aws / amazon-freertos-ble-android-sdk

Android SDK for FreeRTOS Bluetooth Devices.
Apache License 2.0

How to use keyStore? #19

Closed Serobegi closed 2 years ago

Serobegi commented 4 years ago
```java
esp32ListView.setOnItemClickListener(new AdapterView.OnItemClickListener() {
    @Override
    public void onItemClick(AdapterView<?> parent, View view, int position, long id) {

        if (amazonFreeRTOSDevice != null) {
            amazonFreeRTOSManager.disconnectFromDevice(amazonFreeRTOSDevice);
            amazonFreeRTOSDevice = null;
        }
        // esp32List.get(position).getBluetoothDevice().createBond() // last resort

        try {
            amazonFreeRTOSDevice = amazonFreeRTOSManager
                    .connectToDevice(
                            esp32List.get(position).getBluetoothDevice(),
                            connectionStatusCallback,
                            KeyStore.getInstance("String"),
                            false);

        } catch (KeyStoreException e) {
            e.printStackTrace();
        }
    }
});
```

I don't know KeyStore, please help me.

ravibhagavandas commented 4 years ago

@Serobegi

What are you using the keystore for? The keystore option provided in the demo app is used for storing the certificate and private key used for connecting to the AWS IoT MQTT broker. Is that your intended usage?

If so, you can look into the AWSIoTKeyStoreHelper class to see how to generate a key pair in the keystore and pass the keystore to the SDK.

For security purposes we recommend using Cognito-based authentication on mobile devices, as it does not involve storing a key pair on the mobile device. You can find more documentation on how to set up Cognito for the demo here.

Serobegi commented 4 years ago

Hello!

I don't need the MQTT function; I am making an app that can make a BLE connection with the board and send and receive Wi-Fi information only.

Can you tell me how to use the AWSIoTKeyStoreHelper class?

And thank you so much for replying.


Currently, `implementation('com.amazonaws:aws-android-sdk-mobile-client:2.13.5')` has been added to build.gradle (Module: app).

```java
AWSCredentialsProvider awsCredentialsProvider = AWSMobileClient.getInstance();

amazonFreeRTOSDevice = amazonFreeRTOSManager.connectToDevice(
        esp32List.get(position).getBluetoothDevice(),
        connectionStatusCallback,
        awsCredentialsProvider,
        false);
```

Is this the same as using KeyStore? What else do I need to register or go through to use the function above?

ravibhagavandas commented 4 years ago

`AWSCredentialsProvider awsCredentialsProvider = AWSMobileClient.getInstance();` This uses Cognito-based authentication (which is the recommended way for user authentication in a mobile app) instead of a keystore.

You can find a sample of how to create keys and load them from keystore using AwsIoTkeystoreHelper class here: https://github.com/awslabs/aws-sdk-android-samples/blob/main/AndroidPubSub/src/com/amazonaws/demo/androidpubsub/PubSubActivity.java#L203

The sample creates a key pair and certificate using the createKeysAndCertificate() API and saves them to the keystore.
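The two credential paths discussed in this thread (the Cognito provider from the asker's build.gradle snippet, and the keystore flow in the linked PubSub sample), written out as an added example. This is not code from the SDK, the sample, or any commenter; it assumes the `AWSIotKeystoreHelper` static methods from the aws-sdk-android IoT module (`isKeystorePresent`, `keystoreContainsAlias`, `saveCertificateAndPrivateKey`, `getIotKeystore`), the `BleConnectionStatusCallback` type from this SDK, and placeholder keystore name, alias and region values that a real app would load from configuration rather than literals. The keystore branch needs the calling identity to hold `iot:CreateKeysAndCertificate`, and it performs network I/O, so it must not run on the main thread.

```java
import android.bluetooth.BluetoothDevice;
import android.content.Context;
import android.util.Log;

import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.mobile.client.AWSMobileClient;
import com.amazonaws.mobile.client.Callback;
import com.amazonaws.mobile.client.UserStateDetails;
import com.amazonaws.mobileconnectors.iot.AWSIotKeystoreHelper;   // assumed import path (helper later moved to Amplify)
import com.amazonaws.regions.Region;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.iot.AWSIotClient;
import com.amazonaws.services.iot.model.CreateKeysAndCertificateRequest;
import com.amazonaws.services.iot.model.CreateKeysAndCertificateResult;

import software.amazon.freertos.amazonfreertossdk.AmazonFreeRTOSDevice;
import software.amazon.freertos.amazonfreertossdk.AmazonFreeRTOSManager;
import software.amazon.freertos.amazonfreertossdk.BleConnectionStatusCallback;  // assumed SDK callback type

import java.security.KeyStore;

/** Added example (not SDK code): two ways to hand credentials to connectToDevice(). */
public final class BleCredentialHelper {
    private static final String TAG = "BleCredentialHelper";

    // Constructed placeholder values; load these from configuration in a real app.
    private static final String KEYSTORE_NAME = "iot_keystore";
    private static final String CERT_ALIAS = "default";        // alias the key pair is stored under
    private static final Regions IOT_REGION = Regions.US_EAST_1;

    private BleCredentialHelper() {}

    /** Recommended path from the thread: Cognito via AWSMobileClient, no key material kept on the phone. */
    public static void connectWithCognito(Context context,
                                          AmazonFreeRTOSManager manager,
                                          BluetoothDevice device,
                                          BleConnectionStatusCallback statusCallback,
                                          Callback<AmazonFreeRTOSDevice> onConnected) {
        // initialize() reads awsconfiguration.json and must finish before the provider can vend credentials;
        // calling getInstance() as a provider without it is the usual cause of a failed connect.
        AWSMobileClient.getInstance().initialize(context, new Callback<UserStateDetails>() {
            @Override
            public void onResult(UserStateDetails details) {
                AWSCredentialsProvider provider = AWSMobileClient.getInstance();
                onConnected.onResult(manager.connectToDevice(device, statusCallback, provider, false));
            }

            @Override
            public void onError(Exception e) {
                onConnected.onError(e);
            }
        });
    }

    /**
     * Keystore path from the PubSub sample: reuse a key pair already saved under CERT_ALIAS,
     * otherwise request one from AWS IoT and persist it in the app-private keystore file.
     * Blocks on network I/O; call from a background thread.
     */
    public static AmazonFreeRTOSDevice connectWithKeystore(Context context,
                                                           AmazonFreeRTOSManager manager,
                                                           BluetoothDevice device,
                                                           BleConnectionStatusCallback statusCallback,
                                                           AWSCredentialsProvider bootstrapProvider,
                                                           String keystorePassword) {
        String keystorePath = context.getFilesDir().getPath();   // app-private storage, not external storage

        boolean haveKeys = AWSIotKeystoreHelper.isKeystorePresent(keystorePath, KEYSTORE_NAME)
                && AWSIotKeystoreHelper.keystoreContainsAlias(CERT_ALIAS, keystorePath, KEYSTORE_NAME, keystorePassword);

        if (!haveKeys) {
            Log.i(TAG, "No key pair under alias " + CERT_ALIAS + ", requesting one from AWS IoT");
            AWSIotClient iot = new AWSIotClient(bootstrapProvider);
            iot.setRegion(Region.getRegion(IOT_REGION));

            CreateKeysAndCertificateRequest request = new CreateKeysAndCertificateRequest();
            request.setSetAsActive(true);
            CreateKeysAndCertificateResult result = iot.createKeysAndCertificate(request);

            // Persist under our alias; from here on the private key is only read back through the keystore.
            AWSIotKeystoreHelper.saveCertificateAndPrivateKey(
                    CERT_ALIAS,
                    result.getCertificatePem(),
                    result.getKeyPair().getPrivateKey(),
                    keystorePath, KEYSTORE_NAME, keystorePassword);
            Log.i(TAG, "Saved certificate " + result.getCertificateId());
        }

        KeyStore keyStore = AWSIotKeystoreHelper.getIotKeystore(CERT_ALIAS, keystorePath, KEYSTORE_NAME, keystorePassword);
        return manager.connectToDevice(device, statusCallback, keyStore, false);
    }
}
```

Two practical points follow from the keystore branch. A certificate returned by createKeysAndCertificate() has no IoT policy attached, so until one is attached (the PubSub sample does this in a separate call) it authenticates but cannot authorize any MQTT action; and the keystore password is the only thing protecting the private key on disk, so it should come from a secret the app derives or stores securely rather than a string constant. These are the costs that the Cognito path above avoids, which is why the thread recommends it.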

Darsh-Dev commented 4 years ago

hi @ravibhagavandas ,

> You can find a sample of how to create keys and load them from keystore using AwsIoTkeystoreHelper class here: https://github.com/awslabs/aws-sdk-android-samples/blob/main/AndroidPubSub/src/com/amazonaws/demo/androidpubsub/PubSubActivity.java#L203

I can't open this link (page not found).

I would like to use the keystore instead of the Cognito-based solution. Can you please share the steps/document?

ravibhagavandas commented 4 years ago

For security reasons we now recommend always using Cognito instead of creating certificates/private keys for mobile apps. All of our current examples recommend using Cognito as the means to authenticate a websocket connection to AWS IoT. You can get more details on Cognito authentication from the demo in this repository.

Please note the keystore helper class and related files have been moved under the aws_amplify repository here.

Darsh-Dev commented 4 years ago

@ravibhagavandas I would like to check the device certificate blacklist, whitelist, revocation and OCSP stapling features of the BLE end node device. Can we achieve similar features using a Cognito-based solution?

ravibhagavandas commented 4 years ago

Could you elaborate more on your use case? By BLE end node device, do you mean that the end microcontroller device owns the certificate? If so, I am not sure how a certificate on the mobile app can help with this. Cognito uses user name and password based authentication to create short-lived tokens (more details here), hence you don't need to handle certificates, blacklisting/revocation, etc.

Darsh-Dev commented 4 years ago

We have used the Optiga TrustM HSM on the BLE-based end device. We have added mutual authentication and data encrypt/decrypt functionality and it's working. Now we would like to share the device certificate with the AWS cloud and need to validate the device certificate blacklist, whitelist, revocation and OCSP stapling features.

I want to understand how Cognito is more secure than a certificate-based model. How can we blacklist/revoke the BLE end device from the AWS cloud?

abhidixi11 commented 2 years ago

I'm closing this issue, please feel free to open a new one.