Fixed
Comments
kl...@google.com <kl...@google.com> #2
Thank you for the report. I don't have an eToken, so, your help is needed to understand and resolve this issue.
It looks like you're invoking jarsigner and apksigner with significantly different parameters (keystore type, password, and provider constructor arg are different). Assuming the jarsigner invocation works, please invoke apksigner as follows and then report the full output (incl. exception stack trace).
apksigner sign
--ks NONE
--ks-pass "pass:$STOREPASS"
--ks-type PKCS11
--ks-provider-class sun.security.pkcs11.SunPKCS11
--ks-provider-arg "$JDK_PATH\bin\eToken.cfg"
--ks-key-alias "my alias"
some.apk
P. S. Invoking KeyStore.load((InputStream) null) is fine. This is what is supposed to happen when you use NONE as the path to keystore. See https://docs.oracle.com/javase/8/docs/technotes/tools/windows/jarsigner.html.
kl...@google.com <kl...@google.com> #3
Are you in the position to try to build your own version of apksigner from source? If so, if the invocation from comment #1 fails, please report the full stack trace, then replace https://android.googlesource.com/platform/tools/apksig/+/master/src/apksigner/java/com/android/apksigner/ApkSignerTool.java#628 ks.load(null) with ks.load(null, null), build your own apksigner and try it with the same parameters again. Perhaps there is a difference in how KeyStore.load(KeyStore.LoadStoreParameter) and KeyStore(InputStream, char[]) handle null.
To rebuild apksigner, download its source (git clone https://android.googlesource.com/platform/tools/apksig), and then either install Bazel and run "bazel build :apksigner", or, as a quick hack:
mkdir classes
javac -d classes -sourcepath src/main/java -sourcepath src/apksigner/java @src-files.txt
copy src/apksigner/java/com/android/apksigner/*.txt classes/com/android/apksigner/
java -cp classes com.android.apksigner.ApkSignerTool sign ...
e....@gmail.com <e....@gmail.com> #4
Thank you for the quick reply, I have patched the ApkSignerTool as you've suggested:
********** CODE begin **********
if ("NONE".equals(keystoreFile)) {
System.out.println("Now calling ks.load(null,null);");
ks.load(null,null);
System.out.println("DONE call ks.load(null,null);");
} else {
********** CODE end **********
but this does not do the job. Result:
********** Output begin **********
Now calling ks.load(null,null);
Failed to load signer "signer #1"
java.io.IOException: load failed
at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:766)
at java.security.KeyStore.load(KeyStore.java:1445)
at com.android.apksigner.ApkSignerTool$SignerParams.loadPrivateKeyAndCertsFromKeyStore(ApkSignerTool.java:629)
at com.android.apksigner.ApkSignerTool$SignerParams.loadPrivateKeyAndCerts(ApkSignerTool.java:580)
at com.android.apksigner.ApkSignerTool$SignerParams.access$200(ApkSignerTool.java:534)
at com.android.apksigner.ApkSignerTool.sign(ApkSignerTool.java:229)
at com.android.apksigner.ApkSignerTool.main(ApkSignerTool.java:87)
Caused by: javax.security.auth.login.LoginException: no password provided, and no callback handler available for retrieving password
at sun.security.pkcs11.SunPKCS11.login(SunPKCS11.java:1184)
at sun.security.pkcs11.P11KeyStore.login(P11KeyStore.java:864)
at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:751)
... 6 more
********** Output end **********
regards, Éric
kl...@google.com <kl...@google.com> #5
Thanks. Would you mind performing one more test?
Replace ks.load(null, null); with
char[] pwd = "...".toCharArray(); // insert your password there, but don't post it here on the forum
ks.load(null, pwd);
keystorePasswords = Arrays.asList(pwd);
lo...@gmail.com <lo...@gmail.com> #6
Yes, with those parameters, I'm getting the KeyStore loaded.
Nevertheless, I'm receiving an Exception a little bit later.
Do you have any ideas what goes wrong?
Do I have to create another issue?
I could sign the apk file with jarsigner.
Regards, Éric.
********** Output begin **********
Now calling ks.load(null,null);
DONE call ks.load(null,null);
Exception in thread "main" java.security.InvalidKeyException: Failed to sign using signer "TE-B5137"
at com.android.apksig.internal.apk.v1.V1SchemeSigner.signManifest(V1SchemeSigner.java:287)
at com.android.apksig.internal.apk.v1.V1SchemeSigner.sign(V1SchemeSigner.java:248)
at com.android.apksig.DefaultApkSignerEngine.outputJarEntries(DefaultApkSignerEngine.java:372)
at com.android.apksig.ApkSigner.sign(ApkSigner.java:395)
at com.android.apksig.ApkSigner.sign(ApkSigner.java:178)
at com.android.apksigner.ApkSignerTool.sign(ApkSignerTool.java:289)
at com.android.apksigner.ApkSignerTool.main(ApkSignerTool.java:87)
Caused by: java.security.InvalidKeyException: Failed to sign using SHA1withRSA
at com.android.apksig.internal.apk.v1.V1SchemeSigner.generateSignatureBlock(V1SchemeSigner.java:484)
at com.android.apksig.internal.apk.v1.V1SchemeSigner.signManifest(V1SchemeSigner.java:285)
... 6 more
Caused by: java.security.InvalidKeyException: Private keys must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
at sun.security.rsa.RSAKeyFactory.translatePrivateKey(RSAKeyFactory.java:288)
at sun.security.rsa.RSAKeyFactory.engineTranslateKey(RSAKeyFactory.java:191)
at sun.security.rsa.RSAKeyFactory.toRSAKey(RSAKeyFactory.java:111)
at sun.security.rsa.RSASignature.engineInitSign(RSASignature.java:106)
at sun.security.rsa.RSASignature.engineInitSign(RSASignature.java:99)
at java.security.Signature$Delegate.init(Signature.java:1152)
at java.security.Signature$Delegate.chooseProvider(Signature.java:1112)
at java.security.Signature$Delegate.engineInitSign(Signature.java:1176)
at java.security.Signature.initSign(Signature.java:527)
at com.android.apksig.internal.apk.v1.V1SchemeSigner.generateSignatureBlock(V1SchemeSigner.java:480)
... 7 more
********** Output end **********
kl...@google.com <kl...@google.com> #7
Thank you very much. It looks like the issue in #6 is that a stock Sun/Oracle implementation of SHA1withRSA Signature is used instead of a PKCS11-specific one. The stock Sun/Oracle implementation doesn't know (as expected) how to handle hardware-backed PrivateKey instances, which is the type of keys loaded from PKCS#11 hardware-backed keystore. I wonder whether jarsigner contains additional code, specifically for PKCS11 keystores. Or, perhaps, jarsigner is run with additional code/JARs in its CLASSPATH...
I'll dig around to investigate. For now, it does indeed look like you'll need to continue using jarsigner to sign your APKs.
kl...@google.com <kl...@google.com> #8
[Comment deleted]
kl...@google.com <kl...@google.com> #9
[Comment deleted]
kl...@google.com <kl...@google.com> #10
Fixes up for review: https://android-review.googlesource.com/#/c/362613/ (depends on https://android-review.googlesource.com/#/c/362029/ ).
There are two issues here:
1. --ks NONE means KeyStore.load needs to be invoked with a null InputStream rather than a null LoadStoreParameter.
2. before signing, sun.security.pkcs11.SunPKCS11 Provider needs to be added to the list of registered JCA providers. Otherwise, JCA cannot find a Provider which can offer Signature.SHA1withRSA and/or Signature.SHA256withRSA for the hardware-backed PrivateKey created by the PKCS11 KeyStore.
With the above fixes in place, the following should work:
apksigner sign \
--provider-class sun.security.pkcs11.SunPKCS11 \
--provider-arg "$JDK_PATH\bin\eToken.cfg" \
--ks NONE \
--ks-pass "pass:$STOREPASS" \
--ks-type PKCS11 \
--ks-key-alias "my alias" \
some.apk
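The two fixes described in this comment, shown in one small Java program. This is an added example, not apksigner's code; the config path and alias come from the command line and the PIN is read from the console (all assumptions), and the JDK 8 provider constructor from the thread is used.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/** Reproduces the two fixes from comment #10 against a PKCS#11 token (added example, hypothetical names). */
public class Pkcs11SignDemo {

    /** Issue 1: "--ks NONE" must map to load(null InputStream, password), not load(null LoadStoreParameter). */
    static KeyStore openTokenKeyStore(Provider pkcs11, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", pkcs11);
        // The token has no file-backed state, hence the null stream. Passing the PIN here is what
        // avoids the "no password provided, and no callback handler available" LoginException from #4.
        ks.load((InputStream) null, pin);
        return ks;
    }

    /** Issue 2: the provider must be registered, or Signature.getInstance() only finds SunRsaSign and fails on a P11 key. */
    static byte[] signWithToken(KeyStore ks, String alias, char[] pin, byte[] data) throws Exception {
        PrivateKey key = (PrivateKey) ks.getKey(alias, pin);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        // Without Security.addProvider(pkcs11) beforehand, initSign() ends in
        // "Private keys must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding" (comment #6).
        Signature sig = Signature.getInstance("SHA256with" + key.getAlgorithm());
        sig.initSign(key);          // JCA now selects the PKCS11 provider that owns this hardware key
        sig.update(data);
        byte[] signature = sig.sign();
        // Verification only needs the public key, so the stock provider handles it.
        Signature verify = Signature.getInstance(sig.getAlgorithm());
        verify.initVerify(cert.getPublicKey());
        verify.update(data);
        if (!verify.verify(signature)) throw new IllegalStateException("token signature does not verify");
        return signature;
    }

    public static void main(String[] args) throws Exception {
        String cfg = args[0];                 // e.g. the eToken.cfg path from the thread (assumed argument)
        String alias = args[1];               // e.g. "my alias" (assumed argument)
        char[] pin = System.console().readPassword("Token PIN: ");
        // JDK 8 constructor as used in the thread; on JDK 9+ use Security.getProvider("SunPKCS11").configure(cfg).
        Provider pkcs11 = new sun.security.pkcs11.SunPKCS11(cfg);
        Security.addProvider(pkcs11);         // the registration step apksigner was missing (issue 2)
        KeyStore ks = openTokenKeyStore(pkcs11, pin);
        byte[] sig = signWithToken(ks, alias, pin, "hello".getBytes(StandardCharsets.UTF_8));
        System.out.println("signature bytes: " + sig.length);
        Arrays.fill(pin, '\0');               // clear the PIN once the token session is no longer needed
    }
}
```

Comment out the Security.addProvider line to reproduce the InvalidKeyException from comment #6; replace the load call with ks.load(null) to reproduce the LoginException from comment #4.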
kl...@google.com <kl...@google.com> #11
The fixes have landed. Would you please confirm that, if you build apksigner from commit b3049643c3eba5fdbecc7550df8e15da2ba35934 or newer, it works with your eToken (see command example in comment #10)? Thank you very much for helping identify and fix this issue.
kl...@google.com <kl...@google.com> #12
Éric, would you mind confirming that the fix mentioned in comments #10/#11 makes apksigner work with your eToken?
e....@gmail.com <e....@gmail.com> #13
[Comment deleted]
e....@gmail.com <e....@gmail.com> #14
Hi thanks for your patch and sorry for the delay (I was working on another project last week).
Yes, it does the job and I can now sign the app file using the USB dongle.
The "apksigner -verify" will also return positive result.
Regards, Éric.
e....@gmail.com <e....@gmail.com> #15
When I use my private KeyStore, an Exception happens:
--ks "easySoft-App2.p12"
--ks-type PKCS12
--ks-pass pass:xxxxx
--ks-key-alias easysoft.test
my.apk
Failed to load signer "signer #1"
java.io.IOException: parseAlgParameters failed: PBE AlgorithmParameters not available
at sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:792)
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1998)
at java.security.KeyStore.load(KeyStore.java:1445)
at com.android.apksigner.ApkSignerTool$SignerParams.loadKeyStoreFromFile(ApkSignerTool.java:808)
at com.android.apksigner.ApkSignerTool$SignerParams.loadPrivateKeyAndCertsFromKeyStore(ApkSignerTool.java:700)
at com.android.apksigner.ApkSignerTool$SignerParams.loadPrivateKeyAndCerts(ApkSignerTool.java:646)
at com.android.apksigner.ApkSignerTool$SignerParams.access$500(ApkSignerTool.java:600)
at com.android.apksigner.ApkSignerTool.sign(ApkSignerTool.java:255)
at com.android.apksigner.ApkSignerTool.main(ApkSignerTool.java:88)
Caused by: java.security.NoSuchAlgorithmException: PBE AlgorithmParameters not available
at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
at java.security.Security.getImpl(Security.java:695)
at java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:146)
at sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:786)
... 8 more
I hope it's not due to the patch.
Regards.
kl...@google.com <kl...@google.com> #16
Thanks. I'm really glad we've sorted out the PKCS #11 issue. Please file a separate ticket for the PKCS #12 issue, and post a link here for continuity. In that new ticket, please also mention whether this works with jarsigner and what parameters you pass into jarsigner. This would be similar to the original report here which was quite detailed and informative.
kl...@google.com <kl...@google.com> #17
The fix has been released in apksigner 0.7, released as part of Android SDK Build Tools 26.0.1.
ge...@gmail.com <ge...@gmail.com> #18
Thanks for this
kl...@google.com <kl...@google.com> #19
You're welcome!
Description
Affected Version:
What steps will reproduce the problem?
1. Use the native KeyStore from Windows
2. Use a certificate which needs a USB eToken
3. Call apksigner with those parameters:
@("sign",
"--ks", "$easyTokenSignCrtPath",
"--ks-type", "PKCS11",
"--ks-pass", "file:$apkSignerPwPath",
"--ks-provider-class", "sun.security.pkcs11.SunPKCS11",
"--ks-provider-arg", "C:\PROGRA~1\Java\jdk1.8.0_121\bin\eToken.cfg",
"--ks-key-alias", "my alias",
"$scrDir\$toSign")
What is the expected output?
The apk file should be signed; all those parameters are working with jarsigner on the same computer.
What do you see instead?
Please provide any additional information below.
- Windows Server 2016
- JDK 1.8.0_121
- eToken works with jarsigner on the same Computer, parameters are:
$jarSignerParams=@(
"-keystore","NONE",
"-storepass", "$STOREPASS",
"-storetype", "PKCS11",
"-tsa", "
"-providerclass", "sun.security.pkcs11.SunPKCS11",
"-providerArg", "$JDK_PATH\bin\eToken.cfg"
"$scrDir\$toSignJarsigner",
"my alias")
As far as I could analyse, {KeyStore}.engineLoad() should not be called with 'null' as parameter, which is what apksigner does.
Regards, Éric