Good morning everyone,
Yesterday we found an issue on AG Crypto: it just doesn't work with AG Android when
you make use of the CryptoBox or try to generate a key pair. I would like to thank
Sebastien, Passos and Summers for reporting and testing it.
The reason why it didn't work is because AG Crypto makes use of the APIs for GCM and
elliptic curves and has explicit calls to BouncyCastle. For example:
- BouncyCastle:
import org.bouncycastle.crypto.InvalidCipherTextException;
import org.bouncycastle.crypto.modes.AEADBlockCipher;
import org.bouncycastle.crypto.params.AEADParameters;
import org.bouncycastle.crypto.params.KeyParameter;
- SpongyCastle (on Android):
import org.spongycastle.crypto.InvalidCipherTextException;
import org.spongycastle.crypto.modes.AEADBlockCipher;
import org.spongycastle.crypto.params.AEADParameters;
import org.spongycastle.crypto.params.KeyParameter;
This is all because Google did us a favor
(https://code.google.com/p/android/issues/detail?id=3280). More details about SpongyCastle
here: http://rtyley.github.io/spongycastle/
To understand the issue and reproduce the following stack trace
(https://gist.github.com/secondsun/225a3698ab83f4d077bc), follow these steps:
- Get the staging URL
  https://repository.jboss.org/nexus/content/repositories/jboss_releases_st...
- Get the following PR
  https://github.com/aerogear/aerogear-android/pull/140
- Run the integration tests
  (https://github.com/aerogear/aerogear-android-integration-tests) with AG Crypto 0.1.3
Why did that never happen before? The key pair and CryptoBox were not being used on Android.
Possible solution:
Since yesterday I have been thinking about a possible solution; a dirty idea of a factory for
providers came to my mind, but the number of wrappers would make the whole API impractical.
Chatting with qmx, he suggested to me
http://maven.apache.org/plugins/maven-shade-plugin/
(Thanks bro).
The whole idea is to have a profile specific for Android; please see my PR
(https://github.com/aerogear/aerogear-crypto-java/pull/22). In this way we will have a
jar being generated specifically for mobile devices.
What will change for Android?
- You don't need to specify a gazillion dependencies anymore
  (https://github.com/aerogear/aerogear-android/pull/141/files#diff-600376df...)
- It is necessary to specify the classifier
  (https://github.com/aerogear/aerogear-android/pull/141/files#diff-600376df...)
- The code duplication was removed
  (https://github.com/aerogear/aerogear-android/pull/141/files#diff-55ea76a6...)
If you want to test it, run the integration tests
(https://github.com/aerogear/aerogear-android-integration-tests/pull/26). One test was
intentionally skipped
(https://github.com/abstractj/aerogear-android-integration-tests/commit/f1...).
I'm still investigating.
Arms are welcome.
--
abstractj
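The kind of Maven profile the post is describing, as an added illustration and not the contents of the linked aerogear-crypto-java PR: an `android` profile that runs maven-shade-plugin on the AG Crypto jar and relocates every `org.bouncycastle` reference to `org.spongycastle`, so the artifact no longer resolves against the crippled BouncyCastle that ships inside the Android platform. The profile id, the `android` classifier name, the plugin version and the `<filters>` section are assumptions of this example; only the relocation itself follows from what the post states.

```xml
<!-- Added example: an Android-specific build profile (not the project's own pom.xml). -->
<profiles>
  <profile>
    <!-- Assumed profile id; activate with: mvn -Pandroid package -->
    <id>android</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-shade-plugin</artifactId>
          <version>2.1</version> <!-- assumed version -->
          <executions>
            <execution>
              <phase>package</phase>
              <goals>
                <goal>shade</goal>
              </goals>
              <configuration>
                <!-- Publish the shaded jar next to the normal one, under a classifier
                     (assumed name "android"), which is what consumers must declare. -->
                <shadedArtifactAttached>true</shadedArtifactAttached>
                <shadedClassifierName>android</shadedClassifierName>
                <relocations>
                  <relocation>
                    <!-- Rewrites every org.bouncycastle.* class reference in the shaded
                         jar (AG Crypto's own imports and any bundled provider classes)
                         to org.spongycastle.*, matching the SpongyCastle package names. -->
                    <pattern>org.bouncycastle</pattern>
                    <shadedPattern>org.spongycastle</shadedPattern>
                  </relocation>
                </relocations>
                <filters>
                  <filter>
                    <!-- Assumed: drop jar signature files from the bundled dependencies,
                         otherwise the rewritten classes no longer match the signed digests
                         and the shaded jar fails to load. -->
                    <artifact>*:*</artifact>
                    <excludes>
                      <exclude>META-INF/*.SF</exclude>
                      <exclude>META-INF/*.DSA</exclude>
                      <exclude>META-INF/*.RSA</exclude>
                    </excludes>
                  </filter>
                </filters>
              </configuration>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

Two things to check before trusting such a build: relocation rewrites class and package references only, not string constants, so any code that looks a provider up by the name `"BC"` would still land on Android's built-in provider rather than the relocated one (SpongyCastle registers itself as `"SC"`); and the shaded classes must actually be the ones loaded at runtime, which is easy to confirm by listing the jar's entries and verifying that no `org/bouncycastle/` path remains.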