feat: react native wrapper for Android Keystore for creating cryptographic key paris and signing

Author: Derrick Mbarani

android/src/main/java/com/rnandroidkeystore/RnAndroidKeystoreModule.kt

@@ -1,12 +1,234 @@
 package com.rnandroidkeystore
 
+import android.os.Build
+import android.security.keystore.KeyGenParameterSpec
+import android.security.keystore.KeyInfo
+import android.security.keystore.KeyProperties
+import android.util.Base64
+import com.facebook.react.bridge.Arguments
+import com.facebook.react.bridge.Promise
 import com.facebook.react.bridge.ReactApplicationContext
+import java.nio.charset.StandardCharsets
+import java.security.KeyFactory
+import java.security.KeyPairGenerator
+import java.security.KeyStore
+import java.security.PrivateKey
+import java.security.PublicKey
+import java.security.Signature
+import java.security.spec.ECGenParameterSpec
 
 class RnAndroidKeystoreModule(reactContext: ReactApplicationContext) :
   NativeRnAndroidKeystoreSpec(reactContext) {
 
-  override fun multiply(a: Double, b: Double): Double {
-    return a * b
+  override fun getName() = NAME
+
+  override fun generateKeyPair(
+    alias: String,
+    algorithm: String,
+    keySize: Double,
+    hardwareBacked: Boolean,
+    userAuthenticationRequired: Boolean,
+    promise: Promise
+  ) {
+    try {
+      if (algorithm.uppercase() != "ECDSA") {
+        promise.resolve(errorResult("Unsupported algorithm: $algorithm"))
+        return
+      }
+
+      val keyStore = getKeyStore()
+      if (keyStore.containsAlias(alias)) {
+        val existingPublicKey = getPublicKeyFromAlias(alias)
+        if (existingPublicKey == null) {
+          promise.resolve(errorResult("Failed to load existing public key"))
+          return
+        }
+
+        promise.resolve(successResult().apply {
+          putString("publicKey", toPem(existingPublicKey))
+          putString("privateKey", alias)
+          putDouble("keySize", keySize)
+        })
+        return
+      }
+
+      createEcKeyPair(alias, userAuthenticationRequired, hardwareBacked)
+
+      val publicKey = getPublicKeyFromAlias(alias)
+      if (publicKey == null) {
+        promise.resolve(errorResult("Failed to retrieve generated public key"))
+        return
+      }
+
+      promise.resolve(successResult().apply {
+        putString("publicKey", toPem(publicKey))
+        putString("privateKey", alias)
+        putDouble("keySize", keySize)
+      })
+    } catch (error: Exception) {
+      promise.reject("GENERATE_KEY_PAIR_ERROR", error.message, error)
+    }
+  }
+
+  override fun getPublicKeyPEM(alias: String, promise: Promise) {
+    try {
+      val publicKey = getPublicKeyFromAlias(alias)
+      if (publicKey == null) {
+        promise.resolve(errorResult("Key not found for alias: $alias"))
+        return
+      }
+
+      promise.resolve(successResult().apply {
+        putString("publicKeyPEM", toPem(publicKey))
+      })
+    } catch (error: Exception) {
+      promise.reject("GET_PUBLIC_KEY_ERROR", error.message, error)
+    }
+  }
+
+  override fun sign(alias: String, payload: String, algorithm: String, promise: Promise) {
+    try {
+      val keyStore = getKeyStore()
+      val key = keyStore.getKey(alias, null) as? PrivateKey
+      if (key == null) {
+        promise.resolve(errorResult("Private key not found for alias: $alias"))
+        return
+      }
+
+      val signature = Signature.getInstance(algorithm)
+      signature.initSign(key)
+      signature.update(payload.toByteArray(StandardCharsets.UTF_8))
+
+      val signedBytes = signature.sign()
+      val encodedSignature = Base64.encodeToString(signedBytes, Base64.NO_WRAP)
+
+      promise.resolve(successResult().apply {
+        putString("signature", encodedSignature)
+      })
+    } catch (error: Exception) {
+      promise.reject("SIGN_ERROR", error.message, error)
+    }
+  }
+
+  override fun deleteKey(alias: String, promise: Promise) {
+    try {
