Brian, thank you for the clarification regarding the 4.1 changes.

My goal is to use a private key from KeyChain to do SSL client
authentication using OpenSSL. In my app I statically link with my own
version of OpenSSL 1.0.1c in the JNI shared library. The OpenSSL build is
basically a Jellybean version with some additional patches.

In Jellybean a new OpenSSL engine "keystore" was introduced, which can
interact with KeyChain. In my JNI module I'm trying to load "keystore"
engine dynamically into my OpenSSL library. Here is the code snippet:


   #include <openssl/ssl.h>
   #include <openssl/err.h>
   #include <openssl/engine.h>

   SSL_load_error_strings();
   SSL_library_init();

   ENGINE_load_dynamic();   /* registers the "dynamic" engine that loads other engines by id */

   ENGINE *pKeystoreEngine = ENGINE_by_id("keystore");   /* NULL on failure; the error queue below explains why */

The problem is that ENGINE_by_id() fails with the following error:

error:260B606D:engine routines:DYNAMIC_LOAD:init failed, <my openssl
path>/openssl/openssl-1.0.1c/external/openssl/crypto/engine/eng_dyn.c ,521

error:2606A074:engine routines:ENGINE_by_id:no such engine, <my openssl
path>/openssl/openssl-1.0.1c/external/openssl/crypto/engine/eng_list.c ,417

The same code works fine if built in a separate native (non-JNI)
executable. Any ideas what could go wrong? I suspect the system's dynamically
loaded OpenSSL used by JCE may conflict with my own static version, but I'm not
sure exactly how.

I would appreciate any hint.

Thanks,
Andrew
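The two error lines above are in OpenSSL's ERR_print_errors() format, and the hex value after "error:" is a packed code whose fields record which library, function and reason were logged; in OpenSSL 1.0.x the split is 8 bits of library, 12 of function and 12 of reason (ERR_PACK in <openssl/err.h>; OpenSSL 3.0 dropped the function field). Reading them in order matters: ENGINE_by_id() first looks for a registered engine, then falls back to loading one through the "dynamic" engine, and reports "no such engine" only after that fallback has failed, so the first line, DYNAMIC_LOAD:init failed, is the one to chase. The program below is an added example, not code from this thread, that decodes such lines; it needs no OpenSSL headers, the numeric values it names for ENGINE_F_DYNAMIC_LOAD, ENGINE_F_ENGINE_BY_ID, ENGINE_R_INIT_FAILED and ENGINE_R_NO_SUCH_ENGINE are those from <openssl/engine.h> of OpenSSL 1.0.x, and its input lines are constructed from the output quoted above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Field layout of an OpenSSL 1.0.x packed error code, i.e. ERR_PACK() in
 * <openssl/err.h>:  lib (8 bits) | func (12 bits) | reason (12 bits).
 * OpenSSL 3.0 changed this layout, so the split is specific to the
 * 1.0.x/1.1.x line used in the thread. */
struct ossl_err {
    unsigned lib;
    unsigned func;
    unsigned reason;
};

/* Same split as ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON in 1.0.x. */
struct ossl_err ossl_unpack(unsigned long code) {
    struct ossl_err e;
    e.lib    = (unsigned)((code >> 24) & 0xff);
    e.func   = (unsigned)((code >> 12) & 0xfff);
    e.reason = (unsigned)(code & 0xfff);
    return e;
}

/* Extract the hex code from an ERR_print_errors() line such as
 * "error:260B606D:engine routines:DYNAMIC_LOAD:init failed".
 * Returns 0 (never a valid packed code) if the line is not in that format. */
unsigned long ossl_parse_line(const char *line) {
    const char *hex = line + 6;
    char *end;
    unsigned long code;
    if (strncmp(line, "error:", 6) != 0) return 0;
    code = strtoul(hex, &end, 16);
    if (end == hex || *end != ':') return 0;
    return code;
}

/* ENGINE library constants from <openssl/engine.h> (OpenSSL 1.0.x); only the
 * codes that occur in the thread's output are listed here. */
#define ERR_LIB_ENGINE 38
static const char *engine_func_name(unsigned f) {
    switch (f) {
    case 106: return "ENGINE_F_ENGINE_BY_ID";
    case 182: return "ENGINE_F_DYNAMIC_LOAD";
    default:  return "(function code not in this table)";
    }
}
static const char *engine_reason_name(unsigned r) {
    switch (r) {
    case 109: return "ENGINE_R_INIT_FAILED";    /* module's bind function returned 0 */
    case 116: return "ENGINE_R_NO_SUCH_ENGINE"; /* raised after the dynamic fallback failed */
    default:  return "(reason code not in this table)";
    }
}

/* Decode and print one line; returns the library number, or -1 if the
 * line could not be parsed. */
int ossl_explain(const char *line) {
    unsigned long code = ossl_parse_line(line);
    struct ossl_err e;
    if (code == 0) {
        printf("not an OpenSSL error line: %s\n", line);
        return -1;
    }
    e = ossl_unpack(code);
    printf("%08lX -> lib=%u func=%u reason=%u", code, e.lib, e.func, e.reason);
    if (e.lib == ERR_LIB_ENGINE)
        printf("  (%s / %s)", engine_func_name(e.func), engine_reason_name(e.reason));
    putchar('\n');
    return (int)e.lib;
}

int main(void) {
    /* Constructed input: the two lines quoted in the message above. */
    const char *lines[] = {
        "error:260B606D:engine routines:DYNAMIC_LOAD:init failed",
        "error:2606A074:engine routines:ENGINE_by_id:no such engine",
    };
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        ossl_explain(lines[i]);
    return 0;
}
```

Both codes decode to lib 38 (ERR_LIB_ENGINE). In 1.0.x's eng_dyn.c the INIT_FAILED reason is raised when the loaded module's bind function returns failure, so the next thing to look at is what that bind function does inside the JNI process, which fits the suspicion above that the engine's symbols may be resolving against the system libcrypto rather than the statically linked copy.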



On Mon, Oct 29, 2012 at 12:24 PM, Brian Carlstrom <[email protected]> wrote:

> On Fri, Oct 26, 2012 at 11:47 PM, Anders Rundgren
> <[email protected]> wrote:
> > I still haven't much of a clue on how "KeyChain" and "JCE" play together
> > or how you can generate keys for usage by "KeyChain".
>
> The PrivateKey's returned by KeyChain.getPrivateKey are meant to work
> with JCE. The one thing they don't guarantee to support in the long
> term is to getEncoded() to get the raw bytes. This worked in 4.0 as we
> still were based on the underlying private KeyStore implementation,
> but in 4.1 with initial support for hardware keystores, we disabled
> that which caused a few surprises. I believe 4.1.1 or 4.1.2 added
> additional provider support for using these keys.
>
> Currently the only way to get keys to the store is to install them
> from a PKCS#12 file or via the browser <keygen> tag support. We are
> looking at doing something better in the future, some of it may be
> lurking in AOSP code, I don't recall. :)
>
> Other resources below.
>
> -bri
>
> Blog post:
>
> http://android-developers.blogspot.com/2012/03/unifying-key-store-access-in-ics.html
>
> javadoc:
> http://developer.android.com/reference/android/security/KeyChain.html
>
> I'm also a fan of Nikolay Elenkov's posts such as:
> http://nelenkov.blogspot.com/2011/11/using-ics-keychain-api.html
>
> >
> > Regards,
> > Anders
> >
> >>
> >> since it was from this change
> >>
> >> Author: Elliott Hughes <[email protected]>
> >> Date:   Thu Jan 6 18:13:31 2011 -0800
> >>
> >>     Retire SecurityManager.
> >>
> >>     This change removes all the code that was calling getSecurityManager, and
> >>     removes all use of AccessController.doPrivileged. It also changes the
> >>     implementation of AccessController so it doesn't actually do anything; it's
> >>     only there for source-level compatibility.
> >>
> >>     Bug: 2585285
> >>     Change-Id: I1f0295a4f12bce0316d8073011d8593fee116f71
> >>
> >> -bri
> >>
> >> On Fri, Oct 26, 2012 at 3:24 PM, Anders Rundgren
> >> <[email protected]> wrote:
> >>> http://developer.android.com/reference/java/security/package-summary.html
> >>>
> >>> As of 2012-10-07 the page begins with:
> >>>
> >>>   "package java.security
> >>>    This package is for compatibility with legacy code only, and should
> >>>    not be used or expected to do anything useful."
> >>>
> >>>
> >>> Where is the recommended API that one can expect does something useful?
> >>>
> >>> Anders
> >>>
> >>> --
> >>> You received this message because you are subscribed to the Google
> >>> Groups "Android Security Discussions" group.
> >>> To post to this group, send email to [email protected].
> >>> To unsubscribe from this group, send email to [email protected].
> >>> For more options, visit this group at
> >>> http://groups.google.com/group/android-security-discuss?hl=en.
> >>>
> >>
> >
>
