by default. But as mentioned by others rooted phone as always access to your file.
Rather you can use any encryption algorithm to save the data in DB which will help you to restrict the readability unless intruder know the encryption algorithm.
You cant set "Context.MODE_PRIVATE" flag in SQLite.
While creating database, following syntax is useful
openOrCreateDatabase(String path, int mode, SQLiteDatabase.CursorFactory factory)
For example,
openOrCreateDatabase("StudentDB",Context.MODE_PRIVATE,null);
See my tutorial on this site.
Option 1: Use SQLcipher.
Option 2: Secure Method Ever No Chance To Hack. It is not perfect, but it is better than nothing.
1) Insert data using this Function:
public static String getEncryptedString(String message) {
String cipherText = null;
try {
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(("YOUR-SECURE-PASSWORD-KEY").getBytes(), "AES"));
byte[] bytes = cipher.doFinal(message.getBytes());
cipherText = Base64.encodeToString(bytes, Base64.DEFAULT);
} catch(Exception ex) {
cipherText = "Error in encryption";
Log.e(TAG , ex.getMessage());
ex.printStackTrace();
}
return cipherText;
}
2) Get data from the database and pass into this function parameter:
//This function returns output string
public static String getDecryptedString(String encoded) {
String decryptString = null;
try {
byte[] bytes = Base64.decode(encoded, Base64.DEFAULT);
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(("YOUR-SECURE-PASSWORD-KEY").getBytes() , "AES"));
decryptString = new String(cipher.doFinal(bytes), "UTF-8");
} catch(Exception ex) {
decryptString = "Error in decryption";
ex.printStackTrace();
}
return decryptString;
}
3) Benefits of these methods:
- Not possible to decrypt without the right Key.
- AES Encryption is a very secure encryption method.
4) Store your AES key in the c++ file.
I'm writing both a server and an Android client application. The Android client sends measurements to the server. In order to ensure the data integrity, a digital signature is appended to each measurement.
Since I need everything to be Gson-compatible, storing the public key itself is not possible. I'm storing the G, P, Q and Y factors instead.
Here's a snippet from the request class:
public PublicKey getPublicKey() {
try {
DSAPublicKeySpec keySpec = new DSAPublicKeySpec(publicKeyY, publicKeyP,
publicKeyQ, publicKeyG);
KeyFactory fact = KeyFactory.getInstance("DSA");
PublicKey pubKey = fact.generatePublic(keySpec); // A
return pubKey;
} catch (Exception e) {
e.printStackTrace();
return null;
}
}
public void setPublicKey(PublicKey publicKey) {
try {
KeyFactory fact = KeyFactory.getInstance("DSA");
DSAPublicKeySpec pub = fact.getKeySpec(publicKey, DSAPublicKeySpec.class); // B
publicKeyG = pub.getG();
publicKeyP = pub.getP();
publicKeyQ = pub.getQ();
publicKeyY = pub.getY();
} catch (Exception e) {
e.printStackTrace();
}
}
The constructor makes use of the setPublicKey-method. When I create such request on the client side and send it to the server, both result in an exception.
On the client:
java.lang.RuntimeException: not implemented yet DSA Public Key
y: 2f9286201b266f38d682e99814612f7d37c575d3a210de114bdf02092f4a835109f28a590cfc568bb6525d59b8275fe791f3ddf20e85df44fd2e8622289f6dbc27c73d31d1769feae19573df22a9ca8ef80a9f7230b0b4a2671cc03fdb2788b55b4e9a68a7a5a93a214cc5aa39ccb5155a13354870d45a38760a80fd34333073
class java.security.spec.DSAPublicKeySpec
at org.bouncycastle.jce.provider.JDKKeyFactory.engineGetKeySpec(JDKKeyFactory.java:148)
at java.security.KeyFactory.getKeySpec(KeyFactory.java:210)
Next thing in the stack trace points at the rule I marked as B
On the server:
java.lang.NullPointerException
at sun.security.provider.DSAPublicKey.<init>(DSAPublicKey.java:74)
at sun.security.provider.DSAPublicKeyImpl.<init>(DSAPublicKeyImpl.java:46)
at sun.security.provider.DSAKeyFactory.engineGeneratePublic(DSAKeyFactory.java:86)
at java.security.KeyFactory.generatePublic(KeyFactory.java:304)
at sensserve.protocol.StartSessionRequest.getPublicKey(StartSessionRequest.java:66)
Nextly pointing to the rule A.
I absolutely have no clue what I did wrong and what these messages mean. How can I solve these? Anyone who can tell me what I'm doing wrong?
Thanks a lot.
You should be able to store the public key in Base64 encoded from and still get valid JSON. You should be able to use DSAPublicKeySpec directly without calling getKeySpec() which apparently is not implemented in Bouncy Castle (Android's JCE provider). Not sure why you are getting NPE on the server, maybe wrong format. BTW, it will probably be easier if you are dealing with a single provider, so you might want to use Bouncy Castle on the server as well.