apksigner cannot decrypt some keystores with non-ASCII passwords which were created using keytool and which work fine with jarsigner [37135737]

Fixed

Bug

Status Update

No update yet.

Description

kl...@google.com

created issue #1

Feb 14, 2017 02:30AM

apksigner uses standard Java JCA KeyStore API for loading password-encrypted key material from keystores. The API operates on passwords provided as Unicode characters (Java type: char[]). Weirdly enough, it appears that when Sun/Oracle keytool is provided with password via console/stdin keytool uses the console's/stdin's native encoding of the password, where each input byte is upcast into char. When the password is passed in as a command-line parameter, the password's Unicode representation is used as expected.

For example, on Windows 10 with English US as the UI language, the console/stdin uses IMB437 as the character encoding. Assuming the six character password "ab¡äю1" (0x0061 0x0062 0x00a1 0x00e4 0x044e 0x0031 in big-endian hexadecimal representation):
$ keytool -genkey -v -keystore native.jks -keyalg RSA -keysize 2048 -validity 10000 -alias test
generates a keystore and key protected with 0x0061 0x0062 0x00ad 0x0084 0x003f 0x0031
whereas
$ keytool -genkey -v -keystore native.jks -keyalg RSA -keysize 2048 -validity 10000 -alias test -storepass ab¡äю1
generates a keystore and key protected with 0x0061 0x0062 0x00a1 0x00e4 0x003f 0x0031

The same command-lines on modern Linux/OSX which these days use UTF-8 by default for console produces keystores encrypted using:
0x0061 0x0062 0x00c2 0x00a1 0x00c3 0x00a4 0x00d1 0x008e 0x0031
and
0x0061 0x0062 0x00a1 0x00e4 0x044e 0x0031
respectively.

This weird behavior might be a remnant of the early days of Java where there was no Console (which automatically provides Unicode characters as input and thus has a concept of character encoding of standard input) nor a standard concept of character encoding for standard input. jarsigner appears to follow the same behavior, potentially to remain compatible with old keystores from those days and with current versions of keytool.

To complicate matters, keytool is not the only means of creating keystores which are used for signing APKs. For example, Android Studio offers this functionality as well. Thus, apksigner needs to try both the password represented as Unicode characters as well as the password represented as the form encoded according to the console's character encoding.

Comments

kl...@google.com <kl...@google.com> #2Feb 15, 2017 08:35PM

Is this fixed? I'm still seeing this issue with AGP 8.1.0-beta01 + Gradle 8.1

kl...@google.com <kl...@google.com> #3Mar 7, 2017 05:29AM

The fix has not been landed.

kl...@google.com <kl...@google.com> #4Apr 24, 2017 06:17PM

Due to this bug in CI we hit configuration cache invalidation 100% of the time. Can we make sure the fix lands soon? And especially before 8.1.0 stable.

cb...@google.com <cb...@google.com> Apr 24, 2017 06:18PM

Marked as fixed.

as...@gmail.com <as...@gmail.com> #5Jul 24, 2017 09:31AM

I cc'ed you on the CL which should be landed this week.

ap...@google.com <ap...@google.com> #6Aug 9, 2017 04:24PM

Aurimas, is this 8.1 blocking for Androidx? If not, feel free to remove the "Blocking release" label.

ap...@google.com <ap...@google.com> #7Aug 9, 2017 09:29PM

cherry pick to G is landed.