+      val keyStore = getKeyStore()
+      if (keyStore.containsAlias(alias)) {
+        keyStore.deleteEntry(alias)
+      }
+
+      promise.resolve(successResult())
+    } catch (error: Exception) {
+      promise.reject("DELETE_KEY_ERROR", error.message, error)
+    }
+  }
+
+  override fun keyExists(alias: String, promise: Promise) {
+    try {
+      val keyStore = getKeyStore()
+      val result = Arguments.createMap().apply {
+        putBoolean("success", true)
+        putBoolean("exists", keyStore.containsAlias(alias))
+      }
+      promise.resolve(result)
+    } catch (error: Exception) {
+      val result = Arguments.createMap().apply {
+        putBoolean("success", false)
+        putBoolean("exists", false)
+      }
+      promise.resolve(result)
+    }
+  }
+
+  override fun isHardwareBackedKeystoreAvailable(promise: Promise) {
+    val tempAlias = "android_hw_check_${System.currentTimeMillis()}"
+    try {
+      createEcKeyPair(tempAlias, userAuthenticationRequired = false, hardwareBacked = false)
+
+      val keyStore = getKeyStore()
+      val key = keyStore.getKey(tempAlias, null) as? PrivateKey
+      if (key == null) {
+        promise.resolve(Arguments.createMap().apply { putBoolean("available", false) })
+        return
+      }
+
+      val keyFactory = KeyFactory.getInstance(key.algorithm, "AndroidKeyStore")
+      val keyInfo = keyFactory.getKeySpec(key, KeyInfo::class.java) as KeyInfo
+      val isHardwareBacked = keyInfo.isInsideSecureHardware
+
+      promise.resolve(Arguments.createMap().apply {
+        putBoolean("available", isHardwareBacked)
+      })
+    } catch (_: Exception) {
+      promise.resolve(Arguments.createMap().apply {
+        putBoolean("available", false)
+      })
+    } finally {
+      try {
+        val keyStore = getKeyStore()
+        if (keyStore.containsAlias(tempAlias)) {
+          keyStore.deleteEntry(tempAlias)
+        }
+      } catch (_: Exception) {
+      }
+    }
+  }
+
+  private fun createEcKeyPair(alias: String, userAuthenticationRequired: Boolean, hardwareBacked: Boolean) {
+    try {
+      createEcKeyPairInternal(alias, userAuthenticationRequired, hardwareBacked)
+    } catch (error: Exception) {
+      if (hardwareBacked) {
+        createEcKeyPairInternal(alias, userAuthenticationRequired, false)
+      } else {
+        throw error
+      }
+    }
+  }
+
+  private fun createEcKeyPairInternal(alias: String, userAuthenticationRequired: Boolean, hardwareBacked: Boolean) {
+    val keyPairGenerator = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore")
+
+    val builder = KeyGenParameterSpec.Builder(
+      alias,
+      KeyProperties.PURPOSE_SIGN or KeyProperties.PURPOSE_VERIFY,
+    )
+      .setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1"))
+      .setDigests(KeyProperties.DIGEST_SHA256)
+      .setUserAuthenticationRequired(userAuthenticationRequired)
+
+    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P && hardwareBacked) {
+      builder.setIsStrongBoxBacked(true)
+    }
+
+    keyPairGenerator.initialize(builder.build())
+    keyPairGenerator.generateKeyPair()
+  }
+
+  private fun getPublicKeyFromAlias(alias: String): PublicKey? {
+    val keyStore = getKeyStore()
+    val certificate = keyStore.getCertificate(alias) ?: return null
+    return certificate.publicKey
+  }
+
+  private fun toPem(publicKey: PublicKey): String {
+    val base64 = Base64.encodeToString(publicKey.encoded, Base64.NO_WRAP)
+    return "-----BEGIN PUBLIC KEY-----\n$base64\n-----END PUBLIC KEY-----"
+  }
+
+  private fun getKeyStore(): KeyStore {
+    val keyStore = KeyStore.getInstance("AndroidKeyStore")
+    keyStore.load(null)
+    return keyStore
+  }
+
+  private fun successResult() = Arguments.createMap().apply {
+    putBoolean("success", true)
+  }
+
+  private fun errorResult(message: String) = Arguments.createMap().apply {
+    putBoolean("success", false)
+    putString("error", message)
   }
 
