Should I Set “CertificateNotAfter” when Specifying KeyGenParameterSpec

Issue

This Content is from Stack Overflow. Question asked by Mycotina

In Android, I’m trying to generate an AES key which I will store within AndroidKeystore. The key itself will be used to encrypt some data at rest.

I’m following this GitHub snippet as a reference:

Android-encryption-sample

import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties

val keyGenParameterSpec = KeyGenParameterSpec.Builder(
        KEY_ALIAS,
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
    .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
    //.setUserAuthenticationRequired(true) // requires lock screen, invalidated if lock screen is disabled
    //.setUserAuthenticationValidityDurationSeconds(120) // only available x seconds from password authentication. -1 requires fingerprint - every time
    //.setKeySize(256) // Set key size
    // To set certificate values instead of manual initialization of the certificate
    //.setCertificateNotBefore(startDate) // By default, this date is Jan 1 1970.
    //.setCertificateNotAfter(endDate) // By default, this date is Jan 1 2048.
    //.setCertificateSerialNumber(number) // By default, the serial number is 1.
    //.setCertificateSubject(x500Principal) // By default, the subject is CN=fake.
    .setRandomizedEncryptionRequired(true) // yields a different ciphertext for the same plaintext on each call
    .build()

The code of interest is shown in the previous code block. As we can see, there is a “setCertificateNotAfter()” method which can be called on the builder function. From what I know, it sets the expiry date for the certificate.

My question is, for my use case, is it important to provide an expiry date? What will happen after the expiry date is exceeded? Will I be unable to encrypt/decrypt with the key anymore?

Thanks.
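
The following is an added example, not part of the question or of the linked sample: it generates an AES key in AndroidKeyStore and keeps the certificate setters apart from the key-validity setters, which are what bound how long a key can be used. The alias and the function names are assumptions made for illustration.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyStore
import java.util.Date
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

private const val KEY_ALIAS = "example_aes_key" // hypothetical alias

// Generates an AES-256-GCM key. validUntil is optional: null means the key
// can be used for encryption indefinitely.
fun generateAesKey(validUntil: Date? = null): SecretKey {
    val builder = KeyGenParameterSpec.Builder(
            KEY_ALIAS,
            KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .setRandomizedEncryptionRequired(true)
    // The setCertificate*() setters describe the self-signed certificate
    // issued for a generated key *pair*. A symmetric AES key has no
    // certificate, so they are left out here. Key expiry is a separate setting.
    if (validUntil != null) {
        // Refuse new encryptions after validUntil while still allowing
        // decryption of data that was encrypted earlier.
        builder.setKeyValidityForOriginationEnd(validUntil)
    }
    val generator = KeyGenerator.getInstance(
        KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
    generator.init(builder.build())
    return generator.generateKey()
}

// Reports whether the keystore holds a certificate for the alias
// (expected to be false for a secret-key entry).
fun hasCertificate(alias: String = KEY_ALIAS): Boolean {
    val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    return keyStore.getCertificate(alias) != null
}

// Encrypts with a keystore-generated IV and returns (iv, ciphertext).
fun encrypt(key: SecretKey, plaintext: ByteArray): Pair<ByteArray, ByteArray> {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    // init() throws KeyExpiredException once the origination end has passed.
    cipher.init(Cipher.ENCRYPT_MODE, key)
    return cipher.iv to cipher.doFinal(plaintext)
}
```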




This Question and Answer are collected from stackoverflow and tested by JTuto community, is licensed under the terms of CC BY-SA 2.5. - CC BY-SA 3.0. - CC BY-SA 4.0.
