On Thu, Jul 5, 2012 at 9:26 PM, H <[email protected]> wrote:
> Hi, been seeing some ACRA reports from users on Jelly Bean when my app runs
> the LVL code.
>
> In the LicenseValidator.verify() method, I perform this twice:
>
> sig.verify(Base64.decode(signature))
>
...
> Caused by: java.lang.NullPointerException
> at org.apache.harmony.xnet.provider.jsse.NativeCrypto.EVP_VerifyFinal(Native Method)
> at org.apache.harmony.xnet.provider.jsse.OpenSSLSignature.engineVerify(OpenSSLSignature.java:240)
> ... 7 more
>
> Does anyone know if the implementation of Signature or the underlying
> classes has changed..? I'm guessing that since the first check works and the
> second fails, can you now only perform one verify() on a signature and after
> that, the object is no longer valid to be verified again()..?
>
Yes, it has changed. In JB, the OpenSSL-based provider has been extended to support RSA keys and RSA signatures (SHA1withRSA, etc.). Additionally, this is now the default, so the signature verification code that previously was using the Java crypto provider (BouncyCastle) is now calling the native one (cf. NativeCrypto.EVP_VerifyFinal -- that's a wrapper for an OpenSSL function). This has presumably been done for better performance, but there seem to be a few bugs; I've been getting crashes here and there too. Changing

Signature.getInstance("SHA1withRSA")

to

Signature.getInstance("SHA1withRSA", "BC")

should make it work as before, but do some testing to be sure.
--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
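
Added example, not part of the original thread and not LVL code: a self-contained sketch of the provider pinning suggested in the reply, where every check calls initVerify() and update() again instead of relying on state left over from an earlier verify(). The class name, the helpers newVerifier and verifyOnce, the fallback to the default provider, and the sample response string are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class ProviderPinnedVerify {
    // Prefer the named provider ("BC" is the one suggested in the reply);
    // fall back to the platform default when it is not installed.
    static Signature newVerifier(String preferredProvider) throws GeneralSecurityException {
        try {
            return Signature.getInstance("SHA1withRSA", preferredProvider);
        } catch (NoSuchProviderException | NoSuchAlgorithmException e) {
            return Signature.getInstance("SHA1withRSA");
        }
    }

    // One complete check: initialize, feed the signed data, verify.
    static boolean verifyOnce(Signature sig, PublicKey key, byte[] data, byte[] signature)
            throws GeneralSecurityException {
        sig.initVerify(key);
        sig.update(data);
        try {
            return sig.verify(signature);
        } catch (SignatureException e) {
            return false; // malformed signature bytes count as a failed check
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: throwaway key pair and a made-up response string.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] data = "0|12345|com.example.app|1|user|1341523560000"
                .getBytes(StandardCharsets.UTF_8);

        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(data);
        byte[] signature = signer.sign();

        Signature verifier = newVerifier("BC");
        System.out.println("provider: " + verifier.getProvider().getName());
        // Each check re-initializes the object and re-feeds the data.
        System.out.println("first:    " + verifyOnce(verifier, kp.getPublic(), data, signature));
        System.out.println("second:   " + verifyOnce(verifier, kp.getPublic(), data, signature));
        byte[] tampered = data.clone();
        tampered[0] ^= 1; // flip one bit so the signature no longer matches
        System.out.println("tampered: " + verifyOnce(verifier, kp.getPublic(), tampered, signature));
    }
}
```

Printing the provider name shows which implementation actually handled the check, which is worth logging when crash reports differ between Android versions.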