
List:       bouncycastle-crypto-dev
Subject:    Re: [dev-crypto] On Android (but not Ubuntu 14.04): org.bouncycastle.openssl.PEMException: Unable to
From:       David Hook <dgh () cryptoworkshop ! com>
Date:       2017-11-11 5:49:54
Message-ID: 3c84b236-3c8c-e077-90a6-7f395d9bcdea () cryptoworkshop ! com


Hi Kirk,

I think Android Nougat is actually based on BC 1.57 - that did have
PBKDF-OpenSSL in it, but I don't think it is included.

To be honest, I'd really recommend using PKCS#8 instead - these days
it's just as portable. I think the only thing you might need to be
careful of is I'm not sure if Android will handle passwords where the
char to byte array conversion is done using UTF-8.

Regards,

David

On 11/11/17 04:43, Bailey, Kirk A wrote:
> Hello,
> 
> I'm using the latest BC release (1.58) and I'm having a problem when running code
> on Android (Nougat) that I do not have when running the same code using Java
> (Eclipse) on Ubuntu 14.04. Specifically, when I try to decode an encrypted RSA key,
> I get (on Android) the exception: "org.bouncycastle.openssl.PEMException: Unable to
> create OpenSSL PBDKF: no such algorithm: PBKDF-OpenSSL for provider BC". I do not
> get any exception on Ubuntu. I'm using the same keys and BC JAR files in both
> environments. I am able to successfully load an unencrypted key in both
> environments.
>
> I created the 2 test keys with the following openssl commands:
>
> > openssl genrsa -aes256 -out enc-key.key 2048
> > openssl genrsa -out plain-key.key 2048
>
> I put together a simple test case to demonstrate the issue. Here's the method I
> call to read in a key:
>
> public static PrivateKey createPrivateKeyFromPem(Reader keyReader, String password)
>         throws IOException, InvalidKeySpecException, NoSuchAlgorithmException {
>
>     Security.addProvider(new BouncyCastleProvider());
>     PEMParser pemParser = new PEMParser(keyReader);
>     Object rawKey = pemParser.readObject();
>     pemParser.close();
>     PEMKeyPair pemKeyPair = null;
>
>     if (rawKey instanceof PEMEncryptedKeyPair) {
>         PEMDecryptorProvider decryptor = new JcePEMDecryptorProviderBuilder()
>                 .setProvider("BC")
>                 .build(password.toCharArray());
>         pemKeyPair = ((PEMEncryptedKeyPair) rawKey).decryptKeyPair(decryptor);
>     } else {
>         pemKeyPair = (PEMKeyPair) rawKey;
>     }
>
>     JcaPEMKeyConverter keyConverter = new JcaPEMKeyConverter().setProvider("BC");
>     KeyPair keyPair = keyConverter.getKeyPair(pemKeyPair);
>
>     return keyPair.getPrivate();
> }
> 
> The Java program I run in Ubuntu 14.04 to exercise this is:
> 
> public static void main(String[] args)
>         throws InvalidKeySpecException, NoSuchAlgorithmException,
>                FileNotFoundException, IOException {
>     String encKeyFileName = "/home/user/tmp/enc-key.key";
>     String plainKeyFileName = "/home/user/tmp/plain-key.key";
>
>     PrivateKey plainKey = createPrivateKeyFromPem(
>             new FileReader(new File(plainKeyFileName)), "");
>     System.out.println("Plain private key: " + plainKey);
>     PrivateKey encKey = createPrivateKeyFromPem(
>             new FileReader(new File(encKeyFileName)), "secret");
>     System.out.println("Plain private key: " + encKey);
> }
> 
> It runs as expected with no exceptions and prints out the information for both the
> unencrypted and encrypted keys.
>
> In a simple Android Activity I do the same thing in its onCreate() method (below).
> Note that I've included the key files as assets in the APK.
>
> protected void onCreate(Bundle savedInstanceState) {
>     super.onCreate(savedInstanceState);
>     setContentView(R.layout.activity_main);
>     String encKeyAsset = "enc-key.key";
>     String plainKeyAsset = "plain-key.key";
>     try {
>         InputStream keyStream = getAssets().open(plainKeyAsset);
>         PrivateKey plainKey = createPrivateKeyFromPem(new InputStreamReader(keyStream), "");
>         keyStream.close();
>         Log.i(TAG, "Plain key: " + plainKey);
>
>         keyStream = getAssets().open(encKeyAsset);
>         PrivateKey encKey = createPrivateKeyFromPem(new InputStreamReader(keyStream), "");
>         keyStream.close();
>         Log.i(TAG, "Encrypted key: " + encKey);
>     } catch (Exception e) {
>         Log.e(TAG, "Exception: ", e);
>     }
> }
> 
> The unencrypted key is handled without issue, but I get an exception for the
> encrypted key:
>
> ...
> 11-10 12:15:06.915  8898  8898 E com.example.keytest.MainActivity: Exception:
> 11-10 12:15:06.915  8898  8898 E com.example.keytest.MainActivity: org.bouncycastle.openssl.PEMException: Unable to create OpenSSL PBDKF: no such algorithm: PBKDF-OpenSSL for provider BC
> 11-10 12:15:06.915  8898  8898 E com.example.keytest.MainActivity: at org.bouncycastle.openssl.jcajce.PEMUtilities.getKey(Unknown Source)
> 11-10 12:15:06.915  8898  8898 E com.example.keytest.MainActivity: at org.bouncycastle.openssl.jcajce.PEMUtilities.getKey(Unknown Source)
> 11-10 12:15:06.915  8898  8898 E com.example.keytest.MainActivity: at org.bouncycastle.openssl.jcajce.PEMUtilities.crypt(Unknown Source)
> 11-10 12:15:06.915  8898  8898 E com.example.keytest.MainActivity: at org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder$1$1.decrypt(Unknown Source)
> 11-10 12:15:06.915  8898  8898 E com.example.keytest.MainActivity: at org.bouncycastle.openssl.PEMEncryptedKeyPair.decryptKeyPair(Unknown Source)
> 11-10 12:15:06.915  8898  8898 E com.example.keytest.MainActivity: at com.example.keytest.MainActivity.createPrivateKeyFromPem(MainActivity.java:43)
> 11-10 12:15:06.915  8898  8898 E com.example.keytest.MainActivity: at com.example.keytest.MainActivity.onCreate(MainActivity.java:65)
> 11-10 12:15:06.915  8898  8898 E com.example.keytest.MainActivity: at android.app.Activity.performCreate(Activity.java:6662)
> ...
> 
> Any ideas on the cause and/or fix? If not, what else can I do to help track down
> the cause?
> 
> Best Regards,
> Kirk Bailey
> 
>  
> 

