Search code examples

java.lang.IllegalArgumentException: bad base-64 when decrypting string

I am trying to encrypt a string using the KeyStore and used this post as reference.

KeyPairGeneratorSpec replacement with KeyGenParameterSpec.Builder equivalents - Keystore operation failed

yet, I keep getting this "bad base-64" when I decrypt the string. I am not understanding exactly how to fix this. I understand that the encrypted string contains characters that the decryptor does not know. But I don't understand the fix.

I saw some posts like those, but did not help much since there is no code on the answers.

java.lang.IllegalArgumentException: bad base-64

This is a snipped of my the test code, can someone show me how I decrpyt my string?

Cipher inCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding", "AndroidOpenSSL");
inCipher.init(Cipher.ENCRYPT_MODE, publicKey);

Cipher outCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding", "AndroidOpenSSL");
outCipher.init(Cipher.DECRYPT_MODE, privateKey);

ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
CipherOutputStream cipherOutputStream = new CipherOutputStream(
        outputStream, inCipher);

String ecryptedText = outputStream.toString();
Log.d(TAG, "Encrypt = " + ecryptedText);

String cipherText = ecryptedText;
CipherInputStream cipherInputStream = new CipherInputStream(
        new ByteArrayInputStream(Base64.decode(cipherText, Base64.DEFAULT)), outCipher);
ArrayList<Byte> values = new ArrayList<>();
int nextByte;
while ((nextByte = != -1) {

byte[] bytes = new byte[values.size()];
for(int i = 0; i < bytes.length; i++) {
    bytes[i] = values.get(i).byteValue();

String finalText = new String(bytes, 0, bytes.length, "UTF-8");
Log.d(TAG, "Decrypt = " + ecryptedText);


  • Here is a working example on how you can use Android KeyStore to Encrypt/Decrypt memory strings by using ByteArrayOutputStream and ByteArrayInputStream. Notice the provider change, for >= 6 use "AndroidKeyStoreBCWorkaround" and for older versions use "AndroidOpenSSL". Also, you have to encode the encrypted data to Base64 string using Base64.encodeToString like this:

    String ecryptedText = Base64.encodeToString(outputStream.toByteArray(), Base64.DEFAULT);

    My final working example based on your code

    try {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
                new KeyGenParameterSpec.Builder(
                        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
        KeyPair keyPair = keyPairGenerator.generateKeyPair();
        // error in android 6: InvalidKeyException: Need RSA private or public key AndroidOpenSSL
        // error in android 5: NoSuchProviderException: Provider not available: AndroidKeyStoreBCWorkaround
        String provider = Build.VERSION.SDK_INT < Build.VERSION_CODES.M ? "AndroidOpenSSL" : "AndroidKeyStoreBCWorkaround";
        Cipher inCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding", provider);
        inCipher.init(Cipher.ENCRYPT_MODE, keyPair.getPublic());
        Cipher outCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding", provider);
        outCipher.init(Cipher.DECRYPT_MODE, keyPair.getPrivate());
        ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
        CipherOutputStream cipherOutputStream = new CipherOutputStream(
                outputStream, inCipher);
        String plainText = "This is a text";
        String ecryptedText = Base64.encodeToString(outputStream.toByteArray(), Base64.DEFAULT);
        Log.d(TAG, "Encrypt = " + ecryptedText);
        String cipherText = ecryptedText;
        CipherInputStream cipherInputStream = new CipherInputStream(
                new ByteArrayInputStream(Base64.decode(cipherText, Base64.DEFAULT)), outCipher);
        ArrayList<Byte> values = new ArrayList<>();
        int nextByte;
        while ((nextByte = != -1) {
        byte[] bytes = new byte[values.size()];
        for(int i = 0; i < bytes.length; i++) {
            bytes[i] = values.get(i).byteValue();
        String finalText = new String(bytes, 0, bytes.length, "UTF-8");
        Log.d(TAG, "Decrypt = " + finalText);
    } catch (javax.crypto.NoSuchPaddingException e) {
        Log.e(TAG, Log.getStackTraceString(e));
    } catch (IOException e) {
        Log.e(TAG, Log.getStackTraceString(e));
    } catch (NoSuchAlgorithmException e) {
        Log.e(TAG, Log.getStackTraceString(e));
    } catch (NoSuchProviderException e) {
        Log.e(TAG, Log.getStackTraceString(e));
    } catch (InvalidAlgorithmParameterException e) {
        Log.e(TAG, Log.getStackTraceString(e));
    } catch (InvalidKeyException e) {
        Log.e(TAG, Log.getStackTraceString(e));
    } catch (UnsupportedOperationException e) {
        Log.e(TAG, Log.getStackTraceString(e));


