keystore-decryptor
Question about USRPKEY and USRCERT
Hi Nikolay, Thanks for the great work! A few days ago I created a user certificate on startssl.com. Unfortunately I did it on my Android (4.4) tablet, and now I'm not able to export my cert and pkey to use them on other devices/computers. I started to "google" for a solution and finally found your post about keystore-decryptor. The problem is that it does not "dump" the certificate or private key itself. It only shows me information about the cert or pkey:
benzino@benzino-VirtualBox:~/Pobrane/Folder/keystore-decryptor-master$ java -jar build/libs/ksdecryptor-all.jar ../master ../1000_USRCERT_nowy+Pcertyfikat+Pstartssl 5524
Read 'master'
master key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Read '1000_USRCERT_nowy+Pcertyfikat+Pstartssl'
X509Certificate:
issuer: C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 1 Primary Intermediate Client CA
subject: [email protected],[email protected]
serial: 123456789
benzino@benzino-VirtualBox:~/Pobrane/Folder/keystore-decryptor-master$ java -jar build/libs/ksdecryptor-all.jar ../master ../1000_USRPKEY_nowy+Pcertyfikat+Pstartssl 5524
Read 'master'
master key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Read '1000_USRPKEY_nowy+Pcertyfikat+Pstartssl'
RSA private exponent: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy (2046)
RSA modulus: zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz (2048)
Is it possible to "dump" the pkey and cert so I can use them on other devices?
If the program displays the private exponent, you can recover the private key (this only works if the device doesn't have a hardware-backed keystore). Right now the program doesn't dump key files, but, depending on the format you need, it can be as easy as calling getEncoded() on the relevant object and writing the bytes to a file.
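The suggestion above, as an added example that is not part of the original thread or of the keystore-decryptor code: it rebuilds an RSA private key from a modulus and private exponent with the standard Java APIs, checks it against the matching public key, and writes the `getEncoded()` bytes out as PKCS#8 PEM. The class name `DumpRsaKey`, the helper names and the throwaway key used as sample input are assumptions.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.*;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.RSAPrivateKeySpec;
import java.util.Base64;

public class DumpRsaKey {
    // Rebuild a private key from the two values the tool prints (modulus n, private exponent d).
    // The key carries no CRT parameters, so consumers that insist on the full CRT form
    // may need it converted first.
    static PrivateKey fromModulusAndExponent(BigInteger n, BigInteger d) throws GeneralSecurityException {
        return KeyFactory.getInstance("RSA").generatePrivate(new RSAPrivateKeySpec(n, d));
    }

    // Wrap the DER bytes returned by getEncoded() in a PEM envelope.
    static String toPem(byte[] pkcs8Der) {
        String b64 = Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(pkcs8Der);
        return "-----BEGIN PRIVATE KEY-----\n" + b64 + "\n-----END PRIVATE KEY-----\n";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a throwaway key pair stands in for the values read from the keystore.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair sample = kpg.generateKeyPair();
        RSAPrivateCrtKey original = (RSAPrivateCrtKey) sample.getPrivate();

        PrivateKey rebuilt = fromModulusAndExponent(original.getModulus(), original.getPrivateExponent());

        // Sanity check: a signature made with the rebuilt key must verify under the public key.
        byte[] msg = "keystore export check".getBytes(StandardCharsets.UTF_8);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(rebuilt);
        sig.update(msg);
        byte[] signature = sig.sign();
        sig.initVerify(sample.getPublic());
        sig.update(msg);
        if (!sig.verify(signature)) throw new IllegalStateException("rebuilt key does not match public key");

        // The output is an unencrypted private key: keep the file private and delete it after import.
        Path out = Files.createTempFile("usrpkey-", ".pem");
        Files.write(out, toPem(rebuilt.getEncoded()).getBytes(StandardCharsets.US_ASCII));
        System.out.println(rebuilt.getFormat() + " key written to " + out);
    }
}
```

For the certificate, `X509Certificate.getEncoded()` returns the DER encoding, which can be written to a file the same way.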
Thanks for a quick reply! Well, it sounds (I think) pretty simple to someone who is familiar with Java coding. Maybe you can consider this as a "feature request" ;)
Hi Nelenkov,
I referred to the readme file for the command: java -jar ksdecryptor-all.jar
But my question is, where is "ksdecryptor-all.jar"? I could not find it within Keystore-decryptor-master.Zip.
I have downloaded and extracted the zip and performed a gradle build, and it's successful. I want to understand how to build this. Thanks in advance
@jasonmarsstatham after a successful build, the JAR is in the directory build/libs
@nelenkov You mention being able to extract the private key on devices that don't have a hardware-backed keystore. What about devices that do, but during keypair generation did not have KeyPairGenerator.setEncryptionRequired() set? Does this mean the private key is stored in clear in /data/misc/keystore/user_0/? If not, what is the purpose of setEncryptionRequired()? Android M documentation itself mentions that when the keypair is not encrypted, changing the device lock screen will no longer wipe out the keystore. Doesn't this suggest that in cases where the keypair is encrypted (presumably via setEncryptionRequired()) it's encrypted with a key stored within the TEE that's derived from, and/or accessed via the device lock credentials?