• Alex Klyubin's avatar
    AndroidKeyStore keys should not be handled by Bouncy Castle. · 4812563f
    Alex Klyubin authored
    Bouncy Castle JCA provider incorrectly declares that its Cipher, Mac,
    Signature, and KeyAgreement implementations accept arbitrary keys (
    including AndroidKeyStore keys). As a result, when a Cipher, Mac,
    Signature, or KeyAgreement instance is requested from JCA without
    explicitly specifying the provider (which follows best practices)
    and then initialied with an AndroidKeyStore key, JCA chooses the
    BouncyCastle's implementation, which in turn blows up because it
    can't handle such keys.
    
    The workaround is to install Cipher, Mac, Signature, and
    KeyAgreement implementations backed by AndroidKeyStore as a
    higher-priority JCA provider than the Bouncy Castle one. This is
    achieved by splitting out the above implementations from
    AndroidKeyStoreProvider into AndroidKeyStoreBCWorkaroundProvider
    and installing the AndroidKeyStoreProvider at the usual priority
    (below Bouncy Castle) and the AndroidKeyStoreBCWorkaroundProvider
    at above Bouncy Castle priority.
    ...
    4812563f
preloaded-classes 111 KB