    D/MainActivity: Encrypt = rejkfeas3HgYnZOlC4S/R3KvlMTyiBjr5T6LqWGj9bq6nvpM0KBsoeYtr4OdCLITFX5GojuO4VpB
    D/MainActivity: Decrypt = This is a text

    Android Studio Output


    For Android API 19, you just have to use the previous KeyStore API KeyPairGeneratorSpec instead of KeyGenParameterSpec like this:

    try {
        Calendar start = Calendar.getInstance();
        Calendar end = Calendar.getInstance();
        end.add(Calendar.YEAR, 1);
        KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(this)
            .setSubject(new X500Principal("CN=Sample Name, O=Android Authority"))
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
        // error in android 6: InvalidKeyException: Need RSA private or public key AndroidOpenSSL
        // error in android 5: NoSuchProviderException: Provider not available: AndroidKeyStoreBCWorkaround
        String provider = Build.VERSION.SDK_INT < Build.VERSION_CODES.M ? "AndroidOpenSSL" : "AndroidKeyStoreBCWorkaround";
        KeyPair keyPair = generator.generateKeyPair();
        Cipher inCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding", provider);
        inCipher.init(Cipher.ENCRYPT_MODE, keyPair.getPublic());
        Cipher outCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding", provider);
        outCipher.init(Cipher.DECRYPT_MODE, keyPair.getPrivate());
        ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
        CipherOutputStream cipherOutputStream = new CipherOutputStream(
                outputStream, inCipher);
        String plainText = "This is a text";
        String ecryptedText = Base64.encodeToString(outputStream.toByteArray(), Base64.DEFAULT);
        Log.d(TAG, "Encrypt = " + ecryptedText);
        String cipherText = ecryptedText;
        CipherInputStream cipherInputStream = new CipherInputStream(
                new ByteArrayInputStream(Base64.decode(cipherText, Base64.DEFAULT)), outCipher);
        ArrayList<Byte> values = new ArrayList<>();
        int nextByte;
        while ((nextByte = != -1) {
        byte[] bytes = new byte[values.size()];
        for(int i = 0; i < bytes.length; i++) {
            bytes[i] = values.get(i).byteValue();
        String finalText = new String(bytes, 0, bytes.length, "UTF-8");
        Log.d(TAG, "Decrypt = " + finalText);
    } catch (javax.crypto.NoSuchPaddingException e) {
        Log.e(TAG, Log.getStackTraceString(e));
    } catch (IOException e) {
        Log.e(TAG, Log.getStackTraceString(e));
    } catch (NoSuchAlgorithmException e) {
        Log.e(TAG, Log.getStackTraceString(e));
    } catch (NoSuchProviderException e) {
        Log.e(TAG, Log.getStackTraceString(e));
    } catch (InvalidAlgorithmParameterException e) {
        Log.e(TAG, Log.getStackTraceString(e));
    } catch (InvalidKeyException e) {
        Log.e(TAG, Log.getStackTraceString(e));
    } catch (UnsupportedOperationException e) {
        Log.e(TAG, Log.getStackTraceString(e));