A module to create and store keys in the Android hardware keystore, which helps with encryption, decryption, and HMAC calculation.
The secure-keystore Kotlin artifact (`.aar`) has been published to Maven.
- In `settings.gradle.kts` of your app, add the snapshot repository:

  ```kotlin
  dependencyResolutionManagement {
      repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
      repositories {
          google()
          mavenCentral()
          maven("https://oss.sonatype.org/content/repositories/snapshots/")
      }
  }
  ```

- In your app's `build.gradle.kts`, add the dependency:

  ```kotlin
  dependencies {
      implementation("io.mosip:secure-keystore:1.0-SNAPSHOT")
  }
  ```

The Kotlin library has now been added to your project.
The package is also published to npm:

```sh
npm install @mosip/secure-keystore
```

`deviceSupportsHardware() => boolean`
Checks whether the device supports a hardware-backed keystore.

`hasAlias(alias: String) => boolean`
Checks whether the given alias is present in the keystore.

`generateKey(alias: String, isAuthRequired: boolean, authTimeout?: number) => void`
Generates a symmetric key for encryption and decryption.

`generateKeyPair(type: String, alias: String, isAuthRequired: boolean, authTimeout?: number) => String`
Generates an asymmetric RSA or EC (P-256) key pair for signing.

`removeKey(alias: String) => void`
Removes the key associated with the alias from the keystore.
```
encryptData(
    alias: String,
    data: String,
    onSuccess: (encryptedText: String) -> Unit,
    onFailure: (code: number, message: String) -> Unit,
    context: Context,
) => void
```
Encrypts the given data (Base64-encoded) using the key assigned to the alias. Returns the encrypted data as a String through the onSuccess callback.
```
decryptData(
    alias: String,
    encryptedText: String,
    onSuccess: (data: String) -> Unit,
    onFailure: (code: number, message: String) -> Unit,
    context: Context,
) => void
```
Decrypts the given encryptedText using the key assigned to the alias. Returns the decrypted data as a String through the onSuccess callback.
```
sign(
    signAlgorithm: String,
    alias: String,
    data: String,
    onSuccess: (signature: String) -> Unit,
    onFailure: (code: number, message: String) -> Unit,
    context: Context,
) => void
```
Creates a signature for the given data with the given signing algorithm using the key assigned to the alias. Returns the signature as a String through the onSuccess callback.
For `SHA256withECDSA` as `signAlgorithm`, the output is in standard ASN.1 (DER) format. Certain verifiers, such as jwt.io, require the raw r||s (RS) format instead; the helper below performs that conversion.

```kotlin
import org.bouncycastle.asn1.ASN1InputStream
import org.bouncycastle.asn1.ASN1Integer
import org.bouncycastle.asn1.ASN1Sequence
import java.io.ByteArrayInputStream

// Converts a DER-encoded ECDSA signature (SEQUENCE { r INTEGER, s INTEGER }) into the
// fixed-width raw r||s form. The component width is fixed at 32 bytes, i.e. P-256.
private fun convertDerToRsFormat(derSignature: ByteArray): ByteArray {
    val seq = ASN1InputStream(ByteArrayInputStream(derSignature)).use {
        it.readObject() as ASN1Sequence
    }
    val r = (seq.getObjectAt(0) as ASN1Integer).value
    val s = (seq.getObjectAt(1) as ASN1Integer).value
    // BigInteger.toByteArray() is two's complement: a value whose high bit is set gains a
    // leading 0x00 sign byte (33 bytes), and a small value may be shorter than 32 bytes.
    val rBytes = r.toByteArray()
    val sBytes = s.toByteArray()
    val rPadded = ByteArray(32)
    val sPadded = ByteArray(32)
    // Drop the leading sign byte when the encoding exceeds 32 bytes ...
    val rTrimmed = if (rBytes.size > 32) rBytes.copyOfRange(rBytes.size - 32, rBytes.size) else rBytes
    val sTrimmed = if (sBytes.size > 32) sBytes.copyOfRange(sBytes.size - 32, sBytes.size) else sBytes
    // ... then right-align each component in its 32-byte field, zero-filling on the left.
    System.arraycopy(rTrimmed, 0, rPadded, 32 - rTrimmed.size, rTrimmed.size)
    System.arraycopy(sTrimmed, 0, sPadded, 32 - sTrimmed.size, sTrimmed.size)
    return rPadded + sPadded
}
```

```
generateHmacSha(
    alias: String,
    data: String,
    onSuccess: (signature: String) -> Unit,
    onFailure: (code: number, message: String) -> Unit,
) => void
```
Generates an HMAC signature for the given data using the key assigned to the alias. Returns the signature as a String through the onSuccess callback.
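The DER-to-raw conversion described under `sign` above, as an added example that is not part of the secure-keystore project: a dependency-free Python implementation that parses the DER `SEQUENCE { r INTEGER, s INTEGER }` itself, rejects malformed input (wrong tags, length mismatches, trailing bytes, negative components), converts in both directions (DER to raw r||s and back), and produces the unpadded base64url string that JWS verifiers expect. It generalises the page's Kotlin helper by taking the component width as a parameter (32 for P-256, 48 for P-384). The sample r and s values are constructed for the example and are not real signatures; Python is used instead of Kotlin so it runs without Android or BouncyCastle.

```python
from __future__ import annotations
import base64

# Constructed sample components (not a real signature). They exercise the two cases a
# naive byte-copy gets wrong: r has its high bit set, so its DER INTEGER carries a
# leading 0x00 (33 bytes); s has a leading zero byte, so its DER INTEGER is only 31 bytes.
SAMPLE_R = bytes([0xFF]) + bytes(range(1, 32))        # 32 bytes, high bit set
SAMPLE_S = bytes([0x00, 0x7F]) + bytes(range(2, 32))  # 32 bytes, value fits in 31
SAMPLE_RS = SAMPLE_R + SAMPLE_S                        # 64-byte raw r||s


def _read_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 2:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _read_integer(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a DER INTEGER at buf[pos]; return (value, position after it)."""
    if pos >= len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag")
    length, pos = _read_length(buf, pos + 1)
    body = buf[pos:pos + length]
    if length == 0 or len(body) != length:
        raise ValueError("truncated or empty INTEGER")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER is not a valid ECDSA component")
    return int.from_bytes(body, "big"), pos + length


def der_to_rs(der: bytes, component_size: int = 32) -> bytes:
    """DER ECDSA signature -> fixed-width raw r||s. component_size is the curve's
    coordinate width in bytes (32 for P-256, 48 for P-384)."""
    if not der or der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    seq_len, pos = _read_length(der, 1)
    if pos + seq_len != len(der):
        raise ValueError("SEQUENCE length does not match input length")
    r, pos = _read_integer(der, pos)
    s, pos = _read_integer(der, pos)
    if pos != len(der):
        raise ValueError("trailing bytes after signature")
    for v in (r, s):
        if v.bit_length() > component_size * 8:
            raise ValueError("component does not fit the curve size")
    # to_bytes left-pads with zeros, which is exactly the right-alignment the raw form needs.
    return r.to_bytes(component_size, "big") + s.to_bytes(component_size, "big")


def _encode_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _encode_integer(value: int) -> bytes:
    """Minimal DER INTEGER: a 0x00 pad byte is added only when the high bit is set."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _encode_length(len(body)) + body


def rs_to_der(rs: bytes) -> bytes:
    """Raw r||s (two equal-width components) -> DER ECDSA signature."""
    if len(rs) == 0 or len(rs) % 2:
        raise ValueError("raw signature must be two equal-length components")
    half = len(rs) // 2
    body = _encode_integer(int.from_bytes(rs[:half], "big")) + \
        _encode_integer(int.from_bytes(rs[half:], "big"))
    return b"\x30" + _encode_length(len(body)) + body


def rs_to_jws(rs: bytes) -> str:
    """JWS carries the raw r||s as base64url without '=' padding."""
    return base64.urlsafe_b64encode(rs).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    der = rs_to_der(SAMPLE_RS)
    print("DER:", der.hex())
    print("round trip ok:", der_to_rs(der) == SAMPLE_RS)
    print("JWS form:", rs_to_jws(der_to_rs(der)))
```

Roughly half of real ECDSA signatures have an r or s with the top bit set, so a converter that copies DER integer bytes without handling the sign pad fails intermittently rather than always; the round trip in the block demonstrates that both the long and the short case survive. When passing the library's output through this code, Base64-decode the signature string first, and hand verifiers the `rs_to_jws` result rather than standard Base64.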
`generateHmacSha256Key(alias: String) => void`
Generates a symmetric key specifically for HMAC-SHA256 operations.

`retrieveGenericKey(account: String) => String[]`
Retrieves the list of keys associated with the specified account.
```
storeGenericKey(
    publicKey: String,
    privateKey: String,
    account: String,
) => void
```
Stores the specified public and private key pair associated with the account.
`retrieveKey(alias: String) => String`
Retrieves the key associated with the alias.

`removeAllKeys() => void`
Removes all keys stored in the keystore.
See the contributing guide to learn how to contribute to the repository and the development workflow.
MPL-2.0