From 4812563f68c87278af68309662433279d10f573e Mon Sep 17 00:00:00 2001 From: Alex Klyubin Date: Wed, 29 Apr 2015 13:16:30 -0700 Subject: AndroidKeyStore keys should not be handled by Bouncy Castle. Bouncy Castle JCA provider incorrectly declares that its Cipher, Mac, Signature, and KeyAgreement implementations accept arbitrary keys ( including AndroidKeyStore keys). As a result, when a Cipher, Mac, Signature, or KeyAgreement instance is requested from JCA without explicitly specifying the provider (which follows best practices) and then initialied with an AndroidKeyStore key, JCA chooses the BouncyCastle's implementation, which in turn blows up because it can't handle such keys. The workaround is to install Cipher, Mac, Signature, and KeyAgreement implementations backed by AndroidKeyStore as a higher-priority JCA provider than the Bouncy Castle one. This is achieved by splitting out the above implementations from AndroidKeyStoreProvider into AndroidKeyStoreBCWorkaroundProvider and installing the AndroidKeyStoreProvider at the usual priority (below Bouncy Castle) and the AndroidKeyStoreBCWorkaroundProvider at above Bouncy Castle priority. Bug: 20691708 Change-Id: I336464f4a49bc30c6845ddc4e84b07f4105424dd --- preloaded-classes | 1 + 1 file changed, 1 insertion(+) (limited to 'preloaded-classes') diff --git a/preloaded-classes b/preloaded-classes index c94623a..d2ed762 100644 --- a/preloaded-classes +++ b/preloaded-classes @@ -1152,6 +1152,7 @@ android.provider.Settings$SettingNotFoundException android.provider.Settings$System android.provider.Telephony$Mms android.renderscript.RenderScript +android.security.AndroidKeyStoreBCWorkaroundProvider android.security.AndroidKeyStoreProvider android.speech.tts.TextToSpeechService android.speech.tts.TextToSpeechService$SpeechItemV1 -- cgit v1.1