I want to generate a KeyPair on my Android device that has the Google Hardware Attestation Root certificate as its root certificate.
I've seen in the Android documentation here that I can change the self-signed certificate:
For asymmetric key pairs, a self-signed X.509 certificate will be also generated and stored in the Android Keystore. This is because the KeyStore abstraction does not support storing key pairs without a certificate. The subject, serial number, and validity dates of the certificate can be customized in this spec. The self-signed certificate may be replaced at a later time by a certificate signed by a Certificate Authority (CA).
I can see here that I can get the chain of X.509 certificates associated with the hardware-backed keystore with the KeyStore getCertificateChain() method:
Use a KeyStore object's getCertificateChain() method to get a reference to the chain of X.509 certificates associated with the hardware-backed keystore.
However, I haven't found how I can change the certificate on my KeyPair to the Google Hardware Attestation Root certificate:
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Base64
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.cert.X509Certificate

private fun generateKeyPairAttestationAndGetPublicKey(): String {
    // Load the hardware-backed keystore before reading entries from it.
    val keyStore = KeyStore.getInstance("AndroidKeyStore")
    keyStore.load(null)

    val keyPairGenerator = KeyPairGenerator.getInstance(
        KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore"
    )
    keyPairGenerator.initialize(
        KeyGenParameterSpec.Builder(
            "my-mobile-key",
            KeyProperties.PURPOSE_SIGN or KeyProperties.PURPOSE_ENCRYPT
        )
            .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP)
            .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
            .build()
    )
    // Generating the pair also stores a self-signed certificate under the alias.
    keyPairGenerator.generateKeyPair()

    val keyEntry = keyStore.getEntry("my-mobile-key", null) as KeyStore.PrivateKeyEntry
    val x509Cert = keyEntry.certificate as? X509Certificate
        ?: throw Exception("Certificate generated by the KeyPair is not a X509Certificate")

    // Return the public key from the certificate as Base64 so it can be sent to a server.
    return Base64.encodeToString(x509Cert.publicKey.encoded, Base64.NO_WRAP)
}
How can I do that?
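Added example, not the asker's code: a chain rooted at the Google Hardware Attestation Root is not obtained by replacing the stored certificate but by requesting key attestation with setAttestationChallenge() on the KeyGenParameterSpec, after which getCertificateChain() returns the hardware attestation chain. The alias, the challenge bytes and the helper names below are assumptions.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.cert.X509Certificate

// OID of the Android key attestation extension present in the leaf certificate.
private const val KEY_ATTESTATION_OID = "1.3.6.1.4.1.11129.2.1.17"

/**
 * Generates an RSA key in AndroidKeyStore and asks the secure hardware to attest it.
 * The challenge must be a fresh nonce supplied by the verifying server; the caller
 * passes it in, the value used is an assumption of this example.
 */
fun generateAttestedKeyPair(alias: String, challenge: ByteArray): Array<X509Certificate> {
    val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val generator = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore")
    generator.initialize(
        KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_SIGN)
            .setDigests(KeyProperties.DIGEST_SHA256)
            .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
            .setAttestationChallenge(challenge) // requests the attestation chain instead of a self-signed cert
            .build()
    )
    generator.generateKeyPair()
    val chain = keyStore.getCertificateChain(alias)
        ?: throw IllegalStateException("no certificate chain stored under $alias")
    return chain.map { it as X509Certificate }.toTypedArray()
}

/**
 * Local sanity checks only. Trust decisions (comparing the root to Google's published
 * root key, parsing the attestation record, matching the challenge) belong on the server,
 * which receives the chain; the device must not be trusted to verify itself.
 */
fun checkAttestationChain(chain: Array<X509Certificate>): String {
    require(chain.size > 1) { "only a self-signed certificate came back; the device did not attest" }
    // Each certificate must be signed by the next one up the chain.
    for (i in 0 until chain.size - 1) {
        chain[i].verify(chain[i + 1].publicKey)
    }
    val leaf = chain.first()
    require(leaf.getExtensionValue(KEY_ATTESTATION_OID) != null) {
        "leaf certificate carries no key attestation extension"
    }
    val root = chain.last()
    return "chain length=${chain.size}, root subject=${root.subjectX500Principal.name}"
}
```

On a device without hardware attestation support, or when the challenge is omitted, getCertificateChain() still returns only the self-signed certificate, so the length check above is the first thing a verifier should look at.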