There is a problem in 4.1 with apps that need to create a signature using a 
private key in the KeyChain.  In particular, apps that establish SSL client 
sessions (such as OpenVPN) would use code such as this to allow an SSL 
negotiation to use a client cert/key from the keychain:

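import android.security.KeyChain;
import java.security.PrivateKey;
import javax.crypto.Cipher;

. . .

// Fetch the private key stored under the given alias in the system KeyChain.
PrivateKey privateKey = KeyChain.getPrivateKey(context, alias);
if (privateKey != null) {
  byte[] data;  // bytes to be signed (assigned elsewhere)
  // "Encrypting" with the private key yields a raw PKCS#1 v1.5 RSA signature.
  Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1PADDING");
  cipher.init(Cipher.ENCRYPT_MODE, privateKey);
  byte[] signed_bytes = cipher.doFinal(data);
}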

This code now fails badly on 4.1 (testing on Nexus 7) even though 
KeyChain.getPrivateKey returns a non-null value for privateKey.  It not 
only fails to work, but causes a segfault later when privateKey is garbage 
collected.

There are essentially two problems here...

1. KeyChain.getPrivateKey(this, alias) returns an object that segfaults 
when collected by the GC.  The segfault occurs in RSA_free in libcrypto. 
 This is 100% reproducible for me on Nexus 7.  This behavior has been 
documented in other posts, e.g. 
http://code.google.com/p/android/issues/detail?id=36545

2. I understand that the new OpenSSL engine supports only signing, 
verifying and key import and that java.security.Signature is now the 
preferred class for obtaining an RSA signature.  That's fine, however the 
RSA signature used for verification of an SSL session is typically 
generated by the cipher object 
javax.crypto.Cipher.getInstance("RSA/ECB/PKCS1PADDING") acting as an 
encryptor.  Can java.security.Signature replicate this behavior?  This 
issue is also documented here: 
http://stackoverflow.com/questions/11261774/using-android-4-1-keychain
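
Added example, not part of the original post: on a standard JVM, java.security.Signature with the "NONEwithRSA" algorithm produces the same bytes as the Cipher-as-encryptor call above, because both apply PKCS#1 v1.5 block type 1 padding to the caller's data without hashing it. The class name, the generated test key and the sample input are constructed for illustration, and whether a KeyChain-backed key on 4.1 accepts this algorithm is an assumption that is not tested here.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Arrays;
import javax.crypto.Cipher;

public class RawRsaSignatureDemo {
    // Legacy path from the post: "encrypt" with the private key, which applies
    // PKCS#1 v1.5 block type 1 padding and the RSA private-key operation.
    static byte[] signWithCipher(PrivateKey key, byte[] data) throws Exception {
        Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return cipher.doFinal(data);
    }

    // Signature path: NONEwithRSA pads and signs the caller's bytes as-is,
    // without hashing them or wrapping them in a DigestInfo structure.
    static byte[] signWithSignature(PrivateKey key, byte[] data) throws Exception {
        Signature sig = Signature.getInstance("NONEwithRSA");
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }

    public static void main(String[] args) throws Exception {
        // Constructed test key; on Android the key would come from KeyChain.getPrivateKey.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair pair = kpg.generateKeyPair();

        // Constructed 36-byte input, the size of the MD5 || SHA-1 handshake hash
        // that TLS 1.0/1.1 client authentication signs.
        byte[] data = new byte[36];
        Arrays.fill(data, (byte) 0x5a);

        byte[] viaCipher = signWithCipher(pair.getPrivate(), data);
        byte[] viaSignature = signWithSignature(pair.getPrivate(), data);
        System.out.println("identical output: " + MessageDigest.isEqual(viaCipher, viaSignature));

        // The peer verifies the raw signature with the public key.
        Signature verifier = Signature.getInstance("NONEwithRSA");
        verifier.initVerify(pair.getPublic());
        verifier.update(data);
        System.out.println("verifies: " + verifier.verify(viaSignature));
    }
}
```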
