I have a requirement to generate self-signed X.509 certificates with the 
'Key Usage' (i.e. purpose) extension specified. I note that Android API 23 
(Marshmallow) provides a KeyGenParameterSpec.Builder where the key purpose 
is specified in the constructor (see below).

    // Generate an RSA key pair inside the Android Keystore; the provider
    // also produces a self-signed certificate for the alias.
    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(
            KeyProperties.KEY_ALGORITHM_RSA, KEYSTORE_PROVIDER_ANDROID_KEYSTORE);
    keyPairGenerator.initialize(
            new KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_SIGN)
                    .setCertificateSubject(new X500Principal("CN=Subject"))
                    .setDigests(KeyProperties.DIGEST_SHA256)
                    .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
                    .setCertificateNotBefore(start.getTime())
                    .setCertificateNotAfter(end.getTime())
                    .setKeyValidityStart(start.getTime())
                    .setKeyValidityEnd(end.getTime())
                    .setKeySize(2048)
                    .setCertificateSerialNumber(BigInteger.valueOf(1337))
                    .build());
    keyPairGenerator.generateKeyPair();

However, the certificate produced does not appear to include the Key Usage 
extension. Please see the screenshot below.

<https://lh3.googleusercontent.com/-jPO9kxxwDqQ/VfmAk_PXoSI/AAAAAAAAAAg/-hhKx0MlP40/s1600/not%2Bincluded.PNG>

As a comparison, the following screenshot shows a certificate generated on 
a Windows PC, which includes the Key Usage extension.

<https://lh3.googleusercontent.com/-NfMZiEwdUO8/VfmA82aq3SI/AAAAAAAAAAo/hvkOQFuml94/s1600/included.PNG>

Please could someone advise whether I am using the KeyGenParameterSpec.Builder 
incorrectly, or whether it does not support including the Key Usage extension in 
the generated certificate? If it isn't supported, is there another way of 
inserting the Key Usage extension into the certificate?


Regards, Michael
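As an added example (not part of the original post, and not Android framework code), the following Java shows the two things a practitioner would want here: building a self-signed certificate that carries a critical Key Usage extension with the Bouncy Castle PKIX builder, and checking programmatically whether a given X509Certificate has the extension at all, which is more reliable than reading a screenshot. It assumes the Bouncy Castle `bcpkix` library is on the classpath; the subject, serial number and SHA256withRSA/PKCS#1 signature mirror the values in the post.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class KeyUsageCertExample {
    // Builds a self-signed certificate (issuer == subject) whose Key Usage
    // extension asserts digitalSignature only, marked critical as RFC 5280
    // recommends, so relying parties reject use of the key for anything else.
    public static X509Certificate selfSignedWithKeyUsage(KeyPair kp, Date notBefore,
                                                         Date notAfter) throws Exception {
        X500Name subject = new X500Name("CN=Subject");
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                subject, BigInteger.valueOf(1337), notBefore, notAfter, subject, kp.getPublic());
        builder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        X509CertificateHolder holder = builder.build(signer);
        return new JcaX509CertificateConverter().getCertificate(holder);
    }

    // getKeyUsage() returns null when the extension is absent entirely; index 0
    // is the digitalSignature bit. Use this to inspect the Keystore-issued
    // certificate instead of relying on a viewer.
    public static boolean hasDigitalSignatureUsage(X509Certificate cert) {
        boolean[] usage = cert.getKeyUsage();
        return usage != null && usage[0];
    }

    public static void main(String[] args) throws Exception {
        // Plain JCA key pair for a desktop run; on Android the Keystore key pair
        // generated as in the post would be used in the same way.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Date start = new Date();
        Date end = new Date(start.getTime() + 365L * 24 * 60 * 60 * 1000);
        X509Certificate cert = selfSignedWithKeyUsage(kp, start, end);
        System.out.println("Key Usage digitalSignature present: " + hasDigitalSignatureUsage(cert));
    }
}
```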