
Is there a way of generating CSRs for keys stored inside an Android KeyStore? I know you can generate keys, then generate a CSR, and lastly store the keys inside the Android KeyStore, but is it also possible to generate CSRs for keys that were generated at an earlier point and are already stored inside the KeyStore?

I tried to do it just the same way you would do it with freshly generated keys using Spongycastle. But I ran into a problem while creating the JCAContentSigner. Running this code:

```java
new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider("SC").build(privateKey)
```

It will throw the exception:

```
org.spongycastle.operator.OperatorCreationException: cannot create signer: Supplied key (android.security.keystore.AndroidKeyStoreRSAPrivateKey) is not a RSAPrivateKey instance
```

Without setting SpongyCastle as Security Provider, I get this exception:

```
org.spongycastle.operator.OperatorCreationException: cannot create signer: Keystore operation failed
```

So my question is whether one of these three options is possible:

  1. cast an android.security.keystore.AndroidKeyStoreRSAPrivateKey into a RSAPrivateKey instance?

  2. get it to work without setting SpongyCastle as Security Provider?

  3. generate a CSR without SpongyCastle?

C3nturyFox
  • Does this answer your question? [Create Certificate Signing Request inside an Android app](https://stackoverflow.com/questions/36361218/create-certificate-signing-request-inside-an-android-app) – Josh Correia Jul 25 '20 at 05:44
  • Nope, there is no answer in the thread you linked... anyway, found my own solution by now. – C3nturyFox Jul 25 '20 at 16:53
  • What is the solution? I'm also after this... Thanks – NOP-MOV Jul 29 '20 at 14:12
  • @NOP-MOV The reason why it's not working is: when you are building the `JcaContentSignerBuilder` into a `PKCS10CertificationRequest`, you pass it a `ContentSigner` as argument. The `ContentSigner` itself is built by passing your `PrivateKey` to the `ContentSignerBuilder`. When the `ContentSigner` now tries to sign something, it's gonna fail, because it cannot use your hardware-backed key to sign. The solution to this is to override the `build()` of the `ContentSignerBuilder`, so that it uses your hardware-backed key. – C3nturyFox Jul 30 '20 at 20:56
  • – C3nturyFox Jul 30 '20 at 21:06
    ```java
    public ContentSigner build(String alias) throws GeneralSecurityException {
        // keyManager is the commenter's own wrapper around the AndroidKeyStore
        KeyStore.Entry keystoreEntry = keyManager.getKey(alias);
        PrivateKey privateKey = ((KeyStore.PrivateKeyEntry) keystoreEntry).getPrivateKey();
        // sig is the java.security.Signature the returned ContentSigner signs with;
        // initSign lets the AndroidKeyStore provider pick up the hardware-backed key
        sig.initSign(privateKey);
    }
    ```
  • Sorry, the formatting is fked. Hope it's more or less clear what I meant. If not, shoot me a message. – C3nturyFox Jul 30 '20 at 21:08
  • Thank you so much, will try to use it. Thanks!!! – NOP-MOV Aug 01 '20 at 10:35
  • Hi @C3nturyFox, I am facing the SAME issues in the above process. I am able to generate a CSR file but the signature is not matching. Can you share the sample code for how you pass the private key, and how PKCS10CertificationRequestBuilder.build returns a proper certificate? – Jarvis Feb 26 '22 at 20:43
  • @Jarvis Long time ago, I don't quite remember all of that. The sample code I posted isn't working? Can you be more precise, which signatures aren't matching? – C3nturyFox Feb 28 '22 at 00:07
  • Thanks, @C3nturyFox, I fixed the issue using the JcaContentSignerBuilder method in the spongycastle library – Jarvis Mar 02 '22 at 08:52
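A complete version of the approach the comments describe, added here as an example (not code from the question or its commenters): a `ContentSigner` that delegates to `java.security.Signature`, so the AndroidKeyStore provider performs the signing with the non-exportable key and no cast to `RSAPrivateKey` is needed, followed by a check that the CSR's signature verifies against the key's public half. `KeyStoreContentSigner` and `csrForAlias` are names chosen for this example; the alias and subject DN are placeholders.

```java
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.security.*;
import org.spongycastle.asn1.x500.X500Name;
import org.spongycastle.asn1.x509.AlgorithmIdentifier;
import org.spongycastle.operator.ContentSigner;
import org.spongycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.spongycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.spongycastle.pkcs.PKCS10CertificationRequest;
import org.spongycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

/** Example ContentSigner: buffers the to-be-signed bytes and hands them to a
 *  java.security.Signature, so the key never has to leave the AndroidKeyStore. */
final class KeyStoreContentSigner implements ContentSigner {
    private final Signature sig;
    private final AlgorithmIdentifier algId;
    private final ByteArrayOutputStream tbs = new ByteArrayOutputStream();

    KeyStoreContentSigner(PrivateKey key, String algorithm) throws GeneralSecurityException {
        // No explicit provider: initSign() with an AndroidKeyStore key selects that provider
        sig = Signature.getInstance(algorithm);
        sig.initSign(key);
        algId = new DefaultSignatureAlgorithmIdentifierFinder().find(algorithm);
    }
    @Override public AlgorithmIdentifier getAlgorithmIdentifier() { return algId; }
    @Override public OutputStream getOutputStream() { return tbs; }
    @Override public byte[] getSignature() {
        try {
            sig.update(tbs.toByteArray());
            return sig.sign();
        } catch (SignatureException e) {
            throw new IllegalStateException("keystore signing failed", e);
        }
    }

    /** Builds a CSR for an existing AndroidKeyStore alias and verifies its signature. */
    static PKCS10CertificationRequest csrForAlias(String alias, String subjectDn) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        PrivateKey priv = (PrivateKey) ks.getKey(alias, null);          // hardware-backed handle
        PublicKey pub = ks.getCertificate(alias).getPublicKey();         // from the self-signed cert
        PKCS10CertificationRequest csr = new JcaPKCS10CertificationRequestBuilder(
                new X500Name(subjectDn), pub).build(new KeyStoreContentSigner(priv, "SHA256withRSA"));
        // Catches the "signature not matching" case before the CSR is sent anywhere
        if (!csr.isSignatureValid(new JcaContentVerifierProviderBuilder().build(pub))) {
            throw new SecurityException("CSR signature does not verify with the public key");
        }
        return csr;
    }
}
```

Call `KeyStoreContentSigner.csrForAlias("my-key-alias", "CN=device-placeholder")` (placeholder values) and encode the result with `csr.getEncoded()` for a DER CSR.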
