IssueTracker

Project: platform/frameworks/support
Branch: androidx-master-dev

commit b90079595f33f58fece04026a97faa0d243acdb1
Author: Yuichi Araki <yaraki@google.com>
Date:   Wed Sep 18 16:55:49 2019

    Change the way to detect mismatch between POJO and query
   
    This fixes cursor mismatch warnings with expandProjection.
   
    Bug: 140759491
    Test: QueryMethodProcessorTest
    Change-Id: I7659002e5e0d1ef60fc1af2a625c0c36da0664d8

M       room/compiler/src/main/kotlin/androidx/room/processor/QueryMethodProcessor.kt
M       room/compiler/src/main/kotlin/androidx/room/solver/TypeAdapterStore.kt
M       room/compiler/src/main/kotlin/androidx/room/solver/query/result/PojoRowAdapter.kt
M       room/compiler/src/test/kotlin/androidx/room/processor/QueryMethodProcessorTest.kt
M       room/compiler/src/test/kotlin/androidx/room/testing/TestProcessor.kt

https://android-review.googlesource.com/1123258
https://goto.google.com/android-sha1/b90079595f33f58fece04026a97faa0d243acdb1

  The following changes were cherrypicked through Coastguard (https://android-build.googleplex.com/coastguard/)
  Release Track: (https://android-build.googleplex.com/coastguard/dashboard/6093116828680192/#/cherrypickHistory/all)
  Created: 2019-10-14 17:23:42.610596+00:00
  Changes: aosp/1123258
 

Project: platform/frameworks/support
Branch: androidx-master-dev

commit bdde5a1a970ddc9007b28de4aa29d60ffa588f08
Author: Yigit Boyar <yboyar@google.com>
Date:   Thu Apr 16 16:47:05 2020

    Re-factor how errors are dismissed when query is re-written
   
    This CL changes how we handle errors/warnings if query is
    re-written.
    There was a bug in expandProjection where we would report warnings
    for things that Room already fixes automatically (b/140759491).
    The solution to that problem (I7659002e5e0d1ef60fc1af2a625c0c36da0664d8)
    solved it by deferring validating of columns until after re-write
    decision is made. Unfortunately, this required changing PojoRowAdapter
    to have a dummy mapping until it is validating, make it hard to use
    as it does have a non-null mapping which is not useful.
   
    This CL partially reverts that change and instead rely on the log
    deferring logic we have in Context. This way, we don't need to break
    the stability of PojoRowAdapter while still having the ability to
    drop warnings that room fixes. This will also play nicer when we
    have different query re-writing options that can use more information
    about the query results.
   
    Bug: 153387066
    Bug: 140759491
    Test: existing tests pass
    Change-Id: I2ec967c763d33d7a3ff02c1a13c6953b460d1e5f

M       room/compiler/src/main/kotlin/androidx/room/log/RLog.kt
M       room/compiler/src/main/kotlin/androidx/room/processor/QueryMethodProcessor.kt
M       room/compiler/src/main/kotlin/androidx/room/solver/TypeAdapterStore.kt
M       room/compiler/src/main/kotlin/androidx/room/solver/query/result/PojoRowAdapter.kt

https://android-review.googlesource.com/1288456

Thanks. Would mind performing one more test?

Replace ks.load(null, null); with

char[] pwd = "...".toCharArray(); // insert your password there, but don't post it here on the forum
ks.load(null, pwd);
keystorePasswords = Arrays.asList(pwd);

Yes, with those parameters, I'm getting the KeyStore loaded.

Nevertheless, I'm receiving an Exception a little bit later.
Do you have any ideas what goes wrong?
Do I have to create another issue?
I could sign the apk file with jarsigner.

Regards, Éric.

********** Output begin **********
Now calling ks.load(null,null);
DONE call ks.load(null,null);
Exception in thread "main" java.security.InvalidKeyException: Failed to sign using signer "TE-B5137"
        at com.android.apksig.internal.apk.v1.V1SchemeSigner.signManifest(V1SchemeSigner.java:287)
        at com.android.apksig.internal.apk.v1.V1SchemeSigner.sign(V1SchemeSigner.java:248)
        at com.android.apksig.DefaultApkSignerEngine.outputJarEntries(DefaultApkSignerEngine.java:372)
        at com.android.apksig.ApkSigner.sign(ApkSigner.java:395)
        at com.android.apksig.ApkSigner.sign(ApkSigner.java:178)
        at com.android.apksigner.ApkSignerTool.sign(ApkSignerTool.java:289)
        at com.android.apksigner.ApkSignerTool.main(ApkSignerTool.java:87)
Caused by: java.security.InvalidKeyException: Failed to sign using SHA1withRSA
        at com.android.apksig.internal.apk.v1.V1SchemeSigner.generateSignatureBlock(V1SchemeSigner.java:484)
        at com.android.apksig.internal.apk.v1.V1SchemeSigner.signManifest(V1SchemeSigner.java:285)
        ... 6 more
Caused by: java.security.InvalidKeyException: Private keys must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
        at sun.security.rsa.RSAKeyFactory.translatePrivateKey(RSAKeyFactory.java:288)
        at sun.security.rsa.RSAKeyFactory.engineTranslateKey(RSAKeyFactory.java:191)
        at sun.security.rsa.RSAKeyFactory.toRSAKey(RSAKeyFactory.java:111)
        at sun.security.rsa.RSASignature.engineInitSign(RSASignature.java:106)
        at sun.security.rsa.RSASignature.engineInitSign(RSASignature.java:99)
        at java.security.Signature$Delegate.init(Signature.java:1152)
        at java.security.Signature$Delegate.chooseProvider(Signature.java:1112)
        at java.security.Signature$Delegate.engineInitSign(Signature.java:1176)
        at java.security.Signature.initSign(Signature.java:527)
        at com.android.apksig.internal.apk.v1.V1SchemeSigner.generateSignatureBlock(V1SchemeSigner.java:480)
        ... 7 more
********** Output end **********

Thank you very much. It looks like the issue in #6 is that a stock Sun/Oracle implementation of SHA1withRSA Signature is used instead of a PKCS11-specific one. The stock Sun/Oracle implementation doesn't know (as expected) how to handle hardware-backed PrivateKey instances, which is the type of keys loaded from PKCS#11 hardware-backed keystore. I wonder whether jarsigner contains additional code, specifically for PKCS11 keystores. Or, perhaps, jarsigner is run with additional code/JARs in its CLASSPATH...


I'll dig around to investigate. For now, it does indeed look like you'll need to continue using jarsigner to sign your APKs.

[Comment deleted]

[Comment deleted]

Fixes up for review: https://android-review.googlesource.com/#/c/362613/ (depends on https://android-review.googlesource.com/#/c/362029/).

There are two issues here:
1. --ks NONE means KeyStore.load needs to be invoked with a null InputStream rather than a null LoadStoreParameter.
2. before signing, sun.security.pkcs11.SunPKCS11 Provider  needs to be added to the list of registered JCA providers. Otherwise, JCA cannot find a Provider which can offer Signature.SHA1withRSA and/or Signature.SHA256withRSA for the hardware-backed PrivateKey created by the PKCS11 KeyStore.

With the above fixes in place, the following should work:

apksigner sign \
    --provider-class sun.security.pkcs11.SunPKCS11 \
    --provider-arg "$JDK_PATH\bin\eToken.cfg" \
    --ks NONE \
    --ks-pass "pass:$STOREPASS" \
    --ks-type PKCS11 \
    --ks-key-alias "my alias" \
    some.apk

The fixes have landed. Would you please confirm that, if you build apksigner from commit b3049643c3eba5fdbecc7550df8e15da2ba35934 or newer, it works with your eToken (see command example in comment #10)? Thank you very much for helping identify and fix this issue.

Éric, would you mind confirming that the fix mentioned in comment #10/#11 makes apksigner work with your eToken?

[Comment deleted]

Hi thanks for your patch and sorry for the delay (I was working on another project last week).
Yes it do the jobs and I can now sign the app file using the Usb-Dongle.
The "apksigner -verify" will also return positive result.
Regards, Éric.

When I use my private KeyStore, an Exception happens:
 --ks "easySoft-App2.p12"
 --ks-type PKCS12
 --ks-pass pass:xxxxx
 --ks-key-alias easysoft.test
 my.apk
Failed to load signer "signer #1"
java.io.IOException: parseAlgParameters failed: PBE AlgorithmParameters not available
        at sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:792)
        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1998)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at com.android.apksigner.ApkSignerTool$SignerParams.loadKeyStoreFromFile(ApkSignerTool.java:808)
        at com.android.apksigner.ApkSignerTool$SignerParams.loadPrivateKeyAndCertsFromKeyStore(ApkSignerTool.java:700)
        at com.android.apksigner.ApkSignerTool$SignerParams.loadPrivateKeyAndCerts(ApkSignerTool.java:646)
        at com.android.apksigner.ApkSignerTool$SignerParams.access$500(ApkSignerTool.java:600)
        at com.android.apksigner.ApkSignerTool.sign(ApkSignerTool.java:255)
        at com.android.apksigner.ApkSignerTool.main(ApkSignerTool.java:88)
Caused by: java.security.NoSuchAlgorithmException: PBE AlgorithmParameters not available
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
        at java.security.Security.getImpl(Security.java:695)
        at java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:146)
        at sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:786)
        ... 8 more

I hope it's not due to the patch.
Regards.

Thanks. I'm really glad we've sorted out the PKCS #11 issue. Please file a separate ticket for the PKCS #12 issue, and post a link here for continuity. In that new ticket, please also mention whether this works with jarsigner and what parameters you pass into jarsigner. This would be similar to the original report here which was quite detailed and informative.

The fix has been released in apksigner 0.7, released as part of Android SDK Build Tools 26.0.1.

Thanks for this

You're welcome!