
I'm trying to store the certificates of the client in the Android KeyStore and then pass them to a KeyManager for it to send them to the server. We have a setup where the client needs to present his certificate as well, so that's why I need that. Currently I'm working on it and I can't get it to work.

    KeyStore exception
    android.os.ServiceSpecificException:  (code 7)

    Preferred provider doesn't support key:
    java.security.InvalidKeyException: Keystore operation failed

    Caused by: android.security.KeyStoreException: Incompatible digest
    Could not find provider for algorithm: NONEwithRSA
    javax.net.ssl.SSLHandshakeException: Handshake failed

The current setup that I have is that I generated a key pair in the Android KeyStore and then generated a certificate signing request, which was then signed by a certificate authority, and I stored it into the Android KeyStore. This part worked fine because I can grab the certificate and I tested this manually. But the rest doesn't work; it gives out the errors that I just showed. Everywhere I looked I can't find the solution to this problem and I tried everything already.

Any help is welcome!
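As an added example, not code from the question, here are the three steps described above written against the Android APIs: generating the key pair in AndroidKeyStore, attaching the CA-signed chain to that entry, and wiring the keystore into a KeyManager for client authentication. The alias and the digest/padding allow-list are assumptions; the allow-list is aimed at the "Incompatible digest" / NONEwithRSA errors quoted above, and is not a confirmed fix for them.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public final class KeystoreClientAuth {
    private static final String ALIAS = "client-tls"; // assumed alias

    /** Step 1: RSA key pair generated inside AndroidKeyStore. The digest and
     *  padding allow-list is an assumption aimed at the "Incompatible digest" /
     *  NONEwithRSA errors above: the TLS stack signs pre-hashed data, so the
     *  key must be permitted to sign with DIGEST_NONE as well as SHA-2 digests. */
    static void generateKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
                .setKeySize(2048)
                .setDigests(KeyProperties.DIGEST_NONE, KeyProperties.DIGEST_SHA256,
                        KeyProperties.DIGEST_SHA512)
                .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1,
                        KeyProperties.SIGNATURE_PADDING_RSA_PSS)
                .build());
        kpg.generateKeyPair(); // private key material never leaves the keystore
    }

    /** Step 2: attach the CA-signed chain (chain[0] = client cert) to the
     *  existing key entry; the PrivateKey is a keystore handle, not raw key bits. */
    static void installChain(Certificate[] chain) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, null);
        ks.setKeyEntry(ALIAS, key, null, chain);
    }

    /** Step 3: KeyManager backed by AndroidKeyStore; null trust managers keep platform trust. */
    static SSLContext clientAuthContext() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(
                KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, null); // AndroidKeyStore entries have no password
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }
}
```

Use `clientAuthContext().getSocketFactory()` on the HTTP client; if the handshake still fails with a digest error, check the key's allowed digests with `KeyFactory.getInstance("RSA", "AndroidKeyStore").getKeySpec(key, KeyInfo.class)`.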

  • I don't think this will work. The AndroidKeyStore returns special Java implementations of the PrivateKey interface, and the SSL/TLS handling on Android is implemented in BoringSSL, a fork of OpenSSL, thus implemented in native code and not Java. BoringSSL needs full access to the private key, which is denied by AndroidKeyStore. Therefore I don't think that there is a way to use a private key from AndroidKeyStore for establishing a TLS connection. Commented Jan 19, 2024 at 9:09
  • @Robert Are you sure of this or is this speculation? And if so, do you know any other way of doing this? I was tasked with establishing the SSL connection with the Android KeyStore (doesn't mean it is possible), so I want to find any way possible. Commented Jan 19, 2024 at 9:14
  • I would call it a "guess with high probability". BoringSSL is developed independently of Android, but for accessing keys from AndroidKeyStore it would have to make use of JNI and use Java crypto code instead of its own. Technically it would be possible to write an extension to BoringSSL to let it use AndroidKeyStore keys, but I doubt that this has been done (by Google), or even if such software exists I don't think it would be integrated in AOSP. Commented Jan 19, 2024 at 9:25
  • @Robert Do you think creating the extension is going to be hard? Or do you know any other way I can do the SSL communication (through the Android KeyStore if possible) differently? If it's way too difficult I will just work with a locally created key store or something. Commented Jan 19, 2024 at 9:45
  • I don't know. I am not familiar with the internals of BoringSSL, but you would have to rewrite all the crypto that uses the key from AndroidKeyStore. And of course the extension needs to be included into AOSP, so it would be available only on new and updated devices. So maybe it would be usable in a few years. Or you would have to implement and maintain your own fork of BoringSSL and use that with all the TLS connections in your project (effectively re-implementing the HTTP stack of Android). Commented Jan 19, 2024 at 10:41
