[aerogear-dev] AG Crypto, BouncyCastle...SpongyCastle...Android. Oh my!

[Bruno Oliveira]

Good morning everyone,

Yesterday we found an issue on AG Crypto, it just doesn't work with AG Android when you make use of the CryptoBox or try to generate a key pair. I would like to thank Sebastien, Passos and Summers for reporting and testing it.

The reason why it din't work is because AG Crypto make use of the APIs for GCM and Elliptic curves and has explicit calls to BouncyCastle. For example:

- BouncyCastle:

import org.bouncycastle.crypto.InvalidCipherTextException;
import org.bouncycastle.crypto.modes.AEADBlockCipher;
import org.bouncycastle.crypto.params.AEADParameters;
import org.bouncycastle.crypto.params.KeyParameter;

- SpongyCastle (on Android):

import org.spongycastle.crypto.InvalidCipherTextException;
import org.spongycastle.crypto.modes.AEADBlockCipher;
import org.spongycastle.crypto.params.AEADParameters;
import org.spongycastle.crypto.params.KeyParameter;

This is all because Google made us a favor (https://code.google.com/p/android/issues/detail?id=3280). More details about SpongyCastle here: http://rtyley.github.io/spongycastle/

To understand the issue and reproduce the following stacktrace (https://gist.github.com/secondsun/225a3698ab83f4d077bc). Follow these steps:

- Get the staging url https://repository.jboss.org/nexus/content/repositories/jboss_releases_staging_profile-2817
- Get the following PR https://github.com/aerogear/aerogear-android/pull/140
- Run the integration tests (https://github.com/aerogear/aerogear-android-integration-tests) with AG Crypto 0.1.3

Why that never happened before? The key pair and CryptoBox was not being used on Android.

Possible solution:

Since yesterday I was thinking about a possible solution, a dirty idea of factory to providers came to my mind but the number of wrappers would make the whole API impractical. Chatting with qmx, he suggested to me http://maven.apache.org/plugins/maven-shade-plugin/ (Thanks bro).

The whole idea is to have a profile specific for Android, please see my PR (https://github.com/aerogear/aerogear-crypto-java/pull/22) into this way we will have a jar being generated specifically for mobile devices.

What will change for Android?

- You don't need to specify a gazillion of dependencies anymore (https://github.com/aerogear/aerogear-android/pull/141/files#diff-600376dffeb79835ede4a0b285078036R136)

- Is necessary to specify the classifier (https://github.com/aerogear/aerogear-android/pull/141/files#diff-600376dffeb79835ede4a0b285078036R135)

- The code duplication was removed (https://github.com/aerogear/aerogear-android/pull/141/files#diff-55ea76a676297e3a3ea9cd7e0f5d7e34R113)

If you want to test it, run the integration tests (https://github.com/aerogear/aerogear-android-integration-tests/pull/26). One test was intentionally skipped (https://github.com/abstractj/aerogear-android-integration-tests/commit/f114b46e5f518d912176f6746ec914e13f565c22). I'm still investigating.

Arms are welcome.


-- 
abstractj