   companion object {

example/src/App.tsx

@@ -1,12 +1,39 @@
+import { useEffect, useState } from 'react';
 import { Text, View, StyleSheet } from 'react-native';
-import { multiply } from 'rn-android-keystore';
-
-const result = multiply(3, 7);
+import * as k from 'rn-android-keystore';
 
 export default function App() {
+  const [hardwareBacked, setHardwareBacked] = useState<boolean | null>(null);
+  const [keypair, setKeypair] = useState<{
+    publicKey: string;
+    privateKey: string;
+  } | null>(null);
+
+  useEffect(() => {
+    (async () => {
+      const isHardwareBacked = await k.isHardwareBackedKeystoreAvailable();
+      setHardwareBacked(isHardwareBacked);
+
+      const keypairResponse = await k.getOrCreateKeyPair();
+      setKeypair(keypairResponse);
+    })();
+  }, []);
+
   return (
     <View style={styles.container}>
-      <Text>Result: {result}</Text>
+      <Text>
+        Hardware-backed Keystore Available: {hardwareBacked ? 'Yes' : 'No'}
+      </Text>
+      <Text>Public Key: {keypair?.publicKey}</Text>
+      <Text>Private Key: {keypair?.privateKey}</Text>
+      <View style={styles.methodsContainer}>
+        <Text>Android Keystore Methods</Text>
+        <View style={styles.methodsList}>
+          {Object.keys(k).map((v) => (
+            <Text key={v}>* {v}</Text>
+          ))}
+        </View>
+      </View>
     </View>
   );
 }
@@ -17,4 +44,10 @@ const styles = StyleSheet.create({
     alignItems: 'center',
     justifyContent: 'center',
   },
+  methodsContainer: {
+    marginTop: 16,
+  },
+  methodsList: {
+    marginTop: 8,
+  },
 });

src/NativeRnAndroidKeystore.ts

@@ -1,7 +1,45 @@
 import { TurboModuleRegistry, type TurboModule } from 'react-native';
 
 export interface Spec extends TurboModule {
-  multiply(a: number, b: number): number;
+  generateKeyPair(
+    alias: string,
+    algorithm: string,
+    keySize: number,
+    hardwareBacked: boolean,
+    userAuthenticationRequired: boolean
+  ): Promise<{
+    success: boolean;
+    error?: string;
+    publicKey?: string;
+    privateKey?: string;
+    keySize?: number;
+  }>;
+  getPublicKeyPEM(alias: string): Promise<{
+    success: boolean;
+    error?: string;
+    publicKeyPEM?: string;
+  }>;
+  sign(
+    alias: string,
+    payload: string,
+    algorithm: string
+  ): Promise<{
+    success: boolean;
+    error?: string;
+    signature?: string;
+  }>;
+  deleteKey(alias: string): Promise<{
+    success: boolean;
+    error?: string;
+  }>;
+  keyExists(alias: string): Promise<{
+    success: boolean;
+    exists: boolean;
+  }>;
+  isHardwareBackedKeystoreAvailable(): Promise<{
+    success: boolean;
+    available: boolean;
+  }>;
 }
 
 export default TurboModuleRegistry.getEnforcing<Spec>('RnAndroidKeystore');