-
Notifications
You must be signed in to change notification settings - Fork 140
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
JCE Provider Addition #27
Comments
Thanks for reporting this @hf. The docs were updated to use Although it's convenient to some users to have SpongyCastle attempt to take over all JCE operations (especially when they're using 3rd party libraries that blindly call JCE functions without allowing specification of the provider), I agree that in general it's probably safest to activate SpongyCastle explicitly with the "SC" provider argument.
I can guess that might be the case, but could you provide a quick explanation, or links to references, of what the issues are? |
If you want to use the AndroidKeyStore mechanism to use device-secured keys (self-signed RSA certificates) then the certificate generation, as documented, fails at least on Android 4.4.2 with SpongyCastle specific exceptions. I'm guessing that in the background, the AndroidKeyStore KeyPairGenerator uses an internal RSA KeyPairGenerator. Instead of using AndroidOpenSSL or some other (device specific) provider, it resolves the SpongyCastle provider and it's RSA KeyPairGenerator. Then, when the AndroidKeyStore tries to securely store the private exponent of the RSA key, SpongyCastle's private key implementation throws an exception. Here is a snippet of the exception on Android 4.4.2.
Again, this is not a bug in SpongyCastle, but rather in the AndroidKeyStore implementations. The problem can be solved as described in the initial report. Something similar also happens when using the Fingerprint API, but the problems there can be alleviated if you specify the undocumented Android JCE providers for the fingerprinting. The issue rtyley/spongycastle-old#10 is also not a bug in SpongyCastle, but improper use of the JCE provider architecture. This is why I'm suggesting that people must explicitly use the SC provider by name, if they require SpongyCastle-specific algorithms. I think this should be noted on the website. This is a very big problem since third-party libraries that use SpongyCastle internally use it as specified, and the problem is not able to be overcome unless the library changes the insert position. |
This is not really a bug, but is a problem in the way that the website for SpongyCastle advises users to add the JCE provider.
Currently, the website advertises:
As the method to use SpongyCastle.
Please change it to:
The advertised method creates issues by using the Android Key Store on API 18 and up, and sometimes creates issues with the Fingerprint APIs on some devices on API 23 and up.
Also, please inform the user on explicitly using the "SC" provider for all SpongyCastle cryptographic operations, instead of relying on the provider ordering and resolution.
The text was updated successfully, but these errors were encountered: