어제, 오늘 그리고 내일

java.security.KeyStoreException: entries cannot be protected with passwords

     at android.security.keystore.AndroidKeyStoreSpi.engineSetKeyEntry(AndroidKeyStoreSpi.java:308)

     at java.security.KeyStore.setKeyEntry(KeyStore.java:1179)

Apparently despite the fact that the method takes a password parameter, the AndroidKeystoreimplementation does not support this, take a look at line 200 in the source.

In any case, a password, whether strong or weak that is stored anywhere on the device is unsafe. This is especially true of source code (including source code in general, non-android contexts). If I get my hands on your app's APK, I can use one of several excellent APK analysis tools to access the class's constant pool, which will contain the password in plain text. No amount of obfuscation could prevent this, or even make it more difficult. This is perhaps the reason that the AndroidKeystoreimplementation doesn't allow this.

The whole point of the key store service on android device (it's actually implemented as a separate process you can talk to via a unix socket) is to protect access to sensitive material by requiring a users passcode to unlock it, so there's no point in putting a password on your key pairs or other secrets.. In more recent phones, this is all implmented in hardware, which provides very strong security.