Open whyoleg opened 9 months ago
Any high level thoughts on how to do this until the library supports it?
Hey @eygraber, unfortunately, not at this point. I haven't really investigated this a lot, as there are a lot of questions and differences in behaviour on different OSes.
I'm investigating this, and got a good implementation on JVM.
Android is an issue because it doesn't allow you to export any Key that was added to the AndroidKeyStore. I tried creating my own KeyStore, and encrypt the password for it with a SecretKey from the AndroidKeyStore but that doesn't work since Android doesn't support JKS keystores and PKCS12 only allows PrivateKey not SecretKey.
Is there any way to add some interop there so it is easy to create Cipher from a JSecretKey directly? Otherwise I don't see a way to make this work with the AndroidKeyStore.
And right after I sent that I found that on Android the BKS KeyStore should work :sweat_smile:
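A worked example of the software-keystore approach discussed above, added here as an illustration; it is not code from this thread or from cryptography-kotlin. It uses only the JDK `KeyStore` API: PKCS12 accepts a `KeyStore.SecretKeyEntry` on the JDK, and the comment above reports BKS as the type that does on Android, so the store type is a parameter. The `FileBackedSecretKeyStore` class, the file name and the alias are assumptions made for the example.

```kotlin
import java.io.File
import java.security.KeyStore
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

// Hypothetical helper (not part of cryptography-kotlin): keeps a symmetric key in a
// password-protected software KeyStore file. "PKCS12" works for SecretKeyEntry on the JDK;
// the thread reports that on Android "BKS" is the type to use instead.
class FileBackedSecretKeyStore(
    private val file: File,
    private val password: CharArray,
    private val type: String = "PKCS12",
) {
    // Load the store from disk, or create an empty one if the file does not exist yet.
    private fun load(): KeyStore {
        val ks = KeyStore.getInstance(type)
        if (file.exists()) {
            // load() also verifies the store's integrity MAC with the password.
            file.inputStream().use { ks.load(it, password) }
        } else {
            ks.load(null, password)
        }
        return ks
    }

    // Store (or replace) a secret key under an alias and persist the store.
    fun put(alias: String, key: SecretKey) {
        val ks = load()
        ks.setEntry(alias, KeyStore.SecretKeyEntry(key), KeyStore.PasswordProtection(password))
        file.outputStream().use { ks.store(it, password) }
    }

    // Read a secret key back; returns null if the alias is absent or is not a secret key.
    fun get(alias: String): SecretKey? {
        val entry = load().getEntry(alias, KeyStore.PasswordProtection(password))
        return (entry as? KeyStore.SecretKeyEntry)?.secretKey
    }
}

fun main() {
    // Constructed sample: a fresh AES-256 key round-tripped through the keystore file.
    val store = FileBackedSecretKeyStore(File("keys.p12"), "store-password".toCharArray())
    val key = KeyGenerator.getInstance("AES").apply { init(256) }.generateKey()
    store.put("app-aes", key)

    val loaded = store.get("app-aes")
    check(loaded != null && loaded.encoded.contentEquals(key.encoded)) { "key did not round-trip" }
    println("round-tripped ${loaded.algorithm} key of ${loaded.encoded.size * 8} bits")
}
```

The weak point of this design is the store password: whoever can read it can read every key in the file. That is why the comment above proposes encrypting it with a non-exportable key from the AndroidKeyStore, so that the software keystore is only usable on the device that holds the wrapping key; the same wrapper is what an AndroidKeyStore `Cipher` would decrypt before calling `load`.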
Yeah, providing some interop functions for JDK APIs would be nice, though it's not a priority at the moment. Feel free to create an issue for that, and if you do want to contribute I would be glad to discuss design. Until then, you can take a look at Cipher implementations in JDK - they are really rather simple.
I have a working version abstracting this across Android, iOS, JVM, and web here. The web implementation unfortunately just stores the key in IndexedDB, so it should only be used in scenarios where there is implicit trust in the environment or there is reliance on external factors to maintain security (e.g. the browser won't be accessible unless the user has logged into their OS account).
Introduce an API for storing keys in JDK KeyStore, Apple KeyChain, SecureEnclave and other places.