> > > I understand that on 4.1, private keys might be offloaded to hardware, > but > > still the code above should work because it's not accessing the key > directly > > -- it is only performing an encrypt operation using the key. > > Not quite. You are feeding it to the Bouncy Castle provider, which knows > nothing about native keys and thus cannot use your key. I agree that it > should be better documented, but the new OpenSSL engine supports > only signing, verifying and key import. It should work if you use the > Signature class. The segfault sounds bad though, can you reproduce > it consistently? You might want to post this on android-security as well, > a lot of the Google people responsible for this seem to monitor it. >
Well, there's essentially two problems here... 1. KeyChain.getPrivateKey(this, alias) returns an object that segfaults when collected by the GC. The segfault occurs in RSA_free in libcrypto. This is 100% reproducible for me on Nexus 7. This behavior has been documented in other posts, e.g. http://code.google.com/p/android/issues/detail?id=36545 2. You say that the new OpenSSL engine supports only signing, verifying and key import. That's fine, but keep in mind that the RSA signature used for verification of an SSL session is typically generated by the cipher object javax.crypto.Cipher.getInstance("RSA/ECB/PKCS1PADDING") acting as an encryptor. Can java.security.Signature replicate this behavior? This issue is also documented here: http://stackoverflow.com/questions/11261774/using-android-4-1-keychain -- You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
