I use a keystore (BKS format) in my android app to store public private keypairs. The app was used over a long time and had 10+ public private key pairs. All of a sudden, one of the app's major functionality stopped working. Root cause was found out to be the following:
Only one public private keypair is remaining in the BKS file. All other keypairs are lost. I verified in the code that KeyStore.deleteEntry(alias) is not called anywhere in the app. The only place where I could find if something would have gone wrong is following:
We create a keypair and set it using:
KeyStore.setKeyEntry(keyId, keyPair.getPrivate(), getKeyStorePassword(), certChain);
The javadoc of above method states the following: If the given alias already exists, the keystore information associated with it is overridden by the given key (and possibly certificate chain).
Normally, a string obtained from server which is a UUID is used as alias to set a new KeyPair in KeyStore. So, the possibility of new alias being same as one which is already present in keystore is very unlikely. Even if that's the case, it would have just overridden one key pair. But, in this case, around 10+ key pairs are lost.
Does anyone know of any known issues which result in this kind of key-pair loss?
Additional info:
I found that the certificate associated with public key for every key pair is valid only for 1 year. I thought the key pairs for which certificate is expired may be deleted when a new key pair is being set in the keystore. But, when I executed the test case by changing the validity as 30 days, and changing the device time ahead by more than 30 days, the issue could not be reproduced.
One more thing which I am not sure if it is relevant for this issue is: Currently the serial number for the all the certificates being generated is BigInteger.ONE:
X509v1CertificateBuilder certBuilder = new JcaX509v1CertificateBuilder( subject, BigInteger.ONE, notBefore, notAfter, subject, keyPair.getPublic());
I think this is wrong, but, I am not sure if this may lead to the issue which I have.
Following is the list of security providers (
Security.getProviders()) in the device in which this issue was seen:- AndroidKeyStoreBCWorkaround version 1.0
- AndroidOpenSSL version 1.0
- BC version 1.52
- Crypto version 1.0
- HarmonyJSSE version 1.0
- AndroidKeyStore version 1.0
So, all Java crypto operations are done using AndroidKeyStoreBCWorkaround version 1.0. The device is Nexus 5, Android 6.0.1.
来源:https://stackoverflow.com/questions/50735558/keys-lost-from-bks-file-without-deletekey-command