Fixed
Status Update
Comments
lo...@gmail.com <lo...@gmail.com> #6
Yes, with those parameters, I'm getting the KeyStore loaded.
Nevertheless, I'm receiving an Exception a little bit later.
Do you have any ideas what goes wrong?
Do I have to create another issue?
I could sign the apk file with jarsigner.
Regards, Éric.
********** Output begin **********
Now calling ks.load(null,null);
DONE call ks.load(null,null);
Exception in thread "main" java.security.InvalidKeyException: Failed to sign using signer "TE-B5137"
at com.android.apksig.internal.apk.v1.V1SchemeSigner.signManifest(V1SchemeSigner.java:287)
at com.android.apksig.internal.apk.v1.V1SchemeSigner.sign(V1SchemeSigner.java:248)
at com.android.apksig.DefaultApkSignerEngine.outputJarEntries(DefaultApkSignerEngine.java:372)
at com.android.apksig.ApkSigner.sign(ApkSigner.java:395)
at com.android.apksig.ApkSigner.sign(ApkSigner.java:178)
at com.android.apksigner.ApkSignerTool.sign(ApkSignerTool.java:289)
at com.android.apksigner.ApkSignerTool.main(ApkSignerTool.java:87)
Caused by: java.security.InvalidKeyException: Failed to sign using SHA1withRSA
at com.android.apksig.internal.apk.v1.V1SchemeSigner.generateSignatureBlock(V1SchemeSigner.java:484)
at com.android.apksig.internal.apk.v1.V1SchemeSigner.signManifest(V1SchemeSigner.java:285)
... 6 more
Caused by: java.security.InvalidKeyException: Private keys must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
at sun.security.rsa.RSAKeyFactory.translatePrivateKey(RSAKeyFactory.java:288)
at sun.security.rsa.RSAKeyFactory.engineTranslateKey(RSAKeyFactory.java:191)
at sun.security.rsa.RSAKeyFactory.toRSAKey(RSAKeyFactory.java:111)
at sun.security.rsa.RSASignature.engineInitSign(RSASignature.java:106)
at sun.security.rsa.RSASignature.engineInitSign(RSASignature.java:99)
at java.security.Signature$Delegate.init(Signature.java:1152)
at java.security.Signature$Delegate.chooseProvider(Signature.java:1112)
at java.security.Signature$Delegate.engineInitSign(Signature.java:1176)
at java.security.Signature.initSign(Signature.java:527)
at com.android.apksig.internal.apk.v1.V1SchemeSigner.generateSignatureBlock(V1SchemeSigner.java:480)
... 7 more
********** Output end **********
kl...@google.com <kl...@google.com> #7
Thank you very much. It looks like the issue in #6 is that a stock Sun/Oracle implementation of SHA1withRSA Signature is used instead of a PKCS11-specific one. The stock Sun/Oracle implementation doesn't know (as expected) how to handle hardware-backed PrivateKey instances, which is the type of keys loaded from PKCS#11 hardware-backed keystore. I wonder whether jarsigner contains additional code, specifically for PKCS11 keystores. Or, perhaps, jarsigner is run with additional code/JARs in its CLASSPATH...
I'll dig around to investigate. For now, it does indeed look like you'll need to continue using jarsigner to sign your APKs.
kl...@google.com <kl...@google.com> #10
Fixes up for review: https://android-review.googlesource.com/#/c/362613/ (depends on https://android-review.googlesource.com/#/c/362029/ ).
There are two issues here:
1. --ks NONE means KeyStore.load needs to be invoked with a null InputStream rather than a null LoadStoreParameter.
2. before signing, sun.security.pkcs11.SunPKCS11 Provider needs to be added to the list of registered JCA providers. Otherwise, JCA cannot find a Provider which can offer Signature.SHA1withRSA and/or Signature.SHA256withRSA for the hardware-backed PrivateKey created by the PKCS11 KeyStore.
With the above fixes in place, the following should work:
apksigner sign \
--provider-class sun.security.pkcs11.SunPKCS11 \
--provider-arg "$JDK_PATH\bin\eToken.cfg" \
--ks NONE \
--ks-pass "pass:$STOREPASS" \
--ks-type PKCS11 \
--ks-key-alias "my alias" \
some.apk
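The two root causes named in comment #10 (and the provider mismatch diagnosed in comment #7) can be seen in a few lines of plain JCA. The program below is an added example, not apksigner's own code. Its offline part hands the stock SunRsaSign Signature a stand-in key that, like a PKCS#11 key handle, carries no PKCS#8 encoding, and reproduces the InvalidKeyException from comment #6 without any token. Its token part shows the load-and-sign sequence that works once SunPKCS11 is registered: the provider is added to the JCA list first, the PKCS11 KeyStore is loaded with a null InputStream plus the PIN rather than a null LoadStoreParameter, and the resulting signature is checked with the certificate's public key. The config path, PIN and alias are command-line placeholders, the signed payload is constructed for the example, and the JDK 8 constructor / JDK 9+ configure() split is an assumption about which JDK the reader runs.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.util.Base64;

/*
 * Added example for comments #7 and #10 of this thread; not apksigner code.
 * Offline part: reproduce the comment #6 failure with a key that has no PKCS#8 encoding.
 * Token part: the load/sign order that works once SunPKCS11 is a registered JCA provider.
 */
public final class Pkcs11SignDemo {

    /** Stand-in for a hardware-backed key: a handle only, no exportable key material. */
    static final class OpaqueRsaPrivateKey implements PrivateKey {
        private static final long serialVersionUID = 1L;
        @Override public String getAlgorithm() { return "RSA"; }
        @Override public String getFormat()    { return null; }
        @Override public byte[] getEncoded()   { return null; }
    }

    /** With only the stock provider, initSign rejects the opaque key exactly as in #6. */
    static String signWithStockProviderOnly() throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA", "SunRsaSign");
        try {
            sig.initSign(new OpaqueRsaPrivateKey());
            return "unexpected: SunRsaSign accepted an opaque key";
        } catch (InvalidKeyException e) {
            return "InvalidKeyException: " + e.getMessage();
        }
    }

    /** Registers SunPKCS11 from a config file (assumed: JDK 8 constructor, JDK 9+ configure()). */
    static Provider registerSunPkcs11(String cfgPath) throws Exception {
        Provider p;
        Provider stub = Security.getProvider("SunPKCS11");
        if (stub != null) {
            // JDK 9+: the unconfigured built-in provider is configured via Provider.configure(String)
            p = (Provider) Provider.class.getMethod("configure", String.class).invoke(stub, cfgPath);
        } else {
            // JDK 8: sun.security.pkcs11.SunPKCS11 takes the config path in its constructor
            p = (Provider) Class.forName("sun.security.pkcs11.SunPKCS11")
                    .getConstructor(String.class).newInstance(cfgPath);
        }
        Security.addProvider(p);   // fix (2): JCA can now find a Signature impl that accepts P11 keys
        return p;
    }

    /** Signs data with the token-resident key and verifies the result with the certificate. */
    static byte[] signWithToken(String cfgPath, char[] pin, String alias, byte[] data) throws Exception {
        Provider p = registerSunPkcs11(cfgPath);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load((InputStream) null, pin);   // fix (1): null stream + PIN, not load((LoadStoreParameter) null)
        PrivateKey key = (PrivateKey) ks.getKey(alias, pin);
        Certificate cert = ks.getCertificate(alias);
        if (key == null || cert == null) throw new IllegalStateException("alias not found: " + alias);

        Signature sig = Signature.getInstance("SHA256withRSA");   // provider chosen at initSign time
        sig.initSign(key);                                         // SunRsaSign declines, SunPKCS11 accepts
        sig.update(data);
        byte[] signature = sig.sign();

        Signature ver = Signature.getInstance("SHA256withRSA");   // public key is exportable: stock provider is fine
        ver.initVerify(cert.getPublicKey());
        ver.update(data);
        if (!ver.verify(signature)) throw new SignatureException("signature did not verify");
        return signature;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("offline: " + signWithStockProviderOnly());
        if (args.length == 3) {   // usage: Pkcs11SignDemo <eToken.cfg> <pin> <alias>
            byte[] data = "constructed test payload".getBytes(StandardCharsets.UTF_8);   // constructed sample input
            byte[] sig = signWithToken(args[0], args[1].toCharArray(), args[2], data);
            System.out.println("token: signature verified, " + Base64.getEncoder().encodeToString(sig));
        }
    }
}
```

Run with no arguments to see the offline reproduction only; pass the PKCS#11 config path, PIN and key alias to exercise the token path. The order matters in the same way it does for apksigner: if `Security.addProvider` runs after `Signature.getInstance`, the delayed provider selection in `initSign` still finds SunPKCS11, but if it never runs at all, only SunRsaSign is consulted and the opaque key is rejected.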
kl...@google.com <kl...@google.com> #11
The fixes have landed. Would you please confirm that, if you build apksigner from commit b3049643c3eba5fdbecc7550df8e15da2ba35934 or newer, it works with your eToken (see command example in comment #10)? Thank you very much for helping identify and fix this issue.
kl...@google.com <kl...@google.com> #12
Éric, would you mind confirming that the fix mentioned in comments #10/#11 makes apksigner work with your eToken?
e....@gmail.com <e....@gmail.com> #14
Hi thanks for your patch and sorry for the delay (I was working on another project last week).
Yes, it does the job and I can now sign the app file using the USB dongle.
The "apksigner -verify" also returns a positive result.
Regards, Éric.
e....@gmail.com <e....@gmail.com> #15
When I use my private KeyStore, an Exception happens:
--ks "easySoft-App2.p12"
--ks-type PKCS12
--ks-pass pass:xxxxx
--ks-key-alias easysoft.test
my.apk
Failed to load signer "signer #1"
java.io.IOException: parseAlgParameters failed: PBE AlgorithmParameters not available
at sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:792)
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1998)
at java.security.KeyStore.load(KeyStore.java:1445)
at com.android.apksigner.ApkSignerTool$SignerParams.loadKeyStoreFromFile(ApkSignerTool.java:808)
at com.android.apksigner.ApkSignerTool$SignerParams.loadPrivateKeyAndCertsFromKeyStore(ApkSignerTool.java:700)
at com.android.apksigner.ApkSignerTool$SignerParams.loadPrivateKeyAndCerts(ApkSignerTool.java:646)
at com.android.apksigner.ApkSignerTool$SignerParams.access$500(ApkSignerTool.java:600)
at com.android.apksigner.ApkSignerTool.sign(ApkSignerTool.java:255)
at com.android.apksigner.ApkSignerTool.main(ApkSignerTool.java:88)
Caused by: java.security.NoSuchAlgorithmException: PBE AlgorithmParameters not available
at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
at java.security.Security.getImpl(Security.java:695)
at java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:146)
at sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:786)
... 8 more
I hope it's not due to the patch.
Regards.
kl...@google.com <kl...@google.com> #16
Thanks. I'm really glad we've sorted out the PKCS #11 issue. Please file a separate ticket for the PKCS #12 issue, and post a link here for continuity. In that new ticket, please also mention whether this works with jarsigner and what parameters you pass into jarsigner. This would be similar to the original report here which was quite detailed and informative.
kl...@google.com <kl...@google.com> #17
The fix has been released in apksigner 0.7, released as part of Android SDK Build Tools 26.0.1.
ge...@gmail.com <ge...@gmail.com> #18
Thanks for this
kl...@google.com <kl...@google.com> #19
You're welcome!
Description
***** *****
***** !!!! THIS BUG TRACKER IS FOR GERRIT CODE REVIEW !!!! *****
***** *****
***** DO NOT SUBMIT BUGS FOR CHROME, ANDROID, CYANOGENMOD, *****
***** INTERNAL ISSUES WITH YOUR COMPANY'S GERRIT SETUP, ETC.*****
***** *****
***** THOSE ISSUES BELONG IN DIFFERENT ISSUE TRACKERS *****
***** *****
*****************************************************************
Affected Version:
What steps will reproduce the problem?
1. Use the native KeyStore from Windows
2. Use a certificate which needs a USB eToken
3. Call apksigner with those parameters:
@("sign",
"--ks", "$easyTokenSignCrtPath",
"--ks-type", "PKCS11",
"--ks-pass", "file:$apkSignerPwPath",
"--ks-provider-class", "sun.security.pkcs11.SunPKCS11",
"--ks-provider-arg", "C:\PROGRA~1\Java\jdk1.8.0_121\bin\eToken.cfg",
"--ks-key-alias", "my alias",
"$scrDir\$toSign")
What is the expected output?
The apk file should be signed; all those parameters are working with jarsigner on the same computer.
What do you see instead?
Please provide any additional information below.
- Windows Server 2016
- JDK 1.8.0_121
- eToken works with jarsigner on the same Computer, parameters are:
$jarSignerParams=@(
"-keystore","NONE",
"-storepass", "$STOREPASS",
"-storetype", "PKCS11",
"-tsa", "
"-providerclass", "sun.security.pkcs11.SunPKCS11",
"-providerArg", "$JDK_PATH\bin\eToken.cfg"
"$scrDir\$toSignJarsigner",
"my alias")
As far as I could analyse, {KeyStore}.engineLoad() should not be called with 'null' as parameter, which is done in apksigner.
Regards, Éric