1.3.101.112 Signature not available #1265
Comments
if ("1.3.101.112".equals(publicKey.getAlgorithm())) {
Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME); // remove AOSP BC
Security.addProvider(new BouncyCastleProvider());
var factory = KeyFactory.getInstance("ED25519");
var encoded = new X509EncodedKeySpec(publicKey.getEncoded());
publicKey = factory.generatePublic(encoded);
}
cert.verify(publicKey);
Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME); // avoid next getCertificateChain failureNow I use this workaround, but it's too dirty |
|
aosp-mirror/platform_frameworks_base@51d7088 https://android-review.googlesource.com/c/platform/frameworks/base/+/2135614/comment/eac61ef5_23221905/ |
|
I think that comment is incorrect - Conscrypt doesn't implement Ed25519 (yet!). It sounds to me it is Android Keystore that is returning public keys with those types. Unfortunately currently the only way to verify those signatures will be via BC... It's a shame there's no way to install BC under a different name so you don't have to jump through those install/uninstall hoops. We have a patch for that on Android, I'll try and upstream it to BC. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://cs.android.com/android/platform/superproject/main/+/main:frameworks/base/keystore/java/android/security/keystore2/AndroidKeyStoreProvider.java;l=72
Android hardcodes that value (https://cs.android.com/android/platform/superproject/main/+/main:frameworks/base/keystore/java/android/security/keystore2/AndroidKeyStoreProvider.java;l=256), so I can't replace conscrypt with BC, but it can't be used to verify the certificate signature: 1.3.101.112 Signature not available
The text was updated successfully, but these errors were encountered: