
Is apksigner tool that comes along with Android SDK Build Tools compliant with JCE (Java Cryptography Extension) specification?

  • What exactly do you mean by "compliant"? apksigner is not a cryptographic extension or provider of crypto primitives. However, it does aim to play nice with JCA/JCE by using crypto primitives via the JCA framework. – Alex Klyubin Jul 20 '17 at 08:08
  • apksigner is a recent addition to apk signing and I'm not sure how mature it is; does the tool work well with providers offered by major HSM vendors? – Ananth Ramasamy Meenachi Jul 21 '17 at 13:40

1 Answer


The current (as of July 25 2017) apksigner version 0.7 released in Android SDK Build Tools 26.0.1 supports signing using HSM keys via Sun/Oracle's PKCS #11 Provider and its extensions. For example:

apksigner sign --provider-class sun.security.pkcs11.SunPKCS11 \
  --provider-arg token.cfg --ks NONE --ks-type PKCS11 app.apk

Also see https://geoffreymetais.github.io/code/key-signing/.

Alex Klyubin
  • When we use --ks-type PKCS11, we are getting error "java.security.KeyStoreException: PKCS11 not found". We have the PKCS11 provider configured in java.security file. Any guidance from your end will help. – Ananth Ramasamy Meenachi Jul 26 '17 at 18:57
  • Did you also add `--provider-class sun.security.pkcs11.SunPKCS11 --provider-arg `? Also, does the equivalent jarsigner command work for you: `jarsigner -providerClass sun.security.pkcs11.SunPKCS11 -providerArg -keystore NONE -storetype PKCS11 app.apk` – Alex Klyubin Jul 26 '17 at 20:46
  • I get either "jarsigner error: java.lang.reflect.InvocationTargetException" or "jarsigner error: java.lang.RuntimeException: keystore load: load failed" when I change the slot. – Ananth Ramasamy Meenachi Jul 27 '17 at 04:10
  • Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: 0x80000067 at sun.security.pkcs11.wrapper.PKCS11.C_Login(Native Method) at sun.security.pkcs11.SunPKCS11.login(SunPKCS11.java:1222) – Ananth Ramasamy Meenachi Jul 27 '17 at 04:44
  • It sounds like this issue is not an issue with jarsigner or apksigner, but rather an issue between your HSM and Sun/Oracle's PKCS11 JCA/JCE KeyStore implementation. All I can suggest is consulting the HSM's documentation and/or contacting its manufacturer for more information. – Alex Klyubin Jul 27 '17 at 05:27
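As an added example (not from the answer, and not apksigner's own code), a small Java program that walks the same JCA path apksigner takes, so that a token or provider problem can be told apart from an apksigner problem: it registers SunPKCS11 from the token.cfg named in the answer, opens the PKCS11 KeyStore with the token PIN, and test-signs with each private key it finds. Assumptions: the Java 9+ Provider.configure API (the Java 8 form is noted in a comment), the config path and PIN are passed on the command line, and token.cfg contains a name line and a library line pointing at the vendor's PKCS#11 module.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class Pkcs11SigningCheck {
    // Builds and registers a SunPKCS11 provider from a config file such as:
    //   name = MyHSM
    //   library = /path/to/vendor-pkcs11.so   (assumed path, vendor specific)
    // Java 8 equivalent: new sun.security.pkcs11.SunPKCS11(configPath)
    static Provider loadProvider(String configPath) {
        Provider p = Security.getProvider("SunPKCS11").configure(configPath);
        Security.addProvider(p);
        return p;
    }

    public static void main(String[] args) throws Exception {
        String configPath = args[0];          // e.g. token.cfg
        char[] pin = args[1].toCharArray();   // token PIN, assumed second argument
        Provider p = loadProvider(configPath);

        // Without a registered PKCS11 provider this call fails with
        // "KeyStoreException: PKCS11 not found", the error seen in the comments.
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        // load() performs C_Login; a vendor error code (e.g. 0x80000067 above)
        // surfaces here as sun.security.pkcs11.wrapper.PKCS11Exception.
        ks.load(null, pin);

        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            PrivateKey key = (PrivateKey) ks.getKey(alias, pin);
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            String alg = key.getAlgorithm().equals("EC") ? "SHA256withECDSA"
                                                         : "SHA256with" + key.getAlgorithm();
            // Sign on the token, then verify with the software provider and the
            // certificate's public key: proves the key is usable for signing.
            byte[] probe = "probe".getBytes(StandardCharsets.UTF_8);
            Signature signer = Signature.getInstance(alg, p);
            signer.initSign(key);
            signer.update(probe);
            byte[] sig = signer.sign();
            Signature verifier = Signature.getInstance(alg);
            verifier.initVerify(cert.getPublicKey());
            verifier.update(probe);
            System.out.printf("%s (%s): %s, %d-byte signature, verifies=%b%n",
                alias, alg, cert.getSubjectX500Principal(), sig.length, verifier.verify(sig));
        }
    }
}
```

If this program cannot log in or lists no key entries, apksigner with --ks-type PKCS11 will fail the same way, which points at the token.cfg, slot or PIN rather than at apksigner.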