Password is ignored in most cases
yuriymyronovych opened this issue
When generating a key I can provide an additional password, which is ignored in most cases. So annoying... It should not be in the interface if it is not used.
Found the same issues in the source: the given password is simply not used/ignored. Looks like we need to fork the lib to fix this issue, since the project looks like it is not maintained anymore...
Thanks for reporting this issue. @stan-ko, if you find an issue and you have a fix for it, pull requests are welcome.
If I find some free time, I will also jump into it.
OK guys, so here is the declaration of the method you are blaming:
```java
/**
 * Required for Symmetric using API < 23 and Asymmetric key using API < 18.
 *
 * @param password used for additional key secure in Default KeyStore.
 */
public Builder setPassword(char[] password) {
    mProps.mPassword = password;
    return this;
}
```
And here are the `mPassword` (from `KeyProps`) usages:

- First, in the `private KeyPair generateDefaultAsymmetricKey(KeyProps keyProps)` method:

```java
keyStore.setKeyEntry(keyProps.mAlias, key, keyProps.mPassword, new Certificate[]{certificate});
```

- Second, in `private SecretKey generateDefaultSymmetricKey(KeyProps keyProps)`:

```java
keyStore.setEntry(keyProps.mAlias, keyEntry, new KeyStore.PasswordProtection(keyProps.mPassword));
```
To clarify the thing: for the `AndroidKeyStore` provider, you do not need any key password and, moreover, you cannot even set one (you can find more information about this here). This password is only used in non-`AndroidKeyStore` provider cases (when Scytale is using Java secure providers instead), specifically if you are trying to generate a Symmetric key on devices lower than API 23 and an Asymmetric key on devices lower than API 18.
Next time, please be more specific about the "most cases" and the "places in source" code where some functionality is missed or has an issue, thanks.
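An added example, not code from Scytale or from anyone in this thread: it shows what the entry password does on the non-`AndroidKeyStore` path, using the same `setEntry` call shape as `generateDefaultSymmetricKey` quoted above. It assumes a desktop JVM with an in-memory `PKCS12` keystore standing in for whichever Java provider Scytale falls back to; the class name, alias and passwords are constructed for illustration.

```java
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.security.KeyStore;
import java.security.UnrecoverableEntryException;
import java.util.Arrays;

public class EntryPasswordDemo {
    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from Scytale.
        String alias = "demo-alias";
        char[] entryPassword = "entry-pass".toCharArray();
        char[] wrongPassword = "wrong-pass".toCharArray();

        // Assumption: a software PKCS12 keystore stands in for the
        // non-AndroidKeyStore provider used on older API levels.
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(null, null); // new, empty in-memory keystore

        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(256);
        SecretKey key = generator.generateKey();

        // Same call shape as the setEntry usage quoted in the thread:
        // the password encrypts this single entry inside the keystore.
        keyStore.setEntry(alias, new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(entryPassword));

        // The correct password recovers the original key material.
        KeyStore.SecretKeyEntry loaded = (KeyStore.SecretKeyEntry) keyStore.getEntry(
                alias, new KeyStore.PasswordProtection(entryPassword));
        System.out.println("correct password, key matches: "
                + Arrays.equals(key.getEncoded(), loaded.getSecretKey().getEncoded()));

        // A wrong password must fail: on this path the password is enforced.
        try {
            keyStore.getEntry(alias, new KeyStore.PasswordProtection(wrongPassword));
            System.out.println("wrong password: entry returned (unexpected)");
        } catch (UnrecoverableEntryException e) {
            System.out.println("wrong password rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

On the `AndroidKeyStore` path there is no equivalent per-entry password, which is why the same `setPassword` value has no effect there.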