Reputation: 821
We are currently experiencing an issue where sometimes, when a user installs our app, the app tries to access and generate a key in the keystore but the keystore throws this exception:
Caused by: java.lang.IllegalStateException: could not generate key in keystore
We think it has to do with the unlock pattern of the phone not unlocking the keystore, and/or a device administrator locking the keystore.
This is how the keystore is created and how the keys are generated:

    public SecretKeyWrapper(Context context, String alias) throws GeneralSecurityException, IOException {
        mCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        final KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
        keyStore.load(null); // AndroidKeyStore must be loaded before use
        if (!keyStore.containsAlias(alias)) {
            generateKeyPair(context, alias);
        }
        // Read the entry back, whether it already existed or was just generated.
        final KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) keyStore.getEntry(alias, null);
        mPair = new KeyPair(entry.getCertificate().getPublicKey(), entry.getPrivateKey());
    }

    private static void generateKeyPair(Context context, String alias) throws GeneralSecurityException {
        final Calendar start = new GregorianCalendar();
        final Calendar end = new GregorianCalendar();
        end.add(Calendar.YEAR, 100);
        // KeyPairGeneratorSpec requires alias, subject, serial number and validity dates.
        final KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(context)
                .setAlias(alias)
                .setSubject(new X500Principal("CN=" + alias))
                .setSerialNumber(BigInteger.ONE)
                .setStartDate(start.getTime())
                .setEndDate(end.getTime())
                .build();
        final KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
        gen.initialize(spec);
        gen.generateKeyPair();
    }

Does anyone know how to:
Upvotes: 23
Views: 9599
Reputation: 4448
Caused by: java.lang.IllegalStateException: could not generate key in keystore
Hope the 1st exception will be solved by the following code:

    KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
    ks.load(null); // AndroidKeyStore must be loaded before getEntry()
    KeyStore.Entry entry = ks.getEntry(alias, null);
    ks.getEntry(alias, new KeyStore.PasswordProtection(password));

Unlock the keystore when it has been locked by a device administrator:
can appear locked not only on pre-ICS devices. The simplest way to get KeyStore
locked is:
After the device is booted, KeyStore will be LOCKED.
intent will start
activity, which, in turn, will show UnlockDialog, prompting for a password.
* KeyStore: LOCKED
* KeyGuard: OFF/ON
* Action: old unlock dialog
* Notes: assume old password, need to use it to unlock.
* if unlock, ensure key guard before install.
* if reset, treat as UNINITALIZED/OFF
You can just generate a master key and store it as a private file; other apps won't be able to read it, so you'll be fine on non-rooted devices. This is the approach recommended on the Android Developers Blog:
Same question answer: Android android.credentials.UNLOCK Initializing keystore without password
Upvotes: 11
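
The private-file fallback suggested in the answer above, as an added example (not code from the original posts or from the Android Developers Blog). The class name `PrivateFileMasterKey`, the file name `master.key` and the AES-256 key size are assumptions; the key is protected only by the app's private storage.

```java
import android.content.Context;
import java.io.DataInputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical fallback for when AndroidKeyStore refuses to generate a key. */
public final class PrivateFileMasterKey {
    private static final String FILE_NAME = "master.key"; // assumed file name
    private static final int KEY_BYTES = 32;              // AES-256 (assumed size)

    private PrivateFileMasterKey() {}

    /** Returns the stored master key, creating it on first use. */
    public static SecretKey loadOrCreate(Context context)
            throws GeneralSecurityException, IOException {
        File file = context.getFileStreamPath(FILE_NAME);
        if (file.exists()) {
            // Reject a truncated or tampered file instead of using a short key.
            if (file.length() != KEY_BYTES) {
                throw new IOException("master key file has unexpected length");
            }
            byte[] raw = new byte[KEY_BYTES];
            try (DataInputStream in = new DataInputStream(context.openFileInput(FILE_NAME))) {
                in.readFully(raw);
            }
            return new SecretKeySpec(raw, "AES");
        }
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(KEY_BYTES * 8); // uses the platform's default SecureRandom
        SecretKey key = generator.generateKey();
        // MODE_PRIVATE: the file is accessible only to this app's UID.
        try (FileOutputStream out = context.openFileOutput(FILE_NAME, Context.MODE_PRIVATE)) {
            out.write(key.getEncoded());
        }
        return key;
    }
}
```

Call `loadOrCreate` from the handler that catches the `IllegalStateException` thrown by the keystore path, so the app degrades to the file-backed key instead of crashing.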