androidkeystore | sample project from Android sdk modified folder structure | Code Editor library

In the latest posted encryption code, nonce, ciphertext and tag are concatenated and Base64 encoded, in the following called nonceCiphertextTagB64.

When decrypting

• nonceCiphertextTagB64 must first be Base64 decoded to nonceCiphertextTag,
• the nonce must be encapsulated in a GCMParameterSpec instance; the nonce are the first 12 bytes of nonceCiphertextTag,
• a cipher instance for AES/GCM/NoPadding must be created, which is initialized with the key and the GCMParameterSpec instance in decryption mode,
• the concatenation of ciphertext and tag is decrypted; the concatenation of ciphertext and tag is the data after the nonce.

In the following example implementation, with respect to a repro, the 32 bytes key 01234567890123456789012345678901 is used (instead of a key from the key store). The ciphertext was created with the posted code for encryption using the same key and the plaintext The quick brown fox jumps over the lazy dog:

Most of the time
does not have a closing tag.
. However to make this work everything needs a closing tag.

I'm answering my own question, as my findings maybe helpful to others.

Up to now (July 6th 2021) I do have no idea why a SecretKey that is generated with the option

Since you're mixing groups and inline variables, you may need to change this from a mapping to a sequence, as in:

The problem is reproducible on my machine. It occurs when the encrypted data encryptedBytes in CryptoImpl.encrypt has a length of more than 255 bytes. The reason is that starting with 256 bytes encryptedBytes.size cannot be stored on one byte, while the methods int InputStream.read() or void OutputStream.write(int) read or write only one byte.

Therefore, if the size of the ciphertext is to be written, a sufficiently large bytes buffer must be used in CryptoImpl.encrypt, e.g. 4 bytes:

(Answering my own question). I have gotten this to work with the above solution on the following device specs.

• Device: Samsung A31
• Android Version: 10
• Biometric: Fingerprint

Previously, I was testing this with an emulator, and the keys would not be invalidated. This may be an issue where emulators do not properly invalidate keys.

I will have time in the near future to test this on future devices (Google Pixel, other Samsung Devices, etc.) And will update my answer when I get more details.

I decided to create my own JWK class. And I used GSON library to parse / stringify JSON.

Another solution :

@jps proposed to use this library connect2id.com/products/nimbus-jose-jwt/examples/jwk-generation

It doesn't matter how you key track of/store your keyName. It is not a security concern. You may as well save it as a constant in your source file.

This is generally called a Keystore alias, like in the documentation. When you generate a key in the keystore, you will have to specify an alias. You will have to use the same alias to refer/access the key at a later time.

As far as I know, there are two things to remember for aliases:

1. An alias should be unique for each keystore entry.
2. Aliases should not differ only in case. Depending on the implementation the keystore aliases may be case-sensitive/case-insensitive. So to err on the side of caution, do not use aliases in a KeyStore that only differ in case.

Regarding your first question:

If, as described in your comment, the message is already hashed (e.g. with SHA256) and only needs to be signed using PKCS#1 v1.5 padding, then this is possible with NONEwithRSA. However, it must be specified in the key properties that no digest is used.
If the signature should also comply with the standard, i.e. a verification with SHA256withRSA should be possible, the digest ID (more precisely, the DER encoding of the DigestInfo value) must be placed in front of the hashed message. The following code (based on the posted code) shows this for SHA256 (tested for Android P / API